Privacy Policy
Last updated: April 5, 2026
SipPulse Tecnologia Ltda. ("SipPulse", "we", "us") operates the AITRUNK platform. This Privacy Policy explains what data we collect, how we use it, who we share it with, and your rights regarding your personal information.
We comply with the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados — LGPD, Law 13.709/2018) and applicable international privacy regulations.
1. Data We Collect
| Data Category | What | Why |
|---|
| Account data | Email, name, password hash, company name | Account creation and authentication |
| Billing data | Stripe customer ID, payment history, plan type | Processing payments, credit management |
| API keys | Hashed key values, key prefix, creation date | API authentication |
| Call metadata | Destination number, caller-ID, call type, duration, timestamp, status, credits consumed | Service delivery, billing, CDR generation |
| Context variables | JSON data passed via --context flag (names, amounts, dates) | Delivered to AI agents during calls |
| TTS text | Text content provided for text-to-speech calls | Audio generation and call delivery |
| Conversation transcripts | AI-generated transcripts of call conversations | Fraud detection, quality analysis, and agent improvements |
| Usage logs | API request timestamps, IP addresses, user agent | Security, rate limiting, abuse detection |
2. Data We Do NOT Collect
- Call audio recordings. We do not permanently store audio recordings of calls.
- Credit card numbers. All payment processing is handled by Stripe. We never see or store your card details.
- Recipient personal data. We process destination phone numbers for call routing only. We do not build profiles of call recipients.
3. Legal Basis for Processing (LGPD Art. 7)
- Contract performance (Art. 7, V) — Account data, call metadata, and billing data are necessary to provide the Service.
- Legitimate interest (Art. 7, IX) — Usage logs and fraud monitoring are necessary to maintain security and prevent abuse.
- Legal obligation (Art. 7, II) — We retain certain records as required by Brazilian telecommunications regulations and tax law.
- Consent (Art. 7, I) — For optional communications such as product updates and marketing emails. You can withdraw consent at any time.
4. How We Use Your Data
- Originating and routing telephone calls as instructed by your API requests.
- Generating Call Detail Records (CDRs) for billing and your reference.
- Processing credit purchases and managing your account balance.
- Detecting and preventing fraud, abuse, and policy violations.
- Monitoring service health and performance.
- Responding to support requests.
- Complying with legal obligations and law enforcement requests.
5. Context Variables and TTS Text
Context variables (JSON data passed via --context) and TTS text are transmitted to our systems for the sole purpose of delivering them to AI agents or generating speech audio. This data:
- Is transmitted encrypted (TLS) and encoded (base64) in SIP headers.
- Is stored in call records for a maximum of 90 days for debugging and dispute resolution.
- Is never used for advertising, profiling, or any purpose beyond call delivery.
- May contain personal data of third parties (e.g., debtor names). You are the data controller for this data and are responsible for ensuring you have a legal basis to process it.
6. Data Sharing
We share your data only with the following categories of recipients:
| Recipient | Data Shared | Purpose |
|---|
| Stripe | Email, payment details | Payment processing |
| Upstream carriers (AGil, others) | Caller-ID, destination number, SIP headers | Call routing and termination |
| SipPulse AI | Context variables, agent ID | AI agent conversation delivery |
| Law enforcement | Account data, call records, IP logs | Valid legal requests, court orders, fraud investigation |
We do not sell, rent, or trade your personal data to third parties for marketing purposes. Ever.
7. Data Retention
| Data Type | Retention Period |
|---|
| Account data | Duration of account + 5 years after deletion |
| Call metadata (CDRs) | 5 years (Brazilian telecom regulation) |
| Context variables and TTS text | 90 days |
| Conversation transcripts | 30 days |
| API request logs | 12 months |
| Billing records | 5 years (tax law) |
| Fraud investigation records | 10 years |
8. Data Security
- All data in transit is encrypted using TLS 1.2+.
- API keys are stored as salted hashes. We cannot recover your key — only you have the plaintext.
- Database access is restricted to authorized personnel only.
- Infrastructure is hosted on Oracle Cloud with network-level security controls.
- We conduct regular security reviews of our codebase and infrastructure.
9. Fraud Detection and Automated Monitoring
We use automated AI-based systems to monitor call patterns and detect potential fraud or abuse. These systems may:
- Analyze call frequency, destination patterns, and context variables.
- Examine conversation transcripts generated during AI agent calls to detect vishing, impersonation, scam patterns, threats, or other prohibited content. Transcripts are also used for quality analysis and to improve the performance of predefined AI agents. Transcripts are retained for 30 days and then permanently deleted. They are not shared with third parties except law enforcement when required.
- Flag accounts exhibiting behavior consistent with known fraud patterns (e.g., Wangiri, traffic pumping, vishing).
- Automatically suspend accounts pending human review when high-confidence fraud indicators are detected.
If your account is flagged or suspended, you may request a human review by contacting [email protected].
10. Your Rights (LGPD Art. 18)
As a data subject, you have the right to:
- Access — request a copy of your personal data we hold.
- Correction — request correction of inaccurate or incomplete data.
- Deletion — request deletion of your data, subject to legal retention requirements.
- Portability — receive your data in a structured, machine-readable format.
- Revocation of consent — withdraw consent for optional data processing at any time.
- Information — know which entities we share your data with.
- Opposition — object to processing based on legitimate interest.
To exercise any of these rights, contact our Data Protection Officer at [email protected]. We will respond within 15 business days.
11. International Data Transfers
Your data may be processed in servers located in Brazil (Oracle Cloud, São Paulo region). If data is transferred outside Brazil, we ensure adequate protection through standard contractual clauses or equivalent mechanisms as required by the LGPD.
12. Children
The Service is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from minors.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on the portal at least 30 days before taking effect.
14. Contact
Data Controller: SipPulse Tecnologia Ltda.
DPO: [email protected]
Abuse reports: [email protected]
General: [email protected]
SipPulse Tecnologia Ltda. CNPJ: 09.603.902/0001-97. Florianópolis, SC, Brazil.