Privacy Policy
RINGBACKAI LTD ("RingBack", "we", "us") provides an AI-powered call answering service. This policy explains what personal data we collect when you use our website (ringbackai.co.uk) and our service, how we use it, and the rights you have under the UK GDPR and the Data Protection Act 2018.
1. Who we are
RINGBACKAI LTD is a company registered in England and Wales with company number 17195962. For the purposes of UK and EU data protection law, RingBack is the data controller for personal data of website visitors and account holders, and a data processor when we handle call data on behalf of our business customers.
You can contact our data protection team at privacy@ringbackai.co.uk.
2. Information we collect
- Account data — name, business name, email, phone number and billing details.
- Call data — audio recordings, transcripts, caller phone numbers, timestamps and AI-generated summaries of calls handled by our service.
- Configuration data — the documents, FAQs and instructions you upload to train your AI agent.
- Google account data — when you connect a Google account, we receive the data described in section 6 below.
- Microsoft account data — equivalent data when you connect a Microsoft 365 / Outlook account.
- Usage data — log data, IP address, device and browser information, pages visited, and product analytics.
- Cookies — strictly-necessary cookies for authentication and a limited set of analytics cookies (only with your consent).
3. How we use your information
We process personal data to:
- Provide the RingBack service — answering, transcribing and summarising calls, and routing emergencies.
- Authenticate users, prevent fraud, and keep the service secure.
- Improve product quality, including evaluating AI agent accuracy on aggregated, de-identified data.
- Send service-related communications and, with your consent, marketing emails (you can opt out at any time).
- Comply with our legal obligations, including responding to lawful requests from public authorities.
We do not sell personal data, we do not use it for advertising, and we do not use it to train generalised AI models.
4. Lawful bases
We rely on the following lawful bases under UK GDPR Article 6:
- Contract — to deliver the service you've signed up for.
- Legitimate interests — to secure, monitor and improve the service in a way you would reasonably expect.
- Consent — for optional analytics cookies and marketing.
- Legal obligation — where we are required to retain or disclose data by law.
5. Call recordings and AI processing
When RingBack handles an inbound call on behalf of a business customer, the AI agent informs the caller that the call is being answered by an automated assistant and may be recorded. Recordings and transcripts are stored encrypted at rest, processed by our large-language-model providers under written data-processing agreements, and are never used to train public foundation models.
6. Google API services and Limited Use
RingBack uses Google APIs to deliver calendar booking features. The following statement applies to all data we receive from Google APIs:
RingBack's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, we affirm that we:
- do not use Google user data to develop, improve or train generalised AI/ML models;
- do not transfer Google user data to third parties except as needed to provide or improve user-facing features, comply with applicable law, or as part of a merger, acquisition or sale of assets with user notification;
- do not use or transfer Google user data for serving advertisements, including retargeted, personalised or interest-based advertising;
- do not allow humans to read Google user data, unless we have your explicit consent for specific messages, doing so is necessary for security purposes (e.g. investigating abuse), to comply with applicable law, or for internal operations on data that has been aggregated and anonymised.
We request the following Google API scopes, each limited strictly to its stated purpose:
- openid — standard OpenID Connect identifier; gives us a stable Google user ID to recognise your account on return visits.
- email — your primary Google email address, used to identify your RingBack account and send booking confirmations and security alerts. Not used for marketing without separate consent.
- profile — your given name, family name and profile picture URL, displayed only within your RingBack dashboard.
- https://www.googleapis.com/auth/calendar.events — read free/busy availability windows and create, modify or cancel calendar events. Used solely to book appointments on your primary Google Calendar when our AI agent answers a call on your behalf. We do not read the contents of events we did not create.
Full technical detail — including what we never do with each scope — is at ringbackai.co.uk/scopes.
How we protect Google data: OAuth access and refresh tokens are stored encrypted at rest (AES-256) in an isolated secrets vault, accessible only to the minimal set of production services that need them. All communication with Google APIs is over TLS 1.2+. Free/busy and event data fetched during a live call is held only in volatile memory and is never written to persistent storage. Tokens are permanently deleted within 24 hours of you disconnecting your Google account or closing your RingBack account.
You can revoke RingBack's access to your Google account at any time via your RingBack settings or directly at myaccount.google.com/permissions.
7. Sharing your data
We share data only with:
- Sub-processors — the current list (which we keep up to date) is:
  - Google Cloud (Cloud Run, Cloud SQL, Cloud Storage, Firebase Hosting, Secret Manager) — application hosting, database, object storage and secrets, region europe-west1 (Belgium) where configured.
  - Vapi.ai — real-time voice AI orchestration (EU region where supported, otherwise US under SCCs / UK IDTA).
  - OpenAI — large-language-model inference for call understanding (EU residency where available, otherwise US under SCCs).
  - Deepgram — real-time speech-to-text transcription (US, under SCCs).
  - Anthropic — optional fallback language-model inference (US, under SCCs / UK IDTA).
  - ElevenLabs — optional text-to-speech generation (US, under SCCs / UK IDTA).
  - Twilio — telephony carrier and SMS (US/UK, under SCCs).
  - Stripe Payments UK Ltd — subscription billing (UK / Ireland).
  - SendGrid (Twilio) — transactional email (US, under SCCs).
  - PostHog — product analytics, EU instance only (eu.i.posthog.com).
  - Google or Microsoft customer accounts — booking calendar integrations authorised by the customer.
- Your integrations — calendars (Google, Microsoft), CRMs and messaging tools you authorise us to connect to.
- Authorities — where required by law, regulation or valid legal process.
We do not sell personal data and we do not share it for cross‑context behavioural advertising.
8. International transfers
Your data is primarily processed in the UK and EU. Where data is transferred outside the UK/EEA, we rely on adequacy decisions or implement the UK International Data Transfer Addendum and Standard Contractual Clauses, with supplementary measures where required.
9. Retention
- Call audio recordings: retained for 30 days by default (configurable per business customer), then permanently deleted from our storage and from our voice sub-processor (Vapi).
- Call transcripts and AI summaries: retained for 365 days by default (configurable per business customer), then permanently deleted.
- Call metadata (date/time, duration, caller number, outcome, billed minutes): retained for up to 6 years to meet UK accounting and tax obligations.
- Google / Microsoft OAuth refresh tokens: deleted within 24 hours of you disconnecting the calendar or closing your RingBack account.
- Account and billing records: retained for up to 7 years after account closure to meet UK accounting and tax obligations.
- Marketing data: until you unsubscribe or after 24 months of inactivity.
- Magic-link login audit and security logs: 2 years.
A summary of these retention periods, and the secure-deletion procedures we use, is set out in our internal Retention & Erasure Policy (available to customers and to data subjects on request from privacy@ringbackai.co.uk).
10. Your rights
Subject to UK GDPR you have the following rights, free of charge:
- Right to be informed — to know how your personal data is being used (this notice).
- Right of access — to a copy of the personal data we hold about you.
- Right to rectification — to have inaccurate or incomplete data corrected.
- Right to erasure — to have your personal data deleted in certain circumstances ('right to be forgotten').
- Right to restrict processing — to limit how we use your data.
- Right to data portability — to receive your data in a structured, machine‑readable format.
- Right to object — to processing based on legitimate interests, and to direct marketing at any time.
- Rights related to automated decision‑making and profiling — see section 11 below.
- Right to withdraw consent — where consent is the lawful basis we are relying on.
- Right to lodge a complaint with the UK Information Commissioner's Office.
To exercise any of these rights, email privacy@ringbackai.co.uk. We will respond within one calendar month of receiving your request. If your request is complex or you have made several requests, we may extend this by a further two months and will tell you why. We may ask you for proof of identity before responding so we share information only with the person it concerns.
If you are not satisfied with our response, you can complain to the UK Information Commissioner's Office:
- Website: ico.org.uk/make-a-complaint
- Helpline: 0303 123 1113 (Mon–Fri, 9am–5pm)
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
11. Automated decision‑making and profiling
RingBack uses generative AI to answer phone calls, transcribe and summarise them, and to suggest follow‑up actions. This is assisted decision‑making: a human at the customer business reviews the AI's output before any action with legal or similarly significant effect is taken on a caller (e.g. refusing service or escalating an emergency). RingBack does not make solely automated decisions that produce legal effects on you. If we ever introduce such processing we will update this notice and obtain explicit consent where required.
12. Security
We follow industry-standard security practices: encryption in transit (TLS 1.2+) and at rest (AES-256), least-privilege access controls, network isolation, regular penetration testing, and 24/7 monitoring. Despite our best efforts, no system is perfectly secure; we will notify affected users and the ICO of any qualifying personal-data breach without undue delay (within 72 hours of becoming aware). Full security overview: ringbackai.co.uk/security.
13. Children
RingBack is a B2B service and is not directed at children under 16. We do not knowingly collect data from children.
14. Changes to this policy
We may update this policy from time to time. Material changes will be notified by email or in-product notice at least 14 days before they take effect. The latest version is always available on this page.
15. Contact
RINGBACKAI LTD, London, United Kingdom.
Company number: 17195962
Data‐protection contact: privacy@ringbackai.co.uk
Web: ringbackai.co.uk
ICO registration number: ZC140951
We have not appointed a statutory Data Protection Officer because our processing does not meet the UK GDPR Art. 37 thresholds (we act as processor in respect of customer call data; the customer is the controller for those calls). Our named data‐protection contact above is responsible for data‐protection compliance at RINGBACKAI LTD and will respond to all requests.