Privacy Policy

§ 1. Data Controller

The controller of personal data within the meaning of Article 4(7) of the GDPR is the Service Provider — the operator of VoiceTrap, conducting business in the territory of the Republic of Poland. For all matters relating to the protection of personal data, you may contact us at the email address indicated on the contact page of the service. The Controller exercises the utmost diligence in protecting the rights and freedoms of data subjects, in particular ensuring that personal data is processed lawfully, collected for specified and legitimate purposes, substantively accurate, and adequate in relation to the purposes for which it is processed.

§ 2. Scope of Personal Data Collected

• Account data — first and last name, email address, and password provided during registration, as well as language preferences, time zone, and notification settings.
• Call data — caller phone numbers, call duration, timestamps, and call routing information.
• Voice recordings and transcriptions — audio recordings of incoming voicemail messages, their AI-generated transcriptions, summaries, and lead assessments. Voice recordings are processed solely for the purpose of transcription and content analysis and are not used for biometric identification within the meaning of Article 4(14) of the GDPR.
• Service usage data — pages visited, features used, and technical data such as IP address, browser type and version, device information, and operating system.
• Payment data — billing information processed by the external payment operator Stripe, Inc. The Service Provider does not store full payment card numbers on its servers.

§ 3. Legal Basis for Data Processing

Personal data is processed on the following legal bases arising from the GDPR:

• Article 6(1)(b) GDPR (performance of a contract) — processing of account data, call data, voice recordings, transcriptions, AI-generated analyses, and follow-up SMS messages is necessary for the performance of the VoiceTrap service agreement to which the data subject is a party, in accordance with the Terms of Service.
• Article 6(1)(f) GDPR (legitimate interest of the controller) — processing of service usage data for the purpose of improving service functionality, security monitoring, abuse detection, and content moderation to protect the integrity of the service and the accounts held with AI providers.
• Article 6(1)(c) GDPR (legal obligation) — retention of payment and invoicing data as required by the provisions of the Polish Act of 29 September 1994 on Accounting (Journal of Laws 1994, No. 121, item 591, as amended) and the Polish Act of 11 March 2004 on Value Added Tax (Journal of Laws 2004, No. 54, item 535, as amended).
• Article 6(1)(a) GDPR (consent) — for processing operations requiring the consent of the data subject. Consent may be withdrawn at any time, without affecting the lawfulness of processing carried out prior to its withdrawal.

§ 4. Purposes of Data Processing

• Provision of the VoiceTrap service — answering incoming calls, recording voicemail messages, generating transcriptions and analyses using AI systems, and sending automated follow-up SMS messages.
• Generating voice greetings using text-to-speech (TTS) technology powered by artificial intelligence systems.
• Automatic content moderation, abuse detection, and ensuring compliance with AI provider usage policies, in accordance with the requirements of the Digital Services Act (Regulation (EU) 2022/2065, "DSA").
• Payment processing, subscription management, and fulfilment of accounting and tax obligations.
• Communicating with the User regarding account matters, responding to technical support inquiries, and sending service-related notifications.

§ 5. Processing of Data by Artificial Intelligence Systems

In accordance with the transparency obligations arising from Regulation (EU) 2024/1689 (the Artificial Intelligence Act), we inform you that VoiceTrap uses the following artificial intelligence systems to process User data:

• OpenAI Whisper — a speech recognition (Speech-to-Text) system that processes call audio recordings to generate text transcriptions. Provider: OpenAI, LLC (USA).
• OpenAI GPT — a language model that processes transcriptions to generate conversation summaries, lead quality assessments (lead scoring), and urgency level determinations. Provider: OpenAI, LLC (USA).
• OpenAI TTS / ElevenLabs TTS — text-to-speech systems that generate voice greeting audio from text entered by the User. Providers: OpenAI, LLC (USA) / ElevenLabs, Inc. (USA).
• OpenAI Moderation API — an automated content moderation system that reviews user-submitted text and transcriptions for prohibited content. Provider: OpenAI, LLC (USA).
• None of the above AI systems is used for biometric identification, social scoring, or any other application prohibited under Article 5 of the Artificial Intelligence Act.

The outputs generated by AI systems are of an exclusively informational and supportive nature. No decisions producing legal effects or similarly significantly affecting the data subject are made solely on the basis of automated processing. The User may at any time request a human review of an assessment generated by an AI system.

§ 6. Data Processors

The Service Provider does not sell Users' personal data. Data is shared exclusively with data processors acting on behalf of the Controller on the basis of data processing agreements pursuant to Article 28 of the GDPR: Twilio, Inc. (USA) — telecommunications services, call routing, call recording, and SMS delivery; processes phone numbers, call audio, and SMS content; OpenAI, LLC (USA) — speech transcription, AI analysis, TTS generation, and content moderation; processes audio recordings and text content; ElevenLabs, Inc. (USA) — TTS generation for voice greetings; processes greeting texts; Stripe, Inc. (USA) — payment processing and subscription management; processes billing data; cloud infrastructure provider — hosting, databases, and file storage on servers located within the European Economic Area (EEA).

§ 7. Transfer of Data to Third Countries

Certain data processors (Twilio, OpenAI, ElevenLabs, Stripe) are established in the United States of America. The transfer of personal data to the USA is carried out in accordance with Chapter V of the GDPR, on the basis of: (a) the European Commission's adequacy decision under the EU–US Data Privacy Framework for providers holding active certification, and (b) Standard Contractual Clauses (SCCs) adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, supplemented by additional technical and organisational measures (in particular, encryption of data in transit and at rest) in accordance with the guidance of the European Data Protection Board (EDPB).

• legal.privacy_s7_li1
• legal.privacy_s7_li2
• legal.privacy_s7_li3
• legal.privacy_s7_li4
• legal.privacy_s7_li5
• legal.privacy_s7_li6
• legal.privacy_s7_li7

§ 8. Data Retention Period

Personal data is retained for the period necessary to fulfil the purposes for which it was collected, taking into account applicable legal requirements:

• Account data — for the duration of the active account and, following its deletion, for a period of up to 30 days to complete pending technical operations.
• Call recordings — in accordance with the User's subscription plan settings. The User may manually delete recordings at any time.
• Transcriptions and AI analyses — for the duration of the active account or until manually deleted by the User.
• Payment and invoicing data — for a period of 5 years from the end of the fiscal year in which the transaction took place, in accordance with Article 74 of the Polish Accounting Act and Article 112 of the Polish Value Added Tax Act.
• Content moderation logs — 90 days from the date of the event.
• Technical and service usage data — up to 12 months.
• Reporter data in the notice-and-takedown procedure (Article 16 DSA) — 6 months from the resolution of the notice, after which personal data (name, email) is anonymised; the decision record is retained in accordance with Article 24(5) DSA.

Upon expiry of the above retention periods, personal data is permanently deleted or anonymised.

§ 9. Rights of the Data Subject

Under the GDPR, you are entitled to the following rights: the right of access to data (Article 15) — obtaining confirmation of processing and a copy of your data; the right to rectification (Article 16); the right to erasure — the "right to be forgotten" (Article 17), subject to legal retention obligations; the right to restriction of processing (Article 18); the right to data portability (Article 20) — receiving your data in a structured, commonly used, machine-readable format; the right to object to processing based on legitimate interest (Article 21); and the right to withdraw consent at any time (Article 7(3)). To exercise any of these rights, please contact us at the email address listed on the contact page. We will respond without undue delay, and no later than 30 days from receipt of your request. Should you be dissatisfied with the Controller's response, you have the right to lodge a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl).

§ 10. Automated Decision-Making and Profiling

VoiceTrap uses AI systems for the automatic analysis of call transcriptions, generation of summaries, lead quality assessment (lead scoring), and urgency level determination. These processes constitute profiling within the meaning of Article 4(4) of the GDPR. At the same time, we inform you that no decisions producing legal effects or similarly significantly affecting the User are made solely on the basis of automated processing within the meaning of Article 22(1) of the GDPR. AI-generated assessments are of an auxiliary and informational nature, and any actions resulting therefrom (e.g., sending follow-up SMS messages) are configured directly by the User. The User has the right to obtain human intervention from the Controller, to express their point of view, and to contest any decision based on automated processing.

§ 11. Data Security Measures

The Controller implements appropriate technical and organisational measures within the meaning of Article 32 of the GDPR to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include, in particular: encryption of data in transit (TLS 1.2+) and at rest, role-based access control (RBAC) and multi-factor authentication mechanisms, regular security reviews and audits, and data processing agreements containing security clauses with all data processors.

§ 12. Cookies and Similar Technologies

VoiceTrap uses only cookies that are strictly necessary for the proper functioning of the service (session management, language preference storage, CSRF protection), in accordance with Article 173 of the Polish Telecommunications Act of 16 July 2004 (Journal of Laws 2004, No. 171, item 1800, as amended). These cookies are necessary for the provision of the service requested by the User and do not require separate consent pursuant to Article 173(3)(2) of the Telecommunications Act. The Service Provider does not use advertising, tracking, or third-party analytics cookies.

§ 13. Protection of Children's and Minors' Data

VoiceTrap is intended exclusively for persons aged 16 or older. We do not knowingly collect personal data from persons below that age. If the Controller becomes aware that personal data has been provided by a person under the age of 16 without the consent of a parent or legal guardian, such data will be promptly deleted. If you suspect such a situation, please contact us at the email address listed on the contact page.

§ 14. Changes to the Privacy Policy

The Controller reserves the right to amend this Privacy Policy. Material changes will be communicated to the User at least 14 days in advance by electronic means (email or in-app notification), in accordance with Article 3a of the Polish Act of 18 July 2002 on the Provision of Electronic Services. The current version of the Policy is always available on the service's website. Should the User not accept the amended Policy, they have the right to terminate the service agreement (delete their account) before the changes take effect.