Privacy Policy

1. Lawful Basis and Transparency

We process personal data based on:

• Contract: To provide the Service and manage your subscription
• Consent: For non-essential cookies or optional communications
• Legitimate Interests: For analytics to improve the Service, balanced against your rights
• Legal Obligation: To comply with laws (e.g., tax reporting, data protection)

We inform you of data collection via this Privacy Policy, accessible on www.greetemma.com and in-app. Processing is fair, not detrimental, unexpected, or misleading.

2. Information We Collect

We minimize data collection for specific purposes. We collect the following information to provide and improve the Service:

a. Account and Subscription Data

• Email address and user ID (via Clerk authentication with Google OAuth)
• Business name and contact information
• Subscription tier and billing information
• Usage metrics and feature interactions

Purpose: Account creation, subscription management, and service delivery.

b. Voice and Call Data

• Call audio recordings and voice input from callers (processed in real-time via third-party AI services)
• Call transcripts and conversation analysis
• Call metadata (duration, timestamp, caller information)
• AI agent responses and conversation outcomes

Purpose: Provide AI voice agent services, appointment booking, and conversation analysis.

Important: Voice recordings are processed through third-party AI providers (Pipecat Cloud, OpenAI, Google) and are not permanently stored on GreetEmma servers unless required for service delivery.

c. Calendar Integration Data

• Google Calendar access tokens and refresh tokens
• Calendar availability and appointment data
• Scheduled appointments and booking confirmations

Purpose: Enable appointment scheduling and calendar integration features.

d. Analytics and Usage Data

• Anonymized usage patterns and feature interactions
• Performance metrics and service quality data
• Device and browser information

Purpose: Improve service quality and user experience.

e. Cookies and Tracking (Website Only)

Data: Essential cookies (e.g., session IDs, authentication tokens) for functionality.

Purpose: Maintain user sessions and ensure Service operation.

Management: You can disable cookies in your browser settings, but this may affect functionality. Non-essential cookies require consent per GDPR.

3. Purpose and Data Minimization

We use your data strictly to:

• Deliver AI voice agent services for front-door automation and appointment booking
• Process incoming calls and provide intelligent responses
• Schedule appointments through Google Calendar integration
• Manage your subscription and billing
• Provide customer support and technical assistance
• Analyze aggregated usage to improve the product
• Fulfill our legal obligations and prevent service abuse

Anonymized data may be retained indefinitely for statistical purposes. We do not use your personal data for advertising or sell it to third parties.

4. Data Accuracy and Security

We implement industry-standard technical and organizational measures to protect data:

• Encryption in transit (TLS) and at rest for sensitive data
• Access controls and role-based permissions
• Regular security assessments and monitoring
• Secure API integrations with third-party services
• Employee training on data protection practices

Voice data is processed through secure third-party AI providers with appropriate data processing agreements. We rely on user-supplied accuracy (editable in account settings). No system is fully secure; you use the Service at your own risk.

5. Storage Limitation and Data Retention

We retain personal data only as long as necessary for service delivery and legal compliance:

• Account Data: Retained while your account is active and for 30 days after deletion
• Voice Recordings: Processed in real-time through third-party AI services; not permanently stored unless required for quality assurance (maximum 90 days)
• Call Transcripts: Retained for 12 months for service improvement and support
• Calendar Data: Access tokens retained while calendar integration is active
• Analytics Data: Anonymized and aggregated data may be retained indefinitely
• Billing Data: Retained for 7 years for tax and legal compliance

You may request account deletion at any time, which will trigger data deletion according to our retention schedule and legal requirements.

6. Privacy by Design and Impact Assessment

We embed privacy by design through:

• Minimal data collection (only necessary for service delivery)
• User-controlled data deletion and privacy settings
• Real-time voice processing without permanent storage
• Secure OAuth integration for calendar access
• Anonymized analytics and usage reporting
• Regular privacy impact assessments for new features
• Data processing agreements with all third-party providers

7. Third-Party Services and Integrations

We rely on external services for processing and functionality. These are bound by contractual obligations and privacy safeguards:

• Google (OAuth & Calendar): Authentication and calendar integration (see policies.google.com/privacy)
• Clerk: User authentication and account management (see clerk.com/privacy)
• Pipecat Cloud: Voice agent hosting and real-time conversation processing (see pipecat.ai/privacy)
• OpenAI: AI conversation capabilities and natural language processing (see openai.com/privacy)
• Google Gemini: AI language model processing and natural language understanding (see policies.google.com/privacy)
• Deepgram: Speech-to-text transcription services (see deepgram.com/privacy)
• Cartesia: Text-to-speech voice synthesis (see cartesia.ai/privacy)
• Twilio: Telephony services and call routing (see twilio.com/legal/privacy)
• Cloudflare: Infrastructure, CDN, and security services (see cloudflare.com/privacy)

Your data is shared with these providers only as needed to operate the Service. GreetEmma is not responsible for third-party privacy practices. We encourage you to review their privacy policies.

We do not permit AI providers to use your voice or conversation data for model training without explicit consent.

8. Data Subject Rights

You have the following rights regarding your personal information:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate or incomplete data
• Erasure: Request deletion of your personal data ("right to be forgotten")
• Restriction: Limit processing of your data in certain circumstances
• Portability: Export your data in a machine-readable format
• Object: Object to processing based on legitimate interests
• Withdraw Consent: Withdraw consent for processing where applicable

For California Residents (CCPA):

• Right to Know: Details about personal information we collect, use, or disclose
• Right to Delete: Request deletion of personal information, subject to exceptions
• Right to Opt-Out: GreetEmma does not sell personal information
• Non-Discrimination: We will not discriminate against you for exercising your rights

Exercise rights via account settings or privacy@greetemma.com. We respond within one month (may extend if complex). Requests may be denied if legally permitted (e.g., unverifiable identity, legal obligations).

9. Data Protection Officer and Compliance

Contact our Data Protection Officer at privacy@greetemma.com for GDPR matters or supervisory authority liaison.

For privacy complaints:

• EU users: Contact your local supervisory authority or the UAE Data Protection Authority
• UK users: Information Commissioner's Office (ico.org.uk)
• California residents: California Attorney General

10. International Data Transfers

As a UAE-based company, your data is primarily processed in the UAE and may be transferred to other countries where our service providers operate (including the US for AI processing). We ensure such transfers comply with GDPR/UK GDPR via Standard Contractual Clauses and appropriate safeguards.

11. Data Breach Reporting

If a breach risks your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay. Service providers must notify us immediately of any breaches.

12. How We Use Your Information

We process your information based on the legal bases outlined in Section 1. Specific uses include:

• Service Delivery: Provide AI voice agent services, handle calls, schedule appointments
• Account Management: Manage subscriptions, billing, and customer support
• Integration Services: Connect with Google Calendar for appointment scheduling
• Improvement: Analyze usage patterns to enhance features and performance
• Communication: Send service notifications, updates, and support messages
• Compliance: Meet legal requirements and prevent service abuse

We use automated processing to analyze voice interactions and generate AI responses. This is done solely for service delivery and business automation purposes. Automated decision-making does not produce legal or similarly significant effects under GDPR Article 22.

13. Sharing Your Information

We do not sell your personal data. We only share information in these limited circumstances:

• Service Providers: Third-party processors listed in Section 7, bound by data processing agreements
• Legal Requirements: When required by law, court order, or to protect legal rights
• Business Transfers: In connection with merger, acquisition, or asset sale (with notice and choices)
• Consent: With your explicit consent for specific purposes
• Safety: To prevent fraud, abuse, or protect user safety

All disclosures comply with GDPR, CCPA, and other applicable regulations with appropriate safeguards in place.

14. Business and End-User Data

When you use GreetEmma for your business, we process two types of data:

• Your Business Data: Account information, settings, and usage data (you are the data subject)
• Caller Data: Information from people who call your AI agent (your customers are the data subjects)

For caller data, you act as the data controller and are responsible for:

• Informing callers about AI voice agent usage and data processing
• Obtaining necessary consents for call recording and processing
• Complying with applicable privacy laws in your jurisdiction
• Handling caller privacy rights requests

GreetEmma acts as a data processor for caller data and will assist you with compliance obligations as outlined in our Data Processing Agreement.

15. Updates to This Policy

We may update this Privacy Policy to reflect Service changes or legal requirements. Updates will be posted on www.greetemma.com at least 7 days before taking effect, with in-app or email notices for material changes where required. Continued use after updates constitutes consent.

16. Contact Information

GreetEmma is the data controller under GDPR. For privacy inquiries, please contact us:

17. Additional Information for California Residents

If you are a California resident, you may request information regarding the disclosure of personal information to third parties for their direct marketing purposes during the immediately preceding calendar year.

We do not sell your data. You have the right to:

• Access the categories and specific data we've collected
• Request deletion of personal information
• Be informed about data usage and sharing
• Appoint an authorized agent to act on your behalf

Exercise CCPA rights via privacy@greetemma.com