Privacy Policy | Vocatively

1. Introduction

SIRRIUS OFFICE INC. (“Vocatively,” “we,” “us,” or “our”) provides AI-powered receptionist services to healthcare providers, professional service firms, and other businesses (“Subscribers”). This Privacy Policy describes how we collect, use, disclose, and protect information through our AI receptionist platform, subscriber dashboard, and website at vocatively.app (collectively, the “Services”).

We are committed to protecting the privacy and security of your personal information and complying with applicable privacy legislation, including the Personal Information Protection and Electronic Documents Act (PIPEDA).

By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Services.

2. Scope of This Policy

This Privacy Policy applies to information we collect from:

Subscribers who register for and use our AI receptionist services
Visitors to our website at vocatively.app
Individuals who contact us for support or inquiries

Important Notice Regarding Caller Data: When our AI receptionist handles calls on behalf of a Subscriber, the Subscriber—not Vocatively—is the data controller for caller information. Each Subscriber determines how caller data is collected, used, and retained. We process caller data solely on the Subscriber's behalf and in accordance with their instructions. We encourage callers to review the privacy practices of the business they are contacting.

3. Information We Collect

3.1 Subscriber Account Information

When you create an account and use our Services, we collect:

Account Information: Business name, contact name, email address, phone number, business type, and industry
Billing Information: Payment method details are collected and processed by Stripe; we do not store credit card numbers on our servers
Configuration Data: AI receptionist settings, voice preferences, greeting scripts, industry templates, and appointment types
Configuration Data: AI receptionist customization preferences, notification settings, and business hours
Communication Records: Support tickets, emails, and chat conversations with our team

3.2 Call Data

On behalf of our Subscribers, our AI receptionist collects and processes:

Contact Details: Caller name, phone number, and email address (if provided)
Appointment Information: Preferred dates, times, and reason for visit
Call Content: Information shared during the conversation, which may include health-related information for healthcare practices
Call Metadata: Date, time, duration, caller phone number, and call outcome
AI-Generated Summaries: Structured summaries of call content, including caller name, appointment requests, and call categorization
AI-Generated Call Data: Structured call summaries, sentiment analysis, and call categorization, stored securely and accessible only through the authenticated Subscriber dashboard

3.3 Usage Data

We automatically collect certain technical information when you use our Services:

Device Information: Browser type, operating system, screen resolution, and device identifiers
Usage Patterns: Pages visited, features used, interaction patterns, and session duration
Network Information: IP address, referring URLs, access timestamps, and approximate geographic location

4. How We Use Your Information

We use collected information for the following purposes:

Provide Services: Operate the AI receptionist, process appointments, generate call summaries, and deliver notifications to Subscribers
Improve Our Platform: Analyze usage patterns, enhance AI accuracy and natural language processing, and develop new features
Communicate: Send service updates, respond to inquiries, and provide technical support
Ensure Security: Detect fraud, prevent abuse, monitor for security threats, and protect our systems and users
Meet Legal Obligations: Comply with applicable laws, respond to lawful requests, and fulfill regulatory requirements
Process Payments: Manage subscriptions, process billing, and handle overage charges through Stripe
Anonymized Aggregate Analytics: We collect anonymized, aggregate statistical data (such as call volumes, timing patterns, sentiment trends, and call categories) for industry research, benchmarking, and service improvement. This data is permanently stripped of all personally identifiable information at the time of collection and cannot be traced back to any specific business, individual, caller, or patient. We apply a minimum aggregation threshold of ten (10) data points to prevent re-identification. See Section 9.3 of our Terms of Service for full details.

We do not sell your data. We never sell personal information, anonymized data, or any other data derived from your use of the Services to third parties, under any circumstances. We do not use call data or summaries to train third-party AI models. We do not share personal information with third parties for their marketing purposes.

5. Call Data and AI Processing

Our AI receptionist handles calls in real time using voice AI technology. By default, calls are not recorded and not transcribed. The AI processes conversations live and generates structured summaries (including caller intent, sentiment, appointment requests, and call categorization). Only this structured metadata is stored. Callers receive an automated notification at the beginning of each call informing them that the call is handled by an AI assistant.

Secure Access: Call summaries and AI-generated insights are stored securely and are accessible only through the authenticated Subscriber dashboard.

Email Notifications: Email notifications sent to Subscribers after each call contain only contact information (caller name and phone number) and a generic call categorization. Email notifications never contain Protected Health Information (PHI) or detailed call content. To review full call details, Subscribers must log in to the authenticated dashboard.

Data Ownership: Call data and summaries belong to the Subscriber, not Vocatively. Detailed call records (caller name, appointment details, call summaries) are retained for ninety (90) days, after which they are automatically anonymized. Anonymized analytics (trends, call volumes, categories) are retained for the lifetime of the account. It is the Subscriber's responsibility to export any detailed data they wish to retain beyond the 90-day period.

6. How We Share Information

We may share information in the following limited circumstances:

With Subscribers: Caller information is shared with the Subscriber whose AI receptionist handled the call, via the authenticated dashboard and email notifications (contact information only)
Service Providers: We work with trusted vendors who process data on our behalf, subject to contractual obligations to protect your information (see Section 10: Third-Party Services)
Legal Requirements: We may disclose information when required by law, court order, subpoena, or governmental authority
Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, information may be transferred to the acquiring entity, subject to the same privacy protections
Safety and Protection: We may disclose information when we believe in good faith that disclosure is necessary to protect the rights, safety, or property of Vocatively, our users, or the public
With Consent: We may share information when you have given us explicit written permission

7. Privacy Compliance

7.1 PIPEDA Compliance (Canada)

As a Canadian company, Vocatively complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and is guided by PIPEDA's ten fair information principles:

Accountability: We have designated a Privacy Officer responsible for our compliance with PIPEDA and for the protection of personal information in our custody or control.
Identifying Purposes: We identify the purposes for which personal information is collected at or before the time of collection.
Consent: We obtain meaningful consent for the collection, use, and disclosure of personal information. Consent may be express or implied, depending on the sensitivity of the information.
Limiting Collection: We limit the collection of personal information to what is necessary for the identified purposes. Information is collected by fair and lawful means.
Limiting Use, Disclosure, and Retention: Personal information is used or disclosed only for the purposes for which it was collected, unless the individual consents or as required by law. Information is retained only as long as necessary to fulfill those purposes.
Accuracy: We keep personal information as accurate, complete, and up-to-date as necessary for the purposes for which it is to be used.
Safeguards: We protect personal information with security safeguards appropriate to the sensitivity of the information, including encryption, access controls, and physical security measures.
Openness: We make information about our policies and practices relating to the management of personal information readily available through this Privacy Policy.
Individual Access: Upon request, we inform individuals of the existence, use, and disclosure of their personal information and provide access to that information within 30 days.
Challenging Compliance: Individuals may challenge our compliance with these principles by contacting our Privacy Officer. We investigate all complaints and take appropriate corrective action.

Our Privacy Officer can be reached at privacy@vocatively.app.

8. Data Storage and Security

We implement comprehensive, industry-leading security measures to protect your information:

9.1 Encryption

At Rest: All data is encrypted at rest by our managed database provider using industry-standard encryption
In Transit: All data transmitted between your devices, our servers, and third-party services is encrypted using TLS 1.2 or higher

9.2 Infrastructure

Cloud Hosting: Our database is hosted on DigitalOcean Managed PostgreSQL in Toronto, Canada (ca-central). Our backend runs on Railway and our frontend on Vercel.
Database Security: Production databases are encrypted, access-controlled, and regularly backed up with point-in-time recovery
Network Security: Firewalls, intrusion detection systems, and DDoS protection safeguard our infrastructure

9.3 Access Controls

Role-Based Access: Strict role-based access controls ensure only authorized personnel can access sensitive data
Authentication: Subscriber accounts are protected by secure authentication mechanisms
Monitoring: Continuous security monitoring, logging, and regular vulnerability assessments

9.4 Payment Security

We do not store payment card information on our servers. All payment processing is handled by Stripe, a PCI-DSS Level 1 certified payment processor—the highest level of certification in the payments industry.

9. Third-Party Services

We use the following third-party service providers to deliver our Services. Each provider is bound by contractual obligations to protect the data they process on our behalf:

Provider	Purpose	Data Processed
Vapi.ai	AI voice platform for call handling, speech recognition, and natural language processing	Call metadata, AI summaries, voice interaction data
Stripe	Payment processing, subscription management, and billing	Payment methods, billing information, transaction records
Twilio	Telecommunications infrastructure for phone number provisioning and call routing	Phone numbers, call routing data
DigitalOcean	Managed PostgreSQL database hosting in Toronto, Canada (ca-central)	All application data (encrypted at rest with LUKS AES-256)
Railway	Backend application hosting and compute	Application processing (no data stored at rest)
Vercel	Frontend hosting and CDN	No PHI (client-side application only)
Paubox	Secure email delivery for call notifications	Email addresses, notification content (contact info only—no PHI)
OpenAI	Call intelligence analysis (sentiment, categorization, revenue tagging)	Structured call metadata only (no transcripts, no PHI)

We carefully evaluate all third-party providers for their security practices and compliance with applicable privacy regulations before engaging their services.

10. Data Retention

We retain information according to the following schedule:

Detailed Call Records (Tier 1): Call summaries, caller names, appointment details, AI-generated insights, and structured metadata are retained for ninety (90) days from the date of the call, after which they are automatically anonymized. Subscribers should export any detailed data they need to retain beyond this period.
Client Analytics (Tier 2): Anonymized, account-level analytics (call volume trends, sentiment trends, category breakdowns, year-over-year comparisons) are retained for the lifetime of the Subscriber's active account. Deleted within 30 days of account termination.
Aggregate Analytics (Tier 3): Permanently anonymized, aggregate statistical data (stripped of all PII and account identifiers) is retained indefinitely for industry research, benchmarking, and service improvement. See Section 9.3 of our Terms of Service for details.
Subscriber Account Data: Retained while the subscription is active. Upon cancellation, account data is deleted within 30 days unless longer retention is required by law.
Billing Records: Retained for seven (7) years to comply with financial record-keeping and tax reporting requirements.
Marketing Communications: Contact information retained until opt-out or after two (2) years of inactivity.
Website Analytics: Aggregated usage data retained indefinitely; individual session data retained for 12 months.

Upon request, we will delete or anonymize your personal information within 30 days, subject to legal retention obligations and legitimate business needs.

11. Cookies and Tracking Technologies

We use cookies and similar technologies to operate our website and improve your experience:

Essential Cookies: Required for website functionality, security, and authentication. These cannot be disabled.
Analytics Cookies: Help us understand how visitors use our site, which pages are most visited, and how users navigate the platform. Data is aggregated and anonymized.
Preference Cookies: Remember your settings and choices, such as language and display preferences.

You can control cookies through your browser settings. Most browsers allow you to refuse cookies or alert you when a cookie is being set. Disabling certain cookies may affect website functionality and your ability to use some features of our Services.

We do not use tracking technologies to serve targeted advertising. We do not participate in cross-site tracking or ad networks.

13. Your Privacy Rights

13.1 Rights for All Users

Regardless of your location, you have the right to:

Access: Request a copy of the personal information we hold about you
Correction: Request correction of inaccurate or incomplete information
Deletion: Request deletion of your personal information, subject to legal retention requirements
Portability: Receive your data in a structured, commonly used, machine-readable format
Opt-Out: Unsubscribe from marketing communications at any time using the unsubscribe link in our emails
Withdraw Consent: Withdraw previously given consent for specific processing activities

13.2 Canadian Residents

Under PIPEDA, you have the right to access and challenge the accuracy of your personal information held by us. You may also file a complaint with the Office of the Privacy Commissioner of Canada if you believe we have not handled your personal information appropriately.

13.3 California Residents

Under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), California residents have additional rights, including the right to know what personal information is collected, the right to delete personal information, and the right to opt out of the sale or sharing of personal information. As stated above, we do not sell or share personal information for cross-context behavioral advertising.

13.4 Exercising Your Rights

To exercise any of these rights, please contact us at privacy@vocatively.app. We will verify your identity and respond to your request within 30 days. If we need additional time, we will notify you of the reason and extension period (up to an additional 30 days).

We will not discriminate against you for exercising any of your privacy rights.

14. Children's Privacy

Our Services are designed for business use and are not directed at individuals under 18 years of age. We do not knowingly collect personal information from children under 13 (or under 16 in the EEA). If we become aware that we have inadvertently collected information from a child under the applicable age, we will promptly delete that information. If you believe a child has provided us with personal information, please contact us at privacy@vocatively.app.

15. Compliance Agreements

If your organization has specific compliance requirements, please contact us at compliance@vocatively.app to discuss how we can support your needs.

16. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

Notify Subscribers via email at least 30 days before the changes take effect
Post the updated policy on our website with a revised “Last Updated” date
Highlight material changes at the top of the updated policy

Your continued use of our Services after the effective date of changes constitutes acceptance of the updated policy. If you do not agree to the revised policy, you must stop using the Services and cancel your subscription.

17. Contact Us

If you have questions about this Privacy Policy, our privacy practices, or wish to exercise your privacy rights, please contact us:

SIRRIUS OFFICE INC.

Toronto, Ontario, Canada

Privacy Inquiries: privacy@vocatively.app

Compliance: compliance@vocatively.app

General Support: support@vocatively.app

If you are not satisfied with our response to a privacy concern, you may contact the Office of the Privacy Commissioner of Canada or the Information and Privacy Commissioner of Ontario.