PRIVACY POLICY – AI VOICE AGENT CALL RECORDINGS

RuleInside LLC
30 N Gould St, Ste 32376, Sheridan, WY 82801, USA
Email: support(at)ruleinside(dot)com
Privacy Officer: Stefano Bertoli

Last updated: 19/11/2025
Version: 2.0


IMPORTANT: APPLICABILITY OF THIS POLICY

This privacy policy applies to all users worldwide, with specific provisions based on location:

  • EU/EEA/UK Users: Full GDPR compliance (Sections 1-17)
  • California Users: CCPA compliance (Section 18)
  • Canada Users: PIPEDA compliance (Section 19)
  • Other International Users: General privacy protections (Section 20)

1. INTRODUCTION

This privacy policy describes how RuleInside LLC (hereinafter “RuleInside”, “we” or “our”) collects, uses and protects the personal data of users who interact with our artificial intelligence-based voice agents, in compliance with:

  • Regulation (EU) 2016/679 (“GDPR”) for EU/EEA/UK users
  • California Consumer Privacy Act (“CCPA”) for California residents
  • Personal Information Protection and Electronic Documents Act (“PIPEDA”) for Canadian users
  • Applicable local privacy laws for other jurisdictions

IMPORTANT: Our AI voice agents ALWAYS record phone conversations. Recording is an integral part of the service and necessary for its operation. By continuing the conversation after the initial notice, the user consents to the recording.


2. DATA CONTROLLER

RuleInside LLC
30 N Gould St, Ste 32376
Sheridan, WY 82801
United States of America

Privacy contact point:
Stefano Bertoli
Email: support(at)ruleinside(dot)com

EU Representative (Art. 27 GDPR):
The appointment of the EU representative is being formalized. Until the appointment, all communications can be sent to: support(at)ruleinside(dot)com


3. PERSONAL DATA COLLECTED

During interaction with our AI voice agents, we collect and process the following categories of personal data:

3.1 Automatically Collected Data

  • Complete audio recordings of phone conversations
  • Voice biometrics (biometric data pursuant to Art. 4(14) GDPR)
  • Automatically generated text transcriptions of conversations
  • Call metadata: date, time, duration, caller/called phone number
  • Technical data: IP address (if applicable), device used

3.2 Voluntarily Provided Data

During the conversation, the user may provide:

  • First and last name
  • Email address
  • Phone number
  • Physical address
  • Information about preferences, needs or specific requests
  • Other information freely shared during the conversation

3.3 Derived Data

  • Sentiment analysis (emotional state perceived from voice)
  • Interest categories inferred from the conversation
  • Aggregated statistical data on user behavior

4. PURPOSES OF PROCESSING AND LEGAL BASIS

We process personal data for the following purposes:

PURPOSE | LEGAL BASIS (GDPR – EU Users) | LEGAL BASIS (Non-EU Users)
Service provision | Legitimate interest (Art. 6(1)(f)) | Contractual necessity
Contract execution | Contract performance (Art. 6(1)(b)) | Contractual necessity
Service improvement and AI training | Legitimate interest (Art. 6(1)(f)) | Legitimate business interest
Statistical analysis | Legitimate interest (Art. 6(1)(f)) | Legitimate business interest
Direct marketing | Explicit consent (Art. 6(1)(a)) | Opt-in consent
Legal compliance | Legal obligation (Art. 6(1)(c)) | Legal obligation

Legitimate Interest (EU Users): Our legitimate interest consists in providing an effective and continuously improving AI service. Recording is strictly necessary for the operation of AI voice agents, which use conversations to understand and respond to requests. We have balanced this interest with the rights of data subjects by implementing adequate security measures and limiting access to data.

Business Interest (Non-EU Users): Recording enables us to provide quality service, improve AI performance, and maintain business operations. Users can opt out of certain processing (see Sections 18-20 for jurisdiction-specific rights).

Note on Marketing Consent: If during the conversation the user expresses interest in receiving marketing communications, separate explicit consent will be requested. The user can revoke such consent at any time.


5. RETENTION PERIOD

Recordings and personal data are retained for the following periods:

  • Audio recordings: Retained for the time strictly necessary for the indicated purposes, variable based on agreements with our B2B clients. Generally:

    • Minimum: 30 days (for complaints management and quality assurance)
    • Maximum: 24 months (for AI training and service improvement)
  • Text transcriptions: Retained for the same duration as audio recordings

  • Contact data (for marketing): Retained until consent is revoked or for a maximum of 24 months from the last interaction

  • Anonymous statistical data: Retained indefinitely in aggregated form not attributable to the user

At the end of the retention period, data is deleted in a secure and irreversible manner.

Early deletion: Users can request early deletion of their personal data at any time (see rights sections below).


6. DATA RECIPIENTS

Personal data may be communicated to the following recipients:

6.1 Internal Personnel

Authorized RuleInside personnel with access needs to perform their duties (e.g. technical team, customer support).

6.2 Business Clients (Independent Controllers)

Recordings are shared with the business client (e.g. real estate agency) who requested the contact service. In this case, the business client acts as an independent controller for data collected as part of their commercial activity.

6.3 AI Service Providers (Data Processors/Service Providers)

For the operation of voice agents, we use the following third-party providers:

  • OpenAI (voice synthesis and natural language processing)
  • Google (Gemini) (natural language processing)
  • ElevenLabs (voice synthesis)
  • Cartesia (voice synthesis)

These providers process data exclusively on our instructions and in compliance with Data Processing Agreements (DPA) that guarantee adequate security measures.

Provider certifications:

  • OpenAI, Google (Gemini), ElevenLabs: EU-US Data Privacy Framework certified
  • Cartesia: GDPR Compliant + SOC 2 Type II + PCI-DSS + HIPAA + Zero Data Retention option

All providers comply with the highest international standards of data protection and information security, ensuring that users’ personal information is treated with the maximum level of confidentiality and protection.

6.4 Competent Authorities

When required by law, data may be communicated to judicial, police or other public authorities.


7. INTERNATIONAL TRANSFERS (EU/EEA/UK USERS)

ATTENTION: Personal data may be transferred and processed outside the European Economic Area (EEA), particularly in the United States of America.

7.1 Adequate Safeguards

Transfers to third countries are carried out with the following safeguards compliant with articles 44-50 of GDPR:

To the United States:

EU-US Data Privacy Framework certified providers:

  • OpenAI: DPF certified – guarantees adequate level of protection recognized by the European Commission (Adequacy Decision of July 10, 2023)
  • Google (Gemini): DPF certified – guarantees adequate level of protection recognized by the European Commission
  • ElevenLabs: DPF certified – guarantees adequate level of protection recognized by the European Commission

The Data Privacy Framework is an international agreement between the European Union and the United States that guarantees a level of personal data protection comparable to the European one. The European Commission has formally recognized such adequacy with a decision in July 2023.

GDPR Compliant provider:

  • Cartesia: GDPR Compliant with highest level security certifications (SOC 2 Type II, PCI-DSS, HIPAA). Also offers the Zero Data Retention option to guarantee maximum privacy protection.

RuleInside LLC: In the absence of DPF certification, transfers to our US servers are governed by Standard Contractual Clauses (SCC) approved by the European Commission pursuant to Decision 2021/914. SCCs are binding contractual clauses that require RuleInside to comply with data protection standards equivalent to European ones.

7.2 Server Location

Data may be stored on servers located in:

  • United States of America: by default
  • European Union: upon specific request from the business client

All servers, regardless of their geographical location, are protected by technical and organizational security measures compliant with the most rigorous international standards.

The user can request information about the specific location of their data by contacting support(at)ruleinside(dot)com.

7.3 Continuous Monitoring

The Data Privacy Framework is subject to periodic review by European authorities. RuleInside constantly monitors the certification status of its providers and is committed to promptly adopting any additional measures required by competent authorities or regulatory developments.

7.4 Copy of Safeguards

It is possible to request a copy of the safeguards adopted for international transfers (DPF certificates, Standard Contractual Clauses) by writing to support(at)ruleinside(dot)com.


8. DATA SUBJECT RIGHTS (EU/EEA/UK USERS)

In compliance with articles 15-22 of GDPR, EU users have the following rights:

8.1 Right of Access (Art. 15)

Obtain confirmation whether or not personal data concerning you is being processed and, if so, access to such data and information regarding the processing.

8.2 Right to Rectification (Art. 16)

Obtain the correction of inaccurate personal data or the completion of incomplete data.

8.3 Right to Erasure – “Right to be Forgotten” (Art. 17)

Obtain the deletion of personal data when:

  • Data is no longer necessary for the purposes for which it was collected
  • The user withdraws consent (for consent-based processing)
  • The user objects to processing
  • Data has been unlawfully processed

DELETION METHOD: Users can delete their recordings by requesting deletion at support(at)ruleinside(dot)com. The system is designed to allow rapid and secure data deletion upon request.

8.4 Right to Restriction of Processing (Art. 18)

Obtain restriction of processing when:

  • The user contests the accuracy of personal data
  • Processing is unlawful but the user prefers restriction to deletion
  • Data is necessary for the user to establish, exercise or defend legal rights

8.5 Right to Data Portability (Art. 20)

Receive personal data provided in a structured, commonly used and machine-readable format, and transmit it to another controller.

8.6 Right to Object (Art. 21)

Object at any time to the processing of personal data based on legitimate interest. In this case, RuleInside will cease processing unless it demonstrates compelling legitimate grounds.

OBJECTION TO MARKETING: The user always has the right to object to processing for direct marketing purposes.

8.7 Withdrawal of Consent

When processing is based on consent (e.g. marketing), the user can withdraw it at any time without prejudice to the lawfulness of processing carried out before withdrawal.

8.8 How to Exercise Rights

To exercise the above rights, the user can:

  • Email: support(at)ruleinside(dot)com
  • Subject line: “GDPR Rights Request – [specify right]”
  • Information to provide: First name, last name, phone number associated with the recording, description of the request

RuleInside will respond within 30 days of receiving the request. In complex cases, the deadline may be extended by an additional 60 days, with reasoned communication to the user.


9. RIGHT TO LODGE A COMPLAINT (EU/EEA/UK USERS)

EU users have the right to lodge a complaint with the competent supervisory authority if they believe that the processing of their personal data violates GDPR.

Italian Supervisory Authority:
Garante per la Protezione dei Dati Personali
Piazza Venezia n. 11, 00186 Roma, Italy
Email: garante@gpdp.it
PEC: protocollo@pec.gpdp.it
Tel: +39 06.696771
Website: www.garanteprivacy.it

Other EU Authorities:
The user can also lodge a complaint with the supervisory authority of the EU Member State in which they habitually reside, work or where the alleged infringement occurred.

UK Authority:
Information Commissioner’s Office (ICO)
Website: www.ico.org.uk
Tel: +44 303 123 1113


10. SECURITY MEASURES

RuleInside adopts appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in compliance with Art. 32 GDPR, including:

10.1 Technical Measures

  • Encryption: Data encryption in transit (TLS 1.3/SSL) and at rest (AES-256)
  • Access control: Data access limited to authorized personnel through strong authentication (MFA)
  • Pseudonymization: Where possible, data is pseudonymized to reduce risks
  • Secure backups: Regular backup procedures with encryption
  • Continuous monitoring: Anomaly and intrusion detection system (IDS/IPS)
  • Network segmentation: Isolation of systems processing personal data

10.2 Organizational Measures

  • Internal policies: Security and confidentiality policies binding on all personnel
  • Training: Regular training of personnel on security and privacy best practices
  • Data breach response plan: Procedures for timely management of any data breaches
  • Regular audits: Regular verification of implemented security measures
  • Supplier management: Rigorous due diligence on third-party suppliers and continuous monitoring
  • Confidentiality agreements: All employees and collaborators sign binding NDAs

10.3 Provider Certifications

All our AI providers maintain highest level security certifications:

  • SOC 2 Type II: Annual verification of security controls
  • PCI-DSS: Security standard for payment data
  • HIPAA: Healthcare data compliance (Cartesia)
  • ISO 27001: Information security management

10.4 Data Breach Notification

In case of a personal data breach that presents a risk to the rights and freedoms of data subjects, RuleInside will:

  • Notify the breach to the competent supervisory authority within 72 hours
  • Communicate the breach to data subjects when the risk is high
  • Document all breaches and corrective measures adopted in the breach register

11. AUTOMATED DECISION-MAKING

Our AI voice agents use artificial intelligence algorithms to:

  • Understand and respond to user requests
  • Analyze conversation sentiment
  • Classify interests and preferences

IMPORTANT NOTE: Decisions made by AI voice agents during the conversation do NOT produce significant legal effects nor similarly affect the person pursuant to Art. 22 GDPR. The voice agent is limited to providing information, collecting data and, if appropriate, setting appointments.

Any final commercial decision (e.g. contract signing, application approval) is always made by human personnel of the business client (e.g. real estate agency) after the conversation with the AI agent.

Human intervention: The user can always request the intervention of a human operator during the conversation or subsequently contest the information provided by the AI agent.


12. PRIVACY BY DESIGN AND BY DEFAULT

RuleInside applies the principles of data protection by design and by default pursuant to Art. 25 GDPR:

Privacy by Design:

  • Systems are designed to minimize the collection of personal data
  • Implementation of security measures from the development phase
  • Data protection impact assessments (DPIA) for new features

Privacy by Default:

  • Only strictly necessary data is collected by default
  • Data access limited to personnel who actually need it
  • Default retention period aligned with purposes

13. CHANGES TO THIS POLICY

RuleInside reserves the right to modify or update this privacy policy at any time to:

  • Comply with regulatory changes
  • Reflect changes in services offered
  • Improve clarity and transparency

Communication of changes: Substantial changes will be communicated to users through:

  • Publication on the website ruleinside.com with evidence of the update date
  • Email to users who have provided consent for communications (when applicable)
  • Notice during calls for relevant changes requiring new consent

Last updated: [INSERT DATE]
Version: 2.0 (updated with Cartesia GDPR Compliant certification)


14. CONTACT

For any questions, doubts or requests regarding this privacy policy or the processing of personal data, you can contact:

RuleInside LLC
Email: support(at)ruleinside(dot)com
Privacy Officer: Stefano Bertoli

EU Representative (Art. 27 GDPR):
[TO BE UPDATED AFTER APPOINTMENT]

Response times: Within 3 business days for general requests, within 30 days for GDPR rights exercise.

For urgent requests (e.g. possible data breach, security issues):
Email: support(at)ruleinside(dot)com with subject “URGENT – Privacy”


15. CONSENT AND ACCEPTANCE

IMPORTANT: By continuing the conversation with the AI voice agent after the initial recording notice, the user:

  • Acknowledges being informed of the conversation recording
  • Accepts this privacy policy
  • Consents to the processing of their personal data for the indicated purposes (except for marketing, which requires separate explicit consent)

The user can interrupt the conversation at any time if they do not wish their data to be recorded and processed.


16. LEGAL REFERENCES (EU USERS)

This privacy policy is drafted in compliance with:

  • Regulation (EU) 2016/679 (GDPR)
  • Legislative Decree June 30, 2003, n. 196 (Italian Privacy Code) as amended by D.Lgs. 101/2018
  • Provisions of the Italian Data Protection Authority
  • Guidelines of the European Data Protection Board (EDPB)

Main applicable GDPR articles:

  • Art. 5: Principles relating to processing
  • Art. 6: Lawfulness of processing
  • Art. 9: Processing of special categories of data (voice as biometric data)
  • Art. 12-22: Rights of data subjects
  • Art. 25: Data protection by design and by default
  • Art. 27: Representatives of controllers not established in the Union
  • Art. 28: Processor
  • Art. 30: Records of processing activities
  • Art. 32: Security of processing
  • Art. 33-34: Notification and communication of breaches
  • Art. 35: Data protection impact assessment
  • Art. 44-50: Transfers of personal data to third countries

17. GLOSSARY

Personal data: Any information relating to an identified or identifiable natural person.

Processing: Any operation applied to personal data (collection, recording, organization, storage, use, deletion, etc.).

Controller: RuleInside LLC, which determines the purposes and means of processing.

Processor: Entity that processes personal data on behalf of the controller (e.g. AI providers).

Data subject: The natural person whose personal data is processed (the user).

Biometric data: Personal data resulting from specific technical processing relating to the physical characteristics of a person (e.g. voice biometrics).

Pseudonymization: Processing of data in such a way that it can no longer be attributed to a data subject without additional information.

EU-US Data Privacy Framework (DPF): Agreement between the EU and USA that guarantees an adequate level of protection for data transferred to the United States.

Standard Contractual Clauses (SCC): Standard contractual clauses approved by the European Commission to legitimize data transfers to third countries.


INTERNATIONAL USERS – SPECIFIC PROVISIONS


18. CALIFORNIA RESIDENTS (CCPA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

18.1 Categories of Personal Information We Collect

Under CCPA, we collect the following categories of personal information:

  • Identifiers: Name, phone number, email address, IP address
  • Audio/Visual Information: Voice recordings, voice biometrics
  • Internet/Network Activity: Call metadata, interaction data
  • Inferences: Preferences, characteristics, behavior patterns drawn from data

18.2 Sources of Personal Information

  • Directly from you during phone conversations
  • Automatically through our AI voice agents
  • From business clients who engage our services

18.3 Business/Commercial Purposes for Collection

  • Providing AI voice agent services
  • Service improvement and AI training
  • Analytics and research
  • Marketing (with your consent)
  • Legal compliance

18.4 Categories of Third Parties We Share With

  • Business clients who requested the service
  • AI service providers (OpenAI, Google, ElevenLabs, Cartesia)
  • Legal authorities when required

18.5 Your CCPA Rights

Right to Know: You can request:

  • Categories of personal information we collect
  • Specific pieces of personal information we hold
  • Sources of information
  • Purposes for collection
  • Categories of third parties we share with

Right to Delete: You can request deletion of your personal information (subject to certain exceptions).

Right to Opt-Out of Sale: We do NOT sell personal information. However, you can opt out of certain sharing practices.

Right to Correct: You can request correction of inaccurate personal information.

Right to Limit Use of Sensitive Personal Information: Voice recordings may be considered sensitive. You can limit use to what’s necessary for service provision.

Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

18.6 How to Exercise Your California Rights

Submit a Request:

  • Email: support(at)ruleinside(dot)com
  • Subject: “California Privacy Rights Request”
  • Include: Name, phone number, specific request

Verification: We may request additional information to verify your identity.

Response Time: We will respond within 45 days (extendable to 90 days for complex requests).

Authorized Agents: You may designate an authorized agent to make requests on your behalf by providing written authorization.

18.7 Notice of Financial Incentive

We do not offer financial incentives in exchange for personal information.

18.8 California “Shine the Light” Law

California residents can request information about disclosure of personal information to third parties for direct marketing purposes. We do not share personal information for third-party direct marketing.


19. CANADIAN RESIDENTS (PIPEDA)

If you are a Canadian resident, your personal information is protected under the Personal Information Protection and Electronic Documents Act (PIPEDA).

19.1 Consent

We obtain your consent before or when we collect, use, or disclose your personal information, except where permitted or required by law. By continuing the conversation after the recording notice, you provide implied consent.

19.2 Your PIPEDA Rights

Right to Access: Request access to your personal information and information about how it’s used.

Right to Correction: Request correction of errors or omissions in your personal information.

Right to Withdraw Consent: Withdraw consent at any time, subject to legal or contractual restrictions.

Right to Challenge Compliance: Challenge RuleInside’s compliance with PIPEDA.

19.3 How to Exercise Your Canadian Rights

Submit a Request:

  • Email: support(at)ruleinside(dot)com
  • Subject: “PIPEDA Privacy Request – Canada”
  • Include: Name, phone number, specific request

Response Time: We will respond within 30 days.

Complaints: If you’re not satisfied with our response, you can file a complaint with:

Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, Quebec K1A 1H3
Toll-free: 1-800-282-1376
Website: www.priv.gc.ca

19.4 Cross-Border Data Transfers

Your personal information may be processed and stored in the United States. While in the U.S., it is subject to U.S. laws, including lawful access by U.S. government authorities.

19.5 AI and Automated Decision-Making

We use AI to process calls, but do not make automated decisions that significantly impact you without human oversight.


20. OTHER INTERNATIONAL USERS

If you are located outside the EU/EEA, UK, California, or Canada, the following provisions apply:

20.1 Your Privacy Rights

While you may not have rights under GDPR, CCPA, or PIPEDA, we respect your privacy and offer similar protections:

Access: Request information about what personal data we hold about you.

Correction: Request correction of inaccurate information.

Deletion: Request deletion of your personal data, subject to legal retention requirements.

Opt-Out: Opt out of marketing communications at any time.

Data Portability: Request a copy of your data in a portable format.

20.2 How to Exercise Your Rights

Contact Us:

  • Email: support(at)ruleinside(dot)com
  • Subject: “Privacy Rights Request – [Your Country]”
  • Include: Name, phone number, country of residence, specific request

Response Time: We aim to respond within 30 days.

20.3 Data Transfers

Your personal information may be transferred to and processed in the United States or other countries where RuleInside or its service providers operate. We take measures to ensure adequate protection of your data through:

  • Contractual safeguards with service providers
  • Security measures described in Section 10
  • Compliance with applicable local laws

20.4 Local Law Compliance

If you are in a jurisdiction with specific privacy laws (e.g., Brazil’s LGPD, Australia’s Privacy Act, etc.), we commit to complying with applicable local requirements. Please contact us if you have questions about compliance with your local privacy laws.

20.5 Children’s Privacy

Our services are not directed to children under 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately for deletion.


21. DO NOT TRACK SIGNALS

Some browsers support a “Do Not Track” signal. Our services do not currently respond to Do Not Track signals. You can control data collection through the rights described in the applicable sections above.


22. THIRD-PARTY LINKS

Our communications may contain links to third-party websites. We are not responsible for the privacy practices of these sites. We encourage you to review their privacy policies.


23. UPDATES TO THIS PRIVACY POLICY

We may update this privacy policy from time to time. Material changes will be communicated through:

  • Prominent notice on our website
  • Email notification (where applicable)
  • Call notification for significant changes

24. CONTACT FOR PRIVACY INQUIRIES

General Privacy Inquiries: Email: support(at)ruleinside(dot)com
Privacy Officer: Stefano Bertoli

EU-Specific Inquiries: EU Representative: [TO BE APPOINTED]
Email: support(at)ruleinside(dot)com (until EU Rep appointed)

California-Specific Inquiries: Email: support(at)ruleinside(dot)com
Subject: “California Privacy Inquiry”

Canada-Specific Inquiries: Email: support(at)ruleinside(dot)com
Subject: “Canadian Privacy Inquiry”

Data Protection Officer (when appointed): [TO BE UPDATED]


ACKNOWLEDGMENT

By using our services, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of your personal information as described herein, subject to the rights and protections applicable in your jurisdiction.


RuleInside LLC – Privacy Policy compliant with GDPR, CCPA, PIPEDA and International Standards

Last Updated: 19/11/2025
Effective Date: 19/11/2025