Privacy Policy
We take your privacy seriously. This policy explains what data we collect, how we use it, who we share it with, and your rights.
Last updated: March 2, 2026
Summary: orderer.io helps businesses answer phone calls with AI. In doing so, we collect information from the businesses that use our platform (Operators) and from the people who call those businesses (Callers). We do not sell personal data. We store call recordings and transcripts on your account and delete them on request.
1. Who We Are
orderer ("orderer," "we," "our," or "us") is a sole proprietorship operating the orderer.io platform — an AI-powered phone answering service for businesses. For privacy inquiries, contact us at: legal@orderer.io.
This Privacy Policy applies to our website (orderer.io), our web application, our APIs, and all related services (collectively, the "Service"). It describes how we handle personal information in connection with the Service.
2. Information We Collect
We collect information in the following categories:
2.1 Account & Business Information (Operators)
When a business ("Operator") creates an account, we collect:
- Name, email address, and password (hashed)
- Business name, address, phone number, industry, and hours
- Billing information (processed by Stripe; we store only the last 4 digits of card, expiry, and billing address)
- Plan and usage data (minutes consumed, calls handled)
- AI configuration preferences (voice, greeting, personality settings)
- Menu, service catalog, FAQ, or other business content uploaded by the Operator
2.2 Call Data (Callers)
When a person calls a phone number managed by orderer on behalf of an Operator, we collect:
- Caller phone number (CLI/ANI)
- Audio recording of the call
- AI-generated transcript of the call
- Orders, bookings, or other information provided during the call
- Call metadata: duration, timestamp, call outcome, sentiment score
Important: Call recording laws vary by state. Operators are responsible for ensuring compliance with applicable call recording notice requirements in their jurisdiction. orderer provides configurable in-call disclosure language to assist with this.
2.3 SMS Data
When SMS messaging is enabled by an Operator, we collect:
- Phone numbers of message recipients
- Message content (appointment reminders, order confirmations, follow-ups)
- Opt-in and opt-out records (consent history)
- Delivery receipts and response data
Mobile information will not be shared with third parties or affiliates for marketing or promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.
2.4 Website & Usage Data
When you visit orderer.io or use the dashboard, we automatically collect:
- IP address, browser type, operating system, and device type
- Pages visited, time spent, and navigation paths
- Referral source
- Error logs and performance metrics
- Cookie data (see our Cookie Policy)
3. How We Use Your Information
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Provide the AI phone answering service | Call audio, business config, phone numbers | Contract performance |
| Process and fulfill orders or bookings | Call transcripts, caller info | Contract performance / legitimate interest |
| Deliver SMS follow-ups and reminders | Phone numbers, consent records | Consent (TCPA opt-in) |
| Billing and subscription management | Payment info, usage data | Contract performance |
| Improve AI accuracy and performance | Anonymized/aggregated call data | Legitimate interest |
| Customer support and dispute resolution | Call recordings, transcripts, account data | Legitimate interest |
| Security and fraud prevention | IP addresses, usage patterns | Legitimate interest |
| Legal compliance | Any data required by applicable law | Legal obligation |
We do not use call recordings or transcripts to train our AI models without explicit Operator consent. We do not sell personal information to third parties.
4. AI Processing & Voice Data
Our service uses AI to process voice calls in real time. Voice audio is transmitted to our voice AI infrastructure (powered by Telnyx), where it is transcribed and processed. AI responses are generated using large language model (LLM) infrastructure. The following applies:
- Voice data is processed transiently in memory during the call
- Recordings are stored encrypted at rest after call completion
- Transcripts are generated automatically and stored on the Operator's account
- Operators may delete recordings and transcripts at any time from the dashboard
- We retain call data for a maximum of 90 days after account termination unless legally required to retain it longer
- AI models are not retrained on individual call data without explicit consent
Healthcare Operators: If you operate in a healthcare setting and your callers may share protected health information (PHI), you must notify us prior to using the service so we can execute a Business Associate Agreement (BAA). Use of the Service to process PHI without a BAA is a violation of our terms.
5. Third-Party Service Providers
We share data with the following sub-processors to deliver the Service. All sub-processors are bound by data processing agreements:
| Provider | Purpose | Data Shared |
|---|---|---|
| Telnyx | Voice calls, SMS delivery, phone number provisioning | Call audio, phone numbers, SMS content |
| Stripe | Payment processing | Billing name, email, payment card data |
| Supabase | Database hosting (PostgreSQL) | All structured account and call data |
| Vercel | Frontend hosting and edge delivery | IP address, request metadata |
| Railway | Backend API hosting | API request data |
| Sentry | Error tracking and performance monitoring | Error logs (may include account ID, sanitized request data) |
| OpenAI / LLM providers | AI language model for generating responses | Conversation context (transcript snippets, business config) |
We do not share personal information with advertisers, data brokers, or any third party for their own marketing purposes. Mobile information will not be shared with third parties or affiliates for marketing or promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.
6. Data Retention
- Account data: Retained while your account is active, plus 30 days after cancellation to allow reactivation
- Call recordings: Retained per Operator's account settings (default: indefinitely until deleted or account closure); deleted within 30 days of account closure
- Call transcripts: Same as recordings
- SMS records and consent logs: Retained for 4 years from opt-in date as required by TCPA compliance best practices
- Billing records: Retained for 7 years as required by applicable tax law
- Anonymized analytics: May be retained indefinitely
Operators may delete recordings, transcripts, and call logs at any time through the dashboard. To request deletion of all data associated with your account, email legal@orderer.io.
7. Your Rights
7.1 All Users
- Access: Request a copy of personal data we hold about you
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your personal data
- Portability: Request export of your data in a machine-readable format
- Objection: Object to processing based on legitimate interest
7.2 California Residents (CCPA/CPRA)
California residents have the following additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to know what personal information is collected, used, shared, or sold
- Right to delete personal information
- Right to opt-out of the sale or sharing of personal information (we do not sell data)
- Right to non-discrimination for exercising your rights
- Right to correct inaccurate personal information
- Right to limit use of sensitive personal information
To exercise any California rights, email legal@orderer.io with the subject line "California Privacy Request." We will respond within 45 days.
7.3 European / UK Residents (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, you have additional rights under the General Data Protection Regulation (GDPR). Our legal basis for processing is outlined in Section 3. You have the right to lodge a complaint with your local supervisory authority. Contact us at legal@orderer.io to exercise your GDPR rights.
8. Security
We implement industry-standard security measures to protect your data:
- All data transmitted over TLS 1.2 or higher (encryption in transit)
- Database encryption at rest (AES-256)
- Call recordings stored encrypted
- Access controls: role-based, least-privilege access for all staff
- Regular security audits and vulnerability scanning
- Multi-factor authentication available for all accounts
- SOC 2 Type II compliance (in progress)
Despite our best efforts, no system is 100% secure. In the event of a data breach that affects your rights and freedoms, we will notify affected users in accordance with applicable law.
9. Callers' Privacy (Third-Party Callers)
If you called a business that uses orderer.io and have questions about how your call data was handled, please contact the business directly. Businesses using our platform are the data controllers for calls to their numbers. orderer processes that data as a data processor on their behalf.
If a business cannot address your concern, you may contact us at legal@orderer.io. Note that we can only take action within our contractual authority as the data processor.
10. Children's Privacy
The orderer.io Service is intended for use by businesses and persons 18 years of age or older. We do not knowingly collect personal information from children under the age of 13. If you believe we have inadvertently collected information from a child under 13, please contact us at legal@orderer.io immediately.
11. International Data Transfers
orderer is based in the United States. If you access the Service from outside the US, your data may be transferred to, stored, and processed in the United States and other countries where our service providers operate. By using the Service, you consent to this transfer.
For transfers from the EEA/UK, we rely on Standard Contractual Clauses (SCCs) or other approved transfer mechanisms where required.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify Operators of material changes via email at least 14 days before the change takes effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
13. Contact Us
For privacy-related questions, requests, or complaints:
- Email: legal@orderer.io
- Subject line: "Privacy Request — [Your Name]"
- Response time: We aim to respond within 5 business days, and will complete all requests within 30 days.