Privacy Policy

This policy covers:

• Account holders — people who sign up for Call My Agent to use the AI phone agent for their business.
• Callers — people who phone in to (or get a return call from) a business that uses Call My Agent. We process callers’ voice and conversation data on behalf of the account-holding business.
• Visitors to our website — people who browse callmyagent.ai, try the Demo, or sign up for the free 30-minute Trial.

If you’re an account holder, you’re our customer. If you’re a caller, the business you called is our customer, and your data is governed by both this policy and the business’s own practices.

2.1 From account holders

• Account information: name, email, phone number, business name, business type, time zone, business hours.
• Authentication data: sign-in credentials handled by Clerk (our authentication provider). We don’t store your password.
• Calendar integration data: if you connect a calendar, we read availability and create events. We don’t read events we didn’t create.
• Custom instructions: the prompts and rules you give your AI agent (“the agent”) — greeting wording, escalation contacts, business-specific guidance.
• Billing information: handled by Stripe. We see invoice IDs, plan, payment status. We never see your full card number.
• Cookies and session tokens: to keep you signed in and to remember your settings.
• IP address and basic device info: for security, fraud prevention, and rate-limiting.

2.2 From phone calls (inbound, Demo, outbound tasks)

• Call metadata: the calling number, the called number, time of call, duration, direction (inbound or outbound).
• Call audio: in real time so the AI can hear and respond. If recording is enabled for your business phone number, we also store the recording; recording is off by default and you opt in per number.
• Transcripts: every call is transcribed into text. This is how the AI works — it operates on text. Transcripts are stored.
• Summaries and structured data: the AI extracts things like “caller wants to reschedule Tuesday’s appointment” and stores that alongside the transcript.

2.3 What we do NOT collect

• Voiceprints. We do not create or store a unique voice fingerprint for any caller. We do not run speaker identification. We do not perform biometric voice analysis. This is an architectural commitment, not a setting you can turn on. (See section 6.)
• Health information. Call My Agent is not a HIPAA-covered service. If you transmit protected health information through it, you’re violating our Terms of Service and we may suspend your account.
• Children’s data. The service is not directed at people under 16. We do not knowingly collect data from minors. If you believe we have, email privacy@callmyagent.ai and we’ll delete it.
• Marketing data from third-party brokers. We do not buy or enrich customer lists from data brokers.

Call My Agent collects mobile phone numbers from account holders who voluntarily provide them in order to deliver service notifications, account verification (passwordless sign-in links sent via SMS), and ongoing communications related to their AI phone agent.

No mobile information will be shared with third parties or affiliates for marketing or promotional purposes.

All categories of mobile information collected — including text-messaging originator opt-in data and consent — will not be shared with any third parties for marketing or promotional purposes.

When you opt in to SMS — by checking the consent box at sign-up — you consent to receive transactional SMS messages from Call My Agent, including (but not limited to) sign-in links, agent-handled call notifications, and service-related communications. The SMS consent checkbox is optional: providing your mobile number alone does not opt you in, and you can sign up by email instead. Message and data rates may apply. Reply STOP to unsubscribe; reply HELP for support information. Message frequency varies based on agent activity (typically 1–10 messages per month for an active user).

We do not sell, rent, or share mobile information with third parties for promotional purposes. We may share mobile information with our messaging subprocessor (Telnyx) strictly for the purpose of delivering SMS the user has requested. Telnyx is contractually prohibited from using this information for any other purpose.

If you opt out via STOP, we honor the opt-out immediately. To resubscribe, reply START to the same number. Opt-out events are persisted and audited for compliance.

Under California law, some of what we process is “sensitive personal information”: call audio recordings and transcripts that may reveal precise personal details (health, location, family, finances) depending on what callers say.

We treat this category with extra care:

• We process it only to provide and improve the service for the account-holding business.
• We don’t use it to infer characteristics about you for advertising.
• You can ask us to limit certain processing of your sensitive PI (see section 8).

We process data only for these purposes:

1. Run the AI phone agent. Hear the caller, transcribe, generate a response, speak it back, store the transcript so the account holder can review.
2. Notify the account holder about calls that came in (push, SMS, email).
3. Bill you for paid plans (via Stripe).
4. Keep the service secure and prevent fraud, abuse, and account takeover.
5. Measure how the service is performing — specifically: how often the agent escalates to the account holder, how often it books vs takes a message, how often calls fall outside business hours, and similar operational metrics. These are computed across all calls and produce only counts and rates — no individual call audio, transcript, or caller identity feeds into them.
6. Respond to your support requests.

We do not use your data for these:

• We do not train our own AI models on your transcripts or call audio.
• We do not sell or rent your data, and we do not share it for cross-context behavioral advertising. We have no data brokers in our supply chain.
• We do not use call content to evaluate you for credit, insurance, or employment.

To run the service we use a small set of vendors (“processors”). Each is contractually limited to processing data only as we instruct, and each is US-based.

All processors operate in the United States. If a processor changes data-residency or training posture in a material way, we’ll update this policy and notify active account holders at least 30 days before that change takes effect (see section 13).

We have no data brokers. We don’t share data for cross-context advertising.

Call My Agent does not collect, store, or process voiceprints, speaker-identification fingerprints, or biometric voice analysis of callers or account holders. This applies whether your business is in Illinois, California, Texas, or anywhere else.

This is a hard architectural choice — there is no setting that turns it on. Our text-to-speech provider (ElevenLabs) generates the agent’s outgoing voice from text. Our speech-to-text provider (Whisper) converts caller audio into text. Neither path involves storing a unique voice fingerprint per caller.

If you (the account holder) ever want to clone your own voice as the agent voice in a future feature, we would only do so with your explicit, written, ElevenLabs-flow consent, and only of your voice — not callers’.

These rights apply to everyone whose data we process, whether you are an account holder or a caller. Many of them come from the California Consumer Privacy Act (CCPA / CPRA). California residents have these rights as a matter of state law; we extend them to everyone in the United States for simplicity.

• Right to know. Ask us what categories of data we have about you, what specific pieces of data we have, where we got them, why we use them, and who we share them with. We respond within 45 days.
• Right to delete. Ask us to delete your data. We complete deletion across our own systems and instruct each processor listed in section 5 to delete their copy. Section 8 explains how fast.
• Right to correct. Ask us to fix inaccurate data we hold about you.
• Right to limit use of sensitive personal information. Ask us to limit how we process your sensitive PI (see section 4). For account holders, this is available as a flag in your account settings; for callers, email privacy@callmyagent.ai and we’ll act on it.
• Right to opt out of sale or sharing. We do not sell or share personal information for cross-context behavioral advertising. There is nothing to opt out of, but you have the right to know that.
• Right to non-discrimination. We will not deny you service, charge you a different price, or give you a lower quality of service because you exercised a privacy right.
• Authorized agent. You can have someone act on your behalf. We will verify both your identity and the agent’s authority before fulfilling the request.

How to make a request:

• Email: privacy@callmyagent.ai
• Web form: (linked from this page once live)

We verify your identity before responding — typically by matching the request to your account’s verified email or phone, or by other reasonable means for callers without an account. If we cannot verify, we’ll tell you and explain what’s needed.

If you believe we’ve handled your data wrongly, you can also complain to the California Privacy Protection Agency (cppa.ca.gov) or the Federal Trade Commission (ftc.gov).

How long we keep your data depends on your plan:

All retention windows are configurable in your account settings. You can set a shorter window on any plan. You can delete a single call, a date range, or your entire account at any time.

When you delete, here is what happens:

1. We mark the records for deletion immediately and remove them from your view in the app.
2. We delete from our database and instruct each processor (Telnyx call recordings, ElevenLabs caches if any, transcripts in our database) to delete their copy.
3. Cascading deletion across our processors completes within 30 days.
4. After deletion, we cannot recover the data. We will not respond to legal process for data we no longer hold.

Account-level deletion: cancel via the Stripe Customer Portal stops billing immediately; account-deletion (a separate action) removes your data per the 30-day SLA above. Within 30 days of cancellation you can reinstate without data loss; after 30 days the data is gone.

Some records we retain longer for legal or operational reasons:

• Billing records: retained for 7 years for tax, audit, and chargeback purposes.
• Security logs (failed sign-ins, abuse signals): retained for up to 24 months.
• Privacy-request logs: retained for 24 months as required by CCPA recordkeeping rules.

The AI phone agent makes routine decisions on every call: what to say next, whether to take a message versus book directly, whether a caller is asking about an emergency, whether to escalate to the account holder. These are automated decisions, made by AI, in real time.

You have the right to know:

• What decisions the AI makes: routing, message-taking, calendar booking, escalation, emergency-intent detection.
• What data the AI considers: the live conversation, your account’s custom instructions, your business hours and calendar availability if connected.
• Your right to a human alternative. The service is the AI agent — opting out of automated decision-making means not using the service. We provide a “request human review” path inside the account dashboard for any specific call you want re-handled; we’ll work with you to address it, though we cannot retroactively change what the AI said on a live call.

If California’s regulations on automated decision-making technology (ADMT) become applicable to us — for example, if our revenue or customer count crosses the CCPA thresholds — we’ll update this section and notify active accounts.

Transcripts and recordings are encrypted in transit and at rest. Authentication is handled by Clerk with industry-standard session security.

We don’t claim SOC 2 certification. If and when we earn one, we will update this policy.

If you discover a security issue, email security@callmyagent.ai. We aim to acknowledge within 2 business days. Our responsible-disclosure terms (no DDoS, no social engineering of staff, give us 90 days before public disclosure, no data exfiltration beyond proof-of-concept) appear on our Trust page; researchers who follow them are safe from legal action.

All processing is in the United States. We do not transfer your personal information to processors outside the US. If we ever need to, we’ll update this section and give you a chance to opt out before we do.

We are based in the United States. If you’re outside the US and use our service, you are sending your data to the United States.

We update this policy when our practices change. For substantive changes (new categories of data, new processors, changed retention windows, changes to automated decision-making), we notify all active account holders by email at least 30 days before the change takes effect. The “Last updated” date at the top always reflects the most recent revision.

For minor edits (typos, clarifications, link fixes) we update the date but don’t email.

Privacy questions, rights requests, and concerns:

• Email: privacy@callmyagent.ai
• Web form: (linked here once live)
• Postal mail: The Madera Group, LLC, 7160 Dallas Pkwy Ste 340, Plano, TX 75024

If you’re a caller and you don’t know the account-holding business’s privacy practices, contact them directly first. We’ll help if they can’t.