Privacy Policy

Last updated: 2 May 2026

BookedCalls.ai is a service operated by Epic Software Labs Ltd, a company registered in England and Wales (company number 16576534) with its registered office at 85 Great Portland Street, First Floor, London W1W 7LT (“BookedCalls”, “we”, “us”, “our”). This policy explains how we collect, use, and protect personal data in connection with our website (bookedcalls.ai), our admin and client applications, and the booked-calls service we deliver to B2B customers.

We process personal data in two distinct roles:

  • As data controller for personal data we collect about visitors to our marketing site and our signed-in users (e.g. agency operators, our customers’ authorised users).
  • As data processor on behalf of our customers when we process the contact details of their prospects (the recipients of outreach campaigns the customer instructs us to run). For this category, our customer is the data controller and is responsible for ensuring a lawful basis for the processing exists.

1. Personal data we collect

1.1 Site visitors

  • Pages viewed, referrer, UTM parameters, approximate IP-derived geolocation, device and browser type (via PostHog).
  • Any data you submit through forms (contact, calculator email captures): name, company, email, phone (where given), message body.

1.2 Signed-in users (agency operators and customer team members)

  • Account identity from Clerk: email address, name, profile picture (where supplied via OAuth).
  • Activity metadata: workspace memberships, last active time, role.
  • Inbox grants: when you connect a Microsoft 365 or Google mailbox via Nylas, we store the access grant token and the connected email address. We do not store the raw email body content; we read it on demand via the Nylas API.

1.3 Billing data

  • For paying customers: company name, billing email, VAT number (where applicable). Payment method details (bank details for BACS Direct Debit, last-4 digits of card) are stored by Stripe; we hold only references (Stripe customer/subscription IDs).

1.4 Outreach prospect data (processor role)

When a customer instructs us to run outreach on their behalf, we process the prospects’ business contact information — typically name, business email, job title, company name, LinkedIn URL, and any enrichment fields (industry, company size, technologies in use). The customer determines the source and lawful basis for this data.

2. Lawful basis for processing

Processing | Lawful basis
Operating the marketing site and analytics | Legitimate interests (running and improving our business)
Setting cookies for analytics and consent management | Consent (PECR / GDPR Art. 6(1)(a))
Operating customer accounts and delivering the contracted service | Performance of a contract (GDPR Art. 6(1)(b))
Marketing emails to prospective customers (B2B only) | Legitimate interests (GDPR Art. 6(1)(f)) — documented LIA available on request
Stripe payment processing | Performance of a contract; legitimate interest in fraud prevention
Outreach prospect processing (when we act as processor) | Determined by the customer (controller) — typically legitimate interests for B2B outreach or consent where required

3. Sub-processors and third-party services

We use a small number of carefully chosen sub-processors to deliver the service. The complete and current list is maintained at bookedcalls.ai/sub-processors.

We notify customers of new sub-processors via email at least 14 days before they begin processing customer data, giving the customer the opportunity to object.

4. International transfers

We host all customer data in the European Union (Convex EU region, Stripe EU). Some sub-processors (e.g. OpenAI, Anthropic for AI generation) may process data in the United States. Where transfers occur outside the UK or EEA, we rely on Standard Contractual Clauses (SCCs) approved by the UK ICO and the European Commission, and any applicable adequacy decisions.

5. Data retention

  • Marketing site analytics: 12 months (PostHog default).
  • Account data: for the duration of your account plus 90 days after closure for legal/finance reasons.
  • Outreach prospect data: held for the duration of the customer’s contract, then deleted within 30 days of termination unless retention is required for compliance or audit.
  • Suppression list entries: retained indefinitely (this is itself a privacy-protective record).
  • Billing records: 7 years from invoice date (UK statutory accounting period).
  • Backups: rolling 30-day window; deleted data clears from backups within that window.

6. Your rights

Under the UK GDPR you have the right to: access your personal data; correct inaccurate data; request erasure; restrict or object to processing; data portability; withdraw consent (where consent is the basis); and lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk).

To exercise any of these, email privacy@bookedcalls.ai. We will respond within 30 days.

If you are a prospect who has received outreach from one of our customers and wish to exercise your rights regarding that processing, please contact the customer directly (the controller), or contact us and we will route the request appropriately.

7. Security

We employ industry-standard technical and organisational measures: TLS 1.2+ for data in transit, encryption at rest for sensitive fields, role-based access control, multi-factor authentication for staff, and regular access reviews. We will notify affected customers and the ICO within 72 hours of confirming any personal data breach that is likely to result in a risk to data subjects.

8. Children

Our service is designed for B2B use and is not directed at anyone under 18. We do not knowingly collect data from children.

9. Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top reflects the most recent change. Material changes will be notified to signed-in users via in-app notice or email.

10. Contact

BookedCalls.ai (operated by Epic Software Labs Ltd)
85 Great Portland Street, First Floor, London W1W 7LT, United Kingdom
Privacy enquiries: privacy@bookedcalls.ai
Data Protection Officer: dpo@bookedcalls.ai
General support: hello@bookedcalls.ai