Legal
Privacy Policy & DPA
Last updated: 28/06/2026
This Privacy Policy explains how Callmate Ltd ("Callmate", "we", "us", or "our") collects, uses, and protects personal data when you visit our website at callmate.io (the "Site"), use our platform, dashboard, and application (the "App"), contact us, request a demo, or otherwise interact with us. It also contains, in Part B, the Data Processing Addendum that apply where Callmate processes personal data on behalf of a customer in providing the Services.
Callmate Ltd is a company incorporated in England and Wales with its registered office at 128 City Road, London, EC1V 2NX, United Kingdom.
PART A — PRIVACY POLICY
1. Two roles: controller and processor
Callmate handles personal data in two different capacities, and it is important to understand which applies:
As a controller. For personal data we collect about visitors to our Site, people who contact us or request a demo, and the account/administrator users of our App, Callmate is the controller under the UK GDPR and the Data Protection Act 2018. Part A of this policy describes that processing.
As a processor. When our business customers use the App to provide our AI voice Services, the customer is the controller of the personal data processed through the platform (including call data, transcripts, summaries, and recordings), and Callmate acts as a processor on the customer's behalf. That processing is governed by the Data Processing Terms in Part B below, together with our Terms of Service.
The rest of Part A concerns personal data for which Callmate is the controller.
2. Personal data we collect
Depending on how you interact with us, we may collect:
Contact and enquiry details — your name, email address, phone number, company name, and job title, for example when you submit a contact form, request a demo, or email us.
Demo booking details — information you provide when booking a demonstration or call with us, including any scheduling information and the date and time you select. Where we use a third-party scheduling or calendar tool to arrange demos, that tool may also process this information.
Interaction data — information about how you interact with content on our Site, such as whether you play a sample audio recording or submit a form, used to understand engagement and improve the Site.
Account data — registration and authentication details for App users, and account configuration and settings.
Communications — the content of messages you send us and our correspondence with you, including emails, form submissions, and demo discussions.
Usage and technical data — information about how you use our Site and App, such as IP address, browser type, device information, pages viewed, time spent, and referring URLs, collected through cookies and similar technologies.
Marketing data — your preferences for receiving communications from us, and information about how you respond to our marketing.
The sample audio recordings on our Site are illustrative demonstrations of our Services. They do not collect information about you simply by playing them, beyond the interaction data described above.
We do not intentionally collect special category data (such as health or biometric data) through our Site or App as controller. Please do not submit such information to us through web forms.
3. How we use your personal data
We use personal data for which we are the controller to:
respond to your enquiries and provide information you request;
arrange, schedule, and conduct product demonstrations and calls;
understand how visitors engage with our Site (such as which content is viewed or played) so we can improve it;
create, administer, and secure App accounts;
provide, operate, support, and improve our Site, App, and Services;
send you marketing communications where permitted;
comply with our legal and regulatory obligations; and
protect the security and integrity of our Site, App, and business.
We may also use data derived from use of the Services in de-identified and aggregated form to operate, maintain, and improve the Services, as described in our Terms of Service.
4. Legal bases for processing
We rely on the following legal bases under the UK GDPR:
Consent — for example, where you opt in to marketing communications. You can withdraw consent at any time.
Legitimate interests — to operate and improve our Site, App, and business, respond to enquiries, and promote our business, provided our interests are not overridden by your rights.
Contract — to take steps at your request before entering into a contract, and to perform our contract with you (including under our Terms of Service and any Order Form).
Legal obligation — where we must process data to comply with applicable law.
5. Cookies
Our Site and App use cookies and similar technologies to function correctly, analyse usage, and improve your experience. You can control cookies through your browser settings and, where applicable, through our cookie banner.
6. Sharing your personal data
We may share personal data with:
Service providers and subprocessors who help us operate our Site, App, and Services (such as website hosting and analytics, demo scheduling and calendar tools, form and CRM providers, email providers, and telephony infrastructure), under appropriate confidentiality and data protection terms. The subprocessors used to provide the Services are listed in Part C below;
Professional advisers such as lawyers and accountants;
Authorities or third parties where required by law, court order, or to protect our rights; and
A buyer or successor in the event of a merger, acquisition, or sale of our business or assets.
We do not sell your personal data.
7. International transfers
We are based in the United Kingdom and some of our service providers and subprocessors may process data outside the UK or European Economic Area. Where we transfer personal data internationally, we put in place appropriate safeguards (such as the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another lawful transfer mechanism). For Services data, the transfer arrangements are set out in Part B below.
8. How long we keep your data
We keep personal data only for as long as necessary for the purposes set out in this policy, including to satisfy any legal, accounting, or reporting requirements. When we no longer need your data, we securely delete or anonymise it. Retention and deletion of customer data processed through the Services is governed by Part B below.
9. Security
We implement appropriate technical and organisational measures designed to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction, or damage, including encryption in transit and at rest, access controls, and monitoring appropriate to the nature of our processing. The security measures applicable to Services data are set out in Part B below.
10. Your rights
Subject to applicable law, you have the right to:
access the personal data we hold about you;
request correction of inaccurate data;
request erasure of your data;
restrict or object to our processing;
request portability of your data; and
withdraw consent at any time where we rely on consent.
To exercise any of these rights, contact us at dennis@callmate.io. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
If your request relates to personal data processed through the Services (where Callmate acts as a processor), we will direct your request to the relevant customer (the controller) and assist them as required under Part B below.
11. Marketing
Where you have opted in or we are otherwise permitted, we may send you marketing communications about our products and services. You can opt out at any time using the unsubscribe link in our emails or by contacting us at dennis@callmate.io.
12. Third-party links
Our Site and App may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties, and we encourage you to review their privacy policies.
13. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated version on our Site and update the "Last updated" date above.
PART B — DATA PROCESSING ADDENDUM
These Data Processing Terms apply where Callmate processes personal data on behalf of a customer ("Customer") in the course of providing the Services, and form part of the agreement between Callmate and the Customer (together with the Terms of Service and any Order Form). In these terms, Callmate is the "Processor" and the Customer is the "Controller".
B1. Definitions
"EU Data Protection Laws" means the UK GDPR and the Data Protection Act 2018, the EU GDPR to the extent applicable, and any other applicable data protection laws relating to the processing of personal data under the agreement.
The terms "Personal Data", "Processing", "Controller", "Processor", and "Supervisory Authority" have the meanings given to them in the EU Data Protection Laws.
"Customer Data" means any personal data processed by Callmate on behalf of the Customer under the agreement.
"Security Incident" means a personal data breach or other breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Data.
B2. Roles of the parties
The Customer is the Controller of Customer Data and determines the purposes and means of processing. The Customer is responsible for maintaining a valid lawful basis for processing and for providing all required notices and obtaining all required consents, including where call recording is enabled.
Callmate is the Processor and shall process Customer Data only on the Customer's documented instructions, which include the Customer's use of the Services, configuration settings, feature selections, and other actions taken through the Services, and as otherwise necessary to provide, maintain, secure, and improve the Services in accordance with the agreement and these terms. Callmate shall notify the Customer if, in Callmate's reasonable opinion, an instruction infringes EU Data Protection Laws or cannot reasonably be complied with through the Services' functionality. Callmate is not required to comply with any instruction that is unlawful, technically infeasible, or would expose Callmate to material risk.
B3. Details of processing
Subject matter and duration — processing of Customer Data to provide the Callmate voice AI platform and related Services for the duration of the agreement and any post-termination deletion or return period.
Nature and purpose — providing, operating, supporting, securing, and improving the Services, including call handling, routing, dashboards, workflows, transcription, summarisation, analytics (where enabled), knowledge base ingestion, abuse prevention, and service integrity.
Categories of data subjects — the Customer's authorised users and end users or call recipients contacted by the Customer.
Types of Personal Data — contact details, call metadata, conversation data (including transcripts and summaries), Customer-provided content, account and authentication data, and technical and security data.
Special categories — the Services are not designed to process special category data, but such data may be included by the Customer depending on use case, for which the Customer remains responsible.
Processing operations — collection, storage, transmission, analysis, access for support, de-identification and aggregation for service improvement, and deletion or return in accordance with these terms.
B4. Technical and organisational measures
Callmate shall implement appropriate technical and organisational measures designed to protect Customer Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage. Such measures shall include, as a minimum, encryption in transit and at rest, access controls, and monitoring appropriate to the nature of the Services. Callmate shall limit access to Customer Data to personnel who require access to perform the Services and shall apply role-based or function-based access controls.
B5. Subprocessors
The Customer provides Callmate with a general authorisation to appoint subprocessors to process Customer Data for the purposes of providing the Services. The current list of subprocessors is set out in Part C below. Where Callmate appoints a subprocessor, Callmate shall ensure that the subprocessor is engaged under a written agreement imposing data protection obligations substantially equivalent to those set out in these terms, including appropriate confidentiality and security obligations. Callmate shall remain responsible for the performance of its subprocessors' obligations to the extent required under EU Data Protection Laws and subject to the limitations of liability set out in the agreement.
B6. Data subject requests
The Customer is solely responsible for responding to requests from data subjects and consumers relating to Customer Data (including access, rectification, erasure, restriction, objection, and portability requests). Callmate shall provide reasonable assistance to the Customer to enable it to respond to such requests to the extent the Customer cannot address the request through self-service functionality made available via the Services. Such assistance shall be limited to information and actions within Callmate's reasonable control and shall be provided at the Customer's cost where the request requires material effort beyond Callmate's standard support. If Callmate receives a request, complaint, or inquiry from a data subject or a Supervisory Authority relating to Customer Data, Callmate shall, to the extent legally permitted, promptly notify the Customer and shall not respond except on the Customer's documented instructions, unless otherwise required by applicable law.
B7. Security incidents
Callmate shall maintain and follow an incident response process designed to detect, investigate, contain, and remediate Security Incidents affecting Customer Data. Callmate shall notify the Customer without undue delay after becoming aware of a Security Incident affecting Customer Data and shall provide information reasonably necessary to assist the Customer in meeting its notification and reporting obligations under EU Data Protection Laws. Callmate shall take reasonable steps to mitigate and remediate the effects of any Security Incident affecting Customer Data.
B8. Return or deletion of Customer Data
Upon termination or expiry of the agreement, Callmate shall, at the Customer's written request, either delete or return Customer Data within a reasonable period, provided that Callmate may retain Customer Data to the extent required by applicable law or to the extent necessary for legitimate security purposes, fraud prevention, backup integrity, dispute resolution, or enforcement of legal rights. To the extent Callmate retains any Customer Data, such retained data shall remain subject to the confidentiality, security, and access control obligations set out in these terms.
B9. International data transfers
The Customer acknowledges that Callmate and its subprocessors may process Customer Data in the United Kingdom and, where applicable, in other locations identified in Part C below. Where EU Data Protection Laws require a transfer mechanism for international transfers of Customer Data outside the UK, EEA, or adequacy decision jurisdictions, Callmate shall implement appropriate transfer safeguards, such as applicable standard contractual clauses, an International Data Transfer Agreement, an addendum recognised under UK law, or another lawful transfer mechanism, as appropriate.
B10. Audits
The Customer may audit Callmate's compliance with these terms by submitting a written request no more than once in any twelve (12) month period, unless an audit is required by a Supervisory Authority or is reasonably necessary due to a confirmed Security Incident affecting Customer Data. Any audit shall be conducted in a manner that minimises disruption to Callmate's business and preserves confidentiality and security. The Customer shall treat all audit findings, security documentation, and information disclosed by Callmate in connection with any audit as Callmate's confidential information.
B11. General
These Data Processing Terms are governed by the same law and dispute resolution provisions as the Terms of Service. In the event of any conflict between these terms and the Terms of Service in respect of data protection and processing matters, these terms prevail. The limitations and exclusions of liability set out in the Terms of Service apply to these terms.
PART C — SUBPROCESSORS
Callmate engages the subprocessors listed below to help provide the Services. Subprocessors may change from time to time in accordance with Part B5; we will update this list when they do.
Subprocessor | Purpose | Location |
|---|---|---|
Hetzner Online GmbH | Server hosting | Datacenters in Falkenstein (Germany) and Helsinki (Finland) |
Cloudflare, Inc | DNS, VPN, DDoS protection and data buckets | European locations. Some data is encrypted and stored in R2 buckets. Traffic passes through to/from Hetzner servers. |
Twilio Ireland Limited | Telephony and SIP | Data doesn't leave the European region (Ireland region only) |
OpenAI Ireland Ltd. | Large language models | Processing through OpenAI's EU locations with zero data retention (ZDR) |
Groq, Inc. | Text-to-speech models | Optional service. Servers in the USA |
Eleven Labs Inc. | Text-to-speech models | Optional service. Processing mostly inside Europe with zero data retention (ZDR) |
Stripe Payments Europe, Ltd. | Payment processing, fraud detection, and financial reporting. | Servers in the USA |
Contact us
If you have any questions about this Privacy Policy or how we handle your personal data, contact:
Callmate Ltd 128 City Road, London, EC1V 2NX, United Kingdom Email: dennis@callmate.io