Data & Compliance

LIVE

UK GDPR compliant

Vocetica operates as a data processor on your behalf. Lawful basis, purpose limitation, data minimisation and retention all defined per engagement.

LIVE

UK & EU data residency

Call recordings, transcripts and caller metadata are processed and stored in UK and EU regions only. No US hosting, no EU-US data transfers for your call data.

LIVE

Encryption

All call recordings encrypted at rest (AES-256). TLS 1.2+ in transit. Encryption keys managed in UK/EU KMS with audit logging.

LIVE

DPA (Data Processing Agreement)

Standard DPA is signed with every Vocetica client before go-live. ICO-compliant controller-to-processor terms. Read the DPA.

LIVE

Retention & deletion

Call recordings retained for 90 days by default (configurable 30/90/180). Transcripts retained per your data retention policy. Full delete-on-request within 30 days of DSAR.

PAID — REGISTERED 25 APR 2026

ICO registration

Vocetica is registered with the UK Information Commissioner's Office as a data processor (Tier 1). Application reference C1918623, paid 25 April 2026. Registration certificate and ZA number expected within 7 working days; this page will publish the ZA number automatically on receipt. Verify Vocetica's listing on the ICO public register of fee payers.

LIVE

Sub-processor transparency

Full current sub-processor list published and maintained below. Changes notified 30 days in advance.

LIVE

Regulator-aware intake

Sophie's scripts are written with SRA Standards & Regulations (law firms) and GDC Standards for the Dental Team (dental practices) in mind — no unauthorised advice, no misleading claims, no pressure tactics.

Privacy Policy — summary

When a caller dials a number routed through Sophie, Vocetica processes the following on your behalf: the caller's phone number, the content of the conversation (audio + transcript), the qualification fields your intake captures (name, email, accident/treatment detail, callback preference), and technical metadata (call timestamp, duration, carrier, country).

We process this data only as your data processor — never for Vocetica's own commercial purposes, never for model training, never sold to third parties, never shared with anyone outside the sub-processor list below. Caller audio is not used to train any AI model, ours or anyone else's.

Plain English version: your callers' data belongs to you. We look after it during the call, hand it to you immediately afterwards, delete it on your retention schedule, and never touch it for anything else.

Data Processing Agreement (DPA)

Every Vocetica client signs a written DPA before go-live. It includes:

Controller-to-processor terms compliant with UK GDPR Art. 28
Defined purpose, categories of data, categories of data subject
Confidentiality and staff vetting commitments
Security measures (encryption, access control, audit logging)
Sub-processor authorisation and change-notification procedure
International transfer safeguards (UK IDTA / EU SCCs where applicable)
Personal data breach notification (72-hour ICO + client notification)
Audit rights and co-operation with DPIAs
End-of-engagement data return and deletion procedure

A template DPA is available on request prior to engagement — privacy@vocetica.com.

Sub-processor list (current)

Vocetica uses the following sub-processors to deliver Sophie. UK/EU-hosted or with UK/EU data residency commitments where relevant:

Twilio / Telnyx — carrier-grade voice telephony, SIP trunks, number provisioning. UK-originated calls routed through UK infrastructure.
Vapi — voice AI orchestration layer coordinating speech-to-text, the LLM, and text-to-speech for each call.
OpenAI / Anthropic — language model inference. Configured for zero-retention on API calls (data not used for training).
ElevenLabs — text-to-speech voice synthesis for Sophie's voice.
Deepgram — speech-to-text transcription for real-time call handling.
Cloudflare — edge compute (Workers), KV storage for call state, DNS, CDN. UK/EU data residency.
Stripe — subscription billing for Vocetica's services. Cardholder data never touches Vocetica systems.
GoHighLevel (GHL) — CRM for Vocetica's own sales pipeline. Your callers' data is not stored in GHL — this is Vocetica's internal CRM only.

Sub-processor changes are notified to clients with at least 30 days' notice. You may object to material changes in writing.

Data retention

Unless agreed otherwise in your engagement:

Call recordings: 90 days, then automatically deleted
Call transcripts: retained per your firm/practice policy (default 12 months, configurable)
Caller metadata (number, timestamp, duration): retained per your policy
CRM fields you've chosen to capture: delivered to your system; we hold a copy for your retention period then delete

On termination of your contract, all caller data is deleted from Vocetica systems within 30 days, with confirmation of deletion issued to you.

Data Subject Access Requests (DSARs)

If a caller makes a DSAR to you (as data controller) that involves data we process on your behalf, contact privacy@vocetica.com and we'll provide the relevant recording, transcript and metadata within 5 working days — well inside the statutory 30-day window. Deletion and rectification requests are handled on the same timeline.

Personal data breach procedure

In the event of a personal data breach affecting your callers' data, we will notify you without undue delay (target: within 24 hours of detection) with a factual description, the categories and approximate numbers of data subjects affected, the likely consequences, and the measures we've taken or propose to take. This is faster than the ICO's 72-hour reporting requirement, giving you time to make your own notification if required.

Regulator awareness in Sophie's scripts

Sophie is a non-lawyer and a non-dentist. Every intake script she runs is written with the following regulatory boundaries in mind:

For law firms (SRA-regulated): Sophie collects qualification information and books callbacks. She does not provide legal advice, quote case values beyond general ranges, or make definitive statements about case merits — those are reserved for your solicitors. She follows SRA Principles and Code of Conduct for Firms around honest, fair client interaction.
For dental practices (GDC-regulated): Sophie collects clinical history at a triage level only, does not diagnose, does not recommend specific treatments, and does not quote definitive clinical costs. Clinical decisions and treatment planning are reserved for your clinicians in line with GDC Standards for the Dental Team.

Vocetica's legal structure

Vocetica is operated as a UK sole trader trading as "Vocetica." We're transparent about this because it matters for procurement — some firms require supplier due diligence including Companies House records. A sole trader does not have a Companies House number.

We are registered as self-employed with HMRC. Invoicing details, HMRC UTR, and VAT status (if applicable) are shared on engagement. A limited company structure is on the roadmap; clients on existing engagements will be novated to the new entity with written notice.

Contact — compliance & privacy

For any compliance, privacy, data protection, or incident-related enquiry: privacy@vocetica.com

For general enquiries: hello@vocetica.com

This page is the summary. The full DPA, sub-processor notification log, DPIA template, and retention schedule are shared on engagement. If you need any of the above to complete due diligence before signing, email privacy@vocetica.com and we'll have it with you the same working day.

Last updated: 24 April 2026. Material changes to this page are communicated to existing clients with 30 days' notice.