Legal
GDPR & Data Processing
How we handle personal data under the EU and UK General Data Protection Regulation — the roles we play, the safeguards in place, and the rights you can exercise.
Last updated · June 2026
Our commitment
At TelVox, data protection is a design principle, not an afterthought. We process personal data in line with the EU General Data Protection Regulation (Regulation (EU) 2016/679) and the UK GDPR, and we apply the same standards of transparency, security and accountability to everyone whose data we touch. This statement explains the roles we play, the lawful bases we rely on, the rights you hold, and how to reach the people responsible for protecting your data.
It should be read alongside our Privacy Policy, our Cookie Policy and our list of subprocessors. Where this statement refers to entity-specific details that the controller must complete, those appear as bracketed placeholders.
Controller vs processor
The role TelVox plays depends on whose data is involved and why.
TelVox as controller — this website
For personal data collected through telvox.dev — for example, the details you submit through our demo and contact forms (name, work email, company, topic and message) or the email address you provide to receive our newsletter — TelVox acts as the data controller. We decide why and how that data is processed, and we are accountable for it under this statement and our Privacy Policy.
TelVox as processor — the platform
For the personal data our customers route through the TelVox platform — contact records, call recordings, dispositions and related operational data — TelVox acts as a data processor. Our customer is the controller; we process that data only on the customer’s documented instructions, under the terms of a Data Processing Agreement (DPA). The customer remains responsible for the lawful basis, notices and data-subject requests relating to the individuals they contact.
Lawful bases
When TelVox is the controller for this website, we rely on the following lawful bases under Article 6 of the GDPR:
- Legitimate interests — to respond to demo and contact enquiries, to operate and secure the website, and to communicate with prospective customers about our products, balanced against your rights and freedoms.
- Consent — for newsletter subscriptions and for any non-essential cookies, which you can withdraw at any time.
- Contract — where processing is necessary to take steps at your request before entering into, or to perform, a contract with you.
- Legal obligation — where we must process data to comply with a legal or regulatory requirement.
When TelVox is a processor, the lawful basis for processing platform data is determined and documented by our customer as controller.
Your data subject rights
Subject to the conditions in the GDPR, you have the right to:
- Be informed about how your personal data is used.
- Access the personal data we hold about you.
- Rectification of inaccurate or incomplete data.
- Erasureof your data (the “right to be forgotten”) where applicable.
- Restrict or object to processing in certain circumstances, including direct marketing.
- Data portability — to receive your data in a structured, machine-readable format.
- Withdraw consent at any time where processing is based on consent.
- Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects.
How to exercise your rights
To exercise any of these rights for data where TelVox is the controller, email privacy@telvox.dev or our Data Protection Officer at dpo@telvox.dev. We will respond within one month of receiving your request, as required by the GDPR; where a request is complex or numerous, we may extend this by up to two further months and will tell you if we do. Exercising your rights is free of charge in ordinary circumstances. If your request concerns data held by a TelVox customer in the platform (where we are a processor), please contact that customer directly; we will support them in responding.
International data transfers
Where personal data is transferred outside the European Economic Area or the United Kingdom, we put appropriate safeguards in place as required by Chapter V of the GDPR. These may include transfers to countries covered by an adequacy decision, or transfers protected by the European Commission’s Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, together with supplementary technical and organisational measures such as encryption in transit and at rest. The specific mechanism applied to a given transfer is [appropriate safeguards / SCCs]; details are available from our Data Protection Officer on request.
Data Processing Agreement
Customers who process personal data through the TelVox platform can enter into a Data Processing Agreement with us. The DPA sets out the subject matter and duration of processing, the nature and purpose of processing, the types of personal data and categories of data subjects, and the obligations and rights of the controller — in line with Article 28 of the GDPR. Our DPA is available to customers on request: contact us to put one in place. The DPA incorporates our list of subprocessors and the safeguards that apply when we engage them.
Security measures
We apply technical and organisational measures appropriate to the risk, as required by Article 32 of the GDPR. These include:
- AES-256-GCM encryption at rest for recordings and stored secrets, with TLS in transit.
- An append-only audit trail on every sensitive write, with sensitive fields redacted in the log.
- Org-scoped tenant isolation— a request for another organisation’s record returns “not found,” never a leak.
- Short-lived JWT access tokens with single-use refresh rotation, plus configurable retention controls and soft-delete.
TelVox is built for HIPAA workloads — a Business Associate Agreement (BAA) is available — and is engineered to SOC 2 Type II and ISO 27001 controls, with certification in progress. See our security overview for the full set of controls.
Personal-data breach process
We maintain procedures to detect, investigate and respond to personal data breaches. Where TelVox is the controller and a breach is likely to result in a risk to individuals’ rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, and will inform affected individuals where the breach is likely to result in a high risk to them. Where TelVox is a processor, we will notify the affected customer (as controller) without undue delay after becoming aware of a breach so they can meet their own obligations.
Our Data Protection Officer
You can reach our Data Protection Officer with any question, request or concern about how your personal data is handled:
- Data Protection Officer: [Data Protection Officer — name & email]
- Email: dpo@telvox.dev
- Controller: [TelVox legal entity name], [registered office address]
Supervisory authority & complaints
We hope to resolve any concern you raise directly. You also have the right to lodge a complaint with a data protection supervisory authority — in particular, the authority in the EU or UK country where you live, work, or where you believe an infringement has taken place. In the United Kingdom this is the Information Commissioner’s Office (ICO); in the EU, your lead supervisory authority is [jurisdiction]. Contacting our Data Protection Officer first will not affect your right to complain to a supervisory authority.