Version 1.0

Privacy Policy

1. Who We Are

Callsy AI OÜ is a private limited company registered in the Republic of Estonia, with its registered address in Estonia.

• Company: Callsy AI OÜ
• Jurisdiction: Republic of Estonia, European Union
• Email: privacy@callsy.ai
• Website: callsy.ai

In relation to personal data collected through our website (callsy.ai) and in our direct relationship with clients and contacts, Callsy AI acts as a data controller under the EU General Data Protection Regulation (GDPR).

In relation to advertising performance data and API credentials processed on behalf of our clients as part of the Sofia service, Callsy AI acts as a data processor. The client is the data controller in that relationship, and processing is governed by our Data Processing Agreement (DPA).

2. Data We Process

2.1 Client and Prospect Contact Data

• Name, email address, and phone number of the primary business contact
• Company name and registered address
• VAT number (for invoicing purposes)
• Communication history (emails and Slack messages)

Legal basis: performance of a contract and pre-contractual measures (Article 6(1)(b) GDPR); legitimate interests (Article 6(1)(f) GDPR).

2.2 Billing and Payment Data

• Invoice records, payment history, and banking details
• We do not store full payment card numbers

Legal basis: performance of a contract (Article 6(1)(b) GDPR); legal obligation — Estonian accounting law requires retention of financial records for 7 years (Article 6(1)(c) GDPR).

2.3 API Credentials

We store encrypted API credentials provided by clients to enable Sofia to connect to Meta Ads and Google Ads accounts:

• Meta App ID, App Secret, System User Access Token, Meta Ad Account ID
• Google Ads OAuth credentials

Stored in encrypted form on isolated, client-dedicated infrastructure. Deleted within 30 days of contract termination.

Legal basis: performance of a contract (Article 6(1)(b) GDPR).

2.4 Advertising Performance Data

Campaign metrics, creative performance data, spend, impressions, clicks, and conversion events. This data does not typically include personal data about the client's end-users.

Retention: Performance snapshots retained for up to 90 days.

2.5 Slack Message Content

Sofia operates as a Slack bot within the client's workspace. Message content is processed to generate responses and retained within the agent's conversational context. Context is cleared upon contract termination.

3. How We Use Your Data

• To deliver and operate the Sofia AI CMO service
• Manage contractual relationships including invoicing
• Provide technical support
• Comply with legal obligations
• Improve reliability (using anonymised data only)
• Communicate service updates

4. Sub-processors

Sub-processor	Location	Purpose
Anthropic (Claude AI)	United States	AI inference engine. Transfer mechanism: Standard Contractual Clauses (SCC).
Hetzner Online GmbH	Germany (EU)	Dedicated VPS hosting per client. All servers in EU data centres.
Slack Technologies LLC	United States	Messaging platform for Sofia's Slack bot delivery.

5. International Data Transfers

Transfers to Anthropic and Slack Technologies are conducted under Standard Contractual Clauses (SCCs) approved by the European Commission under Article 46(2)(c) GDPR.

6. Data Retention

Data Category	Retention Period
API credentials	Deleted within 30 days of contract termination
Advertising performance snapshots	Deleted after 90 days from collection
Slack conversation context	Cleared upon contract termination
Billing and invoice records	7 years (Estonian Accounting Act)
Client contact data	Duration of contract + 2 years

7. Your Rights as a Data Subject

Under the GDPR, you have the following rights:

• Right of access
• Right to rectification
• Right to erasure
• Right to data portability
• Right to object
• Right to restrict processing

Contact: privacy@callsy.ai. We will respond within 30 days.

You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, www.aki.ee).

8. Cookie Policy

• Essential cookies: No consent required.
• Analytics cookies: Set only with explicit consent.

9. Security

• Encrypted storage of API credentials
• Dedicated isolated VPS instances per client
• Access controls
• Regular security reviews
• DPAs with all sub-processors

10. Changes to This Policy

We will provide 30 days notice for material changes to this Privacy Policy.

11. Contact

Callsy AI OÜ
Email: privacy@callsy.ai