1. Introduction

BAPP&CO LTD (company number 12728081), with registered office at Cades Mead, Wellington, Somerset, United Kingdom, TA21 9AA (“BAPPCO“, “we“, “us“, “our“) is committed to protecting the privacy and security of your personal information.

This Privacy Policy explains how we collect, use, share and protect personal data when you:

• visit our website;
• use our AI Voice Services;
• communicate with us; or
• otherwise interact with our business.

This Privacy Policy should be read together with our Terms of Service and Acceptable Use Policy.

2. Who We Are and How to Contact Us

Data Controller: BAPP&CO LTD
Registered Address: Cades Mead, Wellington, Somerset, United Kingdom, TA21 9AA
Company Number: 12728081

Contact Details:
For privacy queries, data subject rights requests, or complaints:
Email: [email protected]
Post: Data Protection, BAPP&CO LTD, Cades Mead, Wellington, Somerset, TA21 9AA

3. Scope and Application

3.1 Business-to-Business Focus

BAPPCO provides AI Voice Services exclusively to business customers. This Privacy Policy primarily addresses:

• Business contact data (names, work emails, business phone numbers of employees, directors and representatives of our business customers and prospects); and
• Caller data processed through our AI Voice Services on behalf of our business customers.

3.2 Callers to Our Customers’ Services

If you are a caller interacting with AI Voice Services provided by one of our customers:

• Our customer is the data controller responsible for determining how your personal data is used.
• BAPPCO acts as a data processor on behalf of that customer.
• You should refer to our customer’s privacy notice for information about how they use your data.
• This Privacy Policy explains BAPPCO’s role and responsibilities when processing caller data on behalf of customers.

3.3 Our Own Business Contacts

If you are a business contact (e.g. employee of a customer, prospect, supplier or partner), this Privacy Policy explains how BAPPCO processes your personal data as a data controller for our own business purposes.

4. Legal Basis and Applicable Law

We process personal data in accordance with:

• UK General Data Protection Regulation (UK GDPR)
• Data Protection Act 2018
• Data (Use and Access) Act 2025 (DUAA) (to the extent in force and applicable)
• Privacy and Electronic Communications Regulations (PECR)

5. Personal Data We Collect

5.1 Business Contact Information (Controller)

When you or your organisation engage with BAPPCO as a customer, prospect, supplier or partner, we may collect:

• Identity data: name, job title, employer/organisation
• Contact data: business email address, business telephone number, business postal address
• Account data: username, Account ID, subscription details
• Communications data: records of emails, calls, meetings and support tickets
• Technical data: IP address, browser type, device information, usage logs
• Marketing and preferences data: marketing consent status, communication preferences

5.2 Caller Data Processed on Behalf of Customers (Processor)

When providing AI Voice Services to our customers, we may process the following personal data on behalf of and on the instructions of our customers:

• Identity and contact data: caller’s name, telephone number, email address
• Call content: voice recordings, transcripts, messages left
• Appointment and booking data: names, dates, times, preferences
• Technical data: call metadata (timestamp, duration, call quality metrics)
• Inferred or derived data: sentiment analysis, call summaries, categorisations generated by AI processing

The types and scope of personal data processed will depend entirely on:

• the customer’s configuration and use of the Services; and
• what information callers provide during interactions.

5.3 Website Visitors

When you visit our website, we may automatically collect:

• Technical data: IP address, browser type and version, time zone, operating system, device identifiers
• Usage data: pages viewed, links clicked, time spent, referral sources

We use cookies and similar technologies – see Section 12 for details.

6. How We Use Personal Data

6.1 Business Contacts (Controller Processing)

We use business contact data for the following purposes:

6.2 Caller Data (Processor Processing on Behalf of Customers)

When processing caller data as a processor, BAPPCO processes personal data only on the documented instructions of our customers and for the following purposes:

• Providing AI Voice Services: answering calls, interacting with callers, taking messages, booking appointments
• Call recording and transcription (where configured by the customer)
• AI analysis and automation: sentiment detection, call classification, workflow triggers
• Service delivery and support: troubleshooting, quality monitoring, service improvements
• Legal compliance: retaining records as required by law or to establish/defend legal claims

Our customers (as controllers) determine:

• the purposes and legal bases for processing caller data;
• what data is collected and how it is used;
• retention periods and deletion policies; and
• responses to data subject rights requests.

BAPPCO’s obligations as a processor are set out in our Terms of Service (Section 8–9 and Schedule 1).

6.3 Website Analytics and Improvement

We use technical and usage data to:

• understand how visitors use our website;
• improve website functionality, performance and security;
• analyse trends and measure marketing effectiveness.

Legal basis: Legitimate interests (improving our services and user experience).

7. Sharing Personal Data

7.1 Third-Party Service Providers (Sub-Processors)

BAPPCO uses carefully selected third-party service providers to help deliver the Services. These providers act as sub-processors and may process personal data on our behalf.

Key third-party providers include:

• Vapi – voice AI platform
• ElevenLabs – voice synthesis and generation
• Twilio – telecommunications and telephony services
• com – scheduling and appointment booking
• Cloud infrastructure and hosting providers
• Email and communication platforms
• Analytics and monitoring tools

We require all sub-processors to:

• implement appropriate security measures;
• process personal data only in accordance with our instructions; and
• comply with UK GDPR and equivalent data protection standards.

A current list of key sub-processors is available on request.

7.2 International Data Transfers

IMPORTANT NOTICE:

Personal data processed through the Services may be transferred to, stored in, and processed in countries outside the United Kingdom and European Economic Area (EEA).

While BAPPCO primarily operates within the UK/EEA, our third-party service providers may store or process data in other jurisdictions, including countries that do not provide an equivalent level of data protection to UK law.

Where international transfers occur, we implement appropriate safeguards, which may include:

• Standard Contractual Clauses (SCCs) approved for use under UK GDPR
• Relying on adequacy decisions issued by the UK government
• Other legally recognised transfer mechanisms

You acknowledge that:

• data storage locations used by third-party providers may change without prior notice;
• BAPPCO cannot control or guarantee specific data storage locations; and
• if you are a business customer, you are responsible for assessing whether transfer arrangements meet your obligations to data subjects.

7.3 Legal Requirements and Protection of Rights

We may disclose personal data if required or permitted by law, including to:

• comply with legal obligations, court orders, or requests from regulators or law enforcement;
• establish, exercise or defend legal claims;
• protect the rights, property or safety of BAPPCO, our customers or others; or
• prevent fraud, security threats or illegal activity.

7.4 Business Transfers

If BAPPCO is involved in a merger, acquisition, sale of assets or similar transaction, personal data may be transferred to the acquiring entity, subject to equivalent privacy protections.

7.5 No Sale of Personal Data

BAPPCO does not sell personal data to third parties.

8. Data Retention

8.1 Business Contact Data (Controller)

We retain business contact data for as long as necessary to fulfil the purposes for which it was collected, including:

• Active customers: for the duration of the business relationship plus up to 7 years thereafter for legal, tax and accounting purposes
• Prospects and marketing contacts: until you withdraw consent or request deletion, or until we determine the data is no longer relevant (typically reviewed every 2–3 years)
• Financial and invoicing records: 7 years from end of financial year (as required by UK tax law)
• Legal claims: until the claim is resolved and any appeal period has expired

8.2 Caller Data (Processor)

For personal data processed on behalf of customers, retention periods are determined by the customer (as controller) in accordance with their own policies and legal obligations.

BAPPCO’s standard retention approach (unless otherwise instructed by the customer):

• Call recordings and transcripts: retained as configured by customer, typically 30–90 days unless longer retention is required
• Appointment and booking data: retained for the duration necessary to fulfil bookings plus a reasonable period thereafter
• Logs and metadata: retained for up to 12 months for security, troubleshooting and service improvement purposes

Following termination of a customer’s subscription, BAPPCO will delete or anonymise caller data within 90 days, except where longer retention is required by law or to establish/defend legal claims.

8.3 Deletion and Anonymisation

At the end of the relevant retention period, personal data will be:

• securely deleted or destroyed; or
• anonymised such that it can no longer identify individuals, and may be retained for analytics and research purposes.

9. Your Data Protection Rights

9.1 Rights Under UK GDPR

If you are an individual whose personal data we process as a controller (e.g. a business contact), you have the following rights:

• Right of access – request a copy of the personal data we hold about you
• Right to rectification – request correction of inaccurate or incomplete data
• Right to erasure – request deletion of your personal data (in certain circumstances)
• Right to restriction – request that we limit how we use your data
• Right to data portability – receive your data in a structured, commonly used format
• Right to object – object to processing based on legitimate interests or for direct marketing
• Rights related to automated decision-making and profiling – not be subject to solely automated decisions with significant effects (where applicable)

9.2 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

Email: [email protected]
Post: Data Protection, BAPP&CO LTD, Cades Mead, Wellington, Somerset, TA21 9AA

We will respond to your request within one month (extendable by up to two further months for complex requests). We may need to verify your identity before processing your request.

9.3 Rights for Callers (Processor Data)

If you are a caller whose data is processed through our customer’s use of the Services, BAPPCO processes your data on behalf of that customer.

To exercise your rights regarding that data, you should contact the customer (the organisation you called) directly. They are the controller responsible for responding to your request.

If you contact BAPPCO, we will direct your request to the relevant customer and assist them in responding, where appropriate.

9.4 Right to Withdraw Consent

Where we rely on consent as the legal basis for processing (e.g. marketing emails), you may withdraw consent at any time by:

• clicking the “unsubscribe” link in marketing emails;
• adjusting your account preferences; or
• contacting us using the details above.

Withdrawal of consent does not affect the lawfulness of processing before withdrawal.

9.5 Right to Complain

You have the right to lodge a complaint with the UK data protection supervisory authority:

Information Commissioner’s Office (ICO)
Website: https://ico.org.uk
Telephone: 0303 123 1113
Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

10. Security

10.1 Technical and Organisational Measures

BAPPCO implements appropriate technical and organisational security measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access, including:

• Encryption of data in transit (TLS/SSL) and at rest (where feasible)
• Access controls – role-based permissions, multi-factor authentication
• Security monitoring – logging, intrusion detection, vulnerability scanning
• Incident response procedures – defined processes for detecting and responding to security incidents
• Confidentiality obligations – all personnel with access to personal data are subject to confidentiality commitments
• Regular security reviews and updates to address emerging threats

10.2 Third-Party Security

We require our third-party service providers to implement equivalent security standards and conduct due diligence on their security practices.

10.3 No Guarantee

While we take security seriously, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but will take all reasonable steps to protect personal data.

10.4 Data Breach Notification

In the event of a personal data breach that poses a risk to individuals’ rights and freedoms, we will:

• notify the ICO within 72 hours of becoming aware (where feasible);
• notify affected individuals without undue delay where the breach poses a high risk; and
• for customer data (processor role), notify the customer promptly so they can meet their own notification obligations.

11. Automated Decision-Making and AI Processing

11.1 Use of AI in Services

BAPPCO’s AI Voice Services use artificial intelligence and automated processing to:

• answer and interact with callers;
• transcribe and analyse call content;
• categorise calls and trigger workflows; and
• generate summaries and insights.

11.2 Solely Automated Decisions

Where the Services are configured by a customer to make solely automated decisions that have legal or similarly significant effects on individuals (e.g. automatically approving or denying service requests), Article 22 UK GDPR applies.

Our customers (as controllers) are responsible for:

• ensuring such processing is lawful under Article 22 (e.g. necessary for contract performance, explicit consent, or authorised by law);
• implementing safeguards such as the right to human review;
• informing data subjects about the logic, significance and consequences of automated decisions; and
• providing mechanisms for data subjects to contest decisions.

BAPPCO provides tools and documentation to help customers comply with these obligations, but customers remain solely responsible for ensuring their use of AI features complies with UK GDPR, DUAA and other applicable law.

11.3 Profiling and Analysis

AI processing may involve profiling (automated analysis to evaluate or predict characteristics, behaviour or preferences). Profiling is conducted:

• only on the instructions of customers (when acting as processor); or
• for legitimate business purposes such as service improvement and analytics (when acting as controller, using anonymised/aggregated data where possible).

11.4 AI Output Disclaimer

AI-generated outputs (transcripts, summaries, classifications) may be inaccurate, incomplete or inappropriate. BAPPCO and our customers should review AI outputs and not rely solely on them for critical decisions without human oversight.

12. Cookies and Tracking Technologies

12.1 What Are Cookies?

Cookies are small text files stored on your device when you visit a website. They help websites function, improve user experience and provide analytics.

12.2 Cookies We Use

Our website may use the following types of cookies:

12.3 Managing Cookies

You can control and delete cookies through your browser settings. Note that disabling certain cookies may affect website functionality.

For more information:

• aboutcookies.org
• allaboutcookies.org

To opt out of Google Analytics: tools.google.com/dlpage/gaoptout

12.4 Do Not Track Signals

Our website does not currently respond to “Do Not Track” browser signals, but you can control cookies as described above.

13. Children’s Privacy

BAPPCO’s Services are not directed at children under the age of 18 and are intended for business use only.

We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected data from a child, we will delete it promptly.

If you believe we have collected data from a child, please contact us immediately.

14. Third-Party Links

Our website may contain links to third-party websites, services or resources. BAPPCO is not responsible for the privacy practices or content of third-party sites.

We encourage you to review the privacy policies of any third-party sites you visit.

15. Marketing and Communications

15.1 Marketing Emails

If you are a business contact, we may send you marketing communications about our products, services, events and offers where:

• you have consented to receive marketing; or
• we have a legitimate interest (e.g. you are an existing customer and we are marketing similar services), and you have not opted out.

15.2 Opt-Out

You can opt out of marketing communications at any time by:

• clicking the “unsubscribe” link in any marketing email;
• updating your preferences in your Account settings; or
• contacting us at [email protected]

15.3 Service Communications

Even if you opt out of marketing, we may still send you essential service communications (e.g. account notifications, billing, security alerts, legal updates) as necessary to fulfil our contract with you.

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, legal requirements or for other operational reasons.

Material changes will be notified to customers by email and/or prominent notice on our website at least 30 days before the changes take effect.

The “Last updated” date at the top of this policy indicates when it was last revised.

We encourage you to review this Privacy Policy periodically.

17. Contact Us and Further Information

If you have any questions, concerns or requests regarding this Privacy Policy or how we handle your personal data, please contact us:

Data Protection Contact:
Email: [email protected]
Post: Data Protection, BAPP&CO LTD, Cades Mead, Wellington, Somerset, United Kingdom, TA21 9AA

General Enquiries:
Email: [email protected]

18. Definitions

Terms defined in our Terms of Service (e.g. “Services”, “Customer Data”, “AI Voice Services”, “Controller”, “Processor”, “UK GDPR”) have the same meaning in this Privacy Policy.

END OF PRIVACY POLICY

This Privacy Policy was prepared in accordance with UK GDPR, Data Protection Act 2018, Data (Use and Access) Act 2025 (where applicable), and Privacy and Electronic Communications Regulations. It should be read together with BAPPCO’s Terms of Service and Acceptable Use Policy.