Privacy Policy
Plain-English summary (not part of the policy): We collect what we need to answer your business calls and let you cancel cleanly. Call recordings and transcripts are kept up to 90 days by default. We use OpenAI to power the AI, Twilio and LiveKit for telephony, and Stripe for payments — they all process some of the data, including in the United States. You can ask us to give you a copy or delete your data. If you’re in California or another state with privacy rights, you have additional specific rights. If you’re in Canada, PIPEDA and BC PIPA apply.
1. Who this policy applies to
This Privacy Policy describes how Fabio R. B. Carli, sole proprietor doing business as Safigo (“Safigo”, “we”, “us”) collects, uses, and discloses personal information when:
a. Customers (businesses subscribing to Safigo Reception) interact with us, our website, our sales process, and the Service; b. End Callers (the people who call our Customers’ phone numbers and reach our AI agent) interact with the Service.
Customers are typically the controller of End-Caller personal information; Safigo acts as the service provider / processor on the Customer’s behalf, governed by the Data Processing Addendum. For our Customer’s own personal information (the business owner’s contact and billing details), we are the controller.
If you are an End Caller and have questions about how a Customer uses Safigo, please contact that Customer directly. For questions about Safigo’s role as service provider, contact us using the details in Section 12.
2. Information we collect
2.1 From Customers (we are the controller)
| Category | Examples | Source |
|---|---|---|
| Account information | Business name, owner name, business email, business phone | You, at signup |
| Billing information | Payment method (tokenized via Stripe; we do not store card numbers), billing address, charges and payment history | You + Stripe |
| Setup configuration | Service area, hours, prices, services, scripts, vertical preferences | You, during setup call/SMS |
| Communications with us | Emails, SMS, support requests, sales-call recordings | You |
| Usage data | Login times, dashboard activity, feature use, IP address, browser/device metadata | Automatically |
2.2 From End Callers (Customer is the controller; we are the processor)
| Category | Examples | Source |
|---|---|---|
| Voice call data | Audio recording of the call, real-time audio stream | Twilio / LiveKit |
| Transcripts | Whisper-generated text transcript of the call | OpenAI |
| Call metadata | Caller phone number, call start/end time, call duration | Twilio |
| Booking details | Caller name, address, service requested, urgency, preferred time, notes | The caller |
| SMS messages | Confirmation SMS sent to caller, replies | Twilio |
| Outcome data | Booking confirmed, callback requested, escalation flagged | Generated by Service |
2.3 From the website
When you visit safigo.ai we collect minimal analytics: pages viewed, referrer, IP-derived approximate location, browser/device. We use this only to operate the website and improve content.
3. How we use information
We use information to:
a. Provide, operate, secure, and improve the Service; b. Process payments and manage Customer accounts; c. Answer Customer support requests; d. Send Service-related communications (setup confirmations, usage warnings, downtime notices, billing notices, ToS updates); e. Detect, prevent, and respond to fraud, abuse, security incidents, and Acceptable Use Policy violations; f. Comply with legal obligations (tax records, lawful requests, recording-disclosure obligations); g. Improve the AI’s performance — but only on de-identified, aggregated data, and only with respect to data we control as controller. We do not use End-Caller data (which we hold as processor on the Customer’s behalf) to train AI models without the Customer’s documented authorization; h. Marketing communications to existing Customers about Safigo features and updates (you can unsubscribe any time). We do not sell personal information.
4. Legal bases (Canada, US, EU/UK if applicable)
Where consent is the basis, we obtain it at signup (for Customer data) and rely on the Customer’s collection notice to End Callers (for End-Caller data, given the Customer is the controller). Other bases include:
- Contract performance — to deliver the Service to the Customer;
- Legitimate interests — to secure the Service, prevent fraud, and improve our offering, balanced against your privacy rights;
- Legal obligations — to comply with tax, anti-money-laundering, lawful-process, and other regulatory requirements.
For Customers in Canada, we comply with PIPEDA, the British Columbia Personal Information Protection Act (PIPA), and (if applicable) Quebec Law 25. PIPEDA’s heightened consent expectations for AI / automated processing inform our default settings.
5. Disclosure of information
5.1 Sub-processors
We share personal information with the following sub-processors who help us deliver the Service:
| Sub-processor | Purpose | Data location |
|---|---|---|
| OpenAI, L.L.C. | AI language model, voice generation, transcription (Whisper) | United States |
| Twilio Inc. | Inbound voice calls, SMS delivery, phone-number assignment | United States |
| LiveKit Cloud Inc. | Real-time audio streaming infrastructure | United States |
| Stripe, Inc. / Stripe Payments Canada Ltd. | Payment processing, subscription management, invoices | United States and Canada |
| Google Cloud / Google Workspace | Email hosting, business communications | United States |
| Fly.io | Application hosting (where applicable to ancillary services) | United States and other locations |
| Vercel | Hosting of safigo.ai website and product pages | United States and other locations |
A current list of sub-processors is maintained in the Data Processing Addendum. We notify Customers when we add a new sub-processor.
5.2 Other disclosures
We may also disclose personal information:
- To you and your authorized agents — for example, when you ask us to;
- To comply with law — including subpoenas, court orders, lawful regulator requests, or to respond to claims of illegal activity;
- To protect rights and safety — to enforce our agreements, prevent fraud or abuse, protect against harm to people or property;
- In a business transition — if we merge, are acquired, sell substantially all assets, or transfer the business to another entity, your information may transfer subject to commercially reasonable confidentiality protections; we will notify Customers in advance;
- With your express direction — for example, if you ask us to share data with your CRM or another vendor.
We do not sell or “share” personal information for cross-context behavioral advertising within the meaning of the CCPA/CPRA or similar laws.
6. International transfers
We are based in British Columbia, Canada. Several sub-processors are located in the United States. By using the Service, you understand that personal information may be transferred to, stored, and processed in the United States and other jurisdictions where our sub-processors operate. We rely on contractual safeguards with each sub-processor to protect transferred data and require them to maintain industry-standard security practices.
For Canadian Customers and End Callers, this transfer is disclosed in this Policy in compliance with PIPEDA and BC PIPA.
7. Data retention
| Data | Default retention |
|---|---|
| Call recordings | 90 days from the call, then deleted |
| Call transcripts | 90 days from the call, then deleted |
| Call metadata (phone number, duration, outcome) | 24 months |
| Booking details | Until the booking is fulfilled or cancelled, then 24 months |
| Customer account information | Duration of account + 7 years (for tax/audit) |
| Billing records | 7 years (Canada Revenue Agency requirement) |
| Marketing/communication preferences | Until you opt out |
| Aggregated/de-identified analytics | Indefinitely |
Built for you and Built for you · Multi customers may negotiate longer recording retention by written addendum.
You can request earlier deletion under Section 8.
8. Your privacy rights
Subject to applicable law and reasonable verification of your identity, you have the right to:
- Access — request a copy of personal information we hold about you;
- Correct — ask us to fix inaccurate or incomplete information;
- Delete — ask us to delete personal information (subject to legal-hold and contract-performance exceptions);
- Portability — receive your data in a machine-readable format;
- Restrict / object — limit certain processing, including direct marketing;
- Withdraw consent — where consent is the legal basis (note: this may end your access to the Service);
- Lodge a complaint — with the Office of the Privacy Commissioner of Canada (Canadian Customers/Callers) or your state Attorney General (US Customers/Callers).
To exercise rights, email privacy@safigo.ai. We will respond within thirty (30) days (or sooner where required).
End Callers should generally direct rights requests to the Customer (the business they called); the Customer is the controller of that data. If the Customer is unresponsive or unable to fulfill the request, we will assist as service provider.
8.1 California residents (CCPA / CPRA)
If you are a California resident, you have the additional right to:
- Know what personal information we have collected, used, disclosed, and sold or shared;
- Delete personal information (subject to exceptions);
- Correct inaccurate personal information;
- Opt out of sale or sharing for cross-context behavioral advertising — we do not sell or share in that sense, so there is nothing to opt out of, but you may still submit a request;
- Limit use of sensitive personal information;
- Non-discrimination — we will not discriminate against you for exercising rights.
We do not knowingly sell or share the personal information of consumers under sixteen (16) years of age.
8.2 Other US states (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Indiana, Iowa, Tennessee, NH, NJ, KY, MD, MN, NE, RI, and others)
If your state’s law applies, you have rights similar to the California rights above (access, deletion, correction, portability, opt-out of targeted advertising and sale, opt-out of profiling for significant decisions). Submit your request to privacy@safigo.ai and identify the state of residence; we will respond per the applicable state’s procedures.
8.3 Authorized agents
You may designate an authorized agent to make a request on your behalf. We will require evidence of authorization and may verify your identity directly.
9. Security
We implement reasonable administrative, technical, and physical safeguards designed to protect personal information against loss, theft, and unauthorized access, use, disclosure, alteration, or destruction. These include:
- TLS encryption in transit;
- Encryption at rest for stored recordings and transcripts (via cloud-provider encryption);
- Access controls limiting personnel access on a need-to-know basis;
- Sub-processor due diligence;
- Logging and monitoring;
- Incident-response procedures including breach notification.
No security is perfect. If we discover a security incident affecting your personal information, we will notify you and applicable regulators as required by law. For Canadian Customers, this includes notification to the Office of the Privacy Commissioner under PIPEDA’s breach-of-security-safeguards rules where the breach poses a real risk of significant harm.
10. Children
The Service is for businesses. We do not knowingly collect personal information from children under sixteen (16). If you believe a child has provided us personal information, contact privacy@safigo.ai and we will delete it.
11. Cookies and similar technologies
Our website uses minimal first-party cookies for session continuity and basic analytics. We do not use third-party advertising cookies. Where required by law, we will provide a cookie banner with consent options.
12. Contact
Privacy contact: privacy@safigo.ai Mailing address: 2000 Panora Drive, Port Moody, British Columbia V3H 5J5, Canada Business owner: Fabio R. B. Carli
For Canadian Customers and Callers: complaints may also be made to the Office of the Privacy Commissioner of Canada, 30 Victoria Street, Gatineau, Quebec K1A 1H3, www.priv.gc.ca, or to the BC Office of the Information and Privacy Commissioner, www.oipc.bc.ca.
For California residents: you may contact the California Attorney General, oag.ca.gov, or the California Privacy Protection Agency, cppa.ca.gov.
13. Changes
We may update this Privacy Policy from time to time. We will post the updated version with a new “Last updated” date and, for material changes, notify Customers by email at least thirty (30) days before the change takes effect.
Version 1.0 · Last updated 2026-05-02 · Drafted in good faith without legal counsel; legal review scheduled at customer #3. This Policy is read together with the Terms of Service, Acceptable Use Policy, and Data Processing Addendum.