Privacy at a glance
What happens to your data when Skaala answers a call.
Skaala uses customer and call data to answer, book, route, and summarise calls. We keep the policy readable so owners can see what is collected, why it is used, and how to exercise their rights.
- Only what's necessary for our service, in accordance with data minimisation principles
- Never sold, only shared with vetted sub-processors under strict contractual safeguards
- Full GDPR rights including access, rectification, erasure, and data portability
- ISO 27001 aligned ISMS with enterprise-grade encryption and comprehensive safeguards
1. Categories of Personal Data Processed
Client-Provided and Account Information
We follow the data-minimisation principle in Article 5(1)(c) GDPR. To run and manage the Service, we collect:
- Identity and Contact Data: Full name, corporate name, email address, telephone number, and physical address for billing
- Authentication Data: Your login credentials and security information. These are managed by our designated secure authentication service provider.
- Business Contextual Data: Your company name, industry, and knowledge base. The AI uses this to do its job.
- Financial and Transactional Data: Payment methods, subscriptions, and transaction history. These are processed by our PCI-DSS compliant payment gateway.
Service-Generated and Processed Communication Data
Data that is generated, transmitted, and processed as an intrinsic function of the Service:
- Audio and Transcription Data: Audio recordings of phone calls, real-time audio streams, and the text transcriptions they produce
- Interaction Metadata: System-generated data such as the caller's and recipient's phone numbers, call direction, timestamps, and AI interaction summaries
- AI interaction logs and analysis of what was said in conversations
- Integrated Service Data: The minimal calendar data needed for authorized integrations and scheduling
Automatically Collected Technical Data
Information we collect automatically when you use our website or platform dashboard:
- System, application, and user activity logs. We generate these for all critical systems and protect them from unauthorized access.
- Device and Connection Information: IP address, browser type and version, operating system, and device identifiers
- Service usage statistics, feature use, and error reports, fed into a central logging platform
- Cookies and similar tracking technologies as per our Cookie Policy
2. Legal Basis and Purposes of Processing
Performance of a Contract (Article 6(1)(b) GDPR)
- Creating, maintaining, and securing your account so we can deliver the Service
- Providing core AiCall Services functions, including processing Audio Data
- Managing subscriptions and processing payments through sub-processors
- Providing customer support and sending administrative communications
Legitimate Interests (Article 6(1)(f) GDPR)
- Analyzing anonymized or pseudonymized data to improve AI model performance and accuracy
- Compiling aggregated, anonymized statistics for internal business intelligence
- Monitoring our systems to prevent security incidents and fraud
- Protecting the integrity of our IT infrastructure, as set out in our Operations Security Policy
3. Automated Decision-Making & AI Processing
Skaala uses artificial intelligence to process personal data in several ways. In accordance with GDPR Article 22, Quebec Law 25 Section 12.1, and the UK GDPR, we disclose the following automated decision-making systems:
AI Call Handling
Our AI agent answers incoming calls automatically. It routes them to the right person or department, creates bookings, and decides whether to transfer a call to a human. It makes these decisions using the caller's voice input, your business context, and your service configuration.
Data used: caller voice audio, phone number, business knowledge base, service catalog, staff availability.
Human review: Business owners can review all call logs, transcripts, and AI decisions through the dashboard.
Contact Scoring & Profiling
Our CRM automatically generates scores and predictions for contacts. These include churn risk, estimated lifetime value (LTV), interaction frequency, and familiarity tiering. The scores help business owners prioritise customer relationships.
Data used: call history, booking frequency, interaction patterns, sentiment analysis from conversations.
Human review: All scores are visible to and can be overridden by the business owner via the dashboard.
Booking Automation
The AI automatically matches available time slots, assigns staff, resolves scheduling conflicts, and confirms bookings. It bases these decisions on service duration, staff skills, calendar availability, and your business rules.
Data used: service type, staff availability, calendar data, booking preferences.
Human review: Business owners can manually override any booking via the dashboard.
Conversation Analysis
After each call, the AI writes a summary, identifies the caller's intent, scores sentiment, and flags issues or follow-up needs. This helps business owners understand customer interactions without listening to full recordings.
Data used: call transcripts, caller context, conversation flow.
Human review: Business owners can review full transcripts and override any AI-generated analysis.
You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. You can request human intervention, express your point of view, and contest any automated decision. To do so, contact us at hello@skaala.ai.
Callers are informed at the beginning of each call that they are speaking with an AI assistant. Post-call communications include a notice that the interaction was AI-processed.
4. OAuth and Third-Party Integrations
Calendar Integrations
When you connect calendar services (Google Calendar, Microsoft Outlook), we access only the minimum data necessary in accordance with standard authentication protocols:
- Reading your availability to prevent scheduling conflicts
- Creating new calendar events when explicitly requested
- Reading basic calendar information, strictly on the basis of your explicit authorization
Important: You can revoke these permissions at any time through your Google or Microsoft account settings.
5. Data Sharing and Categories of Recipients
Engagement of Sub-processors
We use vetted third-party service providers as Data Processors. Each one is bound by a GDPR-compliant Data Processing Agreement:
- Audio stream processing and voice synthesis provider, for AI voice capabilities
- Telephony and SMS provider for communication services
- Payment Gateway Provider (PCI-DSS compliant) for financial transactions
We Never Sell Your Data: We do not sell, rent, or trade your Personal Data to any third parties.
6. Data Security Measures
Technical Safeguards
- Cryptography Policy: TLS 1.2+ for data in transit and AES-256 for data at rest, with a dedicated KMS for key management
- Access Control Policy: least-privilege access, unique user IDs, and mandatory MFA for all remote and critical-system access
- Secure Operations: formal processes for change management, malware protection, logging, and monitoring
- Regular vulnerability scans, peer code reviews, and strict separation of development, testing, and production environments
Organizational Measures
- Formal Information Security Incident Management Plan (ISMS-PLAN-001) for swift incident response
- Business Continuity and Disaster Recovery Plan with RPO of 1 hour and RTO of 4 hours for core platform
- Multi-AZ database replication with point-in-time recovery capabilities
- Secure Software Development Lifecycle (SDLC) with mandatory secure coding guidelines
7. Your Rights as a Data Subject
Under the GDPR, you have a comprehensive set of rights that we are fully committed to upholding:
To exercise these rights or lodge a complaint with the Swedish Authority for Privacy Protection (IMY), contact us at hello@skaala.ai.
We acknowledge requests promptly, normally within 72 hours, and respond in full without undue delay and within one month of receipt, extendable by two further months for complex requests (Article 12(3) GDPR).
8. Contact Information
For any questions, concerns, or requests pertaining to this Policy or our data processing practices:
Data Controller
AiCall AB
Husarvikstorget 4, 115 47 Stockholm
Organization Number: 5594654583
Supervisory Authorities
Sweden / EU: Swedish Authority for Privacy Protection (IMY), Box 8114, 104 20 Stockholm, imy.se
United Kingdom: Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, ico.org.uk
Quebec (Law 25): Commission d'accès à l'information du Québec (CAI), cai.gouv.qc.ca
Canada (PIPEDA): Office of the Privacy Commissioner of Canada (OPC), priv.gc.ca
We acknowledge requests promptly, normally within 72 hours, and provide a full response without undue delay and within one month of receipt, extendable by two further months for complex requests (Article 12(3) GDPR).
9. Amendments and Revisions
AiCall AB reserves the right to amend this Policy to reflect changes in our practices or legal requirements. This Policy is reviewed at least annually as part of our formal Management Review process. The 'Effective Date' will be updated, and for material changes, we will provide prominent notice.
