Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.salesfrank.com/llms.txt

Use this file to discover all available pages before exploring further.

Privacy Policy

salesfrank.com — Platform for AI-Powered Phone Communication

As of: March 2026

1. Controller and Contact Details

1.1 Controller

Another Side Ventures Free Zone LLC Al Shohada Road Ras Al Khaimah United Arab Emirates Email: info@salesfrank.com Website: salesfrank.com

1.2 EU Representative pursuant to Art. 27 GDPR

As Another Side Ventures Free Zone LLC is established outside the European Union but offers goods and services to individuals in the EU and processes personal data of individuals in the EU, the following representative in the European Union has been designated pursuant to Art. 27(1) GDPR: Thomas Bergmann Email: info@salesfrank.com The EU representative serves as a point of contact for data subjects and supervisory authorities with regard to all matters relating to the processing of personal data.

1.3 Contact for Data Protection Inquiries

For all questions regarding data protection, the exercise of your data subject rights, or complaints, please contact: Email: info@salesfrank.com We endeavor to respond to your inquiry within 30 days of receipt. In particularly complex cases, the deadline may be extended by a further two months in accordance with Art. 12(3) GDPR, of which we will inform you in a timely manner.

2. Principles of Data Processing

We process personal data in accordance with the General Data Protection Regulation (GDPR), the respectively applicable national data protection laws of the EU Member States, and the Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz (TDDDG) (Telecommunications Digital Services Data Protection Act). We process personal data only insofar as:
  • the data subject has given consent (Art. 6(1)(a) GDPR)
  • the processing is necessary for the performance of a contract (Art. 6(1)(b) GDPR)
  • the processing is necessary for compliance with a legal obligation (Art. 6(1)(c) GDPR)
  • the processing is necessary for the purposes of legitimate interests (Art. 6(1)(f) GDPR)

3. Processing of Personal Data in Detail

3.1 Visiting Our Website (salesfrank.com / salesfrank.com)

3.1.1 Server Log Files

Each time our website is accessed, information that your browser transmits to our server is automatically collected. This data is stored in server log files:
DataDescription
IP addressThe IP address of the accessing device
Date and timeTime of access
Page/file accessedURL of the accessed resource
Referrer URLWebsite from which the access originated
Browser and operating systemBrowser type, version, operating system used
Amount of data transferredAmount of data transferred as part of the request
Status codeHTTP status code of the server response
Legal basis: Art. 6(1)(f) GDPR (legitimate interest in the technical provision and security of the website). Retention period: Server log files are automatically deleted after 30 days. Hosting: Our website is hosted via Framer (Framer B.V., Netherlands). Framer processes the above-mentioned data on our behalf. Server location: EU.

3.1.2 Contact Forms and Appointment Booking

When you fill out a contact form on our website or book an appointment (via Cal.com or Calendly), the data you enter is processed:
DataPurpose
NameIdentification and personal address
Email addressContact and appointment confirmation
Phone number (optional)Telephone contact
Company (optional)Assignment and meeting preparation
Message / inquiryProcessing your request
Selected appointmentAppointment scheduling
Legal basis: Art. 6(1)(b) GDPR (performance of pre-contractual measures at the request of the data subject). Retention period: Inquiry data is deleted after completion of processing or after expiration of statutory retention periods. Third-party appointment booking: Appointment booking is carried out via Cal.com (Cal.com, Inc.) or Calendly (Calendly LLC). When you book an appointment, the privacy policies of the respective provider also apply. The use of these services is voluntary.

3.1.3 Test Call Function

When you request a free test call via our website, we process:
DataPurpose
Phone numberConducting the test call
Name (optional)Personal address during the test call
Call recordingDemonstration of platform functionality
TranscriptDocumentation of the test conversation
Legal basis: Art. 6(1)(a) GDPR (consent — by actively requesting the test call, you consent to the processing) in conjunction with Art. 6(1)(b) GDPR (pre-contractual measures). Retention period: Test call data is deleted after 90 days, provided no contractual relationship is established.

3.2 Registration and Use of the Platform (Customers)

3.2.1 Registration and User Account

Upon registration on our platform, we collect the following data:
DataPurposeLegal basis
First and last nameIdentification, contracting partyArt. 6(1)(b) GDPR
Email addressCommunication, login, notificationsArt. 6(1)(b) GDPR
Phone numberContact, verificationArt. 6(1)(b) GDPR
Company data (company name, address, VAT ID)Contract processing, invoicingArt. 6(1)(b), (c) GDPR
Password (stored encrypted)AuthenticationArt. 6(1)(b) GDPR
IP address and login timestampSecurity, abuse preventionArt. 6(1)(f) GDPR
Retention period: Account data is stored for the duration of the contractual relationship. After termination of the contract and expiration of the 30-day data export period, the data is deleted within 90 days, unless statutory retention obligations apply.

3.2.2 Use of the Platform

In the course of using the platform, we process the following data:
DataPurposeLegal basis
Campaign configurations (prompts, scripts)Provision of platform functionalityArt. 6(1)(b) GDPR
Usage statistics (calls, minutes, campaigns)Billing, dashboard, plan managementArt. 6(1)(b) GDPR
Technical usage data (page views, clicks within the platform)Product improvement, bug fixingArt. 6(1)(f) GDPR

3.2.3 Payment Processing

Payment processing is carried out by the payment service provider Stripe Payments Europe Ltd (Ireland). In the course of payment processing, the following data is transmitted to Stripe:
DataPurpose
NameAssignment of payment
Email addressPayment receipts, communication
Payment information (credit card, SEPA, etc.)Execution of payment
Billing addressInvoicing
Purchase amount and planBilling
Legal basis: Art. 6(1)(b) GDPR (performance of contract). Stripe processes payment data as an independent controller in accordance with its own privacy policy (stripe.com/privacy). Stripe is PCI DSS Level 1 certified and processes payment data within the EU (Stripe Payments Europe Ltd, Ireland). Retention period: Invoice data is retained in accordance with statutory retention periods (Section 147 AO, Section 257 HGB) for up to 10 years.

3.3 Processing of Contact Data by Our Customers (Processing on Behalf)

3.3.1 Role Allocation

Our customers use the platform to conduct automated phone calls to their contact persons. In this context:
  • Our customer is the Controller (Art. 4(7) GDPR) for the personal data of the contact persons. The customer decides on the purpose and means of processing.
  • We act as the Processor (Art. 4(8) GDPR) and process the data exclusively on the documented instructions of the customer.
The rights and obligations are governed by a Data Processing Agreement (DPA) pursuant to Art. 28 GDPR.

3.3.2 What Data Do We Process on Behalf of Our Customers?

Data CategoryDescriptionSource
Contact dataPhone number (required), possibly name, email, company data, and other information uploaded by the customerUploaded by the customer
Call recordingsAudio recording of the entire phone conversationAutomatically created during the call
TranscriptsComplete transcription of the conversationAutomatically created by speech recognition
Call metadataDate, time, duration, call status, outcomeAutomatically captured
Extracted dataStructured information extracted from the conversation (e.g., appointment data, qualification results)Automatically extracted by AI analysis
The processing is carried out exclusively for the purpose of providing the platform functionality on behalf of the customer. The legal basis for the processing is determined by the respective customer as the Controller.

3.3.4 Recording and Transcription of Conversations

Phone conversations conducted via the platform are recorded and transcribed. The recordings and transcripts are stored exclusively on servers within the European Union (Microsoft Azure, Region EU West, Netherlands). The recording serves the following purposes:
  • Traceability of conversation contents by the customer
  • Quality assurance and optimization of AI agents
  • Data extraction (e.g., agreed appointments, conversation outcomes)
  • Documentation of the conversation conduct
Retention period: For the duration of the contractual relationship between us and the customer. The customer can view and delete recordings and transcripts at any time via the dashboard. After termination of the contract, all data is deleted within 90 days at the latest.

3.3.5 AI-Powered Conversation Conduct

The platform uses AI models (Large Language Models) for automated conversation conduct. The AI processing takes place on servers within the EU:
ComponentProviderProcessing Location
Language model (LLM)Azure OpenAI Service / Azure AI (Google Gemini)Microsoft Azure, EU West (Netherlands)
Voice communication infrastructureLiveKit (self-hosted)Microsoft Azure, EU West (Netherlands)
Fallback voice infrastructureVAPI (self-hosted)Amazon Web Services, EU (Frankfurt)
The AI models are not trained with the data of our customers or their contact persons.

3.3.6 No Independent Analysis

We do not carry out any independent analysis of conversation contents. The processing is carried out exclusively on behalf of and on the instructions of the customer. No sentiment analysis, emotion recognition, biometric voice analysis, or other automated profiling takes place beyond the data extraction configured by the customer.

3.4 Communication by Email

If you contact us by email, we process your email address, your name (if provided), and the content of your message for the purpose of handling your inquiry. Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in responding to inquiries). Email dispatch: For sending emails (e.g., notifications, invoices), we use the service Resend (Resend, Inc., USA). Resend processes the email address and email content for the purpose of delivery. The transfer is based on Standard Contractual Clauses (SCCs). Emails are not permanently stored by Resend.

4. Use of Third-Party Services and Sub-Processors

4.1 Overview of Services Used

In the course of providing the platform and the website, we use the following third-party services:
ServiceProviderRegistered OfficeProcessing LocationPurposeRole
Microsoft AzureMicrosoft Ireland Operations LtdIreland (EU)EU West (Netherlands)Hosting, compute, database, LLM processing, LiveKit hostingProcessor
Amazon Web ServicesAWS EMEA SARLLuxembourg (EU)EU (Frankfurt)Hosting fallback voice infrastructure (VAPI)Processor
TwilioTwilio Ireland LtdIreland (EU)EU (Ireland)Telephony, number provisioningProcessor
StripeStripe Payments Europe LtdIreland (EU)EUPayment processing (payment data)Independent Controller (processes payment data on the basis of its own privacy policy)
ResendResend, Inc.USAUSAEmail dispatchProcessor
ElevenLabsElevenLabs, Inc.USAUSASpeech synthesis (TTS), speech recognition (STT)Sub-processor
DeepgramDeepgram, Inc.USAUSASpeech recognition (STT)Sub-processor
CartesiaCartesia, Inc.USAUSASpeech synthesis (TTS)Sub-processor
FramerFramer B.V.Netherlands (EU)EUWebsite hostingProcessor

4.2 Self-Hosted Components (No Third-Country Transfer)

The following core components are operated by the Controller on EU infrastructure:
ComponentTechnologyHostingProcessing Location
Primary voice infrastructureLiveKit (open-source, self-hosted)Microsoft AzureEU West (Netherlands)
Fallback voice infrastructureVAPI (self-hosted)Amazon Web ServicesEU (Frankfurt)
DatabaseMongoDB (self-hosted on Azure)Microsoft AzureEU West (Netherlands)
Application serverNestJS + ReactMicrosoft AzureEU West (Netherlands)
LLM processingAzure OpenAI Service / Azure AIMicrosoft AzureEU West (Netherlands)
Since these are self-hosted solutions, no personal data is transmitted to the respective software manufacturers (LiveKit, Inc.; VAPI, Inc.; MongoDB, Inc.). Full technical control over these instances lies with the Controller.

4.3 Voice Service Providers (Transient Real-Time Processing)

For the real-time processing of voice data during phone calls, the voice service providers ElevenLabs, Deepgram, and Cartesia are used. With regard to data processing by these services, the following should be noted: Nature of processing:
  • Audio data is transmitted to the service providers as a real-time stream and processed immediately (transient stream processing)
  • No permanent storage of audio data, transcripts, or generated speech takes place at the service providers
  • Processing takes place in the servers’ working memory and is deleted from memory upon completion of the respective request
Data minimization:
  • Only audio fragments (STT) or text fragments (TTS) are transmitted to the voice service providers
  • No identifying metadata (phone numbers, names, email addresses, company data) is transmitted to the voice service providers
  • The voice service providers are unable to associate the audio data with a specific person
Safeguards for third-country transfer:
  • Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) pursuant to Implementing Decision (EU) 2021/914 have been concluded with all voice service providers
  • Participation in the EU-US Data Privacy Framework is verified (where applicable)
  • A Transfer Impact Assessment (TIA) in accordance with EDPB Recommendations 01/2020 has been conducted for each voice service provider
  • Transport encryption is carried out using TLS 1.2 or higher
The complete Transfer Impact Assessments can be viewed upon request.

5. Data Transfers to Third Countries

5.1 Principle

The core systems of the platform (hosting, database, application server, LLM processing, voice communication infrastructure) are operated exclusively within the European Union. The permanent storage of personal data takes place exclusively on EU servers.

5.2 Transfers to the USA

For the services listed below, transient data transfers to the USA take place:
ServiceType of DataType of ProcessingSafeguard
ElevenLabsAudio fragments (STT), text fragments (TTS)Transient, real-timeSCCs + DPA + TIA; where applicable EU-US DPF
DeepgramAudio fragments (STT)Transient, real-timeSCCs + DPA + TIA; where applicable EU-US DPF
CartesiaText fragments (TTS)Transient, real-timeSCCs + DPA + TIA
ResendEmail addresses, email contentTransient (delivery)SCCs + DPA

5.3 Access from the United Arab Emirates

The Controller is established in the UAE. Authorized personnel access the EU systems administratively from there. As this remote access may be classified as a transfer of personal data to a third country within the meaning of Art. 44 et seq. GDPR, Standard Contractual Clauses (SCCs) pursuant to Implementing Decision (EU) 2021/914 have been implemented as the legal basis. Additionally, the following safeguards apply:
  • All data remains on EU servers — no local storage on devices outside the EU
  • Access exclusively via encrypted VPN connection with multi-factor authentication
  • Role-based access control (RBAC)
  • Complete logging of all access
  • Transfer Impact Assessment (TIA) conducted in accordance with EDPB Recommendations 01/2020, which, in conjunction with the SCCs and the supplementary technical measures, confirms an adequate level of protection

5.4 No Transfer to Other Third Countries

Beyond the cases described above, no transfer of personal data to third countries takes place.

6. Retention Periods and Deletion Deadlines

6.1 Overview

Data CategoryRetention PeriodDeletion
Server log files (website)30 daysAutomatic deletion
Contact inquiries (forms)Duration of processing + 6 monthsAfter expiration of the period
Test call data90 days (if no contract is established)Automatic deletion
User account dataContract duration + 90 daysAfter contract termination and expiration of the export period
Contact data (uploaded by customer)Contract durationDeletable by customer at any time; within 90 days after contract termination at the latest
Call recordingsContract durationDeletable by customer at any time; within 90 days after contract termination at the latest
TranscriptsContract durationDeletable by customer at any time; within 90 days after contract termination at the latest
Call metadataContract durationWithin 90 days after contract termination at the latest
Invoice and payment dataStatutory retention period (up to 10 years pursuant to Section 147 AO, Section 257 HGB)After expiration of the statutory period
Email communication3 years after last contactAfter expiration of the period

6.2 Deletion After Contract Termination

After termination of the contractual relationship, the customer receives a 30-day period to export all data via the dashboard export function in machine-readable formats (CSV, JSON). After expiration of this period, all personal data is irrevocably deleted within 90 days at the latest. Deletion is confirmed in writing upon request.

6.3 Statutory Retention Obligations

Insofar as statutory retention obligations (in particular commercial and tax law obligations pursuant to Section 147 AO, Section 257 HGB) preclude immediate deletion, the affected data is restricted and processed only for the legally prescribed purpose. This applies exclusively to invoice data and business correspondence.

7. Your Rights as a Data Subject

7.1 Overview

As a data subject, you have the following rights under the GDPR:
RightArticleDescription
Right of accessArt. 15 GDPRYou have the right to obtain information about the personal data we process. This includes information about the processing purposes, the categories of data processed, the recipients, the retention period, and the origin of the data.
Right to rectificationArt. 16 GDPRYou have the right to request the immediate rectification of inaccurate or the completion of incomplete personal data.
Right to erasureArt. 17 GDPRYou have the right to request the erasure of your personal data, provided the processing is not necessary for compliance with a legal obligation, for the exercise of the right to freedom of expression, for reasons of public interest, or for the establishment, exercise, or defense of legal claims.
Right to restrictionArt. 18 GDPRYou have the right to request the restriction of processing if you contest the accuracy of the data, the processing is unlawful, we no longer need the data, or you have lodged an objection.
Right to data portabilityArt. 20 GDPRYou have the right to receive the personal data concerning you in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
Right to objectArt. 21 GDPRYou have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Art. 6(1)(f) GDPR.
Right to withdraw consentArt. 7(3) GDPRInsofar as the processing is based on consent, you have the right to withdraw that consent at any time with effect for the future. The lawfulness of the processing carried out on the basis of consent until the withdrawal is not affected thereby.

7.2 Notice for Contact Persons (Called Persons)

If you were contacted by an AI agent via our platform and wish to exercise your rights as a data subject, please contact:
  1. Primarily: The company that commissioned the call (the “Controller”). This company is usually identified at the beginning of the conversation or upon inquiry.
  2. Alternatively: Us at info@salesfrank.com. We will forward your inquiry to the responsible Controller and assist with processing.

7.3 Right to Lodge a Complaint with a Supervisory Authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). You may in particular contact the supervisory authority of your habitual residence, your place of work, or the place of the alleged infringement.

8. Data Security

We implement comprehensive technical and organizational measures pursuant to Art. 32 GDPR to ensure a level of protection appropriate to the risk of the processing. These include in particular:
MeasureDescription
Encryption in transitAll data transfers are carried out via TLS 1.2 or higher (Transport Layer Security). This applies to the website, the platform, API communication, and connections to third-party services.
Encryption at restAll data stored on EU servers is encrypted using AES-256 (Encryption at Rest). This includes the database, call recordings, transcripts, and backups.
Access controlRole-based access control (RBAC) with strict separation by areas of responsibility. Multi-factor authentication (MFA) for all administrative access.
Tenant separationLogical separation of data from different customers through individual tenant identifiers.
BackupsAutomated daily backups, stored encrypted in geographically separated availability zones within the EU. Retention: at least 30 days.
MonitoringContinuous monitoring of systems for anomalies and security incidents (24/7).
Incident responseDocumented process for detection, containment, analysis, and remediation of data protection incidents with notification within 24 hours.
Regular reviewAt least annual review and update of security measures.
A detailed description of the technical and organizational measures can be found in Annex 2 of our Data Processing Agreement, which is available upon request.

9. Cookies and Tracking

9.1 Technically Necessary Cookies

Our website and platform use technically necessary cookies that are required for the operation of the website and the provision of platform functionality. These cookies do not store personal data beyond session management.
CookiePurposeRetention Period
Session cookieManagement of the user session after loginSession duration (deleted when the browser is closed)
Authentication cookieMaintenance of login statusMaximum 30 days
CSRF tokenProtection against Cross-Site Request ForgerySession duration
Cookie settingsStorage of your cookie preferences12 months
Legal basis: Section 25(2)(2) TDDDG (technically necessary cookies are exempt from consent requirements).

9.2 Analytics and Marketing Cookies

Analytics or marketing cookies are only set with your explicit consent. Without your consent, no tracking takes place.

10. Automated Decision-Making and Profiling

10.1 AI-Powered Conversation Conduct

The platform uses AI models (Large Language Models) to conduct automated phone conversations. The AI makes automated decisions during the conversation regarding:
  • The next conversational utterance (based on the logic configured by the customer)
  • The qualification of the called person (based on criteria defined by the customer)
  • The conversation outcome (e.g., “appointment scheduled,” “no interest”)
The automated conversation conduct by the AI has no legal effect and no similarly significant impact on the called person within the meaning of Art. 22(1) GDPR. The AI:
  • Does not conclude contracts
  • Does not make legally binding statements
  • Does not carry out scoring or profiling with legal consequences
  • Merely qualifies the interest of the called person based on criteria defined by the customer
The called person can end the conversation at any time (hang up). The final decision regarding business relationships is always made by a human.

11. Changes to This Privacy Policy

We reserve the right to amend this privacy policy as needed to adapt it to changed legal requirements or technical changes. The current version is always available on our website. In the case of material changes affecting your rights, we will — where possible — inform you separately.

12. Validity and Authoritative Language Version

This privacy policy is drafted in German. In the event of discrepancies between different language versions, the German version shall prevail.
Another Side Ventures Free Zone LLC Al Shohada Road, Ras Al Khaimah, UAE EU Representative: Thomas Bergmann Email: info@salesfrank.com As of: March 2026