Privacy policy
Last updated: 29 May 2026
This Privacy Policy explains how VoxApp Ltd, a company registered in New Zealand (VoxApp, we, us or our), handles personal data. VoxApp provides an AI voice and messaging platform exclusively to businesses. This policy should be read together with our Terms of Service and, where we process data on behalf of a customer, our Data Processing Addendum.
1. The two roles we play
VoxApp handles personal data in two distinct roles. Which one applies determines who is responsible and which parts of this policy are relevant to you.
Where we are the controller
We decide how and why personal data is processed — and this policy governs that data — when the data relates to:
- Visitors to voxapp.com and people who contact us or request a demo;
- Our customers' account holders and users — the people at a business who sign up for and administer a VoxApp account.
Where we are the processor
When a customer uses VoxApp to engage the individuals it interacts with — the people who are called, messaged or who join a conversation (Contacts) — the customer is the controller of that personal data and decides why and how it is used. VoxApp is the processor, acting on the customer's instructions. For that data, the customer's own privacy notice and our Data Processing Addendum govern the relationship, and Contacts should refer to the privacy notice of the business that contacted them. This policy describes that processing only at a high level; we do not independently decide how Contact data is used.
2. Information we collect
From website visitors
When you visit voxapp.com we capture page views, scroll depth and call-to-action clicks for product analytics, plus standard technical data (such as IP address, browser and device type). We use a three-level consent banner — Reject all, Analytics only, or Accept all. At "Reject all" we drop visitor identifiers and capture only essential page-view data. We also use Cloudflare Turnstile to protect forms from bots, which processes limited technical signals (such as IP address and browser characteristics).
From customer account holders
- Account and identity data — name, business email, role, login credentials, and authentication data (including where you sign in with Google or Microsoft).
- Billing data — billing contact, address, plan, usage and payment records. Card payments are processed by our payment provider; we do not store full card numbers.
- Usage and support data — configuration, logs, diagnostics and the content of support requests.
From Contacts (as processor)
When operating on a customer's instructions, the platform processes the data needed to conduct a conversation — such as a Contact's name, phone number or email, the conversation transcript, any structured outputs, and, where the customer has enabled it, a call recording. This data is processed on the customer's behalf under the DPA; see clause 1 above.
3. How and why we use personal data
As a controller, we use personal data to:
- provide, secure, maintain, support and improve the Service;
- create and administer accounts, authenticate users and manage billing;
- communicate with you about your account, service updates and security;
- detect, prevent and investigate fraud, abuse and security incidents;
- produce de-identified, aggregated analytics to improve the Service; and
- comply with our legal obligations and enforce our Terms.
Where the EU or UK GDPR applies, our lawful bases are: performance of our contract with you; our legitimate interests in operating and improving the Service and keeping it secure (balanced against your rights); your consent (for example, non-essential analytics cookies); and compliance with legal obligations. You may withdraw consent at any time where consent is the basis.
We do not sell personal data, and we do not use the content of customer conversations to train general-purpose AI models without the customer's express written consent.
4. Call and conversation recording
Recording is disabled by default and is enabled by a customer on a per-AI-Agent basis. Where recording is enabled, a recording notification is given at the start of the conversation, and the AI Agent identifies itself as artificial intelligence at the start of every interaction. Customers are responsible for obtaining any consents required in their jurisdiction (including two-party consent jurisdictions). See clauses 3 and 9 of the Terms.
5. Who we share data with
We share personal data with service providers (sub-processors) who help us operate the Service — including hosting, telephony, speech-to-text, text-to-speech, AI model providers, video transport, email delivery, payments and bot-protection. Each is bound by contract to protect the data and use it only to provide their service to us. Our current sub-processors, their role and location are published at voxapp.com/subprocessors.
We may also disclose personal data where required by law, regulator or court order, to enforce our Terms or protect rights and safety, and to a successor in connection with a merger, acquisition or sale of assets (subject to this policy).
6. Where your data is stored and processed
Customer data at rest is stored in AWS Australia (Sydney) or the European Union, depending on the customer's region; a United States region is on our roadmap. For EU customers, VoxApp uses EU-resident processing endpoints where its sub-processors support them.
Operating an AI conversation requires real-time processing by the sub-processors listed at voxapp.com/subprocessors, some of which are located in the United States or process data globally. Where a sub-processor processes personal data outside the customer's region, those transfers are governed by appropriate safeguards, including the EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and the EU-US Data Privacy Framework where applicable.
7. How long we keep data
Unless otherwise agreed or configured by the customer, our default retention periods are:
- conversation transcripts: 12 months from the date of the conversation;
- call recordings (where enabled): 90 days from the date of the recording;
- conversation metadata (date, time, duration, channel, Contact identifier): 24 months for billing and audit;
- account data and configuration: for the life of the account plus 7 years for tax, legal and audit purposes; and
- aggregated, de-identified analytics data: indefinitely.
We may retain data for longer where required by law or to defend legal claims. Where the Service permits, customers can configure shorter retention for transcripts and recordings.
8. Security
We protect personal data with encryption in transit (TLS 1.2+) and at rest (AES-256), role-based and least-privilege access, audit logging of administrative actions, and tenant isolation so data is not shared across customers. More detail is on our security page.
9. Your privacy rights
Your rights depend on where you are and which law applies. In every case you can reach us at privacy@voxapp.com. Where we act as a processor for Contact data, we will refer your request to the relevant customer (the controller) or assist them in responding.
New Zealand — Privacy Act 2020
You may request access to, and correction of, your personal information held by us, consistent with the Information Privacy Principles. If you are not satisfied with how we handle a request or your information, you may complain to the Office of the Privacy Commissioner (privacy.org.nz).
Australia — Privacy Act 1988 and the Australian Privacy Principles
You may request access to, and correction of, your personal information, and complain about how we handle it. If we cannot resolve a complaint, you may contact the Office of the Australian Information Commissioner (oaic.gov.au). We will not disclose your information overseas except as described in clause 6.
United Kingdom and European Union — UK GDPR and EU GDPR
You have the rights of access, rectification, erasure, restriction of processing, data portability, and objection to processing (including processing based on legitimate interests), and the right not to be subject to solely automated decisions producing legal or similarly significant effects. Where processing is based on consent, you may withdraw it at any time. You may lodge a complaint with your local supervisory authority — in the UK, the Information Commissioner's Office (ico.org.uk). Where required, we appoint a representative in the UK and/or EU; contact details are available from privacy@voxapp.com.
United States — California (CCPA/CPRA) and other state laws
If you are a California resident, you have the right to know what personal information we collect and how we use and disclose it; to access and delete it; to correct it; and to opt out of the "sale" or "sharing" of personal information. We do not sell personal information, and we do not share it for cross-context behavioural advertising. We do not use or disclose sensitive personal information beyond the purposes permitted under the CPRA. We will not discriminate against you for exercising your rights, and you may use an authorised agent to make a request. Residents of other US states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas and others) have similar rights, which we honour where those laws apply.
10. Cookies and tracking
We use essential cookies to run the site and, subject to your choice in our consent banner, analytics cookies to understand usage. You can change your choice at any time using the banner controls. We do not use advertising or cross-site tracking cookies.
11. Children
VoxApp is a business product and is not directed to, or intended for use by, children. We do not knowingly collect personal data from children.
12. Changes to this policy
We may update this policy from time to time. Where changes are material, we will notify customers by email or by notice in the Service. The "last updated" date above shows the current version.
13. Contact
Privacy questions, rights requests, DPAs, or sub-processor queries: privacy@voxapp.com.