1. Our roles
We act in two capacities depending on the data:
- Controller for personal data about website visitors, sales prospects, our direct customer contacts, suppliers, and employees.
- Processor for personal data captured by Ava when answering calls on behalf of a customer. The customer is the controller. Our processing is governed by the DPA included in the customer’s contract.
This page covers both roles.
2. Lawful bases we rely on
| Activity | Role | Lawful basis (UK GDPR Article 6) |
|---|---|---|
| Replying to enquiries you sent us | Controller | Legitimate interest (Art. 6(1)(f)) |
| Performing a customer contract | Controller | Contract (Art. 6(1)(b)) |
| Sending invoices and meeting accounting duties | Controller | Legal obligation (Art. 6(1)(c)) |
| Marketing emails to opted-in subscribers | Controller | Consent (Art. 6(1)(a)) |
| Operating Ava on a customer’s calls | Processor | Customer’s documented instructions |
| Detecting fraud and abuse on our platform | Controller | Legitimate interest (Art. 6(1)(f)) |
We do not knowingly process special category data (health, biometric, and similar). If a caller volunteers special category data during a call, we treat it as confidential and the customer’s lawful basis under Article 9 applies.
3. Data subject categories
Depending on the activity we may process personal data about:
- Visitors to avacallai.com.
- People who request a demo or quote.
- Direct contacts at customer organisations — decision makers, billing contacts, technical contacts.
- Callers who interact with Ava on a customer’s line.
- Suppliers and subprocessor contacts.
4. Categories of personal data
- Identifiers: name, business email, business phone number.
- Contact metadata: organisation, role, country.
- Account and billing data for customers.
- Call data, where we process for a customer: voice recording, transcript, caller-supplied details, call metadata.
- Technical data: IP address, user agent, request logs.
- Marketing preferences.
5. Subprocessors
We use a limited set of subprocessors to deliver the Services:
- Cloud hosting and storage.
- Telephony and call routing.
- Speech and language processing infrastructure.
- Payment processing.
- CRM, helpdesk, and email tooling.
- Privacy-respecting analytics.
A current named list, with the country in which each subprocessor stores data and the safeguards in place, is available to customers on request. We give customers reasonable advance notice before adding or replacing a subprocessor and will record any objection raised within the notice period.
6. Security measures
We apply technical and organisational measures appropriate to the risk, including:
- TLS encryption for data in transit.
- Encryption at rest for stored recordings, transcripts, and account data.
- Role-based access control with least-privilege defaults.
- Centralised audit logging.
- Network segmentation between customer environments where applicable.
- Mandatory security review for any change touching customer data.
- Documented incident response and breach notification procedures.
- Regular access reviews and credential rotation.
7. International transfers
Where data crosses the UK border we rely on:
- A UK adequacy decision, where applicable.
- The UK International Data Transfer Addendum to the EU Standard Contractual Clauses.
- Other lawful transfer mechanisms recognised by UK data protection law.
We complete a transfer impact assessment before approving any new cross-border data flow.
8. Retention
We retain personal data only as long as necessary. Default retention periods are set out in our privacy policy. Customers can configure shorter retention for call recordings and transcripts under their DPA.
9. Subject rights
Data subjects have the right to:
- Access the personal data we hold about them (subject access request).
- Rectify inaccurate or incomplete data.
- Erase personal data where there is no continuing lawful basis to keep it.
- Restrict or object to processing.
- Receive a portable copy of data they provided.
- Object to direct marketing.
- Not be subject to a decision based solely on automated processing that produces a legal or similarly significant effect — see “Automated decision-making” below.
- Withdraw consent where processing is based on consent.
Send any request to hello@avacallai.com. We aim to respond within one calendar month and will tell you if we need longer or further information to verify the request.
If a request relates to a call answered by Ava on behalf of one of our customers, please contact that customer first — they are the controller. We will help the customer fulfil the request.
10. Automated decision-making
Ava books appointments, captures lead information, and routes calls. None of these decisions has a legal or similarly significant effect on the caller within the meaning of Article 22. Where a request requires professional judgement, Ava is configured to escalate to a human. Customers can request human review of any specific case.
11. Breach notification
If we become aware of a personal data breach affecting customer or caller data, we will notify the affected customer without undue delay and, where required, in line with the timing committed to in the DPA. For breaches affecting data we control, we will notify the ICO within 72 hours where notification is legally required.
12. Data protection contact
For data protection questions or to exercise your rights:
- Email hello@avacallai.com and mark your message “Data protection”.
- Post: registered office address to be published once company registration completes.
You also have the right to complain to the UK Information Commissioner’s Office. See ico.org.uk or call 0303 123 1113.