We handle calls and personal data on behalf of your business. Here is exactly what we collect, who we share it with, how long we keep it, and how we protect it.
| Data Type | Source | Purpose | Retention |
|---|---|---|---|
| Caller name | Captured during call | Lead identification | 180 days, then auto-deleted |
| Caller phone number | Caller-provided or Twilio Caller ID | Callback & lead record | 180 days, then auto-deleted |
| Call reason / message | Captured during call | Lead qualification & SMS summary | 180 days, then auto-deleted |
| Call recording (audio) | Twilio recording | Quality, dispute resolution | 60 days, then auto-deleted |
| Call transcript (text) | AI transcription | Lead summary generation | 60 days, then auto-deleted |
| Call metadata | Twilio logs | Billing, debugging | 90 days |
| Business owner phone | Client onboarding | SMS notifications | Duration of contract |
| Website contact form | Visitors to this site | Responding to enquiries | 12 months |
We use the following third-party providers to deliver our service. Each is a reputable provider with their own data protection commitments.
twilio.com | United States (with UK/EU data handling options)
Purpose: Voice call handling, SMS delivery, call routing. Twilio processes inbound and outbound calls and stores call recordings on our behalf. We use Twilio in compliance with UK GDPR standard contractual clauses.
supabase.com | AWS EU-West (Ireland)
Purpose: Secure database storage for call records, lead data, and client configuration. Data is stored in the EU (Ireland) region and is encrypted at rest and in transit.
openai.com | United States (data processing agreement in place)
Purpose: Intent classification and field extraction — used to understand the caller's reason for calling and urgency level, and to extract structured information (name, callback number, call reason) from the caller's spoken responses. Before any text is sent to OpenAI, phone numbers and email addresses are automatically stripped and replaced with placeholder tokens (e.g. [PHONE]). Phone numbers are extracted locally using regex first; OpenAI is only used as a fallback. Caller name is the only personal identifier that may be sent to OpenAI. OpenAI does not use API data to train models. All transfers are covered by OpenAI's Data Processing Agreement and UK GDPR standard contractual clauses.
Railway or Render | United States or EU
Purpose: Hosting the application server that handles call routing and lead processing. The server does not store personal data directly — it writes to Supabase and passes calls through Twilio.
We do not sell, rent, or share personal data with any third party for marketing or advertising purposes. We will update this subprocessor list when we make changes. Business clients with a Data Processing Addendum will be notified of material changes.
All data transmitted between your callers, Twilio, and our servers uses TLS encryption. No data travels over unencrypted connections.
Data stored in our database (Supabase/PostgreSQL) is encrypted at rest using AES-256 encryption provided by the cloud infrastructure.
Database access is restricted to the application server using service role keys. No public access to raw data. Admin access is limited to authorised personnel only.
A scheduled job runs every 6 hours and automatically nulls call recording links and transcripts after 60 days, deletes lead records after 180 days, and deletes call metadata after 90 days. Every run is logged to a cleanup audit table. No manual step required.
All call events are logged with timestamps. This provides an audit trail for disputes and ensures accountability.
Lead and call data is stored in EU-region databases (AWS Ireland). International transfers use appropriate safeguards under UK GDPR.
Every call handled by our AI plays a recording disclaimer at the very start: "This call may be recorded for quality and training purposes." This is a non-negotiable part of the system and cannot be disabled by clients.
We process caller data on the lawful basis of legitimate interests (providing a call management service that the calling business has contracted with us to deliver). Lead data is processed under contract (performing our service agreement with clients).
Callers whose data we hold have the right to:
To exercise any of these rights, contact: support@dlxsolutions.co.uk
If you have an unresolved complaint about how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
If you become aware of or suspect a data breach or security incident involving our services, please contact us immediately at support@dlxsolutions.co.uk. We take all reports seriously and will respond within 24 hours.
A Data Processing Addendum (DPA) is provided to every business client as a standard part of onboarding — not just on request. Because we process personal data (caller information) on behalf of our clients, a signed DPA is required before the service goes live. You can read our standard DPA here. See also our full Privacy Policy.