Privacy Policy
Effective May 4, 2026 · Last updated May 4, 2026
At a glance
pivex.ai is a phone receptionist that answers calls for your business. To do that, we record and transcribe inbound calls and store the metadata required to run the service. We don’t sell your data, we don’t use it to train third-party AI models on your behalf, and you control how long recordings are kept. The rest of this policy is the long version.
1.Who we are
pivex.ai (“pivex.ai,” “we,” “us”) operates the pivex.ai AI phone receptionist platform available at pivex.ai. For privacy questions, contact us at privacy@pivex.ai.
pivex.ai is a B2B service. The businesses that subscribe to pivex.ai (“Customers”) are typically the controllers of personal data relating to the people who call them (“Callers”). pivex.ai generally acts as the processor of that data on the Customer’s behalf. For Customer account data (the people who sign in to manage an organization), pivex.ai is the controller.
2.Scope of this policy
This policy describes how we handle personal data in connection with the pivex.ai platform, including the marketing site, the authenticated dashboard, the inbound voice receptionist, and any email pivex.ai sends on a Customer’s behalf.
It does notcover the privacy practices of the businesses that use pivex.ai — when a Caller dials a pivex.ai-attended number, that business’s own privacy practices apply. Where pivex.ai acts as a processor for a Customer, our handling of Caller data is governed by our agreement with that Customer (see our Terms and our Data Processing Addendum, available on request).
3.What we collect
3.1 Customer account data
When you create or are invited to a pivex.ai organization, we collect:
- Email address and (optionally) display name.
- Organization name, slug, and plan tier.
- Authentication metadata (sign-in timestamps, IP address, user-agent) for security and fraud prevention.
- Billing contact details (company name, billing address, AP contact email) that we use to send invoices. Pivex.ai bills by invoice; when a Customer pays an invoice with a card or ACH-debit, payment is collected by Stripe and pivex.ai receives only the session ID and payment confirmation — we never see or store card numbers ourselves.
3.2 Caller data (calls answered by pivex.ai)
When a Caller reaches a pivex.ai-attended number, we process:
- The Caller’s phone number (as provided by the carrier).
- An audio recording of the call and a written transcript generated from it.
- A structured AI-generated summary of the conversation — typically intent, key facts the Caller volunteered, and the outcome (booked / transferred / message / missed).
- Booking details if the Caller scheduled a meeting (name, email, chosen time slot — collected by the Customer’s booking provider).
- Call metadata: timestamps, duration, and routing decisions.
3.3 Telemetry
For the marketing site and dashboard we collect minimal telemetry — server logs, error reports, and aggregate usage counters. We don’t use third-party advertising or behavioural tracking cookies.
4.How we use your data
We use the data described above to:
- Operate the receptionist — answer calls, generate transcripts, produce summaries, deliver bookings, and route urgent calls.
- Provide the dashboard — show recent calls, transcripts, summaries, and reports to the Customer’s authorized members.
- Maintain security — detect abuse, fraud, and unauthorised access.
- Operate billing and provide customer support.
- Comply with legal obligations and respond to lawful requests.
We do not sell personal data, share it for cross-context behavioural advertising, or use Customer call audio or transcripts to train general-purpose AI models. Inference providers we use to power the receptionist are bound by data-use terms that prohibit them from using our inputs to train their base models (see Section 7).
5.Lawful bases (EU / UK / Quebec)
For individuals in jurisdictions that require a lawful basis (EU GDPR, UK GDPR, Quebec Law 25), we rely on:
- Performance of a contract — to provide the service to Customers and the dashboard to their members.
- Legitimate interests— to secure the platform, prevent abuse, debug, and improve the service. Where a Caller calls a pivex.ai-attended number, our Customer typically relies on a similar legitimate-interests basis (or contract performance with the Caller) to process the call; we process on the Customer’s instructions.
- Consent — where required by local law for call recording, the Customer is responsible for capturing it; pivex.ai additionally plays a notice at the start of each call (see Section 6).
- Legal obligation — where we must process data to comply with the law.
6.Call recordings & two-party consent
U.S. state law on call recording varies. Some states require all parties to a call to consent to recording (commonly called “two-party consent” or “all-party consent” states). Other jurisdictions (EU, UK, Canada) impose their own notice and lawful-basis rules.
By default, pivex.ai plays an audible recording-and-AI notice at the start of every inbound call before the receptionist begins qualifying. Customers are responsible for confirming that this notice — together with any signage, on-website disclosures, or consents they collect — meets the requirements of their jurisdiction and industry.
If a Caller objects to being recorded, the receptionist will offer to transfer the call without recording where supported, or terminate the call. Customers can change recording behaviour in organization settings, subject to the limitations of the telephony stack.
8.International data transfers
pivex.ai is operated from the United States. Sub-processors may store or process data in the U.S., the EU, or other locations depending on the service. For transfers out of the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (or the UK International Data Transfer Addendum) and assess each sub-processor’s safeguards.
9.Retention
Customer-controlled. Each organization sets its recording-retention window in Settings → Recording retention (30 days, 90 days, 1 year, or 7 years for regulated industries). Recordings older than that window are permanently deleted on a nightly schedule. Transcripts and AI summaries follow the same schedule unless the Customer asks otherwise in writing.
Account data.We keep the Customer’s account data for the life of the subscription plus a short period (typically 90 days) to allow account recovery. After deletion or cancellation we keep only the records we’re required to keep (for example, billing records under tax law).
Backups. Encrypted backups roll off on a fixed cadence (typically 30 days). Deletion requests propagate to backups as backups expire.
10.Security
We design pivex.ai around the following safeguards:
- TLS 1.2+ for all network traffic.
- Encryption at rest for the database and recording object storage.
- Postgres row-level security for tenant isolation — one Customer’s rows are not readable by another Customer’s members or by an unauthenticated request.
- Principle of least privilege for staff access; production access is logged and audited.
- Vendor-managed authentication with rotating session tokens.
No system is perfectly secure. If you believe you’ve found a vulnerability in pivex.ai, email security@pivex.ai and give us a reasonable opportunity to remediate before disclosing.
11.Your rights
11.1 If you’re a Caller
The business you called is the controller of your data. Direct requests to access, correct, delete, port, restrict, or object to processing of your data to that business in the first instance. We’ll forward requests we receive directly and assist the Customer in responding.
11.2 If you’re a Customer member
You can update your account from the dashboard. To delete your account or your organization’s data, email privacy@pivex.ai. We respond to verifiable requests within 30 days (or shorter where the law requires).
11.3 California (CCPA / CPRA)
California residents have the right to know, delete, correct, and limit use of sensitive personal information, and to opt out of sale or sharing for cross-context behavioural advertising. pivex.ai does not sell or share personal data for behavioural advertising. We don’t use sensitive personal information for any purpose beyond the operation of the service.
11.4 EEA, UK, Switzerland
You may lodge a complaint with your local supervisory authority if you believe our processing infringes data protection law. We’d appreciate the chance to address concerns first — write to us at privacy@pivex.ai.
12.Children
pivex.ai is a B2B service intended for businesses and people aged 18 or older. We don’t knowingly collect personal data from children. If a Caller is a minor and you’d like that data removed, contact us.
14.Third-party links
The dashboard and our marketing pages occasionally link to third-party services (your booking provider, support tooling, etc.). Their privacy practices are governed by their own policies, not this one.
15.Changes to this policy
We update this policy as the product evolves. Material changes will be communicated to active Customers by email at least 30 days before they take effect, where reasonably practicable. The “Last updated” date at the top of this page reflects the most recent revision.
16.How to contact us
- Privacy: privacy@pivex.ai
- Security: security@pivex.ai
- General: hello@pivex.ai