Privacy Policy
Version: 1.1 Date: April 2026
1. Who We Are
CallCore Limited ("CallCore", "we", "us", "our") is a company registered in England and Wales (Company No. 16406351), with its registered office at 20 Wenlock Road, London N1 7GU, United Kingdom.
We provide the CallCore platform — a B2B SaaS service for business customers ("customers") that delivers call analytics, real-time staff performance dashboards, scheduled call activity reports, call transcription, AI-generated call summaries, and Salesforce CRM integration via the CallCore TX-3 managed package.
Our customers are businesses, not consumers. The individuals who interact with this Privacy Policy are primarily: the business contacts who manage a CallCore account on behalf of their organisation, and the staff of those organisations who access the platform.
For data protection enquiries, contact us at: [email protected]
2. Scope — Two Roles, One Policy
CallCore operates in two distinct capacities under UK GDPR, and it is important to understand which applies to your data.
2.1 CallCore as a data controller
For personal data that CallCore collects and uses for its own purposes — such as account data, acceptance records, login history, and billing records — CallCore is the data controller. This Privacy Policy governs that processing.
2.2 CallCore as a data processor
Where a business customer uses the CallCore platform to handle call data (including call metadata, staff call activity metrics, call recordings accessed transiently during transcription, transcripts, and AI-generated call summaries), CallCore acts as a data processor on behalf of that customer. The customer is the data controller for that data.
That processing is not governed by this Privacy Policy — it is governed by the Data Processing Agreement (DPA) between CallCore and each customer. If you are a caller, callee, or member of staff whose call data has been processed via a business customer's use of CallCore, you should contact that business directly to exercise your data protection rights. They are your data controller, not CallCore.
3. Personal Data We Collect as a Controller
3.1 Account and registration data
When a business registers with CallCore or a staff member is provisioned access, we collect:
- Full name and business email address
- Organisation name
- Registered address and postcode
- Country
- Job title (if provided)
- Microsoft account identity (used for authentication via OAuth — we do not store passwords)
- IP address at the time of registration
3.2 Legal acceptance records
When you accept our Terms of Service, this Privacy Policy, or our Data Processing Agreement, we record:
- Which version of the document was accepted
- The date and time of acceptance
- The IP address from which acceptance was made
- The identity of the accepting user
Acceptance records are visible to other users with administrator access within your organisation's CallCore workspace. This allows your organisation to maintain its own audit trail of which legal agreements are in place and who authorised them on behalf of the organisation.
We retain these records as evidence of your agreement to our legal terms. See Section 8 for how long we keep them, and why full erasure prior to backup expiry may not be possible.
3.3 Authentication and session data
When you log into the CallCore platform, we collect:
- Date, time, and duration of the session
- IP address
- Device type and browser
- Authentication method
3.4 Platform usage data
As you use the platform, we collect information about your interactions — which features you access, when, and how. This is used for platform security, troubleshooting, and improving the service. We do not use this data for behavioural advertising or profiling.
3.5 Billing data
If your organisation holds a paid subscription, we retain billing records including subscription plan, billing dates, and amounts paid. Payment card and instrument data is handled directly by our payment processor, Paddle — we do not hold raw card data. See Section 6.
3.6 Support and correspondence
If you contact us — by email, through a support channel, or otherwise — we retain that correspondence and any personal data it contains for the purpose of handling your query and maintaining a record.
3.7 Website visitor and technical data
When you visit callcore.io or use the CallCore platform, we automatically collect standard technical information including:
- IP address
- Browser type and version
- Device type and operating system
- Pages visited, features accessed, and timestamps
- Referring URL
Approximate location derived from IP address: In certain parts of the platform and website, we perform a geo IP lookup to derive an approximate geographic location (typically at city or country level) from your IP address. This is used for purposes such as security monitoring and access controls. This is an approximate inference from your IP address — we do not collect GPS or device-level location data.
We use Google Analytics for website analytics. See our Cookie Policy at callcore.io/policies/cookies for details.
3.8 Regional availability waitlist
CallCore is currently available to businesses in the United Kingdom only. If you attempt to register from a region where CallCore is not available, you will not be able to proceed with onboarding. You may optionally provide your email address to be notified if and when the service becomes available in your region.
If you opt in, we collect:
- Email address
- Country
- IP address at the time of submission
- Timestamp and a record of your consent
You are not required to submit these details. See Section 4 for the lawful basis and Section 8 for how long we keep this data.
4. How We Use Your Data and Our Lawful Bases
| Purpose | Personal Data Used | Lawful Basis |
|---|---|---|
| Creating and managing your account | Account and registration data | Performance of contract |
| Authenticating your access to the platform | Account data; authentication and session data | Performance of contract; legitimate interests (security) |
| Delivering the CallCore platform and services | Account data; usage data | Performance of contract |
| Retaining evidence of acceptance of our legal terms | Acceptance records | Legitimate interests (establishing, exercising, or defending legal claims); legal obligation |
| Billing and subscription management | Billing data | Performance of contract; legal obligation |
| Responding to support requests | Support and correspondence data | Performance of contract; legitimate interests |
| Platform security, fraud prevention, and incident response | Authentication data; usage data; approximate location; acceptance records | Legitimate interests |
| Geographic access controls and security monitoring | Approximate location (IP-derived) | Legitimate interests |
| Service improvement and troubleshooting | Anonymised usage and error data | Legitimate interests |
| Website analytics | Website visitor data | Legitimate interests (where analytics cookies are not required); consent (where PECR applies — see Cookie Policy) |
| Regional availability waitlist — notifying you when CallCore becomes available in your region | Email address; country; IP address | Consent (UK GDPR Article 6(1)(a)) |
| Compliance with legal obligations | Various | Legal obligation |
We do not carry out automated decision-making or profiling that produces legal or similarly significant effects on you.
5. What We Do Not Process as a Controller
To be clear about the scope of this policy, the following data categories are processed by CallCore only in its capacity as a data processor on behalf of customers, and are not covered by this Privacy Policy:
- Call recordings (stored on your 3CX system; accessed transiently by CallCore only for in-browser playback and, where enabled, transcription — both on your instruction)
- Call transcripts and AI-generated call summaries
- Call metadata (phone numbers, call durations, timestamps, call direction)
- Staff call activity metrics processed for real-time visualisations and reports
If you have questions about how any of this data is processed, contact the business customer whose CallCore account is involved. Their privacy notice and the CallCore DPA govern that processing.
6. Third Parties We Share Data With
As a controller, we share personal data with the following third parties:
| Recipient | Role | Data Shared | Location |
|---|---|---|---|
| Microsoft Azure (Microsoft Corporation) | Cloud hosting and platform infrastructure | All categories of controller personal data | UK South (United Kingdom) |
| SendGrid (Twilio Inc.) | Email delivery — system notifications | Email addresses | United States |
| Sentry (Functional Software, Inc.) | Application error tracking and performance monitoring | May receive incidental personal data in error payloads; we configure Sentry to minimise personal data ingestion | United States |
| Paddle (Paddle.com Market Ltd) | Payment processing | Billing contact name, email address, payment instrument details | United Kingdom / United States |
| Google Analytics (Google LLC) | Website analytics for callcore.io | Website visitor data (IP address, browsing behaviour) | United States |
Where CallCore acts as a data processor on behalf of customers — for example, in delivering scheduled call activity reports — sub-processors used in that capacity, including SendGrid, are listed in the Data Processing Agreement (Schedule 2) rather than in this policy.
We do not sell personal data. We do not share personal data with third parties for their own marketing purposes.
Note — customer-controlled Azure OpenAI: Where a customer has enabled call transcription or AI summarisation, CallCore coordinates the transfer of recording data and transcripts to the customer's own Microsoft Azure OpenAI resource. That resource is operated and controlled by the customer, not CallCore. CallCore's role is limited to initiating the transfer on the customer's instruction. The customer is the data controller for all processing carried out by their own Azure OpenAI resource.
Business transfers
In the event of a merger, acquisition, or sale of all or a material part of CallCore's assets, personal data we hold as a controller may be transferred to the relevant third party as part of that transaction, subject to appropriate confidentiality obligations and data protection safeguards. We will notify affected individuals if and to the extent required by applicable law before any such transfer takes effect, and any successor entity will be required to honour the commitments made in this Privacy Policy or notify you of any material changes.
7. International Transfers
Some of the third parties listed in Section 6 are located outside the United Kingdom. Where we transfer personal data outside the UK, we ensure that an appropriate transfer mechanism is in place, including:
- UK International Data Transfer Agreements (IDTAs); or
- UK Addenda to standard contractual clauses; or
- Transfers to countries benefiting from UK adequacy regulations
Details of the transfer mechanism applicable to any specific third party are available on request at [email protected].
8. How Long We Keep Your Data
We retain personal data only for as long as is necessary for the purpose for which it was collected, or as required by law. Our retention periods for data held in our capacity as a controller are:
| Data Category | Retention Period | Basis |
|---|---|---|
| User account records | Duration of active account + 12 months after account closure | Contractual necessity; legitimate interests |
| Terms of Service, Privacy Policy, and DPA acceptance records | 6 years from acceptance, or from contract termination — whichever is later | Limitation Act 1980 (6-year contractual claims period); legitimate interests (legal evidence) |
| Authentication and login records | 12 months from the event | Legitimate interests (security monitoring; incident investigation) |
| Billing and financial records | 6 years from the end of the relevant financial year | Companies Act 2006; HMRC record-keeping requirements |
| Support and correspondence | 2 years from last interaction | Legitimate interests (dispute resolution) |
| Website analytics | As configured in Google Analytics (typically 14 months) | Legitimate interests |
| Regional availability waitlist entries | 24 months from submission, or until the availability notification is sent — whichever comes first. Entries are automatically deleted after 24 months. | Consent; storage limitation principle (UK GDPR Article 5(1)(e)) |
Backup copies and the right to erasure
Following deletion of personal data from our live systems, copies may persist within encrypted backup archives for up to 30 days as part of normal backup rotation. During this period, backup data is not actively accessed and is purged in the normal cycle.
If you exercise your right to erasure (see Section 9), we will delete your data from live systems promptly. Consistent with ICO guidance, we are not obliged to restore backup infrastructure to surgically remove your data from encrypted backups before their natural expiry. We will not actively access or use your data from any backup copy following receipt of a valid erasure request.
Acceptance records: Where your acceptance of our Terms, Privacy Policy, or DPA exists in an encrypted backup, we retain a legitimate interest under Article 17(3)(b) UK GDPR in preserving that evidence for the duration of the contractual limitation period. We may not be able to erase those specific records prior to backup expiry.
9. Your Rights
Under UK GDPR, in relation to personal data that CallCore holds as a controller, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate or incomplete data
- Erasure — ask us to delete your data, subject to the limitations described in Section 8
- Restriction — ask us to pause processing of your data in certain circumstances
- Portability — receive your data in a commonly used, machine-readable format in certain circumstances
- Object — object to processing carried out on the basis of legitimate interests
- Not be subject to solely automated decisions — we do not carry out automated decision-making with legal or similarly significant effects, so this right is not typically engaged
To exercise any of these rights, contact us at [email protected]. We will respond within one calendar month.
Rights in respect of call data processed by a customer: If you wish to exercise data protection rights in relation to call recordings, transcripts, AI summaries, or call metadata processed by a business customer using CallCore, you must contact that business directly. CallCore is a processor for that data and cannot act on data subject rights requests without the controller's authorisation.
Complaints: If you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint. We would appreciate the opportunity to address your concern first — please email [email protected] before contacting the ICO.
10. Cookies
We use cookies and similar technologies on callcore.io. For full details of what cookies we set, why, and how to control them, see our Cookie Policy at callcore.io/policies/cookies.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our processing activities, applicable law, or regulatory guidance. When we make material changes, we will notify account holders by email to their registered address and update the version number and date at the top of this document.
12. Contact
Email: [email protected] Post: CallCore Limited, 20 Wenlock Road, London N1 7GU, United Kingdom
End of Privacy Policy