Back to Eloquium

Privacy Policy

Last updated: April 6, 2026

1. Data Controller

The data controller is Codex Ingenium Holding OÜ, a company incorporated in Estonia (European Union), with registered office in Tallinn, Estonia. For any privacy-related questions you can write to hello@eloquium-ai.com.

2. Data we collect

We collect the following categories of personal data to provide and operate the Eloquium service:

2.1 Account data

Name, email address, company name. Passwords are stored exclusively as irreversible cryptographic hashes and are never accessible in clear text.

2.2 Payment data

Payments are processed entirely by Stripe, Inc. We never receive, store, or have access to your credit card numbers or bank details. We only retain a Stripe customer identifier, the plan type, and the transaction history (amounts and dates).

2.3 Call data

Audio recordings of calls handled by your AI assistant, automatic transcriptions, phone numbers of callers, call duration, and AI-generated summaries.

2.4 Knowledge base documents

Files you upload to configure your assistant (PDF, text, etc.). These documents remain your property and are used exclusively to personalise the assistant's responses.

2.5 Browsing data

We use Plausible Analytics, a European and cookie-free analytics service. No cookies are installed, no personal data is collected, and no individual user profiles are created. The collected data (page views, referrer, country) is fully anonymised and aggregated.

3. Legal basis for processing

We process your personal data on the following legal bases under GDPR:

  • Contract performance (Art. 6(1)(b) GDPR): processing necessary to provide the service you subscribed to.
  • Consent (Art. 6(1)(a) GDPR): for optional marketing communications. You may withdraw consent at any time.
  • Legitimate interest (Art. 6(1)(f) GDPR): for anonymised analytics aimed at improving the service, and for fraud and abuse prevention.

4. Sub-processors

To provide the service, we use the following sub-processors:

  • Supabase, Inc. — database and authentication (EU region, Frankfurt, Germany).
  • Vapi, Inc. — voice AI processing (USA — with EU Standard Contractual Clauses).
  • Deepgram, Inc. — speech-to-text transcription (USA — with SCC).
  • Anthropic, PBC — AI language model (USA — with SCC).
  • ElevenLabs, Inc. — text-to-speech voice synthesis (USA — with SCC).
  • Telnyx LLC — telephony and phone numbers (USA — with SCC).
  • Stripe, Inc. — payment processing (USA — with SCC).
  • Vercel, Inc. — web application hosting (global edge locations).
  • Plausible Insights OÜ — privacy-friendly web analytics (EU, Estonia).

5. Data retention

We apply the following retention periods:

  • Account data: retained for the duration of the active account, plus 30 days after deletion to allow recovery.
  • Call audio recordings: automatically deleted after 90 days.
  • Call transcriptions and summaries: retained for the duration of the active account.
  • Knowledge base documents: deleted within 30 days of account cancellation.
  • Invoicing and fiscal data: retained for 10 years as required by applicable tax law.

6. International data transfers

Your primary data is stored within the European Union (Supabase, Frankfurt). Some sub-processors are based in the United States. For each US sub-processor, we have entered into EU Standard Contractual Clauses (SCC) as adopted by the European Commission, supplemented by appropriate technical measures (encryption in transit and at rest, access controls, pseudonymisation where possible).

7. Your rights

Under GDPR you have the following rights:

  • Right of access (Art. 15): obtain a copy of your personal data.
  • Right to rectification (Art. 16): correct inaccurate data.
  • Right to erasure (Art. 17): request deletion of your data.
  • Right to data portability (Art. 20): receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): object to processing based on legitimate interest.
  • Right to restriction (Art. 18): request limitation of processing.
  • Right to lodge a complaint: you may file a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or with the supervisory authority of your country of residence.

8. Cookies

Eloquium uses only strictly necessary technical cookies for authentication session management (Supabase auth token). We also set a cookie to remember your cookie preferences (eloquium-consent, valid for 365 days). We do not use profiling, marketing, or third-party cookies. Analytics are provided by Plausible, which operates entirely without cookies. For full details, see our Cookie Policy.

9. Transparency (EU AI Act)

Eloquium complies with the EU AI Act (Regulation 2024/1689). Our AI voice assistants clearly disclose to callers at the beginning of every call that they are interacting with an artificial intelligence system, as required by Article 50.

10. Changes to this policy

We may update this privacy policy to reflect changes in the service or applicable legislation. In the event of substantial changes, we will notify you via email at least 15 days in advance. The updated version will always be available at this page with the new effective date.

11. Contact

For any request regarding this policy or the exercise of your rights, write to: hello@eloquium-ai.com.