Privacy Policy

Last updated: March 1, 2026

1. Introduction

Toccavi ("we", "us", "our") operates the toccavi.ai website and the Toccavi voice AI platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.

By using Toccavi, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Name and email address (via Google, GitHub, or Apple OAuth)
  • Profile picture (if provided by your OAuth provider)
  • Account preferences and settings

2.2 Business Information

When you configure your voice agent, you may provide:

  • Business name, industry, address, phone number, and website
  • Business hours and service descriptions
  • Custom instructions and agent personality settings
  • Logo and branding materials

2.3 Voice & Conversation Data

When you interact with the Service via voice or phone:

  • Voice audio is streamed in real-time to Amazon Web Services (AWS) for AI processing and is not stored after the session ends
  • Conversation transcripts are generated and stored to provide activity history and improve the agent's performance
  • Phone call metadata (caller number, duration, outcome) is logged

2.4 Connected Services

When you connect third-party services (Google Calendar, Gmail, Microsoft Outlook, etc.):

  • OAuth access tokens and refresh tokens are encrypted at rest and stored securely
  • We access only the scopes you explicitly authorize (e.g., calendar events, sending email)
  • We do not access, store, or share your contacts, files, or data beyond the authorized scopes

2.5 Usage & Technical Data

  • Log data (IP address, browser type, pages visited)
  • Feature usage patterns and session analytics
  • Error logs for debugging and reliability

3. How We Use Your Information

We use your information to:

  • Provide the Service — power your voice AI agents, manage phone calls, schedule appointments, and capture leads on your behalf
  • Improve AI quality — use conversation context (memories, business profile) to make your agent more accurate and helpful
  • Process payments — via Stripe for subscription billing
  • Communicate with you — send account notifications, billing receipts, and service updates
  • Maintain security — detect fraud, abuse, and unauthorized access
  • Meet legal obligations — comply with applicable laws and regulations

4. Google API Services — Limited Use Disclosure

Toccavi's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We only request access to the Google API scopes necessary for the features you enable (calendar management, email sending/reading)
  • We do not use Google user data for advertising purposes
  • We do not sell Google user data to third parties
  • We do not use Google user data to train general-purpose AI models
  • Google OAuth tokens are encrypted at rest and only decrypted when performing authorized operations on your behalf
  • You can revoke Google access at any time from your Toccavi Settings page or from your Google Account permissions

5. Third-Party Services

We use the following third-party services to operate Toccavi:

  • Amazon Web Services (AWS) — AI voice processing (Amazon Nova Sonic), compute infrastructure
  • OpenAI — text embeddings for semantic memory search
  • Twilio — phone number provisioning, voice calls, and SMS
  • Stripe — payment processing and subscription management
  • Google APIs — Calendar, Gmail, Maps, Places, and Geocoding (when connected/enabled)
  • Microsoft Graph — Outlook Calendar and Email (when connected)

Each third-party service processes data according to their own privacy policies. We only share the minimum data necessary for each service to function.

6. Data Storage & Security

  • All data is stored in encrypted PostgreSQL databases hosted on AWS (US-East region)
  • OAuth tokens are encrypted at rest using AES-256 encryption
  • All connections use TLS/HTTPS
  • Voice audio is processed in real-time and not stored permanently
  • We implement industry-standard security practices including parameterized queries, input validation, and access controls

7. Data Retention

  • Account data — retained while your account is active; deleted upon account deletion
  • Conversation transcripts — retained for 90 days by default, then automatically purged
  • Voice audio — not stored; processed in real-time only
  • Memories (AI knowledge) — retained while the associated agent exists; can be archived or deleted by the user at any time
  • Billing data — retained as required by applicable financial regulations

8. Your Rights

You have the right to:

  • Access your personal data stored in our systems
  • Correct inaccurate business profile or account information
  • Delete your account and all associated data
  • Export your conversation history and business profile data
  • Revoke third-party connections (Google, Microsoft, etc.) at any time
  • Opt out of non-essential communications

To exercise any of these rights, contact us at admin@toccavi.ai.

9. Children's Privacy

Toccavi is not directed to individuals under 16 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child, we will take steps to delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. Continued use of the Service after changes constitutes acceptance of the revised policy.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at: