Compliance

1. Data protection

UK GDPR-compliant. Data Protection Act 2018-compliant. We are the data controller for vocetica.com. Where we handle data on behalf of a client (e.g. a practice or firm), we operate as a data processor under a Data Processing Agreement (available on request).

2. Security

• End-to-end TLS for every page and API call.
• UK + EU data residency by default.
• Hosted on Cloudflare's globally distributed edge.
• Voice data processed via Vapi (UK/EU regions); audio not retained beyond the active session unless explicitly opted in.
• Stripe handles all payment data — card numbers never touch our infrastructure.

3. Sector regulation

Dental

Stacy does not provide clinical advice. She qualifies enquiries, books appointments, and triages urgency by symptom severity. Anything clinical is escalated to your team. We support practices regulated by the GDC and CQC.

Personal injury law

Stacy does not give legal advice. She gathers facts (accident type, date, liability indicator, injury and treatment, existing representation) and books the callback with your solicitor. We support firms regulated by the SRA.

4. AI transparency

Stacy is an AI agent. Callers may be told this on request. Stacy does not pretend to be human if asked directly. All conversations are processed by Vapi using a model under our control.

5. Recordings

Inbound calls handled on a client's line are recorded only when the client opts in and provides legally compliant call-handling notice to their callers. We do not record without that explicit consent.

6. Sub-processors

• Cloudflare — hosting, edge compute, CDN, email.
• Vapi — voice AI runtime.
• Telnyx — telephony numbers and routing.
• Stripe — payments.
• Anthropic / OpenAI — language model providers, used under their data-processing terms.

A current sub-processor list is available on request.

7. Contact

Compliance questions: bruce@vocetica.com.