Privacy Policy — Callio

Effective date: 2026-06-04 · Last updated: 2026-06-11

This Privacy Policy explains how Wojciech Szymański (Alchemicy AI) ("Callio", "we", "us") collects, uses, and shares information in connection with the Callio AI voice receptionist service, our website, dashboard, and mobile app (the "Service").

Controller / contact: Wojciech Szymański (Alchemicy AI), Poznań, Poland. Email: [email protected].

1. Who our users are

• Business customers ("Customers"): businesses that subscribe to Callio to answer their phone calls.
• Callers ("End Callers"): people who call a Customer's business phone number that Callio answers.

2. Information we collect

From Customers (account): name, business name, business phone number, email, login credentials (hashed), billing details (processed by Stripe — we do not store card numbers), agent configuration, and usage data (minutes, call counts).

From End Callers (during calls): the phone number you call from, the audio recording and transcript of the call, and information you provide during the call (e.g., name, vehicle/appointment details, the reason for your call). We generate an AI summary of the call for the Customer, and we keep a per-caller profile (e.g., name and prior-call facts) so the Customer can recognise returning callers.

Automatically: device/app diagnostics, log data, and (for the website) standard analytics and cookies.

3. Call recording, transcription & AI disclosure

• Calls answered by Callio are recorded and transcribed to book appointments and provide the Customer with a summary. At the start of each call, the AI assistant discloses that the call is recorded and that the caller is speaking with an automated AI assistant. By continuing the call after this disclosure, the caller consents to the recording and transcription.
• We apply an all-party-consent standard to call recording across all U.S. states.
• We do not create or store voiceprints/biometric voice identifiers of callers.

4. How we use information

• Provide the Service: answer calls, book appointments, generate summaries, recognise returning callers, and send the Customer (business owner) an in-app push notification summary.
• Billing, support, security, fraud prevention, and service improvement.
• Comply with legal obligations.

Notification policy: We deliver operational notifications (e.g., call summaries) to the Customer (business owner) as in-app push notifications. We do not send SMS or any messages to End Callers. Customers can disable push notifications in their device settings.

5. How we share information

We share information with service providers (subprocessors) strictly to operate the Service:

• Twilio — telephony and phone numbers. · ElevenLabs — AI voice / conversational AI + transcription. · Anthropic (Claude) — call summarization. · Stripe — payments. · Hetzner (Germany, EU) — hosting/infrastructure.

We require these providers to protect information under data-processing terms. We do not sell personal information. We may disclose information to comply with law or protect rights/safety.

6. Legal bases (GDPR / EEA)

Where GDPR/RODO applies, we process: (a) to perform our contract with Customers; (b) on legitimate interests (operating, securing, and improving the Service; B2B outreach) balanced against your rights; (c) to comply with legal obligations; and (d) on consent where required (e.g., call recording).

7. Your rights

• EEA/UK (GDPR/RODO): access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with a supervisory authority (in Poland: Prezes Urzędu Ochrony Danych Osobowych, UODO).
• California (CCPA/CPRA): know, delete, correct, and opt out of "sale"/"sharing" (we do not sell). We do not discriminate for exercising rights.
• Account holders can delete their account and associated data in-app (Settings → Delete account) or by emailing [email protected].

To exercise rights, contact [email protected]. End Callers may request deletion of their call data by contacting us or the relevant Customer.

8. Data retention

We retain End-Caller call recordings, transcripts, summaries, and per-caller profiles for up to 12 months (or a shorter period the Customer configures, or longer where required by law), after which they are deleted or anonymised. Account data is retained while the account is active and for a reasonable period afterward for legal/accounting needs.

9. International transfers

We are based in Poland (EU); our providers may process data in the United States and elsewhere. Where required, transfers rely on appropriate safeguards (e.g., Standard Contractual Clauses).

10. Security

We use industry-standard measures (encryption in transit, hashed passwords, access controls, JWT-based auth, tenant isolation). No method is 100% secure.

11. Children

The Service is for businesses and is not directed to children under 16. We do not knowingly collect their data.

12. Google API Services & Google Calendar integration

Callio offers an optional integration with Google Calendar so your AI receptionist can check availability and create, update, or cancel appointment events on calendars you own. If you connect Google Calendar:

• What we access: with your explicit OAuth consent, we access events on calendars you own (scope: calendar.events.owned) solely to read availability for booking and to create, update, or cancel appointment events made through Callio.
• Limited Use: Callio's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. The use of information received from Google Workspace APIs will adhere to the Google User Data Policy, including the Limited Use requirements.
• No advertising, no AI training: we do not use Google Calendar data for advertising, and we do not use any Google user data to develop, improve, or train generalized or foundation artificial-intelligence and/or machine-learning models. Calendar data is processed per customer, in isolation, only to deliver the booking feature you enabled.
• No human access: humans do not read your calendar data except with your explicit permission (e.g., a support request), where required for security or legal compliance, or where the data is aggregated and anonymised.
• Retention & revocation: Google OAuth tokens are stored encrypted and deleted when you disconnect the integration or delete your account. You can revoke Callio's access at any time in the app or at myaccount.google.com/permissions.

13. Changes

We may update this Policy; we will post the new effective date and, for material changes, notify Customers.

14. Contact

Wojciech Szymański (Alchemicy AI), Poznań, Poland · [email protected]