Privacy Policy

1. Information we collect

Information you provide

• Account details (name, business name, email, securely hashed password, and — if you enable it — multi-factor authentication secrets).
• Billing details handled entirely by our payment processor (Stripe). We never see or store your full card number.
• Business configuration (locations, phone numbers, hours, scripts, integrations).
• Consent records (timestamp of acceptance for these Terms, Privacy Policy, and marketing opt-in).

Information collected through the Service

• Call audio, transcripts, voicemail, SMS message content, caller phone numbers, timestamps, and AI responses.
• Appointments, leads, and follow-up activity created in your Control Center.
• Usage and device data: IP address, browser, pages viewed, server log files, rate-limit counters, and security audit logs (sign-ins, admin actions, billing events).

2. How we use information

• To provide, secure, and improve the Service.
• To process payments and manage subscriptions.
• To send service announcements, billing notices, and (with consent) marketing emails.
• To detect and prevent fraud, abuse, and security incidents.
• To comply with legal obligations and enforce our agreements.

3. Legal bases (EEA/UK users)

We process personal data under the legal bases of contract performance, legitimate interests (operating and securing the Service), legal obligation, and consent (where required, e.g. marketing emails).

4. How we share information — sub-processors

We do not sell personal information. We share data only with the sub-processors below, under contracts that require them to protect your data:

• Twilio, Inc. — telephony, SMS delivery, and call recording transport (USA).
• ElevenLabs, Inc. — AI voice synthesis and conversational AI (USA).
• Stripe, Inc. — payment processing, subscriptions, and tax (USA).
• Lovable Cloud (powered by Supabase, Inc.) — application hosting, database, authentication, and file storage (USA / EU).
• Cloudflare, Inc. — edge runtime, DDoS protection, and CDN (global).

We also share information with authorities when required by law, subpoena, or to protect rights, safety, or property, and with successors in a merger, acquisition, or sale of assets, subject to this Policy.

5. Call recording and AI processing

Calls handled by Relay may be recorded and transcribed for the purpose of providing the Service, generating records for your business, and improving model quality (only where you have not opted out in your settings). Recording laws vary by jurisdiction; you are responsible for ensuring callers receive any disclosures required by law. Relay's default greeting includes a notice that the call may be recorded.

6. Data retention

• Call recordings & transcripts: retained for the duration of your subscription. You may delete individual records at any time from the Control Center.
• Appointments, leads, customer records: retained until you delete them or your account is closed.
• Account & profile data: retained for the duration of your subscription, then deleted within 30 days of account termination (or immediately, if you use the in-app "Delete my account" tool).
• Security & audit logs: retained for up to 12 months for fraud detection and incident response.
• Billing records: retained for as long as required by tax and accounting laws (typically 7 years).

7. Security

We use industry-standard safeguards including encryption in transit (TLS 1.2+), encryption at rest, row-level database security, role-based access controls, leaked-password screening, optional multi-factor authentication, rate limiting on public endpoints, signed webhooks, and a tamper-evident security audit log. No system is perfectly secure; you use the Service at your own risk.

Breach notification. If we confirm a security incident that affects your personal information, we will notify you without undue delay and, where required, within the timeframes specified by applicable law (including GDPR Article 33 and US state breach-notification statutes).

8. Your rights

Depending on your jurisdiction, you may have rights to access, correct, delete, restrict, or port your personal information, and to object to certain processing. Customers can exercise the access and deletion rights immediately and self-serve from Dashboard → Settings → Privacy & Data ("Download my data" and "Delete account"). For any other request, email privacy@relaysystems.org. California residents have additional rights under the CCPA/CPRA; see Section 11.

9. International transfers

We may process data in the United States and other countries. Where required, we rely on Standard Contractual Clauses or other approved transfer mechanisms.

10. Children

The Service is not directed to children under 16, and we do not knowingly collect personal information from them.

11. California privacy notice

In the past 12 months we have collected the categories of personal information described in Section 1 for the purposes described in Section 2. We do not 'sell' or 'share' personal information for cross-context behavioral advertising. California residents may submit verifiable requests to know, delete, or correct personal information from Dashboard → Settings → Privacy & Data, or by emailing privacy@relaysystems.org.

12. Health information / HIPAA

Relay is not a HIPAA-covered entity or business associate, and the Service is not designed for the storage or transmission of Protected Health Information ("PHI") as defined under HIPAA. You must not submit PHI to the Service unless you have a separate written Business Associate Agreement with Relay. Use of the Service for PHI without such an agreement is a violation of our Terms.

13. Changes

We may update this Policy from time to time. Material changes will be posted here with an updated 'Last updated' date.

14. Contact

Relay Systems — privacy@relaysystems.org

Security reports: security@relaysystems.org (see also /.well-known/security.txt).