Privacy Policy | CallFlows AI
Legal

Privacy Policy

How we collect, use, and protect personal data.

Last Updated: 22/05/2025

Introduction

Call Flows LTD. (along with our affiliated companies, collectively referred to as "CallFlows", "we", "our", or "us") is dedicated to protecting the privacy of your Personal Data. We are committed to ensuring that your data is processed securely, used appropriately, and that our practices are transparently communicated to our Clients, their end-users (referred to as "End-Users"), individuals who use our services on behalf of our clients (Users), and visitors to our website or other online properties (Prospects).

This Privacy Policy outlines how we collect, use, store, disclose, and otherwise process Personal Data in connection with our AI-powered voice assistant services for Shopify stores (the "Platform"), our website (https://callflows.ai/), and other related services, online advertisements, content, and communications (collectively, the "Services").

Please read this Privacy Policy carefully. By using our Services, you acknowledge that you have understood and agree to the terms of this policy. If you are a Client, your use of our Services is also governed by our Terms of Service.

You are not legally obligated to provide us with Personal Data. However, some Services may not be available or fully functional without it.

1. What Personal Data We Collect and How

We collect different types of Personal Data depending on your interaction with us:

1.1. Data Processed on Behalf of Our Clients ("Client-Owned Data")

As part of our Platform, we process Personal Data that our Clients (Shopify store owners) provide or instruct us to collect. A core function of our Platform involves integration with our Clients' Shopify stores via the Shopify API, as authorized by the Client. This means much of the Client-Owned Data is sourced directly from, or synchronized with, the Client's Shopify account. This Client-Owned Data may include:

  • Shopify Store Data: Information about products, orders, customers (End-Users), and other store-related data accessed via the Shopify API as necessary to provide our Services.
  • End-User Interaction Data: Information about End-Users' interactions with our Clients' online stores, including voice recordings of interactions with the AI voice assistant, transcripts of these interactions, purchase history (often sourced via Shopify API), browsing activity, and communications with the AI.
  • End-User Contact Information: If provided by the Client (often via Shopify API synchronization) or End-User, this may include names, email addresses, phone numbers, and shipping addresses.

Our Role: When processing Client-Owned Data, Call Flows LTD acts as a "data processor" (or "service provider" under laws like CCPA/CPRA) on behalf of our Client, who is the "data controller" (or "business"). Our processing is governed by our agreements with the Client, including our Data Processing Addendum (DPA), and their lawful instructions. Clients are responsible for authorizing our access to their Shopify store data via the Shopify API and for ensuring they have a lawful basis for collecting and instructing us to process this Client-Owned Data, including obtaining necessary consents from End-Users.

1.2. Data of Our Clients and Their Users ("User Data")

We collect Personal Data about our Clients and individuals who use the Platform on their behalf (e.g., account administrators, billing contacts). This User Data includes:

  • Account Information: Names, email addresses, company details, phone numbers, titles, and hashed passwords.
  • Billing Information: Payment details and transaction history.
  • Platform Usage Data: IP addresses, device information (type, OS, browser), activity logs, session recordings, and interaction data within the Platform.
  • Communication Data: Records of calls, emails, and other communications with us (e.g., for support or training).

Our Role: For User Data, Call Flows LTD acts as a "data controller" (or "business") for our own legitimate business purposes (e.g., service provision, billing, improvement of services). When User Data is part of Client-Owned Data (e.g., usage logs specific to a Client's account), we act as a "data processor".

1.3. Data of Our Website Visitors and Prospects ("Prospect Data")

We collect Personal Data from individuals who visit our website, interact with our online ads, or communicate with us as potential clients or partners. This Prospect Data includes:

  • Website Usage Information: IP addresses, device data, browser type, activity logs, session recordings, and information collected via cookies and similar technologies (see our Cookie Policy).
  • Contact Information: Names, email addresses, company details, and other information provided through forms or communications.
  • Communication Data: Records of calls, emails, chat interactions, and form submissions.

Our Role: Call Flows LTD acts as a "data controller" (or "business") for Prospect Data.

1.4. Data from AI Interactions (Specific to Voice Services)

Given our service involves AI-powered voice assistants, we specifically collect and process:

  • Voice Recordings and Transcripts: Audio of interactions between End-Users and the AI voice assistant, and the corresponding text transcripts. This data is primarily Client-Owned Data.
  • AI Interaction Data for Service Enhancement: Anonymized or aggregated data derived from voice interactions may be used to improve the performance, accuracy, and capabilities of our Platform and how it utilizes AI models (which may be provided by third-party services such as OpenAI). This includes, for example, refining how our Platform processes queries, manages dialogue flow, or integrates with these AI models. We do not use Client-Owned Data to train the general underlying models of third-party AI providers like OpenAI, unless explicitly agreed with a Client for a custom fine-tuning purpose and as permitted by the AI provider's terms.

CCPA Notice: In the past 12 months, we may have collected the following categories of Personal Data (as defined by the CCPA): Identifiers; Commercial Information; Customer Record Information; Internet or other electronic network activity; Geolocation Data; Audio, Electronic, Visual, or Similar Information; and Inferences. We do not knowingly collect sensitive Personal Data as defined by the CCPA without explicit consent or as directed by our Clients.

2. How We Use Your Personal Data

We use Personal Data for the following purposes, relying on the lawful bases indicated:

2.1. Client-Owned Data:

  • Providing Services to Clients: To deliver, operate, and maintain the Platform as instructed by our Clients. This includes accessing and processing Client-Owned Data (including data obtained via the Shopify API with Client authorization) to enable the AI voice assistant functionalities, manage interactions, fulfill requests, and provide related services. (Basis: Performance of a contract with the Client; Legitimate Interest)
  • Supporting Clients: To provide technical support and assistance related to the Client-Owned Data and the Platform's integration with their Shopify store. (Basis: Performance of a contract with the Client; Legitimate Interest)
  • Improving Services (on Client's behalf): To analyze and improve the AI voice assistant's performance for the specific Client, based on their data (including data processed via the Shopify API) and instructions. (Basis: Performance of a contract with the Client; Legitimate Interest)

2.2. User Data & Prospect Data:

  • Service Provision and Operation: To facilitate access to and use of our Services, authenticate Users, and manage accounts. (Basis: Performance of a Contract; Legitimate Interest)
  • Support and Communication: To provide assistance, respond to inquiries, and send service-related communications. (Basis: Performance of a Contract; Legitimate Interest)
  • Service Improvement: To analyze usage patterns, develop new features, and enhance the overall performance and user experience of our Services. This includes using anonymized or aggregated data derived from AI interactions to improve the functionality and effectiveness of the AI-driven features within our Platform, including how it integrates with and utilizes third-party AI models. (Basis: Legitimate Interest; Consent where applicable)
  • Marketing and Sales: To manage marketing campaigns, deliver targeted advertisements for our products and services (including on third-party websites and platforms like Google Ads, Facebook Ads, X Ads, and Shopify Ads), and communicate promotional offers or information about our Services that may be of interest. This involves working with advertising partners and utilizing tracking technologies as detailed in our Cookie Policy. (Basis: Legitimate Interest; Consent where applicable for certain tracking or direct marketing activities)
  • Business Operations: To pursue growth opportunities, establish local presence, and tailor experiences. (Basis: Legitimate Interest)
  • Events and Promotions: To facilitate, sponsor, and offer events, contests, and promotions. (Basis: Legitimate Interest; Consent where applicable)
  • Feedback and Content: To publish feedback or submissions on our Sites or public forums (with consent where required). (Basis: Legitimate Interest; Consent)
  • Security and Fraud Prevention: To maintain security, prevent fraud, and mitigate risks of illegal or prohibited activities. (Basis: Legitimate Interest; Performance of a Contract; Compliance with legal obligations)
  • Aggregated/Anonymized Data: To create de-identified data for research, service improvement, or other business purposes. (Basis: Legitimate Interest)
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes. (Basis: Compliance with legal obligations)

3. Data Location and International Transfers

We and our authorized Service Providers (see Section 5) may maintain, store, and process Personal Data in various locations globally. Our primary data storage servers for Call Flows LTD are located in the European Union (EU) and the United States (US). Our Service Providers may process data in other jurisdictions, including but not limited to the United Kingdom, Australia, and the Philippines, as reasonably necessary for the proper performance and delivery of our Services, or as may be required by law.

Client-Owned Data will only be processed in locations permitted by our Data Processing Addendum and other agreements with the Client.

Call Flows LTD. is headquartered in Bulgaria, a member state of the European Union, and as such, operates under the General Data Protection Regulation (GDPR). Data processing within the EEA is inherently covered by GDPR. For transfers of Personal Data from the EEA, Switzerland, and the UK to countries outside of these areas that are not considered to offer an adequate level of data protection (such as to some of our Service Providers or to our US-based operations), we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission, the UK Information Commissioner's Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC), or other legally approved transfer mechanisms. You can request a copy of the applicable SCCs by contacting us.

Call Flows Inc. (our US entity) complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. We adhere to the DPF Principles for Personal Data received from the EU, UK, and Switzerland in reliance on these frameworks. In cases of onward transfers to third parties, we remain liable under the DPF Principles. To learn more and view our certification, please visit https://www.dataprivacyframework.gov/.

4. Data Retention

Client-Owned Data: We retain Client-Owned Data according to our Client's instructions and as specified in our DPA and other agreements with them.

User Data and Prospect Data: We retain this data for as long as reasonably necessary to provide our Services, maintain our relationship with you, comply with legal and contractual obligations, and protect ourselves from potential disputes (e.g., for log-keeping, record-keeping). We determine retention periods based on the nature of the Personal Data, potential risks, processing purposes, and legal requirements.

We are not obligated to retain your Personal Data for any specific period unless required by law or agreement and may delete it at any time. For questions about our data retention policy, contact us at contact@callflows.ai.

5. Data Disclosure and Sharing

We do not sell your Personal Data in the traditional sense. However, some data sharing, particularly in the context of online advertising technologies, might be considered a "sale" or "sharing" under certain US state privacy laws (see Section 12).

We may disclose Personal Data in the following circumstances:

  • Legal Compliance: If required by law, subpoena, court order, or similar legal process, or if we believe in good faith that disclosure is necessary to investigate or prevent illegal activity, fraud, or to protect our legitimate business interests or the security of our Services.
  • Service Providers (including Sub-processors for Client-Owned Data): We engage third-party companies ("Service Providers") to perform services complementary to our own or to process data on our behalf or on behalf of our Clients. When Call Flows LTD acts as a data controller (e.g., for User Data or Prospect Data), these Service Providers process data on our behalf. When Call Flows LTD acts as a data processor for our Clients (for Client-Owned Data), certain of these Service Providers act as sub-processors. Key categories of Service Providers who may act as sub-processors for Client-Owned Data include:
    • Hosting and server co-location providers (for storing Client-Owned Data).
    • AI service providers (such as OpenAI for processing voice and text data to enable AI functionalities within the Platform, as instructed by the Client).
    • Communication service providers (e.g., for transmitting messages or notifications related to the service on behalf of the Client).
    • Data analytics or activity recording services used to support the Client's use of the Platform.
    Other Service Providers we use for our own business purposes (for which we are the controller) include providers for data and cyber security, billing and payment processing, fraud detection and prevention, web and mobile analytics (for our Sites), data enrichment, email/SMS distribution (for our communications), remote access, performance measurement, marketing, customer support systems, and our legal, financial, and compliance advisors. All Service Providers are engaged under contract and are required to protect Personal Data and use it only for the specific purposes for which it was disclosed to them, consistent with their role as a processor or sub-processor. Clients will be informed of sub-processors involved in the processing of their Client-Owned Data and the process for changes to such sub-processors as outlined in their agreement (e.g., Data Processing Addendum) with Call Flows LTD.
  • Advertising Partners: We may share certain information (such as data collected through cookies, usage data, or hashed identifiers) with advertising platforms and partners (e.g., Google, Facebook/Meta, X, Shopify) to help us deliver targeted advertising, measure the effectiveness of our campaigns, and reach relevant audiences. These partners may combine this information with other data they have collected. Their use of data is governed by their own privacy policies, which we encourage you to review.
  • Partners: We may share relevant contact, business, and usage details with business partners, resellers, or distributors to facilitate local presence and tailored experiences for Clients and Users. Engagements with Partners not directly related to our Services are governed by their own terms and privacy policies.
  • Event Sponsors: If you attend our events/webinars or access sponsored content, we may share your Personal Data with sponsors, with your consent where required by law. Their use of your data is subject to their privacy policies.
  • Within Client Accounts: Client-Owned Data and associated User Data are accessible to authorized Users and administrators within that Client's account. The Client (as data controller) is responsible for any further disclosure or use of such Personal Data.
  • Protecting Rights and Safety: If we believe disclosure is necessary to protect the rights, property, or safety of Call Flows LTD, our Users, Clients, or the public.
  • Corporate Affiliates and Transactions: We may share Personal Data within our corporate group. If Call Flows LTD undergoes a merger, acquisition, or sale of assets, Personal Data may be transferred to the involved parties. We will notify you of such changes if they materially affect your Personal Data.
  • With Your Consent: We may disclose Personal Data in other ways if you provide explicit approval.
  • Non-Personal Data: We may use and disclose aggregated, anonymized, or de-identified data without restriction.

CCPA Disclosure Summary (Last 12 Months): We may have disclosed Identifiers; Internet/electronic network activity; Geolocation Data; Commercial Information; Customer Record Information; Audio/Electronic Information; and Inferences for legal compliance, to Service Providers, within Client accounts, for protecting rights/safety, and to our affiliates. Identifiers; Internet/electronic network activity; Geolocation Data; Customer Record Information; Commercial Information; and Inferences may have been disclosed to Partners and Event Sponsors.

6. Cookies and Tracking Technologies

We and our Service Providers (including advertising partners like Google, Facebook/Meta, X, and Shopify) use cookies, pixels, web beacons, and similar tracking technologies to provide and monitor our Services, analyze performance, personalize your experience, and for advertising purposes (such as serving targeted ads and measuring campaign effectiveness). Such cookies and similar files or tags may also be temporarily placed on your device. Certain cookies and other technologies serve to recall Personal Data, such as an IP address, as indicated by you or collected automatically.

For detailed information about the types of cookies used (including those from third-party advertising partners), why we use them, and how you can manage your cookie preferences (including opting out of certain tracking for advertising purposes), please see our comprehensive Cookie Policy. You may also be able to manage some cookie preferences through our website's "Cookie Settings" feature (if available) or your browser settings.

7. Communications

Service Communications: We may contact you with important information about our Services, such as updates, billing issues, or security notices. You generally cannot opt out of these essential communications.

Promotional Communications: We may send you emails or other messages about new features, special offers, or events. You can opt out of promotional communications at any time by using the "unsubscribe" link in the communication, adjusting your user profile settings, or emailing contact@callflows.ai.

8. Data Security

We are committed to protecting the security of your Personal Data. We implement and maintain a range of reasonable and appropriate industry-standard security measures designed to prevent unauthorized access, use, alteration, disclosure, or destruction of Personal Data. These measures include:

  • Technical Measures: Such as encryption of data at rest and in transit where appropriate, use of firewalls, secure server configurations, intrusion detection and prevention systems, and regular vulnerability assessments and penetration testing.
  • Organizational Measures: Including internal policies and procedures for data handling, access controls (such as role-based access and multi-factor authentication where appropriate) to limit access to Personal Data to authorized personnel, employee training on data protection and security, and vendor security assessments.
  • Physical Measures: Secure data center facilities with access controls and environmental safeguards for the physical protection of our IT infrastructure.

We regularly review and update our security practices to address new and evolving threats and to adapt to changes in industry standards and regulations. However, please be aware that despite our best efforts, no security system is impenetrable, and we cannot guarantee the absolute security of any Personal Data stored with us or with any third parties. The transmission of information via the internet is not completely secure, and any transmission is at your own risk. We are not responsible for the circumvention of any privacy settings or security measures contained on the Services by you or third parties.

If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of any account you might have with us has been compromised), please immediately notify us by contacting us at contact@callflows.ai.

9. Your Data Subject Rights

Depending on applicable law (e.g., GDPR, CCPA/CPRA, VCDPA), you may have rights concerning your Personal Data, including:

  • Right to Know/Access: To request information about the Personal Data we hold about you, including categories, sources, purposes of collection, and categories of third parties with whom we share it.
  • Right to Rectification: To request correction of inaccurate Personal Data.
  • Right to Erasure/Deletion: To request deletion of your Personal Data, subject to certain exceptions.
  • Right to Restrict Processing: To limit how we process your Personal Data.
  • Right to Object to Processing: To object to certain types of processing (e.g., for direct marketing).
  • Right to Data Portability: To receive your Personal Data in a structured, commonly used, and machine-readable format.
  • Right to Opt-Out of Sale/Sharing: (Under CCPA/CPRA and similar laws) To direct us not to "sell" or "share" your Personal Data for cross-context behavioral advertising.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise these rights, please email contact@callflows.ai. We may need to verify your identity before processing your request. If your request concerns Client-Owned Data, we will forward it to the relevant Client (the data controller) as they are responsible for handling such requests.

You may also have the right to lodge a complaint with your local data protection authority.

DPF Inquiries: For complaints related to our Data Privacy Framework compliance, please contact contact@callflows.ai. If unresolved, Call Flows Inc. has committed to cooperate with EU DPAs, the UK ICO, and the Swiss FDPIC. Under certain conditions, you may invoke binding arbitration (see DPF Principles). The FTC has investigatory and enforcement powers over Call Flows Inc.

10. Data Controller and Processor Roles

Understanding these roles is important under laws like GDPR and CCPA/CPRA:

  • Call Flows LTD as Data Controller: We are the data controller for Prospect Data and for User Data when processed for our own business purposes (as described in Section 2).
  • Call Flows LTD as Data Processor: We are the data processor for Client-Owned Data, acting on behalf of our Clients. We also act as a processor for portions of User Data that are integral to a Client's account.

Our Clients, as data controllers for Client-Owned Data, are responsible for the lawful basis of processing and for responding to data subject requests concerning that data.

11. Caller Notifications

We send store owners email alerts when a new call is received. These alerts include only the first and last three digits of the caller’s number (e.g., +123 *** *** 456) to help identify the call while protecting privacy. While masking reduces identifiability, the number may still be considered personal data if combined with other information the store owner holds. We never send full caller numbers by email, and full details are available only through the secure dashboard.

Caller Information in Notifications

The Processor will send the Controller email notifications when an inbound call is received. Such notifications will always include a partially masked telephone number consisting of the first and the last three digits only (e.g., +123 *** *** 456). The remaining digits will be replaced with masking characters and will not be transmitted via email.

Controller Instructions

By accepting this Agreement, the Controller: Instructs the Processor to send masked caller numbers in the above format in email notifications; Confirms they have a lawful basis under applicable data protection laws (including GDPR) to process the caller’s personal data in this format; Acknowledges that the masked number may still be considered personal data if combined with other information they hold; Accepts responsibility for securing their email account and any personal data contained in notifications once received.

Processor Commitments

The Processor shall: Only transmit masked caller numbers in the specified format via email notifications; Never transmit full caller numbers in email notifications; Implement reasonable safeguards for the secure transmission of email notifications, noting that standard email protocols may not be encrypted end-to-end.

Risk Notice

The Controller acknowledges that even masked numbers may be linkable to specific individuals when combined with other information in their possession, and accepts the associated risk.

12. Security and Data Breach Notification

We have internal incident response policies to manage potential security incidents involving Personal Data. We employ reasonable administrative, technical, and organizational measures to protect Personal Data. In the event of a data breach involving Personal Data that is likely to result in a risk to the rights and freedoms of individuals, we will take steps according to our procedures and applicable laws, which may include notifying affected individuals or authorities in a timely manner as required.

If you have questions about our security practices, contact us at contact@callflows.ai.

13. Additional Notices

  • Updates and Amendments: We may update this Privacy Policy by posting an amended version on our Services. The new version is effective upon publication. We will provide prior notice of substantial changes. Continued use after the notice period constitutes acceptance.
  • Requirements under US State Privacy Laws (e.g., CCPA/CPRA): This policy describes categories of Personal Data we may collect (Section 1), sources (Section 1), retention (Section 4), and deletion (Section 9). Our processing purposes (Sections 2, 5, 6, 7) include "business purposes" under these laws. Disclosure of internet activity/device info via cookies may be a "sale" or "sharing" for "targeted advertising"; see our Cookie Policy and Section 9 for opt-out rights. You can designate an authorized agent to exercise rights by emailing us.
  • External Links: Our Services may link to third-party sites. We are not responsible for their privacy practices. Please review their policies.
  • Children's Privacy: Our Services are not directed to children under the age of 16 (or a higher age threshold depending on the jurisdiction). We do not knowingly collect Personal Data from children. If we become aware that we have, we will take steps to delete it.

14. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your Personal Data, please contact us at:
Call Flows LTD.
Email: contact@callflows.ai
Bulgaria, Sofia, blvd Vitosha 1A