GDPR Compliance
Last updated: January 10, 2026
1. Overview
ProtoVoice is committed to protecting the personal data of individuals in the European Economic Area (EEA), United Kingdom, and Switzerland in accordance with the General Data Protection Regulation (GDPR). This page outlines how we comply with GDPR requirements and support our customers in meeting their own GDPR obligations.
2. What is GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It applies to organizations that process personal data of individuals in the EEA, regardless of where the organization is located. GDPR establishes strict requirements for data protection, individual rights, and accountability.
3. Our Role Under GDPR
When you use ProtoVoice to handle calls from individuals in the EEA, ProtoVoice typically acts as a Data Processor on your behalf. You, as our customer, are the Data Controller who determines the purposes and means of processing. In some cases, such as for our own marketing or account management, ProtoVoice acts as a Data Controller.
4. Data Processing Agreement (DPA)
- ProtoVoice provides a GDPR-compliant Data Processing Agreement to all customers.
- The DPA defines the scope, nature, and purpose of data processing.
- It includes our obligations as a processor and your rights as a controller.
- Sub-processor lists and notification procedures are documented.
- To execute a DPA, contact our privacy team at privacy@protovoice.ai.
5. Lawful Basis for Processing
- Contract Performance: Processing necessary to provide our services to you.
- Legitimate Interests: Processing for security, fraud prevention, and service improvement where balanced against individual rights.
- Consent: Where required, we obtain clear and specific consent.
- Legal Obligation: Processing required to comply with applicable laws.
- We help customers document their lawful basis for using ProtoVoice to process caller data.
6. Data Subject Rights
- Right of Access: Individuals can request a copy of their personal data. We provide tools to help you respond to access requests.
- Right to Rectification: Individuals can request correction of inaccurate data. Our platform allows data updates.
- Right to Erasure: Also known as the "right to be forgotten." We support data deletion requests with configurable retention.
- Right to Restriction: Individuals can request limited processing. We can flag records for restricted processing.
- Right to Portability: Individuals can request data in a portable format. We provide data export functionality.
- Right to Object: Individuals can object to certain processing. We provide mechanisms to honor objections.
7. International Data Transfers
- ProtoVoice processes data primarily in the United States.
- For transfers from the EEA to the US, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.
- We implement supplementary measures including encryption, access controls, and data minimization.
- Our sub-processors are contractually bound to equivalent data protection standards.
- We monitor legal developments affecting international transfers and update our approach as needed.
8. Technical & Organizational Measures
- Encryption: All personal data is encrypted at rest (AES-256) and in transit (TLS 1.3).
- Access Controls: Role-based access with multi-factor authentication.
- Data Minimization: We only collect and process data necessary for the specified purposes.
- Pseudonymization: Where possible, we use pseudonymized identifiers.
- Security Testing: Regular penetration testing and vulnerability assessments.
- Employee Training: All staff receive GDPR and data protection training.
- Incident Response: Documented procedures for detecting and responding to data breaches.
9. Data Breach Notification
In the event of a personal data breach affecting your data, ProtoVoice will notify you without undue delay, and in any event within 72 hours of becoming aware of the breach. Our notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed. We will cooperate fully with your obligations to notify supervisory authorities and affected individuals.
10. Sub-Processors
ProtoVoice engages sub-processors to help deliver our services. All sub-processors are bound by data processing agreements with equivalent protections. We maintain a list of current sub-processors and will notify customers before adding new sub-processors, allowing time to object. Current sub-processors include cloud infrastructure providers (AWS, GCP), communication providers, and analytics services.
11. Data Retention
- We retain personal data only as long as necessary for the purposes for which it was collected.
- Default retention periods are configurable per customer.
- Call recordings: Configurable from 30 days to 7 years based on your requirements.
- Account data: Retained while your account is active plus a reasonable period after.
- Upon request, we can delete personal data subject to legal retention requirements.
12. Data Protection Officer
ProtoVoice has appointed a Data Protection Officer (DPO) to oversee our GDPR compliance program. The DPO is responsible for monitoring compliance, providing advice on data protection matters, and serving as a contact point for supervisory authorities. You can reach our DPO at dpo@protovoice.ai.
13. Your Obligations as Controller
- Ensure you have a lawful basis for processing caller personal data through ProtoVoice.
- Provide appropriate privacy notices to callers about the use of AI voice agents.
- Respond to data subject requests using tools we provide.
- Report any data protection concerns or incidents to us promptly.
- Execute a Data Processing Agreement with ProtoVoice before processing EEA personal data.
14. Contact Us
For GDPR-related inquiries, to request a Data Processing Agreement, or to exercise data subject rights, contact our Privacy Team at privacy@protovoice.ai or our Data Protection Officer at dpo@protovoice.ai. You can also write to: ProtoVoice, Inc., Attn: Privacy Team, 7975 N Hayden Rd STE A210, Scottsdale, Arizona 85258.
