Privacy Policy
Fonexa, operated by FREEDITY SOFTWARE (“Fonexa”, “we”, “us”), is an AI phone receptionist that answers missed calls for small businesses. This Privacy Policy explains what data we collect when you sign up for a Fonexa demo or paid plan, how we use that data, and what choices you have.
By using Fonexa you agree to the practices described here. If you do not agree, please do not use the service.
1. Who we are
Fonexa is a self-serve AI receptionist service operated by FREEDITY SOFTWARE. Contact: support@fonexa.app.
2. Information we collect
Account information. When you sign up we collect: email address, hashed password, business name, vertical (e.g. salon, clinic), preferred language, and the owner’s phone number. We verify the phone number with a one-time SMS code.
Call data. When the AI answers a forwarded call we store: the dialled Fonexa number, the caller’s phone number (as provided by the carrier), the start/end timestamps, the call duration, a turn-by-turn text transcript of the conversation, and an AI-generated summary. We do not store the raw audio of the call.
Google Calendar data. If you choose to connect a Google Calendar, we receive an OAuth access token and refresh token for that account. Using those tokens we read free/busy windows when the AI checks a slot during a call, and we create new events when a booking is captured. We do not read existing event details, attendee lists, descriptions, attachments, or any other field beyond the free/busy windows.
Operational data. Sign-up IP addresses (used for rate-limiting), Twilio numbers we provision on your behalf, usage counters (minutes consumed), and lifecycle timestamps.
Cookies. We set first-party cookies that are strictly necessary for authentication and CSRF protection. We do not use marketing or tracking cookies.
3. How we use information
- To operate the service: route calls, generate transcripts and summaries, capture appointments, send confirmation SMS to the business owner.
- To enforce demo limits (30 minutes / 7 days) and notify you when limits are approached.
- To respond to support requests and to communicate material changes to the service.
- To detect and prevent abuse, fraud, and security incidents.
- To comply with applicable law and respond to lawful requests from authorities.
4. Limited Use of Google Workspace APIs
Fonexa’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
- We only access your Google Calendar to (a) create events for appointments captured by our AI during a call and (b) read free/busy windows so the AI can answer availability questions in real time.
- We do not transfer Google user data to others except as necessary to provide and maintain the user-facing features of our service, and only with your consent.
- We do not use Google user data to serve advertisements.
- We do not allow humans at Fonexa to read your Google user data unless we have your explicit consent, it is necessary to investigate a security incident or abuse, it is required by law, or the data has been aggregated and anonymised.
- You can revoke our access at any time by clicking Disconnect on the Settings page or via your Google Account permissions.
5. Third parties (sub-processors)
We rely on the following providers to deliver Fonexa:
- Supabase — Postgres database and authentication. Data stored in the EU region.
- Twilio — phone number provisioning, voice routing, SMS delivery.
- Vercel — web application hosting.
- Hostinger — server hosting for the voice-processing component.
- Google (Gemini API) — AI summarisation of transcripts.
- Google (Calendar API) — only if you connect a Google Calendar.
- Deepgram — speech-to-text and text-to-speech.
Each provider processes data only as necessary to deliver its specific function and is bound by its own privacy and security commitments.
6. Data retention
Demo accounts: data is retained while the demo is active (up to 7 days from signup or 30 minutes of usage, whichever ends first), then a 24-hour grace period, then a 30-day archival period after which all account data is permanently deleted from our active systems. Backups are rotated within 60 days.
Paid accounts: data is retained for the duration of your subscription plus 30 days after closure, after which it is permanently deleted (subject to legal retention obligations).
Google OAuth tokens are deleted immediately when you click Disconnect or when the linked Fonexa account is deleted.
7. Your rights
If you are in the European Economic Area, the United Kingdom, or Australia, you have the right to: access the data we hold about you, request correction or deletion, request portability, restrict processing, and object to processing. To exercise any of these rights, email support@fonexa.app from the address on your account.
We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
8. Security
All transmissions use TLS 1.2+. Database content is encrypted at rest. Service-role keys and OAuth refresh tokens are stored only on the server; they are never sent to the browser. Access by Fonexa staff is on a need-to-know basis and audited.
No service can guarantee absolute security. If we become aware of a breach affecting your data, we will notify you within 72 hours as required by GDPR Article 33.
9. Children
Fonexa is not directed at individuals under 18. We do not knowingly collect personal data from minors.
10. International transfers
Data may be transferred outside your jurisdiction (for example, to the United States via Twilio or Vercel infrastructure). When we do so we rely on Standard Contractual Clauses or equivalent safeguards.
11. Changes to this policy
We may update this policy. The “Last updated” date at the top reflects the most recent change. Material changes will be communicated by email to your account address.
12. Contact
Questions about this policy or your data? Email support@fonexa.app.