Back to home

Privacy Policy

How we collect, use, and protect your data.

Last updated: June 23, 2026

This Privacy Policy is published by CallMissed Technologies Pvt. Ltd.("CallMissed", "we", "us"), a Data Fiduciary under the Digital Personal Data Protection Act, 2023 ("DPDPA") and the Digital Personal Data Protection Rules, 2025 ("DPDP Rules"). It explains what personal data we collect, why we collect it, how we store and protect it, and your rights.

This notice is provided in plain language as required under the DPDP Rules. For cookie-specific information, see our Cookies Policy. For contractual processing terms, enterprise customers may refer to our Data Processing Agreement.


1. Information We Collect

We collect only the personal data reasonably necessary to provide the Service. The categories below are itemised by purpose:

Account Information

  • Data collected: Full name, email address, phone number (optional), organization name, role, authentication identifiers
  • Purpose: Account creation, authentication, tenant management, support, and billing contact
  • Legal basis: Performance of contract; consent where required

If you sign in with a supported identity provider, we receive only the profile information you authorise (typically name and email). We do not receive or store your password for that provider.

Usage Data

  • Data collected: API call metadata (endpoint, model, token counts, latency), conversation metadata (timestamps, channel type, duration), credit transactions, dashboard activity, IP address, device/browser information
  • Purpose: Service delivery, billing, fraud prevention, rate limiting, security monitoring, and product improvement (aggregated/anonymised where possible)
  • Legal basis: Performance of contract; our legitimate uses for security, fraud prevention, and service operation as permitted under the DPDPA

Communication Content

  • Data collected: Messages, audio, transcriptions, and files processed when you deploy AI agents for your customers
  • Purpose: Providing chat, voice, and automation features you configure
  • Legal basis: Performance of contract. Where this content includes personal data of your end-customers, you act as the Data Fiduciary and CallMissed acts as your Data Processor under our Data Processing Agreement; you are responsible for the lawful basis and notices for that data

This content is stored in your tenant's isolated partition. It is never shared across tenants, never used to train third-party AI models, and never sold.

Payment Information

  • Data collected: Billing name, email, phone (for receipts), transaction references, order IDs, payment status, amounts
  • Purpose: Processing payments and statutory financial record-keeping
  • Legal basis: Performance of contract; compliance with a legal obligation (tax and financial record-keeping)

Card numbers, CVVs, UPI PINs, and full bank credentials are processed by our authorised payment gateway and are not stored on CallMissed servers.


2. How We Use Your Information

  • Service delivery: Processing API requests, managing bots, delivering conversation data, and operating real-time voice agents
  • Account management: Authentication, authorization, tenant isolation, and role-based access control
  • Billing and credits: Usage metering, payment reconciliation, plan enforcement, and transaction history
  • Security: Rate limiting, access logging, abuse detection, and incident response
  • Communications: Transactional emails (OTP, receipts, security alerts). Marketing emails only with explicit consent where required
  • Legal compliance: Tax, audit, regulatory reporting, and responding to lawful requests

3. Data Storage, Residency, and Security

Indian hosting

CallMissed hosts primary production systems on Microsoft Azure data centres in India (Central India region). Customer personal data and service content are ordinarily stored and processed within India unless we notify you otherwise in writing or applicable law requires a different approach.

Encrypted backups for production data are maintained within India.

Security safeguards (DPDP Rules, Rule 6)

  • Encryption in transit and at rest for stored personal data
  • Access controls, tenant isolation, and least-privilege administrative access
  • Hashed credentials and API secrets — raw API keys are not stored after issuance
  • Security monitoring, logging, and incident response procedures
  • Regular backups and recovery testing
  • Employee and contractor confidentiality obligations

Further technical detail is available on our Security page.


4. Authorised Service Partners

We engage vetted service partners who process personal data on our instructions and only for specified purposes. We do not publish partner or sub-processor names on public marketing or legal pages; enterprise customers may request the current sub-processor schedule via karan@callmissed.com or our Data Processing Agreement.

All partners are bound by written contracts requiring confidentiality, security safeguards equivalent to ours, assistance with data principal requests, and prompt breach notification.


5. Automated Processing & Artificial Intelligence

CallMissed is an AI platform. To deliver the features you configure, content you submit (such as messages, audio, transcriptions, documents, and prompts) is processed by automated systems and may be transmitted to vetted AI inference, speech-to-text, text-to-speech, and embedding service partners for the sole purpose of generating the requested output. These automated outputs assist your business but may be inaccurate or incomplete; you remain responsible for reviewing AI output before relying on it. We do not use your content to train third-party AI models, and your content is not shared across tenants or sold. Where an interaction produces a decision with legal or similarly significant effect on an individual, a human review path is available on request.


6. Cross-Border Data Transfers

We store and process customer personal data primarily within India. Certain service-partner categories (for example, some AI inference, search, analytics, and global messaging or identity services) may process limited data outside India. Where this occurs we rely on contractual safeguards with each partner and transfer personal data only to jurisdictions not restricted by the Government of India, consistent with Section 16 of the DPDPA. Enterprise customers may request transfer details and the sub-processor schedule under our Data Processing Agreement.


7. Data Retention

We retain personal data only for as long as necessary for the purposes described above:

  • Active accounts: For the life of the account
  • After deletion request: 30-day recovery window, then permanent deletion of account and conversation data (see Account Deletion)
  • Usage logs: Up to 90 days for billing and security, then anonymised or deleted
  • Security/access logs: Retained per applicable Indian cybersecurity directions and our security policy
  • Payment and tax records: Up to 7 years as required under GST, Income Tax, and allied laws
  • Backups: Encrypted backup copies are purged on a rolling schedule, ordinarily within 90 days of deletion from primary systems.

8. Your Rights (DPDPA 2023)

As a data principal, you have the right to:

  • Access — Obtain a summary of personal data we process and the processing activities undertaken
  • Correction — Update inaccurate or incomplete personal data
  • Erasure — Request deletion when consent is withdrawn or processing is no longer necessary (subject to legal retention)
  • Data portability / export — Where supported, export your account data, conversation history, audit logs, and voice transcripts in a portable format through in-product tools or on request
  • Grievance redressal — Raise a complaint with our Grievance Officer
  • Nominate — Designate another individual to exercise your rights in the event of death or incapacity
  • Withdraw consent — Where processing is consent-based, withdraw consent through account settings or by contacting us

To exercise these rights, email support@callmissed.com or use in-product tools where available. We respond within timelines prescribed under applicable law. If you are not satisfied with our response, you may escalate to the Data Protection Board of India once operational under the DPDPA framework.


9. Consent

Where the DPDPA requires consent, we obtain it in a free, specific, informed, and unambiguous manner. We do not use pre-ticked boxes for consent. You may withdraw consent at any time through the same channels used to give it; withdrawal does not affect processing already lawfully completed.


10. Cookies and Local Storage

See our Cookies Policy for details. In summary:

  • Essential cookies/tokens for authentication and security
  • Functional preferences (e.g. theme) stored locally where applicable
  • No third-party advertising cookies on core product surfaces

11. Children's Privacy

CallMissed is a B2B service for businesses and developers. It is not directed at individuals under 18. We do not knowingly collect personal data from minors, and we do not undertake processing likely to cause a detrimental effect on the well-being of a child or use children's data for tracking, behavioural monitoring, or targeted advertising. If you use CallMissed to communicate with your own end-customers, you are responsible for obtaining any verifiable parental consent required under the DPDPA before processing a minor's personal data through the Service. If we learn that we have collected a minor's data without the required consent, we will delete it promptly.


12. Personal Data Breach Notification

In the event of a personal data breach likely to affect your rights:

  • We will notify affected data principals without undue delay in concise, plain language, describing the breach, likely consequences, measures taken, and recommended safety steps (DPDP Rules, Rule 7)
  • We will notify the Data Protection Board of India without undue delay and provide a detailed report within 72 hours where required, unless an extension is granted

13. Applicable Law and Compliance Framework

This Policy is designed to comply with, among others:

  • Digital Personal Data Protection Act, 2023 and Digital Personal Data Protection Rules, 2025
  • Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (during the transitional period)
  • Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 — grievance mechanism
  • CERT-In directions on cybersecurity incident reporting and log retention, where applicable
  • Consumer Protection Act, 2019 and Consumer Protection (E-Commerce) Rules, 2020

14. Changes to This Policy

We may update this Policy from time to time. Material changes will be notified via email or dashboard notice at least 30 days before they take effect, except where immediate change is required by law. The "Last updated" date at the top reflects the latest revision.


15. Contact Us

Registered entity details (Companies Act, 2013 and Consumer Protection (E-Commerce) Rules, 2020):

  • Legal name: CallMissed Technologies Pvt. Ltd.
  • Registered office: Registered office address — pending (update before launch), Pune, Maharashtra 4110XX, India
  • CIN: UXXXXXMH2025PTCXXXXXX
  • GSTIN: 27XXXXXXXXXXXZX

16. Grievance Redressal & Grievance Officer

In accordance with the Information Technology Act, 2000, the IT (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the DPDPA, the contact details of our Grievance Officer are published below.

  • Name / Designation: Grievance Officer (named individual to be appointed)
  • Email: karan@callmissed.com
  • Address: CallMissed Technologies Pvt. Ltd., Registered office address — pending (update before launch), Pune, Maharashtra 4110XX, India

How we handle complaints:

  • We acknowledge every complaint within 24 hours of receipt (IT Rules, 2021).
  • We resolve complaints within 15 days of receipt (IT Rules, 2021), and in any case grievances relating to personal data within the period prescribed under the DPDP Rules, 2025 (not exceeding 90 days).
  • Grievances under the SPDI Rules, 2011 are redressed within one month.

If you are not satisfied with the resolution, you may escalate to the Data Protection Board of India via its official online portal.