Privacy
Policy

Dialvora Inc. is a Delaware-incorporated company providing an AI-native contact center and dialer platform. For European customers, we are the "controller" of our own marketing data and the "processor" of customer call data you upload or generate using the Service. See our Data Processing Agreement for the processor-side terms.

Our registered office is in Wilmington, Delaware, USA. EU representative information is available on request at privacy@dialvora.ai.

We collect data in three buckets — what you give us, what your customers give us through the Service, and what we collect automatically.

From you (the customer / admin)

• Name, email, phone, company, and billing address when you sign up
• Payment information (handled by our payment processor — we never store full card numbers)
• Configuration choices: campaigns, scripts, dispositions, voice clones, API keys
• Support tickets, emails, and demo-call recordings

From your call recipients (data subjects)

• Phone number, name, and any fields you upload in a lead list
• Call audio recordings and transcripts (when recording is enabled)
• Spoken responses captured by the AI bot during conversation
• Disposition outcomes (interested, not interested, callback, DNC, etc.)
• Consent records via TrustedForm, Jornaya LeadiD, or other verification tools

Collected automatically

• IP address, browser type, device, and operating system
• Pages visited, features used, and time on each screen
• Crash logs, API request logs, and webhook delivery logs
• Cookies and similar technologies — see Section 09

We use the data above only for these purposes:

• Run the Service — place calls, route dispositions, store recordings, send transcripts
• Bill you — process subscriptions and usage charges
• Support — diagnose issues, answer tickets, train our own staff
• Improve the platform — usage analytics, A/B tests, performance tuning (always on aggregated or anonymized data)
• Comply with law — respond to subpoenas, court orders, and regulatory requests
• Marketing to you — product updates and pitches; you can unsubscribe anytime

If you're in the EU/UK, here are the legal bases we rely on for each processing purpose:

• Contract — running the Service for paying customers
• Legitimate interest — fraud prevention, security monitoring, product analytics
• Consent — marketing emails, optional cookies, voice cloning of your own voice
• Legal obligation — tax records, regulator response, lawful interception

For call data that flows through the Service from your campaigns, you (the customer) are the controller and we are the processor. You're responsible for establishing the legal basis for those calls (typically prior express written consent in the US, explicit consent in the EU).

We share data only with the following parties, and only as needed:

The full, current subprocessor list — with sub-processor names and jurisdictions — is at dialvora.ai/dpa. We will give you 30 days' notice before adding or replacing a subprocessor.

The Service can record every call leg — bot, agent, three-way, full-mix — and produce a transcript for each. Recordings and transcripts are customer data stored in your account and accessible only to you and the staff you grant access.

You alone are responsible for obtaining required consents to record. Many U.S. states and most non-U.S. jurisdictions require two-party (all-party) consent. Use the bot's opening disclosure or your agent's script to capture consent on the recorded line.

We use recordings strictly for the purpose you configured (playback, QA, dispute resolution, compliance audit). We do not use them for training, model improvement, or any purpose outside your account.

We keep data only as long as we need it:

• Account info — for the life of the account, plus 12 months after closure (for tax / audit)
• Lead lists & CRM data — until you delete them, or 90 days after account closure
• Call recordings & transcripts — for the retention period you choose in settings (default: 90 days). Enterprise customers can configure longer or shorter retention
• Usage logs & analytics — 13 months in aggregate form
• Backups — encrypted daily backups retained for 30 days, then deleted
• Support tickets & emails — 3 years for legal/regulatory purposes

You can shorten retention or trigger immediate deletion by emailing privacy@dialvora.ai.

Depending on where you live, you have some or all of these rights over your personal data:

• Access — get a copy of the data we hold about you
• Rectify — correct inaccurate data
• Delete — have your data erased ("right to be forgotten")
• Restrict — pause processing of your data
• Portability — export your data in a machine-readable format
• Object — opt out of processing based on legitimate interest
• Withdraw consent — for any consent-based processing
• Complain — to your local data protection authority

To exercise any of these rights, email privacy@dialvora.ai from the email tied to your account. We respond within 30 days.

We use a small number of cookies. We don't use ad-network tracking pixels on the dashboard.

• Strictly necessary — login sessions, CSRF tokens, language preference. Cannot be disabled.
• Analytics — usage patterns and feature adoption (first-party only, IP-anonymized)
• Marketing — only on the public marketing site (not the app), for conversion measurement

You can manage cookie preferences from the cookie banner on first visit, or in your browser settings. Blocking strictly necessary cookies will break login.

We take security seriously. Our controls include:

• Encryption in transit — TLS 1.2+ for all web and API traffic; SRTP for media
• Encryption at rest — AES-256 for databases, recordings, and backups
• Access control — role-based permissions, MFA available on every account, audit logs on every change
• Network isolation — production databases not exposed to the public internet
• Vulnerability management — automated dependency scanning and quarterly penetration tests
• Incident response — 24-hour breach-notification commitment to affected customers

For the full security white paper and certifications, see our Security page.

Dialvora is U.S.-headquartered. If you are outside the U.S., your data will be transferred to and processed in the United States and other countries where our subprocessors operate.

For data transferred from the EU, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) and supplementary measures per the European Data Protection Board's guidance. A copy of the SCCs is in our DPA.

The Service is intended for businesses, not consumers, and is not directed at children under 16. We do not knowingly collect personal information from anyone under 16. If we learn that we have, we will delete it. If you are a parent or guardian and believe your child has provided us data, email privacy@dialvora.ai.

We may update this Privacy Policy from time to time. Material changes will be announced by email or in-product notice at least 14 days before they take effect. The "Last Updated" date at the top of this page always reflects the most recent change.

For any privacy question — access requests, deletion, complaints, or general curiosity — reach out directly. We don't bury privacy contact behind ticket systems.

For EU/UK data subjects, we have a Data Protection Officer reachable at the email below.