Compliance & Privacy

Coldread is built with GDPR compliance and data privacy at its core. Learn about our security practices and data handling.

GDPR compliance

Coldread is designed to comply with GDPR requirements for call recording and AI processing:

  • Data deletion endpoint for right to erasure (Article 17)
  • Data Processing Agreements (DPAs) available on request
  • Sub-processors documented and accessible
  • No sensitive attribute inference (race, religion, health)

Call recording consent

Your responsibility: Ensure you have legal consent to record calls in your jurisdiction. Coldread processes recordings but does not manage consent collection.

Two-party consent states (US): CA, DE, FL, IL, MD, MA, MT, NV, NH, PA, WA. UK/EU: GDPR requires explicit consent with opt-out.

Data retention

Coldread retains call data according to your organization settings:

  • Default retention: 24 months for recordings, 36 months for profiles
  • Configurable: Adjust retention periods in Settings
  • Deletion: Data is permanently deleted after the retention period expires

Data security

  • All data encrypted at rest (AES-256)
  • TLS 1.3 for data in transit
  • Access logs and audit trails
  • Role-based access control (RBAC)

Sub-processors

Coldread uses third-party services for transcription, AI analysis, and infrastructure. See our full list of sub-processors:

View Sub-Processors →

Data deletion

To request data deletion (GDPR Article 17), contact privacy@coldread.ai. We will process deletion requests within 30 days.