PRIVACY POLICY
Company: CallPro UK Limited
Company Number: 16801755
Last Updated: 20/10/2025
Version: 1.0
QUICK SUMMARY
CallPro UK provides AI receptionist services. This means we handle phone calls on behalf of our clients.
Here's what you need to know:
If you call one of our clients: Your call may be answered by our AI, and we'll collect your name, phone number, and reason for calling. Calls may be recorded.
If you're our client (a business or institution): We collect your business information and contact details to provide our service.
We take security seriously: Your data is encrypted and protected.
Your data stays in the UK: We primarily process and store data in the United Kingdom.
You have rights: You can access, correct, or delete your data. See Section 11.
For full details, please read the complete policy below.
TABLE OF CONTENTS
Introduction
Who This Policy Applies To
Information We Collect
How We Collect Your Information
Why We Collect and Use Your Information (Lawful Bases)
How We Use Your Information
Who We Share Your Information With
International Data Transfers
How Long We Keep Your Information
Security of Your Information
Your Rights and Choices
Cookies and Similar Technologies
Children's Privacy
Third-Party Links
Changes to This Privacy Policy
Contact Us
Complaints
1. INTRODUCTION
1.1 About CallPro UK
CallPro UK Limited ("CallPro UK," "we," "us," or "our") is the UK's specialist AI receptionist provider, primarily serving universities, colleges, schools, and other education institutions, as well as general businesses.
Our tagline: Every Client. Every Call.
1.2 Our Commitment to Privacy
We are committed to protecting and respecting your privacy. This Privacy Policy explains:
What personal information we collect
Why we collect it
How we use it
Who we share it with
Your rights regarding your information
How to contact us
1.3 Our Role Under Data Protection Law
CallPro UK acts in different roles depending on the relationship:
As a Data Controller:
For information about our clients (the businesses and institutions who purchase our services)
For information about visitors to our website
For our own marketing and business operations
As a Data Processor:
For information about callers who phone our clients' numbers (where calls are handled by our AI receptionist)
We process this data on behalf of and according to the instructions of our clients (who are the Data Controllers)
1.4 Data Protection Legislation
This Privacy Policy is designed to comply with:
UK General Data Protection Regulation (UK GDPR)
Data Protection Act 2018
Privacy and Electronic Communications Regulations (PECR)
Any other applicable UK data protection laws
2. WHO THIS POLICY APPLIES TO
This Privacy Policy applies to several different groups of people:
2.1 CALLERS (Most Important Group)
If you call a phone number that is answered by CallPro UK's AI receptionist on behalf of one of our clients:
You are calling a business or institution (university, college, school, company, etc.)
Our AI receptionist may answer your call
We collect information about you during the call
Our client is the Data Controller of your information (they determine what happens with your data)
CallPro UK is the Data Processor (we process your data on their behalf)
Questions about how your data is used should be directed to the organization you called
Important: While we explain our practices here, the organization you called is primarily responsible for your data. You should also review their privacy policy.
2.2 CLIENTS
If you are a business or institution that purchases our AI receptionist services:
We collect information about your organization
We collect contact details for your staff members
CallPro UK is the Data Controller for this information
This policy explains how we handle your information
2.3 WEBSITE VISITORS
If you visit our website (callpro.uk):
We collect information about your visit
We use cookies and similar technologies
CallPro UK is the Data Controller for this information
2.4 PROSPECTIVE CLIENTS
If you inquire about our services (but haven't yet become a client):
We collect your contact details and inquiry information
CallPro UK is the Data Controller for this information
2.5 SUPPLIERS AND PARTNERS
If you are a supplier, partner, or service provider to CallPro UK:
We collect your business contact information
CallPro UK is the Data Controller for this information
3. INFORMATION WE COLLECT
The information we collect depends on your relationship with us:
3.1 INFORMATION ABOUT CALLERS (People Who Call Our Clients)
When you call a phone number answered by our AI receptionist, we may collect:
A. Identity and Contact Information:
Your name (first name, last name, title)
Your telephone number (from Caller ID or as provided)
Your email address (if you provide it)
Your postal address (if you provide it)
Your relationship to the organization (e.g., prospective student, customer, patient)
B. Communication Information:
The date and time of your call
The duration of your call
The phone number you called
The content of your conversation with the AI receptionist
Voice recordings of your call (see Section 3.5 below)
Messages you leave
Information you provide in response to questions (e.g., reason for calling, inquiry details, program interest, appointment preferences)
C. Inquiry and Interest Information:
Your reason for calling
Questions you ask
Information you're seeking
Services or products you're interested in
Appointment preferences
Follow-up preferences
D. Education-Specific Information (If Calling an Education Institution):
Your status (prospective student, current student, parent/guardian, alumni)
Program or course interest
Qualification level and subjects
Academic qualifications (if discussing entry requirements)
UCAS ID or application reference (if you provide it)
Previous educational background (if relevant to inquiry)
Funding or scholarship interest
E. Technical Information:
Phone carrier/network information
Location information (general area based on phone number, not precise GPS location)
Technical quality of the call connection
Important Notes:
We do NOT intentionally collect special category data (also known as sensitive personal data) such as health information, racial or ethnic origin, religious beliefs, political opinions, trade union membership, genetic data, biometric data, or information about sex life or sexual orientation.
If you provide special category data during a call (e.g., mentioning a health condition), we will handle it in accordance with data protection law and our client's instructions.
Safeguarding concerns: If you disclose information suggesting you or someone else is at risk of harm, this information may be flagged and immediately escalated to appropriate personnel at the organization you called, in accordance with safeguarding protocols.
3.2 INFORMATION ABOUT CLIENTS (Businesses and Institutions)
When you become a client of CallPro UK, we collect:
A. Organization Information:
Business or institution name
Trading name (if different)
Legal entity type (company, charity, trust, partnership, etc.)
Company registration number / Charity number
VAT number (if applicable)
UKPRN (for education institutions)
Registered office address
Trading addresses and campus locations
Telephone numbers
Email addresses
Website URL
Industry sector
Size and scale of operations
B. Contact Person Information:
Names of staff members we need to communicate with
Job titles and roles
Work email addresses
Work telephone numbers (direct lines, mobile numbers if provided)
Departmental information
C. Services and Configuration Information:
Service plan selected (Starter, Professional, Enterprise, Education Tier 1/2/3)
Custom configuration requirements
Call routing preferences
Scripts and FAQ information you provide
Integration details (CRM, calendar, etc.)
Business hours and holiday closures
D. Financial Information:
Billing address
Payment method details (processed securely by payment processor)
Bank account details (for BACS/Direct Debit)
Purchase order numbers
Payment history
Invoice history
E. Usage Information:
Call volume and patterns
Service usage statistics
Feature usage
Support requests and interactions
Feedback and satisfaction surveys
F. Marketing Preferences:
Whether you wish to receive marketing communications
Communication channel preferences
Areas of interest
3.3 INFORMATION ABOUT WEBSITE VISITORS
When you visit our website, we automatically collect:
A. Technical Information:
IP address
Browser type and version
Operating system
Device type (desktop, mobile, tablet)
Screen resolution
Referring website (where you came from)
Pages visited on our website
Time and date of visit
Time spent on each page
Links clicked
B. Cookies and Similar Technologies:
Information collected via cookies (see Section 12 for full details)
Analytics data
Session information
C. Information You Provide:
Contact form submissions (name, email, phone, message)
Demo request information
Newsletter signup details
Live chat messages (if you use our chat feature)
3.4 INFORMATION ABOUT PROSPECTIVE CLIENTS
If you inquire about our services, we collect:
A. Inquiry Information:
Name
Organization name
Job title
Email address
Phone number
Information about your inquiry (what you're looking for)
How you heard about us
Size of your organization
Current challenges or needs
B. Communication History:
Records of emails, calls, and meetings
Proposals and quotes sent
Follow-up interactions
Demo participation
3.5 CALL RECORDINGS
IMPORTANT: Calls may be recorded.
What We Record:
Audio recordings of telephone conversations between callers and our AI receptionist
These recordings capture the caller's voice, tone, accent, and speech patterns
Recordings include all information communicated verbally during the call
Why We Record:
Quality assurance and service monitoring
Training and improvement of AI models
Dispute resolution and legal compliance
Service improvement and analytics
Safeguarding (for education institutions - recordings may serve as evidence)
Compliance with client instructions and regulatory requirements
Voice Data as Biometric Data: Under UK GDPR, voice recordings may constitute biometric data if used for identification purposes. We do NOT use voice recordings to uniquely identify individuals (e.g., voice recognition for authentication). We use recordings for the purposes listed above only.
Notice Requirements:
Our clients are responsible for providing appropriate notice that calls may be recorded
This is typically done via recorded message when the call connects (e.g., "This call may be recorded for quality and training purposes")
You have the right to object to being recorded - see Section 11
See Section 9 for information on how long we keep call recordings.
4. HOW WE COLLECT YOUR INFORMATION
We collect information in several ways:
4.1 Information You Provide Directly
A. During Phone Calls:
When you call a number answered by our AI receptionist
Information you verbally provide in response to questions
Information in messages you leave
B. Through Our Website:
Contact forms you submit
Demo requests you make
Newsletter signups
Live chat messages
Email correspondence
C. In Written Communications:
Emails you send us
Letters or documents you provide
Contracts and agreements you sign
Information provided during onboarding (for clients)
D. In Meetings and Calls:
Information shared during sales calls, demos, support calls, or meetings
4.2 Information We Collect Automatically
A. Call Data:
Call metadata (date, time, duration, numbers)
Caller ID information
Call recordings (audio)
B. Website Data:
Information collected via cookies and similar technologies
Server logs and analytics
IP addresses and technical information
4.3 Information We Receive from Third Parties
A. From Our Clients:
Information our clients provide to us about their organization, operations, and requirements
FAQs, scripts, and business information used to train our AI
B. From Telecommunications Providers:
Caller ID information
Call routing information
Technical call quality data
C. From Business Information Providers:
Company information from Companies House
Business contact details from legitimate business directories
Industry information
D. From CRM and Other Integrated Systems:
Customer data from CRM systems (where our clients have integrated our service)
Calendar and appointment information
Contact details from address books
5. WHY WE COLLECT AND USE YOUR INFORMATION (LAWFUL BASES)
Under UK GDPR, we must have a "lawful basis" for processing your personal information. Here are the lawful bases we rely on:
5.1 For CALLERS (People Who Call Our Clients)
Primary Lawful Basis: Legitimate Interests
Our clients' legitimate interests in:
Efficiently managing incoming telephone inquiries
Providing excellent customer service
Responding to prospective student or customer inquiries (for education institutions and businesses)
Capturing leads and opportunities
Operating their business or institution effectively
Ensuring quality of service
CallPro UK's legitimate interests in:
Providing our AI receptionist service effectively
Improving our AI models and service quality
Training our systems to better understand inquiries
Preventing fraud and abuse
Balancing Test: We have assessed that these legitimate interests are not overridden by your rights and freedoms because:
You are calling the organization voluntarily to make an inquiry or seek information
The processing is reasonably expected (you expect your call to be answered and your inquiry to be recorded)
The information collected is limited to what is necessary to respond to your inquiry
Appropriate security measures are in place
You are informed about the recording (via recorded message or other notice)
You have the right to object (see Section 11)
Alternative Lawful Bases (Depending on Context):
Contract: Where you are calling about an existing contract (e.g., current students calling their university, existing customers calling a business)
Legal Obligation: Where we must process your information to comply with legal requirements (e.g., safeguarding obligations for education institutions)
Consent: In specific circumstances where consent is obtained (e.g., for recording in certain jurisdictions or situations)
5.2 For CLIENTS (Businesses and Institutions)
Primary Lawful Bases:
A. Contract (GDPR Article 6(1)(b)):
Processing necessary to perform our contract with you (providing the AI receptionist service)
Processing necessary before entering into a contract (e.g., during the sales process)
B. Legitimate Interests (GDPR Article 6(1)(f)):
Our legitimate interests in:
Operating our business efficiently
Improving our services
Marketing our services to similar organizations
Preventing fraud and ensuring security
Defending legal claims
C. Legal Obligation (GDPR Article 6(1)(c)):
Compliance with accounting and tax requirements
Compliance with AML (Anti-Money Laundering) regulations
Responding to lawful requests from authorities
D. Consent (GDPR Article 6(1)(a)):
For marketing communications (where required)
For cookies on our website (where required)
5.3 For WEBSITE VISITORS
Primary Lawful Bases:
A. Legitimate Interests (GDPR Article 6(1)(f)):
Our legitimate interests in:
Operating our website effectively
Understanding how visitors use our website
Improving website user experience
Generating leads for our business
Protecting our website security
B. Consent (GDPR Article 6(1)(a)):
For non-essential cookies (e.g., marketing and analytics cookies)
For newsletter subscriptions
For marketing communications
C. Contract (GDPR Article 6(1)(b)):
When you submit an inquiry or request a demo (steps before entering into a contract)
5.4 For SPECIAL CATEGORY DATA (If Applicable)
We do NOT intentionally collect special category data (sensitive personal information).
If special category data is inadvertently provided to us (e.g., a caller mentions health information during a call), we rely on:
A. Explicit Consent (GDPR Article 9(2)(a)):
Where you have given explicit consent
B. Substantial Public Interest (GDPR Article 9(2)(g)):
For safeguarding of children and vulnerable adults (education institutions)
C. Legal Claims (GDPR Article 9(2)(f)):
Where necessary for legal claims or proceedings
6. HOW WE USE YOUR INFORMATION
6.1 Uses of CALLER Information
We use information about callers to:
A. Provide Our Service:
Answer your call via our AI receptionist
Understand your inquiry and provide appropriate information
Route your call to the right person or department
Take messages and pass them to the appropriate team
Schedule appointments on your behalf
Provide you with information about courses, programs, services, or products
B. Improve Our AI:
Train our AI models to better understand inquiries
Improve voice recognition and natural language understanding
Develop new features and capabilities
Enhance accuracy of responses
Test and refine our systems
C. Quality Assurance:
Monitor quality of interactions
Identify areas for improvement
Ensure compliance with client requirements
Train our client-facing teams
D. Analytics and Reporting:
Generate reports for our clients on call volume, inquiry types, etc.
Analyze trends and patterns (in anonymized/aggregated form)
Provide insights to help our clients improve their operations
E. Safeguarding (Education Institutions):
Identify potential safeguarding concerns
Escalate concerns to appropriate personnel
Maintain records for safeguarding purposes
F. Legal and Compliance:
Comply with legal obligations
Respond to legal requests
Defend or bring legal claims
Investigate complaints or disputes
6.2 Uses of CLIENT Information
We use information about our clients to:
A. Provide Our Service:
Set up and configure your AI receptionist
Train our AI on your specific business/institution information
Route calls according to your preferences
Integrate with your systems (CRM, calendar, etc.)
Provide ongoing support and optimization
Send service notifications and updates
B. Billing and Account Management:
Process payments and invoices
Manage your subscription
Communicate about billing matters
Maintain accurate financial records
C. Customer Relationship:
Respond to your inquiries and support requests
Provide technical support
Conduct performance reviews
Gather feedback and suggestions
Maintain our relationship with you
D. Service Improvement:
Analyze usage patterns to improve our service
Develop new features based on client needs
Benchmark performance
E. Marketing (With Appropriate Consent):
Send you information about new features or services
Provide industry insights and best practices
Invite you to webinars or events
Share case studies and success stories (with your permission)
F. Legal and Compliance:
Comply with legal and regulatory obligations
Maintain records for tax and accounting purposes
Defend or bring legal claims
Investigate security incidents or breaches
6.3 Uses of WEBSITE VISITOR Information
We use information about website visitors to:
A. Operate Our Website:
Display our website to you
Remember your preferences
Provide requested information
Enable website functionality
B. Respond to Inquiries:
Process contact form submissions
Respond to demo requests
Send requested information
Follow up on inquiries
C. Analytics and Improvement:
Understand how visitors use our website
Identify popular content
Improve website design and usability
Test new features
D. Marketing:
Retarget website visitors with relevant ads (with consent)
Send newsletters (with consent)
Generate leads for our business
Track effectiveness of marketing campaigns
E. Security:
Detect and prevent fraud
Protect against security threats
Monitor for malicious activity
7. WHO WE SHARE YOUR INFORMATION WITH
We share personal information with the following categories of recipients:
7.1 OUR CLIENTS (For Caller Information)
Most Important:
When you call a phone number answered by our AI receptionist, your information is shared with the organization you called (our client).
Our clients are the Data Controllers for this information
We share your information with them so they can respond to your inquiry
Information shared includes: your name, contact details, inquiry details, call recordings, and any other information you provide
Our clients may use your information for their own purposes (marketing, admissions, customer management, etc.) in accordance with their own privacy policies
You should review the privacy policy of the organization you called to understand how they will use your information.
7.2 SERVICE PROVIDERS AND SUB-PROCESSORS
We work with trusted third-party service providers who help us deliver our service. These include:
A. Cloud Infrastructure Providers:
[Specify your actual provider, e.g., Amazon Web Services (AWS), Google Cloud Platform, Microsoft Azure]
Purpose: Hosting our platform, storing data, and ensuring service availability
Location: United Kingdom and/or EEA regions
Safeguards: Data Processing Agreements in place, UK GDPR compliant
B. AI and Machine Learning Platform Providers:
[Specify actual providers, e.g., OpenAI, Google Cloud AI, etc.]
Purpose: Powering our AI models, natural language processing, speech recognition
Location: [Specify]
Safeguards: Data Processing Agreements, security measures, UK GDPR compliant
C. Telecommunications Providers:
Various telecommunications carriers and SIP trunk providers
Purpose: Routing and managing telephone calls
Location: United Kingdom
Safeguards: Industry-standard security, encryption
D. Payment Processors:
[E.g., Stripe, GoCardless, etc.]
Purpose: Processing client payments securely
Location: United Kingdom / EEA
Safeguards: PCI DSS compliant, Data Processing Agreements
E. CRM and Business Tools:
[E.g., HubSpot, Salesforce, etc.]
Purpose: Managing client relationships, support tickets, and internal operations
Location: United Kingdom / EEA / US (with appropriate safeguards)
Safeguards: Data Processing Agreements, UK GDPR compliant
F. Email and Communication Services:
[E.g., Google Workspace, Microsoft 365, SendGrid]
Purpose: Email delivery, notifications, internal communications
Location: [Specify]
Safeguards: Data Processing Agreements, encryption, UK GDPR compliant
G. Analytics Providers:
Google Analytics (website analytics)
Other analytics tools for service monitoring
Purpose: Understanding website usage and service performance
Safeguards: Anonymization, Data Processing Agreements, cookie consent
H. Customer Support Tools:
[E.g., Zendesk, Intercom, etc.]
Purpose: Managing support requests and client communications
Location: [Specify]
Safeguards: Data Processing Agreements, UK GDPR compliant
Important Notes:
All service providers are carefully selected and vetted for security and data protection compliance
We have Data Processing Agreements in place with all sub-processors
Sub-processors are contractually obligated to protect personal information
We maintain an up-to-date list of sub-processors (available upon request)
We notify clients of any changes to sub-processors as required by our contracts
7.3 INTEGRATED THIRD-PARTY SYSTEMS (Client Systems)
For our clients who integrate our service with their own systems:
A. CRM Systems (Customer Relationship Management):
Salesforce, HubSpot, Pipedrive, Zoho CRM, etc.
Purpose: Automatically create or update records based on caller information
Data shared: Caller name, contact details, inquiry information, call summaries
B. Student Information Systems (SIS) (Education Clients):
Campus Management Systems, Banner, PeopleSoft, etc.
Purpose: Update prospective student records, track inquiries
Data shared: Prospective student information, inquiry details, interaction history
C. Calendar and Scheduling Systems:
Google Calendar, Microsoft Outlook, Calendly, etc.
Purpose: Schedule appointments and campus tours
Data shared: Caller name, contact details, appointment preferences
D. Marketing Automation Platforms:
Marketo, Pardot, Mailchimp, etc.
Purpose: Add leads to marketing campaigns (with appropriate consent)
Data shared: Contact information, interests, engagement data
Important: When we integrate with your third-party systems, data flows into those systems and becomes subject to their privacy policies and your control as the Data Controller.
7.4 PROFESSIONAL ADVISORS
We may share information with:
Solicitors and legal advisors: For legal advice and representation
Accountants and auditors: For accounting, tax, and audit purposes
Insurance providers: For insurance coverage and claims
Business consultants: For strategic advice and business improvement
Sharing is limited to what is necessary and subject to confidentiality obligations.
7.5 REGULATORY AND LAW ENFORCEMENT AUTHORITIES
We may share information with:
A. Regulatory Bodies:
Information Commissioner's Office (ICO)
Office for Students (OfS) (for education clients)
Competition and Markets Authority (CMA)
Other sector regulators
B. Law Enforcement:
Police
National Crime Agency
Other law enforcement agencies
C. Legal Authorities:
Courts and tribunals
Legal representatives
Government agencies
When required by law or in response to:
Court orders or subpoenas
Legal obligations
National security requirements
Prevention or detection of crime
Protection of vital interests (e.g., safeguarding emergencies)
7.6 BUSINESS TRANSFERS
If CallPro UK is involved in a merger, acquisition, reorganization, sale of assets, or bankruptcy:
Personal information may be transferred to the successor entity
You will be notified of any such change
The successor will be bound by this Privacy Policy (until they notify you of changes)
7.7 WITH YOUR CONSENT
We may share your information with other parties where you have given specific consent, for example:
Using your organization as a case study or testimonial
Featuring your logo on our website
Sharing success stories (with identifying details)
7.8 AGGREGATED AND ANONYMIZED DATA
We may share aggregated, anonymized, or de-identified data that does not identify you personally:
Industry reports and benchmarks (e.g., "UK universities receive an average of X calls during clearing season")
Research and analytics
Marketing materials
Service improvement insights
This data is not considered personal information and is not subject to this Privacy Policy.
8. INTERNATIONAL DATA TRANSFERS
8.1 Where We Store and Process Data
Primary Location: United Kingdom
We primarily store and process personal information within the United Kingdom.
Our servers and main infrastructure are located in UK data centers.
8.2 Transfers Outside the UK
In some limited circumstances, personal information may be transferred to countries outside the United Kingdom:
A. To the European Economic Area (EEA):
Some of our service providers have servers in EEA countries
The UK government has recognized EEA countries as providing adequate data protection
No additional safeguards are required for transfers to the EEA
B. To Other Countries:
If we transfer personal information to countries without an adequacy decision from the UK government, we ensure appropriate safeguards are in place:
1. UK International Data Transfer Agreement (IDTA):
Standard contractual clauses approved by the ICO
Legally binding commitments to protect your data
2. UK Addendum to EU Standard Contractual Clauses:
Where third parties use EU SCCs, we add the UK Addendum
3. Other Approved Mechanisms:
Binding Corporate Rules (BCRs)
Codes of Conduct
Certification mechanisms
8.3 Specific Service Providers
[Note: You should list specific providers and their locations. Example:]
Examples of providers involving international transfers:
[AI Provider Name]: United States - protected by UK IDTA
[Cloud Provider]: EEA regions - adequate protection
[Analytics Provider]: United States - protected by UK IDTA
We maintain an up-to-date list of all sub-processors and their locations, available upon request.
8.4 Your Rights Regarding International Transfers
You have the right to:
Request information about international transfers
Request a copy of the safeguards in place
Object to international transfers in certain circumstances
See Section 11 for how to exercise your rights.
9. HOW LONG WE KEEP YOUR INFORMATION
We retain personal information for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.
9.1 CALLER INFORMATION
A. Call Recordings:
Standard Retention: 90 days
For quality assurance and service improvement
Automatically deleted after 90 days
Extended Retention:
Safeguarding concerns: Retained until matter is resolved, as required by our client's safeguarding policies (may be several years)
Legal claims or disputes: Retained until claim is resolved or time limit for claims has expired
Legal compliance: Where we are required by law to retain recordings (e.g., regulatory requirements)
Client request: Where our client requests longer retention (subject to data protection requirements and legitimate purpose)
B. Call Metadata and Inquiry Information:
During service provision: Retained for the duration of our contract with the client
After contract ends: Retained for up to 30 days to allow client to export data
After 30 days: Securely deleted unless legally required to retain
C. Education-Specific Data:
For prospective student data processed on behalf of education institutions:
Active inquiries: Retained for the duration of the admissions cycle (typically 12-18 months)
Converted students: Data may be transferred to the institution's Student Information System
Non-converted prospects: Deleted after 24 months (or per institution's instructions)
9.2 CLIENT INFORMATION
A. During Active Relationship:
Retained for the entire duration of our contract and service provision
B. After Contract Ends:
Minimum Retention Periods (Legal Requirements):
Financial records (invoices, payments): 6 years (UK tax law requirement)
Contracts and agreements: 6 years after end date (limitation period for contract claims)
Correspondence: 2 years after contract end
After Minimum Retention:
Securely deleted unless there is a legitimate ongoing reason to retain (e.g., ongoing legal claim)
C. Marketing Information:
If you opt out of marketing: Removed from marketing lists immediately
Suppression record retained indefinitely to ensure you're not contacted again
9.3 WEBSITE VISITOR INFORMATION
A. Website Cookies:
See Section 12 for specific cookie retention periods
Analytics cookies: Typically 2 years
Strictly necessary cookies: Session-based (deleted when you close browser)
B. Contact Form Submissions and Inquiries:
Successful conversions (became clients): Converted to client records
Unsuccessful inquiries: 2 years then deleted
Unless you request earlier deletion
C. Newsletter Subscribers:
Until you unsubscribe
After unsubscribing: Suppression record retained to prevent re-subscription
9.4 ANONYMIZED AND AGGREGATED DATA
Indefinitely
Once data is truly anonymized (cannot be linked back to individuals), it is no longer personal data
We may retain anonymized data indefinitely for analytics, research, and service improvement
9.5 BACKUPS
Backups are made regularly for disaster recovery purposes
Personal information in backups is deleted according to our backup retention schedule (typically 90 days)
Once data reaches its retention limit in our live systems, it will also be deleted from backups during the next backup cycle
9.6 DELETION PROCESS
When we delete personal information:
Secure deletion methods are used (overwriting, degaussing, physical destruction)
Data is rendered irrecoverable
Deletion is logged for audit purposes
We can provide certification of deletion upon request
10. SECURITY OF YOUR INFORMATION
We take the security of your personal information seriously and implement appropriate technical and organizational measures to protect it.
10.1 Technical Security Measures
A. Encryption:
Data in transit: All data transmitted over the internet is encrypted using TLS 1.2 or higher (HTTPS)
Data at rest: All personal data stored in our systems is encrypted using AES-256 encryption
Call recordings: Encrypted immediately upon capture
Database encryption: All databases containing personal information are encrypted
B. Access Controls:
Multi-factor authentication (MFA): Required for all administrative access
Role-based access control (RBAC): Staff only have access to data necessary for their role
Principle of least privilege: Minimum necessary access granted
Access logging: All access to personal data is logged and monitored
Regular access reviews: Periodic review of who has access to what
C. Network Security:
Firewalls: Protecting our networks from unauthorized access
Intrusion detection and prevention systems (IDS/IPS): Monitoring for suspicious activity
DDoS protection: Protecting against distributed denial of service attacks
Network segmentation: Separating different parts of our infrastructure
VPN requirements: Secure remote access for staff
D. Application Security:
Secure development practices: Security built into our development process
Code reviews: Regular security-focused code reviews
Vulnerability scanning: Automated scanning for security vulnerabilities
Penetration testing: Regular third-party security testing
Security patching: Prompt application of security updates
E. Data Backup and Recovery:
Regular backups: Automated daily backups
Encrypted backups: All backups are encrypted
Offsite storage: Backups stored in secure, geographically separate locations
Disaster recovery plan: Documented procedures for recovering from incidents
Regular testing: Backup restoration tested regularly
10.2 Organizational Security Measures
A. Staff Security:
Background checks: Conducted for all staff with access to personal data
Confidentiality agreements: All staff and contractors bound by strict confidentiality obligations
Security training: Mandatory security awareness training for all staff
Regular updates: Ongoing security education and updates
Clear desk policy: Physical security measures in offices
B. Data Protection Governance:
Data Protection Officer (DPO): Designated DPO overseeing data protection
Privacy by Design: Privacy considerations built into all new projects
Data Protection Impact Assessments (DPIAs): Conducted for high-risk processing
Regular audits: Internal and external audits of security and data protection practices
Policies and procedures: Comprehensive data protection and security policies
C. Incident Response:
Incident response plan: Documented procedures for responding to security incidents
24/7 monitoring: Continuous monitoring for security threats
Rapid response team: Dedicated team for handling security incidents
Breach notification procedures: Clear processes for notifying affected parties and regulators
Post-incident review: Learning from incidents to improve security
D. Vendor Management:
Vendor due diligence: Security assessment of all service providers
Data Processing Agreements: Contractual security requirements for all sub-processors
Regular vendor reviews: Ongoing monitoring of vendor security
Right to audit: Ability to audit vendor security practices
10.3 Physical Security
A. Data Center Security:
Our data centers (or those of our cloud providers) employ:
24/7 physical security and surveillance
Biometric access controls
Environmental controls (fire suppression, climate control)
Redundant power supplies
SOC 2 Type II or ISO 27001 certification
B. Office Security:
Secure office premises with access control
Visitor management procedures
Secure disposal of physical documents (shredding)
Lock screens and device encryption for all computers
10.4 Security Certifications and Standards
We align our security practices with industry standards including:
ISO 27001: Information Security Management System (working towards certification)
SOC 2 Type II: Security, availability, and confidentiality controls (our cloud providers)
Cyber Essentials: UK government-backed cyber security certification [if applicable]
PCI DSS: For payment card data (our payment processors are PCI compliant)
10.5 Your Role in Security
You can help protect your information by:
Strong passwords: Use strong, unique passwords for any accounts
Keep credentials confidential: Never share login details
Beware of phishing: Be cautious of suspicious emails claiming to be from CallPro UK
Update contact details: Keep your contact information current
Report suspicious activity: Contact us immediately if you suspect unauthorized access
10.6 Data Breaches
In the event of a data breach:
We will investigate immediately
We will contain and mitigate the breach
We will notify the ICO within 72 hours (if required by law)
We will notify affected individuals without undue delay (if required by law)
We will cooperate with any regulatory investigations
We will review and improve our security measures
If you believe there has been a breach of your information, contact us immediately: [email protected]
10.7 Limitations
While we implement robust security measures, please note:
No system is 100% secure - absolute security cannot be guaranteed
Internet transmission is not completely secure
You transmit information to us at your own risk
We are not responsible for circumvention of security measures
We are not liable for unauthorized access resulting from factors outside our reasonable control
11. YOUR RIGHTS AND CHOICES
Under UK GDPR and Data Protection Act 2018, you have important rights regarding your personal information.
11.1 Overview of Your Rights
You have the right to:
Be informed about how your data is used (this Privacy Policy)
Access your personal data
Rectify inaccurate or incomplete data
Erase your data ("right to be forgotten")
Restrict processing of your data
Data portability (receive your data in a usable format)
Object to processing
Rights related to automated decision-making (including profiling)
11.2 Right of Access (Subject Access Request)
You have the right to request:
Confirmation of whether we process your personal data
A copy of your personal data
Information about how we use your data
How to exercise:
Submit a request to: [email protected] or [postal address]
Include: Your name, contact details, description of information requested
Provide ID verification if requested (to protect against fraud)
Our response:
Free of charge (in most cases)
Within one month (may extend to 2-3 months for complex requests)
In a commonly used electronic format (PDF, etc.)
Important for Callers:
If you called one of our clients and want to access information about your call:
Contact the organization you called first - they are the primary Data Controller
They can provide you with comprehensive information about your inquiry
If you specifically need call recording data held by CallPro UK, contact us at [email protected]
11.3 Right to Rectification
You have the right to have inaccurate or incomplete personal data corrected.
How to exercise:
Contact us at: [email protected]
Explain what information is inaccurate or incomplete
Provide correct information
Our response:
Within one month
We may verify the accuracy of new information
We will notify you once corrections are made
We will inform third parties to whom we disclosed the data (where appropriate)
11.4 Right to Erasure ("Right to be Forgotten")
You have the right to request deletion of your personal data in certain circumstances:
When erasure applies:
The data is no longer necessary for the purpose it was collected
You withdraw consent (where processing was based on consent)
You object to processing and there are no overriding legitimate grounds
The data was unlawfully processed
Erasure is required for compliance with a legal obligation
The data was collected from a child for online services
When we may refuse:
We need the data to comply with a legal obligation
We need the data to establish, exercise, or defend legal claims
We need the data for public health or scientific research purposes
Freedom of expression and information rights apply
How to exercise:
Contact us at: [email protected]
Specify what information you want deleted and why
Our response:
Within one month
We will confirm deletion or explain why we cannot delete
We will inform third parties to whom we disclosed the data (where appropriate)
Important for Callers:
If you want your call information deleted:
Contact both us (CallPro UK) AND the organization you called
The organization controls how they use your information
We can delete call recordings and data we hold, subject to legal retention requirements
11.5 Right to Restrict Processing
You have the right to request that we limit how we use your personal data in certain situations:
When restriction applies:
You contest the accuracy of the data (restriction while we verify)
Processing is unlawful but you don't want erasure
We no longer need the data but you need it for legal claims
You have objected to processing (restriction while we verify our legitimate grounds)
Effect of restriction:
We can still store the data
We cannot use the data without your consent (except for legal claims or protecting others' rights)
How to exercise:
Contact us at: [email protected]
Explain why you want restriction
Our response:
Within one month
We will confirm restriction or explain why we cannot restrict
We will inform you before lifting restriction
11.6 Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit it to another controller.
When portability applies:
Processing is based on consent or contract
Processing is carried out by automated means
It is technically feasible
What you can receive:
Personal data you provided to us
In formats such as CSV, JSON, XML
How to exercise:
Contact us at: [email protected]
Specify what data you want and in what format
Our response:
Within one month
Free of charge
Note: This right does not apply to all types of processing (e.g., processing based on legitimate interests).
11.7 Right to Object
You have the right to object to processing of your personal data in certain circumstances.
A. Object to Processing Based on Legitimate Interests:
You can object to processing based on our or our client's legitimate interests
We must stop processing UNLESS we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, OR we need the data for legal claims
How to exercise:
Contact us at: [email protected]
Explain your objection and reasons
B. Object to Direct Marketing:
Absolute right - we must stop immediately
No questions asked, no justification required
How to exercise:
Click "Unsubscribe" in any marketing email
Contact us at: [email protected]
Reply "STOP" to marketing SMS messages
C. Object to Processing for Research or Statistical Purposes:
You can object on grounds relating to your particular situation
We must stop unless processing is necessary for public interest reasons
For Callers:
If you object to your calls being answered by our AI receptionist:
Contact the organization you are calling - they control this decision
They can arrange for your calls to be handled differently
You can also ask not to be contacted further by that organization
11.8 Rights Related to Automated Decision-Making and Profiling
You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects.
Our Use of Automation:
Our AI receptionist makes automated decisions about how to respond to your call
These are NOT "solely automated decisions" with legal or significant effects because:
The AI is providing information and routing calls, not making decisions about you
There is always human oversight and intervention available
Responses are based on your explicit questions and requests
You can always speak to a human if needed
If you believe automated processing is affecting you:
Contact us at: [email protected]
We will review and provide explanation
Human review can be requested
11.9 Right to Withdraw Consent
Where processing is based on your consent, you have the right to withdraw consent at any time.
How to withdraw:
Click "Unsubscribe" in emails (for marketing consent)
Contact us at: [email protected]
Change cookie preferences on our website
Effect:
Withdrawal does not affect the lawfulness of processing before withdrawal
We will stop processing based on that consent going forward
Other lawful bases may still apply
11.10 How to Exercise Your Rights
Contact our Data Protection Officer:
Email: [email protected]
Post: Data Protection Officer, CallPro UK Limited, [Your Address]
Phone: [Your phone number]
What to include in your request:
Your name and contact details
Description of the right you want to exercise
Details of what you're asking for (e.g., specific data, corrections needed)
Proof of identity (if requested - to prevent fraud)
Our Response Timeline:
One month from receipt of request
May extend to 2-3 months for complex requests (we'll notify you)
Free of charge (in most cases)
Exceptions:
We may charge a reasonable fee for clearly unfounded or excessive requests
We may refuse manifestly unfounded or excessive requests
11.11 Important Notes for Callers
If you are a caller who contacted one of our clients:
Your primary contact should be the organization you called:
They are the Data Controller of your information
They make decisions about how your data is used
They can provide you with comprehensive information about your inquiry
They handle requests for access, correction, deletion, etc.
Contact CallPro UK if:
You specifically need call recordings held by us
You have questions about our AI receptionist technology
The organization directs you to us
Contact the organization you called if:
You want to update your contact details
You want to know the status of your inquiry
You want to opt out of their marketing
You want comprehensive information about how they use your data
12. COOKIES AND SIMILAR TECHNOLOGIES
12.1 What Are Cookies?
Cookies are small text files that are stored on your device (computer, phone, tablet) when you visit a website. They help the website remember information about your visit.
Types of cookies:
Session cookies: Temporary, deleted when you close your browser
Persistent cookies: Remain on your device for a set period or until you delete them
First-party cookies: Set by the website you're visiting (callpro.uk)
Third-party cookies: Set by other services (e.g., Google Analytics)
12.2 How We Use Cookies
We use cookies on our website (callpro.uk) for the following purposes:
A. Strictly Necessary Cookies:
These cookies are essential for our website to function. You cannot opt out of these cookies.
Cookie Name
Purpose
Duration
cookie_consent
Remembers your cookie preferences
1 year
session_id
Maintains your session
Session
CSRF_token
Security - prevents cross-site request forgery
Session
B. Performance and Analytics Cookies:
These cookies help us understand how visitors use our website so we can improve it.
Cookie Name
Provider
Purpose
Duration
_ga
Google Analytics
Distinguishes users
2 years
_gid
Google Analytics
Distinguishes users
24 hours
_gat
Google Analytics
Throttles request rate
1 minute
Purpose: Understanding website traffic, popular pages, user journey, device types, etc.
C. Functional Cookies:
These cookies remember your preferences and choices.
Cookie Name
Purpose
Duration
language_preference
Remembers your language choice
1 year
accessibility_settings
Remembers accessibility preferences
1 year
D. Marketing/Advertising Cookies:
These cookies track your browsing to show you relevant ads.
Cookie Name
Provider
Purpose
Duration
_fbp
Facebook advertising tracking
3 months
IDE
Google advertising tracking
13 months
NID
Google advertising preferences
6 months
Purpose: Showing you relevant ads on other websites, measuring ad effectiveness, retargeting.
12.3 Third-Party Services Using Cookies
We use the following third-party services that set cookies:
A. Google Analytics:
Purpose: Website analytics
Data collected: Pages visited, time on site, device type, general location (city-level)
Privacy policy: https://policies.google.com/privacy
Opt-out: Browser add-on available at https://tools.google.com/dlpage/gaoptout
B. Google Ads / Google Marketing Platform:
Purpose: Advertising and retargeting
Data collected: Browsing behavior, ad interactions
Privacy policy: https://policies.google.com/privacy
Opt-out: Ad settings at https://adssettings.google.com
C. Facebook Pixel:
Purpose: Facebook advertising and tracking
Data collected: Page views, conversions
Privacy policy: https://www.facebook.com/privacy/explanation
Opt-out: Ad settings at https://www.facebook.com/ads/preferences
D. LinkedIn Insight Tag:
Purpose: LinkedIn advertising and analytics
Data collected: Page views, conversions
Privacy policy: https://www.linkedin.com/legal/privacy-policy
Opt-out: Settings at https://www.linkedin.com/psettings/guest-controls
12.4 Your Cookie Choices
How to Control Cookies:
A. Cookie Banner:
When you first visit our website, you'll see a cookie banner
You can accept all cookies, reject non-essential cookies, or customize your preferences
Your choices are saved and remembered
B. Cookie Preference Center:
Click "Cookie Settings" in our website footer
Change your preferences at any time
Toggle different cookie categories on/off
C. Browser Settings:
All browsers allow you to control cookies through settings
You can block all cookies, allow only first-party cookies, or delete cookies
Note: Blocking strictly necessary cookies may prevent the website from functioning properly
How to manage cookies in popular browsers:
Chrome: Settings > Privacy and security > Cookies
Firefox: Settings > Privacy & Security > Cookies
Safari: Preferences > Privacy > Cookies
Edge: Settings > Privacy, search, and services > Cookies
D. Opt-Out Tools:
Google Analytics: https://tools.google.com/dlpage/gaoptout
Network Advertising Initiative: https://optout.networkadvertising.org/
Your Online Choices (EU): https://www.youronlinechoices.com/
12.5 Other Tracking Technologies
A. Web Beacons (Pixels):
Small invisible images on web pages or in emails
Used to track if you've opened an email or viewed a page
Work in conjunction with cookies
B. Local Storage:
Browser storage for larger amounts of data
Used for website functionality (e.g., remembering form inputs)
Can be cleared through browser settings
C. Server Logs:
Automatically collect information such as IP address, browser type, pages visited
Used for security, diagnostics, and analytics
Not subject to cookie consent (legitimate interests)
12.6 Do Not Track (DNT)
Some browsers offer a "Do Not Track" (DNT) signal. Our website does not currently respond to DNT signals, but you can control tracking through cookie preferences and browser settings as described above.
12.7 Updates to Cookie Usage
We may update our use of cookies from time to time. When we make significant changes, we'll notify you through:
Updated cookie banner on website
Notice on this privacy policy page
Email (for registered users)
13. CHILDREN'S PRIVACY
13.1 Our Position on Children's Data
CallPro UK does not knowingly or intentionally collect personal information from children under the age of 13 through our website or marketing activities.
However:
Our service is used by education institutions (schools, colleges, universities), and many callers to these institutions may be under 18, including prospective students inquiring about programs.
13.2 Processing Children's Data Through Our Service
When children call our clients' phone numbers:
A. For Education Institutions:
Many prospective students are aged 16-18 (or younger for schools)
Our clients (the education institutions) are the Data Controllers
They are responsible for ensuring lawful processing of children's data
They must have appropriate privacy notices and safeguards in place
B. Safeguarding:
Our system is designed to identify potential safeguarding concerns
Information suggesting a child is at risk is immediately escalated to the appropriate safeguarding personnel at the institution
Call recordings may be retained for safeguarding purposes
C. Consent:
We do not rely on children's consent for processing their data
Processing is based on legitimate interests (responding to admissions inquiries) or legal obligations (safeguarding)
D. Parental Involvement:
We recognize that parents/guardians often call on behalf of children
Information provided by parents about their children is processed appropriately
13.3 Children Under 13
Our website is not directed at children under 13.
If we become aware that we have inadvertently collected personal information from a child under 13 through our website:
We will delete the information promptly
We will not use it for any purpose
Parents/guardians can contact us at [email protected] to request deletion
13.4 Age Verification
We do not have age verification mechanisms on our website or in our AI receptionist service. We rely on:
Our clients to ensure appropriate processing of children's data
Parents/guardians to supervise children's interactions with websites
Safeguarding protocols to protect children who call our clients
13.5 Rights for Children
Children have the same rights as adults under UK GDPR, including:
Right to access their data
Right to have inaccurate data corrected
Right to have their data deleted
Enhanced right to erasure for data collected when they were a child
Parents/guardians can exercise these rights on behalf of their children.
To exercise rights:
Contact the education institution the child called (for call data)
Contact us at [email protected] for questions about our processing
14. THIRD-PARTY LINKS
14.1 Links to Other Websites
Our website and communications may contain links to third-party websites, including:
Our clients' websites
Partner websites
Social media platforms
Service provider websites
Educational resources
14.2 No Responsibility
We are not responsible for:
The content of third-party websites
The privacy practices of third-party websites
How third parties use your information
Security of third-party websites
14.3 Please Review Third-Party Privacy Policies
When you click a link to a third-party website:
You are leaving our website
You will be subject to that website's privacy policy
We encourage you to read their privacy policy before providing any personal information
14.4 Social Media
We maintain profiles on social media platforms (LinkedIn, Twitter, Facebook, etc.). When you interact with us on social media:
Your interactions are governed by the social media platform's privacy policy
We may collect information you publicly post or send to us
We use social media data for marketing, customer service, and business purposes
You can review social media privacy policies:
Twitter/X: https://twitter.com/en/privacy
15. CHANGES TO THIS PRIVACY POLICY
15.1 Updates
We may update this Privacy Policy from time to time to reflect:
Changes to our practices
Changes in data protection law
New features or services
Feedback from regulators or users
Business changes
15.2 How We Notify You
For significant changes:
We will post a notice on our website homepage
We will update the "Last Updated" date at the top of this policy
We may send email notifications to clients
We may display a prominent notice when you visit our website
For minor changes:
We will update the policy and change the "Last Updated" date
Continued use of our services after changes constitutes acceptance
15.3 Review Regularly
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
15.4 Previous Versions
You can request previous versions of this Privacy Policy by contacting us at [email protected].
16. CONTACT US
16.1 General Privacy Questions
Email: [email protected]
Phone: +44 [YOUR PHONE NUMBER]
Post: Privacy Team, CallPro UK Limited, 205, Fountayne Road, London, N15 4QL
16.2 Data Protection Officer (DPO)
For data protection rights, complaints, or specific data protection questions:
Email: [email protected]
Post: Data Protection Officer, CallPro UK Limited, 205, Fountayne Road, London, N15 4QL
16.3 Client Support
For existing clients with account or service questions:
Email: [email protected]
Phone: +44
16.4 For Callers
If you called one of our clients and have questions about your data:
First: Contact the organization you called - they are the primary Data Controller
For questions about our AI technology or call recordings: Contact us at [email protected]
16.5 Head Office Address
CallPro UK Limited
205, Fountayne Road, London
N15 4QL
United Kingdom
Company Number: 16801755
17. COMPLAINTS
17.1 We Want to Hear From You
If you have concerns about how we handle your personal information, please contact us first. We will investigate and try to resolve your concerns.
Contact: [email protected]
17.2 Complaint to the ICO
You have the right to lodge a complaint with the UK's supervisory authority for data protection:
Information Commissioner's Office (ICO)
Website: https://ico.org.uk/make-a-complaint/
Phone: 0303 123 1113
Post:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Live Chat: Available on ICO website
17.3 When to Contact the ICO
You can contact the ICO if:
You are unhappy with how we have handled your personal data
You believe we have breached data protection law
You want independent advice about your data protection rights
We have not responded to your complaint within a reasonable time (typically one month)
17.4 No Detriment
You will not suffer any detriment for making a complaint. We take all complaints seriously and use them to improve our practices.
APPENDIX A: GLOSSARY OF KEY TERMS
Anonymization: The process of removing or altering personal data so that individuals can no longer be identified.
Consent: Agreement freely given, specific, informed, and unambiguous indication of the individual's wishes.
Data Controller: The organization that determines the purposes and means of processing personal data.
Data Processor: An organization that processes personal data on behalf of a Data Controller.
Data Subject: An identifiable living individual whose personal data is processed.
GDPR: General Data Protection Regulation - EU/UK data protection law.
ICO: Information Commissioner's Office - UK's data protection regulator.
Lawful Basis: Legal justification for processing personal data under GDPR (e.g., consent, contract, legitimate interests).
Legitimate Interests: One of the lawful bases for processing - pursuing interests in a way that might be expected and that doesn't adversely impact the data subject.
Personal Data: Information relating to an identified or identifiable individual.
Processing: Any operation performed on personal data (collection, storage, use, disclosure, deletion, etc.).
Special Category Data: Sensitive personal data requiring extra protection (health, ethnicity, religion, etc.).
UK GDPR: UK version of GDPR applicable after Brexit.
APPENDIX B: DATA SUBJECT RIGHTS SUMMARY CARD
YOUR DATA PROTECTION RIGHTS AT A GLANCE:
✅ Right to be Informed - This privacy policy
✅ Right of Access - Get a copy of your data
✅ Right to Rectification - Correct inaccurate data
✅ Right to Erasure - Request deletion
✅ Right to Restrict Processing - Limit how we use your data
✅ Right to Data Portability - Receive your data in usable format
✅ Right to Object - Object to certain processing
✅ Rights re Automated Decision-Making - Challenge automated decisions
To exercise your rights: [email protected]
Questions about data from a call? Contact the organization you called first
Complaint? ICO: 0303 123 1113 or ico.org.uk
END OF PRIVACY POLICY
Tel: 0203 697 5336
Email: [email protected]
© 2025 | CallPro UK
All Rights Reserved | Terms and Conditions | Privacy Policy