1. How a Call Flows Through Our System
When someone calls a business using iHospitality's AI receptionist, here is exactly what happens with their data:
- Twilio receives the incoming call, routes it to our voice agent, and handles audio streaming. Twilio operates Canadian points of presence for call routing.
- Voice Agent runs on our Canadian server. It receives the caller's speech, sends it to the AI for processing, and speaks the AI's response back to the caller.
- Claude AI (Anthropic) processes the conversation in real time. Anthropic's API has a zero-retention policy — inputs are not stored or used for model training.
- Airtable stores the call record, transcript summary, and any appointment details after the call ends.
Key point: Your call audio is streamed in real time and is not permanently stored on our server. Post-call recordings (if enabled) are stored by Twilio and automatically deleted after 90 days.
2. Encryption & Security
In Transit
- All HTTP traffic uses TLS 1.2+ (HTTPS)
- Twilio audio streams use encrypted WebSocket connections
- API calls to Anthropic and Airtable use TLS-encrypted HTTPS
At Rest
- Airtable encrypts all stored data with AES-256
- Server-side secrets (API tokens, keys) are stored in permission-restricted files (chmod 600) and never hardcoded
- Redis (in-memory cache) stores temporary call state with automatic expiry — data does not persist to disk
Canadian Hosting
- Our primary server infrastructure is hosted in Canada
- PIPEDA-first design — Canadian data residency by default
3. Data Retention Schedule
We enforce strict retention limits. These are automated and run weekly — they are not manual or aspirational.
| Data Type | Retention | What Happens After | PIPEDA Rationale |
|---|---|---|---|
| Call transcripts | 90 days | Permanently deleted | Contains personal info, possibly health info. Minimize retention. |
| Call recordings (audio) | 90 days | Permanently deleted from Twilio | Storage-intensive and privacy-sensitive. |
| Call logs & metadata | 12 months | Caller phone number anonymized; aggregate stats retained | Reasonable business purpose for trend analysis. |
| Appointments | 12 months after completion | Deleted | Business records, needed for no-show patterns. |
| AI call summaries | Retained | Contain no direct personal identifiers | Operational value; no PII after transcript deletion. |
| n8n workflow execution data | 90 days | Purged from database | Internal operational data, not needed long-term. |
4. Automated Data Lifecycle
Our data retention is enforced by automated processes:
- Weekly transcript purge — transcripts older than 90 days are permanently deleted from the database. AI-generated call summaries (which contain no direct personal identifiers) are retained.
- Weekly caller anonymization — call records older than 12 months have the caller phone number replaced with "ANONYMIZED". Aggregate statistics remain for business reporting.
- Weekly recording cleanup — Twilio recording SIDs older than 90 days are deleted via API, then the reference is cleared from our records.
- Weekly execution purge — internal workflow execution data older than 90 days is removed.
All retention processes support --dry-run mode for auditability and can be run on-demand.
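The weekly purge and anonymization steps above, as an added example (not iHospitality's own code): it applies the 90-day transcript and 12-month caller-number rules to a constructed SQLite table, keeps the AI summaries, and supports the dry-run mode so an operator can see the counts before anything is written. The table layout and sample calls are assumptions.

```python
import sqlite3
import sys
from datetime import datetime, timedelta, timezone

TRANSCRIPT_DAYS = 90     # transcripts purged after 90 days
ANONYMIZE_DAYS = 365     # caller number replaced after 12 months
ANONYMIZED = "ANONYMIZED"


def seed_db():
    """Constructed sample data: three calls aged 10, 120 and 400 days (not real records)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE calls (id INTEGER PRIMARY KEY, tenant_id TEXT, "
                 "caller_phone TEXT, transcript TEXT, summary TEXT, started_at TEXT)")
    now = datetime.now(timezone.utc)
    rows = [("tenant-a", "+15550000001", "hello, I'd like a table", "Booked a table", 10),
            ("tenant-a", "+15550000002", "hi, are you open Sunday", "Asked about hours", 120),
            ("tenant-b", "+15550000003", "I need to cancel", "Cancelled booking", 400)]
    conn.executemany("INSERT INTO calls (tenant_id, caller_phone, transcript, summary, started_at) "
                     "VALUES (?, ?, ?, ?, ?)",
                     [(t, p, tr, s, (now - timedelta(days=d)).isoformat()) for t, p, tr, s, d in rows])
    conn.commit()
    return conn


def run_retention(conn, now=None, dry_run=False):
    """Weekly job: clear old transcripts (summaries stay), anonymize old caller numbers.
    Returns the counts that go to the audit log; in dry-run mode nothing is written."""
    now = now or datetime.now(timezone.utc)
    transcript_cutoff = (now - timedelta(days=TRANSCRIPT_DAYS)).isoformat()
    anonymize_cutoff = (now - timedelta(days=ANONYMIZE_DAYS)).isoformat()
    purge_where = "transcript IS NOT NULL AND started_at < ?"
    anon_where = "caller_phone != ? AND started_at < ?"
    # Count first so a dry run reports exactly what a real run would touch.
    to_purge = conn.execute(f"SELECT COUNT(*) FROM calls WHERE {purge_where}",
                            (transcript_cutoff,)).fetchone()[0]
    to_anon = conn.execute(f"SELECT COUNT(*) FROM calls WHERE {anon_where}",
                           (ANONYMIZED, anonymize_cutoff)).fetchone()[0]
    if not dry_run:
        conn.execute(f"UPDATE calls SET transcript = NULL WHERE {purge_where}", (transcript_cutoff,))
        conn.execute(f"UPDATE calls SET caller_phone = ? WHERE {anon_where}",
                     (ANONYMIZED, ANONYMIZED, anonymize_cutoff))
        conn.commit()
    return {"dry_run": dry_run, "transcripts_purged": to_purge,
            "callers_anonymized": to_anon, "run_at": now.isoformat()}


if __name__ == "__main__":
    print(run_retention(seed_db(), dry_run="--dry-run" in sys.argv))
```

Running the job twice is safe: the second pass finds nothing left to purge or anonymize.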
5. Right to Erasure
Under PIPEDA, individuals have the right to request deletion of their personal information. We support this through an automated, audit-logged deletion process.
What Gets Deleted
When a business client requests full data deletion (offboarding), our process removes:
- All voice call records associated with the business
- All Twilio recordings (audio files)
- All appointments, staff records, business hours, holidays, and service listings
- All cached data in Redis
- The client record itself
Audit Trail
Every deletion action is logged with timestamps, record counts, and operator identity. The audit log is retained separately for compliance verification.
Individual Caller Requests
If an individual caller (not a business client) requests deletion of their data, email privacy@ihospitality.ca. We will locate and delete all records associated with your phone number within 30 days.
6. Sub-Processors
These third-party services process data as part of our service delivery:
| Provider | Purpose | Data Shared | Certifications |
|---|---|---|---|
| Twilio | Call routing, telephony, SMS | Phone numbers, call audio, SMS content | SOC 2 Type II, ISO 27001, Canadian PoPs |
| Anthropic | AI conversation processing | Call transcript (real-time, streamed) | Zero-retention API policy, SOC 2 Type II |
| Airtable | Business data storage | Call records, appointments, client profiles | SOC 2 Type II, AES-256 at rest |
| Redis (self-hosted) | Temporary call state caching | Call metadata (auto-expires) | Self-hosted on Canadian server, in-memory only |
7. Per-Tenant Isolation
Each business client's data is logically separated:
- Every business is assigned a unique tenant ID
- All queries are scoped to the tenant — one business cannot access another's data
- API tokens are scoped and credentials are not shared between tenants
- Portal access is authenticated per-tenant with JWT tokens scoped to each client
- Redis cache keys are namespaced by tenant ID with automatic expiry
8. Access Controls
- API tokens — scoped to minimum required permissions
- File permissions — secrets stored with chmod 600 (owner-only access)
- No shared credentials — each service uses its own authentication
- Portal authentication — bcrypt-hashed passwords, JWT with 48-hour expiry
- Environment isolation — secrets are loaded from protected environment files, never committed to code
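The tenant-scoped JWT described in sections 7 and 8, as an added example (not the portal's own code): tokens carry a single tenant_id claim, expire 48 hours after issue, are verified with a constant-time HMAC comparison, and a request that names a tenant other than the one in its token is refused. The signing key, claim names and HS256 choice are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

TOKEN_TTL = 48 * 3600                      # 48-hour expiry, as in section 8
SECRET = b"constructed-demo-key-not-real"  # in production: loaded from a chmod 600 env file


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(tenant_id, user, now=None):
    """Mint an HS256 JWT whose tenant_id claim pins it to exactly one business client."""
    now = int(now if now is not None else time.time())
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": user, "tenant_id": tenant_id, "iat": now, "exp": now + TOKEN_TTL}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_token(token, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":   # refuse any other algorithm
            return None
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
    except ValueError:                       # malformed base64 or JSON
        return None
    if int(now if now is not None else time.time()) >= claims.get("exp", 0):
        return None
    return claims


def tenant_scope(token, requested_tenant, now=None):
    """Tenant ID every query in this request must be scoped to, or None if the caller
    is unauthenticated or is asking for a tenant its token does not cover."""
    claims = verify_token(token, now)
    if claims is None or claims.get("tenant_id") != requested_tenant:
        return None
    return claims["tenant_id"]
```

Database and Redis lookups then take the tenant returned by tenant_scope, never a tenant value supplied by the request itself.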
9. Backups
We maintain automated backups to protect against data loss:
| What | Frequency | Retention | Integrity |
|---|---|---|---|
| Application database (SQLite) | Daily | 30 days rolling | Integrity check on every backup |
| Business data (Airtable) | Weekly | 6 months | Full table export with pagination |
Backups are stored locally on our Canadian server infrastructure.
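The daily SQLite backup row above, as an added example (not iHospitality's own backup script): it snapshots the live database with the SQLite online-backup API, runs PRAGMA integrity_check against the copy before keeping it, and deletes copies older than the 30-day rolling window. File naming and the backup directory are assumptions.

```python
import os
import sqlite3
import time
from pathlib import Path

BACKUP_KEEP_DAYS = 30   # rolling retention from the table above


def rotate_backups(backup_dir, now=None):
    """Delete backups older than the rolling window; returns the file names removed."""
    now = now if now is not None else time.time()
    cutoff = now - BACKUP_KEEP_DAYS * 86400
    removed = []
    for f in sorted(Path(backup_dir).glob("app-*.sqlite")):
        if f.stat().st_mtime < cutoff:
            f.unlink()
            removed.append(f.name)
    return removed


def backup_database(src_path, backup_dir, now=None):
    """Snapshot the live DB, verify the copy, rotate old copies; returns the backup path.
    Raises if the copy fails its integrity check, so a corrupt backup is never retained."""
    now = now if now is not None else time.time()
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    dest = backup_dir / f"app-{time.strftime('%Y%m%d-%H%M%S', time.gmtime(now))}.sqlite"
    src, dst = sqlite3.connect(src_path), sqlite3.connect(dest)
    try:
        src.backup(dst)   # consistent snapshot even while the application is writing
    finally:
        src.close()
        dst.close()
    check = sqlite3.connect(dest)
    try:
        result = check.execute("PRAGMA integrity_check").fetchone()[0]  # run on the copy
    finally:
        check.close()
    if result != "ok":
        dest.unlink()
        raise RuntimeError(f"backup failed integrity check: {result}")
    os.utime(dest, (now, now))   # stamp with the run time the rotation window is measured from
    rotate_backups(backup_dir, now)
    return dest
```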