Privacy Policy

This Privacy Policy ("Policy") describes how Sodaka Digital SEO Agency Limited (Company Number 10561689), trading as NeverMissACallPro and NeverMissACall Pro("we," "us," or "our"), collects, uses, stores, shares, and protects personal information when you use our AI-powered virtual receptionist platform and related services (collectively, the "Service").

We are registered with the UK Information Commissioner's Office (ICO) under registration number ZC163976. Our registered office is Unit 9a Dalton House, 60 Windsor Avenue, London, England, SW19 2RR, United Kingdom.

Effective date: 5 June 2026

Privacy inquiries: hello@nevermissacallpro.com (or contact us at hello@nevermissacallpro.com).

By accessing or using the Service, you acknowledge that you have read and understood this Policy. If you do not agree, you must not use the Service.

This Policy applies to two categories of individuals:

Platform Users

Business owners, authorised representatives, and account holders who register for and administer accounts on NeverMissACall Pro. Platform Users configure AI receptionists, manage billing, and access call logs, transcripts, recordings, and lead data through the dashboard.

End-Users (Callers)

Third parties who place telephone calls to phone numbers provisioned through the Service and interact with an AI virtual receptionist on behalf of a Platform User. End-Users do not create accounts on our platform but their personal data is processed when they call a business using our Service.

Important data controller / processor distinction: For End-User (caller) data collected during inbound calls, the relevant Platform User (the business whose number was dialled) acts as the data controller. Sodaka Digital SEO Agency Limited acts as a data processor on behalf of that Platform User, processing caller data solely to deliver the Service as instructed by the Platform User. Platform Users are responsible for providing appropriate privacy notices to their callers and for responding to data subject requests relating to caller interactions, except where we are legally required to respond directly.

This Policy covers our website at nevermissacallpro.com, our web application, APIs, worker services, and all related infrastructure used to operate the Service.

3.1 Information Collected from Platform Users

When you register for and use an account, we may collect:

• Account and identity data: full name, email address, password (stored only as a salted cryptographic hash — we never store plaintext passwords), email-verification status, and optional profile information.
• Authentication data: JWT access tokens, refresh tokens (stored as hashes), session cookies, one-time passcodes for email verification and password reset, and optional Google OAuth identifiers if you choose to sign in with Google.
• Billing and subscription data: subscription plan tier (Free, Starter, Growth, Pro, or Enterprise), Stripe customer ID, Stripe subscription ID, payment status, billing period dates, included and used minute allowances, top-up minute credits, invoice history, and failed-payment counters. Payment card details are collected and processed directly by Stripe, Inc. — we do not store full card numbers, CVV codes, or magnetic-stripe data on our servers.
• Business and AI agent configuration data: business name, industry, services offered, working hours, timezone, voice preferences, custom AI system prompts, capture-field rules (e.g., name, email, reason for calling), Twilio phone numbers assigned to your businesses, call-forwarding settings, escalation rules, and knowledge-base content you provide.
• Usage and operational data: call minute consumption, number-slot provisioning events, dashboard activity, API interactions, and aggregated usage metrics.
• Technical and session data: IP address, browser type and version, device identifiers, operating system, referring URLs, session logs, user-agent strings associated with refresh tokens, and error/diagnostic logs.
• Communications: messages you send to our support team and transactional emails we send to you (via Resend).

3.2 Information Collected from End-Users (Callers)

When a caller dials a phone number associated with a Platform User's AI receptionist, we collect the following data on behalf of and for access by that Platform User:

• Call metadata: caller phone number (From), dialed business number (To), Twilio Call SID, call direction, call start and end timestamps, call duration in seconds, call status, and whether the call was answered by the AI receptionist or escalated to a human.
• Real-time voice audio:the caller's voice is streamed in real time from Twilio through our worker infrastructure to OpenAI's Realtime API for AI-powered conversation. Raw live audio streams are not permanently stored on our servers; however, see Section 8 regarding call recordings.
• Call transcripts: a full text log of the AI conversation, generated from speech-to-text processing during and after the call, including both caller utterances and AI responses.
• Structured lead data extracted by AI: using OpenAI (gpt-4o-mini), we analyse call transcripts to extract structured fields such as lead name, lead email, phone number, reason for calling, requested service, urgency level, call outcome status, lead temperature (Hot/Warm/Cold), and any custom capture fields configured by the Platform User.
• GDPR consent records: whether the caller provided, declined, or did not complete recording/consent prompts, the number of consent attempts, and timestamps associated with consent decisions.
• Call recordings: where the caller provides explicit consent and recording is enabled, audio recordings of the call may be archived to AWS S3 storage and made available to the Platform User through the dashboard.

All End-User data described above is accessible to the Platform User whose business received the call, through their CRM dashboard (leads, calls, transcripts, and recordings).

We use personal information for the following purposes:

• Provide and operate the Service: provision AI virtual receptionist capabilities, answer inbound calls, route and escalate calls, capture lead information, display call history and analytics, and manage business configurations.
• Verify account status and billing before connecting calls: before answering an inbound call, our systems verify that the Platform User has an active account, valid subscription (where required), and sufficient available minutes. Calls may be rejected or terminated if verification fails.
• Generate AI responses:stream caller audio to OpenAI's Realtime API (gpt-realtime) to generate natural-language voice responses configured by the Platform User.
• Extract structured lead data: process call transcripts via OpenAI (gpt-4o-mini) to normalise conversation content into structured CRM records.
• Store call records:persist call metadata, transcripts, lead data, and (where consented) recordings in the Platform User's dashboard and our PostgreSQL database.
• Billing management and fraud prevention: process subscriptions and one-time top-up purchases through Stripe, track minute usage, enforce plan limits, send billing lifecycle emails, and detect suspicious account activity.
• Authentication and account security: verify identities, manage sessions, send verification and password-reset communications, and protect against unauthorised access.
• Service improvement and debugging: analyse aggregated and anonymised usage patterns, monitor system performance, diagnose errors, and improve platform reliability. We do not use caller voice data to train our own AI models.
• Legal compliance:comply with applicable laws, respond to lawful requests, enforce our Terms & Conditions, and protect our rights and the rights of others.

Where the UK GDPR and EU GDPR apply, we process personal data on the following legal bases:

• Contractual necessity (Article 6(1)(b)): processing necessary to perform our contract with Platform Users, including account creation, service delivery, billing, and customer support.
• Legitimate interests (Article 6(1)(f)): fraud prevention, network and information security, service improvement using aggregated/anonymised data, and enforcing our terms. We balance these interests against your rights and freedoms.
• Consent (Article 6(1)(a)): where required, including End-User call recording and transcription after explicit consent is obtained during the call flow. Consent may be withdrawn by the caller during the call; Platform Users must ensure their own lawful basis for any additional processing.
• Legal obligation (Article 6(1)(c)): compliance with tax, accounting, and regulatory requirements, including retention of billing records.

Controller / processor roles: For Platform User account data, Sodaka Digital SEO Agency Limited is the data controller. For End-User (caller) data processed during inbound calls, the Platform User is the data controller and Sodaka Digital SEO Agency Limited is the data processor. A Data Processing Agreement (DPA) is available on request for Platform Users who require one under Article 28 GDPR.

We use trusted third-party service providers to operate the Service. The following sub-processors may receive personal data:

We maintain appropriate contractual safeguards with each sub-processor, including data processing terms where required. A current list of sub-processors is available on request.

• Call transcripts and lead data:retained for as long as the Platform User's account remains active, or for the retention period configured by the Platform User (default: 90 days per business settings), whichever applies first. Upon account termination, this data is deleted within 30 days, unless a longer retention period is required by law or a valid data export request is pending.
• Call recordings:retained in AWS S3 for the same period as associated call records, subject to the Platform User's retention settings. Recordings are only created where the caller has provided explicit consent during the call.
• Real-time voice audio streams: not permanently stored on our servers. Audio is streamed in real time to OpenAI for the duration of the call and is not retained by us after the call ends, except where a consented call recording is archived as described above.
• Billing and financial records: retained for up to 7 years after the relevant transaction, in accordance with UK tax and accounting legal requirements.
• Platform User account data: deleted upon verified erasure request or account closure, subject to retention of billing records and any data we are legally required to keep.
• Authentication tokens and session logs: refresh tokens expire per configured lifetime (default: 7 days); revoked tokens are retained only as long as needed for security auditing.
• Anonymised and aggregated data: may be retained indefinitely for analytics and service improvement, as it no longer identifies individuals.

CRITICAL: The Service records, transcribes, and analyses inbound telephone calls. Call recording is initiated only after a caller provides explicit consent during the automated GDPR consent prompt at the start of a call. However, transcripts are generated from all calls handled by the AI receptionist regardless of recording status.

Platform Users (business owners) are SOLELY responsible for ensuring they comply with all applicable call recording, wiretapping, and electronic communications consent laws in their jurisdiction and in the jurisdictions of their callers, including but not limited to:

• UK GDPR and Data Protection Act 2018: lawful basis and transparency requirements for processing caller personal data.
• California two-party consent law (Cal. Penal Code § 632): all-party consent requirements for recording confidential communications.
• Federal Electronic Communications Privacy Act (ECPA), 18 U.S.C. § 2511: federal wiretap and recording prohibitions in the United States.
• GDPR Article 6 and Article 7 (EU/EEA): consent requirements where calls involve individuals in the European Economic Area.
• Telecommunications and privacy laws of England and Wales, Scotland, Northern Ireland, and any other applicable state, federal, or international laws.

The platform provides a default greeting and GDPR consent prompt informing callers that they are interacting with an AI assistant and asking for consent to record the call. This default prompt is provided as a courtesy only and does NOT constitute legal compliance with recording consent laws in your jurisdiction. Platform Users must review, configure, and supplement disclosures to meet their own legal obligations, including providing appropriate privacy notices to callers outside the call flow.

If a caller declines recording consent, the Service will continue the call without creating an audio recording, but conversation transcripts may still be generated for lead capture purposes. Platform Users must ensure this processing has a valid lawful basis.

Callers who use the Service interact with an artificial intelligence system, not a human operator. The AI virtual receptionist is powered by OpenAI's models, including the Realtime API for voice conversation and gpt-4o-mini for transcript analysis.

• Voice and conversation data is processed by OpenAI's systems during live calls.
• The AI may not perfectly understand, transcribe, or respond to all queries, accents, or background conditions.
• Extracted lead information (names, emails, phone numbers) may contain errors due to speech recognition or AI interpretation limitations.
• The AI is configured by Platform Users and responds based on their prompts and business rules — we do not guarantee the accuracy or appropriateness of AI-generated responses.
• Sensitive data categories (health information, financial account details, legal advice, government identifiers, payment card numbers, or other special-category data under Article 9 GDPR) should not be solicited or collected via this platform unless the Platform User has implemented appropriate lawful bases, safeguards, and disclosures. We do not design the Service for processing special-category data.

10.1 Rights for UK and EU/EEA Individuals (GDPR)

If you are located in the UK or European Economic Area, you have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectification — request correction of inaccurate or incomplete data.
• Erasure("right to be forgotten") — request deletion of your data, subject to legal retention obligations.
• Restriction of processing — request that we limit how we use your data.
• Data portability — receive your data in a structured, machine-readable format where technically feasible.
• Object to processing — object to processing based on legitimate interests.
• Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
• Lodge a complaintwith a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk.

We will respond to verified requests within 30 days, extendable by a further 60 days for complex requests with notice.

10.2 Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

• Know what personal information we collect, use, disclose, and sell.
• Delete personal information we hold about you, subject to exceptions.
• Opt out of sale or sharing — we do not sell personal information to third parties for monetary consideration.
• Non-discrimination — we will not discriminate against you for exercising your privacy rights.
• Correct inaccurate personal information.
• Limit use of sensitive personal information — where applicable.

10.3 End-Users (Callers)

If you are a caller (End-User) whose data was collected during a call to a business using our Service, you should submit privacy requests to the business owner (Platform User) whose number you called, as they are the data controller for that interaction. We will assist Platform Users in responding to such requests as their data processor. You may also contact us at the address in Section 15 and we will forward your request to the relevant Platform User where possible.

10.4 How to Exercise Your Rights

Platform Users may submit requests via the account settings dashboard or by emailing hello@nevermissacallpro.com. We may require identity verification before fulfilling requests.

We implement appropriate technical and organisational measures to protect personal data, including:

• Encryption of data in transit using TLS/HTTPS across all service endpoints.
• Passwords hashed using bcrypt with industry-standard salt rounds — plaintext passwords are never stored.
• API keys, secrets, and credentials stored in environment variables and secure configuration — never committed to source code repositories.
• Access controls and role-based permissions on production databases and infrastructure.
• Authenticated worker-to-backend communication using shared bearer secrets.
• Twilio webhook signature validation to prevent spoofed requests.
• Stripe webhook signature verification for payment events.
• JWT-based authentication with short-lived access tokens and revocable refresh tokens.

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. In the event of a personal data breach affecting your rights, we will notify you and relevant supervisory authorities as required by applicable law.

We are not liable for security incidents, data breaches, or unauthorised access caused by the independent security failures of third-party sub-processors, provided we have selected processors with appropriate safeguards and notified you as required by law.

Personal data may be transferred to and processed in the United States and other countries where our sub-processors operate, which may have different data protection laws than your country of residence.

For transfers of UK and EU personal data to countries without an adequacy decision, we rely on appropriate safeguards including:

• UK International Data Transfer Agreement (IDTA) or UK Addendum to EU Standard Contractual Clauses, as applicable.
• EU Standard Contractual Clauses (SCCs) approved under Commission Implementing Decision (EU) 2021/914.
• Sub-processor contractual commitments and, where available, certification under approved frameworks.

You may request a copy of the relevant transfer safeguards by contacting us at the address in Section 15.

The Service is not directed at, marketed to, or intended for use by individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected data from a minor, please contact us immediately and we will take steps to delete such information promptly.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. When we make material changes, we will provide at least 14 days' advance notice by email to Platform Users and/or via a prominent banner in the dashboard before the changes take effect.

The "Last updated" date at the top of this page indicates when this Policy was most recently revised. Your continued use of the Service after the effective date of revised Policy constitutes acceptance of the changes. If you do not agree to the revised Policy, you must stop using the Service and may close your account.

For privacy-related inquiries, data subject requests, or Data Processing Agreement requests:

• Privacy inquiries: hello@nevermissacallpro.com
• General contact: hello@nevermissacallpro.com
• Website: nevermissacallpro.com
• Postal address:
  Sodaka Digital SEO Agency Limited
  Unit 9a Dalton House
  60 Windsor Avenue
  London, SW19 2RR
  United Kingdom
• ICO registration: ZC163976
• DPA / Data Protection enquiries: hello@nevermissacallpro.com