Privacy Policy
Zuletzt aktualisiert 12 July 2026
Language notice: This Policy is provided in English and applies to the Service in every market. Please contact us if you need help understanding it.
This Policy explains how Totally Comms, trading as Totally Called (we, us), handles personal data when you visit our website, contact us, or use Totally Called (the Service). For privacy questions or requests, email privacy@totallycomms.com.
1. Our role
We are a controller for account administration, billing, security, support, regulatory onboarding, and our own website and business communications. A Customer is normally the controller for its contacts, calls, messages, recordings and CRM information, and we process that data on the Customer's instructions. If your data appears in a Customer's communications, contact that Customer first where practical; we will assist it with valid requests.
2. Personal data we collect
- Account and identity data — name, business email, user ID, organisation, role, permissions and authentication information.
- Customer and regulatory data — business details, service address, billing country, requested numbers, verified caller IDs, emergency or regulatory address information, and documents or identifiers required by carriers or authorities.
- Communications data — caller and recipient numbers, direction, timestamps, duration, status, disposition, routing and delivery information; SMS content and thread state; and recordings where the Customer enables recording.
- CRM data — Pipedrive organisation and user identifiers, OAuth credentials, contact name, phone number, contact/deal/owner identifiers, open-deal context, and activities needed to match and log communications. We do not copy the Customer's entire CRM database.
- Billing data — plan, subscription and invoice status, metered usage, currency, Stripe customer/subscription/payment references, and payment events. Stripe receives card details directly; we do not store full card numbers.
- Support and business communications — messages you send us, attachments, contact details, and our response history.
- Technical, security and usage data — IP address, device and browser information, authentication and audit events, request identifiers, errors, service configuration, blocklist entries and operational logs. Logs are designed to mask phone numbers, tokens and message bodies.
We receive data from you, your account administrator and users, communications participants, Pipedrive, PropelAuth, Twilio, Stripe, AWS, devices and browsers, and public or official sources used for business and regulatory checks. Some information is required to provide the Service or obtain a phone number; without it, we may be unable to open or operate the account.
3. How and why we use personal data
| Purpose | Typical UK lawful basis when we are controller |
|---|---|
| Open and administer accounts; provide calling, messaging, recording, CRM logging, support and billing | Performance of a contract; legitimate interests in providing a business service |
| Provision numbers and meet carrier, tax, accounting, fraud-prevention, telecoms and lawful-request obligations | Legal obligation; contract; legitimate interests |
| Authenticate users, secure the Service, prevent abuse, investigate incidents, enforce terms and maintain audit records | Legitimate interests in security and protecting customers and networks; legal obligation where applicable |
| Monitor reliability, diagnose faults, reconcile carrier events and improve existing Service features | Legitimate interests in operating and improving the Service |
| Respond to enquiries and send essential account, service, security and legal notices | Contract; legitimate interests; legal obligation |
Where we act as processor, the Customer determines the lawful basis. We do not sell personal data, use Customer call or message content for advertising, or use it to train general-purpose AI models. We do not make decisions producing legal or similarly significant effects about individuals solely by automated means.
4. Call recording and sensitive information
Customers choose whether to record calls and are responsible for notices, consent, lawful basis and industry requirements. The Service can play a recording announcement, but the Customer must configure and use it lawfully. Calls and messages may reveal sensitive or special-category information even though the Service is not designed to request it. Do not use the Service to collect payment-card, health or other sensitive information unless the Customer has established an appropriate lawful and secure process.
5. Who receives personal data
We disclose data only as needed to operate the Service, follow Customer instructions, complete a transaction, protect rights and safety, or comply with law. Recipients include:
| Provider or recipient | Purpose and data involved |
|---|---|
| Amazon Web Services (AWS) | Hosting, databases, queues, encryption and object storage for Service data and recordings. |
| Twilio | Phone numbers, identity and regulatory checks, call and SMS carriage, delivery metadata, and temporary recording handling. |
| PropelAuth | User authentication, identity, organisation membership and invitations. |
| Stripe | Payments, invoicing, subscriptions, fraud prevention and related billing records. |
| Pipedrive | The connected CRM chosen by the Customer; we read and write relevant data at the Customer's direction. |
| Sentry, if enabled for the Service | Error monitoring using scrubbed technical context. We do not intentionally send message bodies, recordings or authentication tokens. |
| Professional advisers, authorities and transaction parties | Legal, accounting, insurance, security, corporate transactions, and lawful requests, limited to what is necessary. |
Providers may act as our processors, subprocessors, or independent controllers depending on the activity. Where required, we contractually require processors to protect personal data. We do not permit them to use Customer Data for their own advertising.
6. International transfers and storage locations
Primary Service storage is hosted by AWS in Ireland (eu-west-1). Recordings may be replicated to AWS in Frankfurt (eu-central-1) for resilience. Calls, messages, authentication and payments may be processed outside the UK and European Economic Area by global providers, including in the United States. Where restricted-transfer rules apply, we rely on an adequacy decision or approved contractual safeguards, such as the UK International Data Transfer Addendum or Agreement and EU Standard Contractual Clauses, together with supplementary measures where appropriate. You may request more information from privacy@totallycomms.com.
7. Retention
We use the following criteria rather than keeping every category for a single fixed period:
- Account, communications, CRM and recording data is kept while the account is active and afterwards while reasonably needed to close the service, respond to requests, resolve disputes, enforce agreements, and meet legal obligations. The Customer may request communications-data erasure or account closure, subject to lawful exceptions.
- Phone numbers may be released 60 days after billing suspension. An account is flagged for full offboarding after 120 days, but deletion is operator-reviewed so that regulatory, dispute, or recovery needs can be checked.
- Billing, tax and transaction records are kept for the period required by applicable tax, accounting and limitation rules.
- Security and audit records are kept for as long as reasonably necessary to investigate abuse, protect the Service and establish legal claims.
- Backups and recording replicas are deleted or overwritten through controlled lifecycle and offboarding processes. Where immediate deletion is not technically possible, data is isolated from ordinary use until deletion.
We consider the amount, sensitivity and purpose of the data, risk of harm, Customer instructions, technical dependencies, and legal requirements when applying these criteria. We may retain a minimal suppression or request record to honour an objection or demonstrate compliance.
8. Security
We use organisational and technical safeguards designed to protect personal data, including tenant isolation, role-based access, encryption in transit and at rest, restricted infrastructure access, masked logs, audit controls, backups, and verification before deleting archived recordings from the carrier. No system is completely secure. Customers are responsible for user access, devices, passwords, connected-account permissions and lawful configuration.
9. Your rights
Depending on where you live and the circumstances, you may have rights to access, correct, erase, restrict or object to processing; receive portable data; and withdraw consent where processing relies on consent. You may also object to direct marketing at any time. These rights can be limited by law and do not always apply where we act only on a Customer's instructions.
Email privacy@totallycomms.com with your request. We may need to verify your identity and locate the relevant Customer account. We will not discriminate against you for exercising a privacy right. UK individuals may complain to the Information Commissioner's Office; EEA individuals may contact their local supervisory authority, and individuals elsewhere may contact their local privacy regulator. We encourage you to contact us first so we can try to resolve the issue.
10. Website storage and cookies
Our public marketing website does not set analytics or advertising cookies and does not run advertising trackers. The Service and embedded applications may use strictly necessary browser storage to maintain authentication, security, organisation selection, user preferences such as theme, and application state. Connected providers, including PropelAuth, Pipedrive and Stripe, may set their own necessary cookies on their domains under their policies. If we add non-essential analytics or advertising technology, we will update this Policy and request consent where required.
11. Children
The Service is a business product and is not directed to children. You must be at least 18 and authorised by a business to create an account. We do not knowingly collect children's personal data as an account provider. Customer communications may incidentally involve minors; the Customer remains responsible for that processing.
12. Changes to this Policy
We may update this Policy as the Service, providers or law change. We will post the new version here and change the date above. Where a change materially affects how we use account data, we will give reasonable notice through the Service or by email where practicable.
13. Contact
Contact Totally Comms about privacy at privacy@totallycomms.com. For support or account closure, contact support@totallycalled.com.