Privacy Policy
Effective date: 8 May 2026 Last updated: 8 May 2026
This Privacy Policy explains how Criollo Cloud Ltd ("Criollo Cloud", "we", "us", "our") collects, uses, shares and protects personal data when you visit our websites, create an account, or use our products and services, including the Vibe Caller voice AI platform.
Vibe Caller is a trading name of Criollo Cloud Ltd. This policy applies to both criollocloud.com and vibecaller.app, and to any associated subdomains, applications, dashboards and APIs (together, the "Services").
Criollo Cloud Ltd is the data controller for personal data we collect about visitors to our websites, our customers, and prospective customers. When our customers use the Vibe Caller platform to handle calls with their own end-users, Criollo Cloud generally acts as a data processor on behalf of that customer (see "Our role in voice AI calls" below).
1. Who we are and how to contact us
Controller: Criollo Cloud Ltd, a company registered in England and Wales. Trading name covered by this policy: Vibe Caller. Company number: 16382009 ICO registration number: ZB980427
General contact: hello@criollocloud.com Privacy contact: privacy@criollocloud.com Vibe Caller support: support@vibecaller.app
If you have any questions about this policy or how we handle your personal data, please contact us using the details above.
2. Scope of this policy
This policy covers personal data we process in the following situations:
- when you browse criollocloud.com or vibecaller.app;
- when you create an account, sign up for a trial, or subscribe to any of our Services;
- when you communicate with us by email, chat, phone, social media or other channels;
- when you, or your organisation, configure and operate voice AI assistants on the Vibe Caller platform; and
- when you, as an end-user, interact with a voice AI assistant operated by one of our customers using Vibe Caller.
This policy does not apply to third-party websites, products or services we do not control, even where we link to them.
3. The personal data we collect
We collect different categories of personal data depending on how you interact with us.
3.1 Information you provide to us
- Account and identity data: name, job title, employer, email address, telephone number, username and password (passwords are stored in hashed form).
- Billing data: billing address, VAT or tax identifiers, the last four digits and brand of payment cards, and invoice history. Full payment card numbers are processed by our payment provider and never stored on our systems.
- Communications data: the content of emails, support tickets, chat messages, demo requests and other correspondence you send us.
- Marketing preferences: your choices about receiving marketing from us.
- Configuration data: the prompts, scripts, knowledge base content, contact lists, phone numbers and integrations you configure inside Vibe Caller.
3.2 Information we collect automatically
When you use our websites or the Vibe Caller dashboard, we may automatically collect:
- Device and connection data such as IP address, device identifiers, browser type and version, operating system and time zone;
- Usage data such as pages and features viewed, time spent, click-paths, referring URLs and error logs; and
- Cookies and similar technologies as described in section 11.
3.3 Voice AI service data
The Vibe Caller platform places, receives and handles telephone and voice-channel interactions on behalf of our customers. In the course of operating the Services, we and our sub-processors process:
- Call audio — recordings of inbound and outbound calls handled by Vibe Caller agents.
- Transcripts — text transcriptions generated from call audio by speech-to-text models.
- Call metadata — caller and called numbers, call direction, timestamps, duration, disposition, hang-up reason, and quality metrics.
- AI-derived data — summaries, classifications, sentiment, intent labels, structured data extractions, and other outputs generated by large language models.
- Function-call data — parameters and results from any tools, webhooks or integrations the assistant calls during a conversation (for example, CRM look-ups or appointment bookings).
- End-user identifiers — names, account numbers, order references, dates of birth or other identifiers that an end-user provides to the assistant during a call.
3.4 Information from third parties
We may receive information about you from:
- our customers (where you are an end-user calling them or being called by them);
- service providers who help us run our business (for example, our identity, payments and analytics providers);
- public sources such as Companies House, LinkedIn or your organisation's website, where we are carrying out due diligence or business development; and
- referral partners who introduce you to us.
4. Our role in voice AI calls
The Vibe Caller platform is a business-to-business service. Our customers (typically businesses, contact centres and agencies) configure voice AI assistants and use them to interact with their own end-users.
- Where we act as a controller: we are the controller for personal data about our customers' authorised users (account admins, agents, billing contacts), website visitors, prospects, and our own marketing and support records.
- Where we act as a processor: we are a processor for personal data contained in calls handled on behalf of a customer, including call audio, transcripts, AI-derived outputs and end-user identifiers shared during those calls. The customer is the controller of that data and is responsible for the lawful basis on which the call takes place, for any consents and notices required, and for setting retention preferences within the limits we allow.
If you are an end-user who has interacted with a voice AI assistant powered by Vibe Caller and you wish to exercise your data protection rights, please contact the business that called you or that you called. We will assist that business in responding to your request.
5. How we use personal data and our legal bases
We process personal data only where we have a lawful basis under the UK GDPR. The table below summarises our main processing activities and the legal bases we rely on.
| Purpose | Legal basis |
|---|---|
| Creating and administering your account; providing the Services; responding to support requests | Performance of a contract with you or your organisation |
| Operating the Vibe Caller platform on behalf of customers, including handling calls, transcribing audio and generating AI outputs | Performance of a contract; legitimate interests in providing a reliable service; and processor instructions from the customer controller |
| Taking payment, issuing invoices, recovering debts and keeping accounting records | Performance of a contract; legal obligation |
| Detecting, investigating and preventing fraud, abuse, misuse or security incidents | Legitimate interests in keeping the Services secure and trustworthy; legal obligation |
| Improving and developing the Services, including diagnosing errors, monitoring performance and analysing aggregate usage | Legitimate interests in operating and improving our products |
| Sending service announcements, security notices and other transactional messages | Performance of a contract; legitimate interests |
| Sending marketing about our products and similar services | Consent (where required) or legitimate interests, with the right to opt out at any time |
| Complying with legal, regulatory and tax obligations, and responding to lawful requests from authorities | Legal obligation |
| Establishing, exercising or defending legal claims | Legitimate interests; legal obligation |
Where we rely on legitimate interests, we have carried out a balancing assessment and concluded that our interests are not overridden by your rights and freedoms. You can ask us for more information about this assessment using the contact details above.
We do not knowingly use Vibe Caller to process special category data (such as health, racial or ethnic origin, or biometric data) or criminal-conviction data. Our customers must not configure assistants to solicit such data without an appropriate lawful basis and additional safeguards.
6. AI and automated processing
The Vibe Caller platform uses large language models, speech-to-text models, text-to-speech models and related machine learning systems to understand, respond to, and act on calls. This means:
- the responses you hear from a Vibe Caller agent are generated by an AI model in real time;
- transcripts and structured outputs are produced automatically and may contain errors;
- assistants may execute pre-configured tools or workflows (for example, looking up an order, scheduling a callback or sending a follow-up message); and
- conversations may be reviewed, in line with this policy, to monitor service quality and to detect abuse.
Vibe Caller does not make decisions producing legal or similarly significant effects on individuals solely by automated means within the meaning of Article 22 UK GDPR. Where a customer configures their assistant in a way that could amount to such a decision, the customer is responsible for putting suitable safeguards (such as human review) in place.
We do not use customer call content (audio, transcripts, AI outputs or function-call data) to train our own foundation models, and we contractually require our model providers not to train their general-purpose models on our customers' call content.
7. Sharing your personal data
We share personal data only where necessary and with appropriate safeguards in place. The categories of recipients are:
7.1 Sub-processors that operate parts of the Services
We use trusted third-party service providers to deliver the Vibe Caller platform. These act as our sub-processors and are bound by written agreements that require them to protect personal data and process it only on our instructions. Current sub-processor categories include:
- Voice AI orchestration: Vapi (and, where adopted, alternative platforms such as Retell or similar).
- Telephony / SIP carriers: providers such as Twilio and Telnyx for call origination, termination, and number provisioning.
- Speech-to-text and language models: providers such as OpenAI, Anthropic, Deepgram and ElevenLabs for transcription, language understanding, and voice synthesis.
- Cloud hosting and storage: AWS, Google Cloud Platform and similar providers for compute, database and object storage.
- Communications and email: providers such as Postmark, SendGrid, Resend or similar for transactional and operational email.
- Analytics and product telemetry: providers such as PostHog, Plausible, Sentry and similar.
- Payments: Stripe (and any successor payment processor) for taking and reconciling payments.
- Customer support and CRM tools: providers such as HubSpot, Intercom or similar.
A current list of named sub-processors is available on request to privacy@criollocloud.com. We will provide reasonable advance notice of material changes to our sub-processor list to customers under contract.
7.2 Other recipients
- Our group companies where we use shared infrastructure or support functions.
- Professional advisers including lawyers, accountants, auditors and insurers, under duties of confidentiality.
- Regulators, courts and law-enforcement bodies where we are required to do so by law, or where disclosure is necessary to establish, exercise or defend legal claims.
- Acquirers and investors in connection with any actual or proposed merger, acquisition, restructure or sale of part of our business; in such cases, personal data will continue to be subject to protections at least equivalent to those in this policy.
We do not sell personal data, and we do not share personal data with third parties for their own marketing purposes.
8. International transfers
Criollo Cloud is based in the United Kingdom, but some of our sub-processors are located outside the UK, including in the United States and the European Economic Area.
When we transfer personal data outside the UK, we rely on one of the following safeguards:
- transfers to countries that benefit from UK adequacy regulations (including the EEA);
- the UK International Data Transfer Agreement, or the EU Standard Contractual Clauses together with the UK Addendum;
- the UK Extension to the EU-US Data Privacy Framework, where the recipient is certified; or
- another transfer mechanism permitted under the UK GDPR.
You can request more information about the specific safeguards that apply to a transfer by contacting privacy@criollocloud.com.
9. Data retention
We keep personal data only for as long as we need it for the purposes set out in this policy, after which we delete or anonymise it. The main retention periods are:
- Account and configuration data: for the duration of your account, plus a short period afterwards to handle close-out requests, disputes and back-up rotation.
- Billing and tax records: at least six years from the end of the relevant tax year, in line with HMRC requirements.
- Marketing data: until you unsubscribe, opt out, or we conclude that the data is no longer relevant.
- Support records: typically up to three years from the date of the most recent interaction.
- Server, security and audit logs: typically up to twelve months, depending on the system and the nature of the log.
- Call audio: by default, retained for the period configured by the customer in their Vibe Caller workspace, subject to a maximum default of 30 days unless a longer period has been agreed in writing. Customers may also choose to disable recording.
- Transcripts and AI-derived outputs: by default, retained for the period configured by the customer, subject to a maximum default of 90 days unless a longer period has been agreed in writing.
We may retain personal data for longer where we are required to do so by law, or where we need it to establish, exercise or defend legal claims.
10. Security
We take the security of personal data seriously and apply technical and organisational measures appropriate to the risk, including:
- encryption of data in transit (TLS) and, for stored call recordings and transcripts, encryption at rest;
- role-based access controls, with access to call content limited to a small number of authorised personnel and our sub-processors as needed to deliver the Services;
- multi-factor authentication for administrative access to production systems;
- network segmentation, monitoring, intrusion detection and regular vulnerability scanning;
- secrets management, key rotation and least-privilege service credentials;
- backups and tested disaster-recovery procedures; and
- staff training, confidentiality obligations and background checks where appropriate.
No internet-based service is completely secure. We commit to notifying affected customers, and where required the Information Commissioner's Office and affected individuals, of any personal data breach within the timescales required by the UK GDPR.
11. Cookies and similar technologies
Our websites and dashboards use cookies and similar technologies to make the Services work, to remember your preferences, to keep you signed in, and to understand how the Services are used. We use:
- Strictly necessary cookies that are required to operate the Services and cannot be turned off;
- Functional cookies that remember choices such as language and region;
- Analytics cookies that help us understand how the Services are used and how to improve them; and
- Marketing cookies, where you have given consent, that help us measure the effectiveness of our campaigns.
You can control non-essential cookies through the cookie banner shown when you first visit our websites and through your browser settings. Blocking some cookies may affect how the Services function.
12. Your data protection rights
Subject to the conditions and exemptions in the UK GDPR and the Data Protection Act 2018, you have the right to:
- be informed about how we process your personal data (this policy);
- access the personal data we hold about you and obtain a copy;
- rectification of inaccurate or incomplete personal data;
- erasure of personal data in certain circumstances ("the right to be forgotten");
- restrict processing of your personal data in certain circumstances;
- object to processing based on legitimate interests, and to direct marketing at any time;
- data portability of personal data you have provided to us, in a structured, commonly used and machine-readable format;
- not to be subject to a solely automated decision producing legal or similarly significant effects; and
- withdraw consent at any time, where we rely on your consent.
To exercise any of these rights, contact us at privacy@criollocloud.com. We may need to verify your identity before we act on your request. We will respond within one month, although this may be extended by a further two months for complex requests.
If you are an end-user whose call has been handled by a Vibe Caller assistant operated by one of our customers, please direct rights requests to that customer in the first instance. We will support them in responding.
You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113. We would, however, appreciate the chance to address your concerns first.
13. Notice for end-users (callers)
If you are receiving a call from a Vibe Caller assistant or have called a number powered by Vibe Caller, you should be informed at the start of the call that you are speaking with an automated assistant and that the call may be recorded and transcribed. The business operating the assistant is the controller of personal data shared during the call. They are responsible for telling you who they are, why they are calling, and how to exercise your rights.
If you do not wish to continue speaking with an automated assistant, you may end the call at any time, ask to be transferred to a human (where the assistant supports this), or contact the business directly through their usual channels.
14. Children
The Services are intended for business use and are not directed to children. We do not knowingly collect personal data from children under the age of 16. If you believe a child has provided personal data to us, please contact privacy@criollocloud.com and we will take steps to delete it.
15. Third-party links and integrations
Our websites and the Vibe Caller platform may link to, or integrate with, third-party websites and services (for example, CRMs, calendars, messaging tools and analytics platforms). We are not responsible for the privacy practices or content of those third parties. We encourage you to read their privacy notices before you use them.
16. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our Services, in our use of personal data, or in applicable law. When we do, we will update the "Last updated" date at the top of this page. Where the changes are material, we will provide additional notice (for example, by email or by a prominent notice within the Services) before the changes take effect.
Previous versions of this policy are available on request.
17. Contact and complaints
If you have any questions, concerns or complaints about this Privacy Policy or our use of your personal data:
By email: privacy@criollocloud.com
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office:
Information Commissioner's Office Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF Telephone: 0303 123 1113 Website: ico.org.uk