Privacy Policy

How We Handle Your Data

This page describes what personal data we collect when you interact with our AI voice agents, the purposes for which we process it, who we share it with, and how long we retain it. Your data is processed in compliance with GDPR, CCPA, PIPEDA, and applicable international standards.

GDPR compliant · DPAs in place · Full rights disclosure

RuleInside LLC

30 N Gould St, Ste 32376, Sheridan, WY 82801, USA

Email: support (at) ruleinside.com  ·  Privacy Officer: Stefano Bertoli

Last Updated: 10/04/2026  ·  Version: 2.0

Important: Applicability of This Policy

This privacy policy applies to all users worldwide, with specific provisions based on location:

  • EU/EEA/UK Users: Full GDPR compliance (Sections 1–17)
  • California Users: CCPA compliance (Section 18)
  • Canada Users: PIPEDA compliance (Section 19)
  • Other International Users: General privacy protections (Section 20)

1. Introduction

This privacy policy describes how RuleInside LLC collects, uses and protects the personal data of users who interact with our AI voice agents, in compliance with: Regulation (EU) 2016/679 (GDPR) for EU/EEA/UK users; California Consumer Privacy Act (CCPA) for California residents; Personal Information Protection and Electronic Documents Act (PIPEDA) for Canadian users; and applicable local privacy laws for other jurisdictions.

Important: Our AI voice agents always record phone conversations. Recording is an integral part of the service and necessary for its operation. By continuing the conversation after the initial notice, the user consents to the recording.

2. Data Controller

RuleInside LLC
30 N Gould St, Ste 32376, Sheridan, WY 82801, United States of America
Email: support (at) ruleinside.com
Privacy Officer: Stefano Bertoli

EU Representative (Art. 27 GDPR):
The appointment of the EU representative is being formalized. Until the appointment, all communications can be sent to: support (at) ruleinside.com

3. Personal Data Collected

3.1 Automatically Collected Data

  • Complete audio recordings of phone conversations
  • Voice biometrics (biometric data pursuant to Art. 4(14) GDPR)
  • Automatically generated text transcriptions of conversations
  • Call metadata: date, time, duration, caller/called phone number
  • Technical data: IP address (if applicable), device used

3.2 Voluntarily Provided Data

During the conversation, the user may provide: first and last name, email address, phone number, physical address, information about preferences, needs or specific requests, and other information freely shared during the conversation.

3.3 Derived Data

  • Sentiment analysis (emotional state perceived from voice)
  • Interest categories inferred from the conversation
  • Aggregated statistical data on user behavior

4. Purposes of Processing and Legal Basis

Purpose | Legal Basis (GDPR — EU Users) | Legal Basis (Non-EU Users)
Service provision | Legitimate interest (Art. 6(1)(f)) | Contractual necessity
Contract execution | Contract performance (Art. 6(1)(b)) | Contractual necessity
Service improvement and AI training | Legitimate interest (Art. 6(1)(f)) | Legitimate business interest
Statistical analysis | Legitimate interest (Art. 6(1)(f)) | Legitimate business interest
Direct marketing | Explicit consent (Art. 6(1)(a)) | Opt-in consent
Legal compliance | Legal obligation (Art. 6(1)(c)) | Legal obligation

Note on Marketing Consent: If during the conversation the user expresses interest in receiving marketing communications, separate explicit consent will be requested and can be revoked at any time.

5. Retention Period

  • Audio recordings: Minimum 30 days (complaints management and quality assurance); maximum 24 months (AI training and service improvement).
  • Text transcriptions: Same duration as audio recordings.
  • Contact data (for marketing): Until consent is revoked or maximum 24 months from last interaction.
  • Anonymous statistical data: Retained indefinitely in aggregated form not attributable to the user.

At the end of the retention period, data is deleted in a secure and irreversible manner. Users can request early deletion at any time.

6. Data Recipients

6.1 Internal Personnel

Authorized RuleInside personnel who need access to perform their duties.

6.2 Business Clients (Independent Controllers)

Recordings are shared with the business client who requested the contact service. The business client acts as an independent controller for data collected as part of their commercial activity.

6.3 AI Service Providers (Data Processors)

  • OpenAI — voice synthesis and natural language processing (EU-US Data Privacy Framework certified)
  • Google (Gemini) — natural language processing (EU-US Data Privacy Framework certified)
  • ElevenLabs — voice synthesis (EU-US Data Privacy Framework certified)
  • Cartesia — voice synthesis (GDPR Compliant + SOC 2 Type II + PCI-DSS + HIPAA + Zero Data Retention option)

These providers process data exclusively on our instructions and in compliance with Data Processing Agreements (DPA).

6.4 Competent Authorities

When required by law, data may be communicated to judicial, police or other public authorities.

7. International Transfers (EU/EEA/UK Users)

Personal data may be transferred and processed outside the EEA, particularly in the United States. Transfers are governed by Standard Contractual Clauses (SCC) pursuant to Decision 2021/914, and by the EU-US Data Privacy Framework for certified providers (OpenAI, Google, ElevenLabs). Cartesia maintains GDPR Compliant status with SOC 2 Type II, PCI-DSS, and HIPAA certifications.

Data may be stored on US servers by default, or EU servers upon specific request from the business client. A copy of the safeguards adopted for international transfers can be requested at support (at) ruleinside.com.

8. Data Subject Rights (EU/EEA/UK Users)

In compliance with articles 15–22 of GDPR, EU users have the following rights:

  • Right of Access (Art. 15): Obtain confirmation of processing and access to personal data.
  • Right to Rectification (Art. 16): Obtain correction of inaccurate or incomplete data.
  • Right to Erasure (Art. 17): Obtain deletion when data is no longer necessary, consent is withdrawn, or data has been unlawfully processed.
  • Right to Restriction of Processing (Art. 18): Obtain restriction when accuracy is contested or processing is unlawful.
  • Right to Data Portability (Art. 20): Receive personal data in a structured, machine-readable format.
  • Right to Object (Art. 21): Object to processing based on legitimate interest.
  • Withdrawal of Consent: Withdraw consent for marketing at any time.

To exercise rights:

Email: support (at) ruleinside.com  ·  Subject: "GDPR Rights Request – [specify right]"

Include: first name, last name, phone number associated with the recording, description of the request.

Response time: 30 days (extendable by 60 days in complex cases).

9. Right to Lodge a Complaint (EU/EEA/UK Users)

Italian Supervisory Authority:
Garante per la Protezione dei Dati Personali — Piazza Venezia n. 11, 00186 Roma, Italy
Email: garante@gpdp.it  ·  Tel: +39 06.696771  ·  www.garanteprivacy.it

UK Authority:
Information Commissioner's Office (ICO) — www.ico.org.uk  ·  Tel: +44 303 123 1113

10. Security Measures

Technical measures: Encryption in transit (TLS 1.3/SSL) and at rest (AES-256); multi-factor authentication; pseudonymization where possible; secure encrypted backups; continuous anomaly and intrusion detection monitoring; network segmentation.

Organizational measures: Internal security policies binding on all personnel; regular training; data breach response plan; regular audits; rigorous supplier due diligence; binding NDAs for all employees and collaborators.

Data Breach Notification: RuleInside will notify the competent supervisory authority within 72 hours of a breach presenting risk to data subjects, communicate the breach to data subjects when the risk is high, and document all breaches in the breach register.

11. Automated Decision-Making

AI voice agents use algorithms to understand user requests, analyze sentiment, and classify interests. Decisions made during the conversation do not produce significant legal effects pursuant to Art. 22 GDPR. Any final commercial decision is always made by human personnel. The user can always request the intervention of a human operator.

12. Privacy by Design and by Default

Systems are designed to minimize data collection, security measures are implemented from the development phase, only strictly necessary data is collected by default, and data access is limited to personnel who actually need it.

13. Changes to This Policy

Changes will be communicated via publication on ruleinside.com, email to consenting users, and call notice for changes requiring new consent.

Last updated: 10/04/2026  ·  Version: 2.0

14. Contact

RuleInside LLC  ·  Email: support (at) ruleinside.com  ·  Privacy Officer: Stefano Bertoli

EU Representative (Art. 27 GDPR):
The appointment of the EU representative is being formalized. Until the appointment, all communications can be sent to: support (at) ruleinside.com

Response times: Within 3 business days for general requests; within 30 days for GDPR rights exercise.
Urgent requests: Email support (at) ruleinside.com — Subject: "URGENT – Privacy"

15. Consent and Acceptance

By continuing the conversation with the AI voice agent after the initial recording notice, the user acknowledges being informed of the conversation recording, accepts this privacy policy, and consents to the processing of their personal data for the indicated purposes. Marketing consent requires a separate explicit action. The user can interrupt the conversation at any time.

16. Legal References (EU Users)

Regulation (EU) 2016/679 (GDPR); Legislative Decree June 30, 2003, n. 196 (Italian Privacy Code) as amended by D.Lgs. 101/2018; Provisions of the Italian Data Protection Authority; Guidelines of the European Data Protection Board (EDPB).

17. Glossary

  • Personal data: Any information relating to an identified or identifiable natural person.
  • Processing: Any operation applied to personal data.
  • Controller: RuleInside LLC.
  • Processor: Entity that processes data on behalf of the controller.
  • Data subject: The natural person whose data is processed.
  • Biometric data: Data resulting from technical processing relating to physical characteristics (e.g. voice biometrics).
  • Pseudonymization: Processing so that data can no longer be attributed to a data subject without additional information.
  • EU-US Data Privacy Framework (DPF): Agreement guaranteeing adequate protection for data transferred to the United States.
  • Standard Contractual Clauses (SCC): Standard clauses approved by the European Commission for transfers to third countries.

18. California Residents (CCPA)

18.1 Categories of Personal Information We Collect

  • Identifiers: Name, phone number, email address, IP address
  • Audio/Visual Information: Voice recordings, voice biometrics
  • Internet/Network Activity: Call metadata, interaction data
  • Inferences: Preferences, characteristics, behavior patterns

18.2 Your CCPA Rights

  • Right to Know: Categories and specific pieces of personal information collected, sources, purposes, and third parties we share with.
  • Right to Delete: Request deletion (subject to certain exceptions).
  • Right to Opt-Out of Sale: We do not sell personal information.
  • Right to Correct: Request correction of inaccurate information.
  • Right to Limit Use of Sensitive Personal Information: Limit use of voice recordings to service provision only.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise rights:

Email: support (at) ruleinside.com  ·  Subject: "California Privacy Rights Request"

Include: name, phone number, specific request. Response time: 45 days (extendable to 90 days).

19. Canadian Residents (PIPEDA)

By continuing the conversation after the recording notice, you provide implied consent. You have the right to access your personal information, request correction of errors, withdraw consent at any time, and challenge RuleInside's compliance with PIPEDA.

To exercise rights:

Email: support (at) ruleinside.com  ·  Subject: "PIPEDA Privacy Request – Canada"

Response time: 30 days.

Complaints:
Office of the Privacy Commissioner of Canada
30 Victoria Street, Gatineau, Quebec K1A 1H3  ·  1-800-282-1376  ·  www.priv.gc.ca

20. Other International Users

We offer equivalent protections including: access to personal data we hold; correction of inaccurate information; deletion subject to legal retention requirements; opt-out of marketing at any time; and data portability.

To exercise rights:

Email: support (at) ruleinside.com  ·  Subject: "Privacy Rights Request – [Your Country]"

Response time: 30 days.

Our services are not directed to children under 18. If you believe we have collected information from a child, contact us immediately for deletion.

21. Do Not Track Signals

Our services do not currently respond to Do Not Track signals. You can control data collection through the rights described in the applicable sections above.

22. Third-Party Links

We are not responsible for the privacy practices of third-party websites linked from our communications. We encourage you to review their privacy policies.

23. Updates to This Privacy Policy

Material changes will be communicated through prominent notice on our website, email notification where applicable, and call notification for significant changes.

24. Contact for Privacy Inquiries

  • General: support (at) ruleinside.com  ·  Privacy Officer: Stefano Bertoli
  • EU: support (at) ruleinside.com (EU Representative appointment pending)
  • California: support (at) ruleinside.com  ·  Subject: "California Privacy Inquiry"
  • Canada: support (at) ruleinside.com  ·  Subject: "Canadian Privacy Inquiry"

By using our services, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of your personal information as described herein, subject to the rights and protections applicable in your jurisdiction.