Privacy Policy
Last updated: 8 February 2026
1. Introduction and Identity
Coldread ("we", "us", "our") is a sales call intelligence platform operated by Prestige Corporate Events Ltd, a company registered in England and Wales. We provide AI-powered transcription, analysis, and contact intelligence services for sales teams.
This Privacy Policy explains how we collect, use, store, and protect personal data when you use our platform at coldread.ai (the "Service"). It applies to:
- Account holders ("Customers") who sign up to use Coldread
- Call participants ("Data Subjects") whose calls are processed through Coldread
- Website visitors who browse our website
For the purposes of data protection law, our Customers act as data controllers for the call recordings and associated data they submit to Coldread. We act as a data processor on their behalf. For account data and website visitor data, we act as the data controller.
Contact us about privacy: privacy@coldread.ai
2. Data We Collect
2.1 Account Data (from Customers)
When you create an account, we collect:
- Email address and name (via our authentication provider, Clerk)
- Organisation name and details
- VoIP integration credentials (encrypted with AES-256-GCM)
- Custom configuration (sales stages, tags, compliance checks)
- Billing information (processed by Stripe; we do not store card numbers)
2.2 Call Data (from Call Participants)
When your VoIP provider sends call data to Coldread, we receive and process:
- Call recordings (audio files)
- Call metadata: phone numbers, call direction, duration, timestamps, VoIP provider identifiers
- Speaker identification via automated diarisation (distinguishing who said what)
2.3 AI-Generated Data
Our AI systems automatically generate the following data from call recordings and transcripts. All AI-generated data is clearly labelled as such in our interface.
- Transcripts: Full text transcription of call audio with speaker attribution
- Call analysis: Summaries, sentiment analysis, key moments, action items, competitor mentions
- Professional context: Job title, company, industry, seniority (as mentioned in conversation)
- Behavioural insights: Communication style, decision-making patterns, objections raised, buying signals, stated priorities
- Personal context: Interests, hobbies, and rapport-building topics mentioned during calls
- Compliance analysis: Whether calls meet your defined compliance requirements
- Talk ratio metrics: Speaking time distribution between parties
Important: What we do NOT infer
Coldread does not infer or extract protected characteristics including race, ethnicity, religion, political opinions, sexual orientation, health conditions, disability status, or age from call recordings. We have explicitly removed demographic inference capabilities from our AI analysis pipeline.
2.4 Website Data
When you visit our website, we may collect:
- Cookies set by our authentication provider (Clerk) for session management
- Basic analytics data collected by our hosting provider (Vercel)
3. How We Use Your Data
| Purpose | Data Used | Lawful Basis (GDPR) |
|---|---|---|
| Providing the Service (transcription, analysis) | Call recordings, metadata | Contract (Art. 6(1)(b)) |
| Account management and authentication | Email, name, organisation | Contract (Art. 6(1)(b)) |
| Contact Intelligence profiling | Transcripts, AI-extracted data | Explicit Consent (Art. 6(1)(a) + Art. 22) |
| Call compliance monitoring | Transcripts, analysis | Legitimate Interest (Art. 6(1)(f)) |
| Service improvement and debugging | Error logs, usage patterns (anonymised) | Legitimate Interest (Art. 6(1)(f)) |
| Billing and invoicing | Account data, usage counts | Contract (Art. 6(1)(b)) |
| Legal compliance | As required | Legal Obligation (Art. 6(1)(c)) |
4. AI and Automated Decision-Making
Coldread uses artificial intelligence to process call recordings. This section explains how our AI works, in compliance with GDPR Article 22 (automated individual decision-making, including profiling).
4.1 What Our AI Does
Our AI systems perform the following automated processing:
- Transcription: Converting audio recordings to text with speaker identification
- Call analysis: Extracting summaries, sentiment, key moments, action items, and compliance checks
- Contact Intelligence: Building profiles of call participants based on information mentioned during conversations, including professional context, communication preferences, stated interests, and behavioural patterns
4.2 Contact Intelligence Profiling
Our Contact Intelligence feature constitutes profiling under GDPR Article 4(4). It automatically processes personal data to evaluate certain personal aspects, particularly analysing communication patterns, professional context, and stated preferences.
Key safeguards we have implemented:
- Opt-in only: Contact Intelligence profiling is disabled by default and must be explicitly enabled by the Customer (organisation administrator)
- No protected characteristics: Our AI is instructed not to infer age, race, ethnicity, religion, health status, disability, sexual orientation, or other protected characteristics
- AI-generated labels: All profiling data is clearly marked as "AI-generated" in the user interface
- No sole automated decisions: Coldread does not make decisions with legal or similarly significant effects based solely on automated profiling. The profiling data is provided as an aid to human decision-makers
- Human oversight: Customers can review, edit, and delete any AI-generated profile data
4.3 Your Rights Regarding AI Profiling
Under GDPR Article 22, data subjects (call participants) have the right to:
- Be informed that AI profiling is taking place
- Object to profiling and request that their data not be used for automated analysis
- Request human intervention to review any AI-generated conclusions about them
- Contest any AI-generated profile data they believe to be inaccurate
- Obtain an explanation of how AI conclusions about them were reached
- Request deletion of their AI-generated profile data
To exercise these rights, contact your Coldread Customer (the organisation that recorded the call) directly, or email us at privacy@coldread.ai.
4.4 AI Training
We do not use your call recordings, transcripts, or any personal data to train AI models. Our AI providers process your data only to deliver the requested service, under strict data processing agreements with zero data retention policies enabled.
5. Who We Share Data With (Sub-Processors)
We use the following third-party service providers (sub-processors) to deliver Coldread. Each provider processes data under a Data Processing Agreement (DPA) with appropriate safeguards.
| Provider | Purpose | Data Accessed | Location |
|---|---|---|---|
| Supabase | Database hosting (PostgreSQL) | All stored data: calls, contacts, transcripts, analysis, organisation data | United States (AWS) |
| ElevenLabs | Speech-to-text transcription (primary) | Audio recordings (temporary processing; zero retention enabled) | United States |
| OpenRouter / Anthropic | AI analysis (Claude language model) | Transcripts for analysis (zero data retention enabled) | United States |
| Clerk | Authentication and user management | Email addresses, names, session tokens | United States (GCP) |
| Vercel | Application hosting and serverless functions | API requests, application logs | United States (AWS) |
| Cloudflare (R2) | Audio file storage | Call recordings (encrypted at rest) | United States |
| Inngest | Background job orchestration | Event payloads (call IDs, metadata) | United States (AWS) |
| Stripe | Payment processing | Billing details, subscription data (Stripe handles card data directly) | United States |
We will notify Customers of any changes to our sub-processor list at least 30 days before the change takes effect. If you object to a new sub-processor, you may terminate your agreement with us.
6. International Data Transfers
Coldread's infrastructure is primarily hosted in the United States. If you are located in the UK or European Economic Area (EEA), your personal data will be transferred to the US for processing.
We protect these transfers through the following mechanisms:
- Standard Contractual Clauses (SCCs): We include EU-approved SCCs in our Data Processing Agreements with Customers and in our agreements with sub-processors
- UK International Data Transfer Agreement (IDTA): For UK-based Customers, we use the UK IDTA addendum to the SCCs
- EU-US Data Privacy Framework: Where applicable, our sub-processors participate in the EU-US Data Privacy Framework
A copy of the applicable transfer mechanism is available upon request at privacy@coldread.ai.
7. Data Retention
We retain personal data only for as long as necessary for the purposes described in this policy. Specific retention periods are:
| Data Type | Retention Period | Justification |
|---|---|---|
| Call recordings (audio) | 90 days default (configurable up to 24 months) | Allows reprocessing and dispute resolution; storage cost management |
| Transcripts | 24 months default (configurable) | Core service output; reference for ongoing analysis |
| AI analysis results | 24 months default (configurable) | Business value tied to call data; analytics and reporting |
| Contact Intelligence profiles | Duration of Customer account + 30 days | Ongoing business value; deleted on request or account closure |
| Call metadata (timestamps, duration) | 36 months | Analytics, reporting, and audit purposes |
| Account data (email, name, org) | Duration of account + 30 days | Service delivery; deleted within 30 days of account closure |
| VoIP integration credentials | Duration of integration | Deleted immediately when integration is removed |
| Audit logs | 36 months | Legal and compliance requirements |
When an account is cancelled, we follow this deletion schedule:
- Day 0: Account suspended, data preserved
- Day 14: Final warning notification
- Day 30: All personal data permanently deleted from our database, audio storage, and all sub-processor systems
8. Data Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption in transit: All data transmitted over TLS 1.2 or higher
- Encryption at rest: Database encryption provided by Supabase (AWS), audio files encrypted at rest in Cloudflare R2
- Credential encryption: VoIP API keys encrypted with AES-256-GCM before storage
- Access control: Multi-tenant architecture with organisation-level data isolation; users can only access their own organisation's data
- Private audio storage: Call recordings stored in private cloud storage, accessible only via time-limited signed URLs
- Authentication: Managed by Clerk with support for multi-factor authentication
- Sub-processor controls: Zero data retention and training opt-out enabled on all AI sub-processors
9. Your Rights
9.1 Rights Under UK GDPR and EU GDPR
If you are located in the UK or EEA, you have the following rights:
- Right of access (Art. 15): Request a copy of all personal data we hold about you
- Right to rectification (Art. 16): Request correction of inaccurate personal data
- Right to erasure (Art. 17): Request deletion of your personal data. We will delete your call recordings, transcripts, AI analysis, and contact profile data. See Section 10 for our deletion process
- Right to restrict processing (Art. 18): Request that we limit how we process your data
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format (JSON/CSV)
- Right to object (Art. 21): Object to processing based on legitimate interest
- Right to object to profiling (Art. 22): Object to automated profiling. See Section 4.3 for full details
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing
How to exercise your rights: If you are a call participant, contact the organisation that recorded your call (the data controller). They will coordinate with us to fulfil your request. You may also contact us directly at privacy@coldread.ai.
Response timeline: We will respond to all data subject requests within 30 days. If a request is complex, we may extend this by up to 60 additional days, and we will inform you of the extension.
Supervisory authority: You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk, or with your local EU data protection authority.
9.2 Rights Under CCPA/CPRA (California Residents)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to know: Request the specific categories and pieces of personal information we have collected about you
- Right to delete: Request deletion of your personal information
- Right to correct: Request correction of inaccurate personal information
- Right to opt-out of sale/sharing: We do not sell or share personal information as defined by the CCPA
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights
- Right to limit use of sensitive personal information: You may limit our use of sensitive personal information to what is necessary to provide the Service
To exercise your CCPA rights, email privacy@coldread.ai with "CCPA Request" in the subject line. We will verify your identity before processing your request.
9.3 Rights Under Other US State Privacy Laws
We respect the privacy rights granted by other US state privacy laws, including those in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and other states with consumer privacy legislation. Contact us at privacy@coldread.ai to exercise any applicable rights.
10. Data Deletion Process (Right to Erasure)
When we receive a valid deletion request, we perform a complete cascade deletion across all systems:
- Call recordings are permanently deleted from Cloudflare R2 storage
- Transcripts and AI analysis are permanently deleted from our database
- Contact Intelligence profiles are permanently deleted from our database
- Associated metadata (call records, tags, compliance checks) is permanently deleted
- Confirmation is sent to the requestor once deletion is complete
Important: Because we do not train AI models on individual call data, deletion of your data from our database and storage constitutes full erasure. No personal data persists in any AI model weights.
We retain a minimal audit log of the deletion request itself (date, type of data deleted, confirmation) for 36 months for legal compliance purposes. This log does not contain any personal data from the deleted records.
11. Call Recording Consent
Coldread does not record calls. Call recordings are made by our Customers' VoIP providers (such as Aircall, Ringover, or JustCall) and submitted to Coldread for processing.
Our Customers (data controllers) are responsible for obtaining all necessary consents and authorisations required by applicable law to record calls, including:
- Two-party/all-party consent where required (California, UK, and other jurisdictions)
- Pre-call disclosure that the call will be recorded and analysed by AI
- Separate consent for AI profiling (Contact Intelligence) where applicable under GDPR Article 22
Coldread provides guidance and tools to help Customers manage consent obligations, but the legal responsibility for obtaining consent rests with the Customer. See our Terms of Service for the full consent warranty.
12. Children's Privacy
Coldread is a business-to-business service and is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. Our Customers agree in our Terms of Service not to submit call recordings involving minors. If we become aware that we have processed data of a person under 16, we will delete that data promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify active Customers by email at least 30 days before material changes take effect
- Provide a summary of changes in the notification
Continued use of the Service after the effective date of changes constitutes acceptance of the updated policy. If you do not agree with the changes, you may close your account.
14. Contact Us
For privacy-related enquiries, data subject requests, or complaints:
- Email: privacy@coldread.ai
- Postal address: Prestige Corporate Events Ltd, [Registered address]
We aim to respond to all enquiries within 5 business days. Data subject access requests will be fulfilled within 30 days as required by law.