Looking for regulatory claims instead?
This page is about how data moves. For the standards view — what we directly comply with and what we don't — see the companion page.
How the data actually flows. This page is the mechanics — call flow, encryption, retention schedule, deletion scripts, sub-processors — aimed at security engineers and IT admins doing implementation review. For the standards view (PIPEDA, Law 25, CASL, certifications), see the Compliance page.
This page is about how data moves. For the standards view — what we directly comply with and what we don't — see the companion page.
When someone calls a business using our AI receptionist, this is the path the audio and data take. Nothing is persisted on our server beyond live call state; permanent storage happens at the Airtable step.
Key point: Your call audio is streamed in real time and is not permanently stored on our server. If call recording is enabled for a tenant, the recording is stored by Twilio and automatically deleted after 90 days.
/opt/secrets/secrets.enc.yaml) is encrypted with SOPS + age. Plaintext never touches disk — the file is decrypted in memory at service start.chmod 600). Secrets never written to logs, never passed on command lines, never committed to code.Retention is enforced by automated scripts that run weekly. Not aspirational — they run in production and can be audited via --dry-run.
| Data Type | Retention | What Happens After | How Enforced |
|---|---|---|---|
| Call transcripts | 90 days | Permanently deleted | Weekly cron → data_retention.py purges rows older than 90 days |
| Call recordings (audio) | 90 days | Deleted from Twilio via API; reference cleared on our side | Weekly cron deletes Twilio recording SIDs older than 90 days |
| Call logs & metadata | 12 months | Caller phone number replaced with REDACTED; the de-identified record is retained for analytics | Weekly cron anonymizes records older than 12 months |
| Appointments | 12 months after completion | Deleted | Same weekly retention job |
| AI call summaries | Retained | No direct identifiers; used for operational analytics | Not enforced by retention script (no PII) |
| n8n workflow execution data | 90 days | Purged from the database | n8n built-in purge setting + weekly cron backup |
| Billing records (invoices) | 6 years | Retained per Canada Revenue Agency tax law | Stripe retention aligned with Canadian record-keeping obligations |
Concrete jobs that enforce the retention schedule above:
data_retention.py, Sunday 03:30 UTC) — transcripts older than 90 days permanently deleted. AI-generated summaries (no direct identifiers) are retained.ANONYMIZED. Aggregate statistics remain.All retention jobs support --dry-run — you can see exactly which rows would be affected without executing.
Data is deleted automatically on the per-data-type schedule above, measured from each record's own date — for example, a call transcript 90 days after the call, an appointment 12 months after its date, workflow execution data 90 days after it runs, a caller phone number anonymized 12 months after the call. Automated retention jobs run on a weekly schedule and can be audited via dry-run. Deletion is by data type and record age, and applies regardless of whether an account is active, cancelled, suspended, or disabled.
When a business client cancels, a full refund is issued, a chargeback is filed, a trial expires without converting, or an agency partner's account is cancelled, future billing stops and access to the Service is disabled. New data stops being collected; data already collected is retained and then deleted under the schedule above — it is not separately erased at the moment of disable. Partial refunds and goodwill credits do not disable service. Billing records and the timestamped, versioned logs of your acceptance of our Terms are retained for the minimum legal period stated above (six years) regardless of account status.
The automated retention jobs log their actions (timestamps and record counts) to server logs, kept separately from the data being deleted, so deletion events remain verifiable.
If an individual caller (not a business client) requests deletion of their data, submit a request via our privacy request form. We verify the request by email, then locate and delete all records associated with your phone number within 30 days.
Third-party services that process data as part of service delivery. Data they see and their own compliance posture:
| Provider | Purpose | Data Shared | Certifications |
|---|---|---|---|
| Twilio | Call routing, telephony, SMS | Phone numbers, call audio, SMS content | SOC 2 Type II, ISO 27001, Canadian PoPs |
| Anthropic | AI conversation processing (Claude) | Call transcripts (real-time, streamed) | Zero-retention API, SOC 2 Type II |
| Airtable | Business data storage | Call records, appointments, client profiles | SOC 2 Type II, AES-256 at rest |
| Stripe | Payments & subscriptions | Billing name, email; card data tokenized | PCI-DSS Level 1 |
| Hostinger | VPS hosting, transactional email | Server processes; outbound email bodies | ISO 27001 |
Self-hosted (not a sub-processor): Redis runs on our own Canadian VPS as an in-memory cache for temporary call state. Data auto-expires; nothing persists to disk.
chmod 600 (owner-only access).Automated backups protect against data loss. Stored locally on our Canadian infrastructure — no cross-border transfer.
| What | Frequency | Retention | Integrity |
|---|---|---|---|
| Application database (PostgreSQL) | Every 6 hours | 14 days rolling | pg_dump with checksum verification |
| Business data (Airtable) | Daily | 30 days rolling | Full table export with pagination |
| Full system DR backup | Daily | 7 days rolling | Includes /opt data and configuration |
| Off-site git backup | Daily | Indefinite (version-controlled) | Code + configuration templates only; no secrets, no customer data |