Privacy Policy – CallCompany Oy

Effective date: 15 February 2025 Last updated: 1 April 2026

CallCompany Oy ("CallCompany", "we", "us", or "our") is committed to protecting your privacy and ensuring that your personal data is handled responsibly, transparently, and in compliance with the EU General Data Protection Regulation (2016/679, "GDPR") and Finnish data protection laws.

This Privacy Policy explains how we collect, use, disclose, and protect your personal data when you:

• Visit our website, https://callcompany.ai (the "Site");

• Use our AI voice receptionist / AI caller solution and related services (the "Service"); or

• Interact with us through other channels (e.g., email, events, social media).

If you do not agree with this Privacy Policy, please do not use our Site or Service.

1. Who is the data controller?

CallCompany Oy is the data controller for personal data we process for our own purposes (e.g., Site operations, sales, marketing, contracting, billing, and customer account administration).

CallCompany Oy Business ID: 3502674-5 Address: Lapinlahdenkatu 16, 00180, Helsinki, Finland Email: support@callcompany.ai

When we act as a Processor

When a business customer (e.g. a restaurant) uses our Service to handle calls  from their own customers, the business customer is typically the controller of that call data, and CallCompany acts as a data processor on the customer's instructions under Article 28 GDPR. That processing is governed by our Data Processing Agreement (DPA), which forms part of the customer terms. This Privacy Policy provides a high-level explanation only; the DPA contains the binding processor obligations. 

Caller Memory. 

Where a business customer enables Caller Memory features, we store and use call data within that customer's tenant to recognise returning callers and personalise interactions on the customer's instruction. We do not combine such data across customers. The business customer is the controller of that processing; please contact the relevant business directly to exercise your rights, or contact us at support@callcompany.ai and we will route your request.

2. What personal data do we collect and how?

We will only collect personal data that is relevant and necessary for the purposes described in this Privacy Policy.

A) Information you provide to us (via the Site)

• Contact details: name, email address, phone number

• Professional details: company name, job title

• Any information submitted via forms, messages, or demo requests

B) Automatically collected data (via the Site)

• Technical data: IP address, browser type/version, device information, operating system

• Usage data: pages viewed, links clicked, timestamps, referral URLs

• Approximate location derived from IP address (where applicable)

For more information about cookies, see Section 7.

C) Service account data (customer users / admins)

If you are an authorised user of a customer account, we may collect:

• Account data: name, work email, role, authentication-related data

• Account settings and preferences

• Support communications and feedback

• Service usage and security logs (e.g. login events, admin actions)

D) Call data handled in the Service (typically as Processor)

Depending on customer configuration and caller input, call data may include:

• Caller phone number (telephony metadata)

• Call audio recordings, if enabled by the customer

• Transcripts, summaries, outcomes, and classifications

• Caller-provided details (e.g. reservation time, party size, preferences)

• Call metadata (timestamps, duration, routing outcome)

Note: Speech recognition accuracy (especially names and email addresses) is not guaranteed.

E) Voice data and special category data

Call audio is processed only where the relevant business customer has enabled recording or transcription, and is handled in accordance with the customer's instructions under the DPA. We do not use call audio to create voiceprints, or for biometric identification or biometric categorisation of callers, and we do not process voice data as biometric data within the meaning of Article 9 GDPR.

Callers may inadvertently disclose information that constitutes special category data under Article 9 GDPR (for example, health information when calling a clinic, or dietary or religious preferences when calling a restaurant). Where this occurs, we process such information only as strictly necessary to deliver the Service on the customer's instructions and apply additional access controls. The business customer (as controller) is responsible for identifying the applicable Article 9(2) basis.

Notice to callers

When call recording or transcription is enabled by a business customer, our AI agent provides a clear announcement at the outset of the call that the call is being handled by an AI system and, where applicable, that it may be recorded or transcribed. The business customer is responsible for ensuring that an appropriate legal basis exists and that callers are given any further information required by applicable law.

3. For what purposes do we process your data and on what legal basis?

When we act as controller

Responding to contact and demo requests
- Legitimate interest (Art. 6(1)(f))

AI-assisted outreach to incoming leads (see Section 3a) 
- Consent (Art. 6(1) (a)) and pre-contractual steps (Art. 6(1)(b))

Sending newsletters or marketing communications
- Consent (Art. 6(1)(a))

Hosting events or providing materials you request
- Legitimate interest (Art. 6(1)(f))

Providing and improving our website and services
- Legitimate interest (Art. 6(1)(f))

Billing, accounting, and compliance
- Legal obligation (Art. 6(1)(c)) / Contract (Art. 6(1)(b))

Processing job applications
- Legitimate interest or pre-contractual steps (Art. 6(1)(f) or (b))

Security monitoring and incident response
- Legitimate interest (Art. 6(1)(f))

We always ensure that our legitimate interests are balanced against your rights and freedoms.

Job applicants

If you apply for a position with CallCompany, we process your application data (CV, contact details, work history, references, and any other information you provide) for the purposes of evaluating your application and conducting the recruitment process. The legal bases are our legitimate interest in evaluating candidates and, where applicable, taking pre-contractual steps at your request (Article 6(1)(b) and (f) GDPR).Processing is also subject to the Finnish Act on the Protection of Privacy in Working Life (759/2004).

We retain unsuccessful applicant data for 6 months after the end of the recruitment process unless you consent to a longer retention period for future opportunities.

3a.  AI-assisted follow-up to your inquiry

When you submit an inquiry, demo request, or other expression of interest through our Site, we may follow up with you using AI-powered communication tools, including automated phone calls. This follow-up is conducted in direct response to your own inquiry; it is a transactional communication, not unsolicited direct marketing.

Where the follow-up is conducted by an AI system:

- We will clearly inform you at the outset of any call or message that you are interacting with an AI system, in accordance with Article 50(1) of the EU AI Act;

- Our contact form contains a clear notice that submission may result in an AI-led follow-up. By submitting the form, you acknowledge this and consent to be contacted, including by automated means, for the purpose of responding to your inquiry;

- The legal bases under the GDPR are your consent (Article 6(1)(a)) for the use of automated calling means, in line with the requirements of Article 13 of Directive 2002/58/EC (the ePrivacy Directive) and Section 200 of the Finnish Information Society Code (917/2014), and the performance of pre-contractual steps taken at your request (Article 6(1)(b));

- This processing does not constitute solely automated decision-making with legal or similarly significant effects within the meaning of Article 22 GDPR.

You may withdraw your consent and object to AI-assisted follow-up at any time by emailing support@callcompany.ai or by replying to any communication you receive. Withdrawing your consent does not affect the lawfulness of any prior processing.

When we act as Processor

When processing call data on behalf of a business customer, we act solely on the customer's instructions as described in the DPA. The customer is responsible for ensuring a valid legal basis for processing their callers' data.

4. Our role under the EU AI Act

CallCompany is the Provider of the AI voice agent within the meaning of Regulation (EU) 2024/1689 (the "AI Act"). As Provider, we are responsible for the design, development, and lawful provision of the AI system, including:

- Ensuring the AI agent clearly informs natural persons that they are interacting with an AI system at the outset of each interaction (Article 50(1) AI Act);

- Maintaining technical documentation, data governance measures, and post-market monitoring as required;

- Reporting serious incidents to the relevant authorities where required.

When a business customer uses the Service to handle calls from their own customers, that customer is the Deployer under the AI Act and is responsible for the obligations applicable to deployers under Article 26 and, where applicable, Article 50(3)–(4). These obligations are further detailed in the Customer Terms and the Data Processing Agreement.

We do not use the AI agent for emotion recognition, biometric categorisation, or biometric identification of callers. We do not deploy AI systems that fall within the prohibited practices under Article 5 of the AI Act.

The AI voice agent is designed to assist with call handling, for example, taking reservations, answering routine questions, capturing caller details, and routing calls. It does not make decisions producing legal effects or similarly significant effects on callers within the meaning of Article 22 GDPR. Business customers are responsible for ensuring that any actions taken on the basis of AI output include appropriate human oversight where required.

We do not use customer call data, including audio, transcripts, or caller-provided details, to train or improve generalized AI models that benefit other customers. Identifiable call data is processed only to deliver the Service to the customer that controls it.

5. De-identified and anonymised data

We may use de-identified data, data from which direct identifiers have been removed and which is subject to additional safeguards to prevent re-identification, to maintain, secure, and improve our Service, including our AI models. Where data has been fully anonymised (irreversibly rendered non-identifiable, in line with applicable EDPB guidance), it is no longer personal data and is not subject to this Privacy Policy.

We do not use identifiable call data to train or improve our AI models without authorisation from the relevant customer as set out in the DPA. Customers may, as set out in the DPA, opt out of having their identifiable Service data used to improve our AI models prior to any de-identification or anonymisation. Any model improvement use is subject to appropriate technical and organisational safeguards.

6. How long do we retain your personal data?

We only retain personal data for as long as necessary for the purposes described in this policy, or as required by law.

Contact and form submissions / incoming leads
- 12 months from last interaction

Newsletter and marketing subscriber data
- Until you withdraw your consent

Analytics and usage data
- Up to 6 months, or as defined in cookie settings

Job applicant data
- 6 months after end of recruitment process

Customer relationship and billing data
- 6 years (Finnish Accounting Act)

Security and service logs
- Limited period appropriate to security and troubleshooting needs

User account and feedback data
- Duration of the agreement plus 12 months

Retention periods for call data handled on behalf of business customers are governed by the DPA and the customer's configuration. We regularly review and securely delete or anonymise data that is no longer needed.

7. Who do we share your data with?

We do not sell or rent your personal data.

Your data may be shared with:

• Trusted service providers (e.g. CRM, email marketing, analytics, telephony infrastructure, hosting) under data processing agreements compliant with Art. 28 GDPR

• Professional advisors (legal, accounting) where necessary

• Authorities if legally required (e.g. court orders or legal obligations)

• Within our corporate structure (e.g. subsidiaries) when necessary for internal operations

• In connection with a merger, acquisition, or asset transfer, subject to appropriate protections

All third parties processing data on our behalf are required to comply with strict confidentiality and data security standards. Sharing and sub-processing relating to call data handled on behalf of business customers is governed by the DPA.

A current list of sub-processors used in connection with the Service, including their location and the function they perform, is available at request. Business customers will be notified of material changes to the sub-processor list in accordance with the DPA.

8. Cookies and tracking technologies

We use cookies and similar technologies on our website to ensure functionality, improve user experience, and analyse website usage. These include:

• Essential cookies – required for the website to function correctly

• Analytics cookies – help us understand how the website is used and improve its performance

• Marketing cookies – used to display relevant advertising and measure its effectiveness (only with your consent)

For general information about cookies and how to manage them, visit www.aboutcookies.org. Detailed information about the specific cookies we use, their purpose, and their retention is available in our Cookie Notice at callcompany.ai/cookies.

9. International data transfers

We primarily process personal data within the EU/EEA. If we transfer personal data outside of the EEA (e.g. to a service provider located in a third country), we ensure that appropriate safeguards are in place, such as:

• European Commission adequacy decisions

• Standard Contractual Clauses (SCCs)

• EU-US Data Privacy Framework (where applicable)

For further details, or to request a copy of the applicable safeguards, please contact us at support@callcompany.ai. Details relevant to processor processing of call data are handled via the DPA.

10. How we protect your data

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or disclosure. These include:

• Encrypted communications (TLS/HTTPS)

• Role-based access controls and least-privilege principles

• Secure data storage and regular backups

• Staff confidentiality obligations and data protection training

• Security monitoring and incident response processes

All personnel and subcontractors who process personal data on our behalf are bound by strict confidentiality obligations. We regularly review and update our security practices. No system is perfectly secure, but we work to maintain safeguards appropriate to the risk.

11. Your rights under the GDPR

If CallCompany is the controller of your personal data, you have the following rights:

• Right of access – to obtain a copy of the personal data we hold about you

• Right to rectification – to have inaccurate or incomplete data corrected

• Right to erasure – to have your data deleted in certain circumstances

• Right to restrict processing – to limit how we use your data

• Right to object – to processing based on legitimate interests or for direct marketing purposes (including AI-assisted outreach)

• Right to data portability – to receive your data in a structured, machine-readable format

• Right to withdraw consent – at any time, without affecting the lawfulness of prior processing

To exercise any of these rights, please contact us at privacy@callcompany.ai. We may need to verify your identity before responding. We will respond without undue delay and in any event within one month of receiving your request. Where a request is particularly complex or where we receive a high volume of requests, we may extend this period by up to two further months, in which case we will inform you within the first month, together with the reasons for the extension.

If you are a caller to a business using our Service, the business is typically the controller of your call data. Please contact that business directly to exercise your rights in relation to your call. If you contact us, we may redirect you to the relevant customer where appropriate.

12. Your choices

You have the following practical controls over how we communicate with you:

• Marketing emails: You can unsubscribe at any time via the unsubscribe link in any marketing email we send.

• AI-assisted outreach: You can object to being contacted by AI-powered tools by emailing privacy@callcompany.ai. We will honour such requests promptly.

• Cookies: You can manage or withdraw cookie consent at any time via our cookie banner or your browser settings.

• Account information: Customer admins can update certain account information directly within the Service (where available).

13. Supervisory authority

If you believe your rights under data protection law have been violated, you have the right to lodge a complaint with the Finnish Data Protection Ombudsman or with the supervisory authority in your country of residence within the EU/EEA.

Office of the Data Protection Ombudsman Ratapihantie 9, 00520 Helsinki, Finland Phone: +358 29 566 6700 Email: tietosuoja@om.fi Website: tietosuoja.fi

Users in the United Kingdom

Where we process personal data of individuals in the United Kingdom, we do so in accordance with the UK GDPR and the Data Protection Act 2018. UK individuals have substantively the same rights described in Section 10 and may lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

Children

Our Site and Service are intended for businesses and their authorised users. They are not directed to children under the age of 16, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at support@callcompany.ai and we will take steps to delete it.

14. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable legal requirements. The latest version will always be available at callcompany.ai/privacy with an updated "Last updated" date. Where changes materially affect your rights, we will notify you by email using the address you have provided in the Services.

15. Contact us

If you have questions about this Privacy Policy or how we handle personal data, please contact:

CallCompany Oy General enquiries: support@callcompany.ai Data protection / rights requests: privacy@callcompany.ai Address: Lapinlahdenkatu 16, 00180, Helsinki, Finland