Privacy Policy for Callkom

Last Updated: November 14, 2025

Introduction

Welcome to CALLKOM’s privacy policy (hereinafter “CALLKOM”, “we”, or “our”).

 

At CALLKOM, we place particular importance on protecting your personal data. We know that the trust you place in us to host your professional data and operate your automated call flows is primarily based on the clarity of what we do with that data. This is why we are committed to implementing appropriate technical and organizational measures to ensure its security, confidentiality, and integrity.

 

Our services (website https://callkom.io, SaaS platform, and AI telephone agents) are designed for professional use (B2B) and are not intended for minors.

We process data to operate a useful, secure, and transparent service. We apply minimization, strict access controls, and priority hosting in the EU, and we govern essential flows with contractual guarantees compliant with GDPR.

This policy explains what data we use, why, how long we keep it, with whom we share it if necessary, and how to exercise your rights.

 

We process your data in compliance with applicable regulations, particularly:

  • Regulation (EU) 2016/679 of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter “GDPR”);
  • French Law No. 78-17 of January 6, 1978, as amended, relating to information technology, files, and freedoms.

 

CALLKOM operates two main levels of processing:

  • on the one hand, processing that we carry out in our capacity as data controller, for example to manage the Website, create and administer SaaS platform user accounts, invoice, provide support, and secure our infrastructure;
  • on the other hand, processing that we carry out as a processor, when our customers use our platform to operate their AI telephone agents, call their own contacts (B2B or B2C), transcribe and analyze calls, or automatically create contact records. In this second case, our customer remains responsible for the database called and the purpose of the call, and we act on their instructions.

 

We also invite you to consult, as applicable:

  • our cookie management policy, which details the trackers used on the Website and application;
  • our artificial intelligence (AI) policy, which describes more technically the data exchanges with AI services (speech recognition, response generation, post-call analysis) used by CALLKOM;
  • our legal notice which details the identity of the data controller of this policy.

 

  1. What Processing is Covered by This Policy?

This privacy policy applies to all personal data processing carried out by CALLKOM (hereinafter “CALLKOM”, “we”, or “our”), in the context of:

  • publishing and operating the website https://callkom.io and its associated pages;
  • providing and using the SaaS software platform published by CALLKOM;
  • operating, on behalf of its customers, AI telephone agent services (inbound and/or outbound calls) allowing the recording, transcription, or summarization of conversations;
  • managing commercial, contractual, support, and billing relationships with its customers and prospects;
  • managing applications and requests addressed to CALLKOM;
  • and, more generally, any operation falling within the scope of services offered by CALLKOM to which a link to this policy is displayed.

 

Our services are intended for professionals (B2B) and are not designed for minors.

 

1.1. Who Are the Data Subjects?

The following are particularly concerned by this processing:

  • visitors and users of the website;
  • prospects who request a demo, contact, or fill out a form;
  • CALLKOM customers, as well as their collaborators authorized to access the SaaS platform;
  • persons called or contacted by an AI agent operated via the platform on behalf of a customer;
  • service providers, partners, and professional contacts of CALLKOM;
  • candidates for job offers or open positions.

 

(collectively referred to hereinafter as “you”).

 

1.2. In What Contexts Do We Process Your Personal Data?

We process your data when, for example:

  • you visit the website, fill out a form, or use the chat;
  • you create or use an account on the CALLKOM SaaS platform;
  • you are called or welcomed by an AI agent set up by one of our customers, and the call is recorded, transcribed, or summarized by the platform;
  • you communicate with us by email, telephone, or any other support channel;
  • you sign a contract with CALLKOM;
  • you apply for a position.

 

Depending on the case, CALLKOM acts as data controller (e.g., website management, accounts, billing) or as a processor when it operates an AI agent service on the instruction of a customer. In the latter case, the customer remains responsible for the database they have processed.

 

The Case of Data Collected on the Website

When we mention our “website” or “web site”, we primarily refer to the site accessible at https://callkom.io as well as its presentation, contact, and demo pages.

 

At this level, the following may be collected:

  • identification and contact data (name, first name, email, telephone, company, position) that you enter in a form;
  • browsing data (IP address, pages viewed, date and time of visit, cookie and other tracker identifiers according to our cookie policy);
  • content of your messages or demonstration requests;
  • data exchanged via a chat or online assistance tool.

 

This data is used in particular to respond to your requests, organize a demo, ensure website security, and, with your consent, to contact you again.

 

The Case of Data Collected on the SaaS Platform

When you access the CALLKOM platform (authenticated space), we collect and process in particular:

  • account creation data (name, first name, professional email, role, organization);
  • settings of the assistant or AI agent you configure;
  • usage and logging data (connection, actions performed, consultation of transcriptions);
  • billing and contractual tracking data.

 

This processing is carried out to provide the service, secure access, and enable customer relationship monitoring.

 

The Case of Data Collected by AI Agents on Behalf of Customers

In the context of call or reception services operated via CALLKOM, certain data may be collected or generated:

  • call audio (if the option is activated or provided in the scenario);
  • call transcription (speech-to-text conversion);
  • a report or summary of the conversation (purpose of the call, contact details, expressed need, appointment slot);
  • call metadata (date, time, duration, agent used, customer concerned).

 

This data is collected to enable CALLKOM’s customer to process the request, create their reports, or continue their relationship with the called person. CALLKOM then operates primarily on the customer’s instruction, who remains responsible for the database called and the legal basis of the contact.

 

  2. What is CALLKOM’s Role?

Our objective is twofold: to provide a reliable and secure service, as well as to support our customers in the compliant use of the platform and AI agents. Depending on the situation, CALLKOM acts either as data controller or as processor within the meaning of GDPR.

 

2.1. CALLKOM Acting as Data Controller

CALLKOM acts as data controller when the processing serves its own purposes, particularly for:

  • publishing and securing the website (forms, chat if applicable, audience measurement according to cookie policy);
  • creating and managing SaaS accounts (authentication, access logs for security);
  • contractual relationship and billing (issuing invoices, payment tracking);
  • B2B prospecting related to our services (with right to object at any time);
  • security, maintenance, and improvement of the platform;
  • processing rights requests addressed directly to us.

 

2.2. CALLKOM Acting as Processor

When the customer uses the platform to process their own contact files or to deploy an AI agent that calls their contacts, CALLKOM acts as technical processor, on the customer’s instruction. This covers in particular:

  • importing or creating contacts and call lists;
  • triggering AI calls (inbound or outbound);
  • recording and transcribing these calls, when provided in the scenario;
  • generating reports and creating contact records in the SaaS.

 

In this context, the customer determines the purpose and legal basis vis-à-vis the persons called.

 

When CALLKOM directly receives a “do not contact me anymore” request, it identifies the customer concerned and forwards the request to them without delay. Updating the database and stopping reminders is the customer’s responsibility.

 

2.3. Operations Performed Directly by Customers in the Platform

Through the platform, customers can in particular:

  • import and enrich their own contact databases;
  • segment, follow up, export, or delete data;
  • connect third-party tools (CRM, telephony, calendars);
  • decide whether or not to continue a contact.

 

We do not perform individual prior reviews; we provide the means (deletion, export, duration settings) and support to enable the customer to meet their own GDPR obligations.

 

  3. What Personal Data Do We Collect and Why?

The main categories of data we process as part of the Website, the SaaS platform, and AI agent services, as well as their purposes, legal bases, and retention periods, are presented below.

 

3.1 Website Visitors and People Who Contact Us

Data Collected

Data you voluntarily communicate to us: name, first name, email address, telephone number, company, position, content of message or demo request.

Browsing and audience measurement data: IP address, pages viewed, date and time of visit, cookie identifier or other tracker, browser technical data.

Chat or online assistance data (if activated on the website): identity, message, browsing context.

 

Purposes

  • process and respond to your requests (demonstration, commercial contact, support);
  • contact you again regarding our offers and services when you have expressed interest;
  • ensure website security and improvement;
  • measure audience and personalize certain pages (according to your cookie choice).

 

Legal Bases

  • CALLKOM’s legitimate interest in responding and securing its website;
  • your consent for non-necessary cookies and trackers.

 

3.2 Customers and Users of the CALLKOM SaaS Platform

Data Collected

Account data: name, first name, professional email, organization to which you are attached, role/profile.

Usage data: dates and times of connection, actions performed in the interface, consultation of recordings or transcriptions.

Contractual and billing data (account holders): company, billing address, invoice history, payment methods processed by a provider (e.g., Stripe).

Data exchanged with support: identity, content of request, attachments.

 

Purposes

  • create and administer your account on the platform;
  • enable you to use the functionalities (configure an AI agent, import contacts, view calls);
  • ensure security, traceability, and platform maintenance;
  • manage the contractual relationship and billing;
  • assist users.

 

Legal Bases

  • contract performance (provide the SaaS service);
  • CALLKOM’s legitimate interest in securing and improving its service;
  • legal obligation for billing.

 

3.3 Persons Called or Contacted by an AI Agent Using CALLKOM

This section is specific to CALLKOM.

 

Data Origin

This data is most often provided to CALLKOM by its customers (contact files, CRM, calendars, call instructions). CALLKOM then acts as a processor: the customer remains responsible for the database called and informing individuals.

 

Data That May Be Processed

Identity and contact details from the customer’s file: name, first name, telephone number (landline or mobile), possible email address;

Data from the call: call audio (if activated), conversation transcription, automatically generated summary or report, information collected during the call (expressed need, appointment request, schedule confirmation);

Call metadata: date, time, duration, type of AI agent used, customer concerned.

 

Purposes

  • perform the call or telephone reception on behalf of the customer;
  • provide the customer with the call, transcription, and report so they can continue their relationship with you;
  • ensure traceability and service security (logging);
  • help the customer respond to an access or objection request.

 

Legal Bases

Contract performance between CALLKOM and its customer / processing on customer instruction (Art. 28 GDPR);

The legal basis vis-à-vis the called person (B2B legitimate interest, contract, consent in B2C or if recording) is determined by the customer who provided the file or requested the call.

 

When you exercise a right directly with CALLKOM (for example “do not call me anymore”), CALLKOM identifies the responsible customer and forwards the request to them so they can update their database.

 

3.4 Prospects and Commercial Contacts

Data Collected

Contact data: name, first name, professional email, telephone;

Professional data: company, position, sector;

Contact origin: form, demo requested, trade show, professional social network;

Exchange history (e.g., in HubSpot).

 

Purposes

  • contact you following a demo or information request;
  • send you communications related to the CALLKOM product;
  • track the commercial relationship history.

 

Legal Basis

CALLKOM’s legitimate interest in developing its B2B activity, with right to object at any time (unsubscribe link).

 

3.5 Candidates

Data Collected

Identity and contact details (name, first name, email, telephone);

Data related to professional and educational background (CV, experience, skills);

Where applicable, notes from exchanges or interviews.

 

Purposes

  • receive and review your application;
  • contact you as part of recruitment;
  • build a candidate pool.

 

Legal Bases

  • pre-contractual measures (application review);
  • CALLKOM’s legitimate interest in organizing its recruitment;
  • your consent to keep the file longer.

 

3.6 CALLKOM Suppliers, Subprocessors, and Service Providers

Data Collected

Professional identity and contact details (name, first name, email, telephone, company);

Data necessary for contracting and billing.

 

Purposes

  • manage the contractual and operational relationship;
  • track billing and payments;
  • verify certain security or compliance prerequisites.

 

Legal Bases

  • contract performance;
  • CALLKOM’s legitimate interest in securing its subprocessing chain.

 

  4. Who Are the Recipients of Your Data?

Your data is accessible only to authorized CALLKOM teams (support, technical, billing, commercial) within the limit of need-to-know.

 

We use subprocessors to operate certain components (hosting, authentication, telephony/VoIP, emailing, payment, CRM, AI); they act on our instructions for the sole purposes provided, with contractual obligations of confidentiality and security.

 

We do not sell your data to third parties for marketing purposes without your explicit consent.

 

  5. How Long Do We Keep Your Data?

CALLKOM retains personal data only for the time necessary to achieve the purposes for which it was collected, extended, where necessary, by legal limitation periods or accounting retention requirements.

 

The main retention periods are as follows:

 

  6. Summary Table of Processing Activities

For greater clarity, here is an overview of the main processing operations carried out by CALLKOM, with their purposes, legal bases, durations, and typical recipients. This summary does not exclude the details given in the detailed sections of the policy.

 

  7. Do We Transfer the Collected Data?

CALLKOM processes and hosts data primarily within the European Union. When certain essential technical components (cloud hosting, telephony/VoIP, AI, emailing, CRM, payment) involve processing outside the EU/EEA, we apply a legal and technical framework compliant with GDPR.

 

7.1 Transfers Within the EU/EEA

Subprocessors located in the EU/EEA are contractually required to:

  • act on CALLKOM’s instruction,
  • apply appropriate technical and organizational measures (confidentiality, encryption, access control, logging, redundancy),
  • notify without delay any security incident concerning them.

 

7.2 Transfers to Third Countries

When processing is operated from a country not offering an equivalent level of protection:

  • we use the European Commission’s Standard Contractual Clauses (SCCs) (or equivalent mechanism in force), supplemented if necessary by additional measures (minimization, encryption, reduced durations, compartmentalization),
  • we systematically minimize the data transmitted (e.g., audio excerpt necessary for STT/TTS, context strictly useful for LLM query, never the customer’s complete database),
  • we prefer, when available, EU regional offers or zero retention.

 

7.3 Transfers Initiated by the Customer

If the customer connects the platform to their own tools (CRM, calendar, emailing, telephony…), the additional transfers thus generated are their responsibility and under their control. It is their responsibility to verify the compliance and adequate supervision of their service providers. CALLKOM cannot be held responsible for flows outside the contractual scope that a customer decides to activate.

 

7.4 Authorities and Legal Requests

In the presence of a requisition or regular request from a competent authority, CALLKOM only transmits the data strictly required by applicable law and, when permitted, informs the customer concerned.

 

7.5 Transparency on the Subprocessing Chain

CALLKOM makes available, upon request, an overview of the categories of subprocessors involved (hosting, authentication, telephony/VoIP, AI, emailing, payment, CRM) with their role and main processing region. When relevant, configuration options (e.g., durations, audio deactivation, alternative providers) may be offered contractually.

 

  8. How We Secure Personal Data

CALLKOM implements appropriate technical and organizational measures within the meaning of Article 32 of GDPR, adapted to the nature of the data processed (including audio and transcriptions) and to the risks presented by the processing (AI calls, administration access).

 

8.1. Organizational Measures (Human, Process)

Awareness and supervision: employees authorized to access data (support, technical, billing) are informed of their confidentiality obligations.

Authorization management: rights are assigned according to the principle of least privilege and are reviewed as soon as a person changes function or leaves the company.

Internal procedures: incident response procedures, backup/restoration, notification, and transmission of rights requests to the customer when CALLKOM is a processor.

Traceability: access to sensitive data is logged.

 

8.2. Access Control Measures

Secure authentication for SaaS access;

Passwords not stored in plain text;

Environment segmentation (production, testing);

Roles/profiles in the SaaS to limit access to only necessary data;

Administration access reserved for authorized CALLKOM personnel.

 

8.3. Technical Security Measures

Flow encryption (HTTPS/TLS) for all communications between the customer’s browser/tool and CALLKOM servers;

Firewall and filtering at cloud infrastructure level;

Intrusion detection/prevention systems offered by hosting providers;

Antivirus / anti-malware protection on work environments;

Regular backups of data necessary for the service, with verification of restoration capability;

Proactive monitoring of platform availability and security;

Logging of security events and sensitive actions.

 

8.4. Testing, Patches, and Continuity

CALLKOM keeps its components up to date (server security patches, libraries, dependencies);

In case of a security incident concerning personal data, CALLKOM applies its breach management process (detection, containment, correction) and, where applicable, notification to the customer and/or authority.

 

  9. What Are Your Rights Regarding Personal Data?

In accordance with GDPR and the French Data Protection Act, you have, as applicable, the following rights:

 

Access: obtain confirmation that processing is taking place and receive a copy, as well as associated information.

Rectification: correct inaccurate/incomplete data.

Erasure (“right to be forgotten”): when one of the grounds provided by law applies.

Objection: at any time for processing based on legitimate interest, including prospecting.

Limitation: request temporary suspension of processing.

Portability: receive the data you have provided, in a structured format, if legal conditions are met.

Post-mortem directives: define the fate of your data after your death (France).

 

These rights are exercised under the conditions and with the limits provided by regulations (particularly when we must retain certain data to comply with a legal obligation or ensure service security).

 

9.1. How to Exercise Your Rights?

To exercise your rights or ask a question, contact us: [email protected].

 

To facilitate processing, please specify:

  • the right exercised and the scope of data concerned,
  • a response address,
  • any element allowing identification of the processing (e.g., date/time of a call if your request concerns an AI call).

 

In case of reasonable doubt about your identity, CALLKOM may ask you for proof of identity (in compliance with the minimization principle).

 

9.2. What Is the Response Time for a Rights Request?

We respond within one month from receipt of the request. This period may be extended by two months considering the complexity or number of requests; in this case, you will be informed.

 

9.3. What Are the Limits to Exercising Your Rights?

Your request may be refused or limited if:

  • it is manifestly unfounded or excessive (repetitive),
  • retention of certain data is legally required (e.g., billing data for 10 years),
  • the request concerns data whose erasure would seriously compromise the security or integrity of the service (to the strictly necessary extent),
  • the request involves third-party data that we cannot disclose.

 

9.4. Case of Data Processed on Behalf of a Customer

When your data is processed on behalf of a customer (e.g., you were called by an AI agent on behalf of a customer company):

  • the customer is the data controller vis-à-vis you;
  • if you write to CALLKOM, we identify the customer concerned, forward your request to them without delay, and assist them technically (search/deletion of a recording, transcription, report, blocking a number);
  • updating the database and stopping reminders is the customer’s responsibility; CALLKOM cannot substitute for them in deciding the substantive response.

 

9.5. Recourse in Case of Dispute

If you believe, after contacting us, that your rights are not being respected, you may contact the competent authority, particularly in France: CNIL (www.cnil.fr).

 

  10. Modify Your Choices

Depending on how you use CALLKOM services, you can at any time modify certain of your data choices.

 

10.1. Prospecting and Marketing Communications

If you receive prospecting or information emails from CALLKOM, you can:

  • click on the unsubscribe link at the bottom of each email, to no longer receive this type of message;
  • or write to us at [email protected] indicating that you no longer wish to be contacted for commercial purposes.

 

We will keep a record of your unsubscription so as not to contact you again (opt-out list).

 

10.2. Cookies and Audience Measurement

For cookies and other trackers placed on the Website:

  • you can configure your browser to refuse all or part of cookies;
  • you can, when the CMP (cookie banner) is displayed, withdraw your consent or modify your preferences (for example, only authorize strictly necessary cookies);
  • you can consult our cookie management policy to know, service by service, what is placed.

 

Refusing certain cookies may degrade certain functionalities, but will not prevent access to the website.

 

10.3. Limiting Collection of Browsing Data

You can also:

  • use “Do Not Track” or equivalent settings in your browser;
  • refuse the placement of third-party cookies;
  • or directly ask us to limit the retention of certain connection logs when technically possible and compatible with our security obligations.

 

  11. Modification and Update of the Policy

This Privacy Policy may evolve, particularly to take into account:

  • a legal or regulatory development;
  • the addition of a new service or a new subprocessor (particularly AI);
  • an evolution of our internal security or retention practices.

 

In case of substantial modification (change of purpose, new recipients, new categories of data), CALLKOM may inform you by any useful means (banner on the website, email, information in the SaaS).

 

The most recent version is always the one available on the website https://callkom.io. We invite you to consult it regularly.