Privacy Policy | CallFlows AI
Legal

Privacy Policy

How we collect, use, and protect personal data.

Last Updated: 25/04/2026

Introduction

Call Flows LTD. (collectively referred to as "CallFlows", "CallFlows AI", "we", "our", or "us") is dedicated to protecting the privacy of your Personal Data. We are committed to ensuring that your data is processed securely, used appropriately, and that our practices are transparently communicated to our Clients, their end-users (referred to as "End-Users"), individuals who use our services on behalf of our clients ("Users"), and visitors to our website or other online properties ("Prospects").

Scope – the Services this Policy Covers

This Privacy Policy covers our AI-powered voice agent platform, which we make available through two product lanes plus cross-cutting access:

  • Shopify App. The CallFlows AI Shopify App, installed by Shopify merchants from the Shopify App Store and integrated with the merchant's Shopify store via the Shopify Admin API.
  • Enterprise Services. Our Enterprise product, consisting of standalone Enterprise AI voice agents, the Enterprise Portal (a unified operations layer covering multiple phone numbers, agents and, where linked by the Client, Shopify stores — including call history, transcripts, analytics, outcomes, usage reporting and billing), and Enterprise Connectors (ready-built integrations with systems such as Zendesk, HubSpot, Salesforce, Intercom, ServiceNow, Freshdesk, Jira Service Management and Slack).
  • CallFlows API. A programmatic REST API that may be used by Clients with an active subscription in either lane (Shopify App or Enterprise Services) to automate interactions with the Services.
  • Website and Communications. Our website at https://callflows.ai/, related microsites, blog, online advertisements, events, and our business communications.

We refer to all of the above collectively as the "Services", and to the underlying technology and infrastructure as the "Platform". Some data categories and practices apply only to one lane; where that is the case we say so.

Please read this Privacy Policy carefully. By using our Services, you acknowledge that you have understood and agree to the terms of this policy. If you are a Client, your use of our Services is also governed by our Terms of Service and, where applicable, our Data Processing Addendum (DPA).

You are not legally obligated to provide us with Personal Data. However, some Services may not be available or fully functional without it.

1. What Personal Data We Collect and How

We collect different types of Personal Data depending on your interaction with us.

1.1. Data Processed on Behalf of Our Clients ("Client-Owned Data")

Our Clients (Shopify merchants using the Shopify App, and organisations using the Enterprise Services) provide or instruct us to collect, access or generate Personal Data in order for us to operate the Services for them. Depending on which lane the Client uses, Client-Owned Data may include:

  • Shopify Store Data (Shopify App only). Information accessed via the Shopify Admin API as authorised by the Client, such as product details, order information (items, value, status), customer contact information (name, email, phone, shipping/billing address), customer purchase history, store policies and pages, and related store-level data that is necessary to operate the voice agent (for example, to look up an order or provide shipping status).
  • Integrated System Data (Enterprise Services only). Information accessed from business systems that the Client connects to the Enterprise Services via Enterprise Connectors, the CallFlows API, or other Client-authorised interfaces. This may include records such as CRM contacts, helpdesk tickets, case or order records, knowledge base content, calendar events, and other business-system data that the Client instructs us to retrieve, create, or update in order to run the Client's Enterprise AI agent.
  • End-User Interaction Data (both lanes). Voice recordings and transcripts of calls between End-Users (e.g. the Client's customers) and the AI voice agent, AI-generated summaries, sentiment and analytics signals, caller identifiers (in full to the Client via the dashboard and, where enabled, via the CallFlows API; masked in our email notifications — see Section 11), session identifiers, call metadata (duration, time, end reason, transfers to human, etc.), and outcomes.
  • End-User Contact Information (both lanes). Names, email addresses, phone numbers, and addresses collected during a call, synchronised from the Client's Shopify store (Shopify App lane), or obtained from integrated business systems (Enterprise lane).

Our Role. When processing Client-Owned Data, Call Flows LTD acts as a "data processor" (or "service provider" under laws such as the CCPA/CPRA) on behalf of our Client, who is the "data controller" (or "business"). Our processing is governed by our agreements with the Client, including our DPA, and their lawful instructions. Clients are responsible for (a) authorising our access to Shopify Store Data via the Shopify Admin API or to Integrated System Data via the Enterprise Connectors or the CallFlows API, and (b) ensuring they have a lawful basis for collecting and instructing us to process this data, including obtaining any consents from End-Users required by applicable law (for example, consent to call recording).

1.2. Data of Our Clients and Their Users ("User Data")

We collect Personal Data about our Clients and the individuals who use the Services on their behalf (account administrators, billing contacts, portal users, API operators). This User Data includes:

  • Account Information. Names, email addresses, company details, phone numbers, titles, and hashed passwords (where applicable). For the Shopify App, identity is primarily authenticated via Shopify OAuth; for the Enterprise Portal, we also maintain our own authenticated accounts.
  • Billing Information. Contract information, plan selection, usage, invoices, and transaction identifiers. Full payment card data is not stored by us — see Section 7 (Payment Processing).
  • Platform Usage Data. IP addresses, device information (type, OS, browser), activity and audit logs, session identifiers, and interaction data within the Services.
  • Communication Data. Records of calls, emails, in-product messages, support tickets, and other communications with us (e.g. for support, onboarding, or training).

Our Role. For User Data, Call Flows LTD generally acts as a "data controller" (or "business") for our own legitimate business purposes (service provision, billing, security, improvement). Where User Data is part of Client-Owned Data (for example, usage logs specific to a Client's account), we act as a "data processor".

1.3. Data of Our Website Visitors and Prospects ("Prospect Data")

We collect Personal Data from individuals who visit our website, interact with our online ads, or communicate with us as potential Clients or partners. This Prospect Data includes:

  • Website Usage Information. IP addresses, device data, browser type, activity logs, and information collected via cookies and similar technologies (see our Cookie Policy), including UTM parameters and click identifiers used for attribution.
  • Contact Information. Names, email addresses, company details, and other information provided through forms or communications.
  • Communication Data. Records of calls, emails, chat interactions, and form submissions.

Our Role. Call Flows LTD acts as a "data controller" (or "business") for Prospect Data.

1.4. Data from AI Interactions (specific to voice services)

Because our Services involve AI-powered voice agents, we specifically collect and process:

  • Voice Recordings and Transcripts. Audio of interactions between End-Users and the AI voice agent, and the corresponding text transcripts. This data is Client-Owned Data.
  • AI Interaction Data for Service Enhancement. Anonymised or aggregated data derived from voice interactions may be used to improve the performance, accuracy and capabilities of our Platform and how it utilises third-party AI models (such as those provided by OpenAI). This includes, for example, refining how our Platform constructs prompts, manages dialogue flow, or selects tools. We do not use Client-Owned Data to train the general underlying models of third-party AI providers such as OpenAI, unless explicitly agreed with a Client for a custom fine-tuning purpose and as permitted by the AI provider's terms. Our integration with OpenAI is configured so that Client-Owned Data is not used by OpenAI to train or improve their general-purpose models.

CCPA/CPRA Notice. In the past 12 months, we may have collected the following categories of Personal Data (as defined by the CCPA/CPRA): Identifiers; Commercial Information; Customer Record Information; Internet or other electronic network activity; Geolocation Data; Audio, Electronic, Visual or Similar Information; and Inferences. We do not knowingly collect "sensitive personal information" under the CCPA/CPRA without explicit consent or as directed by our Clients, and we do not "sell" Personal Data in exchange for money.

2. How We Use Your Personal Data

We use Personal Data for the following purposes, relying on the lawful bases indicated.

2.1. Client-Owned Data

  • Providing the Services. To deliver, operate and maintain the Services as instructed by our Clients. This includes operating the AI voice agent, integrating with the Client's Shopify store via the Shopify Admin API (Shopify App lane) or with connected business systems via the Enterprise Connectors or the CallFlows API (Enterprise Services), managing interactions, fulfilling requests, and providing related services. (Basis: performance of a contract with the Client; legitimate interest.)
  • Supporting Clients. Providing technical support and assistance related to Client-Owned Data and the Services (including troubleshooting the Client's Shopify integration or connectors). (Basis: performance of a contract with the Client; legitimate interest.)
  • Improving Services for the Client. Analysing and improving the AI voice agent's performance for the specific Client, based on their data and instructions. (Basis: performance of a contract with the Client; legitimate interest.)

2.2. User Data & Prospect Data

  • Service provision and operation: To facilitate access to and use of our Services, authenticate Users, and manage accounts. (Basis: performance of a contract; legitimate interest.)
  • Support and communication: To provide assistance, respond to inquiries, and send service-related communications. (Basis: performance of a contract; legitimate interest.)
  • Service improvement: To analyse usage patterns, develop new features, and enhance the overall performance and user experience of our Services. This includes using anonymised or aggregated data derived from AI interactions to improve the functionality and effectiveness of the AI-driven features within our Platform, including how it integrates with and utilises third-party AI models. (Basis: legitimate interest; consent where applicable.)
  • Billing and fraud prevention: Calculating fees and overage, reconciling usage, issuing invoices and receipts, managing retries and dunning, and coordinating with our payment processors (see Section 7). (Basis: performance of a contract; legitimate interest; compliance with legal obligations.)
  • Marketing and sales: To manage marketing campaigns, deliver targeted advertisements for our products and services (including on third-party websites and platforms such as Google Ads, Meta Ads, X Ads, LinkedIn Ads and Shopify Ads), and communicate promotional offers or information about our Services that may be of interest. This involves working with advertising partners and utilising tracking technologies as detailed in our Cookie Policy. (Basis: legitimate interest; consent where applicable for certain tracking or direct marketing activities.)
  • Business operations: To pursue growth opportunities, establish local presence, and tailor experiences. (Basis: legitimate interest.)
  • Events and promotions: To facilitate, sponsor, and offer events, contests, and promotions. (Basis: legitimate interest; consent where applicable.)
  • Feedback and content: To publish feedback or submissions on our Services or public forums (with consent where required). (Basis: legitimate interest; consent.)
  • Security and fraud prevention: To maintain security, prevent fraud, and mitigate risks of illegal or prohibited activities. (Basis: legitimate interest; performance of a contract; compliance with legal obligations.)
  • Aggregated / anonymised data: To create de-identified data for research, service improvement, or other business purposes. (Basis: legitimate interest.)
  • Legal compliance: To comply with applicable laws, regulations, and legal processes, including Shopify platform and App Store requirements where applicable. (Basis: compliance with legal obligations.)

3. Data Location and International Transfers

We and our authorised Service Providers (see Section 5) may maintain, store and process Personal Data in various locations globally. Our primary production environments are hosted on Amazon Web Services (AWS) in the European Union (Frankfurt, Germany) and in the United States (Ohio and Oregon). Our Service Providers may process data in other jurisdictions (including the United Kingdom and other countries where they operate) as reasonably necessary for the proper performance and delivery of our Services, or as required by law.

Client-Owned Data will only be processed in locations permitted by our DPA and other agreements with the Client.

Call Flows LTD is a Bulgarian company and therefore established in the European Union. Our processing is governed by the EU General Data Protection Regulation (GDPR). Data processing within the EEA is inherently covered by the GDPR. For transfers of Personal Data from the EEA, Switzerland or the UK to countries that are not considered by the European Commission or the relevant UK/Swiss authorities to offer an adequate level of data protection (such as, currently, the United States in certain scenarios), we rely on appropriate safeguards, primarily the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (UK IDTA) where applicable, or other legally approved transfer mechanisms such as adequacy decisions. Where a sub-processor is certified under the EU–U.S. Data Privacy Framework (DPF), the UK Extension thereto, or the Swiss–U.S. DPF, we may also rely on that framework with respect to that sub-processor. You can request a copy of the applicable SCCs or a summary of our transfer mechanisms by contacting us at contact@callflows.ai.

4. Data Retention

Client-Owned Data: We retain Client-Owned Data in accordance with our Client's configuration and instructions and as specified in our DPA and other agreements with them. Where we offer retention controls in the product (for example, call-recording retention or transcript deletion), Clients are responsible for configuring them to meet their own legal obligations.

User Data and Prospect Data: We retain this data for as long as is reasonably necessary to provide our Services, maintain our relationship with you, comply with legal and contractual obligations, and defend against potential disputes (e.g., for log-keeping and record-keeping). We determine retention periods based on the nature of the Personal Data, potential risks, processing purposes, and legal requirements.

We are not obligated to retain your Personal Data for any specific period unless required by law or agreement, and we may delete it at any time. For questions about our data retention policy, contact us at contact@callflows.ai.

5. Data Disclosure and Sharing

We do not sell your Personal Data for money. However, some data sharing, particularly in the context of online advertising technologies, may be considered a "sale" or "sharing" under certain US state privacy laws (see Section 10).

We may disclose Personal Data in the following circumstances:

  • Legal Compliance: If required by law, subpoena, court order, or similar legal process, or if we believe in good faith that disclosure is necessary to investigate or prevent illegal activity, fraud, or to protect our legitimate business interests or the security of our Services.
  • Service Providers (including Sub-processors for Client-Owned Data): We engage third-party companies ("Service Providers") to perform services complementary to our own or to process data on our behalf or on behalf of our Clients. When Call Flows LTD acts as a data controller (e.g., for User Data or Prospect Data), these Service Providers process data on our behalf. When Call Flows LTD acts as a data processor for our Clients (for Client-Owned Data), certain of these Service Providers act as sub-processors. Key categories of Service Providers who may act as sub-processors for Client-Owned Data include:
    • Hosting and infrastructure providers (Amazon Web Services).
    • AI model providers (such as OpenAI) for speech-to-text, natural-language understanding, response generation and sentiment analysis, configured so that Client-Owned Data is not used by the provider to train its general-purpose models.
    • Telecommunications / voice carriers (such as Voip.ms) for the origination and termination of inbound and outbound calls.
    • Email and notification providers (such as Mailjet) for transactional and service emails sent to Users and End-Users on the Client's behalf.
    • Shipment and logistics lookup APIs (such as USPS, UPS and TWBGO, where enabled) queried when an End-User asks about an order.
    • Data analytics or activity recording services used to support the Client's use of the Platform.
    Other Service Providers we use for our own business purposes (for which we are the controller) include providers for data and cyber security, payment processing (see Section 7), fraud detection and prevention, web and mobile analytics (for our website), data enrichment, email/SMS distribution (for our own communications), remote access, performance measurement, marketing, customer support systems, and our legal, financial and compliance advisors. All Service Providers are engaged under contract and are required to protect Personal Data and use it only for the specific purposes for which it was disclosed to them, consistent with their role as a processor or sub-processor. Clients will be informed of sub-processors involved in the processing of their Client-Owned Data and the process for changes to such sub-processors as outlined in the DPA.
  • Payment processors: See Section 7.
  • Advertising Partners: We may share certain information (such as data collected through cookies, usage data, or hashed identifiers) with advertising platforms and partners (e.g. Google, Meta, X, LinkedIn, Shopify) to help us deliver targeted advertising, measure the effectiveness of our campaigns, and reach relevant audiences. These partners may combine this information with other data they have collected. Their use of data is governed by their own privacy policies, which we encourage you to review.
  • Partners: We may share relevant contact, business, and usage details with business partners, resellers, or distributors to facilitate local presence and tailored experiences for Clients and Users. Engagements with Partners not directly related to our Services are governed by their own terms and privacy policies.
  • Event Sponsors: If you attend our events / webinars or access sponsored content, we may share your Personal Data with sponsors, with your consent where required by law. Their use of your data is subject to their privacy policies.
  • Within Client Accounts: Client-Owned Data and associated User Data are accessible to authorised Users and administrators within that Client's account (Shopify admin users and/or Enterprise Portal users, and API operators configured by the Client). The Client (as data controller) is responsible for any further disclosure or use of such Personal Data.
  • Protecting Rights and Safety: If we believe disclosure is necessary to protect the rights, property, or safety of Call Flows LTD, our Users, Clients, End-Users, or the public.
  • Corporate Transactions: If Call Flows LTD undergoes a merger, acquisition, reorganisation, or sale of assets, Personal Data may be transferred to the involved parties. We will notify you of such changes if they materially affect your Personal Data.
  • With Your Consent: We may disclose Personal Data in other ways if you provide explicit consent.
  • Non-Personal Data: We may use and disclose aggregated, anonymised, or de-identified data without restriction.

CCPA Disclosure Summary (last 12 months): We may have disclosed Identifiers; Internet/electronic network activity; Geolocation Data; Commercial Information; Customer Record Information; Audio/Electronic Information; and Inferences for legal compliance, to Service Providers, within Client accounts, for protecting rights/safety, and to payment processors. Identifiers; Internet/electronic network activity; Geolocation Data; Customer Record Information; Commercial Information; and Inferences may have been disclosed to Partners and Event Sponsors and, via advertising cookies, to advertising partners.

6. Cookies and Tracking Technologies

We and our Service Providers (including advertising partners such as Google, Meta, X, and Shopify) use cookies, pixels, web beacons, and similar tracking technologies to provide and monitor our Services, analyse performance, personalise your experience, and for advertising purposes (such as serving targeted ads and measuring campaign effectiveness). Such cookies and similar files or tags may also be temporarily placed on your device. Certain cookies and other technologies serve to recall Personal Data, such as an IP address, as indicated by you or collected automatically.

For detailed information about the types of cookies used (including those from third-party advertising partners), why we use them, and how you can manage your cookie preferences (including opting out of certain tracking for advertising purposes), please see our comprehensive Cookie Policy. You may also be able to manage some cookie preferences through our website's cookie settings banner or your browser settings.

7. Payment Processing

Billing for our Services is strictly separated between the two product lanes, and CallFlows does not store full payment card numbers, card authentication credentials, or equivalent payment instrument secrets:

  • Shopify App — Shopify Billing. If you use the CallFlows AI Shopify App, all subscription fees, metered overage charges, and other Shopify App-related fees are billed and collected exclusively through Shopify Billing, in accordance with Shopify's applicable payment terms. Shopify (Shopify Inc. and its affiliates) collects and processes your payment instrument information directly as part of Shopify Billing; CallFlows does not receive or store your Shopify payment instrument details. Shopify's handling of your payment data is governed by Shopify's privacy policy.
  • Enterprise Services — Stripe. If you use our Enterprise Services, all subscription fees, metered overage charges, plan changes, prorations and refunds are billed and collected exclusively through Stripe (Stripe, Inc. and/or Stripe Payments Europe, Limited, as applicable to your jurisdiction), our third-party payment processor, via Stripe Checkout and the Stripe Customer (Billing) Portal. Payment card data is collected and processed directly by Stripe as an independent controller of that payment data and is subject to Stripe's privacy policy and services agreement. CallFlows receives from Stripe only the information we need to operate and reconcile your Enterprise subscription (for example, Stripe customer and subscription identifiers, plan and product identifiers, status events such as invoice paid / payment failed / subscription cancelled, metered usage acknowledgements, invoice amounts and dates, country/postal code for tax purposes, and the last four digits and brand of the card for display).

8. Communications

Service Communications: We may contact you with important information about our Services, such as updates, billing issues, usage thresholds, failed-payment notices, subscription status, or security notices. You generally cannot opt out of these essential communications.

Promotional Communications: We may send you emails or other messages about new features, special offers, or events. You can opt out of promotional communications at any time by using the "unsubscribe" link in the communication, adjusting your user profile settings, or emailing contact@callflows.ai.

9. Data Security

We are committed to protecting the security of your Personal Data. We implement and maintain a range of reasonable and appropriate industry-standard security measures designed to prevent unauthorised access, use, alteration, disclosure, or destruction of Personal Data. These measures include:

  • Technical Measures: Encryption of data in transit (e.g. TLS for web and API traffic, TLS/SRTP for voice signalling and media) and at rest (e.g. AES-256 via AWS RDS, S3 and EBS encryption), firewalls, secure server configurations, intrusion detection and logging, and regular vulnerability assessments and penetration testing.
  • Organisational Measures: Internal policies and procedures for data handling, role-based access controls, multi-factor authentication for administrative access, employee confidentiality obligations and security awareness training, and vendor security assessments.
  • Physical Measures: Secure data-centre facilities (operated by our cloud provider AWS) with access controls and environmental safeguards for the physical protection of infrastructure processing Personal Data.

We regularly review and update our security practices to address new and evolving threats and to adapt to changes in industry standards and regulations. However, please be aware that no security system is impenetrable, and we cannot guarantee absolute security. The transmission of information via the internet is not completely secure, and any transmission is at your own risk. We are not responsible for the circumvention of any privacy settings or security measures contained on the Services by you or third parties.

If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of any account you might have with us has been compromised), please immediately notify us at contact@callflows.ai.

10. Your Data Subject Rights

Depending on applicable law (e.g. GDPR, UK GDPR, CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA and similar US state privacy laws), you may have rights concerning your Personal Data, including:

  • Right to Know / Access: To request information about the Personal Data we hold about you, including categories, sources, purposes of collection, and categories of third parties with whom we share it.
  • Right to Rectification: To request correction of inaccurate Personal Data.
  • Right to Erasure / Deletion: To request deletion of your Personal Data, subject to certain exceptions.
  • Right to Restrict Processing: To limit how we process your Personal Data.
  • Right to Object to Processing: To object to certain types of processing (e.g., for direct marketing).
  • Right to Data Portability: To receive your Personal Data in a structured, commonly used, and machine-readable format.
  • Right to Opt Out of "Sale" or "Sharing": (Under CCPA/CPRA and similar laws) To direct us not to "sell" or "share" your Personal Data for cross-context behavioural advertising.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise these rights, please email contact@callflows.ai. We may need to verify your identity before processing your request. If your request concerns Client-Owned Data, we will, as a processor, forward it to the relevant Client (the data controller), who is responsible for handling such requests.

You may also have the right to lodge a complaint with your local data protection authority. For Call Flows LTD, the primary lead authority is the Commission for Personal Data Protection (Bulgaria); UK-based data subjects may also complain to the UK Information Commissioner's Office (ICO).

Shopify merchants and their customers may also exercise certain GDPR rights through Shopify's standard compliance webhooks (customers/data_request, customers/redact and shop/redact); we honour such requests in accordance with Shopify's platform requirements and applicable law.

11. Caller Notifications

We send Clients email alerts when a new call is received. These alerts include only the first and last three digits of the caller's number (e.g., +123 *** *** 456) to help identify the call while protecting privacy. While masking reduces identifiability, the number may still be considered personal data if combined with other information the Client holds. We never send full caller numbers by email; full details are available only through the secure dashboard or, where enabled by the Client's plan, via the CallFlows API.

Caller Information in Notifications. Call Flows LTD, as Processor, will send the Client (Controller) email notifications when an inbound call is received. Such notifications will always include a partially masked telephone number consisting of the first and the last three digits only (e.g., +123 *** *** 456). The remaining digits will be replaced with masking characters and will not be transmitted via email.

Controller Instructions. By accepting the Agreement, the Client: instructs Call Flows LTD to send masked caller numbers in the above format in email notifications; confirms it has a lawful basis under applicable data protection laws (including GDPR) to process the caller's personal data in this format; acknowledges that the masked number may still be considered personal data if combined with other information it holds; and accepts responsibility for securing its email account and any personal data contained in notifications once received.

Processor Commitments. Call Flows LTD shall: only transmit masked caller numbers in the specified format via email notifications; never transmit full caller numbers in email notifications; and implement reasonable safeguards for the secure transmission of email notifications, noting that standard email protocols may not be encrypted end-to-end.

Risk Notice. The Client acknowledges that even masked numbers may be linkable to specific individuals when combined with other information in its possession, and accepts the associated risk.

12. Security and Data Breach Notification

We have internal incident-response policies to manage potential security incidents involving Personal Data. We employ reasonable administrative, technical, and organisational measures to protect Personal Data. In the event of a data breach involving Personal Data that is likely to result in a risk to the rights and freedoms of individuals, we will take steps in accordance with our procedures and applicable laws, which may include notifying affected individuals or authorities within the timeframes required by law. Sub-processor incidents are reported to us and managed in accordance with the DPA.

If you have questions about our security practices, contact us at contact@callflows.ai.

13. Data Controller and Processor Roles

Understanding these roles is important under laws such as GDPR and CCPA/CPRA:

  • Call Flows LTD as Data Controller: We are the data controller for Prospect Data and for User Data when processed for our own business purposes (as described in Section 2).
  • Call Flows LTD as Data Processor: We are the data processor for Client-Owned Data (including Shopify Store Data, Integrated System Data, and End-User Interaction Data), acting on behalf of our Clients. We also act as a processor for portions of User Data that are integral to a Client's account.
  • Independent Controllers: Our payment processors (Shopify for Shopify App billing, Stripe for Enterprise Services billing) act as independent controllers of the payment card data they collect from you, under their own privacy policies.

Our Clients, as data controllers for Client-Owned Data, are responsible for the lawful basis of processing and for responding to data-subject requests concerning that data.

14. Additional Notices

  • Updates and Amendments: We may update this Privacy Policy by posting an amended version on our Services. The new version is effective upon publication. We will provide prior notice of substantial changes. Continued use after the notice period constitutes acceptance.
  • Requirements under US State Privacy Laws (e.g., CCPA/CPRA): This policy describes categories of Personal Data we may collect (Section 1), sources (Section 1), retention (Section 4), and deletion (Section 10). Our processing purposes (Sections 2, 5, 6, 7) include "business purposes" under these laws. Disclosure of internet activity / device information via cookies may be a "sale" or "sharing" for "targeted advertising"; see our Cookie Policy and Section 10 for opt-out rights. You can designate an authorised agent to exercise rights on your behalf by emailing us.
  • External Links: Our Services may link to third-party sites. We are not responsible for their privacy practices. Please review their policies.
  • Children's Privacy: Our Services are not directed to children under the age of 16 (or a higher age threshold depending on the jurisdiction). We do not knowingly collect Personal Data from children. If we become aware that we have, we will take steps to delete it.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your Personal Data, please contact us at:
Call Flows LTD.
Email: contact@callflows.ai
Bulgaria, Sofia, blvd Vitosha 1A