Privacy Policy

Privacy Policy - Staffify AI

Privacy Policy

Last updated: 17 December 2025

This Privacy Policy explains how Staffify AI ("StaffifyAI", "we", "us", "our") collects, uses, shares, and protects personal data when you visit our websites, create an account, or use our services.

Quick Summary (not legal text)

We act as data controller for our users and data processor for customer call data. We use Stripe for payments. We don't sell your data. GDPR/CPRA rights apply. Netherlands law governs. Contact support@staffifyai.com for any requests.

1 Who We Are

Company: Staffify AI

Registered in: The Netherlands

Privacy contact: support@staffifyai.com

EU Supervisory Authority: Autoriteit Persoonsgegevens (Netherlands)

This Policy covers EU/UK GDPR and U.S. state privacy rights (including California CPRA).

We have not appointed a DPO at this time. If we appoint one, we will update this Policy.

2 Our Role: Controller and Processor

When We Act as Controller

We are the data controller for personal data we collect directly from:

  • Website visitors
  • Users who create accounts on our platform
  • Subscribers to our services
  • Individuals who contact our support team

When We Act as Processor

When our customers use our AI telephony services, we process personal data on their behalf. This includes:

  • Caller phone numbers
  • Call recordings
  • Call transcripts
  • Voice memos and messages
  • Appointment booking information

For Business Customers: If you use our AI phone services, you are the data controller for your callers' personal data. You are responsible for ensuring you have appropriate legal bases and providing privacy notices to your callers. A Data Processing Agreement (DPA) is available upon request at support@staffifyai.com.

Call Recording Disclosure

Our AI telephony services may record calls on behalf of our customers. Customers using our call recording features are responsible for:

  • Informing callers that calls may be recorded (e.g., "This call may be recorded for quality and training purposes")
  • Obtaining any required consent under applicable laws
  • Complying with local telecommunications and recording consent laws

3 What Data We Collect

Category Data Types
Account Data Name, email address, password (hashed)
Billing Data Card last four digits, billing address, country, subscription details (via Stripe). We do not store full card numbers.
Usage & Device Data IP address, device/user-agent, pages viewed, actions taken, timestamps, referral sources
Content You Provide Text, code, files, and other materials you submit to use the Service
Voice & Telephony Data Call recordings, transcripts, caller phone numbers, voice memos (processed on behalf of customers)
Calendar Data Calendar events and availability (when you connect Google Calendar for appointment booking)
Support Communications Messages you send to us (email/chat)
Marketing Preferences Newsletter opt-in/opt-out
Error & Diagnostic Logs Application and infrastructure logs for reliability and security

We do not intentionally collect special category data (e.g., health, biometric, racial/ethnic data).

4 How We Use Your Data

We process personal data under the GDPR on the following legal bases:

  • Contract (Art. 6(1)(b)): To create your account, provide the Service, process subscriptions, handle telephony services, and respond to support requests.
  • Legitimate interests (Art. 6(1)(f)): To secure the Service, prevent fraud/abuse, debug and improve performance, measure product usage, and defend legal claims.
  • Consent (Art. 6(1)(a)): For non-essential cookies/analytics and marketing emails. You can withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)): To comply with tax and accounting laws and respond to lawful requests from authorities.

5 Cookies, Analytics & Advertising

  • We use a consent banner for non-essential cookies.
  • Analytics: Google Analytics (via Google Tag Manager) for aggregated usage insights.
  • Advertising: Meta (Facebook) Pixel for conversion tracking and audience building.

You can manage your cookie preferences via our cookie banner or your browser settings. Blocking cookies may affect some features.

Type Purpose Duration
Essential Required for the Service to function (authentication, security) Session / 1 year
Analytics Help us understand how you use the Service Up to 2 years
Advertising Conversion tracking and audience building Up to 2 years

6 Sharing Your Data (Recipients)

We do not sell or share personal information for cross-context behavioral advertising under CPRA.

We share data with the following categories of service providers:

Provider Category Purpose Location
Payment Processing Subscription billing and payments USA (Stripe)
Cloud Infrastructure Application hosting and deployment USA/EU (Fly.io)
File Storage Storing recordings and files EU (AWS S3 - eu-north-1)
Email Services Transactional and notification emails EU (AWS SES)
Telephony Services Voice calls and SMS USA (Telnyx)
Speech Services Speech-to-text transcription USA (Deepgram)
Calendar Integration Appointment scheduling USA (Google)
Error Monitoring Application reliability and debugging EU (Sentry)
Cache & Queue Performance and background processing USA (Upstash Redis)
Domain Registration Custom domain purchases USA (Dynadot)
Analytics Website usage analytics USA (Google)
Advertising Conversion tracking USA (Meta)

We require all processors to protect data, use it only on our instructions, and implement appropriate security measures.

We may also disclose data: (i) to comply with law, (ii) to protect rights, safety, or property, or (iii) in connection with a business transfer (merger, acquisition).

7 International Data Transfers

Where data is transferred outside the EEA/UK (e.g., to the U.S.), we rely on:

  • Standard Contractual Clauses (SCCs)
  • EU-U.S. Data Privacy Framework (where applicable)
  • Other appropriate safeguards

Copies of relevant transfer mechanisms can be requested at support@staffifyai.com.

8 Security

We implement appropriate technical and organizational measures, including:

  • Encryption in transit (TLS) and at rest
  • Role-based access control and least-privilege principles
  • Audit logging for administrative access
  • Secrets management and key encryption
  • Signed URLs for controlled file access
  • Regular backups with a 30-day rolling retention
  • Ongoing monitoring, patching, and incident response procedures
  • Sensitive data filtering in error monitoring

No system is 100% secure. We will notify you and authorities of data breaches as required by law.

9 Data Retention

We keep data only as long as needed:

Data Type Retention Period
Account data Life of the account + 12 months
Billing & invoices 7-10 years (legal/tax requirements)
Call recordings 90 days (then automatically deleted)
Call transcripts & analytics Life of the account
Application logs 30 days
Support tickets 24 months
Backups 30-day rolling

We may anonymize and retain data for statistics and product improvement.

10 Your Rights (EU/UK)

Under the GDPR/UK GDPR, you have the right to:

Access: Request a copy of your personal data.
Rectify: Correct inaccurate or incomplete data.
Erase: Request deletion of your data ("right to be forgotten").
Restrict: Limit how we process your data.
Object: Object to certain processing activities.
Portability: Receive your data in a structured, machine-readable format.
Withdraw consent: At any time (without affecting prior processing).

To exercise your rights, email support@staffifyai.com. You also have the right to complain to your local supervisory authority (e.g., Autoriteit Persoonsgegevens in the Netherlands).

11 U.S. State Privacy Rights (incl. California CPRA)

Residents of certain U.S. states (including California) have:

  • Right to know/access: The categories and specific pieces of personal information we collected.
  • Right to delete: Personal information (subject to legal exceptions).
  • Right to correct: Inaccurate personal information.
  • Right to opt-out of sale/share: We do not sell/share for cross-context advertising.
  • Right to limit use of sensitive personal information: We do not use SPI for inferring characteristics.
  • Non-discrimination: For exercising your rights.

To make a request, email support@staffifyai.com. We honor Global Privacy Control (GPC) signals.

12 Automated Decision-Making & Profiling

Our Service includes AI-powered features such as:

  • Automated call handling and responses
  • Speech transcription and analysis
  • Appointment scheduling recommendations
  • Call routing decisions

We maintain human oversight capabilities and logging for transparency and safety. Customers can configure AI behavior and transfer calls to human agents when needed.

13 Children's Privacy

The Service is not directed to children and is intended for individuals 16 years and older. We do not knowingly collect personal data from children under 16.

If you believe a child has provided data to us, contact support@staffifyai.com to request deletion.

14 Third-Party Links

Our site may link to third-party websites or services. Their privacy practices are governed by their own policies. We are not responsible for the privacy practices of third parties.

15 Changes to This Policy

We may update this Policy from time to time. If we make material changes, we will notify you (e.g., by email or in-app notification) and update the "Last updated" date at the top of this page.

16 Contact Us

Questions or requests about this Policy or your data rights:

Email: support@staffifyai.com

Data Processing Agreement (DPA) requests:

Email: support@staffifyai.com

Supercharge Your Business

Let the future work for you!

Get StartedContact