Privacy Policy

Effective: February 18, 2026

1. Introduction

This Privacy Policy describes how 95percent.ai ("we", "us") handles data when you use the Butt-Dial communication platform ("Service"). We are committed to privacy-first design.

2. Data We Collect

2.1 Account Data

When you register: email address, organization name, and hashed password. We do not store plaintext passwords.

2.2 Communication Metadata

For each communication routed through the Service, we store routing metadata:

• Sender and recipient identifiers (phone numbers, email addresses)
• Timestamp, channel type, message direction
• Delivery status and provider response codes

2.3 What We Do NOT Store by Default

• Message bodies or content
• Voice call audio or transcripts
• Media files or attachments
• AI agent prompts or responses

Body storage is opt-in and encrypted when enabled. You control data retention periods.

2.4 Usage Data

Per-agent action counts, cost tracking, rate limit counters. Used for billing and abuse prevention.

2.5 Provider Credentials

Third-party API keys you configure are encrypted at rest using AES-256-GCM. We cannot read them in plaintext.

3. How We Use Data

• Route communications to the correct recipients
• Enforce rate limits and spending caps
• Maintain audit trails for compliance
• Detect and prevent abuse
• Generate usage reports and billing

4. Data Sharing

We do not sell or share your data with third parties, except:

• Communication providers: We transmit message content to providers (Twilio, Vonage, Resend) you configure, as necessary to deliver your communications. We do not control how these providers handle your data — refer to their respective privacy policies
• AI model providers: Voice call transcriptions may be processed by AI model providers (such as Anthropic) for generating conversational responses. These providers process data according to their own privacy policies and data handling agreements
• Legal requirements: When required by law, subpoena, or court order
• Safety: To prevent imminent harm or illegal activity

Provider Disclaimer: The platform passes data to third-party providers you configure. Each provider has its own terms of service and privacy policy. We recommend reviewing: Twilio ToS, Resend ToS, and the terms of any other provider you configure.

5. AI Processing

The Service uses AI for voice call conversations and optional features. You should be aware:

• Voice Transcriptions: Voice call audio is transcribed in real-time and may be processed by AI model providers to generate conversational responses
• Data Controller: For the purposes of data protection law, you (the platform user) are the data controller. The platform operator is the data processor. You determine the purposes and means of processing personal data through the platform
• AI Model Training: We do not use your communication data to train AI models. However, third-party AI providers may have their own data handling policies
• Opt-out: You may disable AI features and use the platform purely as communication infrastructure

6. Data Security

• All API tokens hashed with SHA-256 before storage
• Provider credentials encrypted with AES-256-GCM
• Passwords hashed with PBKDF2-SHA512 (100k iterations)
• Tamper-evident audit log with SHA-256 hash chain
• No PII in application logs

7. Data Retention

Default retention periods:

• Communication metadata: 90 days (configurable)
• Usage logs: 365 days
• Audit logs: Indefinite (compliance requirement)
• Account data: Until account deletion

Self-hosted deployments control their own retention. SaaS retention follows published schedules.

8. Your Rights

8.1 GDPR Rights (EU Residents)

• Access: Request a copy of your data
• Rectification: Correct inaccurate data
• Erasure: Request deletion of your data (right to be forgotten)
• Portability: Receive your data in a structured format
• Objection: Object to processing of your data

The Service includes a built-in GDPR erasure tool that deletes data across all tables by identifier.

8.2 CCPA Rights (California Residents)

• Right to know what data we collect
• Right to delete your data
• Right to opt out of data sales (we do not sell data)
• Right to non-discrimination for exercising privacy rights

9. Self-Hosted Deployments

If you use the Community or Enterprise edition (self-hosted), your data stays on your infrastructure. We have no access to it. This Privacy Policy applies only to data we process — for self-hosted deployments, that is limited to support interactions and account data (if any).

10. Children's Privacy

The Service is not directed to children under 18. We do not knowingly collect data from minors.

11. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email or in-service notification.

12. Contact

For privacy inquiries or to exercise your rights: privacy@95percent.ai.

Data Protection Officer: dpo@95percent.ai