GDPR Compliant

Privacy Policy

Last updated: 10 February 2026

PhoneSteward Ltd (“we”, “us”, “our”) is committed to protecting your privacy. This policy explains how we collect, use, store, and share your personal data when you use our virtual receptionist services and website.

1. Information We Collect

We collect information you provide directly when you use our services, including:

  • Account information — name, email address, phone number, company name, and billing details when you create an account or subscribe to a plan.
  • Call data — caller phone numbers, call duration, timestamps, call recordings (where consented), transcriptions, and receptionist notes created during calls handled on your behalf.
  • Communication data — messages you send us via email, contact forms, or live chat, including any attachments.
  • Usage data — how you interact with our dashboard, including pages visited, features used, and session duration.
  • Device & technical data — IP address, browser type, operating system, device identifiers, and referring URLs collected automatically through cookies and similar technologies.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing our services — answering calls, scheduling appointments, qualifying leads, and delivering messages to you.
  • Account management — processing payments, sending invoices, and managing your subscription.
  • Service improvement — analysing usage patterns to improve call handling quality, train our receptionists, and enhance our platform.
  • Communication — sending service updates, security alerts, and (with your consent) marketing materials about new features or offerings.
  • Legal compliance — meeting our obligations under applicable laws, responding to legal requests, and protecting our rights.

3. Legal Basis for Processing (GDPR)

If you are in the UK or EEA, we process your personal data under the following legal bases:

  • Contract performance — processing necessary to provide the services you have subscribed to.
  • Legitimate interests — improving our services, preventing fraud, and ensuring network security, where these interests are not overridden by your rights.
  • Consent — where you have given explicit consent, such as for marketing communications or call recording.
  • Legal obligation — where processing is required to comply with applicable law.

4. Call Recording & Transcription

Call recording and transcription are core features of our service. Important details:

  • Calls are recorded only when enabled in your account settings or required by your service plan.
  • All callers are informed that the call may be recorded at the start of each call, in compliance with UK regulations.
  • Recordings are stored encrypted (AES-256) and automatically deleted after your configured retention period (default: 90 days).
  • Transcriptions are generated using secure, HIPAA-compliant AI models and are stored alongside recordings with the same encryption and retention policies.
  • You can disable recording at any time from your dashboard. Existing recordings can be deleted individually or in bulk.

5. Data Sharing & Third Parties

We do not sell your personal data. We share information only in these circumstances:

  • Service providers — cloud hosting (AWS, UK region), payment processing (Stripe), analytics, and communication tools that help us deliver our services. All providers are contractually bound to protect your data.
  • Your integrations — when you connect third-party tools (e.g., Clio, Calendly, Salesforce), we share call data as configured by you.
  • Legal requirements — if required by law, court order, or governmental request.
  • Business transfers — in the event of a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction.

6. Cookies & Tracking

We use cookies and similar technologies to provide and improve our services. For full details on what cookies we use and how to manage them, please see our Cookies Policy.

7. Data Retention

We retain your data only for as long as necessary:

  • Account data — retained for the duration of your account plus 12 months after closure, unless longer retention is required by law.
  • Call recordings & transcriptions — retained per your account settings (default 90 days). HIPAA-covered accounts may have different retention requirements.
  • Billing records — retained for 7 years in accordance with UK tax regulations.
  • Usage & analytics data — retained in anonymised form indefinitely for statistical purposes.

8. International Data Transfers

PhoneSteward Ltd is based in the United Kingdom. Your data is primarily stored in AWS data centres in the UK (eu-west-2, London).

  • Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the ICO.
  • We do not transfer call recordings or transcriptions outside the UK unless explicitly configured by you.
  • Our sub-processors are listed in our Data Processing Agreement, available on request.

9. Your Rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — request correction of inaccurate or incomplete data.
  • Right to erasure — request deletion of your data (subject to legal retention requirements).
  • Right to restrict processing — request that we limit how we use your data.
  • Right to data portability — receive your data in a structured, machine-readable format.
  • Right to object — object to processing based on legitimate interests or for direct marketing.
  • Right to withdraw consent — where processing is based on consent, withdraw it at any time.

10. Data Security

We implement industry-leading security measures to protect your data. For a comprehensive overview of our security practices, certifications, and infrastructure, please visit our Security page.

  • All data encrypted in transit (TLS 1.3) and at rest (AES-256).
  • SOC 2 Type II certified infrastructure.
  • Regular penetration testing and vulnerability assessments.
  • Role-based access controls with multi-factor authentication.

11. Children's Privacy

Our services are not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Post the updated policy on this page with a revised "Last updated" date.
  • Notify you via email or in-dashboard notification at least 14 days before changes take effect.
  • Where required by law, obtain your consent before applying material changes.

Questions about your privacy?

Our Data Protection Officer is available to address any questions or concerns about how we handle your personal data.

privacy@phonestewart.com
PhoneSteward Ltd, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ

ICO Registration Number: ZB123456