GDPR Compliance

Last Updated: December 17, 2025

AIAnswerPhone is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page outlines our GDPR compliance measures and your rights as a data subject.

1. What is UK GDPR?

The UK GDPR is the UK's data protection law that came into effect on 1 January 2021, replacing the EU GDPR in UK law. It provides individuals with enhanced rights regarding their personal data and imposes strict obligations on organisations that process personal data.

Key principles of UK GDPR include:

• Lawfulness, fairness, and transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity and confidentiality
• Accountability

2. Our Legal Basis for Processing

Under UK GDPR, we process your personal data based on the following legal bases:

2.1 Contract (Article 6(1)(b))

We process your data to fulfil our service agreement with you, including:

• Account creation and management
• Providing AI call answering services
• Processing payments and subscriptions
• Delivering call transcripts and notifications

2.2 Legitimate Interests (Article 6(1)(f))

We process data for our legitimate business interests, such as:

• Improving our service quality
• Preventing fraud and ensuring security
• Analysing usage patterns
• Direct marketing (with opt-out options)

2.3 Legal Obligation (Article 6(1)(c))

We process data to comply with legal requirements, including:

• Tax and accounting obligations
• Regulatory compliance
• Court orders and legal requests

2.4 Consent (Article 6(1)(a))

Where we rely on consent, you have the right to withdraw it at any time. This includes:

• Marketing communications
• Non-essential cookies
• Optional data sharing

3. Your Rights Under UK GDPR

As a data subject, you have the following rights:

3.1 Right of Access (Article 15)

You have the right to obtain confirmation that we process your personal data and to access that data, including:

• What personal data we hold about you
• Why we are processing it
• Who we share it with
• How long we keep it

How to exercise: Contact us at hello@aianswerphone.co.uk with "Data Subject Access Request" in the subject line.

3.2 Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete personal data. You can update most information directly through your account dashboard.

3.3 Right to Erasure - "Right to be Forgotten" (Article 17)

You can request deletion of your personal data when:

• It is no longer necessary for the original purpose
• You withdraw consent (where consent was the basis)
• You object to processing and there are no overriding legitimate grounds
• It has been unlawfully processed

Note: We may retain certain data where required by law (e.g., financial records for 7 years).

3.4 Right to Restrict Processing (Article 18)

You can request that we limit how we use your data in certain circumstances, such as when you contest its accuracy or object to processing.

3.5 Right to Data Portability (Article 20)

You can request a copy of your data in a structured, commonly used, and machine-readable format. This applies to data you provided and that we process by automated means based on consent or contract.

3.6 Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we can demonstrate compelling legitimate grounds.

3.7 Rights Related to Automated Decision-Making (Article 22)

You have rights regarding automated processing, including profiling, that produces legal or similarly significant effects. Our AI call answering service does not make automated decisions that significantly affect you without human review.

4. How to Exercise Your Rights

To exercise any of your GDPR rights:

1. Email us: hello@aianswerphone.co.uk or dpo@aianswerphone.co.uk
2. Specify your request: Clearly state which right you wish to exercise
3. Provide identification: We may need to verify your identity for security

We will respond to your request within one month (may be extended by two months for complex requests).

5. Data Protection Measures

We implement appropriate technical and organisational measures to protect your personal data:

5.1 Technical Measures

• Encryption: Data encrypted in transit (TLS/SSL) and at rest
• Access Controls: Role-based access with authentication
• Secure Infrastructure: Hosted on secure, compliant servers
• Regular Backups: Encrypted backups with secure storage
• Security Monitoring: Continuous monitoring for threats

5.2 Organisational Measures

• Staff Training: Regular GDPR and data protection training
• Data Protection Officer: Designated DPO for compliance
• Policies and Procedures: Comprehensive data protection policies
• Data Processing Agreements: Contracts with all processors
• Incident Response: Procedures for data breach notification

6. Data Processing Records

We maintain records of our processing activities as required by UK GDPR Article 30, including:

• Purposes of processing
• Categories of data subjects and personal data
• Categories of recipients
• Data retention periods
• Security measures

7. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms:

• We will notify the ICO within 72 hours of becoming aware
• We will notify you without undue delay if the breach poses a high risk
• We will provide details of the breach and measures taken

8. International Data Transfers

Your data is primarily stored within the UK and EEA. If we transfer data outside the UK/EEA, we ensure appropriate safeguards:

• Adequacy decisions by the UK government
• Standard Contractual Clauses (SCCs)
• Binding Corporate Rules
• Other approved transfer mechanisms

9. Data Retention

We retain personal data only for as long as necessary:

• Account Data: While your account is active, plus 7 years for legal compliance
• Call Recordings: According to your subscription plan settings
• Financial Records: 7 years as required by UK tax law
• Marketing Data: Until you unsubscribe or object

After retention periods expire, data is securely deleted or anonymised.

10. Children's Data

Our service is not intended for individuals under 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it immediately.

11. Complaints

If you believe we have not handled your personal data in accordance with UK GDPR, you have the right to lodge a complaint with the Information Commissioner's Office:

We encourage you to contact us first so we can address your concerns directly.

12. Updates to This Page

We may update this GDPR compliance page to reflect changes in our practices or legal requirements. The "Last Updated" date at the top indicates when changes were made.

13. Contact Our Data Protection Officer

For GDPR-related inquiries, you can contact our Data Protection Officer:

• Email: dpo@aianswerphone.co.uk
• General Inquiries: hello@aianswerphone.co.uk

14. Related Documents

For more information, please review:

• Privacy Policy - Detailed information about data collection and use
• Cookie Policy - Information about our use of cookies
• Terms of Service - Our service terms and conditions