HomeLogo
Anmelden

Privacy Policy

This Privacy Policy describes our data practices, including the types of information we collect, how it is processed, and the choices you have regarding your personal data when using ZTECHAI’s software and AI solutions.

Effective Date: January 11, 2026
Privacy contact / DPO: privacy@ztechai.us

This Privacy Policy explains how ZTECHAI LLC (“ZTECHAI,” “we,” “us,” or “our”) collects, uses, discloses and protects personal data when we provide our AI voice agents, AI automation, dashboards, integrations and related services (collectively, the “Services”). This Policy describes data we collect directly, data received from Clients (as defined in your agreement), how we process and share data, retention, security practices, and the choices available to data subjects.

Because ZTECHAI provides B2B services (we build and host AI voice agents and related automation for business Clients), this Policy addresses:

  • how Clients supply and control their end-customer data;

  • how we act as a Processor on behalf of Clients (and when requested will sign Data Processing Addenda / BAAs); and

  • the rights and options available to Clients and their end-customers.

If you are a Client of ZTECHAI, your contractual statement of work (SOW) and any executed DPA/BAA describe more specific obligations. If you are an end-user interacting with an AI agent deployed by a Client, please consult the Client’s privacy communications for additional information about how that Client uses your data.

1. Summary — key points (short)

  • We collect call metadata, recordings, transcripts, interaction logs and information required to deliver Services.

  • Default retention for recordings & transcripts: 14 days for dashboard processing, after which material is routed to the Client’s CRM or exported per the Client’s instructions (longer retention available for a fee).

  • ZTECHAI is generally a data processor; Clients are the data controllers and must obtain consents where required.

  • We rely on third-party processors (telephony, LLMs, cloud providers). We do not disclose personal data to third parties except as needed to provide Services or as directed by the Client.

  • We will sign Data Processing Addenda (DPAs) and Business Associate Agreements (BAAs) where appropriate.

  • Contact privacy@ztechai.us to make data requests, request a DPA/BAA, or raise concerns.

2. What personal data we collect

We collect the categories of data necessary to design, deploy, operate and maintain AI voice agents, dashboards, integrations, and analytics.

A. Data collected from Clients (directly)

  • Company name, billing information, email, phone, contact person information.

  • API keys, credentials and integration details that Clients provide for linking to CRMs, calendars, ERPs, telephony providers, storage, etc.

B. Data collected about end-users / callers / agent interlocutors

Depending on how a Client configures an agent and the nature of the Client’s business, ZTECHAI may process:

  • Caller phone numbers and Caller ID;

  • Call recordings (voice audio) and call transcripts;

  • Call metadata: call date/time, duration, call direction (inbound/outbound), agent ID, routing logs;

  • Conversational content (words spoken, typed inputs in chat widgets);

  • Names, email addresses, physical addresses, appointment details, and other contact or identifier data captured during an interaction;

  • CRM identifiers or other identifiers supplied by the Client;

  • Analytics and usage data (event logs, interaction counts, performance metrics);

  • Device and connection data for web widgets (IP address, browser user-agent, session data) when users interact with embedded chat widgets.

C. Payment & billing data

  • For billing we may process billing names and billing contacts; payments are processed via PCI-compliant third-party payment processors. ZTECHAI does not store full payment card numbers on our systems unless explicitly agreed and processed via a certified provider.

D. Cookies & tracking

  • Website cookies and analytics (see Section 9).

3. How we obtain data

  • Directly from Clients when onboarding, during SOW execution, or when Clients upload files.

  • Directly from end-users when they interact with an AI agent (voice or chat), enter information into a widget, or call a configured phone number.

  • Automatically through our dashboard and analytics systems (logs, usage metrics, cookies).

  • From third-party services that Clients connect (CRMs, telephony providers, LLM providers), as permitted by the Client.

4. Purposes and legal bases for processing

We process personal data to deliver and improve the Services:

Purposes

  • Provide, configure, host and run AI voice agents, chat widgets and integrations;

  • Record, transcribe and store interactions for dashboard analytics and routing to Client CRM;

  • Train and refine Client-specific agents (using Client data only for that Client’s agent) as necessary to provide the Services;

  • Billing, invoicing and payment processing;

  • Customer support, troubleshooting and quality control;

  • Fraud detection, abuse prevention and security;

  • Compliance with legal obligations and responding to lawful requests;

  • Aggregated/anonymous analytics and product improvement (see Section 7).

Legal bases (GDPR)

For EU data subjects, legal bases we rely on include:

  • Performance of a contract — to provide the Services requested by a Client;

  • Legitimate interests — for analytics, fraud prevention, security, and service improvements (balanced with data subject rights);

  • Consent — where required (for marketing communications, tracking cookies, or in cases Clients configure agents to require explicit consent).

For HIPAA-covered data, processing occurs only under an executed BAA and limited to the purposes necessary for the Services.

5. Who controls data & who processes it

  • Clients are typically the Controllers of end-user personal data for interactions occurring through agents they commission. Clients determine what data to collect, how to use it, and what lawful basis applies.

  • ZTECHAI acts as a Processor for Client data. We process data only on documented instructions from the Client or as necessary to provide the Services. When required, we will execute a DPA or a BAA prior to processing regulated health data.

If ZTECHAI processes any personal data as a Controller (rare, e.g., for our demo site leads), we will identify that processing and provide relevant notices.

6. Data retention, routing & deletion

  • Default retention: Call recordings, transcripts and associated logs are retained by ZTECHAI for 14 days (dashboard processing and operational use) unless the Client requests otherwise. After 14 days we will route or transfer the data to the Client’s CRM/ERP per the Client’s configuration or delete it if so instructed.

  • Extended retention: Clients may request extended retention of recordings/transcripts for an additional fee; such retention will be documented in the SOW.

  • Backups & residual copies: Backups or logs may persist for a short period for disaster recovery or to meet legal obligations; such residual copies are subject to security controls.

  • Deletion on termination: On contract termination, we will delete or return personal data per the SOW and documented instructions. If export or extended retention has been requested and paid for, we will follow that arrangement.

  • Legal holds: We may retain data if required to comply with legal obligations, investigations, litigation, or enforcement actions.

7. Use of data for AI training & improvements

  • Client-specific training: We use Client-provided data to train and tune that Client’s agents so the agent performs well for that Client’s business.

  • No reuse without consent: We will not use Client personal data to train or improve our general-purpose models or other Clients’ agents without explicit, documented consent.

  • Aggregated insights: We may use de-identified or aggregated data (which does not reasonably identify an individual) to analyze, monitor, and improve our Services.

If you require stricter controls (e.g., no use even for de-identified analytics), we will document and implement those restrictions in a DPA.

8. Data sharing & disclosures

We may share personal data as follows:

A. With third-party processors

We use third-party processors to provide core functionality (telephony carriers, LLM providers, cloud infrastructure, storage, transcription, CRM connectors, analytics, payment processors). Examples include (but are not limited to): telephony providers (Twilio, Vapi, others), LLM providers (OpenAI, Anthropic, OpenRouter or other providers the Client selects), cloud and storage providers (OVH, AWS, GCP, Contabo), CRM platforms (HubSpot, Zoho, Salesforce), and analytics providers (Google Analytics, Meta Pixel). These processors act under contract and only process data on our instructions.

B. As directed by a Client

We will share or export data to a Client’s CRM, ERP or third-party endpoint when the Client configures the integration.

C. For legal reasons

We may disclose personal data to comply with legal obligations, to respond to lawful requests by public authorities, or to protect rights, safety and property.

D. Merger, sale or corporate transaction

If ZTECHAI is involved in a merger, acquisition or sale of assets, personal data may be transferred as part of that transaction. We will notify Clients in advance and, where required, provide choices consistent with applicable law.

9. Cookies, tracking & analytics

  • We use cookies and similar technologies on our website and dashboard for session management, security, analytics and performance. Cookies may be first-party or third-party (for example analytics pixels).

  • We provide a cookie banner and consent mechanism where required by law. You can control cookie preferences via the cookie banner and browser settings.

  • Analytics providers we use may collect IP addresses and other technical information; refer to those providers’ privacy docs for details.

10. Security measures

We implement reasonable administrative, technical and physical safeguards appropriate to the risk, including:

  • Access controls and role-based permissions;

  • Encryption of data in transit (TLS) and at rest where supported by the storage provider;

  • Network and host security controls, logging and monitoring;

  • Regular backups and disaster recovery planning;

  • Vetting and contractual obligations for third-party processors.

While we use industry-standard safeguards, no security is perfect. We cannot guarantee absolute protection. Where required by law or contract, we will provide breach notifications to Clients and cooperate in incident response.

11. International transfers & safeguards

ZTECHAI processes and stores data in the United States and on OVH cloud infrastructure (which may involve transfers to or processing in other jurisdictions). Transfers of personal data across borders are undertaken with appropriate safeguards such as Standard Contractual Clauses (SCCs), DPAs, or other lawful transfer mechanisms where required by law. Clients may request more detail about locations and safeguards; we will provide this in our DPA.

12. Data subject rights (GDPR & similar)

Where applicable and where we are the controller, or where Clients instruct us to assist, data subjects have rights including:

  • Access to their personal data;

  • Rectification of inaccurate data;

  • Erasure (right to be forgotten) where legal grounds permit;

  • Restriction of processing;

  • Portability of data in a commonly used format;

  • Object to processing based on legitimate interests;

  • Withdraw consent (where processing is based on consent).

How to exercise rights: Data subjects or Clients should submit requests to privacy@ztechai.us. If ZTECHAI is a Processor, we will promptly forward any data subject request to the relevant Client (Controller) and assist to the extent required by the contract and law.

We may require verification of identity before responding to a request. We will respond within applicable legal timeframes (for GDPR, typically one month, extendable in complex cases).

13. HIPAA & health data

  • If a Client is a HIPAA Covered Entity and elects to use our Services to process Protected Health Information (PHI), ZTECHAI will execute a Business Associate Agreement (BAA) prior to processing PHI. Processing of PHI will be limited to the purposes described in the BAA.

  • ZTECHAI will implement reasonable safeguards required by HIPAA, but execution of a BAA does not shift ultimate compliance responsibility from the Covered Entity (Client).

14. Minors

Our Services are intended for business use. We do not knowingly collect personal data from children under 18. If you believe we have collected data for a minor, contact privacy@ztechai.us to request deletion.

15. Marketing communications

  • We send operational communications (service notices, billing, support) as needed.

  • Promotional or marketing communications will only be sent with your consent or where a pre-existing business relationship permits. You may opt out of marketing communications at any time via the unsubscribe link in marketing emails or by emailing privacy@ztechai.us.

16. Retention & backups — practical notes

  • Default: recordings & transcripts retained 14 days to enable dashboard functionality and exports. After 14 days we will route or delete as instructed by the Client.

  • Export: Clients are encouraged to export and store necessary data (their CRM/ERP). If a Client requests extended storage with ZTECHAI, we will document duration and fees in the SOW.

  • Legal hold exceptions apply.

17. Data breaches & notifications

If ZTECHAI becomes aware of a security breach that results in unauthorized access to personal data we control, we will:

  1. Notify affected Clients without undue delay and provide relevant information about the nature and scope of the incident;

  2. Cooperate with Clients and authorities in investigation and remediation; and

  3. Provide reasonable assistance for regulatory reporting as required.

Where ZTECHAI is a Processor, our primary obligation is to notify and assist the Client (Controller). We will not notify end-users directly unless required by law or directed by the Client.

18. Third-party links & embedded agents

  • Embedded agents, widgets or links may involve third-party content or connectors. ZTECHAI is not responsible for the privacy practices of third parties. Clients embedding agents are responsible for ensuring required notices and consents are presented to their end-users.

19. Changes to this Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated to Clients in advance (at least 30 days for substantive changes affecting Clients) and posted with an updated effective date. Continued use after notification constitutes acceptance of the changes.

20. Contact, DPA & BAA requests, complaints

  • Privacy contact / DPO: privacy@ztechai.us

  • To request a Data Processing Addendum (DPA) or Business Associate Agreement (BAA) for HIPAA, email privacy@ztechai.us.

  • If you are a data subject and wish to exercise rights, or you have questions or complaints, contact privacy@ztechai.us.

  • If you remain unsatisfied after contacting us, data subjects have the right to lodge a complaint with an applicable supervisory authority (for EU residents: the relevant Data Protection Authority).

21. Additional information

  • Controller & Processor details: ZTECHAI LLC (registered in Montana, USA) — Clients are generally Controllers of their end-user data.

  • Locations: Data is processed and stored in the United States and with OVH cloud infrastructure (locations may vary by configuration). For details about exact storage locations for a given Client deployment, request the information from privacy@ztechai.us.

  • Legal basis summary: contract performance, legitimate interest, and consent (where applicable).