Vendra AI

Privacy Policy

Last Updated: February 2, 2026

1. Introduction

Vendra AI ("we," "our," or "us"), operated by FlowUp S.r.l., is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered voice agent service that connects with email, WhatsApp, phone (voice calls), SMS, web chatbot, and other communication channels.

By using our service, you agree to the collection and use of information in accordance with this policy. This policy complies with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and other applicable data protection laws.

2. Data Controller Information

The data controller responsible for your personal data is:

FlowUp S.r.l.

P.IVA: 02629740466

Registered Address: Via Gireto 246, 55041 Camaiore (LU), Italia

Email: admin@vendracall.com

Data Protection Officer: dpo@vendracall.com

3. Information We Collect

3.1 Information You Provide Directly:

  • Account registration data (name, email address, phone number, company name)
  • Billing information (payment card details processed by Stripe, billing address)
  • Communication content (voice call recordings, transcripts, messages, emails)
  • Business documents (scripts, FAQs, pricing information, company knowledge base)
  • Calendar and scheduling preferences
  • CRM data synced through authorized integrations
  • Support requests and correspondence

3.2 Information Collected Automatically:

  • Device information (browser type, operating system, device identifiers)
  • IP address and approximate geolocation
  • Usage data (pages visited, features used, interaction patterns)
  • Call metadata (duration, timestamps, call outcomes, caller ID)
  • Cookies and similar tracking technologies
  • Log files and error reports

3.3 Information from Third Parties:

  • CRM platforms (Salesforce, HubSpot, Pipedrive, Zoho) - contact and lead data
  • Calendar services (Google Calendar, Microsoft Outlook, Calendly) - scheduling data
  • Telephony providers (Twilio, Telnyx, Vonage) - call data and recordings
  • Messaging platforms (WhatsApp via Meta Business API, Telegram) - message content
  • Payment processors (Stripe) - transaction data
  • OAuth providers (Google, Microsoft) - authentication data

4. Legal Basis for Processing (GDPR Article 6)

We process your personal data based on the following legal grounds:

  • Contract Performance: Processing necessary to provide our AI voice agent services as agreed in our Terms of Service
  • Legitimate Interests: Business operations, fraud prevention, security, and service improvement
  • Consent: Marketing communications, optional data collection, and certain cookie usage
  • Legal Obligation: Compliance with applicable laws, tax requirements, and regulatory requests

5. How We Use Your Information

We use collected information for the following purposes:

  • Providing AI voice agent services (call handling, transcription, scheduling)
  • Processing and routing communications across all channels
  • Training and improving our AI models (using anonymized/aggregated data only)
  • Processing payments and managing subscriptions
  • Sending transactional emails (receipts, service updates, security alerts)
  • Providing customer support and responding to inquiries
  • Analyzing usage patterns to improve our services
  • Detecting and preventing fraud, abuse, and security threats
  • Complying with legal obligations and regulatory requirements
  • Marketing communications (with explicit consent, opt-out available)

6. Third-Party Service Providers & Integrations

We integrate with and share data with the following categories of third-party services:

6.1 Meta Platforms (Facebook/WhatsApp)

  • WhatsApp Business API: We process WhatsApp messages on behalf of businesses using our platform
  • Data shared: Phone numbers, message content, delivery status, user opt-in status
  • Purpose: Enabling WhatsApp communication channels for customer service
  • Meta's Privacy Policy: https://www.facebook.com/privacy/policy

6.2 Google Services

  • Google Calendar API: Calendar access for appointment scheduling
  • Google OAuth: Authentication and account linking
  • Google Analytics: Website usage analytics (anonymized)
  • Google Cloud Platform: Infrastructure and AI services
  • Data shared: Calendar events, authentication tokens, usage metrics
  • Google's Privacy Policy: https://policies.google.com/privacy

6.3 Microsoft Services

  • Microsoft Outlook Calendar: Calendar integration for scheduling
  • Microsoft OAuth: Authentication and account linking
  • Azure Services: Cloud infrastructure and AI processing
  • Data shared: Calendar events, authentication tokens
  • Microsoft's Privacy Policy: https://privacy.microsoft.com

6.4 CRM Platforms

  • Salesforce: Contact sync, lead management, activity logging
  • HubSpot: Contact management, deal tracking, communication logs
  • Pipedrive: Pipeline management, contact synchronization
  • Zoho CRM: Contact and deal management
  • Data shared: Contact information, call logs, transcripts, outcomes
  • Purpose: Enabling CRM synchronization as configured by users

6.5 Calendar & Scheduling

  • Google Calendar: Appointment booking and availability sync
  • Microsoft Outlook: Calendar integration
  • Calendly: Scheduling link integration
  • Cal.com: Open-source scheduling integration
  • Data shared: Availability, booked appointments, attendee information

6.6 Telephony & Communications

  • Twilio: Voice calls, SMS messaging, phone number provisioning
  • Telnyx: Voice calls, SMS, and SIP trunking
  • Vonage: Voice and messaging APIs
  • Data shared: Call recordings, transcripts, phone numbers, SMS content
  • TCPA Compliance: All calls comply with Telephone Consumer Protection Act requirements

6.7 AI & Machine Learning

  • OpenAI (GPT-4): Natural language processing for conversations
  • Anthropic (Claude): AI conversation handling
  • Google AI (Gemini): Multi-modal AI processing
  • Azure OpenAI: Enterprise AI services
  • Azure Cognitive Services: Speech-to-text, text-to-speech
  • Data shared: Anonymized conversation data for AI processing
  • Note: Your data is NOT used to train third-party AI models without explicit consent

6.8 Payment Processing

  • Stripe: Payment processing, subscription management, invoicing
  • Data shared: Billing information, transaction history
  • PCI-DSS Compliance: All payment data handled according to PCI standards
  • Stripe's Privacy Policy: https://stripe.com/privacy

6.9 Automation Platforms

  • Zapier: Workflow automation and integrations
  • Make (Integromat): Process automation
  • n8n: Open-source workflow automation
  • Data shared: As configured by user-created automations

7. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including:

  • European Union (primary data center location)
  • United States (cloud service providers, AI processing)
  • Other countries where our service providers operate

For transfers outside the EEA, we ensure appropriate safeguards through:

  • EU-US Data Privacy Framework certification (where applicable)
  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Binding Corporate Rules for intra-group transfers
  • Adequacy decisions by the European Commission

8. Data Retention

We retain your data for the following periods:

  • Account data: Duration of account plus 3 years for legal compliance
  • Call recordings: 90 days default (configurable up to 2 years)
  • Transcripts: 1 year default (configurable)
  • Billing records: 7 years (legal requirement)
  • Support tickets: 3 years from resolution
  • Analytics data: 26 months (anonymized)
  • Marketing consent records: Duration of consent plus 3 years

You may request earlier deletion of your data, subject to legal retention requirements.

9. Your Rights Under GDPR (EU/EEA Residents)

If you are located in the European Economic Area, you have the following rights:

  • Right of Access (Article 15): Obtain a copy of your personal data
  • Right to Rectification (Article 16): Correct inaccurate personal data
  • Right to Erasure (Article 17): Request deletion of your personal data ('right to be forgotten')
  • Right to Restriction (Article 18): Limit how we process your data
  • Right to Data Portability (Article 20): Receive your data in a machine-readable format
  • Right to Object (Article 21): Object to processing based on legitimate interests
  • Right to Withdraw Consent (Article 7): Withdraw consent at any time
  • Right to Lodge a Complaint: File a complaint with your local data protection authority

To exercise these rights, contact us at dpo@vendracall.com. We will respond within 30 days.

10. Your Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under CCPA and CPRA:

  • Right to Know: Request disclosure of personal information collected, used, and disclosed
  • Right to Delete: Request deletion of your personal information
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out: Opt out of the 'sale' or 'sharing' of personal information
  • Right to Limit Use: Limit use of sensitive personal information
  • Right to Non-Discrimination: No discrimination for exercising your privacy rights

WE DO NOT SELL YOUR PERSONAL INFORMATION.

We do not 'share' personal information for cross-context behavioral advertising.

To exercise these rights, email privacy@vendracall.com or use our online request form.

11. Other Applicable Privacy Laws

11.1 TCPA (Telephone Consumer Protection Act - USA)

  • We obtain proper consent before making automated calls or sending SMS messages
  • We maintain internal Do-Not-Call lists and honor opt-out requests
  • Calls are made only during permitted hours (8am-9pm recipient's local time)
  • Our platform includes TCPA compliance features for all users

11.2 CAN-SPAM Act (USA)

  • All marketing emails include clear unsubscribe links
  • We honor unsubscribe requests within 10 business days
  • Emails include valid physical address and accurate sender information

11.3 CASL (Canada's Anti-Spam Legislation)

  • Express or implied consent obtained before sending commercial electronic messages
  • Clear identification and contact information in all messages
  • Easy unsubscribe mechanism in all communications

11.4 LGPD (Brazil)

  • We process data of Brazilian residents in accordance with LGPD requirements
  • Legal bases for processing include consent, contract, and legitimate interests
  • Data subject rights are honored as per LGPD provisions

11.5 PIPEDA (Canada)

  • Personal information is collected with knowledge and consent
  • Collection is limited to purposes identified at or before collection
  • Information is retained only as long as necessary for stated purposes

12. Data Security

We implement comprehensive security measures to protect your data:

  • End-to-end encryption for all voice calls and messages (AES-256)
  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for data at rest
  • SOC 2 Type II certified infrastructure
  • ISO 27001 certified information security management
  • HIPAA-compliant data handling for healthcare customers
  • Regular penetration testing and security audits
  • Multi-factor authentication (MFA) for all accounts
  • Role-based access control (RBAC)
  • 24/7 security monitoring and intrusion detection
  • Incident response plan and breach notification procedures

13. Cookies and Tracking Technologies

We use the following types of cookies:

Essential Cookies (Required)

Necessary for website functionality, authentication, and security. Cannot be disabled.

Analytics Cookies (Optional)

Help us understand how visitors use our website. Includes Google Analytics (anonymized IP).

Marketing Cookies (Optional)

Used for targeted advertising. Only enabled with explicit consent.

You can manage cookie preferences through our Cookie Consent Banner or your browser settings.

14. Children's Privacy

Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected data from a child, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at privacy@vendracall.com.

15. Changes to This Privacy Policy

We may update this Privacy Policy periodically. We will notify you of material changes via email or prominent notice on our website at least 30 days before changes take effect. Continued use of our services after changes constitutes acceptance of the updated policy.

16. Data Protection Officer

Our Data Protection Officer can be contacted for any privacy-related inquiries:

Data Protection Officer

Email: dpo@vendracall.com

Via Gireto 246, 55041 Camaiore (LU), Italia

17. Supervisory Authority

If you are in the EU/EEA and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection authority. For Italy, this is:

Garante per la protezione dei dati personali

Website: https://www.garanteprivacy.it

Email: protocollo@gpdp.it

18. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy:

Company: FlowUp S.r.l. (operating as Vendra AI)

P.IVA: 02629740466

Contact Person: Nicola Marchetti

General Inquiries: admin@vendracall.com

Privacy Requests: privacy@vendracall.com

Data Protection Officer: dpo@vendracall.com

Address: Via Gireto 246, 55041 Camaiore (LU), Italia

Website: vendracall.com

← Back to Home