Privacy Policy

Elion AI ("we", "us") provides AI voice agents that handle phone calls on behalf of your business. To deliver this service, we process voice and text data from those calls. This policy explains what we collect, how we use it, who we share it with, and your rights over the data.

If you are an end caller (someone calling a business that uses Elion AI), the business operating the agent is the data controller of your conversation. Elion AI acts as their data processor.

We collect the following categories of data when you use Elion AI:

• Account data: name, email, password hash, and authentication metadata for signing in.
• Business data: your business name, industry, hours, services, pricing, FAQs, and any context you upload to train your agent.
• Call audio: recordings of calls handled by your agent. Stored as encrypted audio files associated with your account.
• Transcripts: machine-generated text transcripts of every call, including timestamps and speaker turns.
• Lead data: structured fields the agent captures during a call — typically caller name, phone number, intent, requested time, and any custom fields you configure.
• Call metadata: phone numbers (caller and called), call duration, start/end timestamps, outcome, and routing information from the carrier.
• Usage and billing data: minutes consumed, plan tier, invoice records, and payment method tokens (we never see full card numbers — see Stripe below).
• Technical data: IP address, browser, device type, and dashboard activity logs used for security and debugging.

We use the data above strictly to operate the Service for you. Specifically:

• To answer calls, transcribe audio, generate responses, and synthesize voice replies in real time.
• To deliver leads, summaries, and notifications to the destinations you configure (email, CRM, calendar).
• To show you call history, recordings, transcripts, and analytics in your dashboard.
• To bill correctly for usage, send receipts, and manage your subscription.
• To detect and prevent abuse, fraud, and security incidents.
• To debug issues you report and improve reliability of the Service.
• To comply with legal obligations and respond to lawful requests.

We do not sell your data. We do not use your call audio, transcripts, or business data to train shared AI models. We do not use this data for advertising or share it with advertising networks.

Elion AI is built on top of specialized providers. To deliver the Service, your data is processed by the following sub-processors. Each is bound by a data processing agreement with us.

• Twilio: telephony — provisions phone numbers, routes inbound and outbound calls, and streams audio to our pipeline. Twilio receives call metadata and audio. https://www.twilio.com/legal/privacy
• Vapi: real-time voice AI orchestration — runs the speech-to-text, LLM, and conversation state machine that powers your agent. Vapi processes call audio and transcripts during the call.
• ElevenLabs: voice synthesis — converts the agent's text responses into spoken audio. ElevenLabs processes the text the agent says (not caller audio).
• Anthropic / OpenAI: large language model inference for understanding intent and generating responses. Transcript text is sent to these providers under zero-data-retention agreements where available.
• Supabase: database and authentication — stores your account, business config, transcripts, leads, and call metadata in encrypted Postgres.
• Cloudflare R2 / AWS S3: object storage for call audio recordings, encrypted at rest.
• Stripe: payment processing — handles subscriptions and invoicing. We never see your full card number; Stripe stores it as a tokenized payment method.
• Railway: application hosting — runs the Elion AI backend services that orchestrate calls and serve the dashboard.

Your data is stored on infrastructure located primarily in the United States and the European Union. We apply the following safeguards:

• Encryption in transit: all connections use TLS 1.2+.
• Encryption at rest: audio files, database rows, and backups are encrypted on disk.
• Access control: production data access is restricted to a small set of engineers, requires SSO and MFA, and is logged.
• Tenant isolation: every record is scoped to a tenant ID; row-level security enforces that one customer cannot read another's data.
• Secrets management: API keys and credentials are stored in encrypted secret managers, never in code.
• Monitoring: we log security events and review them for anomalies.

No system is perfectly secure. If we become aware of a breach affecting your data, we will notify you without undue delay and within the timeframes required by applicable law.

• Call audio: retained for 30 days by default, then permanently deleted. You may shorten or extend this in your settings (subject to plan limits).
• Transcripts and lead data: retained for the life of your account so you can search history. Deleted on account closure.
• Account and billing records: retained for as long as your account is active, plus up to 7 years after closure where required for tax and legal compliance.
• Backups: purged on a rolling 90-day schedule after deletion from primary systems.

Depending on where you live, you may have the following rights over your personal data:

• Access: request a copy of the personal data we hold about you.
• Rectification: correct data that is inaccurate or out of date.
• Deletion: ask us to delete your data, subject to legal retention obligations.
• Portability: export your data in a structured, machine-readable format.
• Objection and restriction: object to or restrict certain processing.
• Withdraw consent: where processing is based on consent, withdraw it at any time.

Most of these can be exercised directly from your dashboard (export call history, delete recordings, close account). For anything else, email privacy@elionagent.com and we will respond within 30 days.

If you are an end caller and want your data removed from a specific business's account, contact that business directly — they control their agent's data.

Elion AI is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided data to us, contact privacy@elionagent.com and we will delete it.

We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-product notice at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the latest revision.

Privacy questions, data requests, or concerns? Email privacy@elionagent.com or write to us at the address listed in your contract.