Who this notice applies to
This Privacy Notice applies to Ajoxi (the company operating ajoxi.com and the Ajoxi product) and the personal data we handle in the course of providing our cloud phone, contact center, and AI services.
It covers our customers (the businesses paying us), our customers’ end users (the people calling or messaging them), and visitors to our marketing site. If you are an end user reaching out about a specific business, that business is the data controller and you should contact them first — but we will help if you cannot reach them.
What personal data we collect
Account & billing data. Name, work email, company, role, billing address, and payment method (handled by Stripe — we never see card numbers ourselves).
Communications content. Call recordings, transcripts, SMS and chat messages, and AI-generated summaries — strictly as needed to deliver the product. Customers control retention and redaction.
Metadata. Phone numbers, timestamps, call duration, routing decisions, device identifiers, and IP addresses for the calls and messages routed through us.
Usage telemetry. Which features you use inside the admin dashboard, error logs, and audit-log events. Used to improve the product and meet SOC 2 obligations.
Cookies. A small number of essential and analytics cookies on the marketing site. None on the in-product app — sessions are token-based.
Marketing site analytics. We log IP address, approximate location, device info, and pages visited for analytics and abuse prevention.
How we use the data
To provide the service you signed up for — answering calls, routing messages, running AI analysis, attaching recordings to your CRM, billing you.
To prevent fraud and abuse, including STIR/SHAKEN attestation and carrier-required spam detection.
To meet regulatory obligations — TCPA, GDPR, PCI-DSS, and tax/financial reporting.
To improve the product — measuring AI accuracy, identifying performance regressions, surfacing usage patterns to our customer success team.
We do not sell personal data. We do not use customer communications content to train shared AI models without explicit opt-in.
Legal basis (GDPR)
Performance of contract (Art. 6(1)(b)) — for everything required to deliver Ajoxi to a paying customer.
Legitimate interest (Art. 6(1)(f)) — for fraud prevention, security, and product improvement, balanced against your rights.
Legal obligation (Art. 6(1)(c)) — for tax, accounting, and law-enforcement requests we cannot refuse.
Consent (Art. 6(1)(a)) — for marketing emails and optional analytics cookies. You can withdraw consent at any time, no questions asked.
How long we keep it
Account & billing. While your account is active, plus seven years for financial records as required by law.
Call recordings, transcripts, AI summaries. As your retention setting dictates — default 90 days, configurable up to seven years (Enterprise).
Audit logs. Three years.
Telemetry & analytics. 13 months, then aggregated.
On termination, we delete personal data within 30 days unless we are legally required to keep it longer. Customers can request earlier deletion at any time.
Your rights
Wherever you are, you can request to access, correct, export, or delete your personal data, and to restrict or object to certain processing. EU/UK residents have these rights under GDPR; California residents have parallel rights under the CCPA; similar rules apply in many other jurisdictions.
Email privacy@ajoxi.com with your request. We respond within 30 days. If you believe we have mishandled your data, you have the right to lodge a complaint with your local supervisory authority (e.g. ICO in the UK, CNIL in France).
International transfers
Ajoxi is a US company with infrastructure in the US, EU, Canada, and Asia-Pacific. When data is transferred out of the EU/UK, we rely on Standard Contractual Clauses and the EU-US Data Privacy Framework.
Customers on Enterprise can pin recordings, transcripts, and PHI metadata to a specific region (US, EU, CA, AU) so the data never leaves that jurisdiction. Cross-region replication is opt-in.
How we secure it
TLS 1.3 in transit, AES-256 at rest, per-tenant keys on recordings, customer-managed keys (BYOK) on Enterprise. SSO + SCIM on every Enterprise plan.
SOC 2 Type II audited annually, ISO 27001 certified, PCI-DSS Service Provider attested. The current report is available under NDA via security@ajoxi.com.
Read more at ajoxi.com/security.
Changes to this notice
If we make a material change — for example, a new category of data, a new sub-processor, or a new purpose — we will email account admins at least 30 days in advance and update the "Last updated" date at the top of this page. Minor clarifications happen without notice.
Contact
Privacy questions: privacy@ajoxi.com. Data Protection Officer (EU): dpo@ajoxi.com. We aim to reply within two business days, even for non-urgent notes.