Last Modified: 29 September 2022
What personal information does Aircall process in connection with the use of its services?
Aircall processes many categories of personal information – that is to say, personally identifiable information (PII), personal data, or however else such information is denominated by applicable privacy regulation - in connection with the use of Aircall’s services. Aircall categorizes this personal information as follows:
Customer's account data – Basic information needed to establish and maintain your account with Aircall, such as company name and contact details, including information about the main contact person.
Customer's contact data (from contact list) – Name, telephone number, owner and other information about contacts in the contact lists of the users (agents).
Customer's financial/payment data – Invoices and information about payment history. Please note that we do not store or in any other way process your full credit card information.
Information about agent - Name, telephone number(s), role, metrics, IP address, device information of the users (agents).
Call/SMS content – Content of messages sent via Aircall, call recordings, voicemails and voice transcriptions.
Call/SMS metadata – Traffic data related to a particular communication, such as sender’s/caller’s and recipient’s telephone number or timestamp.
Additional call-related data - Notes, tags, insight cards attached to a particular communication.
Customer's scanned documents – Proof of user’s (agent’s) identity or address uploaded to Aircall account or sent to Aircall’s supporting team.
The examples provided for each category are indicative and may not constitute the full list of personal information processed as part of the said categories.
Is Aircall a processor under the GDPR and other European privacy laws?
Aircall, in most circumstances, processes the above-listed categories of personal information exclusively on behalf of its customers and acts as a data processor in the meaning of data protection laws of the European Economic Area (EEA). As a result of that, Aircall concludes a Data Processing Agreement with its customers (see below for more information on how the DPA is concluded). Please consult the Data Processing Agreement for more information about how Aircall processes personal data on behalf of its customers.
Does Aircall advise its customers on how to comply with their privacy obligations when using Aircall’s services? How does Aircall help me comply with privacy compliance efforts?
Aircall’s services consist in the provision of a business phone solution (software as a service). Our customers may use the solution for various business use-cases and in different geographical areas. Aircall does not have control over the scope of particular data inserted by our customers in the Aircall solution, over the processing purposes for which our customers use such data, or over the scope of privacy laws applicable to such data. Aircall further fully recognizes that it is not entitled to provide legal advice to its customers. Therefore, Aircall cannot provide you with binding legal advice on how you should use the Aircall solution in compliance with the applicable to your particular case. Aircall, as a processor of the customers’ personal information, can neither guarantee that your usage of the Aircall’s solution will be compliant with the privacy laws applicable to you.
That said, Aircall’s modern business phone solution itself provides customers with many features that can assist in bolstering your privacy compliance efforts under different privacy laws. Speaking more concretely, below are a few examples of how Aircall can help its customers comply with certain key privacy rights of individuals – data subjects.
Right to be forgotten: Delete agent or contact. If a customer of yours or a former user (agent) requests his/her information be deleted, you may do so directly through your dashboard. The data will be removed from the application however some personal information may remain in the call recordings or metadata. Use your options related to call recordings, as described in the next sections.
Right to information and consent for call recording: Compliant inbound. Create your own welcoming message for inbound calls – provide information on personal data processing and obtain consent for call recording via this feature. Your account manager and onboarding team will help you with the setting.
Right to access: Export from the dashboard. Explore your export options in the dashboard. You can, for example, export the list of calls and call recordings made by a particular agent in the last 6 months.
Connecting to our API also provides a variety of options for data access – please explore these in our API documentation.
Data minimization: Use your options related to call recordings, as described in next sections.
Ask for our assistance with a data subject request: If the self-service options described herein do not satisfy your privacy compliance needs, you can also reach out to Aircall’s customer support with your request. Please refer to the relevant section hereof for more detail on how Aircall assists with your data subject requests.
Is Aircall HIPAA compliant?
If you are a covered entity under the Health Insurance Portability and Accountability Act (HIPAA) and you are interested in using the Aircall product, you might be concerned about Aircall's compliance with the obligations set forth by HIPAA and applicable to Aircall as your potential business associate.
We offer our covered entity customers the opportunity to enter into Aircall’s Business Associate Agreement, which you should sign if you will disclose any protected health information (PHI) to Aircall. Our Business Associate Agreement is tailored to the specifics of Aircall's product and services. Please note that it is your responsibility to let us know that you are a covered entity or business associate and you plan to disclose PHI to Aircall.
Aircall's privacy and security practices are designed to safeguard PHI disclosed to us pursuant to a business associate agreement in line with Aircall’s (and covered entities’) obligations under the HIPAA Privacy and Security Rules. You may at any time ask your Aircall sales representative or reach out to Aircall's privacy and security team for more information about these practices.
Does Aircall provide specific privacy compliance features for call recordings?
Yes. As explained in the first section hereof, we process your call recordings exclusively on your behalf. We thus offer certain options to accommodate your instruction for their processing.
We by default store your call recording for the period indicated in your pricing plan, which may be indefinite (but always up to 30 days following the termination of your relationship with Aircall). This applies regardless of how long you can only see your call history in your dashboard. Would you like us to change this retention period? Reach out to Aircall’s customer support (request will only be accommodated if submitted by admin user) and explain your needs.
Would you like us to delete a particular call or a bulk of calls made in certain time period in your account or by your user (agent)? Reach out to Aircall’s customer support (request will only be accommodated if submitted by admin user) and explain your needs.
Do you prefer to store your call recordings on your own infrastructure instead of using Aircall’s? Do you want to download your call recordings on a regular basis? You can download the recordings or use a webhook. Please see our tutorials for both options:
How does Aircall assist its customers with the fulfillment of their obligation to respond to requests for exercising the data subject's rights (DSRs) under the privacy laws?
Aircall invites its customers to submit all requests for assistance with DSRs via the dedicated GDPR section in Aircall’s customer support portal. Our support agents are at your disposal.
The requests will only be accommodated if submitted by an admin user.
We proceed with your request according to the applicable law. Please note that within such procedures, we also assess whether we are required to accommodate such requests. If this is not the case, we inform you accordingly and discuss possible solutions.
For example, if you request that we delete call metadata related to a particular individual, who asked you to do so under GDPR, we may not be able to accommodate your request, as we may find ourselves obliged to keep such data for a certain period under applicable European telecommunications law. In such a case, we have a legitimate reason to keep the metadata (process them for our own purpose – providing access to such metadata upon request of a public authority), we will restrict the processing of the call metadata by (i) removing them from your dashboard but (ii) maintaining them for the above-described processing purpose(s), as data controllers, in dedicated databases in out system.
As an Aircall customer, do we need to carry out a data protection impact assessment (DPIA)? If so, how does Aircall support its customers in carrying out the DPIA?
In relation to the processing of personal information necessary for the provision of the Aircall’s service, your company acts as a data controller, i.e. your company decides also on the purposes for which your data is used by the users of your Aircall account (on the use-cases for which you use our platform). Thus it is also your own responsibility to (i) evaluate whether a DPIA needs to be carried out for your usage of Aircall’s service, and (ii) potentially carry out your DPIA under the applicable laws. Aircall does not possess the information required under the applicable laws to carry out the DPIA for you, however, we are committed to assisting you in your DPIA efforts.
For example, where the GDPR (incl. the UK GDPR) applies, Article 35(7) of the (UK) GDPR requires that the DPIA contains the following [see in square brackets the references to materials provided by Aircall to support your DPIA efforts]:
(a) A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller; [For the description of the envisaged processing operations, please see the description of the processing purposes and activities in Exhibit A of Aircall’s Data Processing Agreement (DPA). Further description of processing purposes and legitimate interests, where applicable, depends on your company’s use cases, i.e. whether you use Aircall for direct marketing, customer support, general outbound marketing, intra-group communication etc.]
(b) An assessment of the necessity and proportionality of the processing operations in relation to the purposes; [Since this assessment is derived from information under letter (a), it depends on your company’s use cases.]
(c) An assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and [Since this assessment must also be derived from information under letter (a), it again depends on your company’s use cases.]
(d) The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned. [In this part please feel free to refer to the security-related information provided on our Security page, Exhibit B of our DPA, and relevant sections of the DPA related to the data transfers.]
Please also have in mind that the Data Protection Authorities in different countries suggest using different templates for the DPIA and even use different lists of activities for which the DPIA needs / needs not to be carried out.
As an Aircall customer, what do we need to do in order to conclude a Data Processing Agreement (DPA) with Aircall?
Does Aircall use third parties (sub-processors) to process personal information on our behalf? Can Aircall provide more detail about why and where such third parties process the personal information?
Yes, Aircall uses third parties - sub-processors - to process personal information on customers’ behalf. Sharing some of the customers’ personal information with these sub-processors is necessary for the provision of Aircall’s service, including ensuring that the Aircall platform operates properly in line with the contracted standard.
Please see more information about why and where such third parties process the personal information here. The referred document forms an inseparable part of the Data Processing Agreement between Aircall and its customers. Sections 5 and 6 of the Data Processing Agreement further describes Aircall’s commitments in relation to the usage of the sub-processors.
Where does Aircall store my data?
Personal information processed by Aircall in relation to your usage of its products and services is hosted on AWS servers in the following locations:
Call recordings and voicemails: If you created your Aircall account before May 3, 2022, your call recordings and voicemails are stored on AWS US West servers in Oregon, USA, unless you explicitly agreed with an Aircall representative to have your call recordings and voicemails stored on servers located in the Frankfurt, Germany or in Sydney, Australia. If you created your Aircall account after May 3, 2022, your call recordings and voicemails are stored (i) on AWS US West servers in Oregon, USA, if upon signing up with Aircall you introduces a phone number with country code of a Northern American country; (ii) on AWS servers located in Frankfurt, Germany, if upon signing up with Aircall you introduced a phone number with country code of an EMEA country; (iii) on AWS servers located in Sydney, Australia, if upon signing up with Aircall you introduced a phone number with country code of APAC country, unless you explicitly agreed with Aircall representative to have your call recordings and voicemails stored on one of the other available locations.
All other personal information: All other personal information is stored on AWS US West servers in Oregon, USA.
All personal information stored by Aircall is encrypted (at transit using TLS 1.2, at rest AES-256).
If you want to obtain more information or coordinate the storage location of your call recordings and voicemails, please contact your Customer Success Manager or Aircall’s Privacy team.
Does Aircall transfer personal data from the EEA to non-adequate third countries on behalf of its customers? Did Aircall perform a transfer impact assessment (TIA) and implement any supplementary measures?
Yes. Personal data inserted into the Aircall platform are processed in third countries, which may not benefit from European Commission’s (and/or the UK government’s) adequacy decision (“non-adequate third countries”). Aircall transfers such personal data via its sub-processors, which are located in these countries (for more detail regarding Aircall’s usage of sub-processors please consult the corresponding section hereof).
An up-to-date list of all countries, to which Aircall transfers personal data (including the non-adequate countries), and the respective Aircall’s sub-processors, can be found in Sections 5 and 6 of Aircall’s Data Processing Agreement (DPA).
Aircall has performed and keeps continuously developing a six-step transfer impact assessment (TIA) with respect to these data transfers in line with EDPB’s Recommendations 1/2020 and subsequent guidance provided by the EDPB and the European Commission. Aircall does not share the TIA externally for confidentiality reasons and due to the living nature of the TIA. Please find below, however, a summary of Aircall’s current findings in the TIA:
Step 1 as per the EDPB’s Recommendations 1/2020 - We work from the fact that Aircall transfers personal data, which Aircall processes on behalf of its customers, to its suppliers listed in the sub-processors list in Section 5.1. of our DPA. These sub-processors process the transferred data in two non-adequate countries:
- The USA; and
Step 2 - Our transfers rely on the following mechanisms:
- The Standard Contractual Clauses 2021 (with most of the sub-processors); or
- The Standard Contractual Clauses 2010 supplemented by organizational measures in the same extent as in Section 6.4 of our DPA (with several sub-processors with which we have not yet managed to conclude the SCCs 2021); or
- Approved BCRs in case of Twilio (which are publicly available, see here).
Steps 3 & 4 - Assessment of effectiveness of the mechanisms, i.e. assessment of the law and practices of the third countries in the context of the specific transfers, and identification of supplementary measures:
USA - The legal framework and its non-adequacy has been broadly assessed by the CJEU in the Schrems II decision, as well as consequent decisions of various national DPAs. Based on these precedents (and taking into account Section 40 of the EC’s SCCs 2021 FAQs) we conclude that:
The Standard Contractual Clauses 2010 are unlikely to provide effective safeguards for any of our transfers. Due to that, we concluded the supplementary organizational measures to the same extent as in Section 6.4 of our DPA together with these SCCs (+ technical measures listed under the next bullet point are also applicable here).
The Standard Contractual Clauses 2021 & Twilio BCRs are likely to provide effective safeguards for most of our transfers due to its strict procedure for disclosure requests and also considering our strong security measures (most notably the encryption of all data in transit and at rest - see our Security page for more detail). However, we are taking a conservative approach and we are currently implementing the following additional technical safeguards with respect to our most “sensitive“ transfers:
Hosting - We are deploying a multi-regional hosting solution, based on which we currently offer hosting of call recordings and voicemails on servers located in Germany. All other data processed by Aircall (account data, user data, call analytics etc..) is hosted on servers in the US.
Adjustments to EU infrastructure of various Sub-processors - Several of Aircall's Sub-processors recently started offering an EU-based infrastructure, to which we are aiming at moving our operations, thus eliminating third-country data transfers to these providers.
Vietnam - To our knowledge there is no precedent decision regarding the laws and practices in Vietnam. Aircall adopts the same approach as for the transfers to the USA. We believe these measures are sufficient also considering the circumstances of our transfer of data to Vietnam - the corresponding Sub-processor has solely a remote access to Aircall’s security logs. The security logs contain pseudonymised data (user IDs, call IDs..). We believe that such access constitutes a data transfer under the (UK) GDPR definitions, however, it is a very limited transfer.
Steps 5 & 6 - As per above.
How does Aircall protect my data?
Aircall has established technical and organizational safeguards to protect your data including the personal information processed by Aircall on customers' behalf.
Aircall maintains an information security program striving to meet the ever-evolving industry standards, constantly assessing and monitoring the level of security provided to customers’ data and ensuring appropriate reaction to information security incidents, including personal data breaches.
The technical and organizational safeguards form a part of our commitment to our customers as described in our Data Processing Agreement.
Please see also our page on information security here for more detail on the currently applied technical and organizational safeguards.
How long does Aircall keep our data for? How can we ensure deletion of our data when we need to?
Aircall follows its Customer Data Retention Policy, which sets retention periods for the different categories of personal information, as described below.
For categories of personal information processed exclusively on behalf of the customer, we invite each customer:
- To use self-service options inside Aircall product for deletion of Customer's contact data (from contact list), Call data – other (notes, tags and insight cards) and Customer's scanned documents; and
- To inform our sales representative before opening your Aircall account or to contact Aircall’s customer support, once your account is created, in order to tell us your retention preference for Call/SMS content.
Where may I find additional information regarding Aircall’s processing of personal information?
For more detail about how we process personal information on behalf of our customers, please consult our Data Processing Agreement.
If you are a developer and you are keen for more detail and options how to build in with the highest privacy standard (and compliance with privacy by design principles), we also suggest that you read through our API documentation, which offers a lot of tips for you to customize how different data is used and stored!
Who stands behind Aircall’s privacy management and who can I contact in case of further questions or concerns?
Aircall maintains a complex privacy management program consisting in, above all, internal policies, procedures, other organizational and technical measures and monitoring of privacy legislation development, regular update of Aircall’s privacy documentation and support with customers’ queries.
For matters related to security (including with reports of detected vulnerabilities), please contact us at firstname.lastname@example.org.
The phone system for modern business