At CALLKOM, we use artificial intelligence to make your calls smoother, your teams more efficient, and your customers better served, without compromising on confidentiality, security, and compliance. Our commitment: clearly explained AI components, finely tuned and always under human control.

This policy has a clear objective: to show you concretely how AI is integrated, what data is processed, for what purposes, with what choices available for your organization, and what guarantees we implement. We apply GDPR, the French Data Protection Act, and the transparency requirements of the AI Act. When certain technical components operate outside the EU, Standard Contractual Clauses (SCCs) and additional measures govern these flows.

You remain in control. You choose the use cases, parameters (recording, durations, transfer to a human, fields excluded from prompts), and the applicable legal basis for your calls. On our side, we ensure the architecture, security, and support: risk prevention, rapid anomaly detection, continuous improvements. Incidents remain rare; when they occur, we correct quickly and inform you.

Our services are designed for professional use (B2B) and are not intended for minors.

For any questions or to exercise your rights: [email protected].

In short, transparency and control: you know what the AI does, why, with what data, and how we put it at the service of your business with complete confidence.

1. Purpose and Scope of the Policy

This artificial intelligence technology usage policy (hereinafter the “AI Policy”) describes in a transparent, technical, and legally structured manner how CALLKOM integrates, calls upon, and uses AI components in its AI telephone agent services and its SaaS platform.

It complements CALLKOM’s Privacy Policy: the concepts of data controller/processor, individuals’ rights, general retention periods, and security principles are already established there.

To date, the AI uses offered by CALLKOM (transcription, conversational assistance, voice synthesis) do not fall into the “high-risk” categories of the AI Act. If a use case were to fall under a more demanding regime, we would adapt the documentation, transparency, and required controls, and would inform the affected customers.

2. General Principles

Necessity: we only send to an AI the data necessary for the assistant to do what the customer asks (understand, respond, deliver).

Customer control: it is the customer who decides who is called, why they are called, and therefore what the legal basis is vis-à-vis the person called.

Third-party supervision: when certain technical components are operated outside the EU, we combine data minimization, Standard Contractual Clauses (SCCs), and selection of solutions offering the best level of performance compatible with GDPR.

Traceability: we log AI calls to be able to explain what was done if the customer or an authority requests it.

Equivalent security: AI data benefits from the same level of security as other data processed in the platform.

3. AI Processing Chain at CALLKOM

To understand where data goes, one must look at the flow of a typical AI call.

Call Initiation

The customer programs an outbound call or receives an inbound call on a number linked to CALLKOM.

CALLKOM receives the audio stream from the called/calling person.

Speech Recognition (Speech-to-Text – STT)

CALLKOM sends the audio to a speech recognition engine.

The engine returns a text transcription of what was said.

Understanding and Response Generation (LLM / Conversational Engine)

CALLKOM sends to the conversational engine:

• the person’s text,
• the business context transmitted by the customer (schedules, activity, qualification instructions, documents),
• the agent’s system instructions (“you are the assistant of office X”, “you schedule appointments”, “you remain polite”),
• call metadata (date, agent type, language).

The AI engine returns a proposed text response, controlled by the safeguards defined by CALLKOM (system prompts, limits, supervision).

Voice Synthesis (Text-to-Speech – TTS)

The text response is sent to a voice engine.

A synthetic voice is generated and returned to the interlocutor.

Post-Processing / Delivery

CALLKOM generates a call summary, a structured report (name, contact details, need, appointment), and metadata.

These elements are stored in the customer’s environment within CALLKOM’s infrastructure.

Depending on the activated features, the chain may call one or more AI providers (STT, LLM, TTS). In all cases, CALLKOM applies minimization: only the elements necessary for proper functioning for the situation concerned.

4. Roles and Responsibilities

4.1 CALLKOM’s Role

CALLKOM:

• provides the SaaS platform and AI agents;
• selects and documents the integrated AI providers (type of service, main location, supervisory mechanism);
• implements security measures (encryption, access control, logging);
• minimizes the data sent;
• maintains an internal inventory of third-party AI services used;
• assists the customer when a person exercises a right.

CALLKOM does not create contact databases or business scenarios: these choices are the customer’s responsibility. We provide the infrastructure and support so that these choices are implemented in a secure and traceable framework.

4.2 Customer’s Role

The customer:

• is the data controller for the persons they have called via CALLKOM;
• defines the purpose and appropriate legal basis;
• informs their interlocutors;
• handles requests to exercise rights and objections;
• configures the AI agent proportionately.

5. Categories of Data Processed by AI Components

Depending on the use case, AI components may receive or generate the following categories:

Indirect Identification or Contact Data

• phone number (called or calling),
• call date and time,
• session identifier,
• CALLKOM customer identifier,
• sometimes the person’s name if the customer provided it.

Call Content

• audio of the called person (voice),
• audio of the AI agent,
• text transcription of this audio.

Business Data Provided by the Customer

• response instructions, script, tone,
• business documents or parameters (schedules, appointment procedure, customer type),
• contact or import files.

Data Generated by AI

• text response sent to voice synthesis,
• call summary,
• structured report,
• status (successful call, transfer to human, to be called back).

Technical and Performance Data

• execution logs,
• response times,
• error codes,
• comprehension indicators.

CALLKOM does not request so-called “sensitive” data within the meaning of GDPR (health, beliefs, criminal data). If the called person spontaneously communicates such information, these elements will be transcribed like the rest of the call. In this case, CALLKOM protects this data, but the lawfulness of the processing remains on the customer’s side.

6. Purposes of AI Processing

AI processing is carried out for the following purposes:

Provision of Real-Time AI Agent Service

Enable the agent to understand the interlocutor, generate an appropriate response, and deliver it immediately by voice.

Delivery to the Customer

Make available to the customer the transcription, summary, and structured information (contact, need, appointment) so they can continue their commercial or service follow-up.

Support and Maintenance

Occasionally replay a call, analyze an error residue, understand why an agent did not respond correctly.

Functional Improvement and Quality

Verify that the script is properly followed, that the voice does not cut out, that comprehension is sufficient. These are functional product improvements, not massive training.

Security and Traceability

Keep AI call logs to detect abnormal uses, unauthorized access, and abuse.

Compliance and Audit

Be able to demonstrate what was transmitted to an AI in case of a request from the customer or an authority.

CALLKOM does not reuse call data for prospecting and does not create a shared database of customer content.

7. Legal Bases

Three cases must be distinguished:

Call / Processing Performed on Behalf of a Customer

Vis-à-vis the called person, the legal basis is determined by the customer (B2B legitimate interest, contract with their own customer, consent in B2C or if recording requires it).

CALLKOM then acts as a processor (Art. 28 GDPR) and processes on the customer’s instruction.

AI Service Improvement and Security

Legal basis: CALLKOM’s legitimate interest (Art. 6.1.f GDPR) in ensuring the proper functioning, security, and quality of its service, with minimization and limited duration.

Support / Debugging on Incident

Legal basis: contract performance (provide the stipulated support) + legitimate interest (resolve the incident).

8. AI Providers, Location, and Transfers

CALLKOM may use, depending on the activated features, the following providers or technical components (list subject to change and kept up to date).

CALLKOM seeks the best technical compromise + SCCs.

We use specialized providers (STT, LLM, TTS, hosting, and message queues). When EU regions are available, they are preferred. If processing requires a provider established outside the EU, the flow is legally governed (SCCs) and technically minimized.

The updated list of subprocessors and AI components (provider name, role, main region, supervisory mechanism) is kept up to date on our “Subprocessors / AI” page and within the DPA.

When the customer themselves connects CALLKOM to their own tools (external CRM, cloud calendar, third-party emailing), the additional transfers that result are initiated by the customer and are their responsibility.

9. Reuse, Pooling, “No Training”

CALLKOM does not voluntarily authorize the reuse of its customers’ data by an AI provider to train a public model when a “no training” option or equivalent is offered by that provider. When the provider offers a “no training / zero data retention” option, CALLKOM activates it by default for the relevant flows.

However, CALLKOM may reuse internally and in a targeted manner:

• prompts,
• technical logs, only to:
• correct a malfunction,
• improve a system instruction,
• adjust a voice connector.

These reuses are limited and without personal data. Product improvements (e.g., better report format) may benefit everyone without pooling customer data.

10. Informing Individuals and “In-Call” Transparency

CALLKOM provides its customers with:

• template wordings to inform the person that they are interacting with an AI agent;
• notices indicating that the call may be recorded and transcribed;
• the possibility of switching to a human when the person requests it or in case of AI failure.

But it is indeed the customer, as data controller, who must:

• insert these notices in their own processes (voice message, privacy policy, T&Cs, HR documents, etc.);
• check whether, in their sector or for their recipients (B2C in particular), prior consent is required;
• handle objections.

CALLKOM cannot, in place of the customer, know whether the called person is a private individual, whether they are in a country with stricter rules, or whether a specific legal basis is required.

11. Security Applied to AI Processing

AI processing benefits from the same measures as the rest of the SaaS, including:

• restricted access to recordings and transcriptions (authorized roles/profiles);
• flow encryption (HTTPS/TLS) between the browser, telephony, and CALLKOM servers;
• priority hosting in the EU for stored data;
• logging of access to call content;
• regular backups and restoration testing;
• updating security components and dependencies.

12. Logging, Monitoring, and AI Incidents

CALLKOM:

• logs AI calls (timestamp, model type, technical result);
• maintains an internal inventory of integrated third-party AIs (name, role, main country of processing, supervision);
• monitors abnormal behaviors (inappropriate response, inappropriate content, context leak);
• may temporarily disable an AI provider or feature that presents a risk.

In case of an AI incident likely to have a significant impact on individuals’ rights (e.g., insulting response, disclosure of a fragment of another call), CALLKOM:

• analyzes the incident,
• informs the affected customer,
• and, if regulations require it, may inform the authority.

To date, incidents remain very rare.

13. Individuals’ Rights Regarding AI Processing

Individuals may exercise their rights:

• primarily with the customer who initiated the call,
• or with CALLKOM: [email protected]

If the request concerns processing performed for a customer:

• CALLKOM identifies the customer,
• forwards the request to them without delay,
• and technically assists them (locating a recording, deleting a transcription, blocking an identifier).

If the customer decides not to honor the request or to continue the calls, CALLKOM cannot be held responsible as a processor.

14. AI-Specific Responsibility

We implement safeguards (system prompts, roles, filters, supervision) to reduce errors inherent to probabilistic models and prevent bad outputs. Some components (voice, LLM) rely on third parties: we monitor their availability and plan workarounds (alternative models, temporary deactivation). When a database provided by a customer presents a risk (unaccounted objections, disproportionate collection), we alert and propose adjustments.

15. AI Policy Updates

AI technologies, available regions, and provider conditions evolve rapidly. CALLKOM may therefore update this AI Policy to:

• add or remove an AI provider,
• specify a transfer method,
• integrate new minimization or security measures,
• take into account legal or regulatory developments (AI Act).

The most recent version will be made available on the CALLKOM website or in the platform. In case of substantial change (new purpose, new non-EU provider), CALLKOM may inform its customers.