pivex.aiSign in →

Privacy Policy

Effective May 4, 2026 · Last updated May 4, 2026

At a glance

pivex.ai is a phone receptionist that answers calls for your business. To do that, we record and transcribe inbound calls and store the metadata required to run the service. We don’t sell your data, we don’t use it to train third-party AI models on your behalf, and you control how long recordings are kept. The rest of this policy is the long version.

1.Who we are

pivex.ai (“pivex.ai,” “we,” “us”) operates the pivex.ai AI phone receptionist platform available at pivex.ai. For privacy questions, contact us at privacy@pivex.ai.

pivex.ai is a B2B service. The businesses that subscribe to pivex.ai (“Customers”) are typically the controllers of personal data relating to the people who call them (“Callers”). pivex.ai generally acts as the processor of that data on the Customer’s behalf. For Customer account data (the people who sign in to manage an organization), pivex.ai is the controller.

2.Scope of this policy

This policy describes how we handle personal data in connection with the pivex.ai platform, including the marketing site, the authenticated dashboard, the inbound voice receptionist, and any email pivex.ai sends on a Customer’s behalf.

It does notcover the privacy practices of the businesses that use pivex.ai — when a Caller dials a pivex.ai-attended number, that business’s own privacy practices apply. Where pivex.ai acts as a processor for a Customer, our handling of Caller data is governed by our agreement with that Customer (see our Terms and our Data Processing Addendum, available on request).

3.What we collect

3.1 Customer account data

When you create or are invited to a pivex.ai organization, we collect:

  • Email address and (optionally) display name.
  • Organization name, slug, and plan tier.
  • Authentication metadata (sign-in timestamps, IP address, user-agent) for security and fraud prevention.
  • Billing contact details (company name, billing address, AP contact email) that we use to send invoices. Pivex.ai bills by invoice; when a Customer pays an invoice with a card or ACH-debit, payment is collected by Stripe and pivex.ai receives only the session ID and payment confirmation — we never see or store card numbers ourselves.

3.2 Caller data (calls answered by pivex.ai)

When a Caller reaches a pivex.ai-attended number, we process:

  • The Caller’s phone number (as provided by the carrier).
  • An audio recording of the call and a written transcript generated from it.
  • A structured AI-generated summary of the conversation — typically intent, key facts the Caller volunteered, and the outcome (booked / transferred / message / missed).
  • Booking details if the Caller scheduled a meeting (name, email, chosen time slot — collected by the Customer’s booking provider).
  • Call metadata: timestamps, duration, and routing decisions.

3.3 Telemetry

For the marketing site and dashboard we collect minimal telemetry — server logs, error reports, and aggregate usage counters. We don’t use third-party advertising or behavioural tracking cookies.

4.How we use your data

We use the data described above to:

  • Operate the receptionist — answer calls, generate transcripts, produce summaries, deliver bookings, and route urgent calls.
  • Provide the dashboard — show recent calls, transcripts, summaries, and reports to the Customer’s authorized members.
  • Maintain security — detect abuse, fraud, and unauthorised access.
  • Operate billing and provide customer support.
  • Comply with legal obligations and respond to lawful requests.

We do not sell personal data, share it for cross-context behavioural advertising, or use Customer call audio or transcripts to train general-purpose AI models. Inference providers we use to power the receptionist are bound by data-use terms that prohibit them from using our inputs to train their base models (see Section 7).

5.Lawful bases (EU / UK / Quebec)

For individuals in jurisdictions that require a lawful basis (EU GDPR, UK GDPR, Quebec Law 25), we rely on:

  • Performance of a contract — to provide the service to Customers and the dashboard to their members.
  • Legitimate interests— to secure the platform, prevent abuse, debug, and improve the service. Where a Caller calls a pivex.ai-attended number, our Customer typically relies on a similar legitimate-interests basis (or contract performance with the Caller) to process the call; we process on the Customer’s instructions.
  • Consent — where required by local law for call recording, the Customer is responsible for capturing it; pivex.ai additionally plays a notice at the start of each call (see Section 6).
  • Legal obligation — where we must process data to comply with the law.

6.Call recordings & two-party consent

U.S. state law on call recording varies. Some states require all parties to a call to consent to recording (commonly called “two-party consent” or “all-party consent” states). Other jurisdictions (EU, UK, Canada) impose their own notice and lawful-basis rules.

By default, pivex.ai plays an audible recording-and-AI notice at the start of every inbound call before the receptionist begins qualifying. Customers are responsible for confirming that this notice — together with any signage, on-website disclosures, or consents they collect — meets the requirements of their jurisdiction and industry.

If a Caller objects to being recorded, the receptionist will offer to transfer the call without recording where supported, or terminate the call. Customers can change recording behaviour in organization settings, subject to the limitations of the telephony stack.

7.Sharing & sub-processors

pivex.ai shares data only with the sub-processors required to run the service. We do not share personal data with anyone outside this list except (a) at your direction (for example, when a Caller’s booking is sent to your calendar provider), or (b) when required by law.

Sub-processorPurposeData category
Supabase, Inc.Database, authAccount, calls, transcripts, metadata
VapiVoice receptionist runtimeCall audio, transcripts, model I/O
Twilio Inc.Inbound telephonyPhone numbers, call routing
OpenAILLM inference (selected paths)Transcripts, summaries (no training)
AnthropicLLM inference (selected paths)Transcripts, summaries (no training)
Cloudflare R2Recording storage (object storage)Call audio (encrypted at rest)
Cal.comBooking handoffBooking metadata
ResendTransactional emailEmail addresses, message contents
StripeInvoice payment processing (when Customer pays online)Card details, billing email, session/payment IDs
NetlifyHosting and edge runtimeServer logs, request metadata

We update this list when sub-processors change. Material additions are announced to active Customers at least 30 days before they take effect, where reasonably practicable.

8.International data transfers

pivex.ai is operated from the United States. Sub-processors may store or process data in the U.S., the EU, or other locations depending on the service. For transfers out of the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (or the UK International Data Transfer Addendum) and assess each sub-processor’s safeguards.

9.Retention

Customer-controlled. Each organization sets its recording-retention window in Settings → Recording retention (30 days, 90 days, 1 year, or 7 years for regulated industries). Recordings older than that window are permanently deleted on a nightly schedule. Transcripts and AI summaries follow the same schedule unless the Customer asks otherwise in writing.

Account data.We keep the Customer’s account data for the life of the subscription plus a short period (typically 90 days) to allow account recovery. After deletion or cancellation we keep only the records we’re required to keep (for example, billing records under tax law).

Backups. Encrypted backups roll off on a fixed cadence (typically 30 days). Deletion requests propagate to backups as backups expire.

10.Security

We design pivex.ai around the following safeguards:

  • TLS 1.2+ for all network traffic.
  • Encryption at rest for the database and recording object storage.
  • Postgres row-level security for tenant isolation — one Customer’s rows are not readable by another Customer’s members or by an unauthenticated request.
  • Principle of least privilege for staff access; production access is logged and audited.
  • Vendor-managed authentication with rotating session tokens.

No system is perfectly secure. If you believe you’ve found a vulnerability in pivex.ai, email security@pivex.ai and give us a reasonable opportunity to remediate before disclosing.

11.Your rights

11.1 If you’re a Caller

The business you called is the controller of your data. Direct requests to access, correct, delete, port, restrict, or object to processing of your data to that business in the first instance. We’ll forward requests we receive directly and assist the Customer in responding.

11.2 If you’re a Customer member

You can update your account from the dashboard. To delete your account or your organization’s data, email privacy@pivex.ai. We respond to verifiable requests within 30 days (or shorter where the law requires).

11.3 California (CCPA / CPRA)

California residents have the right to know, delete, correct, and limit use of sensitive personal information, and to opt out of sale or sharing for cross-context behavioural advertising. pivex.ai does not sell or share personal data for behavioural advertising. We don’t use sensitive personal information for any purpose beyond the operation of the service.

11.4 EEA, UK, Switzerland

You may lodge a complaint with your local supervisory authority if you believe our processing infringes data protection law. We’d appreciate the chance to address concerns first — write to us at privacy@pivex.ai.

12.Children

pivex.ai is a B2B service intended for businesses and people aged 18 or older. We don’t knowingly collect personal data from children. If a Caller is a minor and you’d like that data removed, contact us.

13.Cookies & local storage

We use a small number of cookies and local-storage entries to keep you signed in, remember whether you’ve dismissed the first-run wizard, and detect when a request actually has a session. We don’t use advertising cookies or third-party behavioural tracking.

15.Changes to this policy

We update this policy as the product evolves. Material changes will be communicated to active Customers by email at least 30 days before they take effect, where reasonably practicable. The “Last updated” date at the top of this page reflects the most recent revision.

16.How to contact us