Staffify AI | Privacy Policy | Your Data, Security & Trust

1 Who We Are

Company: Staffify AI

Registered in: The Netherlands

Privacy contact: support@staffifyai.com

EU Supervisory Authority: Autoriteit Persoonsgegevens (Netherlands)

This Policy covers EU/UK GDPR and U.S. state privacy rights (including California CPRA).

We have not appointed a DPO at this time. If we appoint one, we will update this Policy.

2 Our Role: Controller and Processor

When We Act as Controller

We are the data controller for personal data we collect directly from:

Website visitors
Users who create accounts on our platform
Customers who use our services
Individuals who contact our support team

When We Act as Processor

When our customers use our AI telephony services, voice/text widgets, or property management features, we process personal data on their behalf. This includes:

Caller phone numbers
Call recordings and transcripts
Voice and text widget conversation transcripts
Widget visitor information (name, email, custom identifiers — when provided by the visitor)
SMS messages and delivery status
Voice memos and messages
Appointment booking information
Tenant and property management data (maintenance requests, contact details)

For Business Customers: If you use our AI phone services, you are the data controller for your callers' personal data. You are responsible for ensuring you have appropriate legal bases and providing privacy notices to your callers. A Data Processing Agreement (DPA) is available upon request at support@staffifyai.com.

Call Recording Disclosure

Our AI telephony services may record calls on behalf of our customers. Customers using our call recording features are responsible for:

Informing callers that calls may be recorded (e.g., "This call may be recorded for quality and training purposes")
Obtaining any required consent under applicable laws
Complying with local telecommunications and recording consent laws

Voice Recognition & Caller Identification

Our platform uses voice biometric technology to identify repeat callers across businesses that use Staffify AI. When a caller speaks during a call or voice widget session, we automatically create a voiceprint — a mathematical representation (numerical embedding) of their voice characteristics. This voiceprint is used solely to recognize the caller on future calls, enabling faster service by pre-filling known information such as name, email, and language preference. Because voiceprints are stored at the platform level, personal information collected during a call with one business (such as name, email, and language preference) may be used to identify the same caller when they contact a different business on the platform.

Important: Voiceprints are one-way numerical representations. They cannot be used to reconstruct, replay, or clone a person's voice. If our voiceprint database were compromised, an attacker could not generate or reproduce any caller's voice from the stored data.

Voice recognition is active on all calls processed through our platform. Business customers may enable a pre-recorded disclosure message that informs callers about call recording and voice recognition at the start of the call. Business customers are responsible for:

Enabling the disclosure message in compliance with applicable biometric data laws
Informing callers about voice recognition through their own privacy notices
Complying with GDPR Article 9 (special categories of data), the Illinois Biometric Information Privacy Act (BIPA), and any other applicable biometric data regulations in their jurisdiction

Callers may request deletion of their voiceprint at any time by contacting the business they called or by emailing support@staffifyai.com. Upon request, we will permanently erase the voiceprint and all associated identification data within 30 days.

3 What Data We Collect

Category	Data Types
Account Data	Name, email address, password (hashed), two-factor authentication status
Billing Data	Card last four digits, billing address, country, usage details (via our payment processor). We do not store full card numbers.
Usage & Device Data	IP address, device/user-agent, pages viewed, actions taken, timestamps, referral sources
Content You Provide	Text, files, and other materials you submit to use the Service, including knowledge base documents (PDF, DOCX, TXT) and crawled website content
Voice & Telephony Data	Call recordings, transcripts, caller phone numbers, voice memos, SMS messages and delivery status, and voice biometric embeddings (numerical voiceprints for caller identification) (processed on behalf of customers)
Widget Conversation Data	Voice and text widget transcripts, visitor-provided information (name, email, custom identifier), conversation duration, and AI-generated analytics (sentiment, intent, topics, outcome)
Calendar & OAuth Data	Calendar events and availability (when you connect a calendar integration). OAuth access and refresh tokens for connected integrations (calendar, CRM platforms)
CRM Integration Data	Data synced between the Service and connected CRM platforms (e.g., HubSpot, Salesforce, Zoho, Pipedrive, Monday.com, Zendesk) via OAuth
Property Management Data	Tenant contact details, building and property information, maintenance requests, and portal interactions (processed on behalf of customers)
Security & Audit Data	Login attempts (IP address, success/failure, user-agent), account lockout records, and administrative audit logs (action, IP, old/new values)
Webhook Data	Event payloads delivered to customer-configured webhook endpoints, delivery status, and response logs
Support Communications	Messages you send to us (email/chat)
Marketing Preferences	Newsletter opt-in/opt-out
Error & Diagnostic Logs	Application and infrastructure logs for reliability and security

We do not intentionally collect special category data (e.g., health, racial/ethnic data), with the exception of voice biometric data (voiceprints) used for caller identification as described in Section 2. Voice biometric embeddings are processed with appropriate safeguards, including encryption, access controls, and the right to erasure upon request.

4 How We Use Your Data

We process personal data under the GDPR on the following legal bases:

Contract (Art. 6(1)(b)): To create your account, provide the Service, process payments, handle telephony services, and respond to support requests.
Legitimate interests (Art. 6(1)(f)): To secure the Service, prevent fraud/abuse, debug and improve performance, measure product usage, and defend legal claims.
Consent (Art. 6(1)(a)): For non-essential cookies/analytics and marketing emails. You can withdraw consent at any time.
Legal obligation (Art. 6(1)(c)): To comply with tax and accounting laws and respond to lawful requests from authorities.

5 Cookies, Analytics & Advertising

We use a consent banner for non-essential cookies.
Analytics: Analytics tools for aggregated usage insights.
Advertising: Conversion tracking pixels for audience building.

You can manage your cookie preferences via our cookie banner or your browser settings. Blocking cookies may affect some features.

Type	Purpose	Duration
Essential	Required for the Service to function — includes authentication token (HttpOnly, secure) and session cookies	6 hours / session
Bot Protection	Bot protection service — prevents automated abuse on forms and sign-up	Per provider policy
Analytics	Help us understand how you use the Service	Up to 2 years
Advertising	Conversion tracking and audience building	Up to 2 years

6 Sharing Your Data (Recipients)

We do not sell or share personal information for cross-context behavioral advertising under CPRA.

We share data with the following categories of service providers:

Provider Category	Purpose	Location
Payment Processing	Billing and payments	USA
Cloud Infrastructure	Application hosting and deployment	USA/EU
File Storage	Storing recordings and files	EU
Email Services	Transactional and notification emails	EU
Telephony & SMS	Voice calls and SMS messaging	USA/EU
Speech Services	Speech-to-text and text-to-speech	USA
Calendar Integration	Appointment scheduling	USA
CRM Integrations	Customer relationship management sync (when connected by you)	USA
Bot Protection	Preventing automated abuse on forms	USA
Error Monitoring	Application reliability and debugging	EU
Cache & Queue	Performance and background processing	USA
Domain & CDN	Custom domain hosting and SSL	USA
Domain Registration	Custom domain purchases	USA
Analytics	Website usage analytics	USA
Advertising	Conversion tracking	USA

We require all processors to protect data, use it only on our instructions, and implement appropriate security measures.

We may also disclose data: (i) to comply with law, (ii) to protect rights, safety, or property, or (iii) in connection with a business transfer (merger, acquisition).

7 International Data Transfers

Where data is transferred outside the EEA/UK (e.g., to the U.S.), we rely on:

Standard Contractual Clauses (SCCs)
EU-U.S. Data Privacy Framework (where applicable)
Other appropriate safeguards

Copies of relevant transfer mechanisms can be requested at support@staffifyai.com.

8 Security

We implement appropriate technical and organizational measures, including:

Encryption in transit (TLS) and at rest
Role-based access control and least-privilege principles
Audit logging for administrative access
Secrets management and key encryption
Signed URLs for controlled file access
Regular backups with a 30-day rolling retention
Ongoing monitoring, patching, and incident response procedures
Sensitive data filtering in error monitoring

No system is 100% secure. We will notify you and authorities of data breaches as required by law.

9 Data Retention

We keep data only as long as needed:

Data Type	Retention Period
Account data	Life of the account + 12 months
Billing & invoices	7-10 years (legal/tax requirements)
Call recordings	90 days (then automatically deleted)
Voice biometric embeddings (voiceprints)	Indefinitely while the caller profile is active; deleted within 30 days upon erasure request. If a business customer cancels their account, interaction logs are removed but voiceprints may be retained for caller identification across the platform
Call transcripts & analytics	Life of the account
Widget conversation transcripts & analytics	Life of the account
Knowledge base documents	Life of the account
Login attempts & audit logs	Life of the account
OAuth tokens (Calendar, CRM)	Until revoked or account deletion
Webhook delivery logs	7 days
Application logs	30 days
Support tickets	24 months
Backups	30-day rolling

We may anonymize and retain data for statistics and product improvement.

10 Your Rights (EU/UK)

Under the GDPR/UK GDPR, you have the right to:

Access: Request a copy of your personal data.

Rectify: Correct inaccurate or incomplete data.

Erase: Request deletion of your data ("right to be forgotten").

Restrict: Limit how we process your data.

Object: Object to certain processing activities.

Portability: Receive your data in a structured, machine-readable format.

Withdraw consent: At any time (without affecting prior processing).

To exercise your rights, email support@staffifyai.com. You also have the right to complain to your local supervisory authority (e.g., Autoriteit Persoonsgegevens in the Netherlands).

11 U.S. State Privacy Rights (incl. California CPRA)

Residents of certain U.S. states (including California) have:

Right to know/access: The categories and specific pieces of personal information we collected.
Right to delete: Personal information (subject to legal exceptions).
Right to correct: Inaccurate personal information.
Right to opt-out of sale/share: We do not sell/share for cross-context advertising.
Right to limit use of sensitive personal information: We do not use SPI for inferring characteristics.
Non-discrimination: For exercising your rights.

To make a request, email support@staffifyai.com. We honor Global Privacy Control (GPC) signals.

12 Automated Decision-Making & Profiling

Our Service includes AI-powered features such as:

Automated call handling and responses via voice and text widgets
Speech transcription and analysis
Appointment scheduling recommendations
Call and message routing decisions

Conversation Analytics

We automatically analyze voice and text widget conversations to generate:

Sentiment analysis: Positive, neutral, or negative sentiment scoring
Intent detection: Identifying the purpose of the conversation
Topic extraction: Key subjects and points discussed
Outcome classification: Whether the conversation was resolved, escalated, or requires follow-up

These analytics are generated to help our customers improve their service quality. No automated decisions with legal or similarly significant effects are made solely on the basis of this analysis.

Learning Suggestions

We periodically analyze patterns across call transfers and support tickets to generate improvement suggestions for our customers (e.g., common reasons for escalation). This analysis uses aggregated, anonymized patterns — not individual-level profiling.

We maintain human oversight capabilities and logging for transparency and safety. Customers can configure AI behavior and transfer calls to human agents when needed.

13 Children's Privacy

The Service is not directed to children and is intended for individuals 16 years and older. We do not knowingly collect personal data from children under 16.

If you believe a child has provided data to us, contact support@staffifyai.com to request deletion.

14 Third-Party Links

Our site may link to third-party websites or services. Their privacy practices are governed by their own policies. We are not responsible for the privacy practices of third parties.

15 Changes to This Policy

We may update this Policy from time to time. If we make material changes, we will notify you (e.g., by email or in-app notification) and update the "Last updated" date at the top of this page.

16 Contact Us

Questions or requests about this Policy or your data rights:

Email: support@staffifyai.com

Data Processing Agreement (DPA) requests: