Privacy Policy
Voice Edge
Last updated: 27 June 2026 · Version 1.0
Data controller: [RAZÓN SOCIAL DEL PROVEEDOR], holding tax ID [CIF] and with registered office at [DOMICILIO SOCIAL] (the "Provider"). Voice Edge is the commercial brand of the cloud PBX and contact-centre service provided by the Provider through the domain ellisce.com. Privacy contact: [EMAIL DE PRIVACIDAD]. Data Protection Officer (DPO): [DPO, if applicable].
This Policy explains how the Provider processes the Personal Data for which it is the Controller: the Account Data of Authorized Users. It does not govern Customer Data (contacts, recordings, transcriptions, call detail records (CDR), among others): with respect to that data the Provider acts as Processor and section 2 of this Policy, the service agreement and the Data Processing Agreement (DPA) prevail.
1. Who the Controller is and how to make contact
1.1. The Controller of the data described in this Policy is [RAZÓN SOCIAL DEL PROVEEDOR], [CIF], [DOMICILIO SOCIAL].
1.2. For any question about this Policy or about the processing of Personal Data by the Provider, and to exercise the rights set out in section 8, the contact channel is [EMAIL DE PRIVACIDAD]. Where the Provider has appointed a Data Protection Officer, its contact details are [DPO, if applicable].
1.3. Processing is governed by Regulation (EU) 2016/679 (GDPR), Organic Law 3/2018 on the Protection of Personal Data and the guarantee of digital rights (LOPDGDD), Law 34/2002 on information society services and electronic commerce (LSSI-CE), Directive 2002/58/EC (ePrivacy) and, as regards commercial communications and electronic communications services, Law 11/2022, the General Telecommunications Act.
2. What this Policy covers and what it does not: data protection roles
2.1. The Provider is the Controller only in respect of Account Data: the data of Authorized Users (identification, credentials and security, technical data, approximate IP-based geolocation, session cookies, support) and the billing data of the Customer's account. This Policy governs that processing.
2.2. The Provider is the Processor, and not the Controller, in respect of Customer Data: the contacts and lists that the Customer uploads to the Service, and the recordings, transcriptions, metadata, call detail records (CDR), tags, notes and other content generated by the calls the Customer makes or receives. The Controller of that data is the Customer. The Provider stores and processes it on the Customer's instructions, under the terms of the service agreement and the Data Processing Agreement (DPA).
2.3. Accordingly, individuals whose data appears within Customer Data (for example, the Call Parties to the calls or the contacts in the Customer's lists) must address their requests and the exercise of their rights to the Customer as Controller, through the Customer's own privacy policy. The Provider, as Processor, will assist the Customer in accordance with the DPA but does not decide on its own about that data.
2.4. The remainder of this Policy concerns Account Data only.
3. Categories of Personal Data processed by the Provider
3.1. Identification data. The Authorized User's name and surname, email address, the Customer organisation they belong to and their role or permissions within it.
3.2. Credentials and security data. The password, always stored in hashed form and never in clear text; the status and secret of the second authentication factor (TOTP) where the User enables it; short-lived email verification and password reset tokens; session identifiers; and security records (logins, failed attempts, session revocation and closure, credential changes).
3.3. Technical and connection data. IP address, user agent (browser and device) and usage timestamps (last login and last activity of each session).
3.4. Approximate IP-based geolocation. The country derived from the session's IP address. The Provider uses it for security purposes: to detect access from a country other than the one where the session started and to close the session where appropriate. The derivation is performed locally, using a geolocation database installed on the Provider's infrastructure, without querying any third party. No precise or GPS location is obtained.
3.5. Session cookies. A technical cookie necessary to keep the Authorized User's session signed in and to protect it against unauthorised access. See section 11.
3.6. Billing data. The contracted plan, Service usage (among others, artificial-intelligence credits and prepaid wallet balance), billing data and the data needed to process payment through the payment provider. The Provider does not store full card details; payment is handled by the provider named in section 5.
3.7. Support data. The content of the support tickets and of the support-thread messages that the Authorized User sends to the Provider, together with the account data associated with the request.
3.8. Source of Account Data. The Authorized User provides their data directly upon registration or, where their account is created by the administrator of the Customer organisation (for example, by invitation), the Provider receives from the Customer the identification data needed to set up the account (name, email address and role). In that case, the Account Data originates from the Customer and this Policy is made available to the Authorized User on their first access to the Service (Art. 14 GDPR).
4. Purposes and legal bases
4.1. Provision of the Service and account management. Creating and administering the Authorized User's account, authenticating them, assigning them to the Customer organisation and their permissions, and enabling them to use the contracted features (among others, the webphone, call flows, queues, campaigns, reports). Legal basis: performance of the contract (Art. 6(1)(b) GDPR).
4.2. Billing and collection. Issuing invoices, collecting payment for the Service, monitoring usage and balance, and managing non-payment. Legal basis: performance of the contract (Art. 6(1)(b) GDPR) and compliance with legal accounting and tax obligations (Art. 6(1)(c) GDPR).
4.3. Security of accounts and of the Service. Recording logins and security events, applying access-attempt limits, blocking abusive IP addresses, maintaining the second authentication factor and closing sessions on a change of connection country. Legal basis: the Provider's legitimate interest (Art. 6(1)(f) GDPR) in protecting accounts and the Service against unauthorised access and fraud and, where applicable, compliance with legal obligations (Art. 6(1)(c) GDPR).
4.4. Support. Handling and resolving requests submitted through the support module. Legal basis: performance of the contract (Art. 6(1)(b) GDPR) and the legitimate interest in providing adequate support (Art. 6(1)(f) GDPR).
4.5. Service communications. Sending operational and security notices relating to the account (for example, email verification, password reset, material changes to the Service or to this Policy, and support updates). Legal basis: performance of the contract (Art. 6(1)(b) GDPR) and legitimate interest (Art. 6(1)(f) GDPR). These communications are not marketing and are necessary to use the Service.
4.6. Legal compliance and defence of claims. Retaining the information strictly necessary to respond to requests from competent authorities and to bring or defend claims. Legal basis: compliance with legal obligations (Art. 6(1)(c) GDPR) and legitimate interest (Art. 6(1)(f) GDPR).
4.7. Cookies. The technical session cookie described in section 11 is necessary to provide the Service and is exempt from consent under Art. 22(2) LSSI-CE. Should the Provider in future introduce non-necessary cookies (for example, analytics), it would seek the user's prior consent (Art. 6(1)(a) GDPR) and update this Policy.
4.8. Legitimate interest balancing. For the processing based on the Provider's legitimate interest (clauses 4.3, 4.4, 4.5 and 4.6), the Provider has carried out the balancing test required by Art. 6(1)(f) GDPR between that interest and the rights and freedoms of the Authorized User. The User may object to this processing on grounds relating to their particular situation, in accordance with Art. 21 GDPR, by contacting [EMAIL DE PRIVACIDAD].
4.9. Automated decisions. The Provider does not take decisions based solely on automated processing that produce legal effects concerning the Authorized User or similarly significantly affect them, within the meaning of Art. 22 GDPR. The automatic closure of a session on a change of connection country (clause 4.3) is a security measure and not a decision of that nature.
5. Recipients and the Provider's processors
5.1. The Provider does not sell Account Data and does not disclose it to third parties for their own purposes. To provide the Service it relies on suppliers that process Account Data on the Provider's behalf, as Processors, under a contract compliant with Art. 28 GDPR:
5.2. Hosting and infrastructure: [PROVEEDOR DE HOSTING/INFRAESTRUCTURA], to host the application and the database.
5.3. Transactional email: [PROVEEDOR DE EMAIL TRANSACCIONAL], to send the account and security emails described in clause 4.5.
5.4. Payment processing: [PROVEEDOR DE PAGO], to process payment for the Service.
5.5. The suppliers that process Customer Data (among others, Deepgram for speech transcription and the language-model provider or providers accessed through a gateway, for example [OpenRouter], for quality control and the AI assistant) act as Sub-processors in respect of that data and are set out in the Data Processing Agreement (DPA), not in this Policy, because they process Customer Data and not Account Data.
5.6. The Provider may disclose Account Data to authorities, courts or law-enforcement bodies where there is a legal obligation or a valid request.
6. International transfers and Data Region
6.1. Account Data is hosted and processed mainly within the European Union. Certain Processors —in particular payment processing and transactional email (clauses 5.3 and 5.4)— may process limited data outside the European Economic Area, in which case the safeguards in clause 6.3 apply.
6.2. The Data Region (EU or the Americas) determines where the Service's data is hosted and processed and is chosen by the Customer for its organisation. The Provider currently delivers the Service from the European Union region. Where the Customer selects the Americas region, the Provider will deliver it on the terms of the service agreement and the DPA. PBX telephony is processed to the GDPR standard regardless of the Data Region. The transfers and safeguards applicable to the chosen Data Region are governed by the DPA, including, where appropriate, the Standard Contractual Clauses.
6.3. Should any of the Provider's Processors process Account Data outside the European Economic Area, that transfer would rely on an adequacy decision of the European Commission or, failing that, on the Standard Contractual Clauses approved by the Commission together with any appropriate supplementary safeguards (Arts. 44 to 49 GDPR).
7. Retention periods
7.1. Account data. For as long as the Authorized User's account is active and the relationship with the Customer subsists.
7.2. After termination. Once the account or the contractual relationship ends, the Provider deletes or anonymises Account Data within 30 days, unless it must retain it under the obligations in clause 7.5.
7.3. Sessions and associated technical data. Until the session expires, is closed by the User or is revoked. Security records are kept for 12 months.
7.4. Email verification and password reset tokens. For their brief validity period; they expire automatically.
7.5. Billing data. For the periods required by the applicable commercial and tax legislation (in Spain, as a general rule, those set out in the Commercial Code and in tax legislation).
7.6. Support data. For the duration of the contractual relationship and, thereafter, for the period needed to meet legal obligations and to defend against possible claims.
8. Data protection rights
8.1. The Authorized User may exercise, in respect of their Account Data, the rights of access, rectification, erasure, objection, restriction of processing and portability, and may withdraw consent where processing is based on it, without this affecting the lawfulness of processing carried out beforehand.
8.2. To exercise them, a request to [EMAIL DE PRIVACIDAD] stating the right being exercised is sufficient. The Provider may ask for reasonable information to verify the requester's identity. The exercise is free of charge and is answered within one month, extendable in accordance with Art. 12 GDPR.
8.3. Some of these rights can be exercised directly from the Service's panel: the Authorized User can view and update their data, review and revoke active sessions and manage the second authentication factor from the account section.
8.4. Requests concerning Customer Data (for example, from a Call Party or a contact in a list) must be addressed to the Customer as Controller, as set out in clause 2.3.
9. Complaint to the supervisory authority
9.1. The Authorized User has the right to lodge a complaint with the Spanish Data Protection Agency (AEPD), C/ Jorge Juan 6, 28001 Madrid, www.aepd.es, or with the supervisory authority of their Member State of residence, if they consider that the processing of their Account Data infringes data protection law. Beforehand, they may contact the Provider through [EMAIL DE PRIVACIDAD].
10. Security measures
10.1. The Provider applies technical and organisational measures appropriate to the risk, in accordance with Art. 32 GDPR. These include: encryption of communications in transit; storage of passwords using a hash function, never in clear text; a second authentication factor (TOTP) available to Users; role- and permission-based access control; isolation of data by Customer organisation; logging of security events; access-attempt limits; blocking of abusive IP addresses; and closure of sessions on a change of connection country.
10.2. The Provider does not provide legal advice. The Customer is responsible for the regulatory compliance of its own activity, including the lawfulness of recording calls, the legal basis for contacting the individuals on its lists, and compliance with telemarketing and advertising-exclusion rules, on the terms of the service agreement and the DPA.
11. Cookies
11.1. The Service uses a technical session cookie, necessary to authenticate the Authorized User, keep their session signed in and protect it against unauthorised access. Without this cookie the Service cannot operate.
11.2. The Provider does not use advertising cookies or third-party tracking cookies, either on the ellisce.com site or in the Service's panel. Because it is necessary, the session cookie is exempt from consent under Art. 22(2) LSSI-CE.
11.3. Should non-necessary cookies be introduced in future, the user's prior consent would be sought and this section would be updated.
12. Changes to this Policy
12.1. The Provider may amend this Policy. The version in force is always the one published at ellisce.com, identified by its version number and its last-updated date.
12.2. Where the changes are material, the Provider will give notice by email or through the Service's panel a reasonable time before they take effect.