Privacy Policy
Effective date: 2026-05-07 Last updated: 2026-05-07
1. Introduction
This Privacy Policy describes how Oleksii Ianchuk, a sole trader registered in Poland ("we", "us", "our", or "Parlacall"), collects, uses, shares, and protects your personal data when you use our browser-based international calling service at https://parlacall.com (the "Service").
We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Polish Act on the Protection of Personal Data (Ustawa o ochronie danych osobowych), and other applicable data protection legislation.
This Privacy Policy applies to:
- Users – individuals who create an account and use the Service.
- Visitors – individuals who browse our website without creating an account.
2. Data Controller
The data controller responsible for your personal data is:
Oleksii Ianchuk, ul. Prochowa 9/21, 31-532 Kraków, Poland, NIP: 6751826005
Email: support@parlacall.com
We are not required to appoint a Data Protection Officer (DPO) under GDPR Article 37, as our core activities do not consist of large-scale systematic monitoring of individuals or large-scale processing of special categories of data. However, you may direct any data protection inquiries to support@parlacall.com.
2.1 Data Protection Impact Assessment (DPIA)
Because the Service involves real-time AI processing of voice audio of both Users and called third parties, we are completing a Data Protection Impact Assessment ("DPIA") under GDPR Article 35 covering AI-translated calls and the processing of called-party voice audio in transit. A summary of the DPIA will be made available on request to support@parlacall.com once finalized.
3. Personal Data We Collect
We collect and process the following categories of personal data:
3.1 Account Data
When you create an account, we collect:
- Name – your display name (provided during registration, or derived from your email address if not provided, or obtained from your OAuth provider during social login).
- Email address – used for account identification, login, and transactional communications.
- Profile image – only if provided via a third-party OAuth provider (Google).
- Normalized email – a standardized form of your email address used solely to prevent duplicate account creation (e.g., detecting Gmail dot and plus-sign variations).
- Account profile data – account type, account status, and milestone timestamps (e.g., date of first call, date of first top-up) used for service operation and fraud prevention.
- User preferences – your preferred call mode, default languages, and interface locale, stored to personalize your experience.
- OAuth tokens – if you sign in via Google, we store access tokens, refresh tokens, and ID tokens from your provider to maintain your authenticated session. These tokens are protected by database-level encryption at rest (provided by our database hosting provider, Neon) and are used solely to verify your identity.
Source: Directly from you during registration, or from your OAuth provider (Google) during social login.
3.2 Session and Security Data
When you use the Service, we automatically collect:
- IP address – recorded with each session for security and abuse prevention.
- User agent – your browser type and version, recorded with each session.
- Session tokens – encrypted tokens used to maintain your authenticated session.
Retention: Sessions expire automatically after 7 days. Session records (IP, user agent) are deleted when the session expires or when your account is deleted.
3.3 Payment and Wallet Data
When you purchase call credits, we collect and store:
- Transaction amounts – the amount of each credit purchase (in USD cents).
- Wallet balance – your current available and reserved credit balance.
- Ledger entries – an immutable audit trail of all balance changes (purchases, call charges, adjustments), including timestamps and descriptions.
- Stripe session IDs – references to payment sessions for reconciliation.
What we do NOT store: We do NOT store, process, or have access to your payment card number, expiration date, CVV, or other payment method details. All payment processing is handled directly by Stripe, Inc. (PCI DSS Level 1 certified). Your payment method details never touch our servers.
Source: Transaction amounts from Stripe webhook confirmations. Balance data is computed from ledger entries.
3.4 Call Metadata
When you make calls through the Service, we collect:
- Destination phone number – the number you are calling (stored in E.164 format).
- Call duration – actual talk time in seconds.
- Billed duration – duration rounded to the next 60-second increment for billing.
- Call cost – the amount charged for the call (in USD cents).
- Call mode – whether the call was standard or used AI translation.
- Source and target languages – for translated calls, the languages selected.
- Caller ID used – which outgoing number was displayed to the recipient.
- Call status and timestamps – call state transitions (connecting, connected, ended, failed) and their timestamps.
- End reason – why the call ended (user hangup, no answer, error, balance cutoff, etc.).
- Country code – derived from the destination number.
- Provider reference IDs – identifiers from our telephony provider for call reconciliation.
- AI translation disclosure outcome – for translated calls, we record whether the AI-translation disclosure notice was successfully announced to the called party (disclosure_outcome), the language in which the disclosure was played (disclosure_locale), and the timestamp of the disclosure attempt (disclosure_attempted_at). This is required for our compliance obligations regarding synthetic-voice disclosure and for audit if a recipient queries whether they were notified before AI translation engaged.
What we do NOT collect:
- We do NOT record or store call audio. Your conversations are never recorded.
- We do NOT store call transcripts or translations. AI translation is processed in real time and discarded immediately.
- We do NOT store DTMF tones (keypad inputs) beyond detecting that they occurred.
Source: Generated during call processing from our telephony provider webhooks and internal call lifecycle tracking.
3.5 Caller ID Verification Data
When you verify a phone number as your caller ID, we collect:
- Phone number – the number you are verifying (stored in E.164 format).
- Verification status – pending, verified, failed, or revoked.
- OTP code hash – the verification code is stored only as a bcrypt hash. We never store the plaintext code.
- Verification attempt metadata – attempt count, timestamps, and expiry times.
Source: Directly from you when you initiate verification. OTP is sent to your phone via SMS.
3.6 Analytics Data
When you use the Service with analytics enabled (requires your consent), we collect pseudonymized usage data:
- Product events – actions you take in the Service (e.g., starting a call, completing a top-up), recorded with pseudonymized metadata.
- Page views – pages visited within the Service.
- Pseudonymized user identifier – a stable internal account identifier (not your email or name) is used to link events across a session. Under GDPR Recital 26, pseudonymized data remains personal data because it can be attributed to a specific person using additional information held by us. We treat analytics data as personal data accordingly.
What we do NOT send to analytics:
- Your email address (only the domain portion, e.g., "gmail.com", is included, never the full address).
- Your phone number.
- Your payment details.
- Call content or translations.
We enforce this through automated static analysis tests in our codebase that prevent direct personal identifiers from being included in analytics events.
- UTM parameters – if you arrive at our website via a marketing link containing UTM parameters (source, medium, campaign), these are captured and associated with your analytics session to help us understand which channels bring users to our Service. UTM parameters do not contain personal identifiers.
Source: Client-side event tracking via PostHog. Analytics is activated only after you provide consent via our cookie consent mechanism. Server-side analytics events (e.g., webhook processing) are also gated on consent status.
3.6A Advertising and Conversion Measurement
If you give marketing consent, we may use Google Ads / Google tag and Meta Pixel / Conversions API to measure visits and conversion events from ads and to support remarketing audiences. These tools are disabled unless marketing consent is enabled and the provider integration is enabled in production configuration.
We do not send call audio, call transcripts, phone numbers, full email addresses, payment details, or message content to advertising providers. Server-side advertising events are gated on marketing consent.
3.7 Error and Diagnostic Data
We automatically collect error data to maintain service quality:
- Error messages and stack traces – technical details of software errors.
- Browser and OS information – to help reproduce and fix issues.
- Session replay on errors – when a JavaScript error occurs, we capture a replay of the browser session leading up to the error. This replay includes DOM snapshots (the visual state of the page), mouse movements, clicks, and console output. Session replays are captured ONLY when an error occurs (not during normal usage) and are used solely to diagnose and fix technical issues. Session replays do not capture text you type into password fields or payment fields.
Error tracking does not include your name, email, phone number, or call content in standard error reports. Session replay data may include page content visible at the time of the error.
Legal basis: Error tracking (error messages, stack traces) is processed on the basis of our legitimate interest in maintaining a functional service (GDPR Article 6(1)(f)). Session replay, which uses browser local storage, requires your consent under Art. 399 of the Prawo komunikacji elektronicznej (ePrivacy). Session replay is activated only after you provide consent via our cookie consent mechanism.
Source: Captured by PostHog (Error Tracking + Session Replay) when a technical error occurs in the application.
3.8 Communication Data
When we send you transactional emails (e.g., purchase receipts, account notifications), we record:
- Recipient email address – where the email was sent.
- Email type and status – what was sent and whether delivery succeeded.
- Template and reference IDs – for deduplication and audit purposes.
We do NOT send marketing emails. All emails are transactional (directly related to your use of the Service).
3.9 Data about Called Parties
When you place a call through the Service, the called party (the recipient of your call) is also a data subject under GDPR. We process the following limited data about called parties:
- Phone number – collected from you when you initiate the call.
- Voice audio in transit – for Translated Calls only, the called party's voice is processed in real time by our AI translation sub-processors (see §6 and §6.1). Voice audio is not recorded or stored by us.
- Disclosure outcome metadata – whether the AI-translation disclosure WAV was successfully announced to them, in which language, and at what time (see §3.4 above).
Legal basis (GDPR Art. 6(1)): our processing of called-party data is based on the legitimate interest (Art. 6(1)(f)) of the calling User in placing the call and complying with disclosure requirements, balanced against the called party's interests through the synthetic-voice disclosure played in their language and the absence of audio retention.
Notice obligations (GDPR Art. 14): the AI-voice disclosure WAV announced to the called party at the start of a Translated Call is one element of our notice; this Privacy Policy is the corresponding written notice. Called parties may exercise their GDPR rights (access, rectification, erasure, restriction, objection) by contacting support@parlacall.com.
Right to object: a called party who objects to AI translation may end the call at any time; AI translation will cease automatically when either party hangs up.
4. Legal Bases for Processing
We process your personal data based on the following legal grounds under GDPR Article 6(1):
| Purpose | Legal Basis | GDPR Article |
|---|---|---|
| Account creation and authentication | Performance of contract | Art. 6(1)(b) |
| Processing payments and maintaining wallet | Performance of contract | Art. 6(1)(b) |
| Routing calls and providing the calling service | Performance of contract | Art. 6(1)(b) |
| Caller ID verification via SMS | Performance of contract | Art. 6(1)(b) |
| Sending transactional emails (receipts, alerts) | Performance of contract | Art. 6(1)(b) |
| Fraud prevention and abuse detection | Legitimate interest | Art. 6(1)(f) |
| Session security (IP logging, rate limiting) | Legitimate interest | Art. 6(1)(f) |
| Error tracking and service stability (PostHog Error Tracking) | Legitimate interest | Art. 6(1)(f) |
| Product analytics (PostHog) | Consent | Art. 6(1)(a) |
| Retaining financial records (ledger, transactions) | Legal obligation | Art. 6(1)(c) |
| Responding to law enforcement requests | Legal obligation | Art. 6(1)(c) |
Legitimate interest balancing: Where we rely on legitimate interest, we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. The data processed under legitimate interest is limited to what is strictly necessary for the stated purpose, is not used for profiling or automated decision-making, and is protected by appropriate technical safeguards.
5. How We Use Your Data
We use your personal data to:
- Provide the Service – create and manage your account, process payments, route calls, enable AI translation, and verify caller IDs.
- Bill accurately – calculate call costs, maintain wallet balances, and generate transaction records.
- Communicate with you – send transactional emails related to your account (purchase confirmations, balance alerts, security notifications).
- Maintain security – detect and prevent fraud, abuse, and unauthorized access through session monitoring, rate limiting, and CAPTCHA verification.
- Fix technical issues – identify and resolve software bugs using error tracking data.
- Improve the Service – analyze pseudonymized usage patterns (with your consent) to improve features, call quality, and user experience.
- Comply with legal obligations – maintain financial records as required by Polish tax law and respond to lawful requests from authorities.
- Region-aware consent behavior – in opt-in jurisdictions, we show a consent notice unless Global Privacy Control is active; when GPC is active, optional analytics and marketing remain disabled.
We do NOT:
- Sell your personal data to third parties.
- Run advertising or ad-targeting processing without marketing consent and active runtime switches.
- Use your data for automated decision-making or profiling that produces legal effects.
- Send you marketing emails or newsletters.
6. Data Sharing and Sub-processors
We use a range of third-party sub-processors to deliver the Service and process user data. Each sub-processor is contractually bound to process your data only as instructed by us, to implement appropriate security measures, and to delete or return your data upon termination of the processing relationship. The categories of personal data each sub-processor may access correspond to the data described in Section 3 that is relevant to their purpose.
Our Sub-Processors List may be amended from time to time.
| Entity Name | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing | United States |
| Telnyx LLC | PSTN telecommunications and SMS one-time-passwords for caller-ID verification | United States |
| Daily, Inc. (Pipecat Cloud) | AI-translation orchestration agent | United States |
| Daily, Inc. (Daily.co) | Browser WebRTC call infrastructure | United States |
| Google LLC (Gemini) | AI translation model (paid tier; configured to exclude training-data use under Google's paid-tier API terms) | United States |
| PostHog, Inc. | Product analytics, error tracking, session replay | United States |
| Google LLC | Analytics, advertising measurement, conversion reporting | United States |
| Meta Platforms, Inc. | Advertising measurement, Meta Pixel, Conversions API | United States |
| Neon, Inc. | Database hosting | United States |
| Vercel, Inc. | Application hosting | United States |
| Resend, Inc. | Transactional email delivery | United States |
| Google LLC | Authentication (OAuth) | United States |
| Cloudflare, Inc. | CAPTCHA, bot protection, edge security cookies | United States |
We do not share your data with unlisted third parties. We do not sell your data to advertisers or data brokers, and advertising providers receive only the consent-gated measurement data described above.
6.1 Voice audio handling for AI translation
For Translated Calls, your voice audio passes through three sub-processors in real time:
- Daily, Inc. (Daily.co) – receives your microphone audio over WebRTC and forwards it to our AI translation infrastructure. Daily processes audio in transit only.
- Daily, Inc. (Pipecat Cloud) – runs the orchestration agent that connects your audio to the AI translation model. Pipecat processes audio in transit only.
- Google LLC (Gemini Live) – performs real-time speech-to-speech translation. Audio is processed in real time. We use the paid Gemini API tier, under which Google's published terms commit that customer audio is not used to train Google's models. Google's full data handling for the Gemini API is governed by their published terms and our processing agreement.
We do not record, transcribe, or persist any voice audio on our own infrastructure. Each sub-processor's retention of audio in transit is governed by their respective terms.
6.2 Sub-processor list and updates
We do not share your data with unlisted third parties. We do not sell your data to advertisers or data brokers.
7. International Data Transfers
Your personal data is transferred to sub-processors and infrastructure providers located in the United States. These transfers are protected by:
- EU Standard Contractual Clauses (SCCs) – as adopted by the European Commission (Decision 2021/914). Each sub-processor has executed SCCs with us or maintains SCCs in their standard terms.
- EU-U.S. Data Privacy Framework (DPF) – where applicable, certain sub-processors and infrastructure providers are certified under the DPF.
- Supplementary measures – including encryption in transit (TLS 1.2+), encryption at rest, access controls, and contractual obligations for data protection.
You may request copies of the applicable SCCs by contacting support@parlacall.com.
8. Data Retention
We retain your personal data only for as long as necessary for the purposes described in this Privacy Policy, or as required by law:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data (name, email) | Duration of account + 30 days after deletion | Service provision, account recovery grace period |
| Session data (IP, user agent) | 7 days (auto-expiry) | Security, abuse prevention |
| Email verification codes | 1 hour (auto-expiry) | One-time verification |
| Payment and ledger data | Duration of account + 5 years | Polish tax law (Ordynacja podatkowa) requires retention of financial records for 5 years after the end of the tax year |
| Call records | Duration of account + 5 years | Billing disputes, financial records |
| Caller ID verification data | Duration of account | Service feature |
| OTP code hashes | Duration of verification attempt | Security |
| Analytics data (PostHog) | Per PostHog retention settings (configurable, typically 1 year) | Service improvement |
| Error tracking + session replay data (PostHog) | Per PostHog retention settings (typically 1 year) | Bug resolution |
| Notification records | Duration of account | Audit trail |
When your account is deleted, we cascade-delete all associated data (sessions, wallet, call records, verified numbers, notifications) except:
- Financial records (ledger entries, transaction references) – retained for the legally required period.
- Admin audit trail entries – retained for compliance purposes (do not contain user PII beyond user ID).
9. Your Rights Under GDPR
If you are located in the European Union or European Economic Area, you have the following rights regarding your personal data under GDPR Articles 15-22:
9.1 Right of Access (Art. 15)
You have the right to obtain confirmation of whether we process your personal data and, if so, to access that data along with information about how it is processed.
9.2 Right to Rectification (Art. 16)
You have the right to have inaccurate personal data corrected and incomplete data completed.
9.3 Right to Erasure (Art. 17)
You have the right to request the deletion of your personal data where:
- The data is no longer necessary for the purpose for which it was collected.
- You withdraw consent (for consent-based processing) and there is no other legal basis.
- You object to processing and there are no overriding legitimate grounds.
- The data has been unlawfully processed.
What we delete on erasure: account data (name, email, profile image, normalized email, OAuth tokens), session data, caller-ID verification data, notifications log, analytics records, and error / session-replay data attributable to you.
What we retain after erasure (and why): ledger entries, transaction references, invoice records, and the minimal user identifier required to attribute them to you, for 5 years from the end of the relevant tax year, under Art. 86 §1 of the Polish Ordynacja podatkowa and Art. 74 of the Ustawa o rachunkowości. Telecommunications-secrecy obligations (§13) may also require retention of limited call metadata for the period set by applicable law.
When you exercise your right to erasure, we will confirm to you what was deleted and what was retained, the legal basis for the retention, and the date by which the retained records become eligible for deletion.
9.4 Right to Restriction of Processing (Art. 18)
You have the right to request restriction of processing in certain circumstances, including when you contest the accuracy of your data or have objected to processing.
9.5 Right to Data Portability (Art. 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON), and to transmit it to another controller, where processing is based on consent or contract and is carried out by automated means.
9.6 Right to Object (Art. 21)
You have the right to object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is for the establishment, exercise, or defense of legal claims.
9.7 Right to Withdraw Consent (Art. 7(3))
Where processing is based on your consent (analytics), you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. You can withdraw analytics consent by declining cookies via our consent mechanism.
9.8 Right to Lodge a Complaint
You have the right to lodge a complaint with a supervisory authority. The supervisory authority in Poland is:
Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, Poland. Website: https://uodo.gov.pl/ Email: kancelaria@uodo.gov.pl
You may also lodge a complaint with the supervisory authority of the EU member state in which you reside or work.
9.9 How to Exercise Your Rights
To exercise any of the above rights, please contact us at:
Email: support@parlacall.com
We will respond to your request within 30 days of receipt. If your request is complex or we receive numerous requests, we may extend this period by a further 60 days, in which case we will inform you of the extension within the initial 30-day period.
We may ask you to verify your identity before processing your request. We will not charge a fee for exercising your rights, except where requests are manifestly unfounded or excessive (in which case we may charge a reasonable fee or refuse the request, with explanation).
10. Cookies and Local Storage
We use cookies and browser local storage on the Website. For full details, including the specific technologies used, their purposes, and how to manage your preferences, please refer to our Cookie Policy.
Summary: We use strictly necessary cookies (authentication, CSRF protection, consent preference storage) that do not require consent, analytics technologies that require consent where applicable, and marketing technologies only when marketing consent is enabled. You can manage optional categories from "Manage cookies" in the footer.
11. Children's Privacy
The Service is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at support@parlacall.com. If we become aware that we have collected personal data from a child under 16 without verification of parental consent, we will take steps to delete that information promptly.
12. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption in transit – all data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security).
- Password hashing – passwords are stored using bcrypt hashing (never in plaintext).
- OTP hashing – verification codes are stored as bcrypt hashes, not plaintext.
- PII guards – automated static analysis tests prevent personal identifiers (email, phone) from being sent to analytics services.
- Rate limiting – IP-based rate limiting on authentication and verification endpoints to prevent brute-force attacks.
- CAPTCHA – Cloudflare Turnstile CAPTCHA on authentication endpoints to prevent automated abuse.
- Abuse detection – disposable email detection and normalized email deduplication to prevent multi-account fraud.
- Access controls – administrative actions are logged with audit trails including the reason for each action.
- Payment security – payment card details are handled exclusively by Stripe (PCI DSS Level 1) and never touch our servers.
While we strive to use commercially acceptable means to protect your personal data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.
13. Telecommunications Secrecy (Tajemnica telekomunikacyjna)
As a registered telecommunications operator in Poland, we are bound by the obligation of telecommunications secrecy (tajemnica telekomunikacyjna) under the Prawo komunikacji elektronicznej. This obligation covers:
- The content of communications transmitted through the Service.
- Call metadata (destination numbers, call duration, timestamps).
- Location data (if any).
- Attempts to establish connections.
We may only disclose information covered by telecommunications secrecy in circumstances expressly permitted by law, including lawful requests from courts, prosecutors, and authorized state authorities in accordance with applicable Polish legislation.
This obligation is in addition to, and does not replace, our obligations under GDPR as described in this Privacy Policy.
14. Automated Decision-Making
We do not use your personal data for automated individual decision-making, including profiling, that produces legal effects or similarly significantly affects you (GDPR Article 22).
The following automated processes are used but do not constitute automated decision-making under Article 22:
- Fraud prevention – automated checks during account creation (disposable email detection, duplicate detection) that may block registration. These are security measures, not profiling. Blocked users can contact us for manual review.
- Rate limiting – automated rate limiting based on IP address to prevent abuse. This is a security measure applied uniformly to all users.
15. Do Not Sell My Personal Information
We do not sell your personal information. We have never sold personal information and have no plans to do so. This applies regardless of your jurisdiction.
16. Complaints Procedure (Procedura reklamacyjna)
If you believe we have processed your personal data incorrectly, or you wish to file a complaint about data protection:
- Submit a complaint to support@parlacall.com with a description of the issue.
- We will acknowledge receipt within 14 days.
- We will resolve your complaint within 30 days of receipt. If we cannot resolve it within 30 days, we will inform you of the reason for the delay and the expected resolution date.
- If you are not satisfied with our response, you may escalate your complaint to:
  - UODO (Urząd Ochrony Danych Osobowych) for data protection matters.
  - UKE (Urząd Komunikacji Elektronicznej) for telecommunications secrecy and service-related matters.
For service-related complaints (billing disputes, call quality), please refer to the Complaints Procedure in our Terms of Service.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:
- We will update the "Last updated" date at the top of this page.
- We will notify registered users via email at the address associated with their account.
- We will post a notice on the Website.
We encourage you to review this Privacy Policy periodically. If changes affect processing based on consent, we will seek renewed consent where required. If changes affect processing based on other legal bases, the updated policy applies to processing from the effective date onward.
18. Contact Us
If you have questions about this Privacy Policy, want to exercise your data protection rights, or have a complaint about how we handle your personal data, please contact us:
Data Controller: Oleksii Ianchuk, ul. Prochowa 9/21, 31-532 Kraków, Poland
Privacy inquiries: support@parlacall.com General inquiries: support@parlacall.com