Legal

Privacy Policy

Last updated: 3 July 2026

1. Who we are

Answered ("we", "us", "our") builds an AI phone-receptionist service for UK small businesses. This policy explains what personal data we collect when a business signs up for Answered and when that business's customers call the AI agent, why we collect it, who we share it with, and the rights available to both businesses and callers under UK GDPR and the Data Protection Act 2018.

Answered is the data controller for account and billing data relating to the business that signs up. For call data (recordings, transcripts, caller details collected during a call), the business is the data controller and Answered acts as data processor — see our Data Processing Agreement for that relationship.

2. Data we collect

We collect three broad categories of data:

  • Business account data — the business name, industry, website, owner email and phone number, billing details, and the facts a business owner provides (or that we extract from their website) to teach their agent about hours, services, pricing, and policies.
  • Call data — when someone calls a business's Answered number, we process the caller's phone number, a recording of the call, a transcript, an AI-generated summary and sentiment tag, and any booking or message details the caller shares (name, callback number, requested time, service).
  • Technical data — standard web and API logs (IP address, request timestamps, user agent) generated by using our dashboard and onboarding wizard, used for security and abuse prevention.

3. Why we process this data

We process this data to:

  • Provide the AI receptionist service — answering calls, taking bookings and messages, and generating the agent's knowledge from facts the business gives us.
  • Operate the business's dashboard, showing calls, bookings, messages, and usage.
  • Bill for the subscription the business has chosen.
  • Improve the accuracy of agent responses, by identifying gaps in an agent's knowledge and prompting the business to fill them.
  • Meet legal obligations, including call-recording disclosure requirements and tax/accounting record-keeping.

Our lawful bases are performance of a contract (running the service the business subscribed to), legitimate interests (fraud prevention, service improvement), and, for the recording of calls, consent obtained via the spoken disclosure described in section 6 below.

4. Who we share data with

We do not sell personal data. We share data with a small number of subprocessors who help us run the service, each bound by a data processing agreement:

  • Retell AI — voice and telephony infrastructure that powers the phone call itself, including call recording and transcription.
  • Anthropic (Claude) — used to generate and refine the agent's knowledge and conversational prompts from the facts a business provides.
  • Supabase — our database provider, hosting business, agent, call, booking, and message records with row-level security.
  • Twilio — sends SMS notifications (booking confirmations, lead alerts, payment links) and provides phone numbers.
  • Resend — sends transactional email (account and notification emails).
  • Stripe — processes subscription billing and, where a business enables it, in-call payment links. Stripe only sees data necessary to process a payment.

Full details are in our subprocessor list, inside the DPA. We may also disclose data where required by law, for example in response to a valid court order.

5. International transfers

Some subprocessors (including Anthropic and Stripe) may process data outside the UK. Where this happens we rely on the UK International Data Transfer Addendum, the EU Standard Contractual Clauses, or an equivalent adequacy mechanism to ensure data receives an equivalent standard of protection.

6. Call recording disclosure

Under the Privacy and Electronic Communications Regulations (PECR) and general UK data protection law, we do not record calls covertly. Every call handled by an Answered agent opens with a spoken disclosure that the call may be recorded and transcribed for service quality, training, and record-keeping purposes, before any substantive conversation takes place. If a caller does not wish to continue after hearing that disclosure, they are free to hang up or ask to be transferred to a human line, where the business has configured one.

7. Data retention

Call recordings and transcripts are retained for 90 days by default, after which they are permanently deleted. A business can request a shorter or longer retention window by contacting us, subject to any minimum retention required for fraud prevention or legal compliance. Business account data, facts, and billing records are retained for as long as the account is active, and for a limited period afterwards to meet accounting and legal obligations.

8. Your rights

Under UK GDPR, both business owners and callers have the right to:

  • Access the personal data we hold about them.
  • Correct inaccurate data.
  • Request deletion of their data ("right to be forgotten").
  • Request a portable copy of their data in a machine-readable format.
  • Object to or restrict certain processing.
  • Withdraw consent where processing relies on consent.
  • Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

When a business deletes its account, we cascade-delete every record tied to that business — its agents, knowledge facts, calls, bookings, and messages — and trigger deletion of the corresponding call data held by Retell via their data deletion API. Callers who want their own call data removed from a specific business's records should contact that business directly, or contact us and we will relay the request.

9. Security

We encrypt data in transit (TLS) and at rest, restrict database access with row-level security policies scoped to each business, and limit staff access to the minimum needed to operate and support the service. No system is 100% secure, and we cannot guarantee absolute security, but we take reasonable technical and organisational measures appropriate to the sensitivity of the data involved.

10. Contact us

For any question about this policy or to exercise a data-protection right, contact us at privacy@answered.co.uk. (Placeholder address — update once the production domain is finalised.) We aim to respond to all requests within one month, as required by UK GDPR.

11. Changes to this policy

We may update this policy as the service evolves. Material changes will be communicated to business owners by email. The "last updated" date at the top of this page always reflects the current version.