1Who we are

The data controller responsible for the processing described in this Privacy Policy is:

Where we process personal data on behalf of a business customer, we act as a processor or service provider under applicable privacy laws. In those cases, our handling of that data is governed by our agreement with the customer, including any applicable data processing agreement (“DPA”).

2Scope of this Privacy Policy

This Privacy Policy applies to personal data we process when:

• you visit our website;
• you create or use an account with us;
• you use our Services, dashboards, APIs, plug-ins, or integrations;
• you communicate with our sales, support, compliance, or operations teams;
• you participate in demos, onboarding, surveys, research calls, events, or customer interviews;
• you receive marketing or product communications from us; or
• your information is processed through our Services as part of an AI voice, messaging, calendar, CRM, or workflow interaction.

This Privacy Policy does not apply to third-party websites, products, or services that may be linked from or integrated with our Services. Those third parties have their own privacy policies and practices.

3Our role: controller and processor

Cirel provides Services to businesses and other organizations. These organizations are our “Customers.”

3.1 When Cirel is a controller

We usually act as a controller when we process personal data for our own business purposes, such as:

• managing our website;
• handling account registration and administration;
• responding to sales, support, and compliance inquiries;
• sending service updates and marketing communications;
• managing billing and contracts;
• improving, securing, and monitoring our Services; and
• complying with legal obligations.

3.2 When Cirel is a processor

We usually act as a processor when we process personal data on behalf of a Customer through the Services. This may include data contained in calls, messages, transcripts, recordings, CRM records, calendar events, user prompts, outputs, uploaded materials, or other customer-provided content (“Customer Content”).

In those cases, the Customer determines why and how the personal data is processed. If your personal data appears in Customer Content and you want to exercise privacy rights, you should contact the relevant Customer directly. If you contact us, we may forward your request to the Customer where appropriate.

4Personal data we collect

We collect different categories of personal data depending on how you interact with us and the Services.

4.1 Account and profile information

When you or your organization creates an account, we may collect:

• name;
• work email address;
• phone number;
• company name;
• job title or role;
• login credentials or authentication identifiers;
• workspace, team, or organization membership;
• user preferences, such as language, region, timezone, and notification settings; and
• profile information you choose to provide.

4.2 Billing and commercial information

For paid Services, we may collect:

• billing contact details;
• billing address;
• company registration or tax details;
• plan, subscription, invoice, and payment status information; and
• contract and order information.

Where payment card information is required, it is handled by our payment processor. We do not intentionally store full payment card numbers on our own systems.

4.3 Communications with us

When you contact us or interact with our team, we may collect:

• your name and contact details;
• the content of your message;
• attachments or files you provide;
• support ticket information;
• meeting notes;
• demo, onboarding, or sales call details; and
• call recordings or transcripts where recording is disclosed and permitted by law.

We may record or transcribe calls, demos, onboarding sessions, customer support conversations, and similar interactions for documentation, troubleshooting, quality assurance, staff training, security, and service improvement purposes. Where required by law, we will provide notice and/or obtain consent before recording.

4.4 AI voice, call, and conversational data

If you use or interact with our conversational AI, voice agent, telephony, messaging, or workflow features, we may process:

• audio recordings;
• call transcripts;
• call summaries;
• call metadata, such as date, time, duration, participants, phone numbers, call status, routing, and disposition;
• user prompts, AI outputs, and interaction logs;
• CRM, lead, account, or ticket information connected to the interaction;
• calendar or booking information connected to the interaction;
• diagnostic logs used to identify errors, latency, failed calls, misrouting, or service issues; and
• customer-configured instructions, workflows, or agent settings.

Calls may be recorded and transcribed for user diagnosis, documentation, support, quality assurance, dispute resolution, compliance, and to provide the Services. Customers are responsible for giving any required notices and obtaining any required consents from their end users, callers, employees, agents, or other participants before enabling call recording, transcription, or AI voice features.

Unless otherwise agreed in writing, we do not use Customer Content from your workspace to train generalized AI or machine learning models. We may use aggregated, anonymized, or de-identified information to improve reliability, safety, analytics, and product performance, provided it does not identify a Customer, user, caller, or other individual.

4.5 Website, device, and usage information

When you access our website or Services, we may automatically collect technical and usage information, including:

• IP address;
• approximate location derived from IP address;
• browser type and version;
• device type;
• operating system;
• screen or viewport size;
• language and timezone settings;
• pages, screens, or features viewed;
• actions taken in the Services;
• referral and exit pages;
• dates and times of access;
• session duration;
• errors, crash reports, and performance data;
• unique device or session identifiers; and
• logs used for security, fraud prevention, debugging, and service reliability.

4.6 Cookies and similar technologies

We use cookies and similar technologies to operate, secure, analyze, and improve our website and Services.

Cookies may be used for:

• essential functionality, such as authentication and session management;
• security and fraud prevention;
• remembering preferences;
• analytics and performance measurement;
• product improvement; and
• marketing or campaign measurement, where permitted by law.

You can usually control cookies through your browser settings. Blocking certain cookies may affect how the website or Services function. Where required by law, we will request consent before using non-essential cookies.

4.7 Information from third parties and integrations

We may receive personal data from third parties, including:

• Customers that provision accounts or upload Customer Content;
• CRM, calendar, email, telephony, helpdesk, messaging, or workflow tools connected to the Services;
• identity and authentication providers;
• analytics and security providers;
• payment processors;
• business contact providers;
• event organizers; and
• public sources, where permitted by law.

If you connect a third-party integration to the Services, information may be exchanged between Cirel and that third-party service as needed for the integration to work. Once information is processed by the third-party service, its own terms and privacy policy may apply.

4.8 Sensitive personal data

We do not intentionally collect sensitive personal data unless it is necessary to provide the Services, required by law, or expressly provided by you or a Customer. Depending on how Customers configure and use the Services, Customer Content may contain sensitive personal data. Customers are responsible for ensuring that they have a lawful basis for providing such data to us and for configuring the Services appropriately.

5How we use personal data

We use personal data to:

• provide, operate, maintain, and improve the Services;
• create and administer accounts;
• authenticate users and manage access permissions;
• process subscriptions, billing, and payments;
• provide support and respond to inquiries;
• configure and operate AI voice agents, call workflows, CRM sync, calendar booking, messaging, and related features;
• record, transcribe, summarize, analyze, and document calls where enabled and legally permitted;
• diagnose technical issues, failed calls, latency, errors, bugs, and service disruptions;
• monitor service usage, reliability, and performance;
• detect, prevent, and investigate fraud, abuse, spam, security incidents, unauthorized access, and violations of our terms;
• send administrative notices, security alerts, product updates, and service communications;
• send marketing communications where permitted by law;
• run surveys, research, demos, onboarding, training, and customer feedback programs;
• comply with legal, tax, accounting, regulatory, and contractual obligations;
• establish, exercise, or defend legal claims; and
• carry out any other purpose described to you when the data is collected.

6Legal bases for processing

Where UK GDPR, EU GDPR, or similar laws apply, we rely on one or more of the following legal bases:

Where we rely on legitimate interests, we consider the impact on individuals and apply safeguards appropriate to the nature of the processing.

7AI systems and model usage

Our Services may use artificial intelligence and automation to support conversational AI, voice agents, transcription, summarization, classification, workflow routing, lead qualification, booking, support, analytics, and documentation.

When AI features process Customer Content, we process that Customer Content in accordance with our agreement with the relevant Customer.

Unless otherwise agreed in writing:

• we do not use Customer Content from a Customer workspace to train generalized AI or machine learning models;
• we do not sell Customer Content;
• we do not allow unrelated customers to access another Customer’s workspace data;
• we may use de-identified, anonymized, or aggregated operational data to improve service reliability, safety, analytics, and performance; and
• we may process logs and diagnostics to detect errors, troubleshoot calls, improve latency, and maintain service quality.

If our Services integrate with Google Workspace APIs, we do not use data obtained from Google Workspace APIs to develop, improve, or train generalized AI or machine learning models, unless Google’s applicable policies and the user’s consent expressly allow such use.

8How we share personal data

We do not sell personal data.

We may share personal data in the following circumstances:

8.1 With Customers and authorized workspace users

If you use the Services through a Customer workspace, your activity, profile information, call records, transcripts, summaries, CRM sync activity, and other workspace-related information may be visible to authorized users in that workspace, depending on permissions and product configuration.

8.2 With service providers and subprocessors

We use third-party service providers and subprocessors to help us operate the Services. These may include providers for:

• cloud infrastructure, database, storage, and hosting;
• authentication and identity management;
• telephony, voice, and messaging;
• AI model infrastructure, transcription, and speech processing;
• CRM, calendar, email, and workflow integrations;
• analytics and product monitoring;
• security, logging, and error tracking;
• billing and payment processing;
• customer support and communications;
• email delivery; and
• legal, accounting, compliance, and professional services.

These providers may process personal data only as needed to provide services to us and are subject to contractual confidentiality, security, and data protection obligations.

You may request information about our relevant subprocessors by contacting compliance@cirel.ai.

8.3 With third-party integrations you connect

If you or your organization connects the Services to a third-party tool, such as a CRM, calendar, email system, telephony provider, support platform, or automation tool, we may exchange data with that tool as necessary for the integration to function.

8.4 For legal, safety, and security reasons

We may disclose personal data where we reasonably believe it is necessary to:

• comply with applicable law, regulation, legal process, court order, or government request;
• protect the rights, property, or safety of Cirel, our Customers, users, callers, or the public;
• detect, prevent, or investigate fraud, abuse, security incidents, or technical issues;
• enforce our terms, contracts, and policies; or
• establish, exercise, or defend legal claims.

8.5 In connection with corporate transactions

If we are involved in a merger, acquisition, financing, reorganization, sale of assets, insolvency process, or similar transaction, personal data may be disclosed to relevant counterparties, advisers, and successors as part of that transaction, subject to appropriate safeguards.

9International transfers and EU data residency

We use EU data residency for production storage of Customer application data where available and applicable. This means that core Customer application data is intended to be stored in the European Union or European Economic Area unless otherwise configured, required, or agreed.

Some service providers, subprocessors, affiliates, or support operations may process personal data outside the United Kingdom, European Union, or European Economic Area. Where we transfer personal data internationally, we use appropriate safeguards as required by applicable law. These may include:

• adequacy regulations or adequacy decisions;
• the European Commission’s Standard Contractual Clauses;
• the UK International Data Transfer Agreement or UK Addendum;
• contractual, technical, and organizational safeguards;
• approved certification or transfer frameworks where applicable; and
• limited derogations under applicable law where no other mechanism is available.

You can contact compliance@cirel.ai to request more information about the safeguards used for a specific transfer.

10Security

We use technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

These measures may include:

• encryption in transit using TLS 1.2 or higher;
• access controls and permission management;
• authentication and session security;
• logging and monitoring;
• vulnerability management;
• separation of customer workspaces and access boundaries;
• least-privilege internal access practices;
• vendor and subprocessor due diligence;
• incident response procedures;
• backup and recovery processes; and
• staff confidentiality and security training.

Our backend data infrastructure is operated using third-party providers that maintain recognized security and compliance programs, which may include SOC 2 Type II, ISO/IEC 27001, CASA or similar application security validation where applicable, and other relevant frameworks. These provider certifications support the security of our infrastructure, but they do not mean that CIREL TECHNOLOGIES LTD itself is independently certified under every such framework.

No method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, but we work to apply safeguards appropriate to the nature and sensitivity of the data we process.

If we become aware of a personal data breach, we will investigate and, where required by law or contract, notify affected Customers, individuals, and/or regulators without undue delay.

11Data retention

We keep personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law, contract, or legitimate business need.

Retention periods depend on factors such as:

• the type and sensitivity of the data;
• the purpose for which it was collected;
• Customer configuration and contractual settings;
• legal, tax, accounting, and regulatory requirements;
• security, fraud prevention, and abuse monitoring needs;
• dispute resolution and legal claims; and
• whether the data can be anonymized or de-identified.

Customer Content is retained and deleted according to the relevant Customer agreement, DPA, product configuration, and applicable law.

Where we no longer need personal data, we will delete, anonymize, or de-identify it. If immediate deletion is not technically possible, such as where data remains in secure backups, we will protect it from further active processing until deletion becomes possible according to our backup lifecycle.

12Your privacy rights

Depending on where you live and which privacy laws apply, you may have rights over your personal data, including the right to:

• access personal data we hold about you;
• receive information about how we process your personal data;
• correct inaccurate or incomplete personal data;
• request deletion of personal data;
• restrict or object to certain processing;
• withdraw consent where processing is based on consent;
• receive a portable copy of certain personal data;
• opt out of marketing communications;
• object to processing based on legitimate interests;
• lodge a complaint with a data protection authority; and
• exercise additional rights available under applicable laws.

To exercise your rights, contact compliance@cirel.ai.

We may need to verify your identity before responding. If your request relates to data we process on behalf of a Customer, we may direct you to that Customer or forward your request to them.

12.1 UK and EEA rights

If UK GDPR or EU GDPR applies, you may have rights of access, rectification, erasure, restriction, objection, portability, and withdrawal of consent. You may also complain to your local supervisory authority. In the United Kingdom, this is the Information Commissioner’s Office.

12.2 California and other US state privacy rights

If you are a California resident or a resident of another US state with applicable privacy rights, you may have rights to know, access, correct, delete, and receive information about certain disclosures of personal information. You may also have rights to opt out of certain sales, sharing, targeted advertising, or profiling, where applicable.

We do not sell personal data for money. We also do not knowingly sell or share personal information of individuals under 16. If our practices change in a way that requires an opt-out right, we will provide the required mechanism.

We will not discriminate against you for exercising legally protected privacy rights.

13Marketing communications

We may send you marketing emails about our products, services, events, updates, and content where permitted by law. You can opt out of marketing emails at any time by using the unsubscribe link in the email or contacting compliance@cirel.ai.

You cannot opt out of essential service-related communications, such as security alerts, billing notices, account notices, and important product or legal updates.

14Children’s privacy

Our Services are intended for business and professional use and are not directed to children. We do not knowingly collect personal data from children under 13, or under 16 where that higher age threshold applies, without appropriate consent. If you believe a child has provided personal data to us, contact compliance@cirel.ai and we will take appropriate steps.

15Automated decision-making

Our Services may use AI and automation to assist with call routing, transcription, summarization, qualification, workflow triggers, analytics, and documentation. Unless expressly stated otherwise, we do not use the Services to make legal or similarly significant decisions about individuals without human involvement.

Customers are responsible for how they configure and use AI and automation features in their own workflows, including whether human review is required.

16Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our Services, legal requirements, security practices, or business operations.

When we update this Privacy Policy, we will update the “Last updated” date above. If changes are material, we will provide additional notice where required by law, such as by email, in-product notice, or a prominent website notice.

17Contact us

For questions, requests, or complaints about this Privacy Policy or our privacy practices, contact: