Privacy Policy

Last updated: 1 May 2026

1. Data Controller

Company: [FILL: legal company name]
Registered address: [FILL: registered address]
Organisation number: [FILL: org number]
Privacy contact: [FILL: privacy email]

2. What Data We Collect

From You Directly:

Form submissions: Name, email, phone number, company name, company size, call volume, preferred time slots
Call data: Phone numbers, names, call duration, call audio recordings, call transcripts
CRM sync: Customer records synced to Salesforce, HubSpot, Pipedrive, or other integrations

Automatically Collected:

Cookies: Consent preferences, language, theme preference, session IDs
Analytics: [FILL: if applicable — page views, user agent, referrer]

3. Legal Basis for Processing (GDPR Article 6)

Contract performance (Art. 6(1)(b)): Processing your data to deliver the AW Receptionist AI service
Legitimate interest (Art. 6(1)(f)): Analytics, product improvement, service security
Consent (Art. 6(1)(a)): Marketing communications (only after you opt-in)

4. Data Retention Periods

⚠️ [FILL: Retention periods]
E.g., "Call recordings: 90 days. Customer contact records: Until account deletion or 3 years of inactivity. Cookies: 12 months."

5. Sub-processors (Data Processors)

Your data may be shared with these third parties to deliver the service:

⚠️ [FILL: List of sub-processors]
E.g., "AWS (Ireland for EU data storage), OpenAI (USA), Twilio (call handling), Salesforce/HubSpot (CRM), Stripe (payments)"

6. International Data Transfers

Some data is processed by sub-processors in the USA (e.g., OpenAI, AWS US). We rely on:

⚠️ [FILL: Transfer mechanism]
E.g., "Standard Contractual Clauses (SCCs) under GDPR Chapter V. We assess adequacy decisions as required by Schrems II."

7. Your Rights Under GDPR

You have the right to:

Access (Art. 15): Request a copy of your personal data
Rectification (Art. 16): Correct inaccurate data
Erasure (Art. 17): Delete your data ("right to be forgotten")
Restriction (Art. 18): Limit how we use your data
Portability (Art. 20): Receive your data in machine-readable format
Objection (Art. 21): Opt-out of marketing or legitimate-interest processing
Withdraw consent: Revoke consent for marketing at any time

To exercise any of these rights, contact: [FILL: privacy email]

8. Data Subject Rights Requests

We will respond to all data subject access requests (DSARs) within 30 days of receipt, in accordance with GDPR Article 12.

9. Right to Lodge a Complaint

If you believe we have mishandled your data, you have the right to lodge a complaint with the Swedish Data Protection Authority:

Integritetsskyddsmyndigheten (IMY)
https://www.imy.se/

10. Cookies & Consent

We use cookies only after you provide explicit consent via our cookie banner. See our Cookie Settings to manage preferences at any time.

11. Security

Your data is protected by TLS encryption in transit and [FILL: encryption at rest — e.g. AES-256]. We store call recordings in [FILL: region/location]. We follow industry best practices for access control and incident response.

12. Changes to This Policy

We may update this policy. We will notify you of material changes via email.

13. Contact Us

Questions about this privacy policy?
Email: [FILL: privacy email]