MyDaddy.io (“MyDaddy.io”, “we”, “us”) provides a business phone system and AI agent stack for small teams. This policy describes what data we collect, why, how long we keep it, and the choices you have. It applies both to visitors to mydaddy.io and to workspaces created on the platform.
1. Who this policy covers
- Visitors to our marketing site (mydaddy.io, /home.html, /integrations.html, etc.) — anonymous browsing.
- Workspace owners & agents — people who sign up for an account and configure the phone system.
- End users of a workspace — the customers, prospects, and website visitors who interact with a workspace's AI agent or call its phone numbers.
If you're an end user of a workspace (for example, someone calling a business that uses MyDaddy.io), the business — not MyDaddy.io — is the data controller for the record of that interaction. MyDaddy.io acts as the data processor on that business's behalf. Data subject requests should go to that business first. We'll honour the request if they direct us to.
2. What we collect
2.1 Account data
- Name, email, and authentication identity (Google, Microsoft, or username + password).
- Workspace name, subdomain, and the combo (region) your workspace runs on.
- Per-workspace single sign-on configuration (identity-provider details and credentials) if you've enabled it.
- Billing contact information (when a paid plan is active).
2.2 Phone data
- Outbound and inbound call metadata: extension, to/from phone number, start/end time, outcome, duration.
- SMS metadata: to/from, timestamp, delivery status.
- Registration state for desk phones and softphones (username, device, last seen).
- Call recordings and voicemail audio — only when the workspace has those features enabled.
- AI-generated call transcripts and voicemail transcriptions — only when the workspace has those features enabled.
2.3 AI agent sessions
- Chat/voice transcripts between an end user and the embedded site widget.
- Verification metadata (one-time SMS code delivery status — the code itself is never stored in plaintext after use).
- Inferred intent and a session summary the AI agent writes back to the workspace's CRM/helpdesk, if one is connected.
- For the AI caller agent: the list of leads pulled from the connected CRM under the filters you've configured, plus each call's outcome.
2.4 Integration data
- Access tokens for CRMs and helpdesks you connect (Zoho CRM, Zoho Desk, Freshdesk, etc.). Stored per workspace and used only to read/write records on your behalf.
- Webhook destination URLs and the signing secrets you configure.
2.5 Product telemetry
- Anonymous request logs at the edge (nginx access logs; retained 30 days and then rotated).
- Aggregate usage metrics in Graphite / Grafana (call volume, active workspaces, error rates). No per-call payload is included.
- Crash/exception traces from the sip-server and portal, scrubbed of caller/callee identity before storage.
2.6 Cookies
- Session cookies for portal login (sessionid, csrftoken) — essential, first-party, HTTP-only.
- No advertising, no cross-site tracking. We do not use Google Analytics or similar third-party trackers on the marketing site.
3. How we use it
- To run your phone system: route calls, deliver SMS, keep phones registered, store voicemail and recordings, transcribe audio when asked.
- To run your AI agents: process a visitor's chat/voice with your configured LLM / STT / TTS providers, keep transcripts for review, update your CRM/helpdesk with session summaries.
- To secure the platform: rate-limit abusive traffic, detect fraudulent calls, investigate incidents.
- To bill you: track usage against the plan you're on.
- To communicate service updates: outages, security patches, significant feature changes.
We do not sell personal data, share it with advertisers, or train our own foundation models on your workspace content. Third-party AI providers (OpenAI, Deepgram, ElevenLabs, etc.) process content on a per-request basis under their own data-processing terms; you can see the current list inside your workspace settings and can swap providers.
4. Legal bases (GDPR)
- Performance of a contract: running the phone system and agents you've signed up for.
- Legitimate interest: platform security, abuse prevention, aggregate product metrics.
- Consent: optional features such as call recording, AI transcription, and the AI caller agent. You enable these in the portal — disabling them stops collection going forward.
- Legal obligation: responding to valid court orders and subpoenas.
5. Retention
- Account + workspace config: kept while the workspace is active; deleted within 30 days of workspace deletion.
- Call/SMS metadata: 13 months by default (configurable per workspace).
- Call recordings & voicemail: 90 days by default (configurable; can be 0 to disable).
- AI chat/voice transcripts: 90 days by default.
- Edge access logs: 30 days, then rotated.
- Backups: encrypted daily Postgres snapshots retained 35 days.
Workspace admins can override any of these retention knobs under Settings → Retention.
6. Sharing
We only share data with processors that are essential to operating the service:
- Phone carriers you provision (Twilio, SignalWire, Telnyx, Bandwidth, or any other phone provider) — they see the minimum call data they need to carry the call.
- AI providers you select (OpenAI, Deepgram, ElevenLabs, etc.) — they see only the specific request content needed for a single inference.
- CRMs & helpdesks you connect (Zoho CRM, Zoho Desk, Freshdesk, etc.) — they receive the records you've authorised the workspace to write.
- Our cloud hosting provider — for compute, network, and storage underlying the MyDaddy.io platform.
- Authorities, when compelled by valid legal process. We push back on overbroad requests.
7. International transfers
Each MyDaddy.io workspace is pinned to a combo (a regional server instance). Your workspace's Postgres row records the combo id, and every call / agent session for that workspace is handled on that combo's infrastructure. If you need your data to stay in a specific jurisdiction, choose a combo located there during signup. Cross-combo transfer only happens with an explicit admin action (migration between regions).
8. Security
- Encrypted (TLS) connections for all public traffic, including browser calling and the admin portal.
- Phone signalling is encrypted end-to-end where your phone provider supports it.
- Per-workspace credential isolation: CRM tokens, provider keys, and embed keys stay scoped to the workspace they belong to.
- Our managed database is the source of truth for workspace config; fast caches store only what the phone system needs at call time.
- Third-party credentials are never logged or returned through the portal API.
- Superadmin actions are recorded in an append-only audit log.
9. Your rights
Depending on where you live (GDPR, UK GDPR, CCPA/CPRA, etc.) you may have the right to:
- Access a copy of the personal data we hold about you.
- Correct inaccurate data.
- Delete your data (subject to retention we're legally required to keep).
- Port your data to another service.
- Object to or restrict certain processing.
- Withdraw consent to optional features (recording, AI transcription, AI caller agent).
Email privacy@mydaddy.io from the address on your workspace. We'll reply within 30 days.
10. Children
MyDaddy.io is a B2B product. It is not intended for, and not marketed to, anyone under 16. If you believe a child's data has been collected by a workspace, email privacy@mydaddy.io so we can work with the workspace admin to remove it.
11. Changes to this policy
We'll post material changes to this page and update the “Last updated” date at the top. If a change meaningfully reduces your rights, we'll also email workspace admins at least 14 days before the change takes effect.
12. Contact
Privacy questions, data-access or deletion requests, and security reports all go to privacy@mydaddy.io. For general product questions, see the Contact page or chat with us through the widget on this site.