This policy describes what personal data CallingScout collects, how we use and share it, and the choices you and your end users have. It applies to our website, dashboard, SDKs, API, and the voice agents customers build on our platform.
Who we are
CallingScout, Inc. (“CallingScout,” “we,” “us”) provides software that lets customers build and run AI voice agents. This Privacy Policy explains what personal data we handle, why, and what choices you have.
For data we process on behalf of our business customers (their leads, callers, end users), our customer is the data controller and we are the processor. The terms of that processing are governed by our Data Processing Addendum.
What this policy covers
This policy covers personal data we process when you:
- visit CallingScout.ai and our subdomains;
- create an account, log in, or use the dashboard, SDKs, or API;
- place or receive a call routed through a CallingScout agent;
- contact us, sign up for a newsletter, or apply for a job.
It does not cover the websites or services of third parties we link to or integrate with. Those are governed by their own policies.
What we collect
The table below lists the categories of personal data we process, what they typically contain, and the default retention applied when the customer has not configured a shorter or longer window.
| Category | Examples | Default retention |
|---|---|---|
| Account & billing | Name, work email, company, role, password hash, billing details (tokenized via our payment provider). No full card numbers stored. | Life of account + 30d grace |
| Agent configuration | Prompts, voices, knowledge sources, tools, phone numbers, schedules, and other agent settings. | Life of account |
| Call audio | The recorded conversation, when the customer enables recording and applicable consent has been obtained. | 30 days |
| Transcripts | Speech-to-text transcripts of the audio. | 90 days |
| Call metadata | Phone numbers, jurisdiction of the dialed number, timestamps, duration, language detected, sentiment signals, tool calls, escalation events, outcome codes. | 90 days |
| Function-call payloads | Data passed to or from integrated systems (CRM, calendar, knowledge base) during the call. | 30 days |
| Usage & analytics | Pages viewed, features used, errors, performance timings, browser, device, IP (truncated where feasible). | 12 months |
| Cookies | Strictly necessary (authentication, load balancing) plus analytics where consent is given. No advertising cookies. | Session – 30 days |
| Communications | Support tickets, sales conversations, and emails you send us. | 5 years |
Customers can configure shorter or longer retention windows for call audio, transcripts, and metadata, subject to applicable law.
How we use what we collect
We use personal data to:
- provide, operate, secure, and improve the platform;
- authenticate users and prevent abuse, fraud, and unauthorized access;
- process payments and provide customer support;
- send service announcements, security notices, and (with consent or a permitted lawful basis) marketing communications you can opt out of at any time;
- comply with law and protect rights, safety, and property.
Where required by law, our legal bases under the GDPR are: contract (to provide the service you signed up for), legitimate interests (security, abuse prevention, product improvement that does not override your rights), consent (for marketing and non-essential cookies), and legal obligation (tax, accounting, lawful requests).
Voice and call data
We do not train our models on customer call audio or transcripts. We do not sell call data. We do not share it with third parties for advertising or any purpose other than operating the service the customer asked us to perform.
When you run an agent, audio and transcripts are processed by sub-processors (telephony provider, speech-to-text, large language model, text-to-speech) only to the extent needed to make the conversation happen and to record what was said for the customer's own use. The customer chooses retention, redaction, and which integrations the agent may call. The customer may delete call data at any time from the dashboard or via API.
Aggregate, fully de-identified statistics (for example, average call duration across the platform) may be used to operate, secure, and improve the service. These statistics cannot be re-associated with a specific call, caller, or customer.
Biometric data
Under some laws, including the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), and Article 9 of the GDPR, voice recordings or voiceprints used for identification can be classified as biometric data.
CallingScout does not use voice to identify or authenticate individuals. We do not extract voiceprints from call audio to recognize speakers across calls, and we do not use audio to infer health, mood for advertising, or other sensitive attributes.
If a customer configures their agent to perform speaker identification or any biometric processing, that customer is responsible for the legal basis and notices required, including any BIPA-style written consent. Our DPA reflects this allocation of responsibility.
We share personal data only:
- With sub-processors who help us run the service, under contract and with confidentiality and security obligations. The current list is available on request, as described in our Trust page.
- With the customer whose agent generated the call data (for end-user data we process on their behalf).
- For legal reasons, to comply with valid legal process, to protect rights and safety, and where we believe disclosure is required by law. We push back on overbroad requests.
- For business transfers, in connection with a merger, acquisition, financing, or sale of assets, with appropriate notice.
- With your consent, in any case not covered above.
Sub-processors
The current, dated list of sub-processors is available from security@CallingScout.ai on request, and is referenced on our Trust page. We give customers at least 30 days' notice before adding or replacing a sub-processor, and customers have the right to object on reasonable data-protection grounds, as described in the DPA.
International transfers
CallingScout is incorporated in the United States and operates infrastructure primarily in the United States and the European Union. When we transfer personal data out of the EEA, the UK, or Switzerland, we rely on:
- the European Commission's Standard Contractual Clauses (2021/914/EU), with the UK International Data Transfer Addendum where required;
- adequacy decisions, where one exists for the destination country;
- your explicit consent, where permitted, for the specific transfer.
A copy of the SCCs and supplementary measures we apply is available at privacy@CallingScout.ai.
Retention
Defaults are shown in the data-categories table in Section 3. Beyond those:
- Billing records are retained as long as required by tax and accounting law (typically seven years).
- Security logs are retained up to 12 months.
- Backups roll off within 35 days.
After account termination, customer data on paid plans is retained for 30 days to allow export, then deleted within a further 30 days from primary systems and rotated out of backups within 90 days.
Security
We use encryption in transit (TLS 1.2+) and at rest (AES-256), least-privilege access, single sign-on with MFA for the team, network segmentation, audit logging, and periodic third-party penetration testing. A fuller summary is on our Trust page. No system is perfectly secure, and we cannot guarantee data will never be accessed by an unauthorized party, but we work hard to make it unlikely and limit the impact if it happens.
Your rights
Depending on where you live, you may have the right to:
- access the personal data we hold about you;
- correct or update inaccurate data;
- delete your data (“right to be forgotten”);
- restrict or object to certain processing;
- port your data to another service;
- withdraw consent at any time, without affecting the lawfulness of processing based on consent before withdrawal;
- opt out of “sale” or “sharing” of personal data as defined under U.S. state privacy laws (CallingScout does not sell data);
- lodge a complaint with a supervisory authority. In the EU, your local Data Protection Authority. In the UK, the ICO.
To exercise these rights, contact privacy@CallingScout.ai. If you are an end user rather than a CallingScout customer, we will usually direct you to the customer who collected the data, since they are the controller.
Children's privacy
CallingScout is built for businesses. It is not directed to children, and we do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, contact privacy@CallingScout.ai and we will delete it.
Changes
We will update this policy when our practices change or when the law requires. The “Last updated” date at the top will change, and we will notify account holders by email when changes are material. Continued use of the service after the effective date of the updated policy constitutes acceptance.
Contact
For privacy questions, requests, or complaints:
- privacy@CallingScout.ai
- Postal: CallingScout, Inc., Attn: Privacy, [street address], [city, state, ZIP], United States
- EU representative: To be appointed where required under Article 27 GDPR.