1. Who We Are
Callzy is an AI automation service for home service contractors. The service is operated from Barcelona, Spain (European Union). For GDPR purposes, Callzy acts as the data controller for website visitor data and as a data processor on behalf of contractor clients when handling their customers' SMS conversations.
Contact: privacy@callzy.io
2. Data We Collect
We collect only what is necessary to deliver our service:
- Website visitors: Email address (if you submit the demo request form), IP address, browser type, pages visited, and time on site (via server logs).
- Contractor clients: Business name, owner name, business phone number, email address, Google Calendar credentials (OAuth token — never stored as plain text), service area, and billing information (handled by Stripe — we never see card numbers).
- End consumers (your customers' leads): Phone number (from the missed call event), SMS message content during the AI qualification conversation, address, and job type. This data is processed on behalf of our contractor clients.
We do not collect sensitive personal data (race, health, religion, political views) and we do not sell or rent any data to third parties, ever.
3. Legal Basis for Processing (GDPR)
If you are in the EU/EEA, we rely on the following legal bases:
- Contract performance (Art. 6(1)(b)): Processing necessary to deliver our service to contractor clients.
- Legitimate interests (Art. 6(1)(f)): Sending an automated SMS to a person who called a contractor's number (they initiated contact). The legitimate interest is recovering the lead for the business they called — proportionate and expected.
- Consent (Art. 6(1)(a)): Demo request form submissions and any marketing emails (we always include an unsubscribe link).
4. SMS and TCPA Compliance
Callzy's core function — sending an automated SMS in response to a missed call — is fully compliant with the US Telephone Consumer Protection Act (TCPA) because:
- The recipient initiated contact by placing a phone call to the business number. This constitutes an existing business relationship and implied consent for a follow-up SMS.
- SMS messages are sent only to the number that called — never to cold lists or purchased databases.
- Every automated SMS includes the business name and an easy opt-out path ("Reply STOP to unsubscribe").
- All client phone numbers are registered through A2P 10DLC (10-Digit Long Code) with US carriers, as required by the CTIA.
Contractor clients are responsible for ensuring their own business practices comply with applicable local regulations beyond what Callzy configures by default.
5. How We Use Your Data
- To send the demo link you requested
- To set up and operate the Callzy system for contractor clients
- To send AI-generated SMS replies on behalf of contractor clients
- To create Google Calendar events
- To generate performance reports for clients
- To improve our AI conversation quality (using anonymized, aggregated data)
- To send billing-related communications via Stripe
We do not use your data for advertising profiling, automated decision-making that produces legal effects, or any purpose not listed above.
6. Third-Party Processors
We share data with the following processors, each under a Data Processing Agreement:
- GoHighLevel — CRM and SMS automation platform (US-based, Standard Contractual Clauses apply)
- Google LLC — Calendar integration and Google Workspace (Standard Contractual Clauses apply)
- Stripe, Inc. — Payment processing (PCI-DSS compliant, Standard Contractual Clauses apply)
- Formspree, Inc. — Demo request form processing
- Netlify, Inc. — Website hosting (no personal data processed beyond access logs)
7. Data Retention
- Website leads (demo requests): 24 months from submission, or until you ask us to delete.
- Active client data: Duration of the contract plus 12 months for accounting purposes.
- SMS conversation logs: 90 days rolling window (sufficient for dispute resolution), then automatically deleted.
- Billing records: 7 years (required by Spanish tax law).
8. Your Rights (GDPR — EU/EEA Residents)
You have the right to:
- Access — request a copy of all personal data we hold about you (Art. 15)
- Rectification — correct inaccurate data (Art. 16)
- Erasure — request deletion ("right to be forgotten") (Art. 17)
- Restriction — ask us to pause processing while a dispute is resolved (Art. 18)
- Portability — receive your data in a machine-readable format (Art. 20)
- Object — opt out of processing based on legitimate interests (Art. 21)
- Withdraw consent at any time for consent-based processing
To exercise any right, email privacy@callzy.io. We respond within 30 days. You also have the right to lodge a complaint with the Spanish data protection authority (AEPD) or your local supervisory authority.
9. California Residents (CCPA)
California residents have the right to know what personal information we collect, to request deletion, and to opt out of the "sale" of personal information. We do not sell personal information. To submit a CCPA request, email privacy@callzy.io with the subject "CCPA Request".
10. Cookies
This website uses no advertising or tracking cookies. We use only essential functionality (no third-party analytics scripts, no retargeting pixels). Server logs (IP address, pages visited) are retained for 30 days for security purposes.
11. International Data Transfers
Callzy operates from Spain (EU) and serves US clients. Data transfers from the EU to the US (for GoHighLevel, Google, Stripe) are covered by Standard Contractual Clauses (SCCs) pursuant to GDPR Art. 46(2)(c). US data processed on behalf of contractor clients is subject to the contractor's own compliance obligations.
12. Changes to This Policy
We may update this policy when our service changes or when regulations require. Material changes will be communicated by email to active clients at least 14 days before they take effect. The "last updated" date at the top of this page always reflects the current version.
13. Contact
For any privacy-related questions, data requests, or complaints:
Email: privacy@callzy.io
Response time: within 5 business days for general questions, within 30 days for formal data requests.