Privacy Policy
_Last updated: 2026-04-29_
This policy describes the data Callelo (the "Service") collects about you, how we use it, who we share it with, and what your rights are. It applies to anyone with a Callelo account, regardless of whether they joined as part of an organisation.
Data we collect
- Account data — name, email address, username, profile image, password (stored as a bcrypt hash), and creation timestamp.
- Voice transcripts — every training session produces a transcript of what you (the trainee) said and what the AI persona said. We use the transcript to evaluate your performance and surface coaching feedback. Transcripts may resemble real direct reports if you invented a persona based on someone you know — even though the scenario is invented, EU regulators consider the transcript PII-adjacent and we treat it accordingly.
- Evaluations & scoring — the per-session score, sub-skill rating changes, and AI-generated coaching summary derived from your transcript.
- Org / team membership — which orgs and teams you belong to, your role (admin / member), and the lifecycle of your invites.
- Billing data — for orgs that subscribe to a paid plan, we retain the Stripe customer id, subscription status, and per-period usage totals. We do NOT retain credit-card numbers; those live with Stripe.
- Operational logs — request IDs, IP addresses, and user-agent strings on a short retention horizon for security investigations.
Third-party processors
Callelo shares the data above with the following processors so the service can function. Each is bound by a data-processing agreement.
| Processor | What we share | Why |
|---|---|---|
| Google Gemini | Voice audio + transcript turn-by-turn | Real-time AI persona |
| Stripe | Org email, billing address, payment intent | Subscription billing |
| Sentry | Error stack traces (PII redacted) | Crash reporting |
| Email provider | Recipient email, rendered template body | Transactional email |
| Google Cloud | All of the above (storage + compute host) | Infrastructure |
Retention
| Data class | Free plan | Paid plans |
|---|---|---|
| Voice transcripts | 90 days from `endedAt` | Until you delete |
| Evaluations & scoring | While your account exists | While your account exists |
| Audit log entries | Lifetime of the org (Article 17(3)(b)) | Lifetime of the org |
| Billing data | 7 years (regulatory) | 7 years (regulatory) |
| Operational logs | 30 days | 30 days |
When you delete a voice session (or the auto-retention sweep does, on the free plan), the row is soft-deleted with a `deletedAt` timestamp and held for a 30-day recovery window before the daily retention enforcer hard-deletes it. You can restore the session from Settings → Privacy → Recently deleted within that window. After the 30-day purge, the row and its dependents (evaluation, ratings, coach feedback) are gone for good.
Coaches see live data, not snapshots — a deleted session disappears from their view immediately, and reappears if you restore it within the recovery window.
Deleting your account anonymises (does not delete) audit-log entries you authored, per GDPR Article 17(3)(b). The actor link is removed but the rows are retained as part of the org's legitimate-interest history.
Your rights
You can act on these rights from the Settings → Privacy page in the Callelo app:
- Right to export (Article 15 + 20) — request a JSON archive of every row Callelo holds about your account. We email you a signed download link within 5 minutes; the link expires after 7 days. Limited to one export per 24 hours.
- Right to erasure (Article 17) — request that your account be deleted. We schedule the deletion 7 days out and email you a cancellation link in case the request was made in error. After the grace period, your user-identifying rows are removed; audit-log entries you authored are anonymised (actor link removed) but the rows themselves are retained.
- Right to correction — edit your name, username, profile image, email, and preferences directly from the Settings page.
- Right to restriction and right to object — contact our DPO at the address below.
What deletion preserves
Deleting your account does NOT cascade-cancel an active paid subscription owned by your org. Cancel billing separately at Settings → Billing before requesting account deletion if you don't want a final billing period to run after your account is gone.
If you are the only admin of an org with other members, you must promote another admin or transfer ownership before your account can be deleted. See Settings → Members to manage org admins.
Transcript security
Transcripts are protected today by Cloud SQL volume-level encryption plus per-tenant access controls. App-layer (per-row) encryption with KMS-managed keys is on the roadmap but is not currently shipped — a defensible posture for the present threat model, re-evaluated when an enterprise customer asks.
When app-layer encryption ships, the encryption key will be sourced from `process.env.TRANSCRIPT_ENCRYPTION_KEY` (KMS-backed in production, ad-hoc in development). Rotation will be a two-step process: re-encrypt all live transcripts under the new key in a background job, then revoke the old key version once the migration completes. The schema will carry a `transcriptKeyVersion` column so the app layer always knows which key to use for a given row.
Auditability
Every soft-delete, restore, and hard-delete of a session writes one row to `AuditEvent` with one of these actions and a `meta.trigger` value:
- `user_content.session_soft_deleted` — `meta.trigger: "user"` for an explicit click, `"retention_cron"` for the automated sweep.
- `user_content.session_restored` — always `"user"`.
- `user_content.session_hard_deleted` — `"retention_cron"` for the automated 30-day purge, `"gdpr_erasure"` for the right-to-erasure cascade, `"user"` for an explicit immediate-purge action.
The same audit-log retention rule applies — rows persist for the lifetime of the org under Article 17(3)(b).
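The free-plan retention sweep, the 30-day recovery window and the audit rows listed above, modelled in memory as an added example (not Callelo's code); the row shapes, helper names and the constructed sample sessions are assumptions, and only the `retention_cron` and `user` triggers are exercised.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;
const SOFT_DELETE_AFTER_MS = 90 * DAY_MS; // free plan: 90 days from endedAt
const RECOVERY_WINDOW_MS = 30 * DAY_MS;   // recovery window before the hard delete
// Append one AuditEvent row (shape assumed); actorId is null when the cron acts.
function audit(log, action, sessionId, trigger, actorId = null) {
  log.push({ action, sessionId, actorId, meta: { trigger } });
}
// Daily retention enforcer: mutates `sessions` in place and returns counts.
function runRetentionSweep(sessions, log, now) {
  let softDeleted = 0, hardDeleted = 0;
  for (let i = sessions.length - 1; i >= 0; i--) {
    const s = sessions[i];
    if (s.deletedAt === null) {
      // Only free-plan rows age out; paid rows stay until the user deletes them.
      if (s.plan === 'free' && now - s.endedAt >= SOFT_DELETE_AFTER_MS) {
        s.deletedAt = now;
        audit(log, 'user_content.session_soft_deleted', s.id, 'retention_cron');
        softDeleted++;
      }
    } else if (now - s.deletedAt >= RECOVERY_WINDOW_MS) {
      sessions.splice(i, 1); // purge; dependents (evaluation, ratings) cascade in the real DB
      audit(log, 'user_content.session_hard_deleted', s.id, 'retention_cron');
      hardDeleted++;
    }
  }
  return { softDeleted, hardDeleted };
}
// Restore from Settings -> Privacy -> Recently deleted; refused once the window has closed.
function restoreSession(sessions, log, sessionId, userId, now) {
  const s = sessions.find(x => x.id === sessionId);
  if (!s || s.deletedAt === null || now - s.deletedAt >= RECOVERY_WINDOW_MS) return false;
  s.deletedAt = null;
  audit(log, 'user_content.session_restored', s.id, 'user', userId);
  return true;
}
// Constructed sample data; "day N" is N days after an arbitrary epoch.
function demo() {
  const now = 200 * DAY_MS;
  const sessions = [
    { id: 'a', plan: 'free', endedAt: 100 * DAY_MS, deletedAt: null },        // 100 days old: soft-delete
    { id: 'b', plan: 'paid', endedAt: 10 * DAY_MS, deletedAt: null },         // paid: untouched
    { id: 'c', plan: 'free', endedAt: 150 * DAY_MS, deletedAt: null },        // 50 days old: untouched
    { id: 'd', plan: 'free', endedAt: 50 * DAY_MS, deletedAt: 160 * DAY_MS }, // deleted 40 days ago: purge
  ];
  const log = [];
  const sweep = runRetentionSweep(sessions, log, now);
  const restored = restoreSession(sessions, log, 'a', 'user-1', now + 5 * DAY_MS);
  return { sweep, restored, remaining: sessions.map(s => s.id).sort(), log };
}
```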
DPO contact
Privacy questions, regulatory requests, or anything you'd rather not file via the Settings page:
Email: privacy@callelo.com
Changelog
- 2026-04-29 — Initial publication. Documents export + erasure rights, third-party processors, retention horizons, voice-session retention + recovery flow.