Privacy Policy — Vocaryx
Effective date: 2026-05-11 Last updated: 2026-05-11
This Privacy Policy explains what data Vocaryx (“we,” “us”) collects when you (a “Customer”) use our service, what data we process about your customers (the “End Users”) who call you or chat with you on your website, and how we handle that data. Vocaryx is operated by Zephryx LLC, an Oklahoma limited liability company doing business as Vocaryx.
This is a B2B service. Vocaryx is the data processor; you (the business) are the data controller for your End Users. You are responsible for your End Users’ privacy — Vocaryx’s job is to handle their data on your behalf in line with this policy and applicable law.
1. What data we collect
From you (the Customer)
- Account info: business name, contact email, phone, billing address
- Payment info: handled by Stripe; we don’t store full card numbers
- Configuration data: your service catalog, providers, business hours, FAQ, transfer phone number, Google Calendar credentials
- Admin access logs: who logged in, when, from what IP
From your End Users (callers and chatters)
When an End User calls your Vocaryx number or chats via your widget, we process:
- Phone number of the caller (received from Twilio’s webhook)
- Voice audio during the call (passed through our server to a speech-to-text service in real time; not stored as audio)
- Voice transcripts — the text version of the conversation. Stored in our
call_logdatabase. - Caller name + email if they provide it during booking
- Appointment details (service, time, provider) when they book
- Chat messages if they use the web widget
- Caller’s session ID + IP address captured by Twilio (we do not display or store the IP separately)
Data we do NOT collect
- We do not record or store the raw audio of calls. The audio passes through our server transiently for transcription.
- We do not collect financial data from End Users (Vocaryx doesn’t process payments).
- We do not collect data from End Users’ devices beyond what they tell us in conversation.
- We do not use cookies on the chat widget for advertising or cross-site tracking. The widget uses a single session cookie to maintain conversation state during a chat.
2. Why we process this data
| Purpose | Lawful basis (GDPR-style) |
|---|---|
| Operating the AI agent on your behalf | Contract with you (the Customer) |
| Booking appointments and sending confirmations | Contract with you, on instruction from your End User |
| Answering FAQ and routing calls to a human | Legitimate interest (operating the service you hired us for) |
| Sending appointment reminders to End Users | Contract performance (the End User booked an appointment expecting reminders) |
| Logging calls for your debugging and review | Legitimate interest (you need to audit the service) |
| Detecting abuse or operational errors | Legitimate interest (security) |
We do NOT use End User data for marketing, training third-party AI models, advertising, or anything beyond providing the service.
3. Who we share data with
Vocaryx is built on top of several third-party services (“sub-processors”). Each one only receives the minimum data needed to do its job:
| Sub-processor | Data they receive |
|---|---|
| Twilio | Caller phone numbers, voice audio (in real time), webhook events |
| Deepgram | Voice audio (real-time transcription) |
| Anthropic (Claude) | Voice and chat transcript text (full conversation, no PII scrubbing) |
| ElevenLabs / PlayHT | Text the agent will speak (no End User PII unless the agent reads it back) |
| Resend | Email recipient address + email body for confirmations |
| Sentry | Error reports with PII redacted (see “PII scrubbing” below) |
| Neon (Postgres) | All persisted data (call logs, appointment records, tenant configs) |
| Cloudflare | Marketing-site hosting only — no End User data |
| Google Calendar | Appointments, attendee names + emails (on your behalf) |
We do not sell End User data. Ever. We don’t share it with marketers, data brokers, or AI training pipelines.
Aggregate / anonymized data
We may use aggregate, anonymized usage statistics (e.g., “X% of calls result in a booking”) to improve the service. Anonymized data cannot be linked back to a specific End User.
PII scrubbing in error reports
When we send error reports to Sentry, we automatically redact phone numbers, email addresses, transcript content, and other identifiers before the event leaves our server.
4. Where data is stored
- Primary database: Neon Postgres, US-East.
- Application servers: Fly.io, US-East (Ashburn, Virginia).
- Sub-processor data: stored by each sub-processor in their own infrastructure.
If you have End Users in a jurisdiction with data-residency requirements (EU, UK, Canada, etc.), please tell us before going live — Vocaryx’s current architecture stores data in the US, which may require additional contractual safeguards under those laws.
5. How long we keep data
| Data type | Retention period |
|---|---|
Call transcripts (call_log) | 12 months from call date |
| Appointment records (Google Calendar) | Indefinite (managed by you in your calendar) |
| Email and SMS notification logs | 6 months |
| Tenant configuration (your business config) | Lifetime of your subscription + 90 days post-termination |
| Application error logs (Sentry) | 90 days |
| Server access logs | 30 days |
After the retention period expires, data is automatically deleted. If you need data deleted earlier, contact us — we can do it on demand.
After your subscription terminates, see Section 7 of the Terms of Service for the offboarding timeline.
6. Recording and consent (US states)
Vocaryx transcribes every inbound voice call. In some states, this counts as “recording” under all-party consent laws.
Two-party (all-party) consent states: California, Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Pennsylvania, Washington (and a few others depending on interpretation).
To comply, the agent’s opening greeting must include a disclosure when serving callers in or from these states. Vocaryx’s default greeting always includes a generic disclosure (“This call may be monitored or recorded for quality and to help us serve you better”) on every inbound call, regardless of whether audio recording is enabled — because transcripts are always retained and that counts as recording for two-party-consent purposes. You are responsible for ensuring the wording is correct for your jurisdiction.
If you want the agent to use a different disclosure or no disclosure, we can configure that — but only with your written instruction and at your legal risk.
7. End User rights
End Users (your customers who call or chat) have rights under various privacy laws. Because Vocaryx is the processor, not the controller, requests from End Users normally go to you (the controller). When you receive a request, we will help you respond.
Specifically, on your instruction we can:
- Access: export an End User’s data (call transcripts, appointment records) from our system
- Delete: remove an End User’s data from our system, subject to legal retention obligations
- Correct: update incorrect data
- Object / restrict processing: stop using their data for specific purposes
Turnaround: we’ll respond to your forwarded request within 30 days, or sooner where the law requires it (CCPA: 45 days; GDPR: 1 month).
If an End User contacts us directly: we will forward the request to you and confirm to them that you (the business they actually interacted with) is the party responsible for responding.
8. Security
- All data in transit is encrypted via TLS 1.2+
- Stored credentials (Google service account keys, Twilio auth tokens) are encrypted at rest with AES-256-GCM
- Database backups are encrypted
- Access to production data is limited to the platform operator and is audited via Sentry
- We have a documented security incident response plan; serious incidents trigger notification to affected Customers within 72 hours of discovery (or sooner where law requires)
This isn’t a HIPAA-eligible service. Do not use Vocaryx to handle Protected Health Information (PHI) without a separately negotiated Business Associate Agreement; we currently do not offer one.
9. Children
Vocaryx is a B2B service. We do not knowingly process data from children under 13. If you operate a business that serves children (e.g., pediatric clinics), it is your responsibility to ensure your use of Vocaryx complies with COPPA and equivalent laws.
10. International data transfers
If you or your End Users are outside the United States, your data is transferred to the US for processing. We rely on Standard Contractual Clauses (SCCs) for transfers from the EU/UK to the US where applicable.
11. SMS / text messaging — TCPA and CTIA
Vocaryx sends SMS messages on behalf of you (the Customer) to your End Users in three situations:
- Appointment confirmations, reschedules, cancellations — sent when the End User books, reschedules, or cancels through the agent.
- Appointment reminders — sent 24 hours and 1 hour before a scheduled appointment.
- Lead capture confirmations — sent immediately after the agent captures a lead (e.g., a new service request), confirming receipt to the caller.
We do not send marketing SMS. We do not send recurring promotional messages. Every SMS we send is transactional, triggered by a specific End User action (booking, calling, requesting service).
Consent. The End User’s interaction with you — booking through the agent, calling your published business number, or requesting service via your chat widget — is the consent basis for the messages above. You as the Customer are responsible for confirming that this consent flow meets the requirements of TCPA (47 U.S.C. § 227), the CAN-SPAM analog for SMS, and any state-level texting statutes (e.g., Florida’s FTSA, Oklahoma’s TCPA mirror) applicable to the End Users you serve.
Opt-out. Every SMS we send to an End User includes the phrase “Reply STOP to opt out.” Once an End User replies STOP, Twilio (our SMS provider) automatically blocks further messages from your dedicated number to that recipient at the carrier-compliance layer — no further messages can be sent regardless of subsequent triggers. To re-subscribe, the End User must reply START.
HELP. End Users can text HELP at any time. Twilio returns a generic informational reply identifying you (the Customer) as the message source and how to contact you for support.
Frequency. Frequency is event-driven, not scheduled. For a single booked appointment, an End User receives at most: 1 confirmation, 1 reminder-24h, 1 reminder-1h, and (if applicable) 1 reschedule or cancellation notice. For lead capture, 1 confirmation per lead.
Carrier disclaimer. Message and data rates may apply per the End User’s mobile carrier. Vocaryx does not bill End Users; any per-message charges are the End User’s responsibility.
If you (the Customer) want SMS disabled for your tenant entirely, contact us and we will turn off the channel — the agent will continue to operate via voice and email only.
12. California residents — CCPA / CPRA notice
If an End User you serve is a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants them specific rights regarding their personal information. Because Vocaryx is the service provider (the CCPA equivalent of “processor”) and you (the Customer) are the business (controller), End User requests under CCPA normally come to you first; we assist you in responding.
Categories of personal information we process for California End Users (mapped to CCPA categories under Cal. Civ. Code § 1798.140):
- Identifiers — name, phone number, email address
- Commercial information — services requested, appointment history with you
- Internet activity — chat session metadata (timestamps, IP for security)
- Audio information — voice transcripts (audio itself is not stored — see §1)
- Inferences — none (we do not profile End Users)
Purposes — see §2 of this policy. We process only as needed to provide the service you contracted for.
Sources — directly from the End User during the call or chat; not from data brokers or third-party enrichment.
Sale of personal information. We do not sell End User personal information. We do not share End User personal information for cross-context behavioral advertising. This has never been done and is not part of our business model. Vocaryx has no advertising business, no marketing data partnerships, and no resale of any End User data to any third party.
End User rights under CCPA/CPRA — End Users may request to:
- Know what categories of personal information we have collected about them
- Access the specific pieces of personal information we have
- Delete their personal information, subject to legal retention obligations
- Correct inaccurate personal information
- Limit the use of sensitive personal information (we do not collect sensitive PI as defined by CPRA)
- Opt out of sale/sharing (already not happening — see above)
- Non-discrimination for exercising these rights
How to exercise. Direct requests should go to the Customer (the business the End User interacted with). If the End User contacts us directly, we will forward the request and notify them within 10 business days. We will assist the Customer in responding within 45 days (or 90 days with notice, per CCPA § 1798.130).
Authorized agents — End Users may designate an authorized agent to make a request on their behalf, subject to verification of the agent’s authority and the End User’s identity per CCPA regulations.
Complaints — California residents who believe we have violated their rights under CCPA/CPRA may file a complaint with the California Privacy Protection Agency at https://cppa.ca.gov.
13. Changes to this policy
We may update this Privacy Policy from time to time. For material changes, we will notify Customers via email at least 30 days before the change takes effect. The “Last updated” date at the top reflects the most recent revision.
14. Contact us
Privacy questions, requests, or complaints can be sent to:
- Email: privacy@vocaryx.com
If you are not satisfied with our response, you have the right to file a complaint with your local data protection authority (e.g., your state attorney general in the US, your DPA in the EU).