Privacy Policy

1. Information We Collect

1.1. Account Information

When you create an account, we collect:

• Email address
• Company name (optional)
• Payment information (processed and stored by Stripe; we receive only Stripe customer and subscription identifiers)

1.2. API Key Data

When you generate API keys, we store a SHA-256 cryptographic hash of the key and a 12-character prefix for display purposes. We do not store the full plaintext API key after initial generation.

1.3. Phone Number Configuration

We store phone numbers you register with the Service (in E.164 format), along with the callback endpoint URLs you configure for call handling.

1.4. Call Metadata and Usage Records

For each call processed through the Service, we store the following in our database:

• Call SID (a unique identifier assigned by Twilio)
• Caller and called phone numbers
• Call duration in seconds
• Cost breakdown (itemized platform and estimated third-party costs)
• Timestamp of the call

1.5. Information We Process but Do Not Store

The following information is processed in volatile memory during active calls and is immediately purged upon call termination:

• Customer Credentials — Twilio account SID, Twilio auth token, and OpenAI API keys returned by your onCallStart callback
• Audio Streams — Real-time voice data relayed between Twilio and OpenAI; never buffered to disk or stored
• Transcripts — Generated by OpenAI during the call and delivered to your backend via the onCallEnd callback; not retained by Veevo
• System Prompts and Tool Definitions — AI configuration provided by your backend; held in memory for the call duration only

1.6. Webhook Signing Secrets

We generate and store a webhook signing secret for each account, used to compute HMAC-SHA256 signatures on callback requests. This secret is stored in our database to enable ongoing signature computation.

2. How We Use Information

We use the information we collect to:

• Provide, operate, and maintain the Service
• Authenticate API requests and manage account access
• Route calls between Twilio, OpenAI, and your backend via callback endpoints
• Calculate and report usage for billing purposes via Stripe metered billing
• Deliver call transcripts and cost breakdowns to your callback endpoints
• Sign webhook payloads for security verification
• Detect, prevent, and address technical issues, fraud, and abuse
• Comply with legal obligations

We do not use call content, transcripts, audio, or Customer Credentials for any purpose other than real-time call facilitation. We do not train AI models on your data. We do not sell your data.

3. Information Sharing and Third-Party Services

The Service integrates with the following third-party services. Your use of the Service necessarily involves the transmission of data to these providers:

3.1. Twilio

Twilio provides the telephony infrastructure. During calls, audio streams and call metadata flow between Twilio and our Engine. Twilio receives your Twilio account credentials (provided by your backend) for call authentication. Twilio's privacy practices are governed by Twilio's Privacy Policy.

3.2. OpenAI

OpenAI provides the AI model powering voice conversations. During calls, audio streams, system prompts, and tool definitions are transmitted to OpenAI's Realtime API using your OpenAI API key (provided by your backend). OpenAI's data practices are governed by OpenAI's Privacy Policy.

3.3. Stripe

Stripe processes all payments and manages subscription billing. We transmit usage data (call minutes) to Stripe for metered billing. Payment card details are collected and stored exclusively by Stripe and are never transmitted to or stored by Veevo. Stripe's practices are governed by Stripe's Privacy Policy.

3.4. Your Backend (Customer Callback Endpoints)

The Service transmits call metadata, transcripts, and cost breakdowns to the callback URLs you configure. These transmissions are signed with your webhook secret. You are responsible for the handling and storage of data received at your callback endpoints.

3.5. Other Disclosures

We may disclose information if required by law, regulation, subpoena, court order, or other governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

4. Data Security

We implement the following security measures:

• API Key Hashing — Keys are stored as SHA-256 hashes; plaintext keys are never retained after initial issuance
• Timing-Safe Comparison — API key validation uses constant-time comparison to prevent timing attacks
• Webhook Signatures — All callback requests are signed with HMAC-SHA256 using per-account secrets
• Ephemeral Credential Handling — Third-party credentials exist only in volatile memory during active calls and are never written to persistent storage
• HTTPS Enforcement — All API endpoints and callback URLs require HTTPS
• Stripe Signature Verification— All incoming Stripe webhooks are verified using Stripe's signing secret with idempotency checks

While we strive to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

5. Data Retention

5.1. Account Data — Retained for the duration of your active account and for 90 days following account termination for billing reconciliation purposes.

5.2. Usage Records — Call metadata and cost breakdowns are retained for the duration of your account to provide usage history and billing records.

5.3. Call Content (Audio, Transcripts, Credentials) — Not retained. Processed in volatile memory during active calls and purged immediately upon call termination. Retention period: zero.

5.4. API Keys — Revoked keys are soft-deleted (marked with a revocation timestamp) and excluded from authentication. Key hashes are purged upon account deletion.

6. Your Rights and Choices

Depending on your jurisdiction, you may have the right to:

• Access — Request a copy of the personal information we hold about you
• Correction — Request correction of inaccurate account information
• Deletion — Request deletion of your account and associated data
• Data Portability — Request an export of your usage records in a machine-readable format
• Objection — Object to certain processing of your information

To exercise any of these rights, contact us at support@veevo.ai. We will respond within 30 days, or within the timeframe required by applicable law.

7. End-User (Caller) Privacy

7.1. Veevo processes phone calls on behalf of our Customers (developers). Callers who interact with AI agents deployed through the Service are "end-users."

7.2. End-user data processed during calls (voice audio, phone numbers, transcript content) is handled as described in Section 1.5 — it is processed in volatile memory and not retained by Veevo after the call concludes.

7.3. Customers are responsible for providing appropriate privacy disclosures to their end-users, including notice of AI interaction, call recording/transcription, and data handling practices.

7.4. End-users with privacy inquiries should contact the Customer (the entity that deployed the AI agent). Veevo will cooperate with Customers to address end-user privacy requests where technically feasible.

8. International Data Transfers

The Service is operated from the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States or other jurisdictions where our service providers operate. By using the Service, you consent to such transfers.

9. Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child under 18, we will take steps to delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to the address on your account at least 30 days before taking effect. The "Last Updated" date at the top of this page reflects the most recent revision.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at: