Privacy Policy

1. Information We Collect

Account Information

When you create a CallMissed account, we collect your full name, email address, phone number (optional), and organization name. If you sign in with Google, we receive your Google profile name, email, and unique Google ID. We do not store your Google password or access any data beyond basic profile information.

Phone numbers provided during registration are used solely for payment processing (Cashfree) and account recovery. We never share your phone number with third parties for marketing.

Usage Data

We automatically collect information about how you use our services, including API call logs (endpoint, model, token counts, latency, IP address), conversation metadata (timestamps, channel type, duration), credit transactions (purchases, deductions, balance changes), and dashboard activity. This data is used to provide usage analytics, enforce plan limits, and prevent abuse.

Communication Content

When you deploy AI agents, the content of conversations between your customers and your bots (messages, audio transcriptions, synthesized audio) is processed through our platform. This content is stored in your tenant's isolated database partition and is never shared across tenants, never used to train AI models, and never sold to third parties.

Payment Information

Payment processing is handled by Cashfree Payments, our PCI-DSS compliant payment processor. We do not store credit card numbers, CVVs, UPI PINs, or full bank account details on our servers. We only store transaction references (order IDs, payment status, amounts) for billing reconciliation.

Technical Data

We collect IP addresses, browser user-agent strings, device information, and referral URLs for security monitoring, rate limiting, domain whitelisting enforcement, and abuse prevention.

2. How We Use Your Information

• Service delivery: Processing API requests (LLM, STT, TTS), managing bots, delivering conversation data, and providing real-time voice agent functionality
• Account management: Authentication (JWT, Google OAuth, OTP), authorization, tenant isolation, and role-based access control
• Billing and credits: Tracking API usage, managing credit balance, processing payments via Cashfree, enforcing plan limits, and generating transaction history
• Security: Rate limiting (per-IP and per-API-key), domain whitelisting, SSRF prevention, webhook signature verification, brute-force protection, and access logging
• Email notifications: Welcome emails, OTP verification codes, payment confirmations, credit balance alerts, password reset confirmations, and API key creation alerts. We never send marketing emails without explicit consent.
• Service improvement: Aggregated, anonymized usage patterns to improve reliability, performance, and capacity planning

3. Data Storage and Security

All data is stored on AWS infrastructure in the ap-south-1 (Mumbai) region, ensuring data residency within India. Our database runs on Amazon RDS PostgreSQL 16 with encryption at rest (AES-256) enabled. All data in transit is encrypted using TLS 1.3.

Multi-Tenant Isolation

We implement strict multi-tenant data isolation at the database level. Every query is scoped to your tenant ID through middleware enforcement. No tenant can access another tenant's data through our API, dashboard, or any other interface.

Credential Security

• Passwords are hashed using bcrypt with 12 rounds of salting
• API keys are stored as SHA-256 hashes — we never store or log raw API keys after creation
• OTP codes are stored as SHA-256 hashes with 10-minute expiry and 5-attempt lockout
• JWT access tokens expire after 24 hours; refresh tokens after 7 days
• Payment webhook signatures are verified using HMAC-SHA256
• Credit balance modifications use atomic database operations to prevent manipulation

Security Headers

All API responses include: Strict-Transport-Security (HSTS), Content-Security-Policy, X-Content-Type-Options, X-Frame-Options (DENY), X-XSS-Protection, and Referrer-Policy headers.

4. Credit System and Payments

CallMissed uses a credit-based billing system where 1 credit = ₹1. Credits are deducted server-side for each API call (LLM, STT, TTS). The credit balance is maintained atomically in the database and cannot be manipulated through the API.

Payment processing is handled by Cashfree Payments. Payment verification occurs through three independent mechanisms: client-side verification, server-side webhook, and hourly reconciliation — ensuring no successful payment is ever missed.

All credit transactions (purchases, deductions, bonuses, refunds) are logged in an append-only audit ledger that cannot be modified or deleted.

5. Third-Party Services

We use the following third-party services. Data shared with each is limited to the minimum required for functionality:

• Sarvam AI — Audio files (for STT), text (for TTS/LLM). Processes Indian language content.
• OpenRouter — Chat messages (for LLM routing to GPT, Claude, Gemini, etc.)
• ElevenLabs — Text content (for premium TTS voices)
• Cashfree Payments — Customer email, phone, name (for payment processing). PCI-DSS compliant.
• Brevo — Email addresses and names (for transactional emails only)
• WhatsApp Business API (Meta) — Message content (for WhatsApp bot delivery)
• Twilio — Audio streams (for voice call connectivity)
• Google Identity Services — Email and profile name (for OAuth sign-in)
• AWS (Amazon Web Services) — All infrastructure. Data stays in ap-south-1 (Mumbai).
• Vercel — Frontend hosting only. No user data is stored on Vercel.

6. Data Retention

We retain your data for the duration of your account. When you delete your account:

• Account data (name, email, phone) is deleted within 30 days
• Conversation content, bot configurations, and knowledge base entries are deleted within 30 days
• API usage logs are anonymized and retained for up to 90 days for billing reconciliation
• Payment records are retained for 7 years as required by Indian tax regulations
• Credit transaction logs are retained for 7 years for audit compliance
• Database backups containing your data are purged within 90 days

7. Your Rights (DPDPA 2023 Compliance)

Under the Digital Personal Data Protection Act, 2023 (India) and applicable international privacy laws, you have the right to:

• Access — View all personal data we hold about you via the dashboard or API
• Correction — Update inaccurate information in your profile settings
• Erasure — Request deletion of your account and all associated data
• Data portability — Export your conversation data, bot configurations, and usage history
• Withdraw consent — Deactivate your account to stop all data processing
• Grievance redressal — File a complaint with our Data Protection Officer
• Nominate — Designate a person to exercise your rights in case of your death or incapacity

To exercise any of these rights, contact our Data Protection Officer at support@callmissed.com. We will respond within 30 days.

8. Cookies and Local Storage

We use minimal browser storage:

• Authentication cookie (cm_logged_in): A boolean flag on .callmissed.com to detect login state across subdomains. Contains no personal data. Expires after 30 days.
• Local storage: JWT tokens, user preferences, and API key (playground only) stored in browser local storage, scoped to the specific subdomain origin.

We do not use tracking cookies, advertising cookies, third-party analytics, or fingerprinting technologies.

9. International Data Transfers

Your data is stored in India (AWS ap-south-1, Mumbai). When you use OpenRouter or ElevenLabs models, your API request content may be processed in the provider's region (typically US or EU). By using these models, you consent to this transfer. Sarvam AI processes all data within India.

10. Children's Privacy

CallMissed is a B2B service designed for businesses and developers. It is not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If we learn that we have collected data from a minor, we will delete it promptly.

11. Data Breach Notification

In the event of a data breach that affects your personal data, we will notify you via email within 72 hours of discovery, as required by DPDPA 2023. We will also notify the Data Protection Board of India as required by law.

12. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes via email or a notice on our dashboard at least 30 days before they take effect. The "Last updated" date at the top of this page indicates the most recent revision.

13. Contact Us

For privacy-related inquiries:

• Data Protection Officer: support@callmissed.com
• General inquiries: hello@callmissed.com
• Security issues: support@callmissed.com
• Entity: CallMissed Technologies Pvt. Ltd.
• Location: India