callmy.attorney logocallmy.attorney
Sign inGet started
LEGAL

Privacy Policy

Last updated: 2026-05-26

Template notice. This Privacy Policy is a starting template that reflects the data flows in the Service as built. It has not been reviewed by counsel. Before any production launch, this document must be reviewed and revised by a qualified attorney for your jurisdiction.

1. Who we are

callmy.attorney(“Provider”, “we”, “us”, “our”) operates Lawyer Assistant (the “Service”), an AI-powered voice intake system for law firms. This policy describes how we collect, use, and share information when you or your callers interact with the Service.

2. Two kinds of people we collect data about

We process information for two distinct groups, and our obligations differ for each:

  • Subscribers — lawyers, law firms, and their authorized users who sign up for, configure, and pay for the Service.
  • Callers — individuals who dial a phone number routed through the Service to schedule a consultation with a Subscriber.

3. Information we collect

From Subscribers

  • Account information from our authentication provider: name, email address, profile photo, organization (firm) name and slug.
  • Calendar credentials: encrypted OAuth refresh tokens for Google Calendar and/or Microsoft 365 accounts you connect.
  • Service configuration: office hours, supported languages, default consultation length, agent prompt customizations, voice preferences, phone number identifiers.
  • Optional bring-your-own credentials (e.g., ElevenLabs API key), encrypted at rest if you choose to provide them.

From Callers

When you dial a phone number routed through the Service, we process the following on behalf of the Subscriber whose number you called:

  • Your phone number, in E.164 format.
  • Voice audio of the call, if call recording is enabled on the Subscriber's account.
  • A transcript of the call produced by automated speech recognition.
  • Information you provide during intake: your name, callback phone, email address, jurisdiction (e.g., state or country), practice area of interest, urgency, and a brief non-privileged summary of your matter.
  • The inferred language of the call.
  • Call metadata: start time, end time, duration, and a unique call identifier.

From all visitors

  • IP address, user agent, and basic device characteristics.
  • Strictly necessary authentication cookies. We do not use advertising or third-party analytics cookies.

Information we intentionally do NOT collect

The AI agent is configured with strict privacy guardrails and will decline to ask for, repeat, or record the following categories of sensitive information during a call:

  • Social Security numbers, taxpayer ID numbers, or any other government identification numbers.
  • Bank account numbers, credit card numbers, or other payment credentials.
  • Medical record details or treatment specifics.
  • Passwords or account credentials.
  • Immigration A-numbers.
  • Privileged attorney-client communication content.

If a Caller volunteers such information, the agent is instructed to steer the conversation back to non-privileged intake and not acknowledge or repeat the value. We make no guarantee, however, that sensitive information will never be captured in a transcript if volunteered repeatedly; Subscribers should review and redact transcripts before sharing externally.

4. How we use the information

  • To answer inbound calls and conduct voice intake on behalf of the Subscriber.
  • To query free/busy data and write events to a secondary calendar in the Subscriber's connected calendar account.
  • To send transactional emails: consultation confirmations with calendar invites to Callers; intake summaries with transcripts to Subscribers.
  • To improve the quality, reliability, and security of the Service.
  • To comply with legal obligations and respond to lawful requests.

We do not sell personal information. We do not use call audio, transcripts, or intake data to train our machine learning models or those of our sub-processors.

5. AI disclosure and call recording

  • Calls answered by the Service are handled by an AI agent, not a human.
  • At the start of each call, the agent identifies itself as an AI assistant.
  • Calls may be recorded. Recording laws and AI-disclosure laws vary by jurisdiction (e.g., California AB 2905, Florida SB 1262, two-party consent recording statutes in CA / FL / IL / MD / MA / MT / NH / PA / WA, the EU AI Act, UK Ofcom CLI rules).
  • Subscribers are responsiblefor ensuring the agent's opening message, recording practices, and overall use of the Service comply with the laws of every jurisdiction from which their callers may originate.

6. Sub-processors and service providers

We rely on the following sub-processors to deliver the Service. Each is contractually obligated to process data only as necessary to provide the contracted service.

ProviderRoleData we share
Clerk, Inc.User authentication and organization managementSubscriber name, email, profile photo, social-login identifiers
Vapi Labs, Inc.Real-time call orchestration, speech-to-text (via Deepgram), function-call routing, optional call recording storageCaller phone number, full call audio, transcripts, function-call payloads (slot selection, intake fields)
Twilio, Inc.Phone number provisioning and PSTN connectivity (when Subscriber selects a Twilio-backed number)Caller phone number, call metadata; no audio content
ElevenLabs, Inc.AI voice synthesis (text-to-speech) for the agent's spoken outputText the agent speaks (never inbound caller speech)
OpenAI, Inc. and/or Anthropic, PBC (via Vercel AI Gateway)Large language model providing the agent's reasoning and post-call intake extractionConversation turns, system prompts, transcripts. We route through providers with zero data retention configured where available.
Resend, Inc.Transactional email deliveryRecipient email, message subject, message body, .ics attachment
Google LLCCalendar free/busy lookups and event creation on a secondary calendar (Subscribers who connect Google only)Encrypted OAuth tokens, event title and description, attendee email, start/end times
Microsoft CorporationSame as Google, for Outlook / Microsoft 365 connectionsEncrypted OAuth tokens, event metadata, attendee email
Neon, Inc.Managed Postgres database hostingAll structured Subscriber and call data, including transcripts and intake summaries
Vercel, Inc.Application hosting, AI Gateway routing, Vercel Blob private object storage for audio recordingsAll HTTP request traffic, including audio recordings stored in private buckets
ngrok, Inc. (development only)Local development tunneling. Not used in production.Request traffic during development only

We may add or replace sub-processors. Material changes will be announced in this policy and, where required, communicated to Subscribers in advance.

7. Data retention

  • Call transcripts, audio recordings, and structured intake data are retained for the period configured in the Subscriber's agent settings (default 90 days). After the retention window, records are automatically purged on a scheduled job.
  • Booking records (calendar event identifiers, scheduled time, participant emails) are retained while the consultation is upcoming and for a reasonable period afterward.
  • Audit logs are retained for one year for security and incident response.
  • Subscriber account information is retained for the lifetime of the account. Deleting the account removes the organization record; associated data is purged within 30 days, subject to lawful retention obligations.

8. Data security

  • All data is transmitted over TLS 1.2 or higher.
  • OAuth refresh tokens, ElevenLabs API keys, and similar credentials are encrypted at rest with AES-256-GCM using a server-side key.
  • Audio recordings live in private object storage with signed, expiring URLs scoped to authenticated members of the relevant organization.
  • Database access is restricted by network controls and credential rotation.
  • Webhook payloads from Vapi are HMAC-verified before being processed.
  • OAuth state during the calendar-connection flow is HMAC-signed and bound to the requesting user.

No security control is perfect. If you discover a security issue, please report it to info@callmyattorney.io.

9. Your rights

Depending on your jurisdiction, you may have the right to access, correct, delete, port, or object to the processing of your personal information; to withdraw consent; and to lodge a complaint with a supervisory authority. Specific rights frameworks include:

  • The EU and UK General Data Protection Regulation (GDPR / UK GDPR)
  • The California Consumer Privacy Act / California Privacy Rights Act (CCPA / CPRA)
  • Other state and national privacy laws as applicable

To exercise these rights, contact info@callmyattorney.io. We respond within 30 days. We may need to verify your identity before fulfilling certain requests.

10. If you are a Caller

If your data was collected because you dialed a phone number routed through the Service, the Subscriber whose number you called is the data controller for your information; we act as their processor. You may direct deletion or access requests directly to the Subscriber. You may also contact us at info@callmyattorney.io and we will route the request appropriately.

11. International data transfers

The Service and its sub-processors operate primarily in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the U.S., which may have data protection laws that differ from your jurisdiction. Where required, we rely on Standard Contractual Clauses or equivalent legal mechanisms for international transfers.

12. Children's privacy

The Service is not directed to children under 16. We do not knowingly collect personal information from children. If you believe we have, please contact us and we will delete it.

13. Cookies

We use only strictly-necessary authentication cookies (set by our authentication provider). We do not use advertising, marketing, or third-party analytics cookies. Disabling cookies will prevent you from signing in.

14. Not a HIPAA covered entity

The Service is not designed as a HIPAA covered entity or business associate and is not intended for the transmission of Protected Health Information. Subscribers and Callers should not use the Service to collect medical record specifics. See Section 3 for what the agent is configured to refuse.

15. Text messaging (SMS)

  • When you provide a mobile phone number to the Service (for example, as a Caller booking a consultation), you consent to receive transactional text messages such as appointment confirmations and reminders.
  • Message frequency varies based on your interactions — typically one or a few messages per booking.
  • Message and data rates may apply, depending on your mobile carrier and plan.
  • Reply STOP at any time to opt out of further messages, or HELP for assistance.
  • We do not sell or share mobile phone numbers, or any information gathered through the SMS program, with third parties or affiliates for their own marketing or promotional purposes. Mobile numbers are used solely to deliver the transactional messages described above.

16. Changes to this policy

We may revise this policy. We will post the revised version here and update the “Last updated” date. For material changes affecting Subscribers, we will email the address on file before the change takes effect.

17. Contact

callmy.attorney
info@callmyattorney.io