Privacy Policy
1. Data Controller
The data controller for the processing of personal data described in this Privacy Policy is:
KCraft Studio LTD
Cyprus
Email: hello@callrix.io
Website: callrix.io
This Privacy Policy applies to the Callrix website (callrix.io) and the business relationship between Callrix and its Licensees (B2B customers). For End Users of a Licensee's branded platform, the Licensee is the data controller and must provide their own privacy policy.
2. What Data We Collect
2.1 Account Data
When you sign up as a Licensee, we collect:
- Full name and company name
- Email address
- Phone number (if provided)
- Billing address
2.2 Payment Data
Payment processing is handled entirely by Stripe. Callrix does not store credit card numbers, CVVs, or full bank account details on its own servers. Stripe may collect and process payment data in accordance with Stripe's Privacy Policy.
2.3 Usage Data
We collect data about how you use the Platform:
- Login timestamps and frequency
- Features accessed and actions taken in the admin dashboard
- Number of advisors, End Users, and calls on your platform
2.4 Communication Data
We store communications between you and Callrix, including emails, support requests, and onboarding call notes.
2.5 Technical Data
When you visit our website or use the Platform, we automatically collect:
- IP address
- Browser type and version
- Operating system and device type
- Pages visited and time spent
- Referring URL
3. Legal Basis for Processing (Art. 6 GDPR)
| Purpose | Legal Basis |
|---|---|
| Providing the Platform and fulfilling the license agreement | Contract performance — Art. 6(1)(b) |
| Processing payments and billing | Contract performance — Art. 6(1)(b) |
| Security monitoring, fraud prevention, and abuse detection | Legitimate interest — Art. 6(1)(f) |
| Platform improvement and analytics | Legitimate interest — Art. 6(1)(f) |
| Marketing communications | Consent — Art. 6(1)(a) |
| Tax records and accounting obligations | Legal obligation — Art. 6(1)(c) |
4. How We Use Your Data
- To provide, operate, and maintain the Callrix Platform
- To process payments, issue invoices, and manage subscriptions
- To communicate with you about your account, support requests, and service updates
- To monitor and improve Platform performance, reliability, and security
- To detect and prevent fraud, abuse, or unauthorized access
- To comply with legal obligations (tax, accounting, regulatory)
5. Data Sharing & Sub-Processors
We do not sell, rent, or trade your personal data. We share data only with the following categories of service providers who are contractually bound to process data on our behalf:
| Processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Server hosting and infrastructure | Germany (EU) |
| Stripe, Inc. | Payment processing and Stripe Connect payouts | USA (EU SCCs in place) |
| Google LLC (Firebase) | Push notifications via Firebase Cloud Messaging | USA (EU SCCs in place) |
| LiveKit, Inc. | Real-time VoIP/WebRTC infrastructure | USA (EU SCCs in place) |
| Matomo (self-hosted) | Website analytics | Germany (EU) — self-hosted on Hetzner |
6. International Data Transfers
The Platform and all primary data storage are hosted in the European Union (Hetzner, Germany). Where data is transferred to processors outside the EU (Stripe, Google, LiveKit), appropriate safeguards are in place in accordance with Chapter V of the GDPR, including EU Standard Contractual Clauses (SCCs) or adequacy decisions by the European Commission.
7. Data Retention
- Active account: Data is retained for the duration of the license agreement.
- After termination: Account data is retained for 30 days to allow for data export, then permanently deleted.
- Financial records: Invoices, payment records, and tax-relevant data are retained for 7 years as required by applicable tax and accounting laws.
- Communication records: Support correspondence is retained for 2 years after the last interaction.
- Technical logs: Server logs and access logs are retained for 90 days, then automatically purged.
8. Your Rights (Art. 15–22 GDPR)
As a data subject under the GDPR, you have the following rights:
- Right of access (Art. 15): You may request a copy of the personal data we hold about you.
- Right to rectification (Art. 16): You may request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17): You may request deletion of your personal data, subject to legal retention obligations.
- Right to restriction (Art. 18): You may request that we restrict processing of your data in certain circumstances.
- Right to data portability (Art. 20): You may request your data in a structured, machine-readable format (JSON).
- Right to object (Art. 21): You may object to processing based on legitimate interest, including direct marketing.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at hello@callrix.io. We will respond within 30 days.
9. Cookies & Tracking
The Callrix website uses the following cookies:
- Session cookies: To maintain your login state and session.
- Authentication tokens: To securely identify authenticated users.
- Matomo analytics: We use a self-hosted Matomo instance (hosted on our own EU servers) to collect anonymous website usage statistics. Matomo is configured to respect Do Not Track (DNT) browser settings and does not share data with any third party. All analytics data remains on our own infrastructure within the EU.
We do not use third-party tracking cookies, advertising cookies, or retargeting services. We do not use Google Analytics, Facebook Pixel, or similar third-party tracking services.
10. Security Measures
We implement appropriate technical and organizational measures to protect your personal data:
- All data transmitted between your browser and our servers is encrypted via TLS (HTTPS).
- Passwords are hashed using BCrypt with a cost factor of 12.
- Authentication uses JWT tokens with expiration and refresh mechanisms.
- Rate limiting is applied to all sensitive endpoints to prevent brute-force attacks.
- Stripe webhook signatures are verified to prevent tampering.
- Wallet operations use pessimistic database locking to prevent race conditions.
- All infrastructure is hosted within the EU on Hetzner servers in Germany.
- Automatic SSL certificates via Let's Encrypt and Traefik.
11. Children
Callrix is a B2B service directed at businesses and professionals. We do not knowingly collect personal data from individuals under the age of 18. If we become aware that we have collected data from a minor, we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated effective date. For material changes that affect how we process your data, we will notify you via email at least 30 days before the changes take effect.
13. Supervisory Authority
If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. The competent authority for KCraft Studio LTD is:
Commissioner for Personal Data Protection
Republic of Cyprus
www.dataprotection.gov.cy
14. Contact
For any questions or requests regarding this Privacy Policy or the processing of your personal data, contact us at:
KCraft Studio LTD
Email: hello@callrix.io
Website: callrix.io