Effective Date: March 1, 2026 • Last Updated: March 30, 2026 • Version 2.3.0
1. Introduction & Scope
This Privacy Policy ("Policy") describes how HulloDesk ("we", "us", "our", or "Company") collects, uses, processes, stores, shares, and protects personal information when you ("Customer", "User", or "you") use our AI voice agent platform and related services ("Services").
By using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, you must immediately discontinue use of the Services.
Business Entity:HulloDesk is operated by PKR Innovations LLC ("Company"), a California limited liability company. For privacy inquiries, contact us at privacy@hullodesk.com.
2. Legal Compliance Framework
HulloDesk is designed to comply with the following regulations and industry standards:
TCPA & TSR ComplianceTelephone Consumer Protection Act
Prior express written consent tracking, Do-Not-Call (DNC) registry enforcement, and automated STOP request handling.
GDPR (EU Regulation 2016/679)General Data Protection Regulation
Data minimization, lawful processing basis, automated Subject Access Request (SAR), and Right to Erasure tools.
CCPA & CPRA (California)California Privacy Rights Act
Consumer rights to know, delete, opt-out of sale/sharing, and limit use of sensitive personal information.
BIPA (Illinois)Biometric Information Privacy Act
We do NOT collect, store, or process biometric identifiers, voiceprints, or faceprints.
HIPAA SafeguardsHealthcare Data (if applicable)
If you process Protected Health Information (PHI), a Business Associate Agreement (BAA) is required. Contact us to execute a BAA.
SOC 2 Type II & ISO 27001Security Certifications
Our infrastructure partners maintain SOC 2 Type II and ISO 27001 certifications. Audit reports available upon request to enterprise customers. Enterprise customers may request our latest SOC 2 Type II audit report by contacting security@hullodesk.com.
3. Information We Collect
3.1 Information You Provide Directly
Account Information: Name, email address, business name, phone number, and billing address.
Payment Information: Credit card details processed and stored by our PCI-DSS Level 1 certified payment processor. We do NOT store full credit card numbers.
Lead & Customer Data: Names, phone numbers, email addresses, appointment data, and custom notes that you upload or input into the platform.
Consent Records: Date, time, IP address, and method of consent collection (required for TCPA compliance).
Usage Analytics: IP addresses, browser type, device information, pages visited, and feature usage (via third-party analytics tools).
Cookies: Authentication tokens, session identifiers, and analytics cookies. See Section 9 for cookie management.
Log Data: Server logs including IP addresses, timestamps, and API request metadata.
3.3 Information from Third Parties
CRM Integrations: If you connect third-party CRM systems, we receive lead and job data from those platforms as authorized by you.
Calendar Integrations: Appointment scheduling data from third-party calendar services you choose to connect.
Third-Party Data Sources: We may receive information about you from third-party sources including lead generation platforms, public business directories, and data enrichment providers. This data is used solely to provide and improve our services.
3.4 Geolocation Data
We may collect approximate location data derived from your IP address to provide region-relevant services and comply with applicable state privacy laws. We do not collect precise GPS-level location data unless you explicitly grant such permission.
4. How We Use Your Information
We use collected information for the following lawful purposes:
Service Delivery: Processing AI voice calls, SMS follow-ups, appointment bookings, and post-job review calls.
Billing & Payment: Processing subscriptions, metered usage billing, and invoicing through our payment processor.
Compliance & Legal Obligations: Maintaining TCPA consent records, DNC registry enforcement, and responding to lawful requests from authorities.
Platform Improvement: Analyzing usage patterns to improve AI agent performance, add features, and optimize user experience.
Customer Support: Responding to inquiries, troubleshooting technical issues, and providing training resources.
Security & Fraud Prevention: Detecting and preventing unauthorized access, abuse, and fraudulent activity.
Marketing (with opt-in consent): Sending product updates, feature announcements, and promotional offers. You may opt-out anytime via the unsubscribe link.
5. Third-Party Service Providers & Data Processors
We engage trusted third-party processors to deliver our Services. All processors are bound by Data Processing Agreements (DPAs) and contractually required to maintain equivalent security standards.
Subprocessor List
We maintain a public, comprehensive list of all third-party subprocessors used to process Customer data.
International Data Transfers: If you are located outside the United States, your data may be transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for GDPR compliance as detailed in our DPA.
6. Data Retention & Deletion
Account Data: Retained for the duration of your active subscription plus 90 days after cancellation (for billing reconciliation and potential reactivation).
Call Recordings & Transcripts: Retained for 2 years by default for quality assurance and compliance audits. You may request earlier deletion.
TCPA Consent Records: Retained for 5 years as required by FCC regulations and legal defensibility requirements.
Financial Records: Retained for 7 years to comply with tax and accounting regulations.
Backups: Deleted data may persist in encrypted backups for up to 90 days before permanent purging.
7. Your Privacy Rights
7.1 GDPR Rights (EU/UK/EEA Residents)
Right to Access: Request a copy of all personal data we hold about you (Subject Access Request).
Right to Rectification: Correct inaccurate or incomplete data.
Right to Erasure ("Right to be Forgotten"): Request deletion of your data (subject to legal retention obligations).
Right to Restriction: Limit how we process your data in certain circumstances.
Right to Data Portability: Receive your data in a machine-readable format (JSON export).
Right to Object: Opt-out of processing for direct marketing or legitimate interest purposes.
Right to Withdraw Consent: Revoke previously granted consent at any time.
Right to Lodge a Complaint: File a complaint with your local Data Protection Authority (DPA).
7.2 CCPA/CPRA Rights (California Residents)
Right to Know: Request disclosure of data collected, sources, purposes, and third-party sharing.
Right to Delete: Request deletion of personal information (with exceptions for legal compliance).
Right to Opt-Out of Sale/Sharing: We do NOT sell or share personal information for cross-context behavioral advertising.
Right to Limit Use of Sensitive Personal Information: Applicable if we process sensitive data beyond service delivery.
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
7.3 Other US State Privacy Rights (VA, CO, TX, CT)
Residents of Virginia, Colorado, Texas, and Connecticut have specific privacy rights under their respective state laws (VCDPA, CPA, TDPSA, and CTDPA):
Right to Confirm & Access: Confirm whether we are processing your personal data and access such data.
Right to Correct: Correct inaccuracies in your personal data, taking into account the nature of the data and purposes of processing.
Right to Delete: Delete personal data provided by or obtained about you.
Right to Portability: Obtain a copy of your personal data in a portable and readily usable format.
Right to Opt-Out: Opt-out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
Right to Appeal: If we decline to take action regarding your request, you have the right to appeal our decision within a reasonable period.
📧 How to Exercise Your Rights
To exercise any of the above rights, email us at: privacy@hullodesk.com
Or use our automated tools in your account dashboard:
Data Export: Settings → Privacy → Download My Data (JSON format)
Account Deletion: Settings → Privacy → Delete My Account (irreversible)
Response Time: We will respond to verifiable requests within 30 days (45 days if complex). We may require identity verification to prevent fraudulent requests.
8. GDPR Lawful Bases for Processing (Article 6)
For users in the EU, UK, or EEA, we identify the following lawful bases under GDPR Article 6 for each processing activity:
Processing Activity
Lawful Basis
Notes
Account creation & service delivery
Art. 6(1)(b) — Contract
Necessary to perform the subscription contract
Billing & payment processing
Art. 6(1)(b) — Contract
Required for subscription management and metered billing
AI voice call processing & transcripts
Art. 6(1)(b) — Contract
Core service feature; also relies on TCPA consent collected separately
TCPA consent records & DNC enforcement
Art. 6(1)(c) — Legal obligation
FCC regulations require 5-year consent record retention
Product analytics & usage tracking
Art. 6(1)(f) — Legitimate interest
Improving platform performance; opt-out available via cookie settings
Marketing emails & product updates
Art. 6(1)(a) — Consent
Opt-in at signup; unsubscribe link in every email
Security, fraud prevention & logging
Art. 6(1)(f) — Legitimate interest
Protecting platform integrity and preventing unauthorized access
Customer support & troubleshooting
Art. 6(1)(b) — Contract
Required to deliver support services under the subscription
Financial record retention (7 years)
Art. 6(1)(c) — Legal obligation
US tax and accounting regulations require 7-year retention
Legitimate Interest Balancing Test: Where we rely on legitimate interests, we have conducted a balancing test confirming that our interests are not overridden by your fundamental rights. You may request our balancing test documentation by emailing privacy@hullodesk.com.
9. AI Data Practices & Automated Decision-Making (GDPR Article 22)
9.1 Call Transcript & Recording Storage
HulloDesk processes voice call audio through our AI voice provider to generate transcripts, sentiment analysis, and call summaries. These are stored in our database and associated with your customer records. Transcripts are retained for 2 years by default and may be deleted earlier upon request to privacy@hullodesk.com.
9.2 AI Training Data
We do NOT use your call recordings, transcripts, or customer data to train AI models without your explicit written consent. Our AI voice models are operated by our AI voice provider, which is bound by its own data processing terms. If you wish to contribute anonymized interaction data to model improvement programs, you may opt in via Settings → Privacy.
HulloDesk uses automated processing that may produce decisions affecting your customers. Specifically:
Sentiment classification: AI analyzes call audio to classify customer sentiment (happy/unhappy/neutral). This affects whether a review request SMS is sent.
Lead qualification scoring: AI classifies whether a caller is a qualified lead based on conversation content. This affects follow-up sequencing.
Call outcome categorization: AI determines if a call ended in a booking, voicemail, or no-answer, affecting retry scheduling.
Your rights under Article 22: If you are subject to these automated decisions and believe they have significant effects on you, you have the right to: (1) request human review of any decision, (2) express your point of view, and (3) contest the decision. Contact privacy@hullodesk.com to exercise these rights.
Note for business operators: You are responsible for ensuring your customers are aware that AI agents are used in your business communications, as required by FCC AI disclosure rules effective 2025.
9.4 Profiling
We create call outcome profiles for leads (e.g., "called twice, no answer, voicemail left") to manage follow-up sequences. This profiling is limited to service delivery and does not involve any evaluation of personal characteristics unrelated to call outcomes. No profiling data is sold or shared with third parties.
10. Security Measures
We implement industry-standard technical and organizational measures to protect your data:
Encryption: AES-256 encryption at rest for all database records and file storage. TLS 1.3 for all data in transit.
Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA) for admin accounts, and least-privilege principle enforcement.
Infrastructure Security: Hosted on SOC 2 Type II certified cloud infrastructure. Regular penetration testing and vulnerability scanning.
Data Anonymization: Automated PII redaction for analytics and AI model training (opt-in only).
Incident Response: Documented breach notification procedures compliant with GDPR (72-hour notification) and state breach notification laws.
No system is 100% secure. While we implement best-in-class security, you are responsible for maintaining the confidentiality of your account credentials and notifying us immediately of any unauthorized access.
11. Cookies & Tracking Technologies
We use cookies and similar tracking technologies. The following table describes each cookie type in use:
Category
Cookie / Technology
Purpose
Can Opt Out?
Strictly Necessary
Supabase auth tokens, session cookies
Authentication, session management
No — required
Preference
Theme selection (light/dark)
UI customization
Optional
Analytics
PostHog (session replay, funnel analysis)
Product improvement, feature usage tracking
Yes — see below
Analytics
Google Analytics 4 (if enabled)
Traffic analysis, conversion tracking
Yes — see below
Compliance
hullodesk_cookie_consent (localStorage)
Storing your cookie preferences
No — required
Manage Your Cookie Preferences
You can change your analytics cookie preferences at any time. Your choice is stored in your browser and will persist across visits.
Browser Controls: You may also configure your browser to block or delete all cookies. Note that blocking strictly necessary cookies will impair platform authentication.
12. Children's Privacy (COPPA Compliance)
Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from minors. If we discover that we have inadvertently collected data from a child under 13, we will delete it immediately. If you believe we have collected such data, contact us at privacy@hullodesk.com.
13. Do Not Track (DNT) Signals
We honor Do Not Track (DNT) browser signals. When DNT is enabled, we disable optional analytics tracking (PostHog). Note that essential authentication and security cookies remain active.
14. Data Breach Notification
In the event of a data breach that compromises your personal information, we will:
Notify affected users via email within 72 hours of discovering the breach (GDPR requirement).
Report the breach to relevant supervisory authorities as required by law.
Provide details on the nature of the breach, types of data affected, and remediation steps taken.
Offer credit monitoring services (if applicable) for breaches involving financial or identity data.
15. California Shine the Light Law
California residents may request information about our disclosure of personal information to third parties for direct marketing purposes. We do NOT share personal information with third parties for their direct marketing purposes.
16. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or service features. Material changes will be communicated via:
Email notification to your registered account email address.
Prominent in-app banner notification for 30 days.
Updated "Last Updated" date at the top of this page.
Continued use of the Services after the effective date constitutes acceptance of the updated Policy. If you do not agree, you must discontinue use and may request account deletion.
17. Contact Information & Data Protection Officer
For privacy inquiries, data subject requests, or security concerns:
Email: privacy@hullodesk.com
Mailing Address: PKR Innovations LLC, 28 Geary St., Suite 650 PMB 5345, San Francisco, CA 94108, United States
Data Protection Officer (DPO): Not applicable (US-based B2B SaaS; no EU establishment)
EU Representative: Not applicable (US-based B2B SaaS; no EU establishment)
18. Data Residency & Sovereignty
HulloDesk is committed to providing transparency regarding where your data is stored and processed.
Primary Storage: All primary production data, including lead records, job data, and account information, is stored on SOC 2 Type II certified servers located exclusively within the United States.
AI Processing: Voice and text processing performed by our AI models occurs on US-based infrastructure. We do not use non-US data centers for real-time inference.
Backup Sovereignty: Encrypted backups are stored in geo-redundant US-based data centers to ensure disaster recovery without cross-border data transfer.
For international customers requiring specific regional data residency (e.g., EU-only), please contact enterprise@hullodesk.com to discuss custom deployment options.
Revision History & Audit Log
Mar 30, 2026v2.4.0 Standalone Subprocessors & DPA Pages Linked
Mar 30, 2026v2.3.0 US State Privacy Rights (VA, CO, TX, CT) Added
Mar 30, 2026v2.2.0 GDPR Lawful Bases Table + AI Data Practices Disclosure Added
Mar 26, 2026v2.1.0 Data Residency & Sovereignty Clause Added
Mar 1, 2026v2.0.0 Enhanced Industry-Standard Protections
Disclaimer: This Privacy Policy is provided for informational purposes and does not constitute legal advice. Consult with a licensed attorney to ensure compliance with applicable laws in your jurisdiction. HulloDesk makes no warranties regarding the legal sufficiency of this Policy.