
Privacy Policy

Last updated: May 11, 2026

VICIagent ("we", "us", "our") operates an AI phone agent platform at viciagent.com and app.viciagent.com. This Privacy Policy explains what data we collect, why we collect it, who we share it with, and what rights you have.

We treat two categories of people separately throughout this policy: Customers (the businesses and individuals who sign up to use VICIagent) and End Users (the people our Customers' agents call or who call our Customers' phone numbers). When we describe data handling, we name which category each applies to.

1. Customer data we collect

1.1 Account data

When you sign up for VICIagent, we collect:

  • Email address
  • Hashed password (bcrypt; we never store plaintext passwords)
  • Account / company name
  • Data residency preference (US or EU)
  • Optional: payment method via our regulated payment processor, name and billing address
  • Optional: 2FA TOTP secret + recovery code hashes
  • Optional: linked Google or Microsoft OAuth identifiers (the provider's stable user id, email-at-link, and display name)

1.2 Usage and operational data

  • IP address, user agent, and timestamps of authentication events
  • Audit log of administrative actions (account changes, member invitations, plan changes, etc.)
  • Records of calls placed or received through your account (see "End User data" below)
  • Aggregated billing usage (minutes consumed, line-item costs)

1.3 Compliance ("KYC") data for telephony

To comply with telephony regulations (FCC, Ofcom, ARCEP, etc.) when assigning phone numbers, you provide an "end-user record" for each number: the individual or business the number is registered to. This includes name, address, country, contact details, and identifiers (e.g. tax ID, company registration number). We treat this data as sensitive and use it solely for regulatory compliance and number-provisioning purposes.

2. End User data we process

When our Customers' agents place or receive calls, we process data about the End Users on those calls. This data belongs to our Customer; we act as a data processor on their behalf. The Customer is the data controller and is responsible for obtaining any necessary consents from End Users.

2.1 Call data we process

  • Phone numbers (both the Customer's and the End User's)
  • Call duration, direction (inbound / outbound), disposition, and timing
  • Optional, Customer-configurable: call audio recordings and transcripts
  • Lead score, sentiment, summary, and structured fields extracted by AI
  • Quality metrics (echo cancellation, latency, turn count)

2.2 Two-party consent announcements

For calls into states or jurisdictions that require all-party consent to record (e.g. CA, FL, IL, PA, WA, MD, MA, NH, OR, NV, CT in the United States; the EU, UK), our platform auto-injects a recording-disclosure announcement before any recording starts. End Users who do not consent can decline and the recording stops.

2.3 In-call DNC (Do-Not-Call)

If an End User says "stop calling" or similar phrases during a call, our platform flags the number in real time and never calls it again from the same Customer account. This is logged with a timestamp and a recording timestamp for compliance auditing.

3. Categories of sub-processors

We use third-party service providers ("sub-processors") to operate the platform. Each is contractually bound to handle your data consistently with this policy and applicable law. The categories below describe the function of each provider; the current named list is available on request — email privacy@viciagent.com.

  • AI inference providers — speech-to-text, large language models, and text-to-speech engines that power live conversation and post-call analysis. Call audio, transcripts, and conversational context are sent to these providers in real time to generate agent responses. None of our AI inference providers train on our API traffic.
  • Telephony carriers — SIP signaling and RTP audio routes through regulated telecom carriers to deliver calls to the public switched network.
  • Cloud infrastructure providers — compute, content delivery, DNS, and object storage. Recordings and transcripts are stored in region-isolated buckets (US or EU) per your residency preference.
  • Payment processing — when applicable, billing details (card, ACH, tax data) are handled directly by our regulated payment processor. We store only customer IDs and invoice metadata on our side.
  • Transactional email — login notifications, invitations, password reset emails, and billing receipts are delivered via a transactional email service.
  • Error monitoring — stack traces, request IDs, and aggregate performance data. We deliberately do not send personally identifiable information (including email addresses) to our error-monitoring provider.
  • Identity providers (optional) — when you choose to sign in with Google or Microsoft, we receive your verified email, display name, and a stable user identifier from that provider.

We may add, replace, or remove sub-processors over time as the platform evolves. Material changes (e.g. moving call data to a new jurisdiction) will be announced via email to account owners with at least 30 days' notice.

4. How long we keep data

  • Account data: retained while your account is active. After deletion, we retain billing records for 7 years (US tax requirement) and remove the rest within 30 days.
  • Call recordings & transcripts: Customer-configurable. Default is 90 days for Starter / Growth, 1 year for Pro, 3 years for Agency, and custom retention for Enterprise. HIPAA-mode accounts: no recordings, 30-day max retention on any other call data.
  • Audit log: retained for the lifetime of the account; minimum 1 year after account deletion for security-incident investigation.
  • Failed-login / rate-limit logs: 90 days.

5. Your rights

If you are a Customer or an End User based in the European Economic Area, the United Kingdom, California, or any other jurisdiction with comparable rights, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion ("right to be forgotten")
  • Request portability of your data in a machine-readable format
  • Object to processing or restrict it in certain cases
  • Withdraw consent for any processing based on consent
  • Lodge a complaint with your local supervisory authority

Customers can exercise most of these rights directly in the app at Settings. For requests we can't fulfill in-app, or if you are an End User, email privacy@viciagent.com. We respond within 30 days as required by applicable law.

6. Security

We protect your data with measures including:

  • TLS 1.2+ for all data in transit
  • AES-256 at rest for recordings and database backups
  • Bcrypt-hashed passwords (rounds=12) and recovery codes
  • Hashed (sha256) password-reset and invitation tokens — plaintext tokens are never stored
  • RS256 JWT session signing
  • 2FA TOTP support, plus single-use recovery codes
  • Rate-limiting on authentication endpoints
  • Tunneled administrative access — no public SSH on production hosts
  • Audit logging of all administrative actions

No system is 100% secure. We will notify affected Customers within 72 hours of a confirmed breach involving their data, as required by GDPR Article 33.

7. International transfers

We default new Customer accounts to US data residency. Customers can elect EU residency at signup, in which case call recordings, transcripts, and account data are stored in EU regions of our cloud infrastructure providers. Once selected, residency is immutable.

Some sub-processors may process data outside the EU/UK to deliver low-latency AI inference. Where transfers occur to jurisdictions without adequacy decisions, we rely on Standard Contractual Clauses (SCCs) and operate only with sub-processors whose own privacy programs meet GDPR standards.

8. Cookies

We use a small number of strictly necessary cookies:

  • vsid — signed session JWT, HttpOnly, Secure, SameSite=Lax. 14-day expiry.
  • voauth — short-lived (10 min) signed cookie used during OAuth sign-in to prevent CSRF.
  • theme — non-essential, stores your light/dark preference. Local to your browser.

We do not use third-party analytics, advertising, or tracking cookies. If we add product analytics in the future, we will update this policy and provide an opt-out.

9. Children

VICIagent is a B2B platform not directed to children under 16. We do not knowingly collect data about anyone under 16. If you believe we have inadvertently collected such data, contact privacy@viciagent.com and we will delete it promptly.

10. Changes to this policy

We may update this policy from time to time. Material changes will be announced via email to Customer account owners at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent version.

11. Contact us

Questions, data requests, or complaints: email privacy@viciagent.com or write to us at the postal address on our Contact page.

© 2026 VICIagent. All rights reserved.