Privacy Policy

This Privacy Policy explains how Zavo LTD, a company registered in England and Wales (company number 14543620), whose registered office is at 3 Orchard Pl, Broadway, London SW1H 0BF, United Kingdom (Zavo, we, us or our), collects, uses and protects personal data, and the rights you have under UK data protection law — the UK GDPR and the Data Protection Act 2018.

It applies to our website, the Zavo dashboard and our AI phone-agent service (together, the Service). Zavo is a business-to-business service; this policy is written for the people at the businesses we deal with — visitors, prospects, account holders and their teams.

Data protection law distinguishes the controller (who decides why and how data is used) from the processor (who handles it on the controller's behalf). Zavo acts in both roles, depending on the data:

• We are the controller for personal data about our website visitors, prospects, and the people who register for and administer customer accounts — for example account, billing, support and usage data. This policy governs that data.
• We are a processor for the personal data our business customers run through the Service about their own callers and contacts — for example call audio, recordings and transcripts. The customer is the controller of that data; we process it only on their instructions under our Data Processing Agreement (DPA).

If a business used a Zavo AI agent to call you, or you called a number it runs, that business — not Zavo — is the controller of your data. Please contact them to exercise your rights. We will help them respond as their processor.

As a controller, we may collect and use:

• Account & identity data — name, work email, phone number, job title, company, and login credentials.
• Billing & transaction data — plan, billing address, VAT details and payment history. Card payments are handled by our payment processor; we do not store full card numbers.
• Usage & technical data — how you use the dashboard, configuration, IP address, device and browser information, and log and diagnostic data.
• Communications — messages you send us, Intercom sales/support chats, support tickets, and records of our correspondence with you.
• Marketing data — your preferences for receiving communications from us.

• Directly from you — when you sign up, configure the Service, contact us, or book a demo.
• Automatically — through cookies and similar technologies when you use our website and dashboard (see Cookies below).
• From your colleagues — for example when someone invites you to their Zavo workspace.
• From third parties — such as our payment processor, integration providers you connect, and, for business marketing, reputable public and commercial sources.

We use personal data only where we have a lawful basis to do so. Our purposes and bases are:

• To provide the Service — create your account, deliver features and support — to perform our contract with you.
• To take payment — billing, invoicing and collecting amounts due — to perform our contract and to meet our legal obligations.
• To secure and improve the Service — monitoring, fraud prevention, troubleshooting and product analytics — in our legitimate interests in running a safe, reliable service.
• To communicate with you — service messages, and business marketing where permitted — in our legitimate interests or with your consent, which you can withdraw at any time.
• To comply with the law — tax, accounting and responding to lawful requests — to meet our legal obligations.

When our customers use the Service to make and receive calls, we process call audio, recordings and transcripts as their processor, on their instructions and under our DPA. AI models generate the agents' responses.

• We do not use customer call data to train AI models. We do not use call audio, recordings or transcripts to train or fine-tune our own or any third party's general AI models.
• Customers can configure retention, and higher plans offer a Zero Data Retention option.
• The customer is responsible for giving callers any required recording notice and for obtaining the consents the law requires for their calls.

We use cookies and similar technologies to run our website, remember your preferences, provide Intercom sales/support chat and understand how the site is used. Analytics and marketing cookies are controlled through our cookie banner and your browser settings. See our Cookie Policy for the full details.

We do not sell your personal data. We share it only with parties who help us run the Service, under contracts that require them to protect it and use it only on our instructions. These include:

• Cloud hosting & infrastructure — our hosting and database providers, which keep customer data within the EU.
• Payments — our subscription and payment processor (Chargebee) for billing.
• Telephony & communications — the carriers and providers that connect calls and provision phone numbers.
• AI & voice providers — the model providers that power the AI agents, engaged under terms that prohibit training on our data.
• Operational tools — authentication, analytics, email and customer-support providers, including Intercom for sales/support conversations.
• Advisers & authorities — professional advisers, and regulators or law-enforcement where we are legally required to disclose.
• Business transfers — a buyer or successor if we reorganise, merge or sell part of our business.

A current list of our sub-processors is available on request and is set out in our DPA for customers.

We aim to keep customer data within the UK and the European Economic Area (EEA). Where personal data is transferred outside the UK or EEA — for example to a service provider in another country — we rely on appropriate safeguards, such as a UK adequacy decision, the UK International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses with the UK Addendum, together with additional protections where needed. You can ask us for more detail about the safeguards we use.

• Account data — for as long as you have an account, and for a reasonable period afterwards.
• Billing and tax records — typically up to six years, to meet our legal and accounting obligations.
• Customer Content we process for customers — for as long as the customer instructs, in line with their settings and our DPA, then deleted or returned.
• Logs and diagnostics — for a limited period for security and troubleshooting.
• Marketing data — until you opt out or ask us to stop.

We maintain technical and organisational measures appropriate to the risk, including hosting data in the EU, encryption in transit and at rest, access controls, logging and monitoring, and staff confidentiality obligations. Our infrastructure is independently audited (including SOC 2 Type II and ISO 27001). No system is ever completely secure, but if a personal-data breach occurs we will act promptly and notify you and the relevant authorities where the law requires.

Under UK data protection law you have the right to:

• Access a copy of the personal data we hold about you.
• Have inaccurate or incomplete data corrected.
• Have your data erased in certain circumstances.
• Restrict or object to certain processing, including direct marketing.
• Receive certain data in a portable, machine-readable format.
• Withdraw consent at any time where we rely on it.

To exercise these rights, contact us using the details below. We may need to verify your identity, and we will respond within one month. You can complain to the Information Commissioner's Office (ICO) at any time, but we'd appreciate the chance to help first. If you are a caller or contact of one of our customers, please direct your request to that business as the controller.

We do not use your personal data to make decisions based solely on automated processing that produce legal or similarly significant effects about you without a lawful basis and appropriate safeguards. Where our customers configure AI agents to interact with their callers, the customer is responsible for how those agents are used.

We only send business marketing where we are allowed to, and you can opt out at any time using the unsubscribe link in our emails or by contacting us. Opting out of marketing won't stop essential service messages about your account.

The Service is intended for businesses and is not directed at children. We do not knowingly collect personal data from anyone under 18 in a personal capacity. If you believe a child has provided us with personal data, contact us and we will delete it.

Our website and Service may link to third-party sites and services we do not control. This policy does not apply to them, and we are not responsible for their privacy practices. Please review their policies before providing any personal data.

We may update this policy from time to time. If we make material changes we'll give you reasonable notice — for example by email or a notice in the dashboard. The "Last updated" date at the top shows when it was last revised.

For any privacy question or to exercise your rights, contact:

You also have the right to complain to the UK's data protection regulator, the Information Commissioner's Office (ICO) — Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF; ico.org.uk; 0303 123 1113.