
Privacy Policy

Last updated: January 18, 2026

  • Introduction

  • Information We Collect

  • SMS Consent and Mobile Privacy

  • How We Use Your Information

  • AI Data Processing

  • Data Sharing and Third-Party Processors

  • How Your Data Flows

  • Data Security

  • Data Retention

  • Your Privacy Rights

  • GDPR Compliance (EU Users)

  • CCPA Compliance (California Users)

  • Data Breach Notification

  • HIPAA Considerations (Healthcare)

  • Cookies and Tracking Technologies

  • Children's Privacy

  • International Data Transfers

  • Changes to This Policy

  • Contact Us

Introduction

CallDesk (operated by Resident Labs, LLC) is committed to protecting your privacy. This policy explains how we collect, use, share, and safeguard your information when you use our AI-powered phone system. Your use of CallDesk constitutes acceptance of this Privacy Policy. If you disagree with any part of this policy, please do not use our Services.

Information We Collect

We collect information you give us (account details, business info), call data (recordings, transcripts, caller numbers), and technical data (IP address, browser type, usage patterns).

Information You Provide to Us

  • Account information: Name, email address, phone number, company name
  • Business information: Industry, business hours, preferences, custom prompts
  • Payment information: Processed securely through Stripe (we don't store credit card numbers)
  • Communication preferences: Notification settings, language preferences
  • Support communications: Messages you send us for customer support

Information Collected Automatically

  • Call data: Voice recordings, call transcripts, caller phone numbers, call duration, timestamps
  • Usage data: Features accessed, actions taken, time spent in the app
  • Device information: IP address, browser type and version, operating system, device type
  • Log data: Server logs, error logs, performance metrics
  • Analytics data: How you interact with our service (via cookies and similar technologies)

Information from Callers

When someone calls your CallDesk number, we may collect:

  • Their phone number (caller ID)
  • Voice recordings (only if call recordings are enabled in your settings)
  • Conversation transcripts (only if transcription is enabled in your settings)
  • Any information they provide during the call (names, messages, appointment details)

You Control Call Recording & Transcription

You have full control over call recording and transcription. You can:

  • Enable or disable call recording at any time in your account settings
  • Delete individual recordings or transcripts whenever you want
  • Set custom retention periods (7 days to 1 year, or disabled entirely)

You own the data from your callers. We process it on your behalf to provide the service. You're responsible for informing callers about recording and obtaining necessary consent (see our Terms of Service for details).

SMS Consent and Mobile Privacy

When you opt in to receive SMS messages from CallDesk, we collect your mobile phone number and consent preferences. This section explains how we handle your SMS-related data.

How We Collect SMS Consent

We obtain your consent to send SMS messages through:

  • Website forms: When you provide your phone number and check the SMS opt-in box during signup or account settings
  • Text-to-join: When you text a keyword to our short code or phone number
  • AI agent calls: When you verbally consent to receive SMS notifications during a call with our AI assistant
  • Account settings: When you enable SMS notifications in your CallDesk dashboard

We Do NOT Share Your Mobile Data for Marketing

Your SMS opt-in data and mobile phone number are never sold, rented, or shared with third parties for their marketing purposes.

We will never share your phone number or SMS consent information with advertisers, data brokers, or any third party for promotional purposes. Your mobile information is used exclusively to provide you with CallDesk services.

Limited Sharing for Service Delivery

We share your mobile phone number only with the following service providers, solely to deliver SMS messages on our behalf:

  • Twilio: Our SMS gateway provider that transmits messages to your phone. Twilio is contractually prohibited from using your data for any purpose other than message delivery.

These providers receive only the data necessary to deliver your messages and are bound by strict data protection agreements.

Message Frequency & Costs

Message frequency varies based on your account activity and scheduled appointments. Typical users receive 2–10 messages per month. Standard message and data rates may apply based on your mobile carrier plan.

For full details on our SMS program, including opt-in methods, message types, and carrier information, see our SMS Opt-In & Program Information page.

Managing Your SMS Preferences

You can update your SMS preferences or opt out at any time through your account settings, by replying STOP to any message, or by contacting support@24calldesk.com. See our SMS Terms and Conditions for complete opt-out instructions.

How We Use Your Information

We use your data to provide the service (answer calls, schedule appointments), send you updates, provide customer support, and comply with legal requirements:

  • Provide and maintain our services: Answer calls, transcribe conversations (if enabled), schedule appointments, sync with your integrations
  • Process transactions: Manage subscriptions, process payments, send invoices
  • Improve our platform: Use anonymized, aggregated usage metrics (not call content) to improve user experience and product features
  • Send service communications: Account notifications, billing updates, service announcements
  • Provide customer support: Respond to your requests, troubleshoot issues, provide technical assistance
  • Analyze usage patterns: Understand how customers use our service to improve user interface and workflows (anonymized data only)
  • Detect and prevent fraud: Monitor for abusive or illegal activity, protect against security threats
  • Comply with legal obligations: Respond to legal requests, enforce our Terms of Service
  • Send marketing communications: Product updates, new features, tips (you can opt out anytime)

Legal Bases for Processing (GDPR)

For EU users, we process your data based on:

  • Contract performance: Processing necessary to provide the services you signed up for
  • Legitimate interests: Improving our service, preventing fraud, ensuring security
  • Consent: Marketing communications (you can withdraw consent anytime)
  • Legal compliance: Complying with laws and regulations

AI Data Processing

Your call audio and transcripts are processed by AI models (OpenAI GPT-4, GPT-5, Anthropic Claude, and speech to text) to power the voice assistant. Our AI voice service converts speech to text in real-time, language models generate responses, and we store your data encrypted at rest and in transit.

We NEVER Train AI Models with Your Data

CallDesk does NOT use your call recordings, transcripts, or business data to train AI models.

Your conversations and customer data remain completely private. Our AI partners (OpenAI and Anthropic) may retain data temporarily (up to 30 days) for abuse monitoring only, then permanently delete it. None of them use your data for model training.

Limited exception: We may use anonymized, aggregated analytics (e.g., "average call duration") to improve service quality. This data never contains personally identifiable information or call content.

Data Sharing and Third-Party Processors

We do not sell your personal information. We share data only with trusted service providers necessary to operate our platform.

Service Providers (Data Processors)

We work with third-party companies to operate our business. Each receives only the data necessary to perform their specific function. Here's exactly what data each service receives and why:

Other Sharing Scenarios

We may also share your data:

  • With your consent: When you explicitly agree to share your data (e.g., enabling CRM integrations)
  • For legal compliance: When required by law, court order, subpoena, or government request
  • In business transfers: If we're acquired or merge with another company, your data may transfer to the new entity
  • To protect rights and safety: To enforce our Terms, protect against fraud, or ensure user safety

How Your Data Flows

Visual guide showing how data moves from callers through Twilio and AI models, to storage and your integrations, all encrypted.

Data Protection

  • ✓ All data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • ✓ Third-party processors are SOC 2 Type II certified
  • ✓ Regular security audits and penetration testing
  • ✓ GDPR and CCPA compliant data handling procedures

Data Security

We implement industry-standard security measures to protect your data from unauthorized access, disclosure, alteration, or destruction.

Security Measures

  • Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access controls: Multi-factor authentication, role-based permissions, least-privilege access
  • Infrastructure: AWS data centers with physical security, redundancy, and automated encrypted backups
  • Network security: Firewalls, intrusion detection, DDoS protection
  • Security audits: Regular third-party penetration testing and vulnerability assessments
  • Staff training: All employees trained on data protection and privacy best practices
  • Incident response: Documented procedures for security incidents and data breaches
  • Vendor oversight: Security reviews of all third-party service providers

No Security is Perfect

While we implement strong security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security. If you become aware of any security vulnerability, please report it to support@24calldesk.com.

Data Retention

We keep your data as long as your account is active. Call recordings are kept for 90 days by default (configurable). After account deletion, we retain data for 30 days, then permanently delete it.

We retain your personal information for as long as necessary to provide our services and comply with legal obligations:

Retention Periods

  • Account data: Retained while your account is active, plus 30 days after closure (grace period for reactivation)
  • Call recordings: Default 90-day retention (configurable in your settings: 7 days to 1 year)
  • Call transcripts: Same retention period as recordings
  • Payment records: Retained for 7 years to comply with tax and accounting regulations
  • Support communications: Retained for 3 years for customer service purposes
  • Anonymized analytics: Retained indefinitely (contains no personally identifiable information)

What Happens After Deletion

When you delete your account or we delete your data after the retention period:

  • Permanent deletion: Data is securely deleted from our production servers and cannot be recovered
  • Backup deletion: Data removed from backups within 90 days
  • Third-party deletion: We request deletion from service providers (AI Providers, Twilio, etc.)
  • Exceptions: We may retain data if required by law, to resolve disputes, or prevent fraud

Your Privacy Rights

You can access, correct, delete, or export your data anytime. You can opt out of marketing emails and request restrictions on data processing. Contact us to exercise these rights.

You have the following rights regarding your personal data:

Universal Rights (All Users)

  • Right to access: Request a copy of all personal data we hold about you
  • Right to correction: Request correction of inaccurate or incomplete data
  • Right to deletion: Request deletion of your personal data (subject to legal obligations)
  • Right to data portability: Export your data in a machine-readable format (JSON, CSV)
  • Right to opt-out of marketing: Unsubscribe from promotional emails (click "unsubscribe" or email us)
  • Right to object: Object to certain data processing activities

How to Exercise Your Rights

To exercise any of these rights:

  1. Email us at support@24calldesk.com
  2. Include your account email and describe your request
  3. We'll verify your identity and respond within 30 days

Self-Service Data Management

You can manage your data directly in your account:

  • Account settings: Update name, email, phone number, business info
  • Recording controls: Enable/disable call recording and transcription
  • Retention settings: Configure how long recordings are kept (7 days to 1 year, or off)
  • Data export: Download call recordings and transcripts in standard formats
  • Data deletion: Delete individual call recordings or transcripts anytime
  • Account deletion: Permanently delete your entire account and all associated data

GDPR Compliance (EU Users)

For users in the European Union, we comply with the General Data Protection Regulation (GDPR), which grants you additional rights beyond those available to all users.

Additional GDPR Rights

  • Right to data portability: Receive your data in a structured, commonly-used format
  • Right to be forgotten: Request complete deletion of your data (with some exceptions)
  • Right to restrict processing: Limit how we use your data in certain circumstances
  • Right to object to automated decisions: Object to decisions made solely by automated processing (including profiling)
  • Right to lodge a complaint: File a complaint with your national data protection authority

GDPR Inquiries

For GDPR-related requests and inquiries, please contact us at support@24calldesk.com. We'll respond to all GDPR requests within 30 days.

Data Processing Agreements (DPA)

If you're a business customer processing EU personal data through CallDesk, we'll provide a Data Processing Agreement (DPA) upon request. Contact support@24calldesk.com to request a DPA.

CCPA Compliance (California Users)

For California residents, we comply with the California Consumer Privacy Act (CCPA), which grants you specific rights regarding your personal information.

Your CCPA Rights

  • Right to know: Request disclosure of what personal information we've collected, used, disclosed, or sold in the past 12 months
  • Right to deletion: Request deletion of your personal information (subject to exceptions)
  • Right to opt-out of "sales": We do NOT sell your personal information, so this doesn't apply
  • Right to non-discrimination: We won't discriminate against you for exercising your CCPA rights

How to Exercise Your CCPA Rights

To make a CCPA request:

  1. Email us at support@24calldesk.com with subject "CCPA Request"
  2. Include your account email and describe your request
  3. We'll verify your identity (to prevent unauthorized access)
  4. We'll respond within 45 days (30-day extension if needed)

Categories of Information We Collect

Under CCPA, we collect the following categories of personal information:

  • Identifiers: Name, email, phone number, IP address
  • Commercial information: Subscription plan, payment history, call usage
  • Internet/network activity: Usage data, device information, log data
  • Audio/visual data: Call recordings, voice data
  • Inferences: Preferences, behavior patterns (anonymized analytics)

We Do Not Sell Your Data

CallDesk does NOT sell your personal information to third parties. We never have and never will. We share data only with service providers necessary to operate our platform (as described in the "Data Sharing" section above).

Data Breach Notification

If a data breach occurs that affects your personal information, we'll notify you within 72 hours and explain what happened, what data was affected, and what we're doing about it.

In the unlikely event of a data breach involving your personal information, we commit to:

Our Notification Process

  • Immediate investigation: Contain the breach, assess scope, identify affected users
  • Notify affected users within 72 hours: Email to your registered email address
  • Notify regulators: Report to data protection authorities (GDPR, CCPA) as required
  • Provide clear communication: Explain what happened, what data was affected, and what we're doing

What We'll Tell You

Our breach notification will include:

  • Nature of the breach: What happened and how it occurred
  • Data affected: What types of personal information were compromised
  • Potential impact: Risks to your privacy and security
  • Our response: Steps we've taken to contain the breach and prevent future incidents
  • Your next steps: Recommended actions you should take (e.g., change passwords, monitor accounts)
  • Contact information: How to reach us with questions or concerns

Prevention Measures

We take proactive steps to prevent data breaches:

  • Regular security audits and penetration testing
  • 24/7 security monitoring and intrusion detection
  • Employee security training and access controls
  • Incident response plan with defined procedures
  • Encryption of all sensitive data

HIPAA Considerations (Healthcare)

CallDesk supports HIPAA-compliant deployments for healthcare providers through Business Associate Agreements (BAA). Healthcare organizations must execute a BAA before processing Protected Health Information (PHI) through our platform.

When HIPAA Applies

HIPAA requirements apply when:

  • You are a covered entity or business associate under HIPAA
  • Callers discuss medical conditions, treatments, prescriptions, or other PHI
  • You store, transmit, or process PHI through CallDesk

BAA Required for Healthcare Providers

A signed Business Associate Agreement is required before using CallDesk to handle PHI. The BAA ensures we meet HIPAA security and privacy requirements when processing patient information.

HIPAA Compliance Measures

  • Encryption of all PHI in transit (TLS 1.3) and at rest (AES-256)
  • Role-based access controls, audit logs, and multi-factor authentication
  • BAAs with HIPAA-compliant subprocessors (Twilio telephony infrastructure)
  • Breach notification within 60 days per HIPAA requirements
  • Configurable data retention periods

Requesting a BAA

Email support@24calldesk.com with subject "HIPAA BAA Request" and include your organization name. We'll send you our standard BAA for review and execution.

Important: AI providers (OpenAI, Anthropic) do not currently offer BAAs for their API services. Healthcare providers should limit conversations to non-PHI communications (appointment scheduling, general inquiries) or implement additional safeguards for PHI discussions.

Cookies and Tracking Technologies

We use cookies for authentication, analytics, and to remember your preferences. You can control cookie settings in your browser.

We use cookies and similar technologies to enhance your experience, analyze usage, and provide personalized content.

Types of Cookies We Use

  • Essential cookies: Required for the service to function (authentication, security, session management). These cannot be disabled.
  • Analytics cookies: Help us understand how users interact with our service (Google Analytics, Mixpanel)
  • Preference cookies: Remember your settings and preferences
  • Marketing cookies: Track conversions from marketing campaigns (you can opt out)

How to Control Cookies

You can control cookies by:

  • Browser settings: Most browsers allow you to refuse cookies or delete existing ones
  • Opt-out tools: Use tools like Google Analytics Opt-out
  • Do Not Track: We respect Do Not Track (DNT) browser settings

Note: Disabling essential cookies may prevent you from using certain features of CallDesk.

Children's Privacy

CallDesk is not intended for anyone under 18. We don't knowingly collect data from children. If we discover we have, we'll delete it immediately.

Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@24calldesk.com. We will delete such information immediately.

Note: If callers to your CallDesk number include minors (e.g., parents calling about their children), you are responsible for complying with applicable child privacy laws (COPPA, etc.).

International Data Transfers

Your data may be processed in the United States and other countries where our service providers operate. We ensure appropriate safeguards are in place for international transfers (Standard Contractual Clauses, etc.).

Your information may be transferred to and processed in countries other than your country of residence, including the United States.

Where Your Data is Processed

  • United States: Our primary servers and infrastructure (AWS US regions)
  • Service providers: AI Voice, Twilio, OpenAI, Anthropic (primarily US-based)
  • Backup storage: Geographically distributed for redundancy

Safeguards for International Transfers

We ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): EU-approved contract terms for data transfers
  • Adequacy decisions: We transfer data to countries deemed adequate by the EU Commission where possible
  • Data processing agreements: Contracts with all service providers to ensure data protection

If you have questions or concerns about international data transfers, contact support@24calldesk.com.

Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any material changes by:

  • Sending an email to your registered email address
  • Posting a notice within the Services
  • Updating the "Last updated" date at the top of this page

Your continued use of the Services after changes become effective constitutes acceptance of the updated Privacy Policy.

Notice period: For material changes that affect your rights, we'll provide at least 30 days' advance notice.

Contact Us

Questions about privacy? Email support@24calldesk.com or write to us in San Francisco. We respond within 30 days.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email
support@24calldesk.com
Company
Resident Labs, LLC
Location
2261 Market St STE 79485
San Francisco, CA 94114
Response Time
We aim to respond to all privacy requests within 30 days

Note: For privacy inquiries, GDPR requests, HIPAA BAA requests, or general support, please email us at the address above.


© Resident Labs, LLC 2026. All rights reserved.