Privacy Policy

Effective Date: May 27, 2026 · Last Updated: May 27, 2026

This Privacy Policy explains how PhoneGal LLC (“PhoneGal,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information in connection with the PhoneGal service, including our website at phonegal.com, the customer dashboard, the AI receptionist telephony service, the PhoneGal iOS mobile application, and related features (collectively, the “Service”). It applies to (a) the businesses and individuals who subscribe to or use the Service (“Customers”) and (b) the individuals whose calls are answered by the Service on a Customer’s behalf (“Callers”). This Privacy Policy is incorporated into our Terms of Service.

1. Our Role & Your Role

For Customer account information (such as billing details and dashboard credentials), PhoneGal is the “controller” (or business operator) of that information. For Caller information collected during calls answered on a Customer’s behalf, the Customer is the controller and PhoneGal acts as a “processor” or “service provider” under applicable law — we process that Caller information for the Customer and on the Customer’s instructions. Each Customer is responsible for providing its own privacy disclosures to Callers and for ensuring that the Customer has a lawful basis to record, transcribe, and process calls.

2. Information We Collect

a) Information you provide as a Customer

  • Account & contact information — name, email address, telephone number, business name, business address, role, and password.
  • Business profile content — business hours, services offered, pricing, scripts, FAQs, service area, integrations data, and other content you provide to configure the AI receptionist.
  • Billing information — payment method last-four digits, billing address, tax identifiers; full payment-card data is collected and stored by our payment processor (we do not store full card numbers on our systems).
  • Communications — messages you send to our support team, survey responses, and feedback.

b) Information collected from Callers during calls

  • Call audio recordings and transcripts generated during the call.
  • Caller-ID information made available by the telecommunications network (telephone number, carrier-provided name where available).
  • Call metadata — date, time, duration, ringing and connection events, hold time, disconnect reason, telephone numbers involved.
  • Information the Caller provides verbally in response to the AI receptionist’s prompts — for example, the Caller’s name, callback number, service address, nature of the request, and any information necessary to qualify or fulfill the inquiry.
  • DTMF (touch-tone) digits entered by the Caller.

c) Information collected automatically when you use our website or dashboard

  • Device & usage information — IP address, browser type and version, operating system, device identifiers, referring URL, pages viewed, time spent, clicks, scrolls, and errors encountered.
  • Cookies and similar technologies — see Section 6.

d) Information collected automatically when you use the PhoneGal iOS application

  • Push-notification device token — an opaque identifier issued by Apple Push Notification service (“APNs”) that allows us to deliver lead-capture notifications to your device. We do not collect Apple’s Advertising Identifier (IDFA) and do not request App Tracking Transparency permission.
  • Device label and application metadata — a short label your iOS device reports to applications (typically a generic identifier such as “iPhone” on current iOS versions; this is used solely to identify the active session in our records), application version and build number (included in any support submissions you choose to send), and the iOS environment (sandbox or production) so we route push notifications to the correct APNs host.
  • Authentication metadata — the email address you sign in with, the long-lived API token issued to your device, and timestamps for when the token was last used. The API token is stored on your device in the iOS Keychain and is sent to our servers only as a bearer credential.
  • Diagnostic information — IP address and user-agent string for API requests, and timestamps of sign-in attempts. We do not embed third-party analytics, crash-reporting, advertising, or behavioral-tracking software-development kits (SDKs) in the iOS application.

e) Information we receive from third parties

  • Subprocessors — telephony providers, AI model providers, payment processors, email providers, and analytics providers may share information with us about your use of, or the operation of, the Service.
  • Integrations you connect — if you connect a calendar, CRM, or other tool, we receive information from that service consistent with the permissions you authorize.

3. How We Use Information

We use the information described in Section 2 for the following purposes:

  • to provide, operate, secure, maintain, and support the Service, including to answer calls, generate AI responses, deliver lead summaries and notifications to the Customer’s authorized contacts (including by email and, if you have installed the PhoneGal iOS application and granted notification permission, by push notification delivered through Apple Push Notification service), and synchronize with integrations;
  • to bill and collect fees, and to communicate with you about your account, plan, and billing;
  • to send you administrative messages, security alerts, and updates about the Service;
  • to provide customer support and respond to your inquiries;
  • to monitor, troubleshoot, and improve the performance, quality, and reliability of the Service, including on a de-identified or aggregated basis;
  • to detect, investigate, and prevent fraud, abuse, security incidents, and violations of our Terms of Service;
  • to comply with legal obligations, respond to lawful requests, and enforce our agreements; and
  • with your consent or as otherwise permitted by law, to send you marketing communications about new features (you can opt out at any time as described in Section 9).

AI training. We do not use Caller audio recordings, transcripts, or Caller-provided personal information to train artificial-intelligence models, and we require our AI-model Subprocessors to make commitments to the same effect (including no-train and zero-data-retention terms where available). We may use de-identified or aggregated information derived from the Service to evaluate, debug, and improve the Service, as permitted under applicable law (including the California Consumer Privacy Act’s service-provider and deidentification standards).

No sale of personal information for monetary or commercial benefit. We do not sell personal information for monetary or other commercial consideration as that activity is commonly understood, and we have not done so in the preceding twelve (12) months.

Analytics & the CCPA definitions of “sale” and “sharing.” The California Consumer Privacy Act (as amended by the California Privacy Rights Act) defines “sale” and “sharing” broadly to include certain disclosures of personal information to third parties for valuable consideration or for cross-context behavioral advertising. Because our marketing website at phonegal.com uses Google Analytics (see Sections 5 and 6), some regulators and courts may take the position that this constitutes a “sale” or “sharing” under those broad definitions, even though we receive no money and do not use Google Analytics’ advertising features. Out of an abundance of caution, we treat any Google Analytics activity as subject to the opt-out mechanisms available to you under the CCPA/CPRA and analogous state laws — we honor the Global Privacy Control (GPC) signal as a valid opt-out, and the Google-Analytics-specific opt-out options described in Section 6 are also available. We do not engage in cross-context behavioral advertising and do not share personal information with advertising networks. If our practices change, we will update this Policy and provide additional opt-out mechanisms as required by applicable law.

5. How We Share Information

We do not sell personal information, and we do not share personal information with third parties for their own independent marketing purposes. We share information only as follows:

  • With the Customer. Caller information is delivered to the Customer (and to contacts the Customer designates) as the core purpose of the Service.
  • With Subprocessors who help us operate the Service under contractual confidentiality and data-protection obligations. Our current Subprocessors are:
    • Telephony — SignalWire (telephone-number provisioning, inbound call routing, call recording storage, SMS delivery);
    • AI language model — OpenAI, accessed by us through SignalWire’s AI Agent service (generation of conversational text responses during calls);
    • Text-to-speech (voice synthesis) — Cartesia (synthesis of the receptionist’s spoken audio responses);
    • Cloud hosting and infrastructure — Vultr (compute, storage, logging);
    • Payment processing — Stripe (subscription billing, payment-method storage; we do not store full card numbers on our systems);
    • Transactional email — Resend (sign-in messages, account notifications, lead-capture notifications);
    • Mobile push notifications — Apple Push Notification service (APNs), operated by Apple Inc., for delivering lead-capture notifications to iOS devices on which the PhoneGal application is installed and notifications have been enabled. APNs receives the device token and the notification payload (including the caller’s name and a brief description of the lead) at the time of delivery;
    • Marketing-website analytics — Google Analytics (Google LLC) on the marketing website at phonegal.com (property identifier G-CVXLV05RJK) to measure aggregate site usage, page-view counts, traffic sources, and basic device characteristics. Google Analytics sets first-party cookies on the marketing website and receives the IP address (which Google truncates), pseudonymous device identifiers, and event metadata for the pages you view. Google Analytics is not embedded in the customer dashboard at cloud.phonegal.com or in the PhoneGal iOS application.

    We will use commercially reasonable efforts to maintain an accurate Subprocessor list. If we add or replace a Subprocessor in a way that materially changes the categories of personal information processed or the geographic location of processing, we will update this Policy and, where required by applicable law, provide advance notice to affected Customers.

  • For legal reasons — to comply with a subpoena, court order, or other valid legal process; to enforce our Terms; to investigate suspected fraud or violations; to protect the rights, property, or safety of PhoneGal, our users, or others; or as otherwise required by law.
  • In connection with a business transfer — if PhoneGal is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction, subject to commercially reasonable confidentiality protections.
  • With your consent — for any other purpose disclosed to you at the time of collection.

6. Cookies & Similar Technologies

We use cookies, local storage, and similar technologies on our marketing website at phonegal.com and on the customer dashboard at cloud.phonegal.com. Cookies fall into the following categories:

  • Strictly necessary — required to operate the Service (for example, authentication and security on the customer dashboard);
  • Preferences — remember your settings, such as dark-mode preference;
  • Analytics — on the marketing website only, Google Analytics first-party cookies measure aggregate site usage (see below).

You can control cookies through your browser settings; however, disabling strictly necessary cookies may prevent the Service from functioning. We do not currently respond to “Do Not Track” signals because no industry standard for compliance has been finalized; we will reassess as standards evolve. Where required by applicable law (including the California Privacy Rights Act and analogous state laws), we honor the Global Privacy Control (GPC) signal as a valid request to opt out of the “sale” or “sharing” of personal information.

Marketing website. Our marketing website at phonegal.com uses Google Analytics (gtag.js) to measure aggregate site usage. Google Analytics sets first-party cookies and receives a truncated IP address, pseudonymous device identifiers, and event metadata. We have configured Google Analytics to use IP-address truncation; we do not use Google Analytics’ advertising features (such as Google Signals, demographics, or remarketing audiences), and we do not link Google Analytics data with any advertising platform. We do not embed Meta Pixel, LinkedIn Insight Tag, or other third-party advertising or cross-site tracking pixels on the marketing website. The customer dashboard at cloud.phonegal.com uses only strictly-necessary cookies for sign-in and security, and the PhoneGal iOS application uses no cookies or third-party SDKs at all (see below).

Your choices on the marketing website. You can opt out of Google Analytics on phonegal.com in several ways: (a) install Google’s official Google Analytics Opt-out Browser Add-on at tools.google.com/dlpage/gaoptout; (b) enable the Global Privacy Control (GPC) signal in a supporting browser or extension — we treat GPC as a valid opt-out of any “sale” or “sharing” under U.S. state privacy laws; (c) use your browser’s built-in tracking-prevention controls; or (d) clear or block first-party cookies from phonegal.com in your browser settings. Disabling these cookies will not prevent you from using the marketing website or the customer dashboard.

PhoneGal iOS application. The PhoneGal iOS application does not use cookies, web beacons, the Apple Advertising Identifier (IDFA), or third-party analytics, advertising, or cross-app tracking SDKs. Authentication is performed using a bearer token stored in the iOS Keychain on your device. You can revoke that token at any time by signing out from the in-app account menu, and you can disable push notifications at any time from the iOS Settings app. Uninstalling the application clears the token and the device’s push-notification registration.

7. Data Retention

We retain personal information for as long as necessary to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. Typical retention periods include:

  • Customer account information — for the duration of the subscription, plus a reasonable period to allow for reactivation and to comply with tax and audit requirements (generally up to seven (7) years for billing records);
  • Call audio recordings — by default, up to one hundred twenty (120) days, unless your plan or configuration specifies otherwise;
  • Call transcripts and structured call data — retained for the duration of your subscription so they remain available in your dashboard for search, audit, and follow-up, unless you request earlier deletion;
  • Server logs and analytics — typically up to ninety (90) days;
  • Mobile push-notification device tokens — retained while your device is signed in and active. Tokens that have not been used for delivery in thirty (30) days are excluded from further delivery. Tokens are deleted when you sign out from the iOS application; they are marked inactive and removed from further delivery (and may be hard-deleted thereafter) when Apple notifies us that the token is no longer valid or when the application is uninstalled and we receive that signal on the next push attempt;
  • iOS API authentication tokens — retained until you sign out, until you revoke the device from the dashboard, or until we revoke the token for security reasons (whichever is earliest). Revoked tokens are retained in a revoked state (and cannot be used to authenticate further requests) for audit purposes;
  • Backups — database and configuration backups are retained on a rolling cycle of up to thirty (30) days, after which they are purged in the ordinary course. Infrastructure-level snapshots managed by our hosting provider may be retained for longer periods per that provider’s standard policies.

When personal information is no longer needed, we will delete or de-identify it, except where retention is required by law or where deletion is technically infeasible (in which case we will isolate and protect it from any further use).

Post-termination retention. The retention periods listed above apply during your active subscription. Following termination of a subscription, the post-termination retention provisions in Section 13 of the Terms of Service control, except where a longer retention is required by law or by our standard backup cycle.

8. Security

We use commercially reasonable administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, use, alteration, and disclosure. Our current safeguards include: encryption of data in transit using Transport Layer Security (TLS); AES-256-GCM authenticated encryption at rest for sensitive credential and integration secrets, with additional-authenticated-data binding to prevent cross-field misuse; passwordless email-based sign-in with single-use, time-limited magic-link tokens (and, for the iOS application, long-lived bearer tokens stored in the iOS Keychain that are individually revocable); role-based access controls within our administrative tooling; structured logging and monitoring of webhook authentication events; per-Customer signing secrets for telephony webhooks; rate-limiting on authentication endpoints; and contractual confidentiality and data-protection obligations with our Subprocessors. No method of transmission over the internet or method of electronic storage is completely secure, and we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials (including any magic-link token, bearer token, or session cookie issued to you or to your devices) and for promptly notifying us of any suspected unauthorized use.

Security-incident notification. If we become aware of a security incident that has resulted, or is reasonably likely to result, in the unauthorized access, acquisition, disclosure, alteration, or loss of personal information, we will notify affected Customers without undue delay and in any event within the time required by applicable law (including, where applicable, the seventy-two (72) hour window under the European General Data Protection Regulation and the timelines under U.S. state breach-notification statutes). Notification will include the information required by applicable law and may be delivered by email to the address on file or by other reasonable means.

9. Your Rights & Choices

Subject to applicable law, you may have the right to:

  • access personal information we hold about you;
  • correct inaccurate or incomplete personal information;
  • delete personal information, subject to limited legal exceptions;
  • port personal information you provided to us, in a structured, machine-readable format;
  • restrict or object to certain processing;
  • withdraw consent at any time where processing is based on consent (without affecting the lawfulness of prior processing);
  • opt out of marketing communications by clicking “unsubscribe” in any marketing email or contacting us; and
  • file a complaint with a supervisory authority where applicable.

To exercise these rights, please contact us at support@phonegal.com. We may need to verify your identity before fulfilling your request and may decline requests as permitted by law.

Callers. If you are a Caller and want to access, correct, or delete information collected about you during a call, please contact the Customer (the business you called) directly, since the Customer is the controller of that information. We will assist the Customer in honoring your request to the extent required by law.

California residents. California residents have additional rights under the California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”), including the right to know what personal information is collected, the right to delete personal information (with exceptions), the right to correct inaccurate personal information, the right to opt out of the “sale” or “sharing” of personal information (we do not sell or share personal information as those terms are defined under the CCPA/CPRA), and the right to limit the use of sensitive personal information. We do not discriminate against any consumer for exercising these rights.

Residents of other U.S. states. Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, New Hampshire, New Jersey, Maryland, Minnesota, Rhode Island, Kentucky, and other states with comprehensive consumer-privacy laws may have rights similar to those described above, including rights to access, correct, delete, and port personal information, to opt out of targeted advertising, the “sale” or “sharing” of personal information, and certain profiling, and to appeal a denial of these rights. We do not engage in “sales,” “sharing,” or cross-context behavioral advertising as those terms are defined under these laws. To exercise any applicable right, please contact us at support@phonegal.com.

Sensitive personal information. We do not intentionally collect categories of “sensitive personal information” as defined by the CCPA/CPRA or analogous laws. However, because the AI receptionist captures whatever a Caller chooses to say, sensitive information may be incidentally included in a call recording or transcript. We apply the safeguards described in Section 8 to all such information and do not use it for purposes other than providing the Service.

10. Call Recording & Caller Notice

When a Caller is connected to a PhoneGal-powered receptionist, where the Customer’s business location or the Caller’s location requires it, the Service will announce that the call may be recorded. The Service does not proactively announce that the Caller is speaking with an artificial-intelligence assistant; if a Caller asks directly whether they are speaking with a person, the Service will identify itself truthfully as a virtual or AI assistant rather than represent itself as a human. As described in our Terms of Service, each Customer is solely responsible for ensuring that recording and processing of inbound calls complies with applicable laws, including any “two-party” or “all-party” consent requirements. If you are a Caller and do not consent to AI handling or recording of the call, you may end the call and contact the business by an alternative method.

11. Children’s Privacy

The Service is intended for use by adults in connection with a business and is not directed to children. Consistent with the Children’s Online Privacy Protection Act (“COPPA”), 15 U.S.C. §§ 6501–6506, and its implementing regulations, we do not knowingly collect personal information from children under the age of thirteen (13). Our Terms of Service additionally require that account holders be at least eighteen (18) years of age. If you are a parent or guardian and believe we may have collected information from a child under thirteen, please contact us at support@phonegal.com and we will take reasonable steps to delete it. Where applicable law sets a higher age of consent for the processing of children’s personal information, we honor that higher age.

12. International Users & Cross-Border Transfers

PhoneGal is based in the United States, and the Service is currently offered only to businesses located in the United States. Information we collect is processed and stored in the United States and, in limited circumstances, in other countries where our Subprocessors operate (for example, our hosting infrastructure is located in the United States; certain Subprocessor support functions may be performed from other jurisdictions). We do not knowingly collect personal information from individuals located in the European Economic Area, the United Kingdom, or Switzerland.

By using the Service, you understand that your information will be transferred to, stored, and processed in the United States, and you consent to such transfer to the extent permitted by applicable law. If we expand availability of the Service to other regions, we will update this Policy and adopt appropriate cross-border transfer mechanisms (for example, the European Commission’s 2021 Standard Contractual Clauses for EU transfers, the UK Addendum to the SCCs for UK transfers, and the Swiss Federal Data Protection and Information Commissioner’s recognized mechanisms) before commencing such transfers.

14. Changes; Interpretation

We may update this Privacy Policy from time to time to reflect changes to the Service, applicable law, or our practices. When we do, we will revise the “Last Updated” date above and, if the change is material, we will provide additional notice (for example, by email or through the Service) before the change takes effect. Your continued use of the Service after the effective date of any change constitutes your acceptance of the revised Privacy Policy.

Interpretation. Headings used in this Privacy Policy are for convenience only and do not affect its interpretation. Capitalized terms used in this Privacy Policy but not defined here have the meaning given to them in the Terms of Service.

15. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

PhoneGal LLC
6844 Bardstown Rd #504
Louisville, KY 40291
support@phonegal.com