Privacy Policy for the Voico Website (Public Internet Presence)



1. Controller and Data Protection Officer


Controller (Art. 4 No. 7 GDPR):

Voico GmbH i.G.

Weikenrott 19

46499 Hamminkeln, Germany

Represented by the Managing Director Dean Koenning. For questions regarding data protection, please contact us at datenschutz@voico.ai


Data Protection Officer:

We have appointed an external data protection officer. You can reach them at:

Aleksa Spalevic – Voico GmbH i.G.

Email: datenschutz@voico.ai


2. General Information on Data Processing


We take the protection of your personal data very seriously. Personal data is processed by us only to the extent necessary and in accordance with legal provisions (GDPR, BDSG, TMG/TTDSG). This privacy policy explains the type, scope, and purpose of processing personal data on our public website.


Legal Basis: Unless otherwise stated below, processing is based on Art. 6(1) GDPR – in particular on our legitimate interest (lit. f) in the operation and security of the website, on the fulfillment of a contract or pre-contractual measures (lit. b), or on your consent (lit. a) – taking into account the TTDSG for device access (see Section 4). If processing is based on your consent, you can revoke it at any time with future effect.


Recipients and Transfer to Third Countries: We use service providers as processors for the operation of the website and the offered functions (e.g., hosting providers, newsletter services). These process personal data only as instructed by us and are contractually bound to comply with data protection requirements (Art. 28 GDPR). If these service providers process data outside the EU/EEA (especially in the USA), we ensure an adequate level of data protection through appropriate safeguards (e.g., EU standard contractual clauses).


Storage Duration: Personal data is deleted as soon as the purpose of processing ceases to exist and there are no legal retention obligations. Specific deletion deadlines can be found in the individual processing activities listed below.


Your Rights: As a data subject under GDPR, you have the following rights in particular: information about your personal data processed by us (Art. 15 GDPR), correction of inaccurate data (Art. 16 GDPR), deletion (Art. 17 GDPR) or restriction of processing (Art. 18 GDPR), and data portability (Art. 20 GDPR). Additionally, you have the right to object to processing based on legitimate interests for reasons arising from your particular situation (Art. 21 GDPR). If processing is based on your consent, you can revoke this at any time (Art. 7(3) GDPR). Finally, you have the right to lodge a complaint with a supervisory authority (especially the Berlin Commissioner for Data Protection) (Art. 77 GDPR).


3. Provision of the Website and Server Log Files


Description: Each time our website is accessed, our web server automatically processes the following data transmitted by your browser: IP address of the requesting device, date and time of access, time zone, specific page/file, HTTP status code, transferred data volume, referrer URL (the previously visited page), and information about the browser and operating system used. This data is stored in so-called server log files.


Purpose: Temporary storage of the IP address and log files is necessary to enable the delivery of the website to your device and to ensure the functionality and security of the website. Additionally, the data is used for technical analysis in the event of attempted attacks and to ensure network and information security (e.g., investigation of misuse).


Legal Basis: Art. 6(1) lit. f GDPR (Voico's legitimate interest in the secure and trouble-free operation of the website).


Storage Duration: IP addresses in log files are anonymized or deleted as soon as they are no longer required to achieve the purpose. Storage in a personally identifiable form takes place for a maximum of 7 days.


Transfer: The log files are processed by our hosting service provider. Our hosting takes place in a German data center (currently Hetzner Online GmbH, Gunzenhausen). A contract for data processing is in place with the service provider. No transmission to a third country takes place.


4. Use of Cookies and Tracking Technologies


Description: Our website uses cookies and similar technologies (e.g. pixels, local storage). Cookies are small text files stored on your device. Some cookies are technically necessary for the operation of the website (e.g. session cookies for login or shopping cart); other cookies are used for statistical purposes (visitor analysis) or marketing purposes.

Upon your first visit to the website, we ask for your consent for non-essential cookies/tracking in a cookie banner. You can adjust your preferences there. We use technically necessary cookies without your consent, as they are indispensable for website functionality (Art. 6(1) lit. b or f GDPR). Non-essential cookies (Analytics, Marketing) are used only with your prior consent (Art. 6(1) lit. a GDPR in conjunction with § 25(1) TTDSG). Your consent is voluntary and can be revoked at any time through our cookie settings or by deleting the cookies.

Legal Basis: Technically necessary cookies: Art. 6(1) lit. f GDPR (legitimate interest in a functioning website, e.g. load distribution, login function). Non-essential cookies: Art. 6(1) lit. a GDPR (consent); also § 25(2) TTDSG for access to information already stored on the end device, unless exceptionally no consent is required (e.g. in the case of pure session cookies).

Cookie Consent Tool: We use a consent management tool that appears when you first visit. You can allow or reject certain categories of cookies in it. Your selection is stored in a cookie. Note: If you delete cookies, you may need to configure your settings in the tool again.

Storage Duration: Cookies have different lifespans. Session cookies are deleted when you close your browser. Persistent cookies remain on your device for a predetermined period (e.g. 6 months) unless you delete them sooner. The consent tool provides details about individual cookies (name, purpose, storage duration).

Third-Party Cookies and Tracking: If you give your consent, we may use the following external services:

  • Web Analysis (e.g., Google Analytics or Matomo): To improve our website and marketing measures, we may collect pseudonymized visitor data. This includes analysis of page views, feature usage, and dwell time. In the case of Google Analytics, your IP address would be anonymized before analysis. Google LLC (USA) may receive personal data. We have set Google Analytics to a privacy-friendly configuration (IP anonymization activated, retention period 14 months). Third Country Transfer: Google LLC in the USA; secured by EU Standard Contractual Clauses and, if necessary, certification under the EU-US Data Privacy Framework (status: 2025). Legal Basis: Consent (cookie banner). You can withdraw your consent at any time or use browser add-ons to opt out.

  • Marketing and Remarketing Services (e.g., LinkedIn Insight Tag, Google Ads): If you agree, we may use pixels or cookies from these platforms to learn anonymously if you have come to our site through an advertisement or to display interest-based advertising. Usage data (e.g. visiting our website, interactions, your ad ID if applicable) may be transmitted to the respective provider. Third Country Transfer: Possibly USA (e.g. Google, LinkedIn); secured by EU standard contractual clauses. Legal basis: Consent.

Revocation and Do-Not-Track: You can change your cookie settings on our website at any time (e.g., via the "Cookie Settings" link in the footer). You can also prevent cookies from being set in your browser or delete cookies that have already been stored. Please note that in that case not all features of our website may be available. If you have activated your browser's "Do Not Track" feature, we respect this and automatically disable all non-essential trackers.


5. Newsletter


Description: On our website, you have the option to subscribe to our email newsletter. For this purpose, we collect your email address and, if applicable, other information (e.g., name for personalization) as specified in the registration form. We use a Double-Opt-In procedure: After signing up, you will receive an email with a confirmation link that you must click to complete the registration. This ensures that you are the owner of the specified email address and consent to receiving the newsletter.

Purpose: Sending the newsletter with information about our products, offers, and news from Voico. Logging of the registration process (time of registration and confirmation, IP address) for verification purposes.

Legal basis: Art. 6(1) lit. a GDPR (consent through confirmation in Double-Opt-In). You can withdraw your consent at any time by clicking the "Unsubscribe" link in each newsletter or by sending a message to newsletter@voico.ai

Service Provider for Sending: The newsletter may be sent using a service provider that processes your data as a data processor. Currently, we use Sendinblue (Sendinblue GmbH, Germany) for email dispatch. We have concluded a GDPR-compliant data processing contract with the service provider. Data is processed on European servers.

Storage Duration: The data provided for the newsletter will be stored until the newsletter subscription is cancelled. After cancellation (withdrawal of consent), you will no longer receive newsletters, and your data will be promptly deleted from the active distribution list or stored in a suppression list to prevent future mailings. We retain the registration log data for a maximum of 24 months based on Art. 6(1) lit. f GDPR (legitimate interest in demonstrating consent).


6. Contact (Contact Form, Email, Telephone)


Description: If you contact us (e.g., via web contact form, email address, or telephone), we process the personal data you provide: for example, your name, email address, phone number, and the content of your inquiry. Additionally, for a contact form, the time and IP address are recorded at the time of submission (spam protection/proof).

Purpose: Responding to and processing your inquiry, possibly initiating or processing a contract. For telephone inquiries, we may document your information internally (e.g., in our CRM system) to process your request.

Legal basis: Depending on the nature of the inquiry: Art. 6(1) lit. b GDPR (pre-contractual measures or fulfillment of a contract, if your inquiry is aimed at concluding a contract, e.g., request for an offer) or Art. 6(1) lit. f GDPR (legitimate interest in communication with inquirers and processing customer inquiries).

Storage Duration: We delete inquiries and correspondence as soon as they are no longer required to fulfill the purpose. This is regularly the case when communication is completed and no further relationship is established. Business correspondence that relates to a contractual relationship will be stored in accordance with the legal retention periods (usually 6 to 10 years according to commercial and tax law).

Special Notes Regarding Telephone Contact: Our public marketing phone is not part of the Voico platform. No call recordings are made during general calls. If, exceptionally, calls are to be recorded for quality assurance purposes, we will first obtain your express consent; otherwise, recordings are prohibited (§ 201 of the German Penal Code).


7. Integrated Content and External Links


Embedded content: Our website may include content from third parties, e.g., videos (YouTube/Vimeo) or maps (Google Maps). By embedding such content, your IP address is technically sent to the third-party provider so that the content can be delivered. If you view such content, the third-party provider may set their own cookies. Whenever possible, we use privacy-friendly default settings (e.g., the extended data protection mode on YouTube). Nevertheless, we have no influence on the data processing by the third party. Please refer to the privacy policy of the respective provider for details.

Social Media Links: On our website, you will find links to our presences on social networks (e.g., LinkedIn, X/Twitter). These are embedded as simple links or icons. Clicking on the links will redirect you to the pages of third-party providers. No automatic data transfer to the platform operators takes place by simply displaying our website. However, please note that when visiting the external pages, the privacy policies of the respective providers apply.

External Links: Our website may contain links to external websites. These are subject to the liability of the respective operators. At the time of linking, no legal violations were apparent. However, we have no influence over the content of the linked pages. Please review the respective privacy policies of those sites for more information.


8. Security


We take technical and organizational security measures to protect your personal data from loss, misuse, unauthorized access, or disclosure. These measures include, among other things, encrypting the website connection (TLS/SSL) and access restrictions to our servers. Our employees and service providers are committed to confidentiality and data secrecy.


9. Amendments to this Privacy Policy


We reserve the right to adjust this privacy policy as needed, for example, due to developments on the website or new legal requirements. The version current at the time of your visit applies. We will clearly indicate significant changes on the website.

Status of this Privacy Policy: August 10, 2025

Privacy Policy for the Voico Platform (Customer Portal and Services)


1. Introduction and Scope


This privacy policy explains how Voico GmbH processes personal data when you use our Voico web platform and AI Voice Agent services. It is primarily aimed at our customers or users of the Voico service (hereinafter “customers”), and – for information – at persons whose data is processed as part of usage by our customers (e.g., callers, call participants).

Important: Voico provides a service that enables our customers to automate phone calls using AI-based voice assistance. In doing so, Voico processes certain data itself as the controller (e.g., customer data for account management, usage data for contract fulfillment). At the same time, Voico processes personal data on behalf of the customer (Art. 28 GDPR) – particularly data that arises from phone calls and integrations – whereby the customer remains legally the responsible party and Voico acts as a processor. We conclude a data processing contract (DPC) with each customer for this purpose (see Attachment 1 of the T&Cs).

This Privacy Policy primarily refers to the processing operations where Voico is the controller. For the processing of end-customer data initiated by the customer (e.g., call contents between the AI agent and callers), the agreements in the DPC primarily apply; Voico processes these contents exclusively according to the customer's instructions and for the provision of the service. However, we also provide information below about the nature and scope of these data processing tasks to ensure transparency for all data subjects.

Data Protection Officer: As stated above for the website, our Data Protection Officer is also available for questions regarding platform data protection.


2. Categories and Purposes of Processed Data (Processing as Controller)


When using the Voico platform, we process various categories of personal data of our customers and users to provide the services, fulfill contracts, and securely operate the platform:

a) Registration and Account Data: When you create a customer account, we collect master data such as your name, company name, address, email address, phone number, login data (username, password), and, if applicable, payment information (billing contact, bank account details). The purpose is contract initiation and performance, account setup, and communication with you. Legal basis: Art. 6(1) lit. b GDPR (user contract).

b) Platform Usage and Metadata: When using the platform, we collect technical usage data such as logins (time, user ID, IP address), actions taken (e.g., settings changes), API calls, as well as system events (error messages, warnings). These logs serve security, error analysis, abuse prevention, and quality control. We also store configuration data that you enter within the platform (e.g., setting up voice dialogues, routing strategies). Legal Bases: Art. 6(1) lit. b GDPR (contract performance, as these data are necessary for providing the functions) and lit. f (legitimate interest in security and improvement).

c) Billing Data: If our services are subject to charges, we process billing information: booked package/tariff details, usage volume (e.g., minute contingents, number of calls), invoicing, payment status. In cases of payment via third-party providers (e.g., credit card, SEPA direct debit), payment data is collected and processed by an external payment service provider; we only store transaction references when necessary. Legal basis: Art. 6(1) lit. b GDPR (contract execution, payment processing) and legal obligations under commercial and tax law (Art. 6(1) lit. c GDPR in conjunction with § 147 AO).

d) Support and Communication Data: If you contact our support (e.g., via ticket, email, or phone), we record the information you provide (contact details, problem description, possibly log files or screenshots) to process your support request. Phone calls with our customer support may be recorded for quality assurance purposes, but only with your prior express consent; otherwise, calls are not recorded. Legal basis: Art. 6(1) lit. b GDPR (support as part of the service) or lit. f (high-quality service as a legitimate interest). Recordings are made only on the basis of Art. 6(1) lit. a GDPR (consent) and are deleted upon revocation or when the purpose is fulfilled.

e) Publication of Publicly Available References: With your consent, we may publish your company name or short customer feedback (e.g., logo on our website under "Customers") – exclusively after separate approval and based on Art. 6(1) lit. a GDPR. Without consent, Voico does not publicly name any customers.


3. Processing in the Context of Service Provision (Voico as Data Processor)

In the context of our customers’ use of the Voico AI Voice Agents, the following data are processed, for which the customer acts as the controller and Voico as the processor bound by instructions:

a) Telecommunications traffic data: For every call processed via our platform (incoming or outgoing), traffic data is generated: the telephone numbers involved (calling and called parties), start and end time of the call, duration, technical events (connection setup, termination, potential error messages), and, where applicable, information on call transfer or waiting queues. We process these traffic data in order to carry out the call (voice routing via the telephone network/VoIP) and to provide the customer with statistics and records in the administration interface (e.g. call lists, call duration per time period).
Legal basis in the processor relationship: processing takes place on the basis of the DPA in accordance with Art. 28 GDPR and under the German Telecommunications and Telemedia Data Protection Act (TKG/TTDSG). Voico is also subject to telecommunications and telemedia secrecy obligations, meaning the content and circumstances of communication are treated confidentially (§ 3 TTDSG).

b) Call content and recordings: Speech content from calls is processed by the Voico system to enable the AI Agent. For this purpose, the caller’s speech signal is converted into text using speech recognition (speech-to-text). This text is then analyzed by our AI assistant to generate an appropriate response, which is then converted back into speech (text-to-speech) and played to the caller. This process happens in near real time. By default, neither the audio recordings nor the generated transcripts are stored permanently – unless the customer explicitly activates the call recording or transcription function.

Optional recording: Upon request, the customer can record calls (audio capture) or save text transcripts in order to carry out quality control or review call histories. Important: For legal reasons, recording a telephone call is only permitted if all participants have given their prior consent. Our platform provides a function to automatically play a notice before recording begins and to obtain confirmation from the caller (e.g. via keypress or a clear “Yes” on the phone). Without such consent, recording is prohibited and Voico does not enable it (Art. 6(1)(a) GDPR in conjunction with § 201 German Criminal Code, § 102 TKG).

Processing of content: Call content (the spoken words of the caller and any personal data they provide) is processed by Voico exclusively to conduct automated dialogues. Depending on the customer’s configuration, the AI may also interact with external data sources (see item c). Call content may include personal data of third parties (e.g. name, customer number, concern of the caller). Voico does not use this content for its own purposes – in particular not for AI training outside the respective customer environment – unless the customer explicitly permits us to carry out anonymized analyses for improvement (by default, this is disabled).

Storage and access: Audio and text data are stored in the customer account and are only accessible to the customer (and authorized users). Voico staff only access content if necessary for troubleshooting or customer support and contractually permitted – and even then remain bound by confidentiality (telecommunications secrecy).

c) Integration of knowledge data and third-party systems: The Voico platform allows customers to upload their own knowledge bases (documents, FAQs) or connect to third-party applications (e.g. CRM systems, ticketing software) so that the AI Agent can provide better responses (so-called Retrieval-Augmented Generation, RAG). For example, if the customer integrates their CRM, the AI Agent may retrieve customer data from the CRM during a call (e.g. contract details) or write new data back (e.g. call summaries as a ticket). Note: Such integrations are configured by the customer. Responsibility for the lawfulness of data exchange with the third party lies with the customer. Voico acts only as a technical intermediary under instruction. The customer must ensure that appropriate legal bases exist for transferring data to the third-party system and, where necessary, that a joint controllership or data processing agreement with the third-party provider is in place. Voico, for its part, concludes DPAs with such subcontractors where they act on our behalf (see section 5 below).

Examples of integrations: CRM systems (e.g. transmitting the call log to the customer account), ticketing systems, email dispatch (automatic emails to the caller after a call). The data transmitted depend on your configuration and may include personal data of third parties (name, contact details, call content).

d) Automated decisions/profiling: Voico AI Agents make automated decisions within the defined dialogue flows (e.g. classifying a caller’s request into a category, routing to a specific department, scheduling an appointment, or rejecting a request according to fixed rules). These decisions are based on customer-defined processes and AI outputs. In general, they have no legal or similarly significant effects on data subjects – they primarily serve customer service. If, however, the AI Agent supports a decision of legal significance (e.g. preliminary approval or rejection of an application), the customer is responsible for ensuring appropriate human oversight. Voico provides corresponding functions, e.g. escalation to a human operator (“human handover”) whenever the caller requests it or certain criteria are met. The customer must ensure that data subjects are informed about the use of AI and can object or demand human involvement.

Transparency obligation: EU law requires that users be able to recognize when they are interacting with AI rather than a human. Voico supports its customers in providing this transparency – e.g. with predefined greetings that inform the caller that an automated assistant (AI) is speaking and that they can request a human operator at any time. Customers are required not to suppress such notices and to use them whenever legally required.

e) Other categories of data: In addition, further data may be generated through usage, e.g. user management: if our customer grants access to several employees, we process their login data similar to the main user’s (see a). Audit logs: changes to settings, new users, login attempts, etc. are logged for audit security purposes. Blacklists/blocklists: the system allows certain phone numbers or words to be blocked (e.g. for spam protection). If the customer uses this function, Voico stores the relevant entries (e.g. a blocked phone number). These may also be personal data (as a phone number may indirectly identify a person). Voico uses these data solely in the context of the function requested by the customer (here: blocking the respective calls/messages).

4. Legal Bases for Data Processing (Platform)

For data where Voico acts as the controller, the following legal bases apply:

Contract and service provision (Art. 6(1)(b) GDPR): Processing of your account data, connection and usage data, as well as all information required to provide the service under the usage agreement (e.g. routing of calls, authentication, storage of your configurations).

Legal obligations (Art. 6(1)(c) GDPR): e.g. retention of invoice data (tax requirements), disclosure to law enforcement authorities pursuant to TKG/StPO (only upon legitimate legal requests), compliance with telecommunications regulations (e.g. subscriber identification when assigning phone numbers, if required).

Legitimate interests (Art. 6(1)(f) GDPR): for platform security (logging of admin logins, monitoring against attacks), improvement of our services (anonymized usage analysis where not covered by contract), and customer communication (support). In these cases we ensure that your interests do not override ours. You have the right to object to such processing for reasons arising from your particular situation.

Consent (Art. 6(1)(a) GDPR): In specific cases we request your consent, e.g. for recording calls for training purposes, publishing customer testimonials, or extended usage analytics. You may withdraw consent at any time with effect for the future.

For data processed on behalf of customers, the legal basis is determined by the customer as controller. Typically, customers rely on Art. 6(1)(b) GDPR (contract with the caller/customer, e.g. in a service hotline) or Art. 6(1)(f) (legitimate interest, e.g. efficient customer service). In certain cases, Art. 6(1)(a) (consent) may also apply, particularly for call recordings or promotional calls. The customer is responsible for ensuring the appropriate legal basis, and in particular for obtaining and documenting consent where required. Voico provides technical support (e.g. consent prompts before recording), but does not assume liability for missing legal bases on the customer side.

5. Recipients of Data and Disclosure

Internal recipients: Within Voico, only those employees who require access to personal data in order to fulfill our contractual obligations and provide the service receive access (need-to-know principle). This includes staff in customer support/success (for support cases), development and engineering (for maintenance, troubleshooting), and accounting (for invoicing). All employees are bound by confidentiality; call content is further subject to telecommunications secrecy.

External processors (subcontractors): Voico uses external service providers for specific technological components or services that process data on our behalf. Key subprocessors include:

  • Data center and cloud providers: (e.g. Hetzner Online GmbH, Germany, for server hosting; possibly Amazon Web Services EMEA, Frankfurt region, for scaling services). These host our platform and process all of the above data on the server systems. Data remain within the EEA. Security: All data are transmitted encrypted; servers are physically and logically secured.

  • Telecommunications providers (carriers): To terminate or receive calls via the public telephone network, we use telecom providers. We currently cooperate with partners in Germany/EU (e.g. Deutsche Telekom/T-Systems, or an international VoIP provider with EU infrastructure). These providers receive traffic data (numbers, timestamps) and transmit voice data. They are likewise subject to telecommunications secrecy. Where legally required, these services are registered with the Federal Network Agency.

  • AI and speech technology providers: For speech recognition and synthesis we may use specialized services. We strive for GDPR-compliant solutions within the EU. For example, we use automatic speech recognition via an EU-hosted service. In some cases, we work with Microsoft Azure AI Services (operated in EU data centers) for natural language processing. Microsoft is covered by Standard Contractual Clauses and, according to its own statements, certified under the EU–US Data Privacy Framework, ensuring an adequate level of data protection. In no case does the AI service use the data for its own model training; we have contractually agreed that the data will only be used for immediate processing and then deleted. If, in exceptional cases, a US-based AI model (e.g. OpenAI GPT via API) is used, this only takes place with the customer’s explicit consent, and we conclude EU Standard Contractual Clauses accordingly.
    Caller speech note: We point out that external speech analysis may technically involve short snippets of speech being transmitted to the providers’ servers (over encrypted connections). Through contractual, technical, and organizational measures we ensure that no unauthorized further use takes place.

  • Email/notification services: For system emails (e.g. password reset, notifications) we use a European email service. Currently this is Sendinblue (Germany). For SMS notifications (if activated) we may use Twilio or similar providers; in such cases, phone number and message text may be transmitted to the USA, but we also secure this via Standard Contractual Clauses.

  • Payment processing: For credit card or direct debit payments we work with external payment providers (e.g. Stripe, US/Ireland; or BS Payone, Germany). These receive the necessary payment data. Voico does not store credit card numbers itself.

With all service providers we have concluded data processing agreements in accordance with Art. 28 GDPR, ensuring compliance with data protection requirements. A list of current subprocessors is available to customers on request or in our Trust Center.

Disclosure to third parties (joint controllers/recipients): As a rule, we do not share active customer data with third parties, except where necessary to fulfill the contract or required by law. Examples include:

  • Number porting: If you transfer a phone number provided by Voico to another provider (porting), we transmit your number and, where applicable, subscriber data to the receiving telecom provider or the porting database. Basis: TKG requirements and your request (Art. 6(1)(b) and (c) GDPR).

  • Authority requests: In the event of lawful requests for information by law enforcement or security authorities, we are obliged under TKG/StPO to provide certain information (e.g. subscriber details, traffic data). In such cases, we process and disclose data solely on the basis of legal obligations (Art. 6(1)(c) GDPR in conjunction with TKG/StPO) and ensure proportionality. Where legally permissible, affected parties will be informed by us of such requests.

  • Auditors/advisors: Our financial accounting or certified information security audits may involve access to necessary data (e.g. during an audit, logs may be sampled). These recipients are also subject to confidentiality obligations.

  • In legal proceedings: Where necessary, we may disclose data to our legal counsel or, in the course of litigation, to courts or the opposing party, insofar as required for legal defense or enforcement of claims (Art. 6(1)(f) GDPR, legitimate interest in asserting legal rights).

We do not engage in any commercial transfer of data (e.g. selling customer data).


6. Data Retention and Deletion Policy

We do not store personal data longer than necessary. The following deletion periods apply unless otherwise specified above:

Account data: Upon termination of the usage agreement, your master and contact data will initially be retained for the duration of the notice period. After that, we delete them from active systems, unless further contractual relationships exist. Master data subject to statutory retention requirements (invoices, accounting data) are archived for the legally prescribed period (generally 6 or 10 years pursuant to § 257 HGB, § 147 AO). During archiving, data are blocked from other uses.

Usage and connection data: Log data (logins, actions) in the admin interface are retained for 12 months to assist with retrospective inquiries (audit, support), and then automatically deleted or anonymized. Traffic data within the meaning of the TKG (who called whom, when) are stored for a maximum of 6 months for billing and verification purposes, unless longer retention is legally permitted. At the customer’s request, call connection data can also be deleted or aggregated earlier once the invoice has been issued and paid. Note: If the customer requires retention of traffic data for their own purposes (e.g. to keep call history visible longer), the customer bears responsibility as controller.

Call recordings/transcripts: If activated, these may remain stored in the customer account until the customer deletes them. We provide functions for automatic deletion after a customer-defined period (e.g. 30 or 90 days). By default, maximum retention is set at 90 days unless the customer specifies otherwise. Regardless, the customer can delete recordings/transcripts manually at any time. Immediate deletion: Deleted recordings are removed from the production database and file system and are no longer accessible to users. For technical reasons it may take up to 24 hours to purge all caches/backups. We maintain a deletion log that records the time and user of the deletion to demonstrate compliance (Art. 5(2) GDPR – accountability). This log does not contain call content, only metadata (e.g. “Recording ID XYZ deleted by User A on [date]”).

Integration data: Data transmitted to third-party systems (e.g. CRM) are stored there in accordance with the third party’s policies. Our system retains only logs of successful transfers (e.g. “Record no. 5 sent to CRM”) for the above 12-month period.

Support tickets: Support requests and their resolution history are retained as long as you remain an active customer to allow continuity for follow-up issues. On request, we will delete individual support tickets unless they contain operationally necessary information. After contract termination, support data are generally deleted after 1–2 years, unless the correspondence relates to legal matters (e.g. disputes), in which case they may be needed longer.

Backups: We perform regular encrypted backups of our databases to enable data recovery in case of system failures. These backups are stored separately and overwritten after a short period (rolling backups, typically 7–14 days retention). Therefore, information deleted from the active platform may still exist in these backups until the backup period expires. In emergencies, if a restore is performed, any data that had been deleted will be re-deleted or anonymized.

7. Data Subject Rights and Voico’s Assistance

If you are a customer/user of our platform, you may exercise the rights described in section 1 (website part) also with respect to platform data. In particular, you have the right at any time to obtain information about the personal data stored in your account, to correct inaccurate information, or to request deletion. Many basic data can be viewed and changed by you directly in your customer account. For further requests (e.g. complete data access or deletion), please contact us at support@voico.ai. Please note that we cannot delete certain data as long as a contract is active (e.g. data necessary for service provision) or where we are legally obliged to retain it.

If you are an end customer of one of our customers (e.g. a caller who has interacted with a Voico system) and wish to exercise a data protection request (e.g. access, deletion of your call data), please note: In this case, Voico is not your primary contact, but the company you called, as that company controls the data. However, you are welcome to contact us – we will then forward your request to our customer and assist them in processing it (Art. 28(3)(e) GDPR). For example, Voico may locate and delete specific call recordings or export call logs upon our customer’s instruction. We may only carry out such actions on the customer’s explicit instructions.

8. Data Security and Confidentiality

The Voico platform is operated with high security standards. We use modern encryption (TLS) for all data transmissions. If an AI agent retrieves external data (knowledge base, API), this also occurs via encrypted channels. All stored data reside on secure servers within the EU. Only authorized persons have access to these servers.

In addition, Voico has implemented extensive technical and organizational measures (TOMs), including access control systems, regular security updates, penetration tests, logging, and a role-based access concept to protect data against loss, unauthorized access, or disclosure. Call data and confidential content are internally classified as confidential; all processing is subject to telecommunications secrecy and contractual confidentiality obligations.

9. Changes to this Privacy Notice (Platform)

As we continually develop our services, it may become necessary to amend this privacy notice. We will inform our customers of material changes (e.g. by email or upon login) and provide the updated version on our website. Please review the current privacy information regularly.

Effective date: August 10, 2025




General Terms and Conditions (GTC) of Voico GmbH

(for the use of the Voico SaaS platform and AI telephony services)

1. Scope and Contracting Parties

1.1. These General Terms and Conditions (GTC) apply to all contracts concerning the use of the Voico Software-as-a-Service platform and related telecommunications and AI voice services (hereinafter “Voico Service”), concluded between Voico GmbH i.G., Weikenrott 19, 46499 Hamminkeln (hereinafter “Voico” or “we”), and our customers (hereinafter also “user” or “customer”).

1.2. Deviating or conflicting terms of the customer shall not apply, unless Voico has expressly agreed to their validity in writing. These GTC apply exclusively even if we perform services with knowledge of conflicting conditions without reservation.

1.3. Contracting parties: The Voico services are directed exclusively at entrepreneurs within the meaning of § 14 BGB (commercial customers, B2B). By registering, the customer confirms that they are acting in the course of their commercial or self-employed professional activity. Consumers (§ 13 BGB) are excluded from use. Voico is entitled to request proof of entrepreneurial status (e.g. commercial register extract, VAT ID).

1.4. Conclusion of contract: The presentation of the Voico Service on our website does not constitute a binding offer. The contract is only concluded upon acceptance of the customer’s order by Voico. Typically, the customer registers online for an account. We may accept registration by activating the account or by confirmation email. Voico reserves the right to refuse registration in individual cases, particularly if there are doubts about creditworthiness or compliance with these GTC.

2. Subject Matter of Services

2.1. Description of Voico services: Voico provides a cloud-based platform enabling customers to configure and operate AI-powered voice bots/voice assistants for telephone calls. The service essentially includes:

  • Online access to the Voico platform (web interface, API) to configure AI voice dialogues (phone assistants).

  • Telecommunications integration: provision of phone numbers or use of customer numbers via SIP trunk, receiving and initiating phone calls via the public telephone network on behalf of the customer.

  • AI engine: processing of incoming calls through automated speech recognition, dialog management via AI (natural language processing), and speech synthesis for output.

  • Integrations: connection to third-party software (e.g. CRM systems) via interfaces according to customer settings.

  • Recording and analysis (optional): ability to record calls and receive transcripts and evaluations (statistics), where legally permissible (see section 7).

  • Hosting and storage of required data (e.g. configurations, call logs) on servers in the EU.

  • Support: technical support and software updates during the contract term.

The exact service description results from the product description valid at the time of contract conclusion and any individual agreements. Voico owes the provision of platform-related functions to the agreed extent. A specific business result (e.g. conclusion of a deal via AI or accuracy of each AI response) is not owed.

2.2. Software-as-a-Service: The Voico Service is provided as Software-as-a-Service (SaaS) via the internet. The customer receives a non-exclusive right to use the platform during the contract term for their own business purposes. No installation takes place at the customer’s premises. Access is provided via web browser and defined APIs.

2.3. Telecommunications service: To the extent Voico provides public telephony functions (e.g. assignment of numbers, handling of calls), Voico also renders a telecommunications service within the meaning of the German Telecommunications Act (TKG) and complies with statutory requirements (telecommunications secrecy, traffic data protection, etc.). Details are set out in these GTC (esp. sections 6, 11) and the Privacy Notice.

2.4. Service modifications: Voico may adapt the Voico Service in the course of technical progress and development (e.g. updates, new features, improvements). Voico will consider the customer’s legitimate interests and ensure that no disproportionate impairment of the main contractual services occurs. Material deteriorations or restrictions of functions shall not be made without customer consent. Voico will inform the customer of changes in good time. Voico may make minor changes to comply with legal requirements or close security gaps without giving rise to a special termination right.

2.5. Trial offers: If the customer uses the service initially as part of a free trial (proof-of-concept, beta, etc.), Voico may limit performance (e.g. limited call minutes, restricted functions) and may terminate the trial phase at any time. During the trial, services are provided without warranty or liability for defects, except in cases of intent or gross negligence.

3. User Accounts and Customer Obligations

3.1. Registration & login details: The customer must provide truthful and complete information during registration (in particular company name, contact person, contact details) and keep these details up to date during the contract term. After registration, the customer receives login credentials (username/password). They may create additional authorized users (employees). The customer ensures that login data are kept confidential and only made available to authorized persons. Voico must be informed immediately of suspected unauthorized access. Voico may temporarily block access in case of misuse suspicion.

3.2. System requirements: Use of the Voico platform requires a current browser and internet connection. The provision of these technical requirements is the customer’s responsibility. The customer also bears the communication costs (internet/telephony fees).

3.3. Own infrastructure: The customer is responsible for ensuring their systems (e.g. PBX, devices, network) are compatible with the Voico Service. Voico provides interfaces; integration into the customer’s environment (e.g. SIP trunk integration, API integration) is the customer’s responsibility unless otherwise agreed. Voico provides support in the form of documentation and general advice but assumes no warranty for third-party software.

3.4. Use of numbers and services:

  • If Voico provides phone numbers, the customer receives a simple right of use for the contract term. Numbers remain in the allocation responsibility of Voico or the carrier. No resale or transfer to third parties. Porting is possible under legal rules with prior coordination.

  • The customer ensures geographic number use complies with regulations. Voico may require proof of local address.

  • Voico services must only be used within legal limits. Emergency calls are not contractually guaranteed; the customer must ensure alternatives.

  • Unsolicited marketing calls without consent, mass calls, ping calls, or fraud are prohibited. Voico may restrict or terminate the service if misused.

3.5. Content responsibility: The customer is solely responsible for all content processed via Voico. Voico does not monitor content. Customer content must not infringe third-party rights or laws. Illegal or harmful content is prohibited.

3.6. Data protection & consents: The customer must fulfill all GDPR obligations toward third parties. This includes: informing end customers about AI use, obtaining consent for recordings, ensuring compliance for outbound calls, and concluding a Data Processing Agreement (DPA) with Voico. The customer indemnifies Voico against third-party claims resulting from violations.

3.7. Forwarding & external connections: The customer must ensure consent of target line holders if calls are forwarded (e.g. to an employee’s mobile phone).

3.8. Data backup: The customer is responsible for backing up their data (e.g. configurations, uploads). Voico performs regular system-level backups, but customers should keep local copies, especially before contract termination.

4. Availability and Service Levels

4.1. Availability: Voico targets 99.5% monthly average uptime. Availability refers to technical accessibility at the handover point (data center router). Periods of planned maintenance or of outages beyond Voico’s control are deemed available time.

4.2. Maintenance windows: Regular maintenance occurs, preferably at off-peak times (e.g. night or weekends). Outages are announced at least 5 business days in advance.

4.3. Excluded outages: Outages not attributable to Voico are excluded (customer-side issues, public internet/telecom failures, force majeure, security incidents despite safeguards, customer misuse).

4.4. Incident reporting & handling: Customers must promptly report issues. Voico prioritizes incidents:

  • Critical: total outage → response within 2 hours, resolution asap.

  • Medium: major restriction → handling within 4 hours.

  • Minor: small errors → scheduled fix.

Support times: Mon–Fri, 9:00–18:00 CET (excluding holidays).

4.5. SLAs & credits: Only if explicitly agreed in a separate SLA (e.g. Enterprise plan). Otherwise, targets apply without binding guarantees.

4.6. Liability for outages: Damages are governed by section 10. No explicit uptime guarantee is given.

5. Prices and Payment Terms

5.1. Fees: Based on the selected plan/offer. Prices are net plus VAT. Current prices available on Voico website or individual agreement.

5.2. Billing model: Fixed monthly fees billed in advance; usage-based fees (minutes, overages) billed afterwards.

5.3. Invoicing: Electronic (PDF by email). Currency: EUR unless agreed otherwise.

5.4. Payment term: 14 days from invoice date unless otherwise specified.

5.5. Payment methods: SEPA direct debit, credit card, or bank transfer. Direct debits earliest 5 days after invoice; credit card charges near invoice date.

5.6. Invoice objections: Must be raised within 6 weeks; otherwise deemed accepted.

5.7. Default: Default interest per § 288(2) BGB (9 pp above base rate) + €40 fee. Service suspension possible after notice.

5.8. Set-off/withholding: Only with undisputed or legally established claims.

5.9. Price adjustments: Voico may adjust prices due to cost changes (carriers, energy). Notification 6 weeks in advance. >5% per year → special termination right.

6. Legal Framework, TKG Compliance

6.1. Telecommunications Act (TKG): Voico complies with applicable duties: number management, data protection, secrecy, lawful processing of traffic data, and security measures.

6.2. Emergency calls: Not primarily supported; customer must provide alternatives.

6.3. CLI misuse: Caller ID spoofing prohibited. Only assigned/ported numbers may be used.

6.4. Protective measures: Voico may apply restrictions to prevent abuse (limit call channels, block known fraud numbers, rate-limit APIs, temporary suspensions for anomalies).

7. Call Recording and AI Use – Special Obligations

7.1. Call recording: Customer bears full legal responsibility. In Germany, prior consent of all parties is required. Voico provides technical tools but is not liable if misused. Unauthorized recording is criminally punishable (§ 201 StGB).

7.2. AI-generated content: Customer acknowledges AI responses are automatically generated and may not always be correct. Testing and monitoring are the customer’s responsibility.

7.3. Human fallback: Customer should configure handover to a human operator. Voico provides corresponding features.

7.4. Transparency: Callers must be informed they are speaking with an AI assistant.

7.5. Quality/training: Customers may train bots with their own data. They must hold rights to content and ensure data protection. No cross-customer training by Voico without explicit consent.

7.6. Prohibited misuse: No unlawful or harmful AI use (deception, threats, impersonation). Customer is liable for content communicated via the AI system.

8. Responsibility and Indemnification

8.1. Customer responsibility: Customer is solely responsible for all content. If Voico is held liable due to customer violations, the customer shall indemnify Voico.

8.2. No general monitoring: Voico has no duty to monitor but may act if violations are suspected.



5. Processor’s Obligations (Voico)

5.1. Instructions. Voico processes personal data only on the customer’s documented instructions. The main agreement and this DPA contain the initial instructions. Any instructions beyond that (e.g., deletion or provision of specific data) must be submitted by the customer in text form to [email protected]. Voico will implement instructions without undue delay. If Voico becomes aware that an instruction violates the GDPR or other data protection laws, Voico will inform the customer and may suspend implementation until the controller confirms or amends the instruction.

5.2. Security measures. Voico undertakes to implement all technical and organizational measures (TOMs) required under Art. 32 GDPR to ensure an appropriate level of protection. These include, in particular: access control (authentication), physical access control (secure server rooms), access rights management (least privilege), transfer control (encrypted transmissions), input control (change logging), order control (contracts with subprocessors), availability control (backups, resilience), and data separation (logical tenant segregation).
Encryption: Voice data and sensitive content are always transmitted over public networks in encrypted form (HTTPS/TLS, SRTP/ZRTP or similar). Data at rest (e.g., in databases, recordings) are stored on hardened systems, in part with additional encryption layers. Voico maintains an information security management system (ISO 27001 certified). A detailed overview of TOMs is available on request. Measures may be adapted to technical progress, provided the protection level is not reduced.

5.3. Assistance to the controller. Within reasonable means, Voico assists the customer in fulfilling the obligations under Art. 32–36 GDPR, including:

  • ensuring data security (see above);

  • notifying the customer without undue delay upon becoming aware of a personal data breach, and providing all information necessary for the customer to meet Art. 33/34 GDPR obligations;

  • assisting with data subject requests (e.g., access, deletion). If a data subject contacts Voico directly, Voico will promptly forward the request to the customer and will not provide information to the data subject without instruction;

  • assisting with any required Data Protection Impact Assessment (DPIA) under Art. 35 GDPR and with prior consultations under Art. 36 GDPR, insofar as processing occurs at Voico and we can provide relevant information.
    Voico may charge reasonable fees for assistance not included in the main service description (e.g., substantial personnel effort for DPIA support).

5.4. Confidentiality. Voico ensures that all persons (employees and externals) with access to the customer’s personal data are bound by confidentiality and are familiar with data protection requirements (e.g., training). Telecommunications secrecy under the TTDSG is observed; violations are subject to sanctions.

5.5. Evidence and audits. Upon request, Voico will provide the customer with all information necessary to demonstrate compliance with this DPA (Art. 28(3)(h) GDPR), including current certifications or third-party reports (e.g., ISO 27001, SOC 2, penetration test reports) and a description of TOMs. The customer may exercise audit rights: after prior coordination (at least 2 weeks’ notice), the customer may audit Voico on-site or remotely, or have an independent auditor do so. Audits should be limited to normal business hours and must not unreasonably disrupt operations. Voico may, where appropriate, provide a current audit/assessment report (not older than 12 months) in lieu of an on-site audit if this adequately addresses the customer’s specific audit objectives. The customer bears the audit costs, except in cases of serious deficiencies caused by Voico.

6. Controller’s Obligations (Customer)

6.1. The customer remains responsible for assessing the lawfulness of processing. In particular, the customer obtains any required consents and informs data subjects pursuant to Art. 13 GDPR. The customer ensures a valid legal basis for all processing under this DPA.

6.2. The customer documents instructions, regularly reviews Voico’s TOMs based on the documentation provided, and promptly reports to Voico any irregularities or violations the customer becomes aware of.

6.3. The customer must promptly inform Voico if any errors or irregularities in processing by Voico come to the customer’s attention.

6.4. Where consultation duties arise for the customer under Art. 28(3) GDPR in connection with the contracted processing, the customer will consult Voico accordingly.

7. Subprocessing (Engagement of Subprocessors)

7.1. The customer hereby grants Voico general authorization to engage further processors (subcontractors) as necessary for service provision. A list of current subprocessors is provided in the Privacy Notice (hosting, telecom carriers, cloud services, etc.) or upon request. This includes, in particular: Hetzner Online GmbH (hosting), various telecommunications carriers (depending on destinations), Microsoft (Azure EU Cloud for AI processing), etc.

7.2. Voico will inform the customer in advance of any intended change regarding the engagement or replacement of a subprocessor. The customer may object on justified data protection grounds. If no justified objection is raised within 10 days after notification, consent is deemed granted. If the customer objects, Voico will seek a solution without the subprocessor. If not feasible, the customer has a special termination right.

7.3. Voico ensures an equivalent level of data protection with all subprocessors. In particular, Voico concludes a contract pursuant to Art. 28(4) GDPR obligating subprocessors to the same duties that apply to Voico here. Voico is liable to the customer for data protection breaches by subprocessors as for its own.

7.4. Disclosure to third parties outside processing on behalf (e.g., joint controllers or independent controllers) occurs only with the customer’s consent or where permitted by law. Where Voico must disclose customer data by order of an authority or under a legal provision (e.g., TKG information request), Voico will — where lawful — inform the customer.

8. Data Subject Requests

8.1. Upon instruction by the controller or where the controller’s need for support is apparent, Voico will reasonably assist in fulfilling data subject rights, including searching for a data subject’s data, providing it in a common format, or deleting/blocking data upon instruction.

8.2. If a data subject contacts Voico directly, Voico will promptly forward the request to the customer and direct the data subject to the controller. Voico will take direct action only upon the customer’s instruction.

9. Data Transfers to Third Countries

9.1. Processing generally takes place within the EU/EEA. Transfers to third countries occur only where use of a subprocessor so requires (see subprocessor list). This may be the case for certain telephony services (e.g., international calls involving foreign carriers) or AI services provided by non-EU vendors.

9.2. In such cases, Voico ensures appropriate safeguards under Art. 44 et seq. GDPR. As a rule, Standard Contractual Clauses (SCCs) are concluded with recipients. Voico also assesses whether additional measures (e.g., encryption, enhanced data processing terms) are required and implements them.

9.3. The customer is informed of cases involving third-country data flows (see Privacy Notice). For international calls, it may be technically unavoidable that telephony traverses foreign networks — the customer agrees to this.

10. Termination of Processing; Return and Deletion

10.1. Upon termination of the main agreement, and upon the customer’s request during the term (where technically feasible), Voico will delete all personal data processed on behalf of the customer or, at the customer’s option, return such data. This also applies to data stored with subprocessors. Any physical data carriers, where applicable, shall be returned or destroyed at the customer’s choice.

10.2. Documentation required to evidence proper processing (e.g., logs, consent records) may be retained by Voico after contract end in accordance with statutory retention periods and deleted thereafter. Such residual data remain subject to confidentiality under this DPA.

10.3. Voico will confirm completion of deletion upon the customer’s request. If deletion is not possible in exceptional cases (e.g., due to Voico’s statutory retention obligations), data will be blocked instead.

11. Liability and Damages

11.1. The liability provisions of the main agreement (GTC, liability clause) also apply between controller and processor. Voico is liable to the controller for culpably caused damages arising from breaches of this DPA within the contractual liability limits.

11.2. Strict liability of the processor under Art. 82 GDPR toward data subjects remains unaffected. Internally, however, the controller shall indemnify Voico from data subject claims to the extent Voico demonstrates it is not responsible for the event causing the damage (Art. 82(3) GDPR).

12. Miscellaneous

12.1. Notices. For data protection matters under this DPA, both parties contact the points of contact designated upon contract conclusion (e.g., data protection officers or responsible departments). Changes must be notified to the other party.

12.2. Amendments; side agreements. Amendments to this DPA require written form. This also applies to any waiver of this form requirement.

12.3. Precedence. In the event of conflict, the provisions of this DPA take precedence over the main agreement with respect to data processing.

12.4. Governing law and jurisdiction. The law applicable to the main agreement applies (see GTC). Jurisdiction follows the main agreement, to the extent permitted under data protection law.
