18,742voicemails landed today
the call guy
Draft — pending legal review. This document was generated from current best-practice templates for a US + Canadian SaaS targeting auto dealerships. It is not legal advice. We will commission a licensed business attorney's review before onboarding the first paying dealership.

Data Processing Addendum

Effective date: May 17, 2026

This Data Processing Addendum (the "DPA") supplements the Terms of Service between The Call Guy ("we", "Processor") and the Subscriber ("you", "Controller") and governs our processing of Personal Data on your behalf when you use the platform. It is effective upon your acceptance of the Terms of Service.

1. Definitions

Terms used here have the meanings given in the General Data Protection Regulation (Regulation (EU) 2016/679), the UK GDPR, the California Consumer Privacy Act, and the Canadian Personal Information Protection and Electronic Documents Act, as applicable.

2. Roles

You act as the Controller of Personal Data you upload to the platform (including contact phone numbers and consent records). We act as the Processor, processing Personal Data only on your documented instructions as set out in the Terms and your configured campaigns.

3. Subject matter and duration

The subject matter is the operation of the platform: storing contact records, scrubbing against the federal Do Not Call Registry, generating synthetic voicemail audio, dispatching drops via downstream carriers, recording delivery outcomes, and handling opt-outs. The duration is the term of the Subscriber's subscription plus the retention periods described in our Privacy Policy.

4. Nature and purpose of processing

The processing is automated (database storage, API calls to sub-processors, scheduled cron-driven workers). Its purpose is to deliver ringless voicemail campaigns the Subscriber initiates.

5. Types of Personal Data and categories of data subjects

Personal Data: contact phone numbers, contact names, contact email addresses, time zones, consent metadata, audio samples of the Subscriber's chosen voice, delivery status records, and opt-out events.

Data subjects: the Subscriber's customers and prospects, the Subscriber's employees (where they use the dashboard), and the Subscriber's voice talent (where applicable).

6. Sub-processors

You authorize the sub-processors listed in our Privacy Policy. We will notify you (by email to workspace administrators) at least 14 days before engaging a new sub-processor that processes contact Personal Data, and you may object on reasonable data-protection grounds.

7. Security measures

  • TLS 1.2+ for all data in transit.
  • Encryption at rest via Neon (database), Vercel Blob (audio), and Stripe (billing).
  • Per-tenant unguessable tokens on all webhook endpoints.
  • Bcrypt password hashing for Subscriber and user accounts.
  • Role-based access control inside the dashboard.
  • Audit logging of consent events and opt-out events.
  • Annual review of sub-processor security posture.

8. Personnel

Personnel with access to Personal Data are bound by confidentiality obligations and are limited to those with a need-to-know basis to operate or support the platform.

9. Data subject rights

We will assist you, by appropriate technical and organizational measures, in fulfilling your obligation to respond to data subject requests. For requests we receive directly that relate to your workspace's contact data, we will forward them to your account administrator within 5 business days.

10. Personal Data breach notification

We will notify you of any confirmed Personal Data breach affecting your workspace's data without undue delay and in any event within 72 hours of becoming aware. Our notice will describe the nature of the breach, the categories and approximate number of data subjects affected, likely consequences, and the measures taken or proposed to address it.

11. Audits

On reasonable written notice (no more than once per 12 months unless triggered by a confirmed incident), and subject to confidentiality, we will provide reasonable information necessary to demonstrate compliance with this DPA, including security policies, sub-processor lists, and responses to a standard security questionnaire.

12. International transfers

Where Personal Data is transferred from the EEA, UK, or Switzerland to the United States or another jurisdiction without an adequacy decision, the transfer is governed by the Standard Contractual Clauses (Module Two) issued by the European Commission, incorporated by reference, with the parties' names, descriptions, and addresses populated from the Terms and from this DPA.

13. Return or deletion

On termination of the Subscriber's account, we will delete Personal Data within 90 days unless retention is required by law (e.g. billing records). Suppression-list entries will be retained indefinitely to honor opt-outs.

14. Order of precedence

In the event of any conflict between this DPA and the Terms of Service with respect to the processing of Personal Data, this DPA prevails.

15. Contact

DPA questions: cohenbell23@gmail.com.

Questions? Contact us — see also our Terms, Privacy Policy, and Data Processing Addendum.