Kalvo Privacy Policy

    Last updated: May 4, 2026

    This Privacy Policy explains how Kalvo collects, uses, discloses, and protects personal information when you use the Services. Capitalized terms not defined here have the meanings in our Terms of Service.

    1. Who we are; contact

    Kalvo is the controller of personal information collected from account holders and visitors. For personal information that Customers upload about third parties (including call Recipients), Kalvo acts as a processor; the Customer is the controller and our Data Processing Addendum applies.

    Privacy Officer: legal@kalvo.io

    EU Article 27 Representative: [To be appointed — contact legal@kalvo.io for current details.]

    UK Article 27 Representative: [To be appointed — contact legal@kalvo.io for current details.]

    2. Information we collect

    2.1 You provide: account information (name, email, password hash, organization, role); billing data processed by Stripe; phone numbers; contact lists and lead data; support communications.

    2.2 Automatically: call metadata (numbers, timestamps, duration, disposition). Kalvo does not record or transcribe call audio in production. Device and log data (IP, browser, OS, pages, error reports). Cookies and similar technologies — see the Cookie Policy.

    2.3 From third parties: integrations you connect (e.g. CRM imports); authentication providers if you use SSO.

    2.4 We do not knowingly collect special-category data. Do not upload it.

    3. How we use information

    We use personal information to provide and improve the Services, authenticate users, prevent fraud, process payments, communicate about your account, respond to support, comply with law, enforce agreements, and produce aggregate analytics.

    4. Lawful bases (GDPR / UK GDPR)

    Contract (Art. 6(1)(b)); legitimate interests (Art. 6(1)(f)) for security and improvement; consent (Art. 6(1)(a)) for non-essential cookies and optional marketing; legal obligation (Art. 6(1)(c)).

    5. Sharing

    With subprocessors listed at /subprocessors. With integrations you authorize. With advisors under confidentiality. In corporate transactions. With authorities when required by law. We do not sell personal information.

    6. International transfers

    We are based in Canada. Subprocessors may be in the US and elsewhere. For EEA/UK/Switzerland transfers we use Standard Contractual Clauses, UK IDTA/addendum, and other mechanisms as required. Request copies at legal@kalvo.io.

    7. Retention

    Account data: life of account plus 24 months after closure (longer if required for tax — default 7 years for billing). Call metadata: 24 months. Support tickets: 24 months after resolution. Security logs: 12 months.

    8. Your rights

    Access, correction, deletion, objection, restriction, portability, withdraw consent, and complaint to a supervisory authority, depending on jurisdiction. Contact legal@kalvo.io. We respond within 30 days (PIPEDA / Quebec Law 25) or one month (GDPR / UK GDPR), with permitted extensions.

    California (CCPA/CPRA): rights to know, delete, correct, and opt out of sale/share. We do not sell or share personal information for cross-context behavioral advertising. Requests: legal@kalvo.io.

    9. Security

    We use TLS, encryption at rest where applicable, access controls, and audit logs. No method is 100% secure.

    10. Breach notification

    We notify regulators and individuals when required by law (including PIPEDA significant-harm assessment and GDPR 72-hour notification where applicable).

    11. Children

    The Services are not directed to anyone under 18.

    12. Changes

    Material changes will be notified by email or in-app notice at least 14 days before effectiveness.

    13. Contact

    Kalvo Privacy Officer — legal@kalvo.io