Privacy Policy

1. Introduction

1.1 This Privacy Policy ("Policy") describes how MyAutobot Ltd ("MyAutobot", "we", "us", "our") collects, uses, discloses and protects personal data when you use our AI-powered receptionist and voice agent platform (the "Service").

1.2 By accessing or using the Service, you acknowledge that you have read and understood this Policy and our Terms and Conditions. If you do not agree with this Policy, you must not use the Service.

1.3 This Policy applies to business users only. As a business user, you are responsible for ensuring your own privacy notices to end-users (callers) comply with applicable data protection laws.

1.4 We are committed to protecting your privacy and handling personal data in accordance with applicable laws, including the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and other relevant data protection legislation.

2. About Us

2.1 MyAutobot Ltd is a company registered in England and Wales. Our registered office address and company number are available on our website (www.myautobot.ai) and on our invoices.

2.2 For data protection purposes, MyAutobot Ltd is the data controller for your account, billing and usage data. For personal data you submit through the Service (such as caller information, call recordings and transcripts), you are typically the data controller and we act as your data processor.

2.3 You may contact us regarding privacy matters at: [email protected]

3. Key Definitions

• 3.1 "Personal Data" means any information relating to an identified or identifiable natural person.
• 3.2 "Customer Data" means data (including personal data) that you or your users submit to the Service, including prompts, scripts, knowledge base content, contact details, caller information, call audio recordings and transcripts.
• 3.3 "Account Data" means information you provide when registering and managing your account, including your name, email address, company details and billing information.
• 3.4 "Usage Data" means information automatically collected about your use of the Service, including call volumes, duration, technical logs and analytics.
• 3.5 "Third-Party Services" means services provided by third parties that integrate with or are used in connection with the Service, including telephony carriers (such as Twilio), AI voice providers (such as ElevenLabs), booking systems, CRM systems and other integration partners.

4. Information We Collect

4.1 Account Data

When you register for an account, we collect:

• 4.1.1 Your name and email address
• 4.1.2 Company or business name
• 4.1.3 Phone number
• 4.1.4 Billing and payment information (processed securely through our payment provider, Stripe)
• 4.1.5 Login credentials (passwords are encrypted and never stored in plain text)
• 4.1.6 VAT number or tax identification number (where applicable)

4.2 Customer Data

When you use the Service, we process Customer Data on your behalf, which may include:

• 4.2.1 Caller information: phone numbers, names and any information provided during calls
• 4.2.2 Call audio recordings and transcripts
• 4.2.3 SMS message content (if SMS features are used)
• 4.2.4 Web widget chat interactions and messages
• 4.2.5 Appointment and booking information
• 4.2.6 Contact details and customer information you upload to your knowledge base
• 4.2.7 Custom prompts, scripts and configuration settings you create
• 4.2.8 Integration data from connected Third-Party Services (such as CRM data, calendar availability)

4.3 Usage Data

We automatically collect information about how you use the Service, including:

• 4.3.1 Call logs: date, time, duration, phone numbers, call status and outcomes
• 4.3.2 Service usage metrics: features used, API calls, dashboard activity
• 4.3.3 Technical information: IP addresses, browser type and version, device information, operating system
• 4.3.4 Error logs and diagnostic information
• 4.3.5 Performance and analytics data

4.4 Cookies and Tracking Technologies

We use cookies and similar tracking technologies to operate and improve the Service. These include:

• 4.4.1 Essential cookies: necessary for authentication, security and core functionality
• 4.4.2 Analytics cookies: to understand how the Service is used (such as Google Analytics)
• 4.4.3 Preference cookies: to remember your settings and preferences

You can control cookies through your browser settings. However, disabling essential cookies may affect your ability to use certain features of the Service.

4.5 Information from Third-Party Services

If you connect Third-Party Services to your account (such as Google Calendar, CRM systems, or booking platforms), we may receive information from those services in accordance with their authorization processes and privacy policies. This may include:

• 4.5.1 Calendar availability and appointment data
• 4.5.2 Contact and customer information from your CRM
• 4.5.3 Email addresses and communication preferences
• 4.5.4 Team member details and scheduling permissions

5. How We Use Your Information

5.1 Legal Bases for Processing

We process personal data only where we have a lawful basis to do so:

• 5.1.1 Contract performance: to provide the Service and fulfill our obligations under our Terms and Conditions
• 5.1.2 Legitimate interests: to improve the Service, prevent fraud, ensure security and conduct business operations
• 5.1.3 Legal compliance: to comply with applicable laws, regulations and legal processes
• 5.1.4 Consent: where you have given explicit consent (which you may withdraw at any time)

5.2 Purposes of Processing

We use the information we collect for the following purposes:

• 5.2.1 Service Delivery: To provide, operate and maintain the AI receptionist platform, including handling calls, processing voice interactions, generating transcripts, managing appointments and providing analytics
• 5.2.2 Account Management: To create and manage your account, process subscriptions, handle billing and payments, and provide customer support
• 5.2.3 Communication: To send you service-related notifications, respond to your inquiries, provide technical support and send important updates about the Service
• 5.2.4 Improvement and Development: To improve the performance, reliability and user experience of the Service. We do not use Google user data obtained through Google APIs to develop, improve or train generalized artificial intelligence (AI) or machine learning (ML) models.
• 5.2.5 Security and Fraud Prevention: To detect and prevent fraud, unauthorized access, security incidents and other malicious activities
• 5.2.6 Legal Compliance: To comply with applicable laws, regulations, legal processes and enforceable governmental requests
• 5.2.7 Marketing (with consent): To send you information about our services, features, promotions and events (you may opt-out at any time)

5.3 AI and Voice Processing

The Service uses artificial intelligence and voice technology to process calls and interactions. This involves:

• 5.3.1 Converting speech to text and text to speech
• 5.3.2 Analyzing call content to understand intent and provide appropriate responses
• 5.3.3 Processing your custom prompts and knowledge base to train agent behavior
• 5.3.4 Generating call summaries, transcripts and analytics

AI-generated responses may be incomplete, inaccurate or outdated. The Service is not a substitute for professional advice, and you are responsible for verifying critical information before relying on it.

6. Data Sharing and Disclosure

6.1 Third-Party Service Providers (Sub-Processors)

We engage carefully selected third-party service providers to help us operate the Service. These providers act as data processors on our behalf and are contractually obligated to protect your data. Our key sub-processors include:

• 6.1.1 Google Cloud Platform (GCP): Infrastructure hosting and cloud services (UK data centers)
• 6.1.2 ElevenLabs: AI voice technology, call handling, audio processing and transcript storage (may process data in UK, EU, US or other locations with appropriate safeguards)
• 6.1.3 Twilio: Telephony services and phone number provisioning
• 6.1.4 Stripe: Payment processing and billing services
• 6.1.5 Email service providers: For sending transactional and marketing emails
• 6.1.6 Analytics providers: For usage analytics and service improvement (such as Google Analytics)

A complete and current list of our sub-processors is available upon request by contacting [email protected].

6.2 International Data Transfers

Our core platform services are hosted on Google Cloud Platform data centers located in the United Kingdom. However, some of our sub-processors may process data outside the UK and European Economic Area (EEA), including in the United States.

Where we transfer personal data outside the UK or EEA, we ensure appropriate safeguards are in place, including:

• 6.2.1 Standard Contractual Clauses (SCCs) approved by the European Commission and UK authorities
• 6.2.2 Adequacy decisions recognizing equivalent data protection standards
• 6.2.3 Other legally recognized transfer mechanisms as appropriate

6.3 Business Transfers

If MyAutobot is involved in a merger, acquisition, asset sale or similar corporate transaction, your personal data may be transferred to the successor entity. We will provide notice before your data is transferred and becomes subject to a different privacy policy.

6.4 Legal Requirements and Protection of Rights

We may disclose personal data if required to do so by law or if we believe in good faith that such disclosure is necessary to:

• 6.4.1 Comply with legal obligations, court orders, or governmental requests
• 6.4.2 Enforce our Terms and Conditions and other agreements
• 6.4.3 Protect the rights, property or safety of MyAutobot, our customers or others
• 6.4.4 Prevent fraud, security breaches or illegal activities

6.5 Aggregated and Anonymized Data

We may share aggregated or anonymized information that does not include Google user data obtained through Google APIs.

7. Data Security

7.1 We implement appropriate technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure or destruction. These measures include:

• 7.1.1 Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS/SSL protocols
• 7.1.2 Encryption at rest: Customer Data, including call recordings and transcripts, is encrypted when stored
• 7.1.3 Access controls: Role-based access restrictions and multi-factor authentication options
• 7.1.4 Logging and monitoring: Key administrative actions and security events are logged
• 7.1.5 Regular security assessments: Ongoing security reviews and vulnerability testing
• 7.1.6 Secure infrastructure: Industry-leading cloud hosting with Google Cloud Platform
• 7.1.7 Employee training: Staff are trained in data protection and confidentiality requirements

7.2 Despite these measures, no method of transmission or storage is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your login credentials and for all activities under your account.

7.3 If you become aware of any unauthorized access to your account or any security breach, you must notify us immediately at [email protected].

8. Data Retention

8.1 We retain personal data only for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law.

8.2 Customer Data Retention

• 8.2.1 Call transcripts and related metadata: Retained for up to 24 months, then deleted or anonymized
• 8.2.2 Call audio recordings: May be retained for a shorter period than transcripts, while maintaining transcripts for service and support purposes
• 8.2.3 Custom configurations, prompts and knowledge base: Retained while your account is active and for a reasonable period afterward

Once available, you may configure shorter retention periods in your dashboard to meet your own regulatory requirements.

8.3 Account and Billing Data Retention

• 8.3.1 Account information: Retained while your account is active and for up to 7 years afterward for legal, tax and accounting purposes
• 8.3.2 Billing records and invoices: Retained for at least 7 years to comply with financial regulations
• 8.3.3 Payment information: Stored securely by our payment processor (Stripe) and subject to their retention policies

8.4 Extended Retention

We may retain certain data for longer periods where required or permitted by law, including for:

• 8.4.1 Legal compliance and regulatory obligations
• 8.4.2 Fraud prevention and security investigations
• 8.4.3 Resolving disputes and enforcing agreements
• 8.4.4 Audit and compliance purposes

8.5 Deletion Requests

You may request deletion of specific call records or closure of your account at any time. Upon such request, we will delete or anonymize the relevant Customer Data within a reasonable period, except where we are required or permitted to retain it under applicable law.

9. Your Data Protection Rights

9.1 Depending on your location and applicable law, you may have the following rights regarding your personal data:

9.2 Access and Portability

• 9.2.1 Right of access: You may request confirmation of whether we process your personal data and obtain a copy of such data
• 9.2.2 Right to data portability: You may request your data in a structured, commonly used and machine-readable format and have it transmitted to another controller

9.3 Correction and Deletion

• 9.3.1 Right to rectification: You may request correction of inaccurate or incomplete personal data
• 9.3.2 Right to erasure ("right to be forgotten"): You may request deletion of your personal data in certain circumstances

9.4 Restriction and Objection

• 9.4.1 Right to restriction: You may request that we restrict processing of your personal data in certain circumstances
• 9.4.2 Right to object: You may object to processing based on legitimate interests or for direct marketing purposes

9.5 Consent Withdrawal

Where we process your personal data based on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

9.6 Exercising Your Rights

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within one month, or as otherwise required by applicable law. We may need to verify your identity before processing your request.

Please note that some rights may be subject to limitations or exceptions under applicable law. For example, we may not be able to delete data that we are legally required to retain.

9.7 Right to Complain

You have the right to lodge a complaint with a supervisory authority if you believe we have processed your personal data unlawfully. In the UK, the relevant authority is the Information Commissioner's Office (ICO). In the EU, you may contact your local data protection authority.

10. Google OAuth and Third-Party Integrations

10.1 Google API Services

If you choose to connect your Google account to the Service (for example, to enable calendar integration for appointment booking), we will request your permission to access specific Google services through OAuth 2.0.

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• 10.1.1 We only request access to Google user data that is strictly necessary to provide calendar availability checking and appointment booking functionality within the Service.
• 10.1.2 We do not use Google user data for serving advertisements
• 10.1.3 We do not allow humans to read Google user data unless: (a) we have your explicit consent, (b) it is necessary for security purposes, (c) it is required to comply with applicable law.
• 10.1.4 We do not transfer Google user data to third parties except as necessary to provide the Service, comply with applicable law, or as part of a merger or acquisition (with prior notice)
• 10.1.5 Google user data is used strictly to provide calendar availability checking and appointment booking functionality within the Service. We do not use Google user data for advertising, profiling, resale, research, marketing, or training generalized AI models.

Google Calendar Scope Details: We read events (https://www.googleapis.com/auth/calendar) for availability; create/update bookings (https://www.googleapis.com/auth/calendar.events). Processed in-transit only, encrypted, no sharing.

10.2 Scopes We May Request

Depending on the features you enable, we may request access to:

• 10.2.1 Google Calendar: To check availability and create appointments on behalf of callers
• 10.2.2 Google Contacts: To access contact information for call routing and personalization
• 10.2.3 Gmail: To send appointment confirmations or notifications (if enabled)

You can revoke our access to your Google account at any time through your Google Account settings (https://myaccount.google.com/permissions).

10.3 Other Third-Party Integrations

If you integrate other third-party services (such as CRM systems, booking platforms, or communication tools), your use of those services is governed by their respective terms of service and privacy policies. We are not responsible for the privacy practices of third-party services.

When you authorize an integration, you may be sharing data with both MyAutobot and the third-party service. Please review the third party's privacy policy to understand how they handle your information.

Our use of Google user data is limited to the practices disclosed in this Privacy Policy and complies with the Google API Services User Data Policy, including the Limited Use requirements.

11. Marketing Communications

11.1 With your consent, we may send you marketing communications about our services, new features, promotions and events. You can opt out of marketing emails at any time by:

• 11.1.1 Clicking the 'unsubscribe' link at the bottom of any marketing email
• 11.1.2 Updating your communication preferences in your account settings
• 11.1.3 Contacting us at [email protected]

11.2 Please note that even if you opt out of marketing communications, we will still send you essential service-related communications (such as account notifications, billing information and security alerts).

12. Children's Privacy

12.1 The Service is intended for business use only and is not directed to individuals under the age of 18. We do not knowingly collect personal data from children under 18.

12.2 If we become aware that we have collected personal data from a child under 18 without appropriate consent, we will take steps to delete such information as soon as possible.

12.3 If you believe we have collected information from a child under 18, please contact us immediately at [email protected].

13. Your Responsibilities as a Data Controller

13.1 When you use the Service to collect and process personal data from callers and end-users, you act as a data controller and are responsible for compliance with applicable data protection laws, including:

• 13.1.1 Providing appropriate privacy notices to callers and obtaining any necessary consents
• 13.1.2 Ensuring you have a lawful basis for processing caller data
• 13.1.3 Informing callers if calls are being recorded and obtaining consent where required by applicable law (such as UK GDPR, UAE PDPL, or US state recording laws)
• 13.1.4 Responding to data subject rights requests from your callers and end-users
• 13.1.5 Implementing appropriate security measures for the data you collect
• 13.1.6 Complying with telemarketing, spam, and consumer protection regulations
• 13.1.7 Maintaining records of processing activities as required by law

13.2 You must ensure that your use of the Service and your instructions to us comply with all applicable laws. You are solely responsible for the content and legality of the data you input into the Service.

14. Data Processing Addendum

14.1 For Customer Data that contains personal data, a Data Processing Addendum (DPA) is incorporated into our Terms and Conditions. The DPA sets out the terms under which we process personal data on your behalf as a data processor.

14.2 The DPA includes Standard Contractual Clauses for international data transfers and details regarding sub-processors, data security measures and assistance with data subject requests.

14.3 You can request a copy of our DPA by contacting [email protected].

15. Changes to This Privacy Policy

15.1 We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements or other factors.

15.2 For material changes, we will provide reasonable notice by email or through the Service at least 30 days before the changes take effect. If you continue to use the Service after the effective date of the updated Policy, you are deemed to have accepted the changes.

15.3 The 'Last Updated' date at the top of this Policy indicates when it was last revised. We encourage you to review this Policy periodically.

16. Contact Us

16.1 If you have any questions, concerns or requests regarding this Privacy Policy or our data protection practices, please contact us at:

MyAutobot Ltd

Email: [email protected]

Website: www.myautobot.ai

16.2 For data protection inquiries specifically, you may also use the subject line 'Data Protection Request' to help us route your inquiry appropriately.

16.3 We will respond to all legitimate requests within the timeframes required by applicable law.