Privacy Policy

SunoVoice AI provides software that lets businesses deploy an AI voice agent to answer and place phone calls, book appointments, answer questions, and transfer calls to a human. We act as a data controller for your account, identity-verification, and billing information, and as a data processor for the call content and business data you process through the Service on behalf of your own end users.

We are a technology and communications-enablement provider. We are not a party to, and do not author, the calls or messages you originate through the Service; you are responsible for them as described in our Terms of Service.

• Account & profile data — name, email address, password (stored only as a salted hash by our authentication provider), organization details, and contact information.
• Identity & verification data (KYC) — information we collect or that you provide to verify your identity and eligibility, prevent fraud, and meet telecommunications and legal requirements (for example, the verification of a phone number you control, business details, and records relating to anti-fraud checks).
• Agent & business configuration — the instructions, prompts, knowledge-base documents, phone numbers, and settings you create to configure your agent.
• Call data — call recordings, transcripts, caller/called numbers, timestamps, duration, and post-call analysis (summary, sentiment, resolution) generated when your agent handles a call.
• Connected-calendar data — if you connect a Google or Microsoft calendar, the access and refresh tokens needed to create bookings, plus limited calendar metadata (see Section 3).
• Payment data — your plan, billing history, and invoices. Card details are entered directly with our payment processor (PayPal); we never receive or store full card numbers.
• Usage, technical & security data — log data, device and browser information, IP address, cookies, and signals we use to operate, secure, and detect misuse of the Service.

When you choose to connect your Google Calendar, we request the https://www.googleapis.com/auth/calendar scope together with your basic profile (openid email). We use this access solely to:

• create, update, and cancel the appointment events your AI agent books for you; and
• read your calendar’s default time zone so bookings are scheduled correctly.

We store an encrypted OAuth refresh token so the agent can continue managing bookings. We do not read, copy, or retain the contents of your existing calendar events beyond what is required to perform the actions above, and we do not use Google user data for advertising or sell it to anyone.

We do not allow humans to read your Google user data unless we have your consent for specific support requests, it is necessary for security or to comply with applicable law, or the data has been aggregated and anonymized. You can disconnect a calendar at any time from your dashboard, or revoke access directly in your Google Account permissions. The same principles apply to Microsoft Outlook calendars connected through the Service.

• To provide, operate, maintain, and improve the Service and your AI agent.
• To process calls, generate transcripts and analysis, and perform booking actions.
• To verify identity, assess eligibility, and prevent, detect, investigate, and respond to fraud, abuse, and unlawful use of the Service.
• To process payments, manage subscriptions, and send service and billing emails.
• To protect the security, integrity, and regulatory standing of the Service, our carriers, and our users, and to enforce our Terms.
• To comply with legal, regulatory, and law-enforcement obligations.

Where applicable law requires a legal basis, we rely on: performance of our contract with you; your consent (which you may withdraw); our legitimate interests in operating, securing, and protecting the Service and preventing fraud and abuse; and compliance with our legal obligations.

We do not sell your personal information. We share it only with:

• Service providers (sub-processors) — vetted vendors that power the Service on our behalf, including cloud hosting, telephony and real-time voice infrastructure, AI/ML model providers, email delivery, and payment processing. They may process data only to provide services to us and under confidentiality and security obligations.
• Telecommunications carriers — to provision and operate phone numbers and calls, and to comply with carrier and regulatory requirements.
• At your direction — services you connect (e.g. your Google or Microsoft calendar) and any webhooks or integrations you enable.
• Law enforcement, regulators & for fraud prevention — see Section 7.
• Business transfers — in connection with a merger, acquisition, or sale of assets, subject to this Policy.

Because phone numbers and calling capacity are provisioned through regulated carriers and are tied to verified identities, we take misuse seriously. You acknowledge and agree that we may, to the extent permitted or required by law, and without further notice to you:

• monitor, review, and investigate accounts, calls, and content where we reasonably suspect fraud, abuse, or unlawful activity;
• disclose your identity, account, verification, call, and usage records to carriers, regulators, courts, and law-enforcement authorities in response to lawful requests or to investigate, prevent, or report suspected fraud, abuse, or illegal use; and
• retain and preserve relevant records for these purposes for as long as necessary.

These measures protect our users, our carriers, our lawful operation, and the individuals whose identities underpin our service.

We retain account, identity-verification, and business data for as long as your account is active. Call recordings, transcripts, and connected-calendar tokens are retained until you delete them, disconnect the integration, or close your account. We may retain certain information for a longer period where necessary to comply with legal obligations, resolve disputes, enforce our agreements, and prevent or investigate fraud and abuse.

We use industry-standard safeguards including encryption in transit, encryption of sensitive credentials at rest, access controls, and per-tenant data isolation. Learn more on our Security page. No method of transmission or storage is completely secure, but we work continuously to protect your information.

We operate globally and may process and store information in countries other than your own, including for hosting and sub-processing. Where we transfer personal data across borders, we use appropriate safeguards consistent with applicable data-protection law.

Subject to applicable law, you may have the right to access, correct, export, or delete your personal information, and to object to or restrict certain processing. You can manage much of your data in the dashboard, disconnect integrations at any time, or contact us to exercise these rights. Some information may be retained as permitted by law, including for fraud prevention and legal compliance. We will respond consistent with applicable law (including the GDPR and CCPA where they apply).

We use cookies and similar technologies that are necessary to operate the Service (such as keeping you signed in) and to keep it secure. You can control cookies through your browser, though disabling them may affect functionality.

The Service is intended for businesses and is not directed to children under 16. We do not knowingly collect personal information from children.

We may update this Privacy Policy from time to time. We will revise the “Last updated” date above and, for material changes, provide additional notice where appropriate. Your continued use of the Service after changes take effect constitutes acceptance.

Questions about this Policy or your data? Email us at hello@sunovoice.com.