← Back to HulloDesk

Privacy Policy

Effective Date: March 1, 2026 • Last Updated: March 1, 2026 • Version 2.0.0

1. Introduction & Scope

This Privacy Policy ("Policy") describes how HulloDesk ("we", "us", "our", or "Company") collects, uses, processes, stores, shares, and protects personal information when you ("Customer", "User", or "you") use our AI voice agent platform and related services ("Services").

By using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, you must immediately discontinue use of the Services.

Business Entity: HulloDesk is operated by HulloDesk LLC ("Company"), located at [Address — update before launch]. For privacy inquiries, contact us at privacy@hullodesk.com.

2. Legal Compliance Framework

HulloDesk is designed to comply with the following regulations and industry standards:

  • TCPA & TSR ComplianceTelephone Consumer Protection Act

    Prior express written consent tracking, Do-Not-Call (DNC) registry enforcement, and automated STOP request handling.

  • GDPR (EU Regulation 2016/679)General Data Protection Regulation

    Data minimization, lawful processing basis, automated Subject Access Request (SAR), and Right to Erasure tools.

  • CCPA & CPRA (California)California Privacy Rights Act

    Consumer rights to know, delete, opt-out of sale/sharing, and limit use of sensitive personal information.

  • BIPA (Illinois)Biometric Information Privacy Act

    We do NOT collect, store, or process biometric identifiers, voiceprints, or faceprints.

  • HIPAA SafeguardsHealthcare Data (if applicable)

    If you process Protected Health Information (PHI), a Business Associate Agreement (BAA) is required. Contact us to execute a BAA.

  • SOC 2 Type II & ISO 27001Security Certifications

    Our infrastructure partners maintain SOC 2 Type II and ISO 27001 certifications. Audit reports available upon request to enterprise customers.

3. Information We Collect

3.1 Information You Provide Directly

  • Account Information: Name, email address, business name, phone number, and billing address.
  • Payment Information: Credit card details processed and stored by our PCI-DSS Level 1 certified payment processor. We do NOT store full credit card numbers.
  • Lead & Customer Data: Names, phone numbers, email addresses, appointment data, and custom notes that you upload or input into the platform.
  • Consent Records: Date, time, IP address, and method of consent collection (required for TCPA compliance).

3.2 Information Collected Automatically

  • Call Data: Audio recordings, AI-generated transcripts, call duration, timestamps, and call outcomes (e.g., qualified, booked, voicemail).
  • Usage Analytics: IP addresses, browser type, device information, pages visited, and feature usage (via third-party analytics tools).
  • Cookies: Authentication tokens, session identifiers, and analytics cookies. See Section 9 for cookie management.
  • Log Data: Server logs including IP addresses, timestamps, and API request metadata.

3.3 Information from Third Parties

  • CRM Integrations: If you connect third-party CRM systems, we receive lead and job data from those platforms as authorized by you.
  • Calendar Integrations: Appointment scheduling data from third-party calendar services you choose to connect.

4. How We Use Your Information

We use collected information for the following lawful purposes:

  • Service Delivery: Processing AI voice calls, SMS follow-ups, appointment bookings, and post-job review calls.
  • Billing & Payment: Processing subscriptions, metered usage billing, and invoicing through our payment processor.
  • Compliance & Legal Obligations: Maintaining TCPA consent records, DNC registry enforcement, and responding to lawful requests from authorities.
  • Platform Improvement: Analyzing usage patterns to improve AI agent performance, add features, and optimize user experience.
  • Customer Support: Responding to inquiries, troubleshooting technical issues, and providing training resources.
  • Security & Fraud Prevention: Detecting and preventing unauthorized access, abuse, and fraudulent activity.
  • Marketing (with opt-in consent): Sending product updates, feature announcements, and promotional offers. You may opt-out anytime via the unsubscribe link.

5. Third-Party Service Providers & Data Processors

We engage trusted third-party processors to deliver our Services. All processors are bound by Data Processing Agreements (DPAs) and contractually required to maintain equivalent security standards.

Service CategoryPurposeData SharedLocation
Database & AuthenticationSecure data storage, user authenticationAccount data, lead informationUS (SOC 2 certified)
AI Voice ProcessingVoice agent interactions, call analysisCall audio, transcripts, metadataUS
Cloud CommunicationsSMS delivery, telephony infrastructurePhone numbers, message contentUS
Payment ProcessingSubscription billing, payment handlingBilling details, payment cardsUS (PCI-DSS Level 1 certified)
Product AnalyticsUsage tracking, feature optimizationAnonymized usage patterns, IP addressesUS (GDPR-compliant)
File StorageCall recording storage, backupAudio files, transcriptsUS (AES-256 encrypted)
Appointment SchedulingCalendar sync, booking managementCalendar availability, appointment dataUS/EU
Transactional EmailAutomated notifications, receiptsEmail addresses, notification contentUS

Vendor Disclosure: A complete list of our current data processors is available upon request to enterprise customers. Contact privacy@hullodesk.com for vendor-specific Data Processing Agreements (DPAs).

International Data Transfers: If you are located outside the United States, your data may be transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for GDPR compliance.

6. Data Retention & Deletion

  • Account Data: Retained for the duration of your active subscription plus 90 days after cancellation (for billing reconciliation and potential reactivation).
  • Call Recordings & Transcripts: Retained for 2 years by default for quality assurance and compliance audits. You may request earlier deletion.
  • TCPA Consent Records: Retained for 5 years as required by FCC regulations and legal defensibility requirements.
  • Financial Records: Retained for 7 years to comply with tax and accounting regulations.
  • Backups: Deleted data may persist in encrypted backups for up to 90 days before permanent purging.

7. Your Privacy Rights

7.1 GDPR Rights (EU/UK/EEA Residents)

  • Right to Access: Request a copy of all personal data we hold about you (Subject Access Request).
  • Right to Rectification: Correct inaccurate or incomplete data.
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your data (subject to legal retention obligations).
  • Right to Restriction: Limit how we process your data in certain circumstances.
  • Right to Data Portability: Receive your data in a machine-readable format (JSON export).
  • Right to Object: Opt-out of processing for direct marketing or legitimate interest purposes.
  • Right to Withdraw Consent: Revoke previously granted consent at any time.
  • Right to Lodge a Complaint: File a complaint with your local Data Protection Authority (DPA).

7.2 CCPA/CPRA Rights (California Residents)

  • Right to Know: Request disclosure of data collected, sources, purposes, and third-party sharing.
  • Right to Delete: Request deletion of personal information (with exceptions for legal compliance).
  • Right to Opt-Out of Sale/Sharing: We do NOT sell or share personal information for cross-context behavioral advertising.
  • Right to Limit Use of Sensitive Personal Information: Applicable if we process sensitive data beyond service delivery.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

📧 How to Exercise Your Rights

To exercise any of the above rights, email us at: privacy@hullodesk.com

Or use our automated tools in your account dashboard:

  • Data Export: Settings → Privacy → Download My Data (JSON format)
  • Account Deletion: Settings → Privacy → Delete My Account (irreversible)

Response Time: We will respond to verifiable requests within 30 days (45 days if complex). We may require identity verification to prevent fraudulent requests.

8. Security Measures

We implement industry-standard technical and organizational measures to protect your data:

  • Encryption: AES-256 encryption at rest for all database records and file storage. TLS 1.3 for all data in transit.
  • Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA) for admin accounts, and least-privilege principle enforcement.
  • Infrastructure Security: Hosted on SOC 2 Type II certified cloud infrastructure. Regular penetration testing and vulnerability scanning.
  • Logging & Monitoring: Real-time intrusion detection, automated anomaly alerts, and comprehensive audit trails.
  • Data Anonymization: Automated PII redaction for analytics and AI model training (opt-in only).
  • Incident Response: Documented breach notification procedures compliant with GDPR (72-hour notification) and state breach notification laws.

No system is 100% secure. While we implement best-in-class security, you are responsible for maintaining the confidentiality of your account credentials and notifying us immediately of any unauthorized access.

9. Cookies & Tracking Technologies

We use cookies and similar technologies for authentication, analytics, and user experience optimization:

  • Strictly Necessary Cookies: Authentication tokens, session management (cannot be disabled without breaking functionality).
  • Analytics Cookies: Third-party usage tracking for product improvement (can be opted out via Do Not Track browser settings).
  • Preference Cookies: Theme selection, language settings, and UI customization.

Cookie Management: Configure your browser to block or delete cookies. Note that disabling necessary cookies will impair platform functionality.

10. Children's Privacy (COPPA Compliance)

Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from minors. If we discover that we have inadvertently collected data from a child under 13, we will delete it immediately. If you believe we have collected such data, contact us at privacy@hullodesk.com.

11. Do Not Track (DNT) Signals

We honor Do Not Track (DNT) browser signals. When DNT is enabled, we disable optional analytics tracking (PostHog). Note that essential authentication and security cookies remain active.

12. Data Breach Notification

In the event of a data breach that compromises your personal information, we will:

  • Notify affected users via email within 72 hours of discovering the breach (GDPR requirement).
  • Report the breach to relevant supervisory authorities as required by law.
  • Provide details on the nature of the breach, types of data affected, and remediation steps taken.
  • Offer credit monitoring services (if applicable) for breaches involving financial or identity data.

13. California Shine the Light Law

California residents may request information about our disclosure of personal information to third parties for direct marketing purposes. We do NOT share personal information with third parties for their direct marketing purposes.

14. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or service features. Material changes will be communicated via:

  • Email notification to your registered account email address.
  • Prominent in-app banner notification for 30 days.
  • Updated "Last Updated" date at the top of this page.

Continued use of the Services after the effective date constitutes acceptance of the updated Policy. If you do not agree, you must discontinue use and may request account deletion.

15. Contact Information & Data Protection Officer

For privacy inquiries, data subject requests, or security concerns:

  • Email: privacy@hullodesk.com
  • Mailing Address: HulloDesk LLC, [Address — update before launch]
  • Data Protection Officer (DPO): Not applicable (US-based B2B SaaS; no EU establishment)
  • EU Representative: Not applicable (US-based B2B SaaS; no EU establishment)

Revision History & Audit Log

Mar 1, 2026v2.0.0 Enhanced Industry-Standard Protections
Feb 28, 2026v1.0.0 Initial Enterprise Release
ComplianceTCPA • GDPR • CCPA • BIPA • COPPA • SOC 2 Validated

Disclaimer: This Privacy Policy is provided for informational purposes and does not constitute legal advice. Consult with a licensed attorney to ensure compliance with applicable laws in your jurisdiction. HulloDesk makes no warranties regarding the legal sufficiency of this Policy.