Vocalenda logoVocalenda

Data Processing Agreement

Last updated: 14 July 2026

What this is, and why it exists

When your receptionist answers a call, it handles personal information belonging to the person who rang you: their number, their name, what they asked for. Under the UK GDPR that information is yours to answer for, and we handle it for you. The law calls you the data controller and us the processor, and it requires the two of us to have a written agreement setting out how we do that (Article 28). This page is that agreement.

It forms part of our Terms of Service, which you accepted when you set up your business, so it is already in force. You do not need to print, sign or return anything. If your accountant, your insurer or a client asks whether you have a data processing agreement with your phone provider, the answer is yes, and this is it.

Where this agreement and the Terms disagree about personal data, this agreement wins.

What we process, and for how long

Subject matter and purpose: answering your business phone with an AI assistant, and booking, changing and cancelling appointments in your calendar, together with the texts and records that go with that.

Duration: for as long as you have an account with us, plus the retention periods in our Privacy Policy.

Whose information: the people who call your business, and the staff you add to your account.

What information:

  • Phone numbers, and names where a caller gives one
  • Written transcripts of calls, and summaries of them
  • Appointment details, and any notes your receptionist takes at a caller's request
  • Text messages sent to confirm, remind or cancel
  • Call metadata: times, durations, and numbers dialled

Special category data: Vocalenda is not built for health records and never asks for them. But some of the businesses we serve are ones where a caller may volunteer health information without being asked, a dental practice, a massage therapist, a spa or wellness business, and once it is said on the call it is in the transcript. Health information carries extra duties under Article 9, and establishing the additional lawful basis for it is yours to do as the practice (usually Article 9(2)(h), provision of health care). We handle whatever reaches us to the same standard as everything else set out here.

If you are a trade visiting people at home, a plumber, electrician, builder, tiler or heating engineer, your call records will often contain someone's home address and when they will be out. That is not special category data, but it is worth treating with the same care, and it is one more reason not to put anything into your receptionist's settings that you would not want repeated to a caller.

Our obligations to you

We commit to all of the following.

  • We act only on your instructions.Using your settings and the service as offered is your instruction. We do not use your callers' information for our own purposes, we do not sell it, and we do not use it to advertise. The one exception is named plainly in our Privacy Policy: call audio helps improve our speech provider's accuracy, callers can object, and we honour it. If the law ever forces us to do something else with your data, we will tell you first unless we are legally barred from doing so.
  • Confidentiality. Everyone with access is bound to keep it confidential.
  • Security.Encryption in transit and at rest, access limited to those who need it, and separation so that one business can never see another's data. We do not keep call audio recordings.
  • We help you answer your callers. If someone asks you for a copy of their data, or asks you to correct or delete it, that request is yours to answer and we will give you what you need to answer it.
  • We tell you about breaches, within 24 hours. If your callers' information is caught up in a security incident, we will email you within 24 hours of becoming aware of it, and sooner where we can. That is a deliberate promise rather than a vague one: you are the data controller, so if it needs reporting to the ICO the 72-hour deadline is yours, and it starts when we tell you. We will send you what we know even while we are still working out the full picture, keep updating you, and give you whatever you need for your report.
  • We help with your assessments. If you need to carry out a data protection impact assessment, we will provide the information about our processing that you need.
  • Deletion. When you close your account, we delete or return your data in line with the retention periods in our Privacy Policy, except where the law requires us to keep something.
  • Proof. We will make available the information needed to show we are meeting these obligations, and allow reasonable audits on reasonable notice.
Sub-processors

Running a phone line needs specialist companies, and the law requires your permission for us to use them. By accepting our Terms you authorise the sub-processors named in our Privacy Policy, which lists every one of them and exactly what each sees. That list is the authoritative one, and we keep it current rather than burying changes here.

Each sub-processor is under a written contract holding it to obligations no weaker than these, and we remain answerable to you for what they do.

If we add or replace one, we will tell you before it starts handling your data, and you may object. If you object and we cannot offer you a reasonable alternative, you may end your subscription without penalty for the remainder of the term you have paid for. We would rather lose a subscription than move your callers' data somewhere you are not comfortable with.

Where your data is handled

Everything we store lives in the EU (Ireland). The live call is handled in the United States, because that is where the speech and language providers that make the receptionist good enough to trust with your phone currently run. Our Privacy Policy sets out exactly which provider does what and where, including the EU option we looked at and why we have not taken it yet.

Where data leaves the UK or EU, the transfer is covered by recognised safeguards, the UK International Data Transfer Agreement or Addendum, standard contractual clauses, or an adequacy decision, in each provider's contract with us.

Your obligations

This part is short but it is not filler. These are the things only you can do.

  • Have a lawful basis for the calls you take. For bookings this is straightforward: you need someone's name and number to book them in, so it is necessary for what they asked you to do.
  • Answer your callers' requests about their own data. We will help, but the duty is yours.
  • Do not use a caller's number for marketing unless they agreed, or they are an existing customer and every message offers a way out.
  • Only put information into your receptionist's settings that you are entitled to share with callers.
  • Keep your account credentials secure, and remove staff who leave.
Telling your callers

The law says people must be told what is happening to their information at the moment it is collected. A caller never visits a website, so a privacy policy cannot do that job for them, which is why we do it on the call instead: every caller is told they are speaking to an AI assistant and that the call is transcribed, before your greeting, on every call, and it cannot be edited or switched off. That is us discharging a duty that is legally yours, and it is deliberate. You do not have to do anything else, though you are welcome to mention it on your website too.

Liability, law and contact

Each of us is responsible for our own compliance with data protection law. Nothing here limits any right your callers have, or the ICO's powers over either of us. The liability limits in our Terms of Service apply to this agreement too.

This agreement is governed by the law of England and Wales.

Questions about this agreement, a caller's request, or a suspected breach: contact us using the details in our Privacy Policy. If something is urgent and involves a possible breach, say so in the subject line and we will treat it that way.