Last updated: 1 May 2026
Privacy Policy
This document is governed by Dutch law. An authoritative Dutch version is available on request.
1. Controller
B-WYSE BV (âVibeVoiceâ, âweâ, âusâ) is the data controller responsible for the processing of personal data described in this Privacy Policy. We are registered in the Netherlands (KvK 12345678) and our registered address is Amsterdam, Netherlands.
We offer an AI-powered voice receptionist platform that enables businesses (âCustomersâ) to handle inbound telephone calls automatically. When you use our platform â either as a Customer, a Customerâs end-user, or a visitor to our website â we process certain personal data as described below.
2. Data We Collect
Website visitors
- IP address and approximate geolocation (country/city level)
- Browser type, operating system, referring URL
- Pages visited, time spent, clicks (via anonymised analytics)
- Any information you submit via contact or sign-up forms
Customer accounts
- Business name, billing address, VAT number
- Account holder name, email address, phone number
- Payment method details (processed by Stripe; we store only the last 4 digits and card type)
- Usage logs: API calls, agent configurations, dashboard activity
Call data (processed on behalf of Customers)
- Voice recordings and transcripts of calls handled by the VibeVoice AI agent
- Caller telephone number (where provided by the carrier)
- Call metadata: timestamp, duration, outcome, intent classification
Call recordings and transcripts are processed on behalf of our Customers under our Data Processing Agreement (DPA). Customers are the controllers for this data; we act as processors. Our Cookie Policy describes cookies and similar tracking technologies separately.
3. How We Use Your Data
- Service delivery: operating the platform, routing calls, generating transcripts, providing the dashboard
- Billing and payments: processing subscriptions and invoices via Stripe
- Account management: authentication, notifications, support communications
- Security and fraud prevention: detecting abuse, enforcing acceptable use policies
- Product improvement: anonymised aggregate analytics to understand feature usage
- Legal obligations: complying with Dutch tax law (7-year retention of financial records)
- Marketing: with your consent only, sending product updates and newsletters
We do not use Customer call data to train our AI models without separate written consent. We do not sell personal data to third parties.
4. Legal Basis (GDPR Art. 6)
| Processing purpose | Legal basis |
|---|---|
| Providing the contracted service | Contract performance â Art. 6(1)(b) |
| Processing call data on behalf of Customers | Legitimate interests of the Customer (controller) â Art. 6(1)(f); DPA in place |
| Fraud prevention and security | Legitimate interests â Art. 6(1)(f) |
| Financial record keeping | Legal obligation â Art. 6(1)(c) |
| Marketing communications | Consent â Art. 6(1)(a); withdraw at any time |
| Website analytics (anonymised) | Legitimate interests â Art. 6(1)(f) |
5. Data Retention
- Account data: retained for the duration of the contract and 7 years thereafter for tax and legal purposes
- Call recordings: default 30 days after call date; Customers can configure shorter or longer periods within their subscription
- Call transcripts and metadata: retained for the subscription term; deleted within 30 days of account closure unless legally required otherwise
- Website analytics: 24 months rolling window
- Email marketing: until you unsubscribe or we receive a valid erasure request
6. Your Rights
Under the GDPR you have the following rights with respect to your personal data:
- Right of access (Art. 15): request a copy of the data we hold about you
- Right to rectification (Art. 16): ask us to correct inaccurate data
- Right to erasure (Art. 17): ask us to delete your data (âright to be forgottenâ), subject to legal retention obligations
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format
- Right to restriction (Art. 18): ask us to limit processing of your data in certain circumstances
- Right to object (Art. 21): object to processing based on legitimate interests, including direct marketing
- Right to withdraw consent: where processing is based on consent, withdraw at any time without affecting prior processing
To exercise any of these rights, email privacy@vibevoice.nl. We will respond within 30 days. If you believe your rights have been violated, you may lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens.
7. Sub-processors
We engage the following sub-processors to deliver the VibeVoice service. All sub-processors are bound by data processing agreements and appropriate safeguards.
| Processor | Service | Location | Safeguards |
|---|---|---|---|
| Supabase | Database and authentication | EU (Frankfurt, Germany) | DPA; EU Standard Contractual Clauses |
| Vapi AI | Voice infrastructure and call handling | USA | DPA; EU SCCs |
| ElevenLabs | Text-to-speech voice synthesis | USA | DPA; EU SCCs |
| Anthropic | AI language model | USA | DPA; EU SCCs |
| Stripe | Payment processing | Ireland (EU) | DPA; EU SCCs |
| Resend | Transactional email | USA | DPA; EU SCCs |
| Vercel | Web hosting and CDN | USA / EU edge | DPA; EU SCCs |
We will notify Customers of any material changes to our sub-processor list with at least 14 daysâ notice via the dashboard or email.
8. Contact & DPO
For privacy-related questions, requests, or complaints, contact our privacy team:
- Email: privacy@vibevoice.nl
- Address: B-WYSE BV, Amsterdam, Netherlands
We aim to appoint a formal Data Protection Officer as we scale. In the meantime, our privacy team handles all data protection matters and is reachable at the address above.
This policy was last updated on 1 May 2026. We will notify registered Customers of material changes by email at least 30 days before they take effect.