← Back to VuraOS

Comprehensive Privacy Policy

Last Updated & Effective Date: March 2026

1. Introduction & Data Controller

Welcome to VuraOS ("we," "our," or "us"). We provide advanced AI Receptionist and telephony automation services. Protecting your privacy and the data of your callers is our highest priority.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website (getvura.com) or use our services. The Data Controller responsible for processing your personal data under the General Data Protection Regulation (GDPR) is:

Dominik Lechner Internetmarketing
Graberweg 14
94121 Salzweg, Germany
Email: support@getvura.com

CRITICAL NOTICE: CAN-SPAM & INSTANTLY.AI COMPLIANCE (USA)

We use Instantly.ai exclusively for compliant B2B cold email campaigns to the United States and selected regions. Every email contains our physical address (Graberweg 14, 94121 Salzweg, Germany), a working opt-out link, and is processed within 10 days. We do not sell or share any data.

CRITICAL NOTICE: SMS, TWILIO & A2P 10DLC COMPLIANCE

VuraOS strictly adheres to global telecommunication compliance standards. No mobile information will be shared with third parties/affiliates for marketing or promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties under any circumstances. We do not sell, rent, or lease any customer phone numbers, SMS consent records, or call logs to data brokers or marketing agencies.

2. Information We Collect

We collect information that identifies, relates to, describes, or could reasonably be linked to you ("Personal Data").

Special Notice Regarding Voice Cloning & Biometric Data

When you use our Voice Setup Studio, we collect audio recordings of your voice to create an "AI Twin." Depending on your jurisdiction, this may constitute biometric data or a voiceprint.

Purpose & Consent: Your voice data is used exclusively to generate your personalized AI voice model for our telephony services. By clicking "Send to VuraOS Engine" or uploading an audio file, you explicitly consent to this processing.
Transmission & Processing: The audio is captured locally in your browser and securely transmitted via encrypted webhooks to our designated voice synthesis sub-processor (ElevenLabs) and securely stored in our cloud infrastructure (Supabase).
No Sale or Misuse: We do not sell, trade, or share your voiceprints with unauthorized third parties. Your AI voice model is strictly isolated to your specific workspace.
Storage & Deletion: You maintain full control over your biometric data. You can permanently delete your AI voice model and all associated audio files at any time directly from your VuraOS Agent Dashboard with a single click, or it will be automatically deleted upon account termination.

Special Notice Regarding Contact Syncing (Smart Routing)

Our "Level 0: VIP & Private Routing" feature allows you to manually add or sync third-party contacts (names, phone numbers, and relationship tags like 'VIP' or 'Private') from your device or via a .vcf file.

Your Responsibility: By uploading or syncing these contacts, you represent and warrant that you have the lawful right, or have obtained the necessary consent from the individuals, to share their personal data with us.
Exclusive Purpose: We process this contact data exclusively to identify incoming callers in real-time and apply your custom AI routing rules (e.g., greeting a VIP by name or bypassing the sales pitch for family members).
Strict Isolation & No Misuse: Your synced contacts are strictly siloed to your specific VuraOS account. We will never sell, rent, share, or use your synced address book data for our own marketing purposes or B2B outreach.

A. Information You Provide Directly

Identity & Contact Data: First name, last name, email address, phone number, and company name when registering or using our contact forms.
Financial Data: Billing address, payment details, and Wallet-Top-Up histories (processed entirely by our secure payment gateway Stripe; we do not store full credit card numbers).
Voice Data: Audio samples explicitly provided by you to train and synthesize your custom AI voice clone.
CRM Integration Data: API Keys provided by you (e.g., Follow Up Boss) to allow our system to push call summaries to your third-party platforms.
Address Book Data: Third-party names, phone numbers, and custom relationship tags provided by you via our "Smart Routing" contact sync feature.

B. Information Collected Automatically (Service Usage)

Telephony Metadata: Caller ID, recipient phone numbers, call duration, timestamps, and call routing logs.
Call Transcripts: Automated text transcriptions of conversations between the AI and callers to provide you with service summaries.
Technical Data: IP address, browser type, device identifiers, and operating system collected via Cloudflare and Google Analytics.
Push Notification Tokens: Anonymous device tokens collected via OneSignal to deliver critical call alerts to your devices.

3. Legal Basis & How We Use Your Information

Under GDPR Article 6, we process your data on the following legal bases:

Contractual Necessity (Art. 6(1)(b)): To provide the AI telephony services, process payments via Stripe, and manage your account.
Legitimate Interest (Art. 6(1)(f)): To ensure network security (Cloudflare), analyze website traffic to improve our services (Google Analytics), and prevent fraud.
Consent (Art. 6(1)(a)): For processing your explicit voice cloning data, sending push notifications (OneSignal), and for receiving non-essential marketing communications.
Legal Obligation (Art. 6(1)(c)): Retaining billing records for tax and accounting compliance.

4. Data Sharing & Third-Party Sub-Processors

We do not build our AI infrastructure from scratch. To provide our Service, we share strictly necessary data with verified third-party vendors (Data Processors) under strict Data Processing Agreements (DPAs).

Supabase: Primary database hosting, user authentication, and secure file storage (including voice samples, call transcripts, and summaries).
Stripe: Secure payment processing for subscriptions, Lifetime Deals, and Wallet top-ups.
Twilio & Meta Platforms, Inc.: Provision of telephony and WhatsApp Business API infrastructure. When utilizing the WhatsApp integration, message content is processed by Meta to facilitate delivery.
Vapi.ai: Orchestration of the conversational AI voice infrastructure.
ElevenLabs: Voice synthesis and cloning technology.
OpenAI / DeepSeek / OpenRouter: Large Language Models (LLMs) for generating intelligent conversational text.
OneSignal: Delivery of real-time push notifications regarding missed calls and lead alerts.
Follow Up Boss (FUB): Optional CRM integration. If configured by you, we push lead data directly to your FUB account.
Make.com & Pabbly Connect: Workflow automation and webhook handling.
Cloudflare: Website hosting, CDN, and DDoS security.
Instantly.ai & Third-Party Data Providers: We use Instantly.ai as our B2B cold email marketing platform. To identify potential business clients (e.g., real estate professionals), we may obtain business contact information (such as name, professional email address, and company name) from third-party B2B data providers and lead databases (including Instantly.ai's B2B database). We process this data strictly for business-to-business (B2B) outreach based on our legitimate interest in direct marketing (Art. 6(1)(f) GDPR) and in compliance with the US CAN-SPAM Act. Every outreach email contains a clear opt-out mechanism. We do not use personal data from private consumers for these campaigns. If you wish to know more about the specific source of your contact data or wish to be placed on our internal Do-Not-Email list, please contact support@getvura.com.
Instantly.ai – UK Campaigns: B2B cold email marketing in the United Kingdom. We only process legitimate business email addresses under the UK GDPR and the Privacy and Electronic Communications Regulations (PECR). Every email contains a clear unsubscribe link and we honor all opt-out requests immediately.
Instantly.ai – Singapore Campaigns: B2B cold email marketing in Singapore. We process business contact data under the Personal Data Protection Act (PDPA) based on legitimate interests. We ensure relevance to the recipient’s profession and provide an easy opt-out option in every email.
Google Analytics: Website performance tracking (with IP anonymization enabled).

See also our dedicated AI Compliance & Acceptable Use Policy for detailed rules on AI telephony and acceptable use.

5. International Data Transfers

Because some of our sub-processors (like Twilio, OpenAI, Stripe, Supabase, and Vapi) are headquartered in the United States, your data may be transferred outside the European Economic Area (EEA). We ensure these transfers are fully compliant with GDPR Chapter V by relying on standard contractual clauses (SCCs) and requiring adequate technical safeguards from our US partners. Meta Platforms, Inc. processing is also subject to relevant data transfer mechanisms.

6. Data Retention

We store your data only as long as necessary for the purposes set out in this policy:

Account Data: Retained for the duration of your active subscription.
Compliance Logs: To ensure legal security and document the B2B verification process, we retain logs including IP addresses, timestamps, and records of explicit consent to our Terms and AI Disclaimer.
Call Logs & Transcripts: Retained securely in your Supabase dashboard and automatically deleted after a specified period (or immediately upon your request).
Voice Models: Deleted immediately upon your request via the Dashboard, or automatically upon account termination.
Billing Data: Retained for up to 10 years to comply with German/EU tax laws.

7. Security Measures

We have implemented robust technical and organizational measures (TOMs) to protect your data. This includes TLS/SSL encryption for data in transit, secure API key management, restricted access to our databases via Supabase Row Level Security (RLS), and encrypted webhook payloads. However, no electronic transmission over the internet or telephony network can be guaranteed to be 100% secure.

8. Your Privacy Rights (GDPR & CCPA)

Depending on your location (e.g., EU/EEA or California), you have the right to:

Access: Request a copy of the personal data we hold about you.
Rectification: Request correction of inaccurate or incomplete data.
Erasure ("Right to be Forgotten"): Request deletion of your personal data.
Restriction / Objection: Object to our processing of your data under certain circumstances.
Data Portability: Request your data in a structured, machine-readable format.

State-Specific Rights

In addition to CCPA, we comply with state laws such as the Illinois Biometric Information Privacy Act (BIPA). For voice cloning, which may be considered biometric data, we require explicit consent and provide deletion options. Residents of California, Virginia, Colorado, Connecticut, and Utah have additional rights, including opt-out from data sales (though we do not sell data). For AI-specific disclosures, users in certain states may request information on automated decision-making. Meta's privacy practices are also detailed in their own public disclosures.

To exercise any of these rights, please email us at support@getvura.com. We will respond to your request within 30 days.

9. Children's Privacy (COPPA/GDPR)

Our services are strictly intended for businesses and individuals over the age of 18. We do not knowingly collect personal information from children under 16. If we become aware that we have collected such data, we will delete it immediately.

10. Changes to This Privacy Policy

We reserve the right to update this Privacy Policy at any time to reflect changes in our legal or operational requirements. We will notify you of any material changes by updating the "Last Updated" date at the top of this document or via email.