This Privacy Policy describes how AllForce ("AllForce", "we", "us") collects, uses, shares, and protects personal data when you use our platform at allforce.ai and related services (the "Service").
We are committed to protecting personal data and complying with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the Spanish Data Protection Act (Ley Orgánica 3/2018, LOPDGDD), and the ePrivacy Directive (2002/58/EC) as implemented in Spain. Where we receive data from Google APIs, we additionally comply with the Google API Services User Data Policy, including the Limited Use requirements described in Section 7 below.
1. Controller & Contact
For data we collect about our customers and website visitors, AllForce is the data controller.
- Company: AllForce
- NIE: Y4337691C
- Address: Calle Aulaga 2, 29639 Benalmadena, Spain
- Privacy contact: privacy@allforce.ai
Note: AllForce is currently registered in Spain. We plan to relocate the company to Denmark once we reach proof of concept. When that happens, this Policy will be updated to reflect the new Danish entity, registered address, and supervisory authority. Protection of your personal data under GDPR remains unchanged by the relocation.
The Spanish Data Protection Agency is AEPD — Agencia Española de Protección de Datos (aepd.es). You have the right to lodge a complaint with the AEPD or the supervisory authority of your country of residence.
2. Controller vs Processor roles
It is important to understand the two roles we play under GDPR, because they determine who is responsible for your data:
- We act as data controller for data about our customers (account holders) and website visitors — for example, your name, email address, company name, billing details, login sessions, and the way you use our dashboard.
- We act as data processor for data our customers process through the Service — for example, end-user phone numbers, names, call recordings, call transcripts, and knowledge base content. Our customer (the business deploying an AI employee) is the controller of that data. Our processing of that data is governed by our customer's agreement with us (these Terms + Privacy Policy, and, for enterprise customers, a separate Data Processing Agreement).
3. What data we collect (as controller)
3.1 Data you give us
- Account data: name, email, password hash, phone number, company name, role, language preference.
- Billing data: billing address, VAT number, payment method details (handled by Stripe — we do not store card numbers), invoices.
- Support data: messages, tickets, feedback, screen recordings you provide.
- Integration credentials: API keys, OAuth tokens, phone provider credentials (encrypted at rest).
- Demo-funnel data: if you try our public landing-page demo (for example, at
/l/try-your-agentor/l/hire-your-agent) we collect the name, phone number, website URL and (optionally) email you submit, plus call duration and outcome of any demo call. This information lets us deliver the demo you requested and follow up about your experience and AllForce — see §5 for the legal basis and your opt-out rights.
3.2 Data we collect automatically
- Usage data: pages visited, features used, session timestamps, clicks.
- Device & connection: IP address, user agent, browser type, operating system, approximate location (country/region), session cookies.
- Security events: login attempts, 2FA events, trusted-device fingerprints, suspicious-activity flags.
3.3 Data we collect from third parties
- Payment and fraud-prevention signals from our payment processor.
- Authentication data if you sign in via Google OAuth.
4. Data we process on behalf of our customers (as processor)
When our customer deploys an AI employee that makes or receives a call, the following data may pass through the Service:
- End-user phone numbers and names;
- Real-time audio streams;
- Call recordings (if enabled by the customer);
- Speech-to-text transcripts;
- Call metadata (duration, disposition, outcome);
- Any personal data included in the customer's knowledge base, scripts, or CRM integrations.
We process this data only on documented instructions from our customer and solely to provide the Service. Our customers are responsible for the lawfulness of their processing, including obtaining any required consents from end users.
5. Legal bases for processing (Art. 6 GDPR)
| Purpose | Legal basis |
|---|---|
| Providing and administering the Service to our customers. | Contractual necessity (Art. 6(1)(b)). |
| Billing, invoicing, collections, tax compliance, anti-fraud. | Contract and legal obligation (Art. 6(1)(b), (c)). |
| Keeping the Service secure, investigating incidents, preventing abuse. | Legitimate interest in operating a secure platform (Art. 6(1)(f)). |
| Product analytics and improvement (aggregated / pseudonymized). | Legitimate interest (Art. 6(1)(f)). |
| Marketing communications to account holders about our products. | Consent (Art. 6(1)(a)) or legitimate interest for existing customers, with opt-out. |
| Storage of analytics / marketing cookies. | Consent (ePrivacy Directive §10). |
| Follow-up communications to prospects who tried our public demo (about their demo experience, AllForce updates, and similar services). | Legitimate interest in direct marketing to a prospect who supplied contact details (GDPR Art. 6(1)(f), Recital 47; Danish Markedsføringsloven §10 stk. 2). Disclosed at point of collection. Easy opt-out at any time — see §10. |
| Processing end-user call data on behalf of our customers. | Our customer's legal basis, as controller. We process on their instructions. |
6. Subprocessors
We use carefully selected third-party subprocessors to deliver the Service. A change to this list will be announced at least 30 days in advance via email or dashboard notice. Our current subprocessors are:
| Provider | Purpose | Location |
|---|---|---|
| OpenAI | Large language models (conversation reasoning). | United States (SCCs in place) |
| ElevenLabs | Text-to-speech. | United States (SCCs in place) |
| Cartesia | Text-to-speech. | United States (SCCs in place) |
| Deepgram | Speech-to-text. | United States (SCCs in place) |
| Groq | Inference acceleration for language models. | United States (SCCs in place) |
| LiveKit | Real-time audio transport. | United States (SCCs in place) |
| Telnyx | Telephony (SIP trunking, phone numbers). | United States / EU (data residency options) |
| Stripe | Payment processing and tax calculation. | EU and US (adequacy / SCCs) |
| Vultr | Cloud hosting & database. | EU (Frankfurt) primary region |
| Anthropic | Platform tooling & some AI capabilities. | United States (SCCs in place) |
| OAuth sign-in, Google Calendar and Gmail integrations (when you enable them). | EU / US (adequacy / SCCs) |
7. Google User Data (Gmail and Calendar integrations)
AllForce offers optional integrations with Google services. When you choose to connect your Google account, our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Connecting Google services is entirely optional; you can use AllForce without enabling any Google integration.
7.1 What we access
AllForce only requests the minimum scopes required to deliver the connected feature:
- Sign in with Google — we receive your name, email address, and profile picture (the standard
emailandprofilescopes). These are used only to create or sign you into your AllForce account. - Gmail integration (only if you click "Connect Gmail" in the dashboard) — we request the
gmail.readonly,gmail.send,gmail.compose,gmail.modify, andgmail.labelsscopes. We use these to display your inbox in the AllForce dashboard, send follow-up emails on your behalf when configured by your AI employee, and apply labels for organisation. - Google Calendar integration (only if you click "Connect Calendar") — we request the
calendarscope. We use this so the AI employee can check your availability and create events when booking appointments during calls.
7.2 How we use Google user data
Data received from Google APIs is used only to provide and improve the user-facing features described above. Specifically:
- Email content (subject, body, sender, recipient, attachments) is stored in our database so it can be displayed in the AllForce inbox UI and used by features you explicitly enable.
- Calendar events read from your Google Calendar are used solely to determine availability for appointment booking; events created on your calendar reflect appointments confirmed during AI employee calls.
- We never use Google user data to develop, improve, or train generalised or non-personalised artificial intelligence and/or machine learning models. The AI models within AllForce are not trained on customer Gmail or Calendar content.
- We never sell, transfer, or share Google user data with third parties for advertising, marketing, or any unauthorised purpose.
- We never allow humans to read your Gmail or Calendar data except: (a) with your explicit consent; (b) for security investigations to detect abuse or resolve a security incident; (c) to comply with applicable law; or (d) where the data has been aggregated and anonymised so that it can no longer identify any individual.
7.3 Storage, retention, and deletion
Google API access tokens and refresh tokens are stored encrypted at rest in our database. Email content fetched into the AllForce dashboard is retained for as long as your integration remains connected, or until you delete it from the AllForce dashboard. You can disconnect your Google account at any time from the Integrations page; doing so revokes our access tokens and prevents further data retrieval. To delete Google-derived data already stored in AllForce, use the in-product delete controls or email privacy@allforce.ai.
7.4 Your control
You can review and revoke AllForce's access to your Google account at any time via your Google Account settings at myaccount.google.com/permissions. Revoking access in Google immediately disables Gmail and Calendar features in AllForce; previously stored data remains until you delete it via AllForce or request deletion.
8. International transfers
Some of our subprocessors are located outside the European Economic Area (EEA), primarily in the United States. Where data is transferred outside the EEA, we rely on one or more of:
- An adequacy decision by the European Commission;
- The EU-US Data Privacy Framework, where the recipient is certified;
- The European Commission's Standard Contractual Clauses (SCCs), supplemented with additional safeguards such as encryption in transit and at rest.
You may request a copy of the specific safeguards by emailing privacy@allforce.ai.
9. How long we keep data
| Data category | Retention |
|---|---|
| Active account data | For the duration of your account. |
| Customer account data after account closure | Deleted within 30 days of termination (or on written request), except for data we must keep to comply with legal obligations. |
| Invoices and accounting records | 6 years (Spanish Código de Comercio, Art. 30). |
| Security logs | Up to 12 months. |
| Call recordings & transcripts | As configured by the customer (default 90 days, unless the customer has agreed a different retention in writing). |
| Support tickets and communications | Up to 3 years after the ticket is closed, or as long as necessary for warranty claims. |
| Marketing consents | Until you withdraw consent, plus up to 2 years for proof-of-consent purposes. |
When we no longer need personal data, we either delete or anonymize it so it can no longer be associated with an identifiable individual.
10. Your rights (GDPR)
Under GDPR, you have the following rights in respect of your personal data:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to erasure — ask us to delete your personal data ("right to be forgotten"), subject to legal retention obligations.
- Right to restriction — ask us to pause processing while a dispute is resolved.
- Right to data portability — receive your personal data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interest or for direct marketing.
- Right to withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint — contact the AEPD or your local supervisory authority.
To exercise any right, email privacy@allforce.ai. We will respond within one month, extendable by two further months for complex requests. We may need to verify your identity before acting on a request.
Demo follow-up opt-out: if you tried our public landing-page demo and would prefer we not contact you again about AllForce, simply reply "stop" to any SMS or call we send, or email privacy@allforce.ai with the phone number or email you used. We honor opt-out requests immediately and maintain a suppression list to ensure we do not contact you again.
End users (call recipients): if you have been called by an AI employee and wish to exercise your rights in respect of that call, please contact the customer who placed the call first, as they are the controller of that data. Our Recording Disclosure explains this in more detail.
11. Cookies & similar technologies
We use a small number of cookies to operate the Service. Strictly necessary cookies (session, authentication, security, load balancing) are used without consent, as permitted by the ePrivacy Directive. Any analytics or marketing cookies require your prior consent via our cookie banner, and you may withdraw consent at any time from the banner's settings.
When you grant consent, we may load the following third-party technologies. Each fires only after your explicit opt-in via our cookie banner and stops firing immediately on withdrawal:
| Tool | Purpose | Provider |
|---|---|---|
| Google Tag Manager | Loads and manages other tags; no analytics data of its own. | Google Ireland Ltd. (EU) |
| Google Analytics 4 | Aggregated, pseudonymized usage statistics so we can improve the Service. | Google Ireland Ltd. (EU) |
| Meta (Facebook) Pixel & Conversions API | Conversion measurement and remarketing for our paid advertising. IP addresses are truncated where supported. | Meta Platforms Ireland Ltd. (EU) |
We never sell your personal data, and we do not allow these third-party tools to use it for their own independent purposes beyond what is necessary to provide the service to us.
12. Security
We apply appropriate technical and organizational measures to protect personal data, including:
- TLS encryption in transit;
- Encryption at rest for sensitive fields (credentials, tokens, recordings);
- Access controls, least-privilege permissions, and two-factor authentication for our staff;
- Network segmentation, firewalling, and rate limiting;
- Audit logging for privileged actions;
- Regular backups and documented disaster-recovery procedures;
- Employee training and confidentiality commitments.
In the event of a personal data breach likely to result in a risk to affected individuals, we will notify the AEPD within 72 hours and affected data subjects as required by Art. 33-34 GDPR. For customers, we will additionally notify the customer without undue delay if a breach affects their processed data.
13. Children
The Service is not directed at children under 18 and we do not knowingly collect personal data from children. If you believe we have inadvertently collected data about a child, please contact privacy@allforce.ai and we will delete it.
14. Automated decision-making & profiling
We do not make decisions that produce legal or similarly significant effects on you based solely on automated processing. Our customers may use AI employees to interact with you; those are conversational tools, not automated decision-making systems under Art. 22 GDPR. Decisions about your relationship with our customer (for example, whether to offer you a service) are made by our customer, not by us.
15. Changes to this Policy
We may update this Privacy Policy to reflect changes in law, technology, or our business. Material changes will be communicated at least 30 days in advance via email or dashboard notice. The "Last updated" date at the top of this page is authoritative.
16. Contact
Questions about privacy? Email us at privacy@allforce.ai.