Privacy Policy

Last updated: April 2, 2026

IronVoice ("we," "us," or "our") operates the AI receptionist platform at ironvoice.ai. This Privacy Policy explains how we collect, use, store, and protect information when you use our Service. By using IronVoice, you agree to the practices described in this policy.

1. Information We Collect

We collect the following categories of information:

Account Information

  • Name, email address, and password (hashed with argon2id — we never store plaintext passwords).
  • Company name, business address, phone number, and location details.
  • Email verification status.

Knowledge Base Content

  • Business information, FAQs, operating hours, service descriptions, and custom instructions you provide to train your AI receptionist.

Call & Communication Data

  • Caller phone numbers, call duration, call timestamps, and call outcomes.
  • Call recordings and AI-generated transcripts.
  • Chat messages exchanged through the IronBot widget.
  • SMS messages sent to and from your IronVoice phone number.
  • Email messages processed through connected email accounts.
  • AI-generated summaries of conversations.

Payment Information

  • Billing details are collected and processed by Stripe. IronVoice does not store your full credit card number, CVV, or other sensitive payment card data on our servers. We store your Stripe customer ID and subscription status.

Usage & Technical Data

  • IP addresses (used for rate limiting and security).
  • Browser type and device information (from standard HTTP headers).
  • Pages visited, features used, and actions taken within the dashboard.
  • Call volume, usage metrics, and overage counts for billing purposes.

2. How We Use Your Information

We use the information we collect for the following purposes:

  • Providing the Service — to operate your AI receptionist, generate responses based on your knowledge base, route calls, process messages, and deliver chatbot functionality.
  • Account Management — to create and maintain your account, verify your identity, and manage your subscription.
  • Billing & Payments — to process subscription charges, track call usage for overage billing, and manage invoices through Stripe.
  • Communication — to send you transactional emails such as email verification, welcome messages, provisioning confirmations, and important service notifications.
  • Security — to detect and prevent fraud, abuse, spam, and unauthorized access through rate limiting, signature validation, and monitoring.
  • Service Improvement — to understand usage patterns, diagnose technical issues, and improve the reliability and quality of the platform.
  • Legal Compliance — to comply with applicable laws, regulations, and legal processes.

We do not sell your personal information to third parties. We do not use your knowledge base content or call data to train AI models. Your data is used solely to provide the Service to you.

3. Call Recording & AI Processing

When a call is handled by your IronVoice AI receptionist, the following processing occurs:

  • Speech-to-Text: The caller's spoken words are transcribed in real time by Deepgram (via Twilio ConversationRelay) to convert speech into text for AI processing.
  • AI Response Generation: The transcribed text is sent to OpenAI GPT-4o-mini along with your knowledge base content to generate a contextual response.
  • Text-to-Speech: The AI-generated text response is converted back to speech by ElevenLabs and played to the caller.
  • Call Recording: Twilio may record calls for your call history and analytics. Recordings and transcripts are stored in our database and accessible through your dashboard.
  • Call Logging: Metadata about each call (caller number, duration, timestamp, AI-generated summary) is stored in our PostgreSQL database.

Important: You are responsible for complying with all applicable call recording consent laws in your jurisdiction. Many states and countries require one-party or two-party consent before recording calls. You should configure your knowledge base to include appropriate disclosures if required by law.

4. Data Sharing with Third Parties

We share data with the following third-party service providers, solely as necessary to operate the Service:

  • Twilio — receives caller phone numbers, call audio, and SMS message content. Twilio provides phone number provisioning, call routing, recording, and SMS delivery. See Twilio's Privacy Policy.
  • OpenAI — receives transcribed call text, chat messages, SMS content, email content, and your knowledge base context to generate AI responses. See OpenAI's Privacy Policy.
  • ElevenLabs — receives AI-generated text responses to convert them into spoken audio for callers. See ElevenLabs' Privacy Policy.
  • Deepgram — receives call audio (via Twilio ConversationRelay) for real-time speech-to-text transcription. See Deepgram's Privacy Policy.
  • Stripe — receives your name, email, and payment card information to process subscription payments and manage billing. IronVoice does not have access to your full card details. See Stripe's Privacy Policy.
  • Resend — receives your email address to deliver transactional emails (verification, welcome, provisioning notifications). See Resend's Privacy Policy.

We may also share information if required by law, legal process, or government request, or to protect the rights, property, or safety of IronVoice, our users, or the public.

5. Data Storage & Security

Your data is stored on managed PostgreSQL databases hosted on Railway infrastructure in the United States. We implement the following security measures:

  • All data in transit is encrypted via TLS/HTTPS.
  • Passwords are hashed using argon2id and never stored in plaintext.
  • Authentication uses secure, httpOnly cookies with JWT tokens.
  • API endpoints are protected with rate limiting to prevent brute-force attacks.
  • Twilio webhook signatures are validated to prevent spoofing.
  • Customer data is isolated per account — multi-tenant architecture with row-level access controls prevents cross-account data access.
  • Security headers (X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy) are applied to all responses.

While we take reasonable precautions to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but will notify affected users promptly in the event of a data breach.

6. Cookies & Tracking

IronVoice uses a minimal cookie approach:

  • Session Cookie — a single httpOnly, secure cookie named "session" that contains your encrypted JWT authentication token. This cookie is essential for the Service to function and cannot be disabled.

We do not use third-party tracking cookies, advertising pixels, or analytics scripts that track you across other websites. We do not participate in ad networks or sell data to advertisers.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Correction — request correction of inaccurate or incomplete data. You can update most account information directly through your dashboard.
  • Deletion — request deletion of your account and all associated data, including knowledge base content, call recordings, transcripts, and conversation histories. Deletion is permanent and completed within 30 days.
  • Export — request a machine-readable export of your data before account deletion.
  • Restriction — request that we limit processing of your data in certain circumstances.
  • Objection — object to processing of your data for specific purposes.

To exercise any of these rights, contact us at support@ironvoice.ai. We will respond to verified requests within 30 days. We may ask you to verify your identity before processing your request.

8. Children's Privacy

IronVoice is a business-to-business service designed for use by businesses and their authorized representatives. The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected information from a person under 18, we will delete that information promptly. If you believe a minor has provided us with personal information, please contact us at support@ironvoice.ai.

9. International Data Transfers

IronVoice is based in the United States, and your data is stored and processed in the United States. If you are accessing the Service from outside the United States, your data will be transferred to and processed in the United States, where data protection laws may differ from those in your country. By using the Service, you consent to this transfer. Our third-party providers (Twilio, OpenAI, Stripe, ElevenLabs, Deepgram, Resend) may also process data in the United States or other jurisdictions where they operate.

10. Data Retention

We retain your data for as long as your account is active and as needed to provide the Service. Specific retention periods include:

  • Account Information — retained for the duration of your subscription and deleted within 30 days of account closure.
  • Call Recordings & Transcripts — retained for the duration of your subscription. Accessible through your dashboard for your records.
  • Chat, SMS & Email Logs — retained for the duration of your subscription.
  • Knowledge Base Content — retained for the duration of your subscription and deleted upon account closure.
  • Payment Records — billing transaction records may be retained for up to 7 years as required for tax and legal compliance.
  • Security Logs — IP addresses and rate-limiting data are retained temporarily (typically less than 24 hours) and are not stored persistently.

After account termination, all customer data (knowledge base, call recordings, transcripts, conversation histories) is permanently deleted within 30 days. Some data may persist in encrypted backups for a limited period but will not be actively used or accessible.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by email or through a prominent notice on the Service at least 14 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

12. Contact

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We are committed to working with you to resolve any privacy concerns.