Privacy Policy

1. Introduction

Welcome to VAissistant, a product of Ragencia SAS (hereinafter referred to as "Ragencia," "we," "our," or "us"), a company incorporated under French law with its registered office at 18 Rue Masséna, 06000 Nice, France.

We are committed to protecting your privacy and personal data in accordance with Regulation (EU) 2016/679 (the "General Data Protection Regulation" or "GDPR"), the French Data Protection Act (Loi Informatique et Libertés), and all other applicable data protection legislation.

This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your information when you use our AI-powered phone assistant service, website (vaissistant.com), dashboard, APIs, and all related applications (collectively, the "Service"). It applies to all users of our Service, including our business customers ("Customers"), their employees and agents, and the individuals who call phone numbers managed by VAissistant ("Callers").

By accessing or using our Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please do not use our Service.

2. Data Controller

The data controller for the processing activities described in this Privacy Policy is:

Ragencia SAS
18 Rue Masséna
06000 Nice, France
Email: support@vaissistant.com

For any questions, concerns, or requests relating to this Privacy Policy or our data practices, you may contact us at support@vaissistant.com.

3. Information We Collect

3.1 Information You Provide to Us (Customer Data)

When you register for an account or use our Service, we may collect:

• Account Information: Full name, email address, phone number, password (hashed), and preferred language.
• Profile and Business Information: Company name, job title, business address, industry, website URL, and any business-related information you provide to configure your AI assistant.
• Payment and Billing Information: Payment method details, billing address, credit package selections, and transaction history. Payment card data is processed by our payment processor and is not stored on our servers.
• Knowledge Base Data: Information you upload or that is generated from crawling your website to train your AI assistant, including business descriptions, FAQs, product information, and service details.
• Contact Lists: Names, phone numbers, and other contact details you provide for call management and routing purposes.
• Agent Configuration: Custom prompts, voice preferences, call-handling rules, transfer rules, and other configuration settings for your AI assistant.

3.2 Information Generated Through the Service (Call Data)

When calls are handled by your AI assistant, the following data is generated and stored:

• Call Recordings: Audio recordings of telephone conversations between Callers and the AI assistant. By default, Callers are informed at the beginning of the call that the conversation is being recorded. Customers may modify this notification setting in their account configuration; if they do so, they assume full responsibility for compliance with applicable laws regarding call recording and consent.
• Call Transcripts: Automated text transcriptions of conversations.
• Call Metadata: Caller phone number, call duration, date and time, call status (answered, missed, transferred), and AI assistant performance data.
• Call Summaries: AI-generated summaries of conversations, including extracted caller intent, follow-up actions, and any information captured during the call.
• Notes and Internal Actions: Notes taken by the AI during calls, email summaries sent to Customers, and records of call transfers.

3.3 Automatically Collected Information (Technical Data)

When you access our website or dashboard, we automatically collect:

• Device Information: IP address, browser type and version, operating system, device type, and unique device identifiers.
• Log Data: Pages visited, features used, access times, referring URLs, and clickstream data.
• Location Data: Approximate geographic location derived from your IP address.
• Cookies and Similar Technologies: Please refer to our Cookie Policy for full details.

3.4 Information Obtained from Google API Services

If you choose to connect your Google account to VAissistant, we access and process the following data via the Google Calendar API:

• Calendar Events: Event titles, descriptions, start and end times, locations, time zones, recurrence rules, and event status (confirmed, tentative, cancelled).
• Attendee Information: Names and email addresses of event attendees, as displayed on your Google Calendar events.
• Calendar Metadata: Calendar names, calendar identifiers, and your free/busy status.

This data is accessed only when you explicitly authorise VAissistant to connect to your Google Calendar through the OAuth consent flow. You may revoke this access at any time (see Section 7 below).

3.5 Information Relating to Callers

When an individual calls a phone number managed by VAissistant, we process:

• The caller's phone number (as provided by the telecommunications network).
• The content of the conversation (audio recording and transcript).
• Any personal information the Caller voluntarily discloses during the call (e.g., name, email, reason for calling).
• Call metadata (duration, time, date).

Our Customer is the data controller for Caller data processed through their VAissistant account. Ragencia acts as a data processor on behalf of the Customer with respect to this data. Callers with questions about how their data is handled should contact the business they called directly.

4. How We Use Your Information

We use the information we collect for the following purposes:

4.1 Service Delivery and Operations

• Providing, operating, maintaining, and improving the Service.
• Processing and handling telephone calls through our AI assistant.
• Generating call transcripts, summaries, and analytics.
• Building and maintaining knowledge bases for AI assistants.
• Processing payments and managing billing.
• Providing customer support and responding to inquiries.

4.2 Use of Google Calendar Data

If you have connected your Google Calendar, we use your Google Calendar data exclusively for the following purposes:

• Availability Checking: Allowing the AI phone assistant to check your real-time availability when callers request appointments or meetings.
• Appointment Creation: Creating new calendar events on your behalf when a caller books an appointment through the AI assistant.
• Appointment Management: Rescheduling or cancelling existing calendar events upon request from authorised callers or at your instruction.
• Conflict Prevention: Ensuring that new bookings do not overlap with existing commitments on your calendar.

Important: Your Google Calendar data is never used for advertising, market research, building user profiles for unrelated purposes, training AI models, or any purpose other than providing or improving the user-facing features of VAissistant described above.

4.3 Service Improvement and AI Training

• Improving the quality, accuracy, and reliability of our AI voice assistant technology.
• Analyzing usage patterns to enhance features and user experience.
• Monitoring system performance, detecting errors, and troubleshooting technical issues.

Important: We do not use your individual call recordings or transcripts to train general-purpose AI models that serve other customers. Any use of data for AI improvement is limited to aggregated, anonymized, and de-identified data, unless you have provided explicit consent for broader use.

4.4 Communication

• Sending service-related notifications, security alerts, and system updates.
• Providing call summaries and reports by email.
• Sending promotional and marketing communications (only with your consent, and you may opt out at any time).

4.5 Security and Legal Compliance

• Detecting, preventing, and responding to fraud, abuse, security incidents, and illegal activities.
• Complying with applicable laws, regulations, legal processes, and governmental requests.
• Enforcing our Terms of Service and other agreements.

5. Legal Basis for Processing (Article 6 GDPR)

We process your personal data on the following legal grounds:

• Performance of a Contract (Art. 6(1)(b)): Processing necessary to perform the contract we have with you, including providing the Service, processing payments, and managing your account.
• Legitimate Interests (Art. 6(1)(f)): Processing necessary for our legitimate business interests, such as improving the Service, ensuring security, preventing fraud, and conducting analytics -- provided these interests are not overridden by your rights and freedoms.
• Legal Obligation (Art. 6(1)(c)): Processing necessary to comply with legal obligations to which we are subject, including tax, accounting, and anti-money laundering requirements.
• Consent (Art. 6(1)(a)): Where you have given explicit consent for specific processing activities, such as receiving marketing communications or the use of non-essential cookies. You may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

For call recordings: The processing of call recordings is primarily based on the legitimate interest of our Customers in providing quality customer service, capturing leads, and maintaining records of business interactions. Our Customers are responsible for ensuring they have a valid legal basis (e.g., consent, legitimate interest) for recording calls with their Callers in their jurisdiction.

6. Data Sharing and Sub-Processors

We share your personal data only when necessary and with appropriate safeguards. We may disclose your information to the following categories of recipients:

6.1 Sub-Processors and Service Providers

We engage trusted third-party service providers who process personal data on our behalf to operate and deliver the Service. Our current sub-processors include:

Each sub-processor is contractually obligated to process personal data only on our instructions, to maintain appropriate security measures, and to comply with applicable data protection laws. We conduct due diligence on all sub-processors before engagement.

6.2 Other Disclosures

We may also share your information:

• Legal Requirements: When required to do so by law, regulation, court order, or governmental authority.
• Protection of Rights: When we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, to investigate fraud, or to respond to a government request.
• Business Transfers: In connection with a merger, acquisition, reorganisation, sale of assets, or bankruptcy, in which case your data may be transferred to the acquiring entity.
• With Your Consent: To any other third party with your prior consent.

We do not sell your personal data to third parties.

6.3 Restrictions on Google User Data

Google Calendar data obtained through the Google Calendar API is subject to additional restrictions. We do not transfer, share, or disclose Google user data to third parties except:

• As necessary to provide or improve the user-facing features of VAissistant that are visible and prominent in the application's user interface.
• To comply with applicable laws, regulations, or valid legal process.
• As part of a merger, acquisition, or sale of assets, with notice to affected users.
• With your explicit, affirmative consent.

Google user data is never transferred or disclosed for:

• Targeted or personalized advertising, retargeting, or interest-based advertisements.
• Selling to or sharing with data brokers, information resellers, or any equivalent parties.
• Determining creditworthiness or for lending purposes.
• Training generalized or general-purpose AI or machine learning models.
• Any purpose unrelated to providing or improving the user-facing features of VAissistant.

7. Google API Services -- Limited Use Disclosure

VAissistant's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, VAissistant:

1. Only uses Google user data to provide or improve user-facing features that are prominent in VAissistant's user interface. The sole purpose is enabling the AI phone assistant to check calendar availability, create appointments, reschedule events, and cancel bookings on behalf of the user.
2. Does not transfer Google user data to third parties unless: (a) it is necessary to provide or improve user-facing features and only with the user's knowledge; (b) it is necessary to comply with applicable law or regulation; (c) it is necessary for security purposes such as investigating abuse; or (d) the user provides explicit, affirmative consent.
3. Does not use Google user data for serving advertisements, including retargeting, personalized advertising, or interest-based advertising.
4. Does not allow humans to read Google user data unless: (a) the data has been aggregated and anonymized and is used for internal operations; (b) it is necessary for security purposes (such as investigating abuse); (c) it is necessary to comply with applicable law; or (d) the user has provided explicit, affirmative consent for a specific message or piece of content.

7.1 Revoking Google Calendar Access

You may revoke VAissistant's access to your Google Calendar data at any time by:

• From your VAissistant dashboard: Navigate to Settings > Integrations > Google Calendar and click "Disconnect."
• From your Google Account: Visit myaccount.google.com/permissions, find VAissistant, and click "Remove Access."

Upon revocation, VAissistant will immediately cease accessing your Google Calendar data. Any cached session data will be cleared, and records of appointments created or modified by VAissistant will be retained as part of your call history unless you request their deletion by contacting support@vaissistant.com.

7.2 Requesting Deletion of Google User Data

You may request deletion of all Google Calendar-related data that VAissistant has stored by sending a request to support@vaissistant.com. We will process your request within 30 days and confirm deletion in writing. This includes appointment records stored in call summaries and any metadata referencing your Google Calendar events.

8. International Data Transfers

As several of our sub-processors are located in the United States and other countries outside the European Economic Area (EEA), your personal data may be transferred to and processed in countries that may not provide the same level of data protection as your country of residence.

When we transfer personal data outside the EEA, we ensure adequate protection through:

• Standard Contractual Clauses (SCCs): We enter into the European Commission-approved Standard Contractual Clauses with our sub-processors to ensure an adequate level of data protection.
• EU-U.S. Data Privacy Framework: Where applicable, we rely on our sub-processors' certifications under the EU-U.S. Data Privacy Framework.
• Adequacy Decisions: Where transfers are made to countries that have received an adequacy decision from the European Commission.

You may request a copy of the applicable transfer safeguards by contacting us at support@vaissistant.com.

9. Data Retention

We retain your personal data for as long as necessary to fulfil the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Specific retention periods are as follows:

• Account Data: Retained for the duration of your account and for up to 3 years after account closure for legal and regulatory purposes.
• Call Recordings and Transcripts: Retained for the duration of the Customer's account. Customers may delete individual recordings and transcripts at any time through the dashboard. Upon account termination, call data is deleted within 90 days unless legal retention obligations apply.
• Payment Data: Transaction records are retained for 10 years in compliance with French commercial and tax law.
• Technical Logs: Server logs and security-related data are retained for up to 12 months.
• Marketing Consent Records: Retained for 3 years from the last interaction.
• Google Calendar Data: Calendar event data retrieved from the Google Calendar API is cached temporarily in memory solely for the duration of a phone call session to perform availability checks and appointment operations. This cached data is not persisted to our databases after the call session ends. Records of appointments created or modified by VAissistant (e.g., event ID, date, and time) are retained as part of the call summary for the duration of the Customer's account and are deleted within 90 days of account termination. You may request deletion of this data at any time (see Section 7.2 and Section 11).

When personal data is no longer necessary for its original purpose, we securely delete or anonymise it.

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

• Encryption of data in transit (TLS/SSL) and at rest.
• Secure authentication mechanisms including password hashing.
• Regular security assessments and vulnerability testing.
• Access controls based on the principle of least privilege.
• Employee training on data protection and security best practices.
• Incident response procedures for data breaches.

While we strive to protect your personal data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to maintaining the highest practicable standards.

11. Your Rights Under GDPR

If you are located in the European Economic Area, you have the following rights regarding your personal data under the GDPR:

• Right of Access (Art. 15): You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access that data and receive a copy.
• Right to Rectification (Art. 16): You have the right to request correction of inaccurate personal data and completion of incomplete data.
• Right to Erasure (Art. 17): You have the right to request deletion of your personal data where there is no compelling reason for its continued processing.
• Right to Restriction of Processing (Art. 18): You have the right to request restriction of processing in certain circumstances (e.g., while we verify the accuracy of your data).
• Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
• Right to Object (Art. 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes.
• Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
• Right Not to Be Subject to Automated Decision-Making (Art. 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you.

How to exercise your rights: Send your request to support@vaissistant.com. We will respond within 30 days (extendable by a further 60 days for complex requests). We may ask you to verify your identity before processing your request. These rights are provided free of charge, unless requests are manifestly unfounded or excessive.

Callers: If you are a Caller who was connected with a VAissistant AI assistant and wish to exercise your data protection rights, please contact the business you called directly. As our Customer is the data controller for Caller data, they are responsible for handling your request. You may also contact us at support@vaissistant.com and we will direct you to the appropriate Customer.

12. Data Processing Agreement

Where Ragencia processes personal data on behalf of a Customer (e.g., Caller data, call recordings), Ragencia acts as a data processor under Article 28 of the GDPR. The terms governing this processing relationship are set out in our Data Processing Agreement (DPA), which is available upon request by contacting support@vaissistant.com.

Our DPA covers:

• The subject matter, duration, nature, and purpose of processing.
• The types of personal data processed and categories of data subjects.
• The obligations and rights of the Customer as data controller.
• Security measures and sub-processor management.
• Data breach notification procedures.
• Assistance with data subject rights requests and data protection impact assessments.

13. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect information about your browsing activities on our website. For detailed information about the cookies we use, their purposes, and how you can manage your cookie preferences, please refer to our Cookie Policy.

14. Children's Privacy

Our Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without verification of parental consent, we will take steps to delete that information. If you believe that we may have collected data from a child under 16, please contact us at support@vaissistant.com.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last updated" date at the top of this page.
• Notify you by email or through a prominent notice on our website.
• Where required by law, obtain your consent to the changes.

We encourage you to review this Privacy Policy periodically to stay informed.

16. Supervisory Authority

If you are located in the European Economic Area and believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority. In France, the competent supervisory authority is:

Commission Nationale de l'Informatique et des Libertés (CNIL)
3 Place de Fontenoy
TSA 80715
75334 Paris Cedex 07, France
Website: www.cnil.fr

You may also lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

17. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Ragencia SAS (operating VAissistant)
18 Rue Masséna
06000 Nice, France
Email: support@vaissistant.com