Last updated: 14 July 2026
When your receptionist answers a call, it handles personal information belonging to the person who rang you: their number, their name, what they asked for. Under the UK GDPR that information is yours to answer for, and we handle it for you. The law calls you the data controller and us the processor, and it requires the two of us to have a written agreement setting out how we do that (Article 28). This page is that agreement.
It forms part of our Terms of Service, which you accepted when you set up your business, so it is already in force. You do not need to print, sign or return anything. If your accountant, your insurer or a client asks whether you have a data processing agreement with your phone provider, the answer is yes, and this is it.
Where this agreement and the Terms disagree about personal data, this agreement wins.
Subject matter and purpose: answering your business phone with an AI assistant, and booking, changing and cancelling appointments in your calendar, together with the texts and records that go with that.
Duration: for as long as you have an account with us, plus the retention periods in our Privacy Policy.
Whose information: the people who call your business, and the staff you add to your account.
What information:
Special category data: Vocalenda is not built for health records and never asks for them. But some of the businesses we serve are ones where a caller may volunteer health information without being asked, a dental practice, a massage therapist, a spa or wellness business, and once it is said on the call it is in the transcript. Health information carries extra duties under Article 9, and establishing the additional lawful basis for it is yours to do as the practice (usually Article 9(2)(h), provision of health care). We handle whatever reaches us to the same standard as everything else set out here.
If you are a trade visiting people at home, a plumber, electrician, builder, tiler or heating engineer, your call records will often contain someone's home address and when they will be out. That is not special category data, but it is worth treating with the same care, and it is one more reason not to put anything into your receptionist's settings that you would not want repeated to a caller.
We commit to all of the following.
Running a phone line needs specialist companies, and the law requires your permission for us to use them. By accepting our Terms you authorise the sub-processors named in our Privacy Policy, which lists every one of them and exactly what each sees. That list is the authoritative one, and we keep it current rather than burying changes here.
Each sub-processor is under a written contract holding it to obligations no weaker than these, and we remain answerable to you for what they do.
If we add or replace one, we will tell you before it starts handling your data, and you may object. If you object and we cannot offer you a reasonable alternative, you may end your subscription without penalty for the remainder of the term you have paid for. We would rather lose a subscription than move your callers' data somewhere you are not comfortable with.
Everything we store lives in the EU (Ireland). The live call is handled in the United States, because that is where the speech and language providers that make the receptionist good enough to trust with your phone currently run. Our Privacy Policy sets out exactly which provider does what and where, including the EU option we looked at and why we have not taken it yet.
Where data leaves the UK or EU, the transfer is covered by recognised safeguards, the UK International Data Transfer Agreement or Addendum, standard contractual clauses, or an adequacy decision, in each provider's contract with us.
This part is short but it is not filler. These are the things only you can do.
The law says people must be told what is happening to their information at the moment it is collected. A caller never visits a website, so a privacy policy cannot do that job for them, which is why we do it on the call instead: every caller is told they are speaking to an AI assistant and that the call is transcribed, before your greeting, on every call, and it cannot be edited or switched off. That is us discharging a duty that is legally yours, and it is deliberate. You do not have to do anything else, though you are welcome to mention it on your website too.
Each of us is responsible for our own compliance with data protection law. Nothing here limits any right your callers have, or the ICO's powers over either of us. The liability limits in our Terms of Service apply to this agreement too.
This agreement is governed by the law of England and Wales.
Questions about this agreement, a caller's request, or a suspected breach: contact us using the details in our Privacy Policy. If something is urgent and involves a possible breach, say so in the subject line and we will treat it that way.