Zvani Privacy Policy

Version:v1-0  | Effective Date:16 May 2026  | Last Modified:16 May 2026  | Version history

This Privacy Policy explains how Zvani collects, uses, and protects information when you use our website, dashboard, APIs, and services (the “Service”). It is written for both customers (the businesses that subscribe to Zvani) and end users (the people who interact with calls and messages our customers send through Zvani).

We anchor this policy to the highest common denominator of the privacy laws that apply to our customers and their users — including the US CCPA/CPRA, the EU/UK GDPR, India’s Digital Personal Data Protection Act, 2023 (DPDP), and the UAE and Saudi (KSA) PDPLs. Region-specific rights and contacts are in our regional annexes under /trust.

1. Our roles: Controller and Processor

Zvani acts as a data controller for information about our customers and dashboard users (account details, billing, audit logs, support correspondence).

Zvani acts as a data processor for Customer Data— call recordings, transcripts, contact lists, message bodies, and integration data — that customers direct us to process. The customer is the controller for that data and is responsible for the lawful basis under which it is collected. Our processor obligations are set out in the Data Processing Agreement.

2. Google Sign-In and account information

If you choose to sign in with Google, we receive your name, email address, and profile picture directly from Google.

• We use this information only to authenticate you and to create or manage your Zvani user record and the organisation you belong to.
• We do not sell or share your Google account information with third parties for marketing or advertising.
• You can request deletion of your account and associated data at any time — see /data-deletion.

3. Categories of personal data we collect

When you use Zvani, the categories of data we may collect are:

• Account information: name, email address, profile photo, organisation name, role, and team-membership data.
• Billing information:billing address, GST / VAT details, and payment metadata. Card / UPI / bank details are processed by our payment provider — Zvani does not store full payment instrument numbers.
• Customer Data (processor role):
  • Voice and messaging configuration: agent prompts, knowledge bases, voices, integrations, phone numbers, and SIP settings.
  • Conversation data: inbound and outbound call audio, transcripts, message bodies, attachments, contact identifiers (phone numbers, WhatsApp IDs), and metadata such as duration, direction, and timestamps.
  • Integration tokens: encrypted credentials for third-party systems (Google Calendar, Google Sheets, CRMs, Twilio, Meta WhatsApp Business, etc.) that you authorise Zvani to access.
• Usage data: log data such as IP address, browser type, device type, operating system, and access times.
• Cookies and similar technologies: session cookies and similar technologies to authenticate you, remember preferences, and improve site functionality. See our Cookie Notice.

4. Where we get this data from

• Directly from you when you sign up, set up your account, or use the dashboard.
• From callers and end users when they speak to or message a business that uses Zvani.
• From third parties you authorise — for example, Google when you sign in with Google, Meta when you connect a WhatsApp Business or Instagram account, or a CRM when you authorise an integration.
• From payment processors when you pay for the Service (Razorpay, Stripe, or similar).
• Automatically through cookies, logs, and analytics when you use our website and dashboard.

5. Purposes and lawful basis

We process personal data only for the purposes set out below, each tied to one or more lawful bases under DPDP and GDPR.

Where we rely on legitimate interest, we balance that interest against your fundamental rights and limit processing accordingly. You may object at any time — see your rights.

6. Sub-processors and sharing

We do not sell your personal information. We share data only with vendors that help us operate Zvani, and only to the extent needed to deliver the Service. Our current sub-processor categories include cloud infrastructure, managed databases, telephony carriers, messaging platforms, AI / language model providers, authentication, payments, analytics and observability, and customer support tools.

The current named list, with vendor, purpose, data shared, and hosting region, is at /subprocessors. We notify customers at least 30 days before a new sub-processor begins handling their data, with a right to object.

We may also share information when required by law, in response to valid legal process, or in connection with a merger, acquisition, or restructuring (in which case the receiving party will be bound by privacy obligations no less protective than this Policy).

7. Data retention

We retain personal data only as long as needed for the purposes set out in this Policy, subject to the legal retention requirements summarised below.

Customers may configure shorter retention windows for call and transcript data in their workspace settings, subject to any agreed contractual minimums.

8. Security

We use industry-standard technical and organisational measures to protect data, including TLS 1.2+ in transit and AES-256 encryption at rest, role-based access controls, per-organisation scoping at the API layer, audit logging, centralised secrets management, multi-factor authentication for internal access, dependency vulnerability scanning, and periodic credential rotation.

Full details are on the Security page, including our incident response commitments and vulnerability disclosure programme.

9. Your rights and how to exercise them

Depending on your location, you have rights over your personal data including:

• Access— obtain a copy of the personal data we hold about you.
• Correction— have inaccurate or incomplete data corrected.
• Erasure— have your personal data deleted, subject to lawful retention requirements.
• Restriction and objection— stop or restrict processing in certain situations.
• Data portability— receive your data in a structured, machine-readable format (GDPR).
• Nomination— nominate another person to exercise your rights in case of incapacity or death (DPDP).
• Lodge a complaint with the Data Protection Board of India or your local supervisory authority.

How to exercise these rights. Use any of the following channels. All routes reach the same team and the same SLA applies:

• Structured intake at /grievance (recommended).
• For deletion specifically, see /data-deletion.
• Email privacy@zvaniai.com.

Response timelines. We acknowledge requests within 48 hours and complete them within 30 days, except where a longer period is allowed by law. We may need to verify your identity before acting on a request. There is no charge for exercising these rights except where requests are manifestly unfounded or excessive.

End users (callers and message recipients). The business that operates the service you called or messaged is the controller for that conversation. We will route caller rights requests to that business and assist with fulfilment. You may also contact us directly at the addresses above.

10. Right to withdraw consent

Where we rely on your consent to process personal data (for example, optional marketing communications), you may withdraw that consent at any time, without affecting the lawfulness of processing that took place before withdrawal.

Withdrawing consent for essential service features may prevent us from continuing to provide those features. We will tell you what is affected before you withdraw.

11. Automated decision-making and profiling

Zvani uses artificial intelligence to interpret what callers say, route conversations, and respond on a customer’s behalf. These are automated processes by design. Where an AI-driven decision could produce a legal or similarly significant effect on you, the controlling customer is responsible for ensuring meaningful human review on request.

We do not use Customer Data to train foundation AI models. Internal model tuning, when it occurs, uses aggregated, de-identified data only.

Under GDPR Article 22 and DPDP Rule 12, you have the right to request human review of automated decisions that significantly affect you. Contact our Grievance Officer and we will route the request.

12. Children’s data

Zvani is a business product. It is not directed to individuals under 18 and is not intended for services targeting children. We do not knowingly collect personal data from minors. Our Acceptable Use Policy prohibits customers from deploying Zvani for use cases primarily targeting under-18 callers. If you believe a minor’s data has been provided to us, please contact privacy@zvaniai.com for removal.

13. Caller recording and AI disclosure

When a caller speaks to or messages a business through Zvani, the conversation may be recorded and transcribed. Zvani provides a layered in-call notice system that informs callers their call is recorded and that they are interacting with an AI agent, in the caller’s language. Our customers are required to keep this notice enabled at or above the legal minimums for their jurisdiction. The notice text and configuration controls are set out in Annex 2 of our Data Processing Agreement.

The business is the data controller for the caller conversation and is responsible for obtaining all consents required by applicable law (one-party / two-party consent, GDPR lawful basis, etc.). Zvani is the data processor and does not enforce these consents on the customer’s behalf, but we provide the tools and audit logs that let customers meet their obligations.

14. International transfers

Zvani may process and store data in multiple regions, including India, the United States, and the European Union. If you are accessing the Service from outside the country of our primary servers, your data may be transferred across borders. We rely on appropriate safeguards (Standard Contractual Clauses, adequacy decisions where applicable, DPDP-compliant contractual safeguards) for international transfers. We offer an India-resident processing tierto customers that require data, models, and telephony to remain inside India — contact us for details and availability.

15. Personal data breach notification

If we confirm a security incident that affects personal data:

• We notify affected customers within 24 to 48 hours of confirmation so customers can meet their own regulatory obligations.
• We notify the relevant regulator within 72 hours— the Data Protection Board of India under DPDP, the lead supervisory authority under GDPR, or another competent authority where applicable.
• We notify affected individuals in line with applicable law and our agreement with the controlling customer.
• We publish a post-incident summary once containment and remediation are complete.

16. Changes to this Policy

We may update this Privacy Policy from time to time. Each version is published at a stable URL of the form /privacy/v{x-y} and listed at /legal/history. The version you accepted is recorded against your account in our consent ledger.

For material changes, we notify you by email or in-product announcement at least 14 days before they take effect and ask you to re-accept on next sign-in. For minor wording changes, we bump the version and update the version history without re-prompting.

17. Grievance Officer (DPDP Act)

Under §8(9) of the Digital Personal Data Protection Act, 2023, the contact details of our Grievance Officer are:

For the full grievance process, including pre-filled request templates and escalation to the Data Protection Board of India, see /grievance.

18. Contact us

General product and account questions: support@zvaniai.com. Privacy and data-protection questions: privacy@zvaniai.com. Security issues: security@zvaniai.com. Full address and topic-routed contacts at /contact.