Privacy Policy
Callweave is voice AI for regulated call workflows. This policy explains how Fractal Signals LLC, the company behind Callweave, handles personal data on its website and in its dealings with prospects and business contacts. It also draws the line, clearly and up front, between that activity and the customer call data we process strictly on our customers' behalf.
Who we are
Callweave is a product of Fractal Signals LLC, a Delaware limited liability company (Delaware file no. 10258703). In this policy, "Callweave", "we", "us" and "our" all refer to Fractal Signals LLC.
For anything to do with personal data or this policy, write to us at privacy@callweave.ai. For everything else, hello@callweave.ai reaches us.
Two roles: when we are a controller and when we are a processor
This is the most important thing to understand about how we handle data, so we put it first. We process personal data in two very different capacities, and only one of them is governed by this policy.
1. Our website, prospects and business contacts — we are the controller
When you visit callweave.ai, book a call review, send us a call sample for evaluation, email us, or negotiate an MNDA or DPA with us, we decide why and how that personal data is processed. For that activity we are the data controller under the UK GDPR and the EU GDPR. This policy governs that processing.
2. Customer call data on the Callweave platform — we are the processor
When a business customer runs calls, recordings, transcripts and case data through the Callweave platform, the personal data of that customer's end users (their callers) is processed by us only on the customer's documented instructions. For that activity we are a data processor acting on behalf of the customer, who is the controller.
That processing is not governed by this consumer-facing policy. It is governed by the Data Processing Addendum we enter into with each customer under Article 28 of the UK and EU GDPR. If you are an end user whose call was handled through Callweave and you have a question about your data, please contact the business you called, since they are the controller and decide how that data is used. See our sample DPA and our list of subprocessors for the detail.
We do not blur these roles. Customer call recordings, transcripts and case data are used only to run the workflows that customer has configured. We never use them to train shared models or to build benchmarks.
What personal data we collect as a controller
We keep this modest. We are a small company and we collect only what we need to talk to prospective and current customers and run our site.
Data you give us
- When you book a call review or get in touch: your name, work email, company, role, and anything you choose to put in your message.
- When you send us a call sample for evaluation: the audio or transcript you upload, which may contain the personal data of the people on the call. We treat this as sensitive and handle it under the retention rules below.
- When we negotiate an MNDA or DPA: the names, roles and contact details of the people signing or negotiating on your side.
- Email correspondence: the contents of emails you send to our hello@ or privacy@ addresses.
Data collected automatically
When you load the site, our hosting and the third-party services the page calls receive technical data such as your IP address, browser type and the pages you view. We describe exactly which third parties this involves in the Cookies and tracking section below.
Legal bases for processing
Under Article 6 of the UK and EU GDPR we rely on the bases set out below. Each purpose maps to one basis.
| Purpose | Data | Lawful basis |
|---|---|---|
| Responding to your enquiry or call-review request | Contact details, message contents, any call sample you send | Legitimate interests (Art. 6(1)(f)) — running and growing our business by answering people who approach us |
| Evaluating a call sample you upload and returning findings to you | Uploaded audio or transcript and its contents | Legitimate interests (Art. 6(1)(f)), and, where the sample contains third-party personal data, performed under your instructions as the controller of that sample |
| Limited B2B marketing to businesses we believe are relevant | Business contact details | Legitimate interests (Art. 6(1)(f)), subject to your right to object at any time |
| Negotiating and performing a contract, MNDA or DPA | Signatory and negotiator contact details, agreement contents | Contract (Art. 6(1)(b)) or legitimate interests where you act through a company |
| Setting non-essential cookies or similar technologies | Cookie and device identifiers | Consent (Art. 6(1)(a)) |
| Meeting our legal, tax and accounting obligations | Transaction and correspondence records | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms. You can ask us for the detail of that assessment, and you can object to processing based on legitimate interests at any time.
How long we keep it
- Enquiry and contact data: kept while there is a live business relationship or an active conversation, and for a limited period afterwards so we can pick up where we left off and meet our record-keeping obligations. We delete or anonymise it once there is no longer a reasonable need to hold it.
- Uploaded call samples: used only to produce the review you asked for and then deleted, unless you, as the customer, separately opt in to have a sample retained for a defined purpose.
- Contract, MNDA and DPA records: kept for the life of the agreement and for as long as we may need them to establish, exercise or defend legal claims, or as the law requires.
Who we share data with
We do not sell personal data. As a controller we share it only with the service providers that help us run the business, for example our email, hosting, scheduling and document-signing providers, each acting on our instructions under appropriate contractual terms. The third-party services our website itself calls are listed in the Cookies and tracking section. Our current providers are listed and kept up to date on our subprocessors page. We may also disclose data where we are legally required to, or to protect our rights, property or safety.
International transfers
Fractal Signals LLC is established in the United States. If you are in the UK or the EEA, the personal data we process about you as a controller may be transferred to and stored in the US, and may be accessed by our service providers there. Where it is, we put appropriate safeguards in place, such as the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum, together with any supplementary measures needed.
For platform data processed on behalf of customers, EU hosting is available on request, so that customer call data can be kept within the EU. Talk to us if your deployment requires it.
Your rights
If we hold personal data about you as a controller, you have the following rights under the UK and EU GDPR:
- Access — a copy of the personal data we hold about you.
- Rectification — correction of data that is wrong or incomplete.
- Erasure — deletion of your data where there is no longer a good reason for us to keep it.
- Restriction — to limit how we use your data while a question about it is resolved.
- Portability — to receive certain data in a portable format, or have it sent to another provider.
- Objection — to object to processing based on our legitimate interests, including any B2B marketing.
- Withdraw consent — where we rely on consent, you can withdraw it at any time, without affecting processing already carried out.
To exercise any of these, email privacy@callweave.ai. We respond within the timeframes the law sets. If you are an end user whose call was handled through the platform, please direct your request to the business you contacted, as they are the controller of that data.
You also have the right to complain to a supervisory authority. In the UK that is the Information Commissioner's Office (ICO); in the EEA it is the data protection authority in your country. We would appreciate the chance to address your concern first.
Security
We protect personal data with measures that include encryption in transit and at rest, role-based access control, PII redaction options, and audit logging of reviewer actions. No system is perfectly secure, but we work to keep our controls proportionate to the sensitivity of the data we handle. There is more detail on our Trust and Security page.
Cookies and tracking
We try to be specific about what the site actually loads, rather than copying a long generic cookie list. The callweave.ai pages call three third-party services, and your browser makes requests to them when a page loads. Those requests can result in cookies being set by the third party or your IP address being logged by them:
- Google Fonts (fonts.googleapis.com and fonts.gstatic.com) — to load the typefaces used across the site.
- The Lucide icon library served from unpkg.com — to load the icons used in the interface.
- Google's favicon service (google.com/s2/favicons) — used to display the logos of integrations we mention.
These are functional requests. We do not currently use advertising cookies, and we do not use analytics cookies that profile or track visitors across sites. On your first visit a cookie notice records your preference, and you can change or withdraw it any time by clearing this site's data in your browser. If we add analytics in future, we will place it behind a consent mechanism before any non-essential cookie is set.
| Category | What it covers | Set by |
|---|---|---|
| Strictly necessary | Requests required to serve and render the page securely | Us and our hosting provider |
| Third-party / functional | Fonts, icons and integration favicons loaded from external services, which may set cookies or log your IP address | Google (Fonts, favicons) and unpkg.com (Lucide) |
You can block or delete cookies through your browser settings. Blocking third-party requests may affect how fonts or icons display.
Children's data
Callweave is a business-to-business service. Our website and our platform are not directed at children, and we do not knowingly collect personal data from anyone under the age of 16. If you believe a child has provided us with personal data, contact privacy@callweave.ai and we will delete it.
Changes to this policy
We may update this policy as our business or the law changes. When we do, we will revise the date at the top of the page, and for material changes we will take reasonable steps to bring them to your attention.
How to contact us
For any privacy question, request or complaint, email privacy@callweave.ai. For general enquiries, use hello@callweave.ai.