Privacy Policy

1. Our two roles: controller and processor

Telecom data involves two different relationships, and your rights and our obligations depend on which applies:

• Controller. For account, billing, KYC, website, marketing, and support data, UnlimCall decides why and how the data is processed and acts as a data controller (a "business" under U.S. state laws).
• Processor. When our customers use the Services to place calls, we transmit and may store data about those calls (such as call detail records and, where the customer enables it, call recordings) on the customer's behalf and under their instructions. For that data, our customer is the controller and UnlimCall is a processor (a "service provider"). This processing is governed by our Data Processing Addendum ("DPA").
• Carrier (CPNI) duties. As a U.S. telecom provider, we have independent legal duties over certain network and routing data—Customer Proprietary Network Information ("CPNI")—under Section 222 of the Communications Act and FCC rules. The same underlying call data can therefore be subject both to our carrier duties (under U.S. telecom law) and to a processor relationship with our customer (under data-protection laws such as GDPR). We honor both. See Section 3A.

If you are an individual who was called by, or who called, one of our customers, that customer—not UnlimCall—is the controller of your data and is your primary point of contact for privacy rights. See Section 11.

2. Information we collect

As a controller, we collect:

• Account and contact data — name, business email, phone, company name, role, and login identifiers. We use magic-link (email) authentication.
• KYC and verification data — business registration details, tax/company identifiers, beneficial-ownership and authorization information, government-ID and proof-of-address documents, licenses, sanctions-screening results, and, for higher-risk Markets or verticals, additional documentation you provide to verify legitimacy.
• Billing data — billing contact, transaction history, plan, Seat counts, Markets, and payment-processor identifiers. Card and payment-method details are collected and stored by our payment processor (Stripe), not by UnlimCall.
• Technical and device data — IP address, device and browser information, access times, pages viewed, portal activity, API logs, SIP authentication events, and security/error logs.
• Support and communications data — messages, tickets, and call/chat records you exchange with us (email, website chat, demo bookings).
• Website and marketing data — analytics events, pages viewed, forms submitted, campaign attribution, and email-engagement data, collected through cookies and similar technologies (see Section 12).

As a processor, on behalf of our customers we handle:

• Call detail records (CDRs) and messaging records — metadata such as calling and called numbers, sender/recipient numbers, SIP headers, timestamps, duration, routing, disposition, attestation status, and quality metrics.
• Numbering and Caller ID data associated with the customer's use.
• Call recordings and related content — only where the customer enables recording for a Market. We do not require or enable recording by default.
• Message content (SMS/MMS payload) — the body and media of messages our customers send through the Services, transmitted and handled on their instructions.
• AI Feature data — where enabled, prompts, scripts, knowledge-base content, transcripts, summaries, sentiment/emotion analysis, and AI-generated outputs.
• Voice-cloning and biometric-like data — where Voice Cloning is enabled, voice samples, consent attestations, voice-model identifiers, and deletion logs. Voice samples and models may be considered sensitive or biometric data under some laws (for example, U.S. state biometric-privacy laws).
• Integration data — where you connect a third-party service, account identifiers, OAuth tokens, calendar/email permissions and content, CRM fields, and webhook data needed to operate the integration.
• Contact and lead data the customer loads or transmits through connected dialers or applications.

We do not control what personal data our customers route through the Services.

Sources. We collect this data from you and your account users; from callers and recipients who interact with the Services; from third-party integrations you enable; from carriers, peering partners, traceback groups, numbering databases, and STIR/SHAKEN systems; from KYC, identity-verification, payment, and security providers; from public and corporate-registry sources; and through cookies and automated technologies.

3. How we use information (as controller)

We use controller data to:

• Provide, provision, maintain, secure, and support the Services;
• Verify identity and business legitimacy (KYC) and prevent fraud and abuse;
• Bill and process payments and manage subscriptions;
• Communicate with you about your account, service changes, security, and support;
• Operate, protect, and improve our website and network, including detecting and investigating abuse and security threats;
• Comply with legal, regulatory, telecom, and traceback obligations; and
• With appropriate consent or as permitted by law, send marketing communications you can opt out of at any time.

We do not use the content of our customers' calls or recordings to train AI or machine-learning models.

3A. CPNI notice

Under the U.S. Communications Act, you have a right, and UnlimCall has a duty, to protect the confidentiality of CPNI—network and routing information such as source and destination numbers, call duration and timing, routing, and the technical configuration and amount of your use of the Services. We use CPNI only to provision the Services, route and complete calls, calculate and collect billing, protect against telecom fraud and network abuse, troubleshoot, and comply with law. We do not sell CPNI or communications metadata to marketers or data brokers. We will not use or disclose CPNI for purposes outside these except with your consent or as required or permitted by law.

4. Legal bases (GDPR/UK GDPR)

Where the GDPR or UK GDPR applies, we rely on: performance of a contract (providing the Services and managing your account); legitimate interests (securing and improving the Services, preventing fraud and network abuse, and limited B2B marketing, balanced against your rights); legal obligation (tax, accounting, telecom, and traceback requirements); and consent (certain cookies and marketing, which you can withdraw). For processor activities, our customer is responsible for the legal basis to process End-User data and instructs us via the DPA.

5. Call detail records, recordings, and retention

• CDRs (customer access). The CDRs and recordings made available to you in the portal default to a 90-day retention, or a different period defined in your account or DPA.
• CDRs and toll/billing records (regulatory). Separately, as a carrier we retain certain CDRs, toll records, and billing records for longer where required for legal, tax, fraud-prevention, traceback, and regulatory purposes—typically a minimum of about 18 months (consistent with U.S. FCC toll-record retention) and up to approximately 7 years for tax and accounting records.
• Recordings, where enabled by the customer, are retained per the customer's configuration and stored in the region the customer selects.
• Voice samples and voice clones are retained while the clone is active and deleted after you delete the clone or close the account, subject to backups, legal holds, fraud prevention, and provider deletion processes.
• Support and communications records are retained as needed for support, quality, legal, and business purposes.
• We retain controller data (account, billing, KYC) for as long as your account is active and thereafter as needed to comply with legal, tax, and regulatory obligations and to resolve disputes. We may retain aggregated or de-identified data indefinitely.

6. Data residency

For EU customers and Markets, voice traffic terminates in-region and EU customer data is processed and stored in our EU regions (Frankfurt and London). Where call recording is enabled for an EU Market, recordings are stored in EU storage. We do not process EU recordings outside the selected region, and we do not use call content to train models. Data residency options are described per Market and in the DPA.

7. How we share information

We share personal data only as needed and as described here:

• Carriers and network partners — to route, terminate, sign (STIR/SHAKEN), and complete calls, certain CDR/signaling data is necessarily shared with upstream and downstream carriers (for example, Tier-1 mobile and fixed operators in the destination country) and our numbering and connectivity partners. These carriers act as independent controllers of the routing data they receive.
• Service providers / subprocessors — vendors that help us operate, under contracts that restrict their use of the data: Stripe, Inc. (card payment processing), NOWPayments OÜ (cryptocurrency payment processing), Cloudflare, Inc. (CDN, DDoS protection, edge routing, and our EU-resident R2 object storage), and Resend, Inc. (transactional email). A current list of subprocessors is available on request and, where applicable, referenced in the DPA.
• Single sign-on providers — if you choose "Continue with Google" or "Continue with Microsoft," Google LLC or Microsoft Corporation returns your verified email address, name, and a stable account identifier (no contacts, calendar, files, or other profile data). You can sign in via email magic link instead if you prefer not to use these providers.
• Identity, KYC, and compliance providers — to verify business legitimacy, beneficial ownership, and sanctions status, we share identity and business documents with verification and screening providers, including Didit OÜ, where required by the regulations of the country your numbers are issued in.
• AI and voice technology providers — where you enable AI Features, speech-to-text, text-to-speech, voice-cloning, language-model, transcription, and analytics providers may process prompts, voice samples, recordings, transcripts, and summaries to deliver those features. For KYC document analysis specifically, document images you upload are processed by Anthropic PBC to extract text fields (name, address, document number) for review, and are never used to train models. We do not use customer call recordings, transcripts, lead lists, or voice samples to train general-purpose AI models unless you give express permission or a Service Order says otherwise.
• Regulators, registries, traceback consortiums, carriers, and law enforcement — where required by law or to respond to lawful requests. As an interconnected voice provider, we comply with applicable lawful-interception and assistance obligations, including the Communications Assistance for Law Enforcement Act (CALEA), and we cooperate with traceback (including the Industry Traceback Group). We disclose data only when legally compelled by a valid subpoena, court order, or lawful emergency/exigent request, or to enforce our AUP and protect the network, our customers, or the public.
• Professional advisors — auditors, lawyers, and accountants under confidentiality.
• Corporate transactions — in connection with a merger, acquisition, financing, or sale of assets, subject to this Policy.

We do not sell personal data, and we do not "share" it for cross-context behavioral advertising as those terms are defined under U.S. state privacy laws.

8. International transfers

We may transfer personal data across borders, including between the EU/UK and the United States. Where we do, we use appropriate safeguards such as the EU Standard Contractual Clauses (and the UK Addendum) or another lawful transfer mechanism. EU Market data is handled with the residency commitments in Section 6.

9. Security

We protect data with administrative, technical, and organizational measures, including TLS 1.2+ for SIP signaling and SRTP for media (default-on for new tenants), encryption in transit, encryption at rest (AES-256) for stored data such as recordings, access controls, and network monitoring. By design, we do not capture DTMF in a way that brings cardholder data into scope (PCI out-of-scope). No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

10. Your privacy rights

Depending on where you are, you may have rights to:

• Access the personal data we hold about you;
• Correct inaccurate data;
• Delete your data;
• Restrict or object to certain processing;
• Port your data; and
• Withdraw consent where processing is based on consent.

For U.S. state privacy laws you may have rights to know, access, correct, delete, port, and to opt out of sale, sharing, or targeted advertising, and to appeal a denied request where applicable. We do not discriminate against you for exercising these rights.

California (CCPA/CPRA). In the past 12 months we may have collected the categories described in Section 2 (identifiers, commercial, internet/network activity, coarse geolocation from IP or routing, audio/call content where enabled, professional information, sensitive personal information for KYC or voice cloning, and inferences for fraud, security, and analytics), used for the purposes in Section 4 and disclosed to the recipient categories in Section 7. We do not sell personal data and do not use Customer Data, recordings, transcripts, lead lists, or voice samples for cross-context behavioral advertising. We use sensitive personal information only for permitted purposes such as identity verification, security, fraud prevention, compliance, voice cloning you request, and providing the Services.

Delaware and other states. Residents of Delaware and other states with applicable privacy laws have rights to access, correct, delete, port, opt out, obtain disclosure information, and appeal denied requests.

Opt-out preference signals. Where applicable and technically feasible, we honor legally recognized opt-out preference signals such as Global Privacy Control (GPC).

To exercise rights for data where we are the controller, contact [email protected]. We will verify your request and respond within the timeframe required by applicable law. You may use an authorized agent where the law permits.

Where we act as a processor (call/message data handled on a customer's behalf), please direct your request to the relevant UnlimCall customer (the controller); we will assist them in responding as required by the DPA.

If you are in the EEA or UK and have concerns, you may also lodge a complaint with your local data protection authority.

11. If you were called by an UnlimCall customer

UnlimCall is a voice carrier. When a business uses our network to call you, that business is the data controller responsible for the call, the consent relied on, and your data. If you received an unwanted call, you can report it to [email protected] with the date/time, the number called, and the displayed Caller ID, and we will investigate. For privacy requests about your personal data, contact the business that called you; we will support them as a processor as required.

12. Cookies and analytics

Our website uses cookies and similar technologies for essential functionality, security, and analytics. Where required by law, we request consent for non-essential cookies and offer the most privacy-protective default. You can control cookies through your browser settings and any consent tool we provide.

Communications. Service, billing, security, and compliance messages relate to the Services and are not optional. We may also send marketing communications where permitted; you can opt out of those at any time using the unsubscribe link or by contacting us, without affecting service messages.

13. Children

The Services and website are intended for businesses and individuals 18 or older. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact [email protected] and we will delete it.

14. Changes to this Policy

We may update this Policy from time to time. We will post the updated version with a new "Last updated" date and, for material changes, provide additional notice where required. Continued use of the Services after the effective date constitutes acceptance.

15. Contact us

UnlimCall LLC 131 Continental Dr, Suite 305 Newark, DE 19713, USA

• Privacy requests: [email protected]
• General/support: [email protected]
• Abuse/unwanted calls: [email protected]
• Data Processing Addendum: available to customers on request