Legal

Privacy Policy
Your data, your rights.

Last updated: June 19, 2026 · Effective: June 19, 2026

Governed by the laws of India · Jurisdiction: Mumbai, Maharashtra

Important — we record and transcribe calls

Resonera.ai operates AI phone agents that record, transcribe, and analyse voice calls on behalf of our business customers. This policy explains what data is collected during those calls, why, how it is stored, and your rights under Indian law — specifically the Information Technology Act 2000, the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, and the Digital Personal Data Protection Act 2023.

01

Who This Policy Applies To

This Privacy Policy applies to three groups:

Platform Customers (Businesses): Companies and individuals who sign up for and use Resonera.ai to deploy AI phone agents for their operations.
End Callers (Third Parties): Individuals who speak with a Resonera.ai-powered AI phone agent on behalf of a Platform Customer. These callers may or may not be aware that the call is handled by an AI system — our customers are required to disclose this and obtain consent before calls are placed or received through our platform.
Website Visitors: Anyone who visits resonera.ai.
Note for End Callers: If you spoke with an AI phone agent powered by Resonera.ai and have questions about your data, please contact the business that called you directly. If you cannot reach them, you may contact us at [email protected] and we will assist within 30 days.
02

Our Role — Controller vs. Processor

Resonera.ai plays different roles for different categories of data, which affects who is responsible for it:

As a Data Fiduciary / Controller: For Platform Customer account data, billing data, and website visitor data, Resonera.ai determines the purposes and means of processing and acts as the controller (Data Fiduciary under the DPDP Act 2023).
As a Data Processor: For Call Data (voice recordings, transcripts, analytics) and knowledge base content generated or uploaded by a Platform Customer, Resonera.ai acts as a processor on behalf of that Platform Customer. The Platform Customer is the controller and is responsible for having a lawful basis, providing notices to End Callers, and honouring End Caller rights.
If you are an End Caller, the business that called you (the Platform Customer) is the controller of your call data. To exercise your rights over that data, contact that business first. We will support them in responding to your request.
03

Information We Collect

A. From Platform Customers (Businesses)

Account data: Name, email address, company name, GST/PAN number (for invoicing), phone number, billing address
Payment data: Processed via third-party gateways; we do not store full card details
Configuration data: Agent scripts, call flow rules, personality and language settings, and integration credentials (such as telephony provider keys) you provide. Telephony credentials are encrypted at rest.
Knowledge base content: Documents and files you upload to power your AI agents. These are stored, processed into text chunks, and converted into vector embeddings for retrieval during calls. You are responsible for ensuring you have the right to upload this content and that it does not contain personal data of third parties without a lawful basis.
Usage data: Call logs, call durations, agent performance metrics, and API usage

B. From End Callers (Sensitive Personal Data — SPDI)

The following data is collected during AI phone agent calls and constitutes Sensitive Personal Data or Information (SPDI) under the IT (SPDI) Rules 2011:

Voice recordings: Full audio recording of every call processed through our platform
Call transcripts: Text transcriptions generated from voice recordings using automated speech recognition
Caller intent and sentiment analysis: AI-generated analysis of caller intent, emotional tone, and conversation outcomes
Caller-provided information: Any personal information shared verbally during the call (name, phone number, address, financial details, health information, etc.) as required by the use case configured by the Platform Customer
Phone metadata: Caller phone number, call timestamps, duration, and call disposition
Voice biometric data derived from recordings may constitute biometric information under the DPDP Act 2023. We do not build caller voice profiles for identification purposes. Recordings are used solely for transcription, quality analysis, and AI model improvement as described in Section 03.

C. AI Disclosure & Call Recording Consent

Under Indian law and TRAI regulations, the use of an automated/AI system and the recording of a call may need to be disclosed to the parties before the call proceeds. Responsibility for this disclosure works as follows:

Platform Customer responsibility: The Platform Customer is responsible for determining and meeting the AI-disclosure and recording-consent requirements that apply to their use case, jurisdiction, and industry, and for configuring their AI agents accordingly. This is a contractual obligation under our Terms of Service.
Configurable disclosure: Resonera.ai provides the ability to configure a start-of-call disclosure message (for example, stating that the caller is speaking with an AI agent and that the call may be recorded). Whether, and how, this disclosure is used is controlled by the Platform Customer through their agent configuration.
Recording scope: Recording is applied to calls as configured by the Platform Customer (for example, campaign calls). Where a caller refuses consent, the Platform Customer is responsible for configuring an appropriate outcome (such as routing to a human agent or ending the call).
04

How We Use Your Information

A. Call recordings and transcripts are used for:

Service delivery: Generating real-time transcripts and AI responses during the call
Quality assurance: Reviewing calls to monitor AI agent accuracy and conversation quality
Analytics: Providing Platform Customers with dashboards showing call outcomes, sentiment trends, and agent performance — in aggregate and at individual call level
AI model improvement: Using anonymised and aggregated transcript data to improve speech recognition accuracy and intent classification models. Individual caller data is not used for model training without explicit opt-in from the Platform Customer
Dispute resolution: Retaining recordings to resolve billing disputes or complaints
Legal compliance: Retaining records as required by applicable law

B. Platform Customer data is used for:

Account management, billing, and invoicing (including GST compliance)
Providing and improving the Resonera.ai platform
Technical support and onboarding
Sending product updates, service notices, and marketing communications (with opt-out available)
05

Legal Basis for Processing (Indian Law)

Under the IT Act 2000, IT (SPDI) Rules 2011, and the DPDP Act 2023, we process personal data on the following bases:

Consent

Call recording and transcript processing is based on explicit consent obtained via the start-of-call disclosure. Platform Customers consent via our Terms of Service.

Contract

Processing necessary to deliver the AI phone agent service contracted by Platform Customers.

Legitimate Interest

Quality monitoring, fraud prevention, and platform security where privacy impact is proportionate to the purpose.

Legal Obligation

Retaining records to comply with Indian tax laws, TRAI obligations, and court orders.

06

Data Retention

Our retention policy targets the periods below. We are progressively rolling out automated, scheduled deletion; until that is fully in place across all data stores, deletion within these periods can be requested at any time by contacting our Grievance Officer.

Call recordings: Target retention of 90 days. Platform Customers may request shorter retention. Extended retention may be available on Enterprise plans by agreement.
Call transcripts and analytics: Target retention of up to 1 year from the date of the call.
Knowledge base content and embeddings: Retained for as long as the Platform Customer keeps the item in their account; deleted when the customer deletes the item or closes their account.
Platform Customer account data: Retained for the duration of the account and for up to 7 years after closure for GST and tax compliance purposes.
Website visitor data: Retained for up to 24 months per our Cookie Policy.
On account termination, we will delete the associated call recordings, transcripts, and knowledge base content within 30 days of a deletion request, except where retention is required by law (for example, tax and accounting records). If you need confirmation of deletion, contact [email protected].
07

Data Sharing & Third Parties

We do not sell personal data. We share data only in the following circumstances:

Platform Customers: Call recordings, transcripts, and analytics are shared with the Platform Customer whose AI agent conducted the call — this is the primary purpose of the service.
Sub-processors: We rely on a number of third-party providers to deliver the service. Each is bound by contractual data-processing terms. The current categories and providers are listed below.
Legal disclosure: We will disclose data to courts, law enforcement, or regulatory authorities (including TRAI and MEITY) when legally required, with notice to the affected party where permitted by law.
Business transfer: In the event of a merger, acquisition, or sale of assets, personal data may be transferred with notice to affected parties.

Sub-processors we use

The following providers process data on our behalf. Some are located outside India — see Cross-Border Data Transfers below.

Telephony & voice connectivity

Twilio, Exotel, Plivo, and LiveKit — for placing/receiving calls, SIP trunking, and real-time audio transport.

Speech-to-text (STT)

Sarvam AI and Deepgram — for transcribing call audio into text.

AI language models (LLM)

Groq, OpenAI, and Google (Gemini) — for generating agent responses and analysing call content.

Text-to-speech (TTS)

Sarvam AI, Google, Cartesia, ElevenLabs, and OpenAI — for synthesising the agent's voice.

Cloud hosting & storage

Supabase (application database), AWS S3 in the Mumbai ap-south-1 region (call recordings), Google Cloud Storage (knowledge base files), Qdrant (vector embeddings), and Cloudinary (demo audio).

Authentication

Clerk — for account sign-up, sign-in, and identity management (name, email, organisation).

Payments

Stripe — for processing subscription payments. We do not store full card details; these are handled by Stripe.

This list reflects the providers in use as of the last-updated date and may change as the service evolves. An up-to-date list is available on request at [email protected].
08

Cross-Border Data Transfers

Resonera.ai is based in India and we store call recordings in the AWS Mumbai (ap-south-1) region. However, delivering the service necessarily involves some processing outside India:

Call audio and/or transcripts may be sent to AI language model, speech-to-text, and text-to-speech providers (such as OpenAI, Groq, Google, Deepgram, Cartesia, and ElevenLabs) whose processing may occur outside India.
Some infrastructure and identity providers (such as Supabase and Clerk) may store or process data in regions outside India depending on their configuration.

Where data is processed outside India, we rely on the sub-processors' contractual data-processing terms and security commitments. We do not currently restrict transfers to India only. The DPDP Act 2023 permits cross-border transfers except to countries specifically restricted by the Government of India. If you require India-only data residency for a regulated use case, contact us at [email protected] to discuss available options.

09

Your Rights Under Indian Law

Under the IT (SPDI) Rules 2011 and the DPDP Act 2023, you have the right to:

Access: Request a copy of personal data we hold about you, including a transcript or recording of a specific call
Correction: Request correction of inaccurate personal information
Erasure: Request deletion of your personal data, subject to our legal retention obligations (e.g. 7-year GST requirement)
Withdraw consent: Withdraw consent for processing at any time — this will not affect processing already completed
Grievance redressal: Lodge a complaint with our Grievance Officer (details below) within a reasonable time. We will respond within 30 days as required by the IT Act.
Nominate: Under DPDP Act 2023, you may nominate another individual to exercise your rights in the event of your death or incapacity

Grievance Officer (as required by IT Act 2000, Section 5(9) of IT Rules 2011)

Name: Aditya Sah · Email: [email protected] · Address: Mumbai, Maharashtra, India · Response time: 30 days

10

Children's Data

Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal data from minors. If a Platform Customer's use case involves minors, they must obtain parental or guardian consent before calls are processed through our platform.

11

Data Security

We implement appropriate technical and organisational measures under Rule 8 of the IT (SPDI) Rules 2011:

Encryption in Transit

TLS 1.3 for all data transfers including audio streams and API calls

Encryption at Rest

AES-256 encryption for stored recordings, transcripts, and database backups

Access Controls

Role-based access, MFA for all personnel, and least-privilege principle

Audit Logging

Comprehensive logs of all access to call recordings and personal data

Periodic Review

Annual security audits and continuous vulnerability scanning

Data Minimisation

Only data necessary for the stated purpose is collected and retained

12

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to Platform Customers via email at least 15 days before taking effect. Continued use of the platform after the effective date constitutes acceptance. The current version is always available at resonera.ai/privacy.

13

Contact & Grievance Redressal

For privacy-related queries, data access requests, or to exercise your rights, contact our Grievance Officer:

Resonera.ai — Privacy & Grievance

Email: [email protected]

Address: Mumbai, Maharashtra, India

We acknowledge requests within 3 business days and respond fully within 30 days.

This Privacy Policy is governed by the Information Technology Act 2000, IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, and the Digital Personal Data Protection Act 2023. It was last updated on June 19, 2026.

This page is informational and does not constitute legal advice. Resonera.ai recommends independent legal review of this policy by a qualified advocate before relying on it.

On this page
Governing Laws
IT Act 2000
IT (SPDI) Rules 2011
DPDP Act 2023
TRAI Regulations
Consumer Protection Act 2019