Technical Walkthrough

Data Handling Guide.

How the data actually flows. This page is the mechanics — call flow, encryption, retention schedule, deletion scripts, sub-processors — aimed at security engineers and IT admins doing implementation review. For the standards view (PIPEDA, Law 25, CASL, certifications), see the Compliance page.

Last updated: April 22, 2026
Canadian hosted
Zero cross-border transfer

Looking for regulatory claims instead?

This page is about how data moves. For the standards view — what we directly comply with and what we don't — see the companion page.

Compliance at a Glance →

1. How a call flows through our system

When someone calls a business using our AI receptionist, this is the path the audio and data take. Nothing is persisted on our server beyond live call state; permanent storage happens at the Airtable step.

Caller dials business Twilio (Canadian PoP) Voice Agent (Canadian VPS) Claude AI (zero-retention) Airtable (record)

Key point: Your call audio is streamed in real time and is not permanently stored on our server. If call recording is enabled for a tenant, the recording is stored by Twilio and automatically deleted after 90 days.

2. Encryption & security

In transit

At rest

Canadian hosting

3. Data retention schedule

Retention is enforced by automated scripts that run weekly. Not aspirational — they run in production and can be audited via --dry-run.

Data TypeRetentionWhat Happens AfterHow Enforced
Call transcripts90 daysPermanently deletedWeekly cron → data_retention.py purges rows older than 90 days
Call recordings (audio)90 daysDeleted from Twilio via API; reference cleared on our sideWeekly cron deletes Twilio recording SIDs older than 90 days
Call logs & metadata12 monthsCaller phone number replaced with REDACTED; the de-identified record is retained for analyticsWeekly cron anonymizes records older than 12 months
Appointments12 months after completionDeletedSame weekly retention job
AI call summariesRetainedNo direct identifiers; used for operational analyticsNot enforced by retention script (no PII)
n8n workflow execution data90 daysPurged from the databasen8n built-in purge setting + weekly cron backup
Billing records (invoices)6 yearsRetained per Canada Revenue Agency tax lawStripe retention aligned with Canadian record-keeping obligations

4. Automated data lifecycle

Concrete jobs that enforce the retention schedule above:

All retention jobs support --dry-run — you can see exactly which rows would be affected without executing.

5. Right to erasure — deletion mechanics

How data is deleted

Data is deleted automatically on the per-data-type schedule above, measured from each record's own date — for example, a call transcript 90 days after the call, an appointment 12 months after its date, workflow execution data 90 days after it runs, a caller phone number anonymized 12 months after the call. Automated retention jobs run on a weekly schedule and can be audited via dry-run. Deletion is by data type and record age, and applies regardless of whether an account is active, cancelled, suspended, or disabled.

Cancellation, refunds, and disputes

When a business client cancels, a full refund is issued, a chargeback is filed, a trial expires without converting, or an agency partner's account is cancelled, future billing stops and access to the Service is disabled. New data stops being collected; data already collected is retained and then deleted under the schedule above — it is not separately erased at the moment of disable. Partial refunds and goodwill credits do not disable service. Billing records and the timestamped, versioned logs of your acceptance of our Terms are retained for the minimum legal period stated above (six years) regardless of account status.

Audit trail

The automated retention jobs log their actions (timestamps and record counts) to server logs, kept separately from the data being deleted, so deletion events remain verifiable.

Individual caller requests

If an individual caller (not a business client) requests deletion of their data, submit a request via our privacy request form. We verify the request by email, then locate and delete all records associated with your phone number within 30 days.

6. Sub-processors

Third-party services that process data as part of service delivery. Data they see and their own compliance posture:

ProviderPurposeData SharedCertifications
TwilioCall routing, telephony, SMSPhone numbers, call audio, SMS contentSOC 2 Type II, ISO 27001, Canadian PoPs
AnthropicAI conversation processing (Claude)Call transcripts (real-time, streamed)Zero-retention API, SOC 2 Type II
AirtableBusiness data storageCall records, appointments, client profilesSOC 2 Type II, AES-256 at rest
StripePayments & subscriptionsBilling name, email; card data tokenizedPCI-DSS Level 1
HostingerVPS hosting, transactional emailServer processes; outbound email bodiesISO 27001

Self-hosted (not a sub-processor): Redis runs on our own Canadian VPS as an in-memory cache for temporary call state. Data auto-expires; nothing persists to disk.

7. Per-tenant isolation

8. Access controls

9. Backups

Automated backups protect against data loss. Stored locally on our Canadian infrastructure — no cross-border transfer.

WhatFrequencyRetentionIntegrity
Application database (PostgreSQL)Every 6 hours14 days rollingpg_dump with checksum verification
Business data (Airtable)Daily30 days rollingFull table export with pagination
Full system DR backupDaily7 days rollingIncludes /opt data and configuration
Off-site git backupDailyIndefinite (version-controlled)Code + configuration templates only; no secrets, no customer data
Submit a privacy question →