Data Protection & GDPR

How iamadroid handles UK and EU data protection obligations for AI Agents, AI Phone, Business Phone, websites, dashboards, calls, chats and related services.

Summary: iamadroid usually acts as a processor when we process personal data through customer-configured AI Agents, AI Phone, Business Phone, call flows, chat widgets, transcripts, recordings, summaries and dashboards. Our customer is usually the controller for that data. For our own website, account management, billing, support, security, sales and legal administration, iamadroid acts as a controller. This page explains our GDPR approach, data roles, security measures, sub-processors, transfers, data-subject requests and breach handling.

1. Legal Framework

iamadroid aims to process personal data in line with applicable data protection laws, including the UK General Data Protection Regulation, the Data Protection Act 2018, and the EU General Data Protection Regulation where they apply.

This page should be read together with our Privacy Policy, Terms of Service, Acceptable Use Policy, Cookie Policy and, where applicable, any Data Processing Agreement.

2. Data Roles: Controller and Processor

The role iamadroid plays depends on the context:

  • Customer as controller: When a customer configures an AI Agent, AI Phone workflow, Business Phone service, call routing flow, chat widget, knowledge source, prompt, notification, handoff, transcript, recording or summary, the customer usually decides the purpose and means of processing. In that case, the customer is usually the controller.
  • iamadroid as processor: When we process personal data on behalf of a customer through the customer’s configured services, we usually act as processor and process that data according to the customer’s instructions, the contract and applicable law.
  • iamadroid as controller: For our own website visitors, customer account data, billing records, fraud prevention, security logs, sales enquiries, support requests, compliance checks and legal administration, iamadroid usually acts as controller.

3. Products and Processing Activities Covered

iamadroid’s data protection obligations may apply to personal data processed through:

  • AI Agents: website chat agents, chat sessions, prompts, responses, lead capture, support tickets, booking requests, knowledge answers, notifications and handoff.
  • AI Phone: AI call handling, caller intent recognition, call logs, routing, recordings, transcripts, summaries, appointment flows and escalation paths.
  • Business Phone: non-AI telephony, business numbers, inbound and outbound call records, call routing, voicemail, usage data and related phone features.
  • Account and administration tools: dashboards, analytics, logs, billing, payment records, user roles, settings, integrations and support communications.

4. Customer Responsibilities as Controller

Where you are the controller, you are responsible for your own compliance with data protection law. This includes:

  • providing a clear privacy notice to website visitors, callers, staff, customers and other end users;
  • identifying and documenting a lawful basis for processing;
  • obtaining valid consent where required, including for cookies, call recording, call monitoring, marketing or special-category data;
  • explaining when users interact with AI, where disclosure is required by law or would otherwise be necessary for transparency;
  • configuring agents, phone flows, retention, notifications, integrations and access permissions lawfully;
  • responding to data-subject requests where you are the controller;
  • ensuring that you do not collect unnecessary, excessive or unlawful personal data through the Service.

5. Data Processing Agreement

Where iamadroid acts as processor for customer personal data, our data processing terms or Data Processing Agreement apply as part of the customer contract, unless a separate signed DPA is agreed. These terms set out the subject matter, duration, nature and purpose of processing, categories of data, categories of data subjects, security measures, sub-processing and both parties’ obligations.

Enterprise customers or customers who require a signed DPA can request one by contacting compliance@iamadroid.com.

6. Categories of Personal Data

Depending on configuration and use, iamadroid may process:

  • names, email addresses, phone numbers, business names, job titles and contact details;
  • chat messages, prompts, responses, support requests, lead details, booking details and customer enquiries;
  • caller ID, called number, call time, call duration, routing information, voicemail, recordings, transcripts, summaries and call metadata;
  • account details, login records, user roles, billing details, invoices, payment status and subscription records;
  • IP addresses, device information, browser information, security logs, audit logs and usage analytics;
  • customer-uploaded documents, FAQs, knowledge sources, web content, configuration data and integration data;
  • verification, tax, business, service-address or compliance information where required for billing or telephony services.

7. Special-Category and Sensitive Data

The Service is not designed for unnecessary collection of special-category or sensitive personal data. Customers must not collect health data, biometric data, children’s data, payment-card numbers, government identifiers, criminal-offence data or other regulated data unless they have a lawful basis, required consents, appropriate safeguards and a suitable plan/configuration.

If sensitive data is provided by an end user without being requested, it may still be processed incidentally as part of providing the Service. Customers should configure agents and phone flows to avoid asking for unnecessary sensitive information.

8. Lawful Bases for iamadroid Controller Processing

Where iamadroid acts as controller, we may rely on the following lawful bases:

  • Contract: to provide accounts, subscriptions, billing, support and requested services.
  • Legitimate interests: to secure, maintain, improve and protect the Service, prevent fraud, analyse usage and operate our business.
  • Consent: for optional marketing, certain cookies or processing where consent is required.
  • Legal obligation: to comply with tax, accounting, telecoms, regulatory, law-enforcement and data-protection obligations.
  • Vital interests: only in rare cases where processing is necessary to protect life or safety.

9. Processor Instructions

Where iamadroid acts as processor, we process customer personal data only on documented instructions from the customer, unless we are required by law to process it otherwise. Customer instructions include configuration choices made in the dashboard, agent settings, phone routing rules, integrations, retention settings and support requests.

If we believe an instruction infringes applicable data protection law, we may notify the customer, refuse the instruction, suspend the affected processing or request clarification.

10. Security Measures

iamadroid uses technical and organisational measures designed to protect personal data, including:

  • HTTPS/TLS encryption in transit;
  • access controls and role-based permissions;
  • least-privilege access practices;
  • secure credential and key handling;
  • logging, monitoring and audit trails where appropriate;
  • backup, recovery and operational safeguards;
  • provider security controls for infrastructure, payment, telecoms and AI services;
  • internal restrictions on access to customer data.

See our Security page for further details where available.

11. Sub-processors

We use third-party providers to help operate the Service, including hosting, databases, AI model processing, telecoms, number services, payment processing, email delivery, analytics, monitoring, support and security services.

  • Sub-processors are used only where needed to provide, secure, support or improve the Service.
  • We require appropriate contractual safeguards from sub-processors where personal data is processed.
  • Telephony services may require telecom carriers, number providers, communications APIs and compliance providers.
  • AI features may require AI model providers or related infrastructure providers.

Customers may request the current sub-processor list by contacting compliance@iamadroid.com.

12. International Transfers

Personal data may be processed in the United Kingdom, European Economic Area, United States, Canada and other countries where we or our providers operate. Where personal data is transferred outside the UK or EEA, we use appropriate transfer safeguards where required, such as adequacy decisions, Standard Contractual Clauses, UK international data transfer terms, contractual safeguards or other lawful mechanisms.

Some transfers may be necessary to provide AI, telephony, hosting, security, support, analytics, payment or communications services.

13. Data Subject Rights

Individuals may have rights under UK/EU data protection law, including the rights of access, rectification, erasure, restriction, objection and data portability, and the rights to withdraw consent and to complain to a supervisory authority.

Where iamadroid acts as controller, individuals can contact us using the details below. Where we act as processor for a customer, individuals should normally contact the relevant customer/controller first. If we receive a request relating to customer-controlled data, we may refer the request to the customer or act on the customer’s instructions.

14. Assistance to Customers

Where iamadroid acts as processor, we will provide reasonable assistance to customers, taking into account the nature of processing and information available to us, to help them:

  • respond to data-subject requests;
  • meet security obligations;
  • handle personal data breaches;
  • conduct data protection impact assessments where relevant;
  • consult supervisory authorities where legally required.

15. Call Recording, Transcription and AI Summaries

AI Phone and Business Phone features may generate call logs, recordings, transcripts, summaries, voicemail, routing metadata and analytics. Customers are responsible for:

  • telling callers when calls may be recorded, transcribed, monitored, summarised or handled by AI;
  • obtaining consent where required;
  • setting appropriate retention periods;
  • limiting access to authorised staff;
  • checking transcripts and summaries before relying on them.

16. Automated Processing and AI Transparency

AI Agents and AI Phone may classify intent, generate responses, produce summaries, route calls, trigger configured workflows or assist with customer follow-up. Customers must ensure that AI use is transparent where required and that automated outputs are not used unlawfully for high-impact, regulated, safety-critical or sensitive decisions without appropriate human review.

17. Data Retention and Deletion

Retention periods vary by plan, configuration, product, legal requirements and operational needs. Customer-controlled chats, calls, recordings, transcripts, summaries, analytics and logs are retained according to the applicable plan, settings, contract and retention policy.

  • Customers are responsible for configuring retention appropriately where controls are available.
  • Account, billing, tax and compliance records may be kept longer where required by law.
  • Security and audit logs may be retained for platform protection, investigation and compliance.
  • Backup copies may persist for a limited period before deletion.
  • Data may be anonymised or aggregated where appropriate.

18. Personal Data Breach Notification

If we become aware of a personal data breach affecting customer personal data for which we act as processor, we will notify the affected customer without undue delay after becoming aware of the breach, as required by applicable law and the relevant data processing terms.

Where iamadroid acts as controller, we will assess whether notification to individuals or supervisory authorities is required and will make notifications where legally required.

19. Audits and Compliance Information

We may provide reasonable compliance information, security summaries, sub-processor information or DPA documentation to customers where required by law or contract. Any audit rights are subject to reasonable confidentiality, security, operational and notice requirements.

20. Data Protection Impact Assessments

Customers are responsible for deciding whether their use of AI Agents, AI Phone, Business Phone, call recording, profiling, automated routing, sensitive data or high-volume processing requires a Data Protection Impact Assessment. Where we act as processor, we will provide reasonable assistance where required and where information is available to us.

21. Children’s Data

iamadroid is designed for business use and is not directed at children. Customers must not configure the Service to knowingly collect children’s personal data unless they have all required lawful authority, consents and safeguards.

22. Contact and Data Protection Requests

For data protection questions, DPA requests, sub-processor requests or privacy-rights requests where iamadroid is the controller, contact: compliance@iamadroid.com.

You may also contact us through our Contact Us page.

23. Complaints

If you are in the UK, you may complain to the Information Commissioner’s Office at ico.org.uk. If you are in the EEA, you may complain to your local data protection authority.

We encourage you to contact us first so we can try to resolve your concern.

24. Updates to this Page

We may update this Data Protection & GDPR page from time to time to reflect changes in our Service, laws, providers, safeguards or processing activities. The effective date below shows the latest revision.

Effective date: 1 May 2026