Privacy Policy

Last updated: October 27, 2025

This Privacy Policy explains how Phona collects, uses, and protects your personal information in compliance with the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018.

1. Information We Collect

1.1 Account Information

When you sign up using Google authentication, we collect:

  • Your name
  • Email address
  • Google profile ID

1.2 Usage Data

We automatically collect:

  • Voice interaction duration and timestamps
  • Conversation transcripts (text versions of voice interactions)
  • Usage metrics (minutes used, number of assistants created)
  • Browser type and device information
  • IP address

1.3 Content You Provide

This includes:

  • AI assistant configurations and prompts
  • Knowledge base content (URLs, documents, structured data)
  • Customer contact information captured by your assistants

1.4 Payment Information

Payment data is processed by Stripe. We do not store your full credit card details. We receive limited information from Stripe including payment status, last 4 digits of your card, and billing email.

2. How We Use Your Information

We use your personal information for the following purposes:

  • Service Provision: To create and manage your account, process voice interactions, and deliver AI assistant functionality
  • Billing: To process payments and manage subscriptions
  • Notifications: To send inquiry notifications, usage alerts, and trial reminders via email
  • Service Improvement: To analyze usage patterns and improve our Service
  • Legal Compliance: To comply with legal obligations and enforce our Terms of Service
  • Security: To detect fraud, abuse, and security incidents

2.1 Legal Basis for Processing (GDPR)

We process your personal data under the following legal bases:

  • Contractual Necessity: Processing necessary to provide the Service you've signed up for
  • Legitimate Interests: Fraud prevention, security, and service improvement
  • Consent: For marketing communications (you can opt out at any time)
  • Legal Obligation: Compliance with UK and EU laws

3. How We Store Your Data

3.1 Data Storage

Your data is stored securely using:

  • Supabase: Database hosting (EU region servers)
  • Netlify: Application hosting and serverless functions
  • Encryption in transit (HTTPS/TLS) and at rest

3.2 Data Retention

We retain your personal information:

  • Account data: Until you delete your account, plus 30 days
  • Conversation logs: 30 days from creation
  • Usage logs: 12 months for billing and analytics
  • Payment records: 7 years (UK tax law requirement)

4. Sharing Your Information

We do not sell your personal data. We share your information only with:

4.1 Third-Party Service Providers

  • Stripe: Payment processing
  • Google (Gemini API): AI voice processing and natural language understanding
  • Supabase: Database and authentication services
  • Netlify: Hosting and serverless functions

These providers are contractually obligated to protect your data and use it only for the purposes we specify.

4.2 Legal Requirements

We may disclose your information if required by law, court order, or government regulation.

5. Your Data Rights (GDPR)

Under UK GDPR, you have the following rights:

5.1 Right to Access

You can request a copy of all personal data we hold about you.

5.2 Right to Rectification

You can update incorrect or incomplete personal information through your account settings or by contacting us.

5.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data. We will comply unless we have a legal obligation to retain it.

5.4 Right to Data Portability

You can request your data in a machine-readable format (JSON) to transfer to another service.

5.5 Right to Object

You can object to processing based on legitimate interests, including marketing communications.

5.6 Right to Restrict Processing

You can request we limit how we use your data in certain circumstances.

To exercise any of these rights, email us at support@phona.app. We will respond within 30 days.

6. Cookies and Tracking

We use essential cookies for:

  • Authentication and session management
  • Remembering your preferences
  • Security and fraud prevention

See our Cookie Policy for more details.

7. International Data Transfers

Your data is primarily stored in EU/UK data centers. Some service providers (e.g., Google Gemini API) may process data globally. These transfers are protected by appropriate safeguards including standard contractual clauses approved by the UK Information Commissioner's Office (ICO).

8. Children's Privacy

The Service is not intended for children under 13 (or 16 in the EU). We do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately.

9. Data Security

We implement industry-standard security measures including:

  • Encryption in transit and at rest
  • Regular security audits
  • Access controls and authentication
  • Secure cloud infrastructure

However, no method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. Continued use after changes constitutes acceptance of the updated policy.

11. Contact and Complaints

For privacy-related questions or to exercise your rights, contact us at:

Email: support@phona.app

If you're unhappy with how we've handled your data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

Website: ico.org.uk
Phone: 0303 123 1113