Privacy Policy

BubblyPhone Agents is operated by Inhype Live Limited, a company registered in England and Wales (Company Number: 13379772). We provide a telephony API platform that enables developers to connect AI assistants to real phone calls.

We collect information you provide directly to us, including:

• Account information: name, email address, company name, and password when you register.
• Billing information: payment card details processed securely via Stripe. We do not store raw card numbers.
• API credentials: API keys you generate and any third-party credentials you supply (e.g. AI provider keys).
• Usage data: call logs, call duration, webhook events, and API request logs.
• Communications: messages you send to our support team.

We also collect information automatically, including:

• IP addresses, browser type, and operating system.
• Pages visited, time spent, and referral URLs.
• Error logs and diagnostic data.

The platform supports a BYOK model. If you supply third-party API keys (e.g. for OpenAI, Google Gemini, Groq, or other providers), those credentials are:

• Stored encrypted at rest in our database.
• Used solely to authenticate outbound requests on your behalf.
• Never shared with other customers or used for any other purpose.

When your phone calls are processed through an AI assistant integration (e.g. via ChatGPT, Claude, or Cursor using the Model Context Protocol):

• Audio streams may be forwarded to your configured AI provider.
• Transcripts and media are governed by your provider’s privacy policy.
• We do not train any AI models on your call audio or transcripts.
• We store call metadata (duration, timestamps, call IDs) for billing and debugging.
• Data exposed to the AI assistant is determined by the OAuth scopes you grant during authorization.
• You can revoke access at any time by disconnecting the app in your AI assistant’s settings.

We use the information we collect to:

• Provide, maintain, and improve the Service.
• Process payments and generate invoices.
• Send transactional emails (account creation, billing receipts, alerts).
• Respond to your support requests.
• Detect and prevent fraud and abuse.
• Comply with legal obligations.

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data on the following legal bases:

• Contract performance: processing necessary to provide the Service you have subscribed to.
• Legitimate interests: security monitoring, fraud prevention, and service improvement.
• Legal obligation: compliance with applicable laws and regulations.
• Consent: where we have obtained your explicit consent (e.g. marketing communications).

We do not sell your personal data. We share data only with:

• Service providers:Stripe (payments), DigitalOcean (hosting), Telnyx (telephony), Cloudflare (CDN & storage), and other infrastructure providers, under data processing agreements.
• AI providers: only as directed by your BYOK configuration.
• Law enforcement: when required by applicable law or valid legal process.

• API request logs: 30 days.
• Call recordings: 90 days (configurable per account).
• Call transcripts: 90 days.
• Call metadata (CDR): 90 days.
• Account data: duration of account plus 6 years.
• Billing and transaction records: 7 years (legal requirement).
• You may request deletion of personal data not required for legal compliance.

Our infrastructure is located in the United States (DigitalOcean), with global presence via Cloudflare. Telnyx, our telephony carrier, is US-based. For transfers outside the UK/EEA, we rely on Standard Contractual Clauses (SCCs) and adequacy decisions where available.

Under GDPR and applicable UK data protection law, you have the right to:

• Access the personal data we hold about you.
• Rectification of inaccurate or incomplete data.
• Erasure(“right to be forgotten”) in certain circumstances.
• Restriction of processing in certain circumstances.
• Portability of your data in a machine-readable format.
• Object to processing based on legitimate interests.
• Withdraw consent at any time where processing is based on consent.
• Lodge a complaint with the ICO (UK) or your relevant EU supervisory authority.

To exercise your rights, contact us at hello@bubblyphone.com.

We use strictly necessary cookies to maintain your login session and CSRF protection. We do not use advertising or tracking cookies. You can configure your browser to refuse cookies, but this may affect Service functionality.

We implement industry-standard security measures including:

• TLS encryption for data in transit.
• AES-256 encryption for sensitive data at rest.
• API keys stored as SHA-256 hashes.
• Rate limiting and IP whitelisting.
• Restricted access to production systems.
• Regular security reviews.
• Breach notification: within 72 hours to the ICO; prompt notification to affected users when there is high risk.

No method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

If you use our API to build services for your own end-users, you are the data controller for the personal data of those end-users. You must:

• Maintain your own privacy policy covering your use of BubblyPhone.
• Obtain appropriate consent for call recording in your jurisdiction.
• Comply with all applicable data protection laws.

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us.

We will notify registered developers by email of any material changes to this policy. Changes take effect 30 days after notification unless a longer period is required by law. Continued use of the Service after changes constitutes acceptance of the updated policy.

For privacy-related questions or to exercise your rights:

Inhype Live Limited
Company Number: 13379772
Email: hello@bubblyphone.com
Website: agents.bubblyphone.com