We handle calls and personal data on behalf of your business. Here is exactly what we collect, who we share it with, how long we keep it, and how we protect it.
| Data Type | Source | Purpose | Retention |
|---|---|---|---|
| Caller name | Captured during call | Lead identification | Until deletion request or contract end |
| Caller phone number | Caller-provided or Twilio CLI | Callback & lead record | Until deletion request or contract end |
| Call reason / message | Captured during call | Lead qualification & SMS summary | Until deletion request or contract end |
| Call recording (audio) | Twilio recording | Quality, dispute resolution | 60 days, then auto-deleted |
| Call transcript (text) | AI transcription | Lead summary generation | 60 days, then auto-deleted |
| Call metadata | Twilio logs | Billing, debugging | 90 days |
| Business owner phone | Client onboarding | SMS notifications | Duration of contract |
| Website contact form | Visitors to this site | Responding to enquiries | 12 months |
We use the following third-party providers to deliver our service. Each is a reputable provider with its own data protection commitments.
twilio.com | United States (with UK/EU data handling options)
Purpose: Voice call handling, SMS delivery, call routing. Twilio processes inbound and outbound calls and stores call recordings on our behalf. We use Twilio in compliance with UK GDPR standard contractual clauses.
supabase.com | AWS EU-West (Ireland)
Purpose: Secure database storage for call records, lead data, and client configuration. Data is stored in the EU (Ireland) region and is encrypted at rest and in transit.
openai.com | United States (data processing agreement in place)
Purpose: Intent classification only — used to understand the caller's reason for calling and urgency level. We do not send full call content or personal identifiers to OpenAI. OpenAI does not use API data to train models.
Railway or Render | United States or EU
Purpose: Hosting the application server that handles call routing and lead processing. The server does not store personal data directly — it writes to Supabase and passes calls through Twilio.
We do not sell, rent, or share personal data with any third party for marketing or advertising purposes. We will update this subprocessor list when we make changes. Business clients with a Data Processing Addendum will be notified of material changes.
All data transmitted between your callers, Twilio, and our servers uses TLS encryption. No data travels over unencrypted connections.
Data stored in our database (Supabase/PostgreSQL) is encrypted at rest using AES-256 encryption provided by the cloud infrastructure.
Database access is restricted to the application server using service role keys. There is no public access to raw data. Admin access is limited to authorised personnel only.
Call recordings and call transcripts are automatically deleted after 60 days. No manual step is required.
All call events are logged with timestamps. This provides an audit trail for disputes and ensures accountability.
Lead and call data is stored in EU-region databases (AWS Ireland). International transfers use appropriate safeguards under UK GDPR.
Every call handled by our AI plays a recording disclaimer at the very start: "This call may be recorded for quality and training purposes." This is a non-negotiable part of the system and cannot be disabled by clients.
We process caller data on the lawful basis of legitimate interests (providing a call management service that the calling business has contracted with us to deliver). Lead data is processed under contract (performing our service agreement with clients).
Callers whose data we hold have the right to:
To exercise any of these rights, contact: support@dlxsolutions.co.uk
If you have an unresolved complaint about how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
If you become aware of or suspect a data breach or security incident involving our services, please contact us immediately at support@dlxsolutions.co.uk. We take all reports seriously and will respond within 24 hours.
For business clients requiring a formal Data Processing Addendum (DPA) for their own GDPR compliance, please contact us and we will provide one. See also our full Privacy Policy.