Privacy Policy
Effective Date: May 2025
I. Introduction
Purpose of the Privacy Policy
This Privacy Policy ("Policy") aims to inform users ("you," "your") about how CallNest Cloud ("CallNest Cloud," "we," "us," "our") collects, uses, shares, and protects Personal Data and Organizational Data when you access or use our Services. It also outlines your privacy rights and explains how you can exercise them. We are committed to transparency and protecting your privacy in compliance with applicable data protection laws.[1, 2] The first interaction a user has with our data handling practices is often through this document, and we intend for it to build trust by being clear and comprehensive.
About CallNest Cloud
CallNest Cloud is a multi-tenant Software-as-a-Service (SaaS) communication platform. We provide a suite of tools for voice communications, call routing, call recording, transcription, and related communication services. Our platform is built using Laravel and React technologies and integrates with Twilio Inc. ("Twilio") for core communication functionalities, including voice calls, call routing, and transcription services. This integration is fundamental to our Service delivery, and understanding Twilio's role, as further detailed in this Policy, is important.
Acceptance of the Policy
By accessing or using the CallNest Cloud Services, you signify that you have read, understood, and agree to the collection, use, disclosure, and procedures regarding your information as described in this Privacy Policy and our Terms of Service.[3, 4] This Policy is an integral part of our agreement with you.
Effective Date & Last Updated Date
The Effective Date of this Policy is stated at the top of this page. The "Last Updated" date indicates the date of the most recent revisions. We encourage you to review this Policy periodically.
II. Definitions
For the purposes of this Privacy Policy, the following terms shall have the meanings set forth below:
Personal Data: Any information relating to an identified or identifiable natural person ("Data Subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (such as an IP address or cookie identifier), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Examples include, but are not limited to, name, email address, phone number, call recordings, and transcriptions.[5, 6, 7]
Organizational Data: Information related to a company, business, or other organization ("Customer") that subscribes to and uses CallNest Cloud Services. This may include the Customer's company name, billing information, Workspace configurations, user lists within the Workspace, and aggregated usage statistics. While privacy laws primarily focus on Personal Data, we recognize the sensitivity of Organizational Data and are committed to its security and confidentiality.
User: Any individual who accesses or uses the CallNest Cloud Services. This includes administrators who manage a Customer's Workspace and individual team members or agents authorized by a Customer to use the Services within that Workspace.[7, 8] It is important to distinguish between the Customer (the organization) and the individual Users. The Customer organization is typically the Data Controller for the content and data generated by its Users within their Workspace.
Workspace: A distinct, segregated environment within the CallNest Cloud platform created and managed by a Customer organization. The Workspace allows the Customer to manage its Users, data, communication settings, and integrations.
Services: All products, services, features, applications (web and mobile, if applicable), and platforms offered by CallNest Cloud, including our website (callnestcloud.com) and any associated software or Application Programming Interfaces (APIs).
Processing: Any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Data Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. For Personal Data related to your User account with us (e.g., your registration information, billing details if you are a Customer), CallNest Cloud is the Data Controller. For Personal Data contained within the communications and content you or your Users generate and manage within your Workspace (e.g., call recordings, transcriptions), the Customer (your organization) is typically the Data Controller, and CallNest Cloud acts as a Data Processor on the Customer's behalf.[1, 5, 7]
Data Processor: A natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Data Controller. Twilio is a key Data Processor for CallNest Cloud, handling voice communications, call routing, and transcription services under our instruction and on behalf of our Customers.[5, 7, 8, 9] Other third-party service providers may also act as Data Processors as described in Section V.
Twilio: Twilio Inc., a third-party communications platform as a service (CPaaS) provider, which CallNest Cloud utilizes for essential voice communication, call routing, call recording storage, and transcription functionalities.
Cookies: Small text files that are stored on a User's computer or mobile device when they visit our website or use our Services. Cookies are used to remember User preferences and session information, and for analytical and marketing purposes.
GDPR: The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
CCPA: The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (CPRA).
III. Information We Collect
We collect various types of information in connection with the Services, including Personal Data and Organizational Data. The specific information we collect depends on how you interact with us and our Services.
A. Personal Data Collected:
User Account and Profile Information: When you create an account or a User profile is created for you within a Customer's Workspace, we collect information such as your full name, email address, phone number, chosen password, job title, and the name of your company or organization. We may also collect a physical address if provided for billing or account verification purposes.[1, 5, 8, 10]
Communication Data (Metadata): We collect metadata related to your communications through our Services. This includes call logs (detailing caller and callee phone numbers, date, time, and duration of calls, call status such as answered, missed, or voicemail), and information about how calls are routed through our system. If SMS/MMS functionality is offered and used, similar metadata for messages (sender/receiver numbers, timestamps, delivery status) will be collected.[7, 8, 9] While often viewed as less sensitive than call content, we recognize that communication metadata can itself be revealing and treat it with appropriate confidentiality and security.
Call Content Data:
Voice Recordings: If the call recording feature is enabled by a User with appropriate permissions or by a Workspace administrator, we will facilitate the recording of voice calls. These recordings are stored securely.
Transcriptions: For recorded calls where transcription is enabled, we utilize Twilio's services to generate text transcriptions of the audio content.
Both voice recordings and their transcriptions constitute highly sensitive Personal Data. Their collection is contingent upon the features enabled by our Customers and their Users, who are responsible for ensuring they have a lawful basis, including any necessary consents, to record and transcribe communications.[7, 9, 11] The platform provides the tools, but the responsibility for the content of recorded conversations and its lawful processing (including obtaining consent for recording sensitive topics) rests primarily with the Customer organization.
Workspace and Team Member Information: When a Customer sets up a Workspace, we collect information related to its configuration, such as custom settings and preferences. If an administrator invites other individuals to join the Workspace as Users, we will collect information about those invited Users, typically their email address and name, to facilitate their access and participation.
Billing and Payment Information: For Customers subscribing to paid Services, we collect billing and payment information, which may include credit card details, bank account information, and billing addresses. This information is typically processed by a secure third-party payment processor, as detailed in Section V.[1, 7]
Technical Information (Automatically Collected): When you access our website or use our Services, we automatically collect certain technical information. This includes your IP address, browser type and version, operating system, device type (e.g., desktop, mobile), unique device identifiers, and general location data derived from your IP address. We also collect usage data, such as the features you use, the pages you visit on our platform, the time spent on those pages, clickstream data (the sequence of your interactions), and error logs if issues occur.[1, 5, 9, 10, 12]
Cookie and Tracking Data: We collect information through the use of cookies, web beacons, pixels, and similar tracking technologies when you interact with our website or Services. This data helps us understand user preferences, improve site navigation, and analyze usage patterns, and serves the other purposes detailed in Section VI (Cookies and Tracking Technologies).[1, 2, 5, 10]
Support and Feedback Information: If you contact our customer support team or provide feedback, we collect the information you provide in your communications, such as the content of your emails, chat logs, the nature of your query, and any survey responses or testimonials you choose to submit.[8, 9, 10]
B. Organizational Data Collected:
Workspace Configuration Data: This includes settings and configurations applied by Customer administrators to their organization's Workspace, such as call routing rules, user roles and permissions, integration settings, and other preferences that define how the Services operate for that specific Customer. This data is critical for the tailored provision of our Services and is considered confidential information of the Customer.
Aggregated Usage Data: We may compile anonymized and aggregated statistics about how a Customer organization and its Users collectively utilize the Services. This can include metrics like total call volume, feature adoption rates, and overall activity levels. This data is processed in a way that does not personally identify individual Users or disclose specific Customer content and is used for our internal analytics and service improvement.
C. Information We Do Not Intentionally Collect (Special Categories):
CallNest Cloud does not intentionally collect, nor are the Services designed to solicit or process, "special categories of personal data" as defined under Article 9 of the GDPR (e.g., data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation), or similarly sensitive information as defined by other applicable laws like the CCPA (e.g., social security number, financial account or debit/credit card number in combination with any required security or access code, precise geolocation, genetic data). However, Users and Customers control the content of their communications. If Users choose to discuss or include such sensitive information in calls that are subsequently recorded and transcribed using our Services, this data may be incidentally processed by CallNest Cloud as part of the call content. Customers and Users are solely responsible for ensuring compliance with all applicable laws, including obtaining any necessary consents, before recording or transcribing conversations that may contain special categories of Personal Data or other sensitive information.[8, 11] CallNest Cloud acts as a processor for such content based on the Customer's instructions. We may explore features like PII redaction in the future to assist Customers in managing such data.[6]
D. Data Processing Summary Table
To enhance transparency, particularly in line with GDPR requirements (Art. 13 & 14), the following table summarizes the main categories of Personal Data we process, examples of data points within those categories, the primary purposes for which we process them, and the legal bases under GDPR for such processing. This table serves as a quick reference and complements the detailed descriptions throughout this Policy.
Category of Data: User Account and Profile Information
Specific Examples of Data Points: Name, email, phone number, password, job title, company name
Primary Purpose(s) of Collection & Use: Account creation, authentication, service provision, communication with user
Legal Basis for Processing (GDPR): Performance of Contract; Legitimate Interest (for business contact information within a corporate account)
Category of Data: Communication Data (Metadata)
Specific Examples of Data Points: Call logs (numbers, date, time, duration, status), routing information
Primary Purpose(s) of Collection & Use: Service provision (call routing, logging), billing, analytics, troubleshooting
Legal Basis for Processing (GDPR): Performance of Contract; Legitimate Interest (for service improvement and security)
Category of Data: Call Content Data
Specific Examples of Data Points: Voice recordings, call transcriptions
Primary Purpose(s) of Collection & Use: Service provision (if feature enabled by Customer/User), enabling Customer review and analysis
Legal Basis for Processing (GDPR): Performance of Contract (provision of the recording/transcription feature as requested by Customer); Customer's legal basis (e.g., consent obtained by Customer from call participants) – CallNest Cloud acts as Processor.
Category of Data: Workspace and Team Member Information
Specific Examples of Data Points: Invited user emails, Workspace settings
Primary Purpose(s) of Collection & Use: Service provision, enabling collaboration within a Customer's team
Legal Basis for Processing (GDPR): Performance of Contract; Legitimate Interest (for managing multi-user accounts)
Category of Data: Billing and Payment Information
Specific Examples of Data Points: Credit card details, billing address
Primary Purpose(s) of Collection & Use: Processing payments for subscribed Services
Legal Basis for Processing (GDPR): Performance of Contract; Legal Obligation (for financial record-keeping)
Category of Data: Technical Information
Specific Examples of Data Points: IP address, browser type, OS, device ID, usage data, error logs
Primary Purpose(s) of Collection & Use: Service operation and maintenance, security, analytics, service improvement, troubleshooting
Legal Basis for Processing (GDPR): Legitimate Interest (to ensure service functionality, security, and improvement); Performance of Contract (for data essential to service delivery)
Category of Data: Cookie and Tracking Data
Specific Examples of Data Points: Cookie IDs, browsing history on our site, ad interaction data
Primary Purpose(s) of Collection & Use: Website functionality, user experience personalization, analytics, marketing (with consent)
Legal Basis for Processing (GDPR): Consent (for non-essential cookies); Legitimate Interest (for strictly necessary cookies ensuring site operation and security)
Category of Data: Support and Feedback Information
Specific Examples of Data Points: Email content, chat logs, query details, survey responses
Primary Purpose(s) of Collection & Use: Providing customer support, resolving issues, service improvement
Legal Basis for Processing (GDPR): Performance of Contract (if support is part of the service agreement); Legitimate Interest (to improve services and address user concerns)
IV. How We Use Your Information
We use the information we collect for various purposes related to providing and improving our Services, maintaining security, and complying with legal obligations. Our use of your information is guided by the legal bases outlined in the table above and detailed further below.
To Provide, Operate, and Maintain the Services:
A primary use of your information is to deliver the core functionalities of CallNest Cloud. This includes enabling you to create and manage your User account and Customer Workspaces, facilitating call routing, processing voice communications, and providing features like call recording and transcription.[8, 9, 10] For these core communication services, we rely significantly on Twilio as a sub-processor. We also use your information to send important notifications and communications regarding the operation of the Services, such as scheduled maintenance, service updates, or security alerts. This usage is typically based on the performance of our contract with you or our legitimate interest in operating the service effectively.
For Customer Support:
When you contact us for assistance, we use your information (such as your account details, technical information, and the content of your query) to respond to your inquiries, troubleshoot technical issues, and provide overall customer support.[8, 9, 10] This is essential for ensuring a positive user experience and is based on our contractual obligations or legitimate interests.
For Analytics and Service Improvement:
We analyze usage patterns and technical data to understand how Users interact with our Services. This helps us identify popular features and areas for improvement, develop new functionalities, and generally enhance the user experience.[6, 8, 9, 10] For these purposes, we often use aggregated and anonymized data to protect individual privacy. This processing is based on our legitimate interest as a SaaS provider to continuously improve our offerings and ensure they meet the evolving needs of our Users.
For Security, Fraud Prevention, and Legal Compliance:
Maintaining the security and integrity of our platform is paramount. We use collected information to monitor for and prevent fraudulent, abusive, or illegal activities, and to protect the rights, property, and safety of CallNest Cloud, our Users, and the public.[8, 9, 10] This includes enforcing our Terms of Service and other policies. Such monitoring can be both reactive (investigating reported incidents) and proactive (using automated tools to detect suspicious patterns). Furthermore, we may need to use and disclose your information to comply with applicable laws, regulations, legal processes (such as subpoenas or court orders), or valid governmental requests. These uses are based on our legitimate interests in protecting our Services and Users, and our legal obligations.
For Marketing and Promotional Communications (with consent where required):
Subject to your preferences and applicable law (such as obtaining explicit opt-in consent where required, particularly for individuals who are not yet existing customers, or providing clear opt-out mechanisms for existing customers regarding similar products or services), we may send you information about new CallNest Cloud products, features, special offers, or events.[1, 6, 8, 10] You can manage your marketing preferences as described in Section IX (Your Data Protection Rights). This processing is typically based on your consent or our legitimate interest (for existing customers, balanced against your rights).
To Personalize User Experience:
We may use information about your preferences or past usage to tailor certain content or features within the Services to enhance your experience.[6] Any such personalization will be done transparently, and where appropriate, we will provide you with controls over these features. This is generally based on legitimate interest or, for more significant personalization, your consent.
It's important to note that while Twilio processes data to provide services to CallNest Cloud (and by extension, to our Users), Twilio may also use anonymized or aggregated data derived from its overall service provision to improve its own platform.[9] CallNest Cloud's contractual agreements with Twilio ensure that your specific, identifiable data is not used by Twilio for purposes beyond providing the contracted services to CallNest Cloud without appropriate legal basis.
V. How We Share Your Information
CallNest Cloud does not sell your Personal Data. We share your information only in the circumstances described below, and always with a commitment to protecting your privacy.
A. With Third-Party Service Providers (Sub-processors):
We engage trusted third-party companies and individuals to perform certain services on our behalf that are necessary to provide and operate the CallNest Cloud Services. These providers are our sub-processors and are contractually obligated to protect your data and use it only for the specific services they provide to us. We maintain a "chain of trust" by carefully vetting these providers and ensuring they have adequate data protection measures in place, typically through Data Processing Agreements (DPAs).
Twilio: As previously mentioned, Twilio is a critical sub-processor. We share information with Twilio to enable core communication functionalities, including initiating and receiving voice calls, routing calls, storing call recordings (if enabled by you), and generating call transcriptions. The data shared with Twilio includes necessary account information to provision these services for your CallNest Cloud account, communication metadata, and, when applicable, call content (audio recordings and transcriptions).[9] Twilio is responsible for the security and privacy of the data it processes on our behalf, as governed by our DPA with them.
Other Service Providers: We may also share information with other categories of service providers, including:
Payment Processors: (e.g., Stripe, PayPal) To securely process your payments for subscribed Services. We do not store your full credit card information on our servers.
Cloud Hosting Providers: (e.g., Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure) For hosting our application, databases, and storing your data, including backups.
Analytics Providers: (e.g., Google Analytics) To help us understand website and platform usage, typically using anonymized or aggregated data.
Customer Support Platforms: (e.g., Zendesk, Intercom) To manage and respond to your support inquiries.
Email Service Providers: (e.g., SendGrid, Mailchimp) To send transactional emails (like account notifications) and marketing communications (subject to your preferences). [1, 2, 8, 10]
B. For Legal Reasons and Protection:
We may disclose your information if we believe in good faith that such disclosure is necessary to:
Comply with applicable law, regulation, subpoena, court order, or other legal process or governmental request.
Protect the rights, property, or safety of CallNest Cloud, our Users, our personnel, or the public, as required or permitted by law.
Prevent, detect, or investigate illegal activity, fraud, security breaches, or technical issues.
Enforce our Terms of Service or other agreements.
When responding to legal requests for data, we will carefully review their validity and scope before disclosing any information, aiming to protect user privacy to the extent legally permissible.[1, 9, 10]
C. Business Transfers:
In the event of a merger, acquisition, bankruptcy, dissolution, reorganization, sale of some or all of CallNest Cloud's assets or stock, financing, public offering of securities, or similar transaction or proceeding, your information may be shared or transferred as part of that transaction. We will ensure that any such transfer is subject to appropriate confidentiality agreements, and we will notify you as required by applicable law if your Personal Data becomes subject to a different privacy policy.[1, 2]
D. With Your Consent (e.g., Third-Party Integrations):
We may share your information with other third parties when we have your explicit consent to do so. This is particularly relevant if you choose to enable integrations between CallNest Cloud and other third-party applications or services that are not our core sub-processors (e.g., integrating your CRM with CallNest Cloud). In such cases, you are directing CallNest Cloud to share specific data with that third party. The use of your data by such third-party services will be governed by their own terms and privacy policies, and you enable these integrations at your own discretion and risk.[1, 3, 13, 14]
E. Sharing within a Workspace (Organizational Sharing):
The CallNest Cloud Services are designed for collaborative use within a Customer's organization. Information such as call logs, shared contacts, and, if enabled, call recordings and transcriptions, may be accessible to other Users within the same Customer Workspace. The extent of this sharing is determined by the roles, permissions, and configurations set by the Customer's Workspace administrator(s). CallNest Cloud facilitates this internal sharing based on the Customer's instructions and configurations.
VI. Cookies and Tracking Technologies
We use cookies and similar tracking technologies (such as web beacons, pixels, and scripts) to collect information about your interactions with our website and Services. This section explains what these technologies are, how we use them, and your choices regarding them.
What are Cookies:
Cookies are small text files placed on your device (computer, tablet, or mobile phone) when you visit a website. They are widely used to make websites work, or work more efficiently, as well as to provide information to the owners of the site. Web beacons (or "pixels") are tiny graphics files that contain a unique identifier that enables us to recognize when someone has visited our website or opened an email that we have sent them.
How We Use Cookies:
We use cookies for several purposes:
Strictly Necessary/Essential Cookies: These cookies are essential for the basic functionality of our website and Services. They enable core features such as user authentication (keeping you logged in), session management, security (e.g., preventing cross-site request forgery), and ensuring the stability and performance of the platform. These cookies are typically set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in, or filling in forms. You cannot opt out of these cookies as the Services cannot function properly without them.[10, 12]
Performance/Analytical Cookies: These cookies collect anonymous information about how you and other Users interact with our website and Services. They help us understand which pages are most and least popular, see how visitors move around the site, identify trends, count visits, and determine traffic sources. This data is aggregated and helps us improve the performance and design of our Services. Examples include cookies from services like Google Analytics.[2, 10, 12]
Functionality/Preference Cookies: These cookies allow our website and Services to remember choices you make and provide enhanced, more personal features. For example, they may remember your username, language preference, or region. The information these cookies collect may be anonymized, and they cannot track your browsing activity on other websites.[2, 10, 12]
Targeting/Advertising Cookies: (If used) These cookies may be set through our site by us or our advertising partners. They may be used to build a profile of your interests and show you relevant advertisements for CallNest Cloud services on other sites (remarketing). They do not directly store personal information but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.[2, 10]
Third-Party Cookies:
Some cookies may be placed by third-party service providers, such as analytics services (e.g., Google Analytics) or advertising networks, when you visit our website or use our Services. These third parties collect and use this information under their own privacy policies.[2]
Your Choices / Managing Cookies:
We provide you with control over non-essential cookies. When you first visit our website, you will be presented with a cookie consent banner or tool that allows you to accept or decline different categories of cookies.[5, 6, 7] You can typically change your cookie preferences at any time through this tool or via a link in the footer of our website. Most web browsers also allow you to control cookies through their settings. You can usually find these settings in the "options" or "preferences" menu of your browser. Please note that if you choose to disable or block certain cookies, particularly strictly necessary cookies, some parts of our website or Services may not function correctly or be accessible.[12] For more detailed information about the specific cookies we use, their purposes, and duration, please refer to our dedicated Cookie Policy [Link to Cookie Policy, if separate]. The use of a clear and user-friendly cookie consent mechanism is important to us, as we understand users are often presented with many such requests and we aim to make this process straightforward while respecting your choices.
VII. Data Retention and Deletion
CallNest Cloud retains Personal Data only for as long as necessary to fulfill the purposes for which it was collected, including to provide our Services, comply with our legal and regulatory obligations, resolve disputes, and enforce our agreements.[1] Our retention periods vary depending on the type of data and the context in which it is processed.
General Principles:
Our data retention policies are designed to ensure that Personal Data is not kept longer than needed. When determining the appropriate retention period, we consider the amount, nature, and sensitivity of the Personal Data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process it, whether we can achieve those purposes through other means, and applicable legal requirements.
Specific Retention Periods (Illustrative Examples – CallNest Cloud to define precise periods):
User Account Data: Personal Data associated with your User account (e.g., name, email, profile information) is retained for as long as your account remains active. If an account is closed or terminated, this data will be deleted or anonymized within a defined period (e.g., 90 days), unless retention is required for legal or legitimate business purposes (e.g., financial records, unresolved disputes).[8]
Call Logs and Metadata: Communication metadata, such as call logs, may be retained for a period necessary for billing, operational analytics, troubleshooting, and compliance with telecommunications regulations (e.g., 12-24 months). After this period, it may be anonymized or deleted.
Call Recordings and Transcriptions: The retention of call recordings and transcriptions is primarily controlled by the Customer (Workspace administrator). Customers may have options within their Workspace settings to configure automatic deletion of recordings/transcriptions after a specified period (e.g., 30, 60, 90 days). If a Customer's account is terminated, all associated call recordings and transcriptions will be scheduled for deletion from our active systems within a defined timeframe (e.g., 30-60 days), unless subject to a legal hold or other overriding retention requirement.[15] The ability for customers to define retention periods for their own data is an important feature that supports their own compliance efforts.
Billing and Payment Information: Financial records related to Customer subscriptions and payments are retained for the period required by applicable tax and accounting laws (e.g., 7-10 years).
Backup Data: Personal Data contained in our system backups will be retained according to our backup schedule and lifecycle. Backups are securely stored and isolated. If data is deleted from our live systems, it will remain in backups until the backup media expires and is overwritten or securely destroyed. We will not restore data from backups for purposes other than disaster recovery.[1]
Deletion Procedures:
User/Administrator Requests: You may have the right to request the deletion of your Personal Data, as outlined in Section IX (Your Data Protection Rights). Workspace administrators may also have tools to delete data within their Workspace.
Account Termination: Upon termination or closure of a Customer's account, we will initiate procedures to delete or de-identify the Personal Data associated with that account and its Users, subject to our retention policies and any overriding legal obligations.[8, 15] Data may first be disabled or made inaccessible, followed by permanent deletion from active systems.
It is important to understand that all deletion procedures are subject to any overriding legal or regulatory requirements that may compel us to retain certain data for longer periods, such as for litigation, investigations, or compliance with specific laws.[1, 9]
VIII. Security Measures
CallNest Cloud is committed to protecting the security and confidentiality of your Personal Data and Organizational Data. We implement and maintain reasonable and appropriate administrative, physical, and technical safeguards designed to protect against unauthorized access, use, disclosure, alteration, or destruction of the information we process.
Implemented Safeguards:
Our security measures include, but are not limited to:
Encryption: We use encryption to protect data in transit (e.g., using SSL/TLS for all communications with our platform) and at rest (e.g., employing AES-256 or similar strong encryption standards for databases, call recordings, and transcriptions stored on our servers or with our cloud providers).[5, 6, 7, 9, 14]
Access Controls: Access to Personal Data is restricted based on the principle of least privilege. We utilize role-based access controls, require unique user credentials (usernames and passwords) for access to our Services, and strongly encourage or may require the use of multi-factor authentication (MFA) for User accounts to add an extra layer of security.[5, 6, 8, 15]
Network Security: Our network infrastructure is protected by firewalls, intrusion detection and prevention systems, and other security technologies. Sensitive systems, such as databases and application servers, are isolated within private networks to limit exposure.[5, 6]
Secure Software Development: We follow secure software development lifecycle (SSDLC) practices to identify and mitigate security vulnerabilities in our code.
Regular Security Assessments: We conduct regular security assessments, which may include vulnerability scanning and penetration testing (potentially performed by independent third parties), to proactively identify and address potential weaknesses in our systems.[8, 14, 15] The security landscape is constantly evolving, and we are committed to adapting our measures accordingly.
Employee Training and Awareness: Our employees and contractors with access to Personal Data receive training on data security, privacy principles, and their responsibilities in protecting user information.[14]
Physical Security: For data centers where our Services are hosted (typically managed by our cloud infrastructure providers like AWS, GCP, or Azure), we rely on their robust physical security measures, which include controlled access, surveillance, and environmental controls.[14] We select providers who demonstrate a strong commitment to security and hold relevant certifications.
Vendor Management: We conduct due diligence on our third-party vendors and sub-processors (like Twilio) to ensure they meet our security and privacy standards, and we enter into contractual agreements that include data protection obligations.
User Responsibilities:
While we take significant steps to protect your data, security is a shared responsibility. You play a crucial role in safeguarding your information by:
Creating strong, unique passwords for your CallNest Cloud account and not reusing them for other services.
Keeping your login credentials confidential and not sharing them with others.
Enabling multi-factor authentication (MFA) if available.
Ensuring the security of your own devices and networks used to access our Services.
Promptly notifying us if you suspect any unauthorized access to your account.[10]
Disclaimer:
Despite our efforts, no method of transmission over the Internet or method of electronic storage is 100% secure. Therefore, while we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security. Aspiring to and potentially achieving recognized security certifications such as SOC 2 or ISO 27001 in the future is a goal for CallNest Cloud, as these provide independent validation of security practices and can significantly enhance trust, particularly for our business customers.[8, 9]
IX. Your Data Protection Rights
CallNest Cloud is committed to respecting your data protection rights. Depending on your location and applicable data protection laws, you may have certain rights regarding the Personal Data we hold about you.
Rights under GDPR (for individuals in the European Economic Area (EEA), UK, and Switzerland):
If you are located in the EEA, UK, or Switzerland, you have the following rights under the GDPR:
Right of Access: You have the right to request access to the Personal Data we hold about you and to receive a copy of it.
Right to Rectification: You have the right to request correction of any inaccurate or incomplete Personal Data we hold about you.
Right to Erasure ("Right to be Forgotten"): You have the right to request the deletion of your Personal Data under certain conditions (e.g., if the data is no longer necessary for the purposes for which it was collected, or if you withdraw consent and there is no other legal ground for processing).
Right to Restrict Processing: You have the right to request the restriction of processing of your Personal Data under certain circumstances (e.g., if you contest the accuracy of the data, or if the processing is unlawful).
Right to Data Portability: You have the right to receive the Personal Data you have provided to us in a structured,... and you have the right to transmit that data to another controller without hindrance from us, where technically feasible.
Right to Object: You have the right to object to the processing of your Personal Data when it is based on our legitimate interests or for direct marketing purposes. If you object to processing for direct marketing, we will no longer process your Personal Data for such purposes.
Right Not to Be Subject to Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except under certain conditions.
Right to Withdraw Consent: If we are processing your Personal Data based on your consent, you have the right to withdraw your consent at any time. Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority (data protection authority) in your country of residence, place of work, or place of the alleged infringement if you believe that our processing of your Personal Data infringes the GDPR.[1, 5, 7, 8, 10]
Rights under CCPA (for California residents):
If you are a California resident, you have the following rights under the CCPA:
Right to Know: You have the right to request information about the categories and specific pieces of personal information we have collected about you, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, the categories of third parties to whom we disclose personal information, and the categories of personal information that we sold or shared and the categories of third parties to whom it was sold or shared.
Right to Delete: You have the right to request the deletion of your personal information that we have collected from you, subject to certain exceptions.
Right to Opt-Out of Sale or Sharing: CallNest Cloud does not "sell" your Personal Data as that term is traditionally understood or as defined by the CCPA. We also do not "share" your Personal Data for cross-context behavioral advertising. If our practices were to change, we would update this Policy and provide you with the necessary opt-out mechanisms.
Right to Non-Discrimination: You have the right not to receive discriminatory treatment by us for the exercise of your CCPA privacy rights.
Right to Correct: You have the right to request that we correct inaccurate personal information that we maintain about you.
Right to Limit Use and Disclosure of Sensitive Personal Information: If we collect sensitive personal information (as defined by CCPA), you may have the right to limit its use and disclosure to that which is necessary to perform the services or provide the goods reasonably expected by an average consumer. As stated in Section III.C, we do not intentionally collect sensitive personal information unless it is incidentally part of user-generated call content, for which the Customer is primarily responsible. [6, 9, 10]
How to Exercise Your Rights:
To exercise any of your data protection rights, please contact us using the contact information provided in Section XVII (Contact Information). You can typically send an email to info@callnest.cloud. We will respond to your request in accordance with applicable data protection laws. We may need to verify your identity before processing your request to protect your Personal Data from unauthorized access or alteration.[12] We will generally respond to verifiable consumer requests within one month (under GDPR) or 45 days (under CCPA) of receipt, though this period may be extended where necessary, taking into account the complexity and number of requests. Please note that for Personal Data processed by CallNest Cloud on behalf of a Customer within their Workspace (i.e., where CallNest Cloud is a Data Processor and the Customer is the Data Controller, such as for call recordings initiated by a Customer's employee), you should typically direct your request to the respective Customer (your employer or the organization whose Workspace you are using). We will assist our Customers in responding to such Data Subject Requests (DSRs) as required by our agreements with them and applicable law.[8] This operational approach is crucial for SaaS platforms to correctly manage DSRs in a multi-tenant environment where data ownership and control vary.
X. International Data Transfers
CallNest Cloud may process and store Personal Data in various locations around the world where we or our third-party service providers (sub-processors) operate facilities. This may involve transferring your Personal Data to, and processing it in, countries other than your own, including countries outside the European Economic Area (EEA), the United Kingdom (UK), or Switzerland.
Where Data is Processed:
Our primary servers and processing facilities are located in. However, to provide our Services and for operational purposes, your Personal Data may be accessed or processed by our personnel or service providers in other locations.
Transfers Outside EEA/UK/Switzerland:
If we transfer Personal Data collected from individuals in the EEA, UK, or Switzerland to countries that have not been deemed by the European Commission (or the UK or Swiss authorities, as applicable) to provide an adequate level of data protection, we will ensure that appropriate safeguards are in place to protect your Personal Data. These safeguards may include:
Standard Contractual Clauses (SCCs): Implementing SCCs as approved by the European Commission (or equivalent clauses for UK/Swiss transfers) between CallNest Cloud and the data recipient.
Binding Corporate Rules (BCRs): For transfers to our sub-processors like Twilio, we may rely on their approved BCRs, which provide a framework for lawful international data transfers within their corporate group.[9]
EU-U.S. Data Privacy Framework (DPF) and UK/Swiss Extensions: Where applicable, for transfers to U.S.-based sub-processors who are certified under the DPF (and its UK and Swiss extensions), we may rely on this framework.[7, 8, 9]
Other Valid Transfer Mechanisms: Utilizing other data transfer mechanisms recognized by applicable data protection laws.
We ensure that our Data Processing Agreements (DPAs) with sub-processors like Twilio adequately address international data transfer requirements, reflecting the dynamic nature of these regulations post-Schrems II. You can request more information about the specific safeguards we apply to international transfers by contacting us.
XI. Children's Privacy
The CallNest Cloud Services are not intended for or directed at individuals under the age of 16 (or a higher age if stipulated by local law for certain processing activities, such as 18 in some contexts). We do not knowingly collect Personal Data from children under this age without verifiable parental consent.[8, 12] If we become aware that we have inadvertently collected Personal Data from a child under the applicable age limit without such consent, we will take commercially reasonable steps to delete that information as soon as possible. If you are a parent or guardian and believe that your child has provided us with Personal Data without your consent, please contact us using the information in Section XVII, and we will take steps to remove that information from our systems. It is important to note that if an adult User of CallNest Cloud utilizes the Services to communicate with a child (e.g., records a call with a minor), the responsibility for complying with all applicable laws concerning children's data in that specific context (including obtaining any necessary parental consents for recording or other processing) rests with that adult User or the Customer organization they represent.
XII. SaaS-Specific Legal Protections for CallNest Cloud
This section outlines certain legal protections for CallNest Cloud, which are typically detailed further in our Terms of Service. This Privacy Policy and our Terms of Service work in conjunction to govern your use of our Services.
A. Limitation of Liability (as it pertains to Privacy/Data):
Our Terms of Service contain detailed provisions regarding limitations on our liability. To the fullest extent permitted by applicable law, CallNest Cloud's liability for any claims, losses, damages, or expenses arising out of or in connection with this Privacy Policy, or the collection, use, or disclosure of your Personal Data, including in the event of a data breach, will be limited as set forth in our Terms of Service.[3, 14, 16] This typically includes limitations on the types of damages recoverable and a cap on the total monetary liability.
B. Disclaimer of Warranties (as relevant to data and privacy):
Our Terms of Service include disclaimers of warranties. While CallNest Cloud implements the security measures described in this Policy, we cannot and do not guarantee that your Personal Data will always be secure or that unauthorized access, disclosure, alteration, or destruction will never occur. Except as expressly stated in this Policy or our Terms of Service, and to the extent permitted by applicable law, the Services are provided "as is" and "as available" with respect to data security and privacy, without any warranties of absolute security or invulnerability.[16, 17]
C. Third-Party Services Disclaimer (especially Twilio and User-Enabled Integrations):
CallNest Cloud relies on third-party service providers, most notably Twilio, for core functionalities of our Services. While we contractually require these providers to protect your data, CallNest Cloud is not responsible for the data processing practices of these third parties beyond our direct contractual obligations with them and the instructions we provide as a controller or processor.[18] Furthermore, if you choose to integrate CallNest Cloud with other third-party applications or services that are not our core sub-processors (e.g., connecting your CRM), you do so at your own risk. Your use of such third-party integrations, and any data shared with them, will be governed by the terms and privacy policies of those third-party providers. CallNest Cloud is not responsible for, and disclaims all liability for, the actions, security practices, or data handling of such user-enabled third-party integrations.[3, 14, 16] Specifically concerning AI-driven features like call transcription (provided via Twilio), while we and Twilio strive for accuracy, these services are based on complex algorithms and may not always be perfectly accurate or complete. CallNest Cloud cannot guarantee the absolute accuracy, completeness, or timeliness of AI-generated outputs such as transcriptions. Customers and Users are responsible for reviewing and verifying the accuracy of such outputs before relying on them.[11, 19]
D. Indemnification (User to CallNest Cloud):
Our Terms of Service include provisions under which you agree to indemnify, defend, and hold harmless CallNest Cloud from and against certain claims and liabilities. This includes, but is not limited to, claims arising from your (or your Users') misuse of the Services in violation of applicable privacy laws, this Privacy Policy, or our Terms of Service. For example, if you record calls without obtaining necessary consents required by law, or unlawfully share data obtained through the CallNest Cloud platform, you would be responsible for any resulting claims against CallNest Cloud.[3, 14, 16, 20] This allocation of responsibility is standard for SaaS agreements and is essential for protecting CallNest Cloud from liabilities caused by non-compliant actions of its users.
XIII. Data Breach Response
CallNest Cloud is committed to managing and responding to incidents involving the security of Personal Data in a timely and effective manner.
Commitment:
We have implemented procedures to detect, investigate, and respond to suspected or actual Personal Data breaches.
Notification to Users:
In the event of a Personal Data breach that is likely to result in a high risk to the rights and freedoms of individuals (as defined by GDPR) or as otherwise required by applicable law (e.g., CCPA), CallNest Cloud will notify affected Users (or the affected Customer organization, as appropriate) without undue delay after becoming aware of the breach.[3, 14] The "high risk" threshold under GDPR means that not every incident will necessarily result in direct notification to all individuals, but rather those where significant impact is anticipated.
Notification to Authorities:
We will notify the relevant supervisory data protection authorities of a Personal Data breach as required by applicable law, for instance, under GDPR, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
Investigation and Remediation:
Upon discovery of a potential data breach, we will take immediate steps to:
Contain the breach and secure our systems.
Investigate the nature and scope of the breach, including the type of data involved and the individuals affected.
Take appropriate measures to mitigate any potential harm and prevent future similar incidents. [20, 21]
Cooperation:
We will cooperate with affected Users, Customers, and relevant authorities as necessary to address the breach and comply with our legal obligations. In a multi-tenant environment, if a breach affects data primarily within a specific Customer's Workspace, our primary notification will be to that Customer organization. The Customer organization may then have its own obligations to notify its individual Users or employees, and we will provide reasonable assistance to them in fulfilling these obligations.
XIV. Compliance with Specific Regulations
GDPR (General Data Protection Regulation):
CallNest Cloud is committed to complying with the GDPR for all Personal Data collected from individuals located in the European Economic Area (EEA), the United Kingdom (UK), and Switzerland. We have implemented measures and policies, as described herein, to uphold the principles of data protection by design and by default, ensure lawful processing, and respect the rights of Data Subjects under the GDPR.[5, 9, 10]
CCPA (California Consumer Privacy Act):
CallNest Cloud is committed to complying with the CCPA, as amended by the California Privacy Rights Act (CPRA), for Personal Data collected from residents of California. We provide California residents with the rights described in Section IX of this Policy and adhere to the transparency and accountability requirements of the CCPA.[6, 10]
Other Laws:
CallNest Cloud intends to comply with all other applicable data protection and privacy laws in the jurisdictions where we offer our Services. Users of CallNest Cloud are also responsible for ensuring their use of the Services, including features like call recording, complies with all applicable local, state, national, and international laws and regulations.[3, 11, 22] This shared responsibility is critical, especially concerning specific requirements like call recording consent laws, which vary significantly by jurisdiction (e.g., one-party vs. two-party consent).
XV. Changes to This Privacy Policy
CallNest Cloud reserves the right to update or modify this Privacy Policy at any time to reflect changes in our practices, Service offerings, or applicable laws.
Notification of Changes:
If we make material changes to this Privacy Policy, we will provide notice through our website, by sending an email to the address associated with your account, or through an in-app notification before the changes take effect.[1, 3, 4, 7, 10, 14, 16] We will also update the "Last Updated" date at the top of this Policy. A "material change" is one that substantively alters how we collect, use, or share your Personal Data, or significantly affects your rights.
Review Encouraged:
We encourage you to review this Privacy Policy periodically to stay informed about our information practices.
Acceptance of Changes:
Your continued use of the CallNest Cloud Services after any changes or revisions to this Privacy Policy have been posted will indicate your agreement with the terms of such revised Policy. If you do not agree with the changes, you should discontinue your use of the Services.
XVI. Governing Law and Jurisdiction
Governing Law:
This Privacy Policy and any disputes arising out of or related to it or your use of the CallNest Cloud Services shall be governed by and construed in accordance with the laws of the State of, United States of America, without regard to its conflict of law principles. This choice of governing law should be consistent across all our legal agreements and reflect our primary place of business or incorporation.[3, 14, 16, 17]
Jurisdiction:
You agree that any legal action or proceeding arising out of or related to this Privacy Policy shall be brought exclusively in the state or federal courts located in, and you hereby consent to the exclusive jurisdiction and venue of such courts.
XVII. Contact Information
If you have any questions, concerns, or complaints about this Privacy Policy, our data handling practices, or if you wish to exercise your data protection rights, please contact us:
By Email:
info@callnest.cloud
(Please include "Privacy Inquiry" in the subject line for faster routing)
Attn: Privacy Officer / Legal Department
If CallNest Cloud appoints a Data Protection Officer (DPO), their contact details will also be provided here. We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy. We aim to respond to privacy-related inquiries and requests in a timely manner, in accordance with applicable legal requirements.[1, 5, 6, 7, 10, 12, 23]
Last Updated: May 2025