Privacy policy page

1. Who is the controller?

For Client contacts and for personal data processed to improve our Services and models, we act as data controller. For interactions where we process personal data strictly on documented instructions from a Client (for example, handling that Client's customer conversations), we usually act as processor and the Client remains controller. The relevant role will be set out in our contract / data‑processing agreement.

Contact details:

Legal entity: Deep Voice AI Limited
Address: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
Email: info@deepvoiceai.co
If applicable, EU/UK representative and DPO details.

2. Categories of personal data we process

Depending on configuration and channel (voice, chat, contact forms, integrations), we may process:

Identification and contact data: name, email, phone number, customer ID, account references.
Interaction data: call audio, transcripts, chat logs, timestamps, channel identifiers, agent IDs.
Context and metadata: issue type, queue, outcome tags, satisfaction scores, notes added by staff.
Technical data: IP address, device/browser info, log files, identifiers for security and fraud monitoring.
Profiling attributes derived from interactions: communication patterns, topic clusters, likely intent, churn or satisfaction indicators (always at the level agreed with the Client).

We do not intend to collect special‑category data (e.g. health, religion) or data on criminal offences through the Services. If a Client chooses to send such data, they must ensure a lawful basis and appropriate safeguards.

3. Purposes and legal bases

We use personal data for the purposes and legal bases below (under UK/EU GDPR Articles 6 and 22):

Provision of AI Business Agent Services
Handling and routing customer enquiries, generating responses, creating tickets, updating systems.
Legal basis: performance of contract with the Client or legitimate interests in providing B2B services (for end‑customers).
Training, evaluation and improvement of models and agents
Using interaction records (e.g. voice, transcripts) to train, fine‑tune and evaluate LLMs and task‑specific models, to improve accuracy, safety, routing and language understanding.
Legal basis: legitimate interests in improving and securing our AI models and Services, balanced with strong safeguards (pseudonymisation, access control, data‑minimisation).
AI profiling, performance monitoring and trend analysis
Analysing transcripts and metadata to produce non‑manual classifications (e.g. topic, sentiment, intent), agent quality metrics, capacity forecasts and customer‑journey insights for Clients.
Legal basis: legitimate interests (our and the Client's interest in quality assurance, service optimisation and analytics).
Automated decision‑making
Using automated logic to:
- route interactions to appropriate queues or channels;
- prioritise or label conversations;
- provide suggested or automated responses based on learned patterns.
These decisions typically do not produce legal or similarly significant effects on individuals within the meaning of Article 22 GDPR.
Where a Client configures use‑cases that may have such effects, we will ensure an appropriate legal basis (contract necessity or explicit consent) and safeguards such as the right to obtain human intervention, express a view and contest the decision, as required by Article 22(3).
Client reporting
Producing dashboards and reports for Clients (e.g. volumes, handling times, satisfaction measures, trends and model performance).
Legal basis: performance of contract and legitimate interests in enabling Clients to understand and improve their operations.
Security, fraud prevention and compliance
Monitoring logs for abuse, intrusion attempts, misuse of AI agents and to comply with legal or regulatory obligations.
Legal basis: legal obligation and/or legitimate interests in securing systems.
Marketing and relationship management (B2B contacts only)
Communicating with Client contacts about service updates, new features and events.
Legal basis: legitimate interests or, where required by e‑privacy rules, consent.

4. Retention periods

We keep personal data only for as long as necessary for the purposes above:

Live service data (voice and text interactions, logs): retained for the duration of the Client agreement and then archived or deleted in line with Client instructions.
Training, evaluation and analytics data: unless a shorter period is agreed, we may retain pseudonymised or aggregated records for up to three (3) years after the end of the Client agreement to maintain, audit and improve models, defend legal claims and produce historic benchmarks.
Client contact details and contract records: kept for the contract term plus typical limitation periods (e.g. 6 years in the UK) for tax and legal purposes.

Where feasible, we will pseudonymise, aggregate, tokenise or anonymise data so individuals can no longer be identified.

5. Recipients and international transfers

We may share personal data with:

The relevant Client (as controller) and its authorised users.
Our sub‑processors (cloud hosting, telephony, analytics, security, support) under written data‑processing agreements.
Professional advisers (lawyers, auditors, insurers) where necessary.
Regulators or authorities where required by law.

If data is transferred outside the UK/EU/EEA, we will rely on an adequacy decision or appropriate safeguards such as Standard Contractual Clauses plus additional technical and organisational measures.

6. Automated decision‑making and profiling - more detail

Where our systems conduct profiling or automated decision‑making:

Logic involved: models analyse the content and metadata of interactions to classify topics, sentiment and intent, match them to pre‑defined workflows and generate likely responses. Models are trained on historic data and continuously improved.
Significance and consequences: outputs influence how quickly and where a query is routed, whether a suggested response is provided to an agent, and what is displayed in analytics dashboards. In standard configurations they do not make binding decisions about eligibility for services, pricing or legal rights.
Rights: where Article 22 GDPR applies, individuals have the right not to be subject to a decision based solely on automated processing that has legal or similarly significant effects, and to obtain human intervention, express their point of view and contest the decision. Requests can be made using the contact details in section 1.

7. Your GDPR / UK GDPR rights

Depending on the circumstances and whether we act as controller or processor, individuals have the right to:

access their personal data and receive a copy;
request correction of inaccurate or incomplete data;
request erasure ("right to be forgotten") in certain situations;
request restriction of processing;
object to processing based on legitimate interests, including profiling for analytics or marketing;
data portability for information provided to us in a structured, commonly used and machine‑readable format;
withdraw consent at any time where processing is based on consent;
lodge a complaint with a supervisory authority (e.g. ICO in the UK or their local data‑protection authority).

For most service interactions we process data on behalf of a Client. In those cases, individuals should address their requests to the relevant Client as controller; we will support the Client in responding.

Learn more

8. Security

We implement appropriate technical and organisational measures to protect personal data, including encryption in transit and at rest, role‑based access controls, logging and monitoring, regular security testing and staff training.

9. Contact and changes

If you have questions about this Privacy Policy or how we process personal data, contact us at: info@deepvoiceai.co.

We may update this Policy from time to time; the latest version will always be available on our website, with a revised "Last updated" date.