Privacy & Data Protection
Privacy Policy
Last updated April 2026
1. Introduction and Scope
This Privacy Policy explains how Callilio (in Gründung) (“Callilio,” “we,” “us,” or “our”) collects, uses, processes, stores, transfers and discloses personal data when individuals access or use our AI-powered business communication platform and related services (collectively, the “Services”).
Our Services empower businesses such as dental clinics, law firms, salons, hotels, restaurants, veterinary practices and many other industries to automate communications using an AI voice agent powered by large language models (LLMs). These Services include inbound call handling, appointment scheduling via voice, chat, SMS and web widgets, automated reminders, outbound marketing campaigns with consent tracking, waitlist management, a unified inbox for multichannel communications, call recording and transcription, calendar integrations, directory/IVR routing, webhooks and a REST API. The specific features are described in our Terms of Service.
This Policy applies to personal data we collect through our website (callilio.com and sub-domains), web applications, telephony services and any other means through which we provide the Services. It also covers personal data processed by our AI voice agent for end-consumers (“callers”) on behalf of our business customers. It does not apply to third-party websites or services that we do not control.
We respect your privacy and comply with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Austrian Data Protection Act (DSG), the Swiss Federal Act on Data Protection (FADP), the ePrivacy Directive, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable U.S. state privacy laws.
2. Who We Are
Callilio (in Gründung) is a company being formed in Austria with headquarters in Vienna. Our platform is hosted in the EU and the United States through trusted cloud providers. For purposes of the GDPR and DSG, Callilio acts as the controller of personal data relating to our own customers (i.e., businesses that sign up for a Callilio account) and website visitors. We act as a processor when we process the personal data of end-consumers (patients, clients, guests, or other individuals) on behalf of our business customers.
3. Our Role: Controller and Processor
Depending on your relationship with Callilio, we may act as a data controller or data processor:
| Role | Description |
|---|---|
| Controller | We are a controller for personal data collected from individuals who visit our website, create accounts, subscribe to our Services, or otherwise interact with us. As a controller, we determine the purposes and means of the processing. |
| Processor | We are a processor when our customers use our platform to process personal data about their end-consumers. For example, when our AI voice agent schedules an appointment on behalf of a dental clinic, we process the caller's name, contact details and appointment details strictly under the customer's instructions. In these cases, the customer is the controller and we process data pursuant to a Data Processing Agreement (DPA). |
4. Personal Data We Collect
We collect different categories of personal data depending on how you interact with our Services.
4.1 Account and Business Data
When customers sign up for a Callilio account or otherwise communicate with us, we collect:
- Contact details: name, business name, email address, phone number, billing and mailing addresses.
- Authentication data: usernames, hashed passwords, OAuth tokens.
- Profile information: industry, company size, roles and preferences.
- Billing information: last four digits of payment card, billing address and tax ID numbers. Payments are processed by Stripe; we do not store full card details.
- Marketing preferences: consents for email and SMS communications.
4.2 End-Consumer Data
When our customers use the Services to interact with their clients or patients, we process:
- Identifying information: name, phone number, email address, and sometimes age or unique identifiers if provided by the caller.
- Appointment data: date, time, service requested, and notes related to the booking.
- Interaction content: audio recordings of calls, transcripts of conversations, chat logs, and requests captured via the web widget or SMS. This may include sensitive data such as health-related information if the conversation relates to a medical appointment.
- Consent status: records of consent for call recording, SMS messages and email communications.
4.3 Communications and Usage Data
To deliver and improve our Services, we automatically collect:
- Call metadata: timestamps, duration, destination and origin phone numbers, call routing, and transfer logs.
- System logs: IP addresses, device identifiers, browser type, operating system, error logs and performance metrics.
- Usage analytics: aggregated feature-usage statistics and performance metrics. Optional analytics tools (such as Google Analytics 4 and Microsoft Clarity) load only after you give explicit consent; until you opt in, no non-essential analytics scripts run. We never use analytics for advertising or cross-site tracking. See Section 7 for details.
- Cookies: We use strictly necessary cookies to maintain secure sessions and deliver our Services. Any non-essential (analytics) cookies load only with your prior consent. We do not serve advertising cookies. See Section 7 for details.
4.4 Billing and Financial Data
For paid subscriptions we collect billing information such as payment amounts, subscription plans, usage records, invoices and payment status. Stripe processes payment card data; we only store tokens and last four digits for identification purposes.
4.5 Sensitive Data
Depending on the industry and customer configuration, we may process special categories of data within the meaning of Article 9 GDPR. For example, a dental practice may discuss health conditions during an appointment booking. We process such data on behalf of our customers and under their instructions. We do not use this data for profiling or marketing.
5. Purposes and Legal Bases for Processing
We rely on various legal bases under the GDPR, DSG, FADP and other laws to process personal data. For each category of data, we state the purpose and legal basis:
| Data category | Purpose | Legal basis |
|---|---|---|
| Account and business data | To create and manage customer accounts; provide access to the Services; authenticate users; communicate about service updates, security alerts and administrative messages; respond to inquiries; and provide customer support. | Performance of a contract (Art. 6(1)(b) GDPR); legitimate interests (Art. 6(1)(f) GDPR) for customer support; legal obligation when required for invoices or tax compliance. |
| End-consumer data | To provide appointment scheduling, call routing, FAQ responses and other AI-powered communications on behalf of our customers; to record and transcribe calls where permitted; to send reminders and notifications; and to provide analytics to our customers. | Performance of a contract (Art. 6(1)(b) GDPR) when acting as processor; legitimate interests (Art. 6(1)(f) GDPR) in improving our Services; consent (Art. 6(1)(a) GDPR) for call recording and marketing communications as required. |
| Communications and usage data | To secure and operate our platform; monitor performance and troubleshoot issues; analyse usage and improve features; prevent fraud and abuse. | Legitimate interests (Art. 6(1)(f) GDPR) in ensuring network and information security and improving the Services. |
| Billing and financial data | To process payments, manage subscriptions, invoice customers, calculate usage fees and comply with tax and accounting obligations. | Performance of a contract (Art. 6(1)(b) GDPR); legal obligation (Art. 6(1)(c) GDPR) to comply with financial regulations. |
| Sensitive data | To schedule healthcare or legal appointments when authorised by our customers; to process health-related information for appointment booking; to record consents. | Explicit consent (Art. 9(2)(a) GDPR) or other applicable derogations; performance of a contract when processing is necessary for provision of care. |
6. Automated Decision-Making and AI Transparency
Callilio uses large language models to understand and respond to callers in over 30 languages. Our AI voice agents rely on speech-to-text (Deepgram), LLM orchestration (OpenAI GPT-4o, Anthropic Claude) and text-to-speech (Amazon Polly, ElevenLabs) to provide conversational responses. We implement retrieval-augmented generation (RAG) to answer frequently asked questions from a business-specific knowledge base and to schedule appointments with integrated calendars.
In accordance with Article 22 GDPR and the EU AI Act, we inform you that:
No automated decisions with legal effect. We do not use AI to make decisions that produce legal or similarly significant effects without human involvement. Our AI agents provide recommendations or actions (e.g., booking appointments) based on customer-defined parameters. Customers remain responsible for reviewing AI-generated outcomes.
Transparency. Callers interacting with our AI are informed that they are speaking with an AI system. When required by law, we obtain consent for call recording and processing.
Human oversight. Our systems allow customers to override or correct any action taken by the AI. Customers can review call logs, transcripts and bookings.
Safety measures. We implement prompt injection protections and guardrails to prevent the AI from generating harmful or inappropriate content. Sub-processors such as OpenAI and Anthropic are contractually prohibited from training their models on our customer data.
7. Cookies and Similar Technologies
7.1 Cookies
| Cookie | Provider | Purpose | Category | Duration |
|---|---|---|---|---|
| sb-*-auth-token | Supabase (first-party) | Maintains your authenticated session after login. Required for the platform to function. | Strictly necessary | Session / refresh cycle |
7.2 Local Storage (browser)
We use your browser's local storage for functional purposes only. These items are never transmitted to third parties and are not used for tracking or profiling:
| Key | Purpose | Category |
|---|---|---|
| theme | Remembers your light/dark mode preference | Functional |
| callilio_active_business | Remembers which business you last viewed (logged-in users) | Strictly necessary |
| callilio_visitor_id | Anonymous session identifier for the homepage chat widget so conversation history persists across page loads | Functional |
| callilio_pricing_vid | Anonymous identifier to persist your pricing calculator session | Functional |
| current_location_id | Remembers your last selected location for multi-location businesses. | Strictly necessary |
| copilot_chat_history | Persists the last 30 messages of the AI copilot chat for continuity across page loads. Stored only in your browser, never transmitted to third parties. | Functional |
| callilio_cookie_notice_dismissed | Remembers that you have dismissed the cookie notice. | Functional |
| preferredBusinessName | Temporary signup helper that is cleared after onboarding completes. | Functional |
| UI state keys | Sidebar collapsed state, onboarding progress, staff filters, and similar interface preferences | Functional |
Note: For backward compatibility, the active business identifier is mirrored in two legacy keys (current_business_id and currentBusinessId) that hold the same value as callilio_active_business. These legacy keys will be consolidated in a future release and do not represent additional data collection.
7.3 Embeddable Widget
If a business embeds our chat or booking widget on their website, the widget stores a widget_visitor_id in local storage on the visitor's browser. This anonymous identifier allows the chat conversation to persist across page loads within the same session. It is not used for cross-site tracking and is not shared with any third party.
7.4 Advertising and Tracking We Never Use
We do not use: advertising cookies, retargeting pixels, social media trackers, Facebook Pixel, Google Tag Manager, or any third-party marketing scripts. We do not engage in behavioural advertising or cross-site tracking. We may use optional, consent-gated product analytics (such as Google Analytics 4 and Microsoft Clarity, which can include aggregated usage statistics and session-replay heatmaps) — these load only after you opt in via our cookie consent controls and never run by default.
7.5 Managing Cookies
By default we use only strictly necessary and functional storage, which requires no consent. Optional analytics technologies load only after you opt in, and you can withdraw that consent at any time. You can also clear cookies and local storage through your browser settings at any time; however, doing so will end your authenticated session and reset your interface preferences. When we enable additional non-essential technologies we update this section and apply appropriate consent mechanisms before they are activated.
8. Sub-Processors
We engage third-party providers (“sub-processors”) to support our Services. Each sub-processor is carefully evaluated for security, compliance and data protection.
| Sub-processor | Purpose | Data processed | Data location |
|---|---|---|---|
| Vercel | Web front-end hosting and edge delivery | Website content, IP addresses (server logs) | EU and U.S. (EU region available) |
| Supabase | Database, authentication, storage, edge functions | Account data, business data, call metadata, transcripts, recordings, API keys | EU region by default; U.S. optional |
| Twilio | Primary telephony provider (voice calls and SMS) | Caller ID, call recordings, call metadata, SMS content | EU (Twilio Ireland Ltd.) and U.S. (with SCCs) |
| Telnyx | Secondary telephony provider | Same as Twilio | EU and U.S. |
| OpenAI | LLM API for conversational orchestration | Transcripts and prompts (pseudonymised) | EU (Azure OpenAI EU) or U.S. |
| Anthropic | Alternative LLM provider (Claude) | Same as OpenAI | U.S. with SCCs |
| Deepgram | Speech-to-text transcription | Audio data, transcripts | U.S. |
| Amazon Polly / ElevenLabs | Text-to-speech synthesis | Text prompts | U.S. and EU |
| Resend | Transactional email delivery | Email addresses, message content | U.S. |
| Stripe | Payment processing | Payment card tokens, billing information | U.S. and EU (Data Privacy Framework) |
| Google Calendar API | Calendar integration (two-way sync) | Calendar events, attendee names/contact details | Global with EU SCCs |
| Microsoft Graph API | Calendar integration | Same as Google Calendar | Global with SCCs |
| Sentry (optional) | Server-side error monitoring (activated only if we enable monitoring) | Stack traces, error context, business metadata (pseudonymised) | U.S. with SCCs |
Note: Sentry is conditionally enabled. When the MONITORING_PROVIDER environment variable is not set to sentry, no data is transmitted to Sentry servers.
If we engage new sub-processors or materially change our use of existing sub-processors, we will update this list and notify customers in accordance with our DPA and Terms of Service.
9. International Data Transfers
We operate globally and may transfer personal data to countries outside of the European Economic Area (“EEA”), Switzerland and the UK. When we do so, we implement appropriate safeguards, including:
- Adequacy decisions: We rely on the EU–U.S. Data Privacy Framework where applicable.
- Standard Contractual Clauses (SCCs): For transfers to countries without an adequacy decision, we implement the European Commission's SCCs and require our sub-processors to do the same.
- Additional safeguards: Encryption in transit and at rest, pseudonymisation and contractual commitments prohibiting onward transfers without equivalent protection.
You may contact us to obtain copies of the SCCs used for your data transfers.
10. Retention of Personal Data
We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, comply with our legal obligations and resolve disputes. Retention periods vary by category:
- Account data: Retained for the duration of the customer relationship and up to seven years thereafter to satisfy tax and accounting requirements.
- Call recordings and transcripts: Default retention is 90 days but customers may configure shorter or longer periods via account settings. Recordings may be retained longer if required by law.
- Chat logs and widget interactions: Retained for two years unless a shorter period is specified by the customer.
- Billing records: Retained for ten years under Austrian accounting laws.
- Analytics and usage data: Aggregated and anonymised data may be retained indefinitely for statistical purposes. Non-aggregated logs are deleted or anonymised within six months.
- Sensitive data: Processed on behalf of customers; retention period is determined by the customer's instructions and applicable healthcare or legal regulations.
11. Your Rights
Depending on your jurisdiction, you have certain rights regarding your personal data. If we act as a controller, you may exercise these rights directly with Callilio; if we act as a processor, you should contact the relevant business that uses our Services. Your rights may include:
Right of access. Obtain confirmation whether we process your personal data and receive a copy of the data.
Right to rectification. Request correction of inaccurate or incomplete data.
Right to erasure (“right to be forgotten”). Request deletion of personal data under certain conditions.
Right to restriction. Request that we temporarily or permanently stop processing all or some of your personal data.
Right to data portability. Receive personal data you provided to us in a structured, commonly used and machine-readable format and transmit it to another controller.
Right to object. Object to our processing of your personal data based on our legitimate interests or for direct marketing.
Right to withdraw consent. Withdraw any consent you have given at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
Right not to be subject to automated decision-making. As noted above, we do not engage in fully automated decision-making with significant effects.
Right to lodge a complaint. Lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehörde) or your local supervisory authority.
To exercise your rights, please contact us using the details in the Contact Information section. We may need to verify your identity before responding to your request.
12. California and U.S. State Privacy Disclosures
If you are a resident of California or certain other U.S. states with privacy laws, you have specific rights under the CCPA/CPRA and similar statutes. The categories of personal information we collect correspond to the categories enumerated in the CCPA (identifiers, commercial information, internet activity, audio recordings, sensitive personal information, etc.). We do not sell your personal information or share it for cross-context behavioural advertising.
You have the right to know what personal information we collect, the purpose of collection, the categories of third parties with whom we share information, and the right to request deletion or correction of your personal information. We will not discriminate against you for exercising your rights. To submit a consumer rights request, please contact us using the information below. You may also designate an authorised agent to make requests on your behalf.
13. Swiss Privacy Disclosures
For individuals located in Switzerland, we process personal data in accordance with the revised Swiss FADP. The terms “controller,” “processor” and “personal data” have the meanings given under the FADP. Our processing activities, legal bases and rights are similar to those described above. You may lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) if you believe that your rights under Swiss law have been infringed.
14. Children's Privacy
Our Services are intended for use by businesses and their clients who are at least 16 years old (or older if required by local law). We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will take steps to delete such data. If you are a parent or guardian and believe your child has provided us with personal data, please contact us.
15. Security Measures
We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage. These measures include:
- Encryption: All data in transit is encrypted using TLS 1.2 or higher, and data at rest is encrypted with AES-256. Payment information processed by Stripe is stored and transmitted according to PCI DSS standards.
- Access control: Access to systems and databases is restricted based on role and need-to-know. Multi-factor authentication is enforced for administrators. User access is logged and audited.
- Network security: Our infrastructure providers (Vercel and Supabase) maintain industry-standard security controls including firewalls, network isolation and DDoS protection. Telephony traffic uses secure protocols (e.g., TLS for SIP and SRTP for media).
- Application security: We use secure coding practices, code reviews on non-trivial changes, input validation, parameterised queries, and automated dependency scanning (npm audit, GitHub Dependabot) to mitigate vulnerabilities. We conduct internal security reviews of new features and will publish a formal penetration-testing cadence prior to enterprise pilot onboarding.
For more details, please review our Security Page. Despite our efforts, no system is completely secure; therefore, we cannot guarantee absolute security. You can help keep your data secure by selecting strong passwords, enabling multi-factor authentication and notifying us of any suspected security incidents.
16. Changes to this Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies or legal requirements. When we make material changes, we will notify users through the Services or by email. The date of the most recent revision is indicated at the top of this Policy. Continued use of the Services after the effective date of an updated Policy constitutes acceptance of the revised terms.
17. Contact Information
If you have any questions, concerns or requests regarding this Privacy Policy or our data practices, please contact:
For EU/EEA residents, you also have the right to lodge a complaint with your local supervisory authority. In Austria, the competent authority is the Datenschutzbehörde (www.dsb.gv.at). In Switzerland, you may contact the FDPIC (www.edoeb.admin.ch). In the United States, you may contact the relevant state Attorney General for privacy complaints.