- General information about Aircall's processing of customer personal data
- 1. What personal information does Aircall process in connection with the use of its services?
- 2. Is Aircall a processor under the GDPR and other European privacy laws?
- 3. As an Aircall customer, what do we need to do in order to conclude a Data Processing Agreement (DPA) with Aircall?
- 4. Does Aircall advise its customers on how to comply with their privacy obligations when using Aircall services? How does Aircall help me comply with privacy compliance efforts?
- 5. Does Aircall provide specific privacy compliance features for call recordings?
- Data subject requests
- 6. How does Aircall assist its customers with the fulfillment of their obligation to respond to requests for exercising the data subject's rights (DSRs) under the privacy laws?
- Data protection impact assessment
- 7. As an Aircall customer, do we need to carry out a data protection impact assessment (DPIA)? If so, how does Aircall support its customers in carrying out the DPIA?
- Personal data transfers
- 8. Does Aircall use third parties (subprocessors) to process personal information on its customers’ behalf? Can Aircall provide more detail about why and where such third parties process the personal information?
- 9. Does Aircall transfer European personal data to non-adequate third countries on behalf of its customers?
- 10. Did Aircall perform a transfer impact assessment (TIA) and implement any supplementary measures?
- Security and storage
- 11. How does Aircall protect its customers’ data?
- 12. Where does Aircall store its customers’ data?
- 13. How long does Aircall keep its customers’ data for? How can an Aircall customer ensure deletion of data when needed?
- Regional specifics: the United Kingdom
- 14. How does Aircall address the specific requirements of the UK privacy
- 15. Is Aircall registered with the ICO?
- Framework specifics: HIPAA
- 16. Is the Aircall solution HIPAA compliant?
- Additional information and contact
- 17. Where may I find additional information regarding Aircall’s processing of personal information?
- 18. Does Aircall have a Data protection Officer? Who can I contact in case of further questions or concerns?
General information about Aircall's processing of customer personal data
1. What personal information does Aircall process in connection with the use of its services?
Aircall processes many categories of personal information – that is to say, personally identifiable information (PII), personal data, or however else such information is denominated by applicable privacy regulation - in connection with the use of Aircall services. Aircall categorizes this personal information as follows:
Customer account data – Basic information needed to establish and maintain your account with Aircall, such as company name and contact details, including information about the main contact person.
Customer contact data (from contact list) – Name, telephone number, owner and other information about contacts in the contact lists of the users.
Customer financial/payment data – Invoices and information about payment history. Please note that we do not store or in any other way process your full credit card information.
Information about user - Name, telephone number(s), role, metrics, IP address, device information of the users.
Call/SMS content – Content of messages sent via Aircall, call recordings, voicemails and voice transcriptions.
Call/SMS metadata – Traffic data related to a particular communication, such as sender’s/caller’s and recipient’s telephone number or timestamp.
Additional call-related data - Notes, tags, insight cards attached to a particular communication.
Customer identity verification data - Information required by local laws for verification of customers’ identity for assignment of phone numbers in a given location, such as Customer’s physical address, Customer nationality, Customer type of personal ID.
Customer provided documentation – Proof of customer’s (representative) identity or address uploaded to Aircall account or sent to Aircall’s supporting team.
The examples provided for each category are indicative and may not constitute the full list of personal information processed as part of the said categories.
2. Is Aircall a processor under the GDPR and other European privacy laws?
Aircall, in most circumstances, processes the above-listed categories of personal information exclusively on behalf of its customers and acts as a data processor in the meaning of European data protection laws. As a result of that, Aircall concludes a Data Processing Agreement with its customers (see below for more information on how the DPA is concluded). Please consult the Data Processing Agreement for more information about how Aircall processes personal data on behalf of its customers.
3. As an Aircall customer, what do we need to do in order to conclude a Data Processing Agreement (DPA) with Aircall?
4. Does Aircall advise its customers on how to comply with their privacy obligations when using Aircall services? How does Aircall help me comply with privacy compliance efforts?
Aircall services consist of the provision of a business phone solution (software as a service). Our customers may use the solution for various business use-cases and in different geographical areas. Aircall does not have control over the scope of particular data inserted by our customers in the Aircall solution, over the processing purposes for which our customers use such data, or over the scope of privacy laws applicable to such data. Aircall further fully recognizes that it is not entitled to provide legal advice to its customers. Therefore, Aircall cannot provide you, as an Aircall customer, with binding legal advice on how you should use the Aircall solution in compliance with the privacy laws applicable to your particular case. Nor can Aircall, as a processor of the customer personal information, guarantee that your usage of the Aircall solution will be compliant with the privacy laws applicable to you.
That said, Aircall’s modern business phone solution itself provides customers with many features that can assist in bolstering your privacy compliance efforts under different privacy laws. Speaking more concretely, below are a few examples of how Aircall can help its customers comply with certain key privacy rights of individuals – data subjects.
Delete contact: If a customer of yours or a former user (agent) requests that his/her information be deleted, you may do so directly through your dashboard. The data will be removed from the application; however, some personal information may remain in the call recordings or metadata. Use your options related to call recordings, as described in the next sections.
Right to information and consent for call recording: Create your own welcoming message for inbound calls – provide information on personal data processing and obtain consent for call recording via this feature. Your account manager and onboarding team will help you with the setting.
Right to access: Explore your export options in the dashboard. You can, for example, export the list of calls and call recordings made by a particular agent in the last 6 months.
Connecting to our API also provides a variety of options for data access – please explore these in our API documentation.
Ask for our assistance with a data subject request: If the self-service options described herein do not satisfy your privacy compliance needs, you can also reach out to Aircall customer support with your request. Please refer to the relevant section hereof for more detail on how Aircall assists with your data subject requests.
5. Does Aircall provide specific privacy compliance features for call recordings?
Yes. We process our customers’ call recordings exclusively on their behalf. We thus offer certain options to accommodate their instructions for the processing of these recordings.
By default, we store your call recordings for the period indicated in your pricing plan, which may be indefinite (but always up to 30 days following the termination of your relationship with Aircall). This applies regardless of how long your call history remains visible in your dashboard.
Would you like us to change this retention period? Reach out to Aircall customer support (request will only be accommodated if submitted by admin user) and explain your needs.
Would you like us to delete a particular call or a bulk of calls made in certain time period in your account or by your user (agent)? Reach out to Aircall customer support (request will only be accommodated if submitted by admin user) and explain your needs.
Do you prefer to store your call recordings on your own infrastructure instead of using Aircall’s? Do you want to download your call recordings on a regular basis? You can download the recordings or use a webhook. Please see our tutorials for both options:
Data subject requests
6. How does Aircall assist its customers with the fulfillment of their obligation to respond to requests for exercising the data subject's rights (DSRs) under the privacy laws?
Aircall invites its customers to submit all requests for assistance with DSRs via the dedicated GDPR section in Aircall customer support portal. Our support agents are at your disposal.
The requests will only be accommodated if submitted by an admin user.
We proceed with your request according to the applicable law. Please note that within such procedures, we also assess whether we are required to accommodate such requests. If this is not the case, we inform you accordingly and discuss possible solutions.
For example, if you request that we delete call metadata related to a particular individual, who asked you to do so under GDPR, we may not be able to accommodate your request, as we may find ourselves obliged to keep such data for a certain period under applicable European telecommunications law. In such a case, where we have a legitimate reason to keep the metadata (to process them for our own purpose – providing access to such metadata upon request of a public authority), we will restrict the processing of the call metadata by (i) removing them from your dashboard but (ii) maintaining them for the above-described processing purpose(s), as data controllers, in dedicated databases in our system.
Data protection impact assessment
7. As an Aircall customer, do we need to carry out a data protection impact assessment (DPIA)? If so, how does Aircall support its customers in carrying out the DPIA?
In relation to the processing of personal information necessary for the provision of the Aircall service, your company acts as a data controller, i.e. your company also decides on the purposes for which your data is used by the users of your Aircall account (on the use-cases for which you use our platform). Thus it is also your own responsibility to (i) evaluate whether a DPIA needs to be carried out for your usage of the Aircall service, and (ii) potentially carry out your DPIA under the applicable laws. Aircall does not possess the information required under the applicable laws to carry out the DPIA for you; however, we are committed to assisting you in your DPIA efforts.
For example, where the GDPR (incl. the UK GDPR) applies, Article 35(7) of the (UK) GDPR requires that the DPIA contains the following [see in square brackets the references to materials provided by Aircall to support your DPIA efforts]:
(a) A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller; [For the description of the envisaged processing operations, please see the description of the processing purposes and activities in Exhibit A of Aircall Data Processing Agreement (DPA). Further description of processing purposes and legitimate interests, where applicable, depends on your company’s use cases, i.e. whether you use Aircall for direct marketing, customer support, general outbound marketing, intra-group communication etc.]
(b) An assessment of the necessity and proportionality of the processing operations in relation to the purposes; [Since this assessment is derived from information under letter (a), it depends on your company’s use cases.]
(c) An assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and [Since this assessment must also be derived from information under letter (a), it again depends on your company’s use cases.]
(d) The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned. [In this part please feel free to refer to the security-related information provided on our Security page, Exhibit B of our Data Processing Agreement, and relevant sections of the Data Processing Agreement related to the data transfers.]
Please also bear in mind that the Data Protection Authorities in different countries suggest using different templates for the DPIA and even use different lists of activities for which a DPIA does or does not need to be carried out.
Personal data transfers
8. Does Aircall use third parties (subprocessors) to process personal information on its customers’ behalf? Can Aircall provide more detail about why and where such third parties process the personal information?
Yes, Aircall uses third parties, as well as various entities from the Aircall group of companies - subprocessors - to process personal information on customers’ behalf. Sharing some of the customer information with these subprocessors is necessary for the provision of the Aircall service, including ensuring that the Aircall platform operates properly in line with the contracted standard.
Please see more information about why and where such third parties process the personal information here. The referred document forms an inseparable part of the Data Processing Agreement between Aircall and its customers. Sections 5 and 6 of the Data Processing Agreement further describe Aircall’s commitments in relation to the usage of the subprocessors.
9. Does Aircall transfer European personal data to non-adequate third countries on behalf of its customers?
Yes. Personal data inserted into the Aircall platform are processed in third countries, which may not benefit from European Commission’s (and/or the UK government’s) adequacy decision (“non-adequate third countries”).
An up-to-date list of all countries, to which Aircall transfers personal data (including the non-adequate countries), and the respective subprocessors, can be found in Sections 5 and 6 of the Data Processing Agreement (DPA).
10. Did Aircall perform a transfer impact assessment (TIA) and implement any supplementary measures?
Aircall has performed and keeps continuously developing a six-step transfer impact assessment (TIA) with respect to these data transfers in line with EDPB’s Recommendations 1/2020 and subsequent guidance provided by the EDPB and the European Commission. Aircall does not share the TIA externally for confidentiality reasons and due to the living nature of the TIA. Please find below, however, a summary of Aircall’s current findings in the TIA:
Step 1 as per the EDPB’s Recommendations 1/2020 - We work from the fact that Aircall transfers personal data, which Aircall processes on behalf of its customers, to its suppliers listed in the subprocessors list in Section 5.1. of our DPA. These subprocessors process the transferred data in four non-adequate countries:
Step 2 - Our transfers rely on the following mechanisms:
The Standard Contractual Clauses 2021 (with most of the subprocessors); or
Approved BCRs in case of Twilio (which are publicly available, see here).
Steps 3 & 4 - Assessment of effectiveness of the mechanisms, i.e. assessment of the law and practices of the third countries in the context of the specific transfers, and identification of supplementary measures:
USA - The legal framework and its non-adequacy have been broadly assessed by the CJEU in the Schrems II decision, as well as in subsequent decisions of various national DPAs. Based on these precedents (and taking into account Section 40 of the EC’s SCCs 2021 FAQs) we conclude that:
The Standard Contractual Clauses 2021 & Twilio BCRs are likely to provide effective safeguards for most of our transfers due to their strict procedure for disclosure requests and also considering our strong security measures (most notably the encryption of all data in transit and at rest - see our Security page for more detail). However, we are taking a conservative approach and we are currently implementing the following additional technical safeguards with respect to our most “sensitive” transfers:
Hosting - We are deploying a multi-regional hosting solution, based on which we currently offer hosting of call recordings and voicemails on servers located in Germany. All other data processed by Aircall (account data, user data, call analytics, etc.) is hosted on servers in the US.
Adjustments to EU infrastructure of various subprocessors - Several of Aircall's subprocessors recently started offering an EU-based infrastructure, to which we aim to move our operations, thus eliminating third-country data transfers to these providers.
Vietnam - To our knowledge there is no precedent decision regarding the laws and practices in Vietnam. Aircall adopts the same approach as for the transfers to the USA. We believe these measures are sufficient also considering the circumstances of our transfer of data to Vietnam - the corresponding subprocessor has solely remote access to Aircall’s security logs. The security logs contain pseudonymised data (user IDs, call IDs, etc.). We believe that such access constitutes a data transfer under the (UK) GDPR definitions; however, it is a very limited transfer.
Australia & India - The transfers to Australia & India are limited to intragroup processors. To our knowledge there is no precedent decision regarding the laws and practices in Australia or India. For intragroup transfers Aircall has an Intra-Group Data Processing and Transfer Agreement in place, which contains all mandatory clauses under the applicable laws (incl. under Articles 26(1) and 28(3) of the GDPR), regulates the rights and obligations of each group entity with respect to the processing of personal data shared in the group, and includes Standard Contractual Clauses 2021 for transfers of personal data to non-adequate third countries. We also enforce unified security standards (see Section 11 below) that must be upheld across the group and are subject to periodical external audit. The intragroup subprocessors are provided solely with remote access and only for selected / dedicated employees (need-to-know principle as per our access control policy).
Steps 5 & 6 - As per above.
Security and storage
11. How does Aircall protect its customers’ data?
Aircall has established technical and organizational safeguards to protect customer data including the personal information processed by Aircall on customers' behalf.
Aircall maintains an information security program striving to meet the ever-evolving industry standards, constantly assessing and monitoring the level of security provided to customer data and ensuring appropriate reaction to information security incidents, including personal data breaches.
The technical and organizational safeguards form a part of our commitment to our customers as described in our Data Processing Agreement.
Please see also our Security page for more detail on the currently applied technical and organizational safeguards.
12. Where does Aircall store its customers’ data?
Personal information processed by Aircall in relation to the usage of its products and services is hosted on AWS servers in the following locations:
Call recordings and voicemails: If you created your Aircall account before May 3, 2022, your call recordings and voicemails are stored on AWS US West servers in Oregon, USA, unless you explicitly agreed with an Aircall representative to have your call recordings and voicemails stored on servers located in Frankfurt, Germany or in Sydney, Australia.
If you created your Aircall account after May 3, 2022, your call recordings and voicemails are stored (i) on AWS US West servers in Oregon, USA, if upon signing up with Aircall you introduced a phone number with the country code of a North American country; (ii) on AWS servers located in Frankfurt, Germany, if upon signing up with Aircall you introduced a phone number with the country code of an EMEA country; (iii) on AWS servers located in Sydney, Australia, if upon signing up with Aircall you introduced a phone number with the country code of an APAC country, unless you explicitly agreed with an Aircall representative to have your call recordings and voicemails stored in one of the other available locations.
All other personal information: All other personal information is stored on AWS US West servers in Oregon, USA. Please note that this includes the voice transcriptions, which are currently stored exclusively on AWS US West servers in Oregon, USA, regardless of where the transcribed call recording or voicemail is stored.
All personal information stored by Aircall is encrypted (in transit using TLS 1.2, at rest using AES-256).
If you want to obtain more information or coordinate the storage location of your call recordings and voicemails, please contact your Customer Success Manager or Aircall’s Privacy team.
13. How long does Aircall keep its customers’ data for? How can an Aircall customer ensure deletion of data when needed?
Aircall follows its Customer Data Retention Policy, which sets retention periods for the different categories of personal information, as described below.
For categories of personal information processed exclusively on behalf of the customer, we invite each customer:
To use self-service options inside the Aircall product for deletion of Customer's contact data (from contact list), Additional call-related data (notes, tags and insight cards) and Customer provided documents; and
To inform our sales representative before opening your Aircall account or to contact Aircall’s customer support, once your account is created, in order to tell us your retention preference for Call/SMS content.
Regional specifics: the United Kingdom
14. How does Aircall address the specific requirements of the UK privacy
At Aircall we keep up to date with the current development of the privacy regulation and case law including post-Brexit privacy regulation in the UK and make sure to reflect necessary changes in our privacy compliance program.
Where sharing some of the customers’ personal information with subprocessors from third countries is necessary, we ensure that an adequate level of data protection for UK data subjects is met. Unless the recipients are located in countries that have been deemed adequate by the UK Government, we put in place data transfer agreements based on the applicable European Commission-approved Standard Contractual Clauses as modified by the international data transfer Addendum approved by the UK Parliament or rely on other available data transfer mechanisms to protect the personal data so transferred.
15. Is Aircall registered with the ICO?
Yes. In accordance with the UK GDPR, Aircall is registered as a data processing entity with the Information Commissioner's Office (ICO). For more information please consult our ICO registration here.
Framework specifics: HIPAA
16. Is the Aircall solution HIPAA compliant?
If you are a covered entity or a business associate under the Health Insurance Portability and Accountability Act (HIPAA) and you are interested in using the Aircall product for the processing of the protected health information (PHI), you might be concerned about Aircall's compliance with the obligations set forth by HIPAA and applicable to Aircall as your potential business associate.
We offer our customers the opportunity to enter into Aircall’s Business Associate Agreement, which you should sign if you will disclose any PHI to Aircall. Our Business Associate Agreement is tailored to the specifics of the Aircall product and services. Please note that it is your responsibility to let us know that you are a covered entity or business associate and you plan to disclose PHI to Aircall.
Aircall's privacy and security practices are designed to safeguard PHI disclosed to us pursuant to a business associate agreement in line with the parties’ obligations under the HIPAA Privacy and Security Rules. You may at any time ask your Aircall sales representative or reach out to Aircall's privacy and security team for more information about these practices.
Additional information and contact
17. Where may I find additional information regarding Aircall’s processing of personal information?
For more detail about how we process personal information on behalf of our customers, please consult our Data Processing Agreement.
If you are a developer and want more detail and options on how to build with the highest privacy standard (and in compliance with privacy by design principles), we also suggest that you read through our API documentation, which offers tips for customizing how different data is used and stored.
18. Does Aircall have a Data protection Officer? Who can I contact in case of further questions or concerns?
Aircall maintains a complex privacy management program consisting of, above all, internal policies, procedures, other organizational and technical measures, monitoring of privacy legislation development, regular updates of Aircall’s privacy documentation and support with customers’ queries.
The program is overseen by the Data protection Officer of Aircall SAS, registered with the French Commission nationale de l'informatique et des libertés (CNIL).
For matters related to security (including reports of detected vulnerabilities), please contact us at email@example.com.