Data Handling Guide.

1. How a call flows through our system

When someone calls a business using our AI receptionist, this is the path the audio and data take. Nothing is persisted on our server beyond live call state; permanent storage happens at the Airtable step.

• Twilio receives the call, routes it via Canadian points of presence, and streams audio over an encrypted WebSocket to our server.
• Voice Agent runs on our Canadian VPS. It transcribes the caller's speech, sends the transcript to the AI for processing, and speaks the AI's response back via Twilio.
• Claude AI (Anthropic) processes the conversation in real time. Anthropic's API runs a zero-retention policy — inputs are not stored or used for model training.
• Airtable stores the call record, transcript summary, and appointment details after the call ends — the first point where anything is persisted.

2. Encryption & security

In transit

• All HTTP traffic uses TLS 1.2+ (TLS 1.3 preferred). Enforced at nginx with HSTS and a modern cipher suite.
• Twilio audio streams use encrypted WebSocket connections.
• API calls to Anthropic, Airtable, and Stripe use TLS-encrypted HTTPS.

At rest

• Airtable encrypts all stored data with AES-256.
• Our secrets file (/opt/secrets/secrets.enc.yaml) is encrypted with SOPS + age. Plaintext never touches disk — the file is decrypted in memory at service start.
• File permissions locked down (chmod 600). Secrets never written to logs, never passed on command lines, never committed to code.
• Redis (in-memory cache) stores temporary call state with automatic expiry — nothing persists to disk.
• PostgreSQL database hosting workflow data uses per-database credentials rotated via the same SOPS store.

Canadian hosting

• Primary server infrastructure is hosted in Canada (VPS provider: Hostinger, Canadian region).
• Twilio is configured to route calls via Canadian points of presence where available.

3. Data retention schedule

Retention is enforced by automated scripts that run weekly. Not aspirational — they run in production and can be audited via --dry-run.

4. Automated data lifecycle

Concrete jobs that enforce the retention schedule above:

• Weekly transcript purge (data_retention.py, Sunday 03:30 UTC) — transcripts older than 90 days permanently deleted. AI-generated summaries (no direct identifiers) are retained.
• Weekly caller anonymization — call records older than 12 months have the caller phone number replaced with ANONYMIZED. Aggregate statistics remain.
• Weekly recording cleanup — Twilio recording SIDs older than 90 days are deleted via the Twilio Recordings API, then the reference is cleared on our side.
• Weekly execution purge — n8n workflow execution data older than 90 days is removed.
• Nightly regression tests — a separate cron runs end-to-end tests verifying the retention jobs and deletion pipeline still work; alerts go to the operator on any failure.

All retention jobs support --dry-run — you can see exactly which rows would be affected without executing.

5. Right to erasure — deletion mechanics

When deletion is triggered

Full data deletion (per the schedule above — 90 days for transcripts/recordings, 12 months for metadata) is triggered automatically when a business client's service is disabled for any of:

• The client cancels their subscription through the Stripe billing portal
• A full refund is issued — service is disabled within seconds of the Stripe refund event; the retention clock starts at the disable timestamp
• A chargeback (bank dispute) is filed — same behaviour as a full refund
• A trial expires without conversion to a paid plan
• An agency partner's account is cancelled, orphaning their client accounts (30-day grace period before client disable)

Partial refunds (goodwill credits) do not disable service or trigger the deletion timeline.

What gets deleted (business-client offboarding)

• All voice call records associated with the business
• All Twilio recordings (audio files)
• All appointments, staff records, business hours, holidays, and service listings
• All cached data in Redis
• The client record itself

Audit trail

Every deletion action is logged: timestamp, record counts, operator identity. The audit log is kept separately from the data being deleted, so deletion events remain verifiable.

Individual caller requests

If an individual caller (not a business client) requests deletion of their data, submit a request via our privacy request form. We verify the request by email, then locate and delete all records associated with your phone number within 30 days.

6. Sub-processors

Third-party services that process data as part of service delivery. Data they see and their own compliance posture:

Self-hosted (not a sub-processor): Redis runs on our own Canadian VPS as an in-memory cache for temporary call state. Data auto-expires; nothing persists to disk.

7. Per-tenant isolation

• Every business is assigned a unique tenant ID.
• Every Airtable query, Redis key, and workflow execution is scoped by tenant ID. Cross-tenant access is not a code path that exists.
• API tokens are scoped to minimum required permissions. Credentials are never shared between tenants.
• Portal access is authenticated per-tenant with JWT tokens carrying the tenant claim.
• Redis cache keys are namespaced by tenant ID with automatic expiry.

8. Access controls

• API tokens — scoped to minimum required permissions; rotated via the SOPS store.
• File permissions — secrets stored with chmod 600 (owner-only access).
• No shared credentials — each service uses its own authentication.
• Portal authentication — bcrypt-hashed passwords, JWT with short expiry.
• Environment isolation — secrets loaded from permission-restricted environment files at service start, never committed to code.

9. Backups

Automated backups protect against data loss. Stored locally on our Canadian infrastructure — no cross-border transfer.