Privacy Policy
RingBack AI Ltd ("RingBack", "we", "us") provides an AI-powered call answering service. This policy explains what personal data we collect when you use our website (ringbackai.co.uk) and our service, how we use it, and the rights you have under the UK GDPR and the Data Protection Act 2018.
1. Who we are
RingBack AI Ltd is a company being established in England and Wales. For the purposes of UK and EU data protection law, RingBack is the data controller for personal data of website visitors and account holders, and a data processor when we handle call data on behalf of our business customers.
You can contact our data protection team at privacy@ringbackai.co.uk.
2. Information we collect
- Account data — name, business name, email, phone number and billing details.
- Call data — audio recordings, transcripts, caller phone numbers, timestamps and AI-generated summaries of calls handled by our service.
- Configuration data — the documents, FAQs and instructions you upload to train your AI agent.
- Google account data — when you connect a Google account, we receive the data described in section 6 below.
- Microsoft account data — equivalent data when you connect a Microsoft 365 / Outlook account.
- Usage data — log data, IP address, device and browser information, pages visited, and product analytics.
- Cookies — strictly-necessary cookies for authentication and a limited set of analytics cookies (only with your consent).
3. How we use your information
We process personal data to:
- Provide the RingBack service — answering, transcribing and summarising calls, and routing emergencies.
- Authenticate users, prevent fraud, and keep the service secure.
- Improve product quality, including evaluating AI agent accuracy on aggregated, de-identified data.
- Send service-related communications and, with your consent, marketing emails (you can opt out at any time).
- Comply with our legal obligations, including responding to lawful requests from public authorities.
We do not sell personal data, we do not use it for advertising, and we do not use it to train generalised AI models.
4. Lawful bases
We rely on the following lawful bases under UK GDPR Article 6:
- Contract — to deliver the service you've signed up for.
- Legitimate interests — to secure, monitor and improve the service in a way you would reasonably expect.
- Consent — for optional analytics cookies and marketing.
- Legal obligation — where we are required to retain or disclose data by law.
5. Call recordings and AI processing
When RingBack handles an inbound call on behalf of a business customer, the AI agent informs the caller that the call is being answered by an automated assistant and may be recorded. Recordings and transcripts are stored encrypted at rest, processed by our large-language-model providers under written data-processing agreements, and are never used to train public foundation models.
6. Google API services and Limited Use
RingBack uses Google APIs to deliver calendar booking features. The following statement applies to all data we receive from Google APIs:
RingBack's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, we affirm that we:
- do not use Google user data to develop, improve or train generalised AI/ML models;
- do not transfer Google user data to third parties except as needed to provide or improve user-facing features, comply with applicable law, or as part of a merger, acquisition or sale of assets with user notification;
- do not use or transfer Google user data for serving advertisements, including retargeted, personalised or interest-based advertising;
- do not allow humans to read Google user data, unless we have your explicit consent for specific messages, doing so is necessary for security purposes (e.g. investigating abuse), to comply with applicable law, or for internal operations on data that has been aggregated and anonymised.
The exact Google API scopes we request, and what we do with each, are documented at ringbackai.co.uk/scopes. In summary, we request: openid, userinfo.email, userinfo.profile and https://www.googleapis.com/auth/calendar.events.
You can revoke RingBack's access to your Google account at any time via your RingBack settings or directly at myaccount.google.com/permissions.
7. Sharing your data
We share data only with:
- Sub-processors — telephony providers, cloud hosting (Microsoft Azure, Google Cloud, UK and EU regions), speech-to-text and LLM vendors, our CRM and analytics tools. A current list is available on request from privacy@ringbackai.co.uk.
- Your integrations — calendars, CRMs and messaging tools you authorise us to connect to.
- Authorities — where required by law, regulation or valid legal process.
We do not sell personal data and we do not share it for cross-context behavioural advertising.
8. International transfers
Your data is primarily processed in the UK and EU. Where data is transferred outside the UK/EEA, we rely on adequacy decisions or implement the UK International Data Transfer Addendum and Standard Contractual Clauses, with supplementary measures where required.
9. Retention
- Call recordings and transcripts: retained for the period configured by the business customer (default 90 days), then permanently deleted.
- Google OAuth refresh tokens: deleted within 24 hours of you disconnecting Google or closing your RingBack account.
- Account and billing records: retained for up to 7 years to meet UK accounting and tax obligations.
- Marketing data: until you unsubscribe or after 24 months of inactivity.
10. Your rights
Subject to UK GDPR, you have the right to:
- access the personal data we hold about you,
- have it corrected or erased,
- restrict or object to processing,
- request portability of data you provided to us, and
- withdraw any consent you have given.
To exercise any of these rights, email privacy@ringbackai.co.uk. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk).
11. Security
We follow industry-standard security practices: encryption in transit (TLS 1.2+) and at rest (AES-256), least-privilege access controls, network isolation, regular penetration testing, and 24/7 monitoring. Despite our best efforts, no system is perfectly secure; we will notify affected users and the ICO of any qualifying personal-data breach without undue delay (within 72 hours). Full security overview: ringbackai.co.uk/security.
12. Children
RingBack is a B2B service and is not directed at children under 16. We do not knowingly collect data from children.
13. Changes to this policy
We may update this policy from time to time. Material changes will be notified by email or in-product notice at least 14 days before they take effect. The latest version is always available on this page.
14. Contact
RingBack AI Ltd, London, United Kingdom.
Email: privacy@ringbackai.co.uk
Web: ringbackai.co.uk
This document is provided for general information and does not constitute legal advice. You should review it with qualified counsel before relying on it for your business.