Privacy Policy
Effective Date: April 5, 2026
Last Updated: May 24, 2026
Version: 2.1
1. Introduction
hiroi ("we", "us", "our") operates the hiroi platform at https://hiroi.ai ("Service"). This Privacy Policy explains how we collect, use, disclose, and protect personal information across all channels of our omni-channel AI agent platform, including phone calls, SMS messaging, email campaigns, web chat widgets, and integrations with third-party services.
This policy applies to:
- Registered users (businesses and individuals who create hiroi accounts)
- End contacts (individuals who receive calls, SMS, emails, or chat interactions initiated through the Service)
- Website visitors who interact with AI agent chat widgets deployed by our customers
2. Data Controller and Processor Roles
| Role | Who | For What Data |
|---|---|---|
| Data Controller | hiroi | Registered user account data |
| Data Controller | Registered users (customers) | Contact data and communication data generated by their AI agents |
| Data Processor | hiroi | Processing contact/communication data on behalf of registered users |
For enterprise customers, our Data Processing Agreement governs the processor relationship.
Important: If you received a call, SMS, or email from a hiroi-powered AI agent, the business that deployed that agent is the data controller for your information. Contact that business directly to exercise data rights regarding their outreach.
3. Information We Collect
3.1 Account Information (Registered Users)
When you create an account, we collect:
| Data | Source | Purpose |
|---|---|---|
| Email address | Google, Apple, or Microsoft OAuth / magic link | Account identification, notifications |
| Display name | OAuth provider | Personalization |
| Profile picture URL | OAuth provider | Avatar display |
| Authentication credentials | OAuth token / magic link token | Account access |
| Business name | Account setup | Organization management |
| Phone number | Account setup (optional) | Account security, support |
3.2 Third-Party Integration Data
When you connect a third-party account (e.g., Microsoft 365), we may access:
| Data | Purpose | Stored By hiroi |
|---|---|---|
| Email messages (read) | Display in unified inbox, AI context | Metadata only; content processed in-memory |
| Email send capability | Send emails on your behalf | Email logs only |
| Calendar events | Schedule appointments, check availability | Cached per session |
| Calendar write | Create/modify appointments | Event creation logs |
We access third-party integration data only to perform the specific functions you activate. We do not store the full content of email messages beyond what is needed for in-session processing.
3.3 Contact Data
When you import or create contacts, we store:
| Data | Purpose | Sensitivity |
|---|---|---|
| Name | Contact identification | Medium |
| Phone number(s) | Call and SMS delivery | High - PII |
| Email address(es) | Email campaign delivery | High - PII |
| Company/job title | Personalization, enrichment | Medium |
| Custom fields | Your business use case | Variable |
| Contact notes | Context for AI agents | Medium |
| Consent records | TCPA/GDPR compliance | High - legally required |
| Do-not-contact flags | Compliance, opt-out tracking | High - legally required |
| Interaction history | Campaign analytics, AI context | High |
3.4 Communication Data
When your AI agents make calls, send SMS, or send emails, we collect:
| Data | Purpose | Sensitivity |
|---|---|---|
| Call recordings | Transcription, quality review | High - may contain PII |
| Call transcripts | AI analysis, search, review | High - may contain PII |
| Call metadata (duration, outcome, timestamps) | Analytics, billing | Medium |
| SMS message content (sent and received) | Delivery, analytics, unified inbox | High - may contain PII |
| Email content (sent and received) | Delivery, analytics, unified inbox | High - may contain PII |
| Delivery status and carrier responses | Deliverability analytics | Low |
| Call/SMS opt-out signals | Compliance | High - legally required |
3.5 Agent Configuration Data
When you use the Service, we store:
- AI agent configurations (name, personality, voice, system prompt)
- Campaign settings and schedules
- Phone number assignments
- Widget site settings and domain safelists
- Knowledge base documents
- Email templates and campaign content
3.6 Usage and Analytics Data
We automatically collect:
- Feature usage patterns (aggregate)
- API request metadata (timestamps, response codes, latency)
- Campaign performance metrics
- Error and performance data
3.7 Payment Information
Payment processing is handled by Stripe. We store only:
- Stripe customer identifier (not your card details)
- Credit balance and transaction history (amounts, dates, actions)
- Subscription tier and billing cycle
We do not store credit card numbers, CVVs, or bank account details.
3.8 Activity Logs
For security and audit purposes, we log:
- Authentication events (login, logout, failed attempts)
- Account changes (settings updates, agent modifications)
- Campaign creation, launch, and completion events
- IP addresses and user agents for security events
4. How We Use Your Information
| Purpose | Legal Basis |
|---|---|
| Operate and deliver the Service | Contract performance |
| Process AI calls, SMS, and email campaigns | Contract performance |
| Store and manage contact records | Contract performance |
| Authenticate and secure accounts | Legitimate interest |
| Prevent abuse, spam, and regulatory violations | Legitimate interest + legal obligation |
| Send essential account notifications | Contract performance |
| Generate aggregate analytics and campaign reports | Contract performance |
| Process payments and manage credits | Contract performance |
| Comply with legal obligations (TCPA, CAN-SPAM, etc.) | Legal obligation |
| Maintain call recordings and transcripts | Contract performance + legal obligation |
We do not use your data for:
- Selling to third parties
- Advertising or marketing profiling of our customers
- Training AI models on your contact data or conversation content
4.1 Call Recording and Transcription
Call recordings and transcripts are processed to:
- Provide you with a searchable record of conversations
- Enable AI agents to maintain context across calls
- Generate call summaries and outcome data
- Support quality review and compliance auditing
Recordings are stored for 90 days by default. You can configure longer or shorter retention periods in your account settings, subject to plan limits.
5. Third-Party Data Sharing
We share data with the following service providers:
| Provider | Data Shared | Purpose |
|---|---|---|
| OpenAI | Conversation content, call transcripts, system prompts, document embeddings | AI response generation (GPT-4o), text embeddings |
| Anthropic | Conversation content, call transcripts, system prompts | AI response generation (Claude) |
| Microsoft Azure | All application data (encrypted) | App hosting (US East 2); Azure SQL Database; Azure AI Content Safety; telephony and email via ACS |
| Azure Communication Services | Phone numbers, call audio, SMS content, email content | Calls, SMS, email delivery |
| | OAuth tokens | Authentication |
| Apple | OAuth tokens | Authentication |
| Microsoft | OAuth tokens; calendar and email data when integration is enabled | Authentication; Microsoft 365 integration |
| Stripe | Customer ID, payment method tokens, transaction data | Payment processing |
| Cloudflare | Network traffic metadata, IP addresses | CDN, DNS, DDoS protection |
For a complete list of sub-processors, see our Subprocessors page.
We do not sell your personal information to third parties.
6. Data Retention
| Data Type | Default Retention | After Retention |
|---|---|---|
| Account data | Until account deletion + 30 days | Permanently deleted |
| Contact records | Until deleted by customer + 30 days | Permanently deleted |
| Call recordings | 90 days (configurable) | Permanently deleted |
| Call transcripts | 1 year | Permanently deleted |
| SMS message content | 1 year | Permanently deleted |
| Email campaign content | 2 years | Permanently deleted |
| Conversation data (chat) | 1 year | Permanently deleted |
| Consent records | 5 years | Permanently deleted (legal requirement) |
| Opt-out / DNC records | 5 years | Permanently deleted |
| IP addresses | 90 days | Anonymized (set to null) |
| Activity logs | 2 years | Permanently deleted |
| Payment records | 7 years | Anonymized (tax/legal requirement) |
| Data export files | 7 days | Permanently deleted |
You can request earlier deletion through your account settings or by contacting privacy@hiroi.ai.
7. Your Rights
Depending on your jurisdiction, you may have the following rights:
7.1 Right to Access
Request a copy of all personal data we hold about you. Use the "Export My Data" feature in account settings, or contact us.
7.2 Right to Rectification
Update your account information through your profile settings.
7.3 Right to Erasure
Delete your account through account settings. Deletion includes a 30-day grace period. After the grace period, all personal data is permanently removed, subject to legal retention requirements.
7.4 Right to Data Portability
Export your data in machine-readable format (JSON) through your account settings.
7.5 Right to Restrict Processing
Request restriction of processing of your data in certain circumstances.
7.6 Right to Withdraw Consent
Where processing is based on consent, withdraw consent at any time through your account settings.
7.7 Right to Object
Object to processing based on legitimate interest by contacting privacy@hiroi.ai.
7.8 Automated Decision-Making
AI-generated calls, messages, and chat responses constitute automated processing. You can request human review of decisions that significantly affect you.
8. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption in transit: All data transmitted via TLS 1.2+
- Encryption at rest: AES-256 database encryption
- Call recording security: Recordings stored encrypted; access restricted by role
- Access controls: Role-based access, principle of least privilege
- Authentication security: Secure session management, CSRF protection, rate limiting
- API key security: Keys hashed, never stored in plaintext
- Audit logging: All access and changes are logged
For more details, see our Security Policy.
9. Cookies
We use cookies and similar technologies as described in our Cookie Policy.
10. International Data Transfers
Your data may be processed outside your country of residence. Our primary infrastructure is in the United States (Azure US East 2). We ensure appropriate safeguards for international transfers:
- Standard Contractual Clauses (SCCs) for transfers from the EEA/UK to the United States
- Data processing agreements with all sub-processors
- Evaluation of recipient country data protection laws
- Supplementary technical measures (encryption in transit and at rest)
| Provider | Location | Transfer Mechanism |
|---|---|---|
| OpenAI | United States | SCCs, DPA |
| Anthropic | United States | SCCs, DPA |
| Microsoft Azure / ACS | United States (East 2) | SCCs, EU-US Data Privacy Framework |
| | United States | SCCs, EU-US Data Privacy Framework |
| Apple | United States | SCCs, DPA |
| Stripe | United States | SCCs, EU-US Data Privacy Framework |
| Cloudflare | Global (edge nodes) | SCCs, EU-US Data Privacy Framework |
11. Children's Privacy
The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn we have collected such information, we will promptly delete it.
12. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under CCPA as amended by CPRA:
12.1 Right to Know
You have the right to request disclosure of the personal information we collect, use, and share. See Section 3 for categories of information collected.
12.2 Right to Delete
Request deletion of your personal information, subject to certain exceptions. Use the account deletion feature or contact us.
12.3 Right to Correct
Request correction of inaccurate personal information.
12.4 Right to Opt-Out of Sale or Sharing
We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
12.5 Right to Limit Use of Sensitive Personal Information
Where we process sensitive personal information (such as call recordings that may contain sensitive disclosures), you may request that we limit processing to what is necessary to provide the Service.
12.6 Right to Non-Discrimination
We will not discriminate against you for exercising your CCPA/CPRA rights.
12.7 How to Exercise
Contact privacy@hiroi.ai or use self-service tools in your account settings. We respond to verifiable requests within 45 days.
13. TCPA and Telemarketing Compliance
13.1 Consent Records
We store consent records provided by our customers (registered users) to support their TCPA compliance obligations. Customers are responsible for obtaining, maintaining, and providing evidence of consent.
13.2 Do Not Call Registry
hiroi does not scrub contact lists against the National DNC Registry. Customers are responsible for maintaining compliance with DNC obligations for their contact lists.
13.3 Opt-Out Processing
When a contact sends an opt-out keyword (e.g., "STOP", "UNSUBSCRIBE") via SMS, or requests not to be called during a phone interaction, hiroi automatically flags that contact as do-not-contact. This flag is visible to the customer and prevents further automated outreach to that contact through our platform.
14. Contact Agent Privacy (End Contacts)
If you are an individual who received a call, SMS, or email from a hiroi-powered AI agent:
- The business that deployed the AI agent is the data controller for your information
- hiroi acts as a data processor on behalf of that business
- To exercise your data rights (access, deletion, opt-out), contact the business directly
- To report abuse or unwanted contact, email abuse@hiroi.ai with the phone number or email address used to contact you
15. Widget End-User Privacy
When you interact with an AI agent chat widget on a third-party website:
- The agent owner (registered user) is the data controller for your conversation
- hiroi processes your data as a data processor on behalf of the agent owner
- hiroi collects IP address and user agent for rate limiting and abuse prevention
- The agent owner's privacy policy governs collection of your data on their website
Agent owners deploying hiroi widgets are responsible for:
- Including a privacy policy that discloses the use of an AI agent and data collection practices
- Obtaining any necessary consent from website visitors
- Providing mechanisms for visitors to exercise data subject rights
- Ensuring lawful use of the AI agent in their jurisdiction
16. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes via:
- Email notification to your registered email address
- Prominent notice within the Service
- Updated "Last Updated" date at the top of this page
Your continued use of the Service after changes constitutes acceptance of the updated policy.
17. Contact
For privacy-related inquiries:
hiroi - Privacy
Email: privacy@hiroi.ai