Privacy Policy
How we handle your personal data
Last updated: 21 February 2026
1. Data Controller
The data controller for the processing of your personal data is:
Communication One i Göteborg AB
Reg. no: 556779-4135
Norra Hamngatan 18, 411 06 Gothenburg, Sweden
Email: info@leadcaller.com
For privacy-related questions or to exercise your rights, contact us at info@leadcaller.com.
2. Personal data we collect
2.1 Data you provide
- Contact details: name, email address, phone number, company name, registration number
- Account data: username, password (encrypted), role and permissions
- Payment details: billing address (payment data is handled by Stripe and never reaches our servers)
- Communications: emails, support tickets and other correspondence with us
- Form data: information you submit through contact, demo or registration forms
2.2 Data collected automatically
- Technical data: IP address, browser type, operating system, device information, screen resolution
- Usage data: pages visited, clicks, scroll depth, session duration, referrer URL
- Cookie data: consent status, session identifiers (see our cookie declaration)
- Geographic data: approximate location based on IP address (country, region)
- Marketing data: UTM parameters, campaign IDs, ad platform click IDs (gclid, fbclid etc.)
2.3 Service data (for customers)
- Call data: timestamps, duration, phone numbers, call status
- Call content: audio recordings and AI-generated transcriptions (when enabled by customer)
- CRM data: leads, contacts, deals, activities, notes
- Widget interactions: chat messages, callback requests, form submissions
- Campaign data: outreach, delivery status, open and click statistics
3. Purposes and legal basis
| Purpose | Legal basis | Retention |
|---|---|---|
| Providing and administering the service | Performance of contract (Art. 6.1b) | Contract term + 12 months |
| Customer communication and support | Performance of contract (Art. 6.1b) | Contract term + 12 months |
| Invoicing and accounting | Legal obligation (Art. 6.1c) | 7 years (Swedish Bookkeeping Act) |
| Website analytics and improvement | Consent (Art. 6.1a) | 26 months or until consent is withdrawn |
| Marketing and newsletters | Consent (Art. 6.1a) | Until consent is withdrawn |
| Security and fraud prevention | Legitimate interest (Art. 6.1f) | 12 months |
| AI services (voice AI, chatbot) | Performance of contract (Art. 6.1b) | Per customer settings |
4. AI and automated decision-making
LeadCaller uses AI technology to deliver services such as voice AI, chat assistants and lead scoring.
- AI-generated calls and responses are based on instructions configured by the customer.
- Lead scoring and prioritisation are supportive and do not produce decisions with legal effect on individuals.
- Call data is not used to train AI models. Data is processed in real time and stored encrypted.
- AI services are provided by third-party processors (see section 6 on sub-processors).
In accordance with Article 22 of the GDPR, we do not make decisions based solely on automated processing that produce legal effects or similarly significantly affect you. You always have the right to request human review.
5. Cookies and tracking technologies
We use cookies and similar technologies. Analytics and marketing cookies are activated only after your consent via our cookie banner (Cookiebot).
The following third-party services may be activated with your consent:
- Google Tag Manager & Google Analytics — website analytics and conversion measurement
- Microsoft Clarity — session replay and behaviour analytics (sensitive data is masked)
- Meta Pixel (Facebook/Instagram) — conversion measurement and retargeting for advertising campaigns
You can change or withdraw your consent at any time via our cookie declaration.
6. Sub-processors and third parties
We share personal data with the following categories of recipients, all bound by data processing agreements (DPA):
| Sub-processor | Purpose | Data location |
|---|---|---|
| Amazon Web Services (AWS) | Infrastructure, servers, databases, storage | EU (Stockholm, eu-north-1) |
| Twilio | Telephony, SMS, call handling | EU/US (DPA + SCC) |
| Stripe | Payment processing | EU/US (DPA + SCC) |
| SendGrid (Twilio) | Email delivery, transactional email | US (DPA + SCC) |
| Anthropic | AI language model (Claude) for voice and chat services | US (DPA + SCC) |
| OpenAI | AI language model, embeddings | US (DPA + SCC) |
| Deepgram | Speech-to-text (voice transcription) | US (DPA + SCC) |
| Sentry | Error monitoring and diagnostics | US (DPA + SCC) |
| Cookiebot (Usercentrics) | Cookie consent management | EU |
| Google (GTM/GA) | Website analytics (with consent) | EU/US (DPA + SCC) |
| Microsoft Clarity | Session replay (with consent) | EU/US (DPA + SCC) |
| Meta Platforms, Inc. | Conversion tracking and retargeting (with consent) | US (DPA + SCC) |
SCC = EU Standard Contractual Clauses for transfers to third countries. Where sub-processors process data outside the EU/EEA, we ensure protection through EU Commission Standard Contractual Clauses (Art. 46.2c GDPR) together with supplementary technical and organisational measures.
7. International data transfers
Primary data storage is within the EU (AWS Stockholm). Some sub-processors process data in the US. For transfers outside the EU/EEA, we rely on:
- EU Standard Contractual Clauses (SCC)
- Technical safeguards (encryption at rest and in transit)
- Transfer Impact Assessments for each receiving country
8. Security measures
We implement appropriate technical and organisational measures to protect your data:
- AES-256 encryption at rest
- TLS 1.3 for all data in transit
- Role-based access control (RBAC) following the principle of least privilege
- Continuous security monitoring and automated threat detection
- Automated daily backups with geo-redundancy within the EU
- Regular security audits
Read more on our security page.
9. Your rights
Under the GDPR (and UK GDPR where applicable), you have the following rights regarding your personal data:
Right of access (Art. 15)
You have the right to request a copy of the personal data we process about you.
Right to rectification (Art. 16)
You have the right to have inaccurate data corrected without undue delay.
Right to erasure (Art. 17)
You have the right to request deletion of your data. Logged-in users can delete their account directly.
Right to restriction (Art. 18)
You have the right to request restriction of processing under certain conditions.
Right to data portability (Art. 20)
You have the right to receive your data in a machine-readable format. Export is available in account settings.
Right to object (Art. 21)
You have the right to object to processing based on legitimate interest or for direct marketing.
Right to withdraw consent
You may withdraw consent at any time. Withdrawal does not affect the lawfulness of prior processing.
To exercise your rights, contact us at info@leadcaller.com. We will respond to your request within 30 days.
10. Complaints to a supervisory authority
If you believe our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. Our lead authority is:
Swedish Authority for Privacy Protection (IMY)
Box 8114, 104 20 Stockholm, Sweden
Phone: +46 8 657 61 00
Website: www.imy.se
You may also contact the supervisory authority in your country of residence.
11. Data Processing Agreement (DPA)
When you as a customer use the LeadCaller service, we act as a data processor for the personal data processed within the service (e.g. your customers' contact details, call data). We provide a Data Processing Agreement (DPA) for all customers at no additional cost.
Contact us at info@leadcaller.com to request a Data Processing Agreement.
12. Changes to this policy
We may update this privacy policy from time to time. For material changes, we will notify you by email or through a notice on our website. The latest version is always available on this page.