Privacy Policy

How VoiceLab collects, uses, shares, and protects personal information.

Version 2.0.0 | Effective 2026-05-14 | DRAFT — pending NY attorney review

VoiceLab Privacy Policy

Version 2.0.0 — Effective 2026-05-14

This Privacy Policy explains how Modern Approach USA LLC, a New York limited liability company ("VoiceLab," "we," "us," "our"), collects, uses, shares, and protects personal information in connection with the AI voice receptionist and communications platform we operate at voicelabnyc.com (the "Service").

This policy applies to (a) people who hold an account with VoiceLab ("Customers"), (b) callers and SMS recipients who interact with our Customers' AI agents through the Service ("End Callers"), and (c) visitors to voicelabnyc.com.

[ATTORNEY REVIEW REQUIRED] — confirm scope statement and that it correctly distinguishes our Controller-of-our-own-data role from our Processor-of-Customer-data role.

1. Who we are

Modern Approach USA LLC operates the Service. Our registered office is at (written request to legal@voicelabnyc.com).

Contact us about privacy: privacy@voicelabnyc.com.

EU/UK representative: [ATTORNEY REVIEW REQUIRED] — designate an EU/UK Article 27 representative (e.g., via prighter.com) before processing personal data of individuals in the EEA or UK.

2. Categories of data we collect

From Customers (account holders):

  • Account information: name, business name, email address, phone number, billing address, role/title.
  • Authentication data: hashed password, multi-factor authentication tokens, session identifiers.
  • Payment information: last four digits of payment card, card brand, billing ZIP. Full card details are handled by Stripe and never stored on VoiceLab systems.
  • Usage information: pages visited, features used, API calls, IP address, browser/device metadata.
  • Customer Data: the content you upload, configure, and process through the Service, including AI agent prompts, contact lists, knowledge base documents, and configuration.

From End Callers (callers and SMS recipients of our Customers):

  • Phone number (caller ID).
  • Voice audio captured during inbound or outbound calls.
  • Transcripts of conversations generated from voice audio.
  • Call metadata: time, duration, direction, outcome, recording retention status.
  • Conversational content the End Caller provides (name, intent, scheduling info, message body, any other information they share).

From visitors to voicelabnyc.com:

  • IP address, browser/device metadata, referrer URL, pages viewed.
  • Cookie identifiers (see Section 13).
  • Information submitted via contact, demo, or sales forms.

3. Voice processing — how a call flows

When a call is received or placed via VoiceLab, the following voice-processing chain occurs in real time:

  1. Twilio — the call is connected via Twilio (telephony provider).
  2. Vapi — audio is streamed to Vapi for voice orchestration.
  3. Deepgram — Vapi sends audio to Deepgram for real-time speech-to-text transcription.
  4. OpenAI — transcripts are sent to OpenAI for response generation. We use a zero-retention configuration; OpenAI does not retain or train on Customer Data per their API data usage policy effective March 2023.
  5. ElevenLabs (or Cartesia as alternative) — response text is sent for text-to-speech synthesis.
  6. Caller — synthesized voice is streamed back to the End Caller via Twilio.
  7. Supabase — the full call audio and transcript are stored in VoiceLab's database (Supabase, hosted on AWS us-east-1) for the retention period in Section 7.

Each vendor in this chain is bound to us by a written agreement that limits use of the data to providing services to us.

[ATTORNEY REVIEW REQUIRED] — confirm OpenAI zero-retention configuration is technically enforced and contractually documented before publishing this representation.

4. Subprocessors

We use the following subprocessors to deliver the Service. We post updates to this list at voicelabnyc.com/privacy. Material changes are notified to Customers at least 30 days before they take effect, and Customers may object by terminating the affected subscription before the change takes effect.

| Name | Purpose | Data | Location | DPA URL |
| Supabase | Primary database, file storage, authentication | Account data, Customer Data, call audio, transcripts | United States (AWS us-east-1) | https://supabase.com/legal/dpa |
| Vercel | Application hosting, edge network, serverless functions | Account data, request metadata, IP addresses | United States | https://vercel.com/legal/dpa |
| Stripe | Subscription billing, payments | Account data, payment metadata (full card data handled by Stripe only) | United States | https://stripe.com/legal/dpa |
| Twilio | Inbound and outbound telephony, SMS | Phone numbers, call audio, SMS content, call metadata | United States | https://www.twilio.com/legal/data-protection-addendum |
| Vapi | Voice orchestration | Call audio, transcripts, agent configuration | United States | https://vapi.ai/legal/dpa |
| Deepgram | Speech-to-text transcription | Call audio | United States | https://deepgram.com/legal/dpa |
| OpenAI | Large language model (response generation) | Transcripts, agent prompts (zero-retention configuration) | United States | https://openai.com/policies/data-processing-addendum |
| ElevenLabs | Text-to-speech synthesis | Response text | United States | https://elevenlabs.io/dpa |
| Cartesia | Text-to-speech synthesis (alternative provider) | Response text | United States | https://cartesia.ai/legal/dpa |
| Resend or Postmark | Transactional email delivery | Account email, message content | United States | https://resend.com/legal/dpa or https://postmarkapp.com/dpa |
| PostHog | Product analytics (US instance) | Usage metadata, IP address, session events | United States | https://posthog.com/dpa |
| Sentry | Error and performance monitoring | Error metadata, stack traces, IP address | United States | https://sentry.io/legal/dpa/ |
| Mercury | Banking partner — payment metadata only | Bank transfer metadata (no End Caller data) | United States | [ATTORNEY REVIEW REQUIRED] — confirm Mercury Business banking DPA URL or whether a DPA is contractually required |

[ATTORNEY REVIEW REQUIRED] — verify each DPA URL is current and that we have executed each subprocessor DPA before relying on it in this list.

5. Purposes for which we use information

We use information to:

  • Provide, operate, and maintain the Service.
  • Authenticate Customers and End Callers, and protect account security.
  • Process payments and manage billing.
  • Communicate with Customers about their accounts, the Service, and changes to legal terms.
  • Improve the Service, including AI quality and reliability, using aggregated and de-identified data.
  • Detect, prevent, and respond to fraud, abuse, and security incidents.
  • Comply with legal obligations and respond to lawful requests from public authorities.
  • With Customer consent, send marketing communications about new features (Customers can opt out at any time via the unsubscribe link in those emails).

We do not sell personal information. We do not use Customer Data or End Caller information to train third-party AI models. We use only de-identified, aggregated metrics to improve our own product features.

6. Legal bases for processing (GDPR / UK GDPR)

For individuals in the European Economic Area, United Kingdom, or Switzerland, our legal bases for processing personal data are:

  • Contract performance (Art. 6(1)(b) GDPR) — to provide the Service to a Customer who has entered into a contract with us, and to enable Customers to communicate with End Callers.
  • Legitimate interests (Art. 6(1)(f) GDPR) — to operate, secure, monitor, and improve the Service, to detect and prevent fraud, and to develop new features. We balance our interests against your rights and freedoms before relying on this basis.
  • Legal obligation (Art. 6(1)(c) GDPR) — to comply with tax, accounting, anti-money-laundering, and other legal requirements.
  • Consent (Art. 6(1)(a) GDPR) — where required, for marketing communications, certain cookies, and biometric processing under applicable law. You may withdraw consent at any time without affecting the lawfulness of prior processing.

For special categories of personal data (including biometric data, where applicable), we rely on explicit consent (Art. 9(2)(a) GDPR) or another applicable Article 9 condition.

[ATTORNEY REVIEW REQUIRED] — confirm GDPR legal-basis mapping with EU-qualified privacy counsel.

7. Data retention

We retain personal information for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Default and HIPAA-mode retention windows are below; Customers may configure shorter retention for certain data categories within the limits below.

| Data category | Default retention | HIPAA-mode retention |
| Account information | Life of account + 6 years (tax/legal records) | Same |
| Customer Data (configurations, prompts, knowledge base) | Life of account | Same |
| Call recordings | 90 days | 30 days, or 6 years for designated record-set (configurable) |
| Call transcripts | 90 days | 30 days, or 6 years for designated record-set (configurable) |
| SMS history | 12 months | 30 days |
| API logs | 90 days | 90 days |
| Security/audit logs | 1 year (minimum) | 6 years (HIPAA Security Rule § 164.316(b)(2)) |
| Billing records | 7 years (IRS) | 7 years |

You can request earlier deletion of your data by emailing privacy@voicelabnyc.com, subject to our legal retention obligations and any contractual obligations to a Customer (where you are an End Caller).

8. Sharing and sale of personal information

We share personal information only with:

  • Subprocessors listed in Section 4, under written contracts limiting their use to providing services to us.
  • Customers, where we are processing End Caller data on their behalf — End Callers should direct privacy requests about a specific Customer's data to that Customer first.
  • Public authorities and law enforcement, when required by valid legal process or to protect rights, safety, or property.
  • Successors, in connection with a merger, acquisition, financing, reorganization, or sale of assets — subject to confidentiality obligations and notice to affected individuals where required by law.

We do not sell personal information as that term is defined in the California Consumer Privacy Act, and we do not "share" personal information for cross-context behavioral advertising.

9. International data transfers

We are based in the United States, and our subprocessors process data primarily in the United States. For personal data originating in the European Economic Area, United Kingdom, or Switzerland, transfers to the United States are made under the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum, where applicable), together with supplementary technical and organizational measures as required.

A copy of the Standard Contractual Clauses we rely on is available on request to privacy@voicelabnyc.com.

[ATTORNEY REVIEW REQUIRED] — confirm whether to certify under the EU–U.S. Data Privacy Framework (DPF) and update this section accordingly.

10. Biometric information

When you call, are called by, or otherwise interact with a VoiceLab-powered system, your voice audio is captured, transmitted, and processed by our voice-processing vendors (see Section 3). To the extent any such processing constitutes the collection of "biometric identifiers" or "biometric information" under the Illinois Biometric Information Privacy Act (740 ILCS 14, "BIPA"), the Texas Capture or Use of Biometric Identifier statute (Tex. Bus. & Comm. Code § 503.001, "CUBI"), the Washington biometric statute (RCW 19.375 and HB 1493), or any similar law:

  • Explicit consent. We process voice audio only after the End Caller has been informed via the AI disclosure described in Section 11 and has continued the call. Where applicable law requires written or specific opt-in consent for biometric processing, the responsibility for obtaining that consent rests with the Customer who initiates or operates the call line, who is the controller of that interaction.
  • Purpose. To authenticate the End Caller (where Customer-configured), to convert speech to text for the operation of voice-based customer service on behalf of our Customer, and to synthesize a spoken response.
  • Retention limit. Voice recordings are retained for the period stated in Section 7. Any biometric-identifier byproducts of processing (e.g., voice embeddings used by speech engines) are not retained beyond the lifetime of the underlying call recording, and in no event longer than three years from the End Caller's last interaction with the Service, as required by 740 ILCS 14/15(a).
  • Deletion right. End Callers may request deletion of voice audio and any biometric byproducts by emailing privacy@voicelabnyc.com. We will honor verified deletion requests within 30 days, subject to legal retention obligations.
  • Third-party disclosure. Voice data is shared only with the subprocessors listed in Section 4, under written contracts limiting use to providing the Service.
  • No sale. We do not sell biometric information.

If you have not consented to such processing and you have received a call from a VoiceLab-powered system, please advise the AI at any time during the call by saying "stop" or similar — the AI will end the call and we will add your number to our internal do-not-call list maintained on behalf of the Customer who initiated the call.

[ATTORNEY REVIEW REQUIRED] — confirm BIPA / CUBI / Washington compliance posture and explicit-consent flow before relying on this section. Voice biometrics are a high-litigation area in Illinois.

11. AI disclosure

Calls handled by VoiceLab are handled by an artificial intelligence assistant. We disclose this at the beginning of every call by speaking a recorded notice within the first seconds. This disclosure cannot be disabled by Customers. Where state or local law (such as California Bus. & Prof. Code § 17941, the "California Bot Disclosure Law") requires additional disclosures, the AI is configured to make those disclosures upon request.

12. Your rights

California (CCPA / CPRA)

California residents have the right to:

  • Know what personal information we collect, use, share, and disclose.
  • Delete personal information, subject to legal retention obligations.
  • Correct inaccurate personal information.
  • Opt out of sale or sharing of personal information. We do not sell or share personal information for cross-context behavioral advertising.
  • Limit use of sensitive personal information. Voice recordings are sensitive personal information.
  • Not be discriminated against for exercising your rights.

To exercise: email privacy@voicelabnyc.com with subject "CCPA Request" and provide your name and a way to verify your identity. You may designate an authorized agent to make a request on your behalf.

We are a "Service Provider" under CCPA when processing data on behalf of our Customers. Requests about a specific Customer's data should be directed to that Customer first; we will assist Customers in fulfilling such requests.

EU / UK / Switzerland (GDPR / UK GDPR)

EU/UK/Swiss residents have the rights of access, rectification, erasure, restriction, portability, objection, and to withdraw consent. To exercise: email privacy@voicelabnyc.com.

We are a "Processor" under GDPR when processing data on behalf of our Customers (the "Controller"). Requests about a specific Customer's data should be directed to that Customer first.

You have the right to lodge a complaint with your local supervisory authority. A list of EEA supervisory authorities is at https://edpb.europa.eu/about-edpb/board/members_en.

Other U.S. states

Residents of states with comprehensive privacy laws (including but not limited to Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others as enacted) have similar rights. Email privacy@voicelabnyc.com to exercise.

13. Cookies and analytics

We use:

  • Essential cookies for authentication, security, and site functionality (e.g., session token, CSRF token). These cannot be disabled.
  • Analytics cookies (PostHog) to understand product usage and improve the Service.
  • Error monitoring (Sentry) to detect and diagnose application errors.

For visitors in the EU, UK, or EEA, non-essential cookies are not loaded until you accept them via our cookie banner. For California residents, you can opt out of any "sale" or "sharing" by using the link in our footer. See our Cookie Preferences page at voicelabnyc.com/cookie-preferences for full details and to manage your choices.

14. Children

The Service is not directed to anyone under 13 (or under 16 in the EEA/UK). We do not knowingly collect information from anyone under those ages. If you become aware that a child has provided personal information through the Service, email privacy@voicelabnyc.com and we will delete it.

15. Changes to this policy

We may update this Privacy Policy from time to time. The "Effective" date at the top reflects the latest update. Material changes are notified to Customers at least 30 days in advance via email and a prominent notice on the Service. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

Each prior version of this policy remains accessible at voicelabnyc.com/privacy/v[X.Y].

16. Security

We use encryption in transit (TLS 1.3) and at rest (AES-256), tenant isolation via Postgres row-level security, role-based access controls, and audit logging. We perform periodic vendor reviews. Despite these measures, no system is perfectly secure. In the event of a data breach affecting your personal information, we will notify affected individuals and applicable regulators within the timeframes required by law.

Report a vulnerability: security@voicelabnyc.com.

Contact

Modern Approach USA LLC (written request to legal@voicelabnyc.com)

privacy@voicelabnyc.com

[ATTORNEY REVIEW REQUIRED] — full document. This draft is intended as a starting point for review by New York–licensed privacy counsel (and, ideally, EU-qualified counsel for the GDPR sections) before publication.