Privacy Policy

Effective Date: February 6, 2026

Last Updated: February 4, 2026

1. Introduction

This Privacy Policy ("Policy") describes how Talkif, Inc., a Delaware corporation ("Talkif," "Company," "we," "us," or "our"), collects, uses, discloses, retains, and protects personal information when you use our AI-powered voice calling platform, website, APIs, and related services (collectively, the "Service").

This Policy applies to:

• Account Holders and Users ("Users"): Individuals and organizations that register for and use the Talkif platform to create, manage, and initiate automated voice calls.
• Call Recipients ("Data Subjects"): Individuals who receive voice calls initiated through the Talkif platform by our Users.
• Website Visitors: Individuals who visit our website without registering for an account.

By accessing or using the Service, you acknowledge that you have read and understood this Policy. If you are a User, you agree to be bound by this Policy as part of the Terms of Service. If you are a Call Recipient, this Policy informs you of how your data is processed when a Talkif User contacts you through our platform.

2. Data Controller and Contact Information

For purposes of applicable data protection laws (including the EU General Data Protection Regulation, "GDPR"), the data controller depends on the context:

Company Contact Information:

3. Personal Data We Collect

We collect personal data through the following means: directly from you, automatically through your use of the Service, from third-party authentication providers, and from our Users (in the case of Call Recipients).

3.1 Data You Provide Directly

3.2 Data Collected Automatically

3.3 Data from Third Parties

3.4 Sensitive Data

We do not intentionally collect sensitive personal data (also known as "special categories" under GDPR Article 9), including but not limited to: racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data for identification, health data, or data concerning sex life or sexual orientation.

However, because our platform facilitates voice calls where Users configure the conversation content, call recordings and transcripts may incidentally contain sensitive information. Talkif does not monitor, analyze, or categorize such incidental sensitive data. Users are responsible for ensuring that their use of call recordings and transcripts complies with applicable laws regarding sensitive data.

4. How We Use Your Data

4.1 Primary Purposes

4.2 Optional Processing (Consent-Based)

4.3 Purposes We Do NOT Pursue

We do not use your personal data for:

• Selling personal data to third parties
• Behavioral advertising or ad targeting
• Building consumer profiles for sale to data brokers
• Training general-purpose AI models (your data is not used to train Anthropic, OpenAI, Google, xAI, ElevenLabs, Cartesia, Deepgram, Soniox, or other AI provider models beyond the scope of processing your specific requests)
• Credit scoring or automated decision-making with legal effects (unless explicitly agreed in an enterprise contract)

5. AI and Automated Processing Disclosures

5.1 AI-Powered Voice Calls

The core function of Talkif is to enable Users to create and deploy AI-powered automated voice calls. When a call is initiated through our platform:

• Large Language Models (LLMs) generate conversational responses in real time based on the User's configured flow and prompts. Conversation context (what the Call Recipient says) is processed by the LLM to generate appropriate responses. Available LLM providers include Anthropic (Claude), OpenAI (GPT), Google (Gemini), and xAI (Grok). The User selects which provider is used per flow.
• Speech-to-Text (STT) services transcribe the Call Recipient's spoken words into text for LLM processing. Available STT providers include Deepgram, Soniox, ElevenLabs (Scribe), and Cartesia (Ink Whisper). Some providers receive raw call audio for transcription.
• Text-to-Speech (TTS) services convert the LLM's text responses into synthesized voice audio delivered to the Call Recipient. Available TTS providers include ElevenLabs, Cartesia, Deepgram, OpenAI, and Google. The User selects which provider is used per flow.

Call Recipients are interacting with an AI system, not a human. Users of the Talkif platform are responsible for disclosing this fact to Call Recipients in compliance with applicable law, including but not limited to the EU AI Act, US state AI disclosure laws, and Turkish regulations.

5.2 AI Call Analysis (Opt-In)

When a User enables AI-powered call analysis:

• Call transcripts are transmitted to the User's selected LLM provider (Anthropic Claude, OpenAI GPT, Google Gemini, or xAI Grok) via API for processing.
• Analysis may include: call summaries, sentiment detection, key topic extraction, and action item identification.
• All LLM providers process API data under their respective terms. Anthropic, OpenAI, Google, and xAI confirm API data is not used for model training. xAI retains API inputs and outputs for up to 30 days, then auto-deletes unless flagged for safety/compliance or legally required.
• Analysis results are stored in the User's account and are accessible only to the User.

5.3 Automated Decision-Making

Talkif employs the following automated decision-making processes:

We do not engage in automated decision-making that produces legal effects or similarly significant effects on individuals solely through automated means, as contemplated by GDPR Article 22, except as described above.

6. Data Sharing and Third-Party Recipients

We share personal data with the following categories of recipients, solely for the purposes described in this Policy.

6.1 Sub-Processors (Service Providers)

Note: LLM, TTS, and STT providers are configurable per flow. A single call uses one LLM provider, one TTS provider, and one STT provider, selected by the User in their flow configuration. Not all sub-processors receive data for every call.

6.2 Disclosures Required by Law

We may disclose personal data to law enforcement, regulatory authorities, courts, or other governmental bodies when required by applicable law, legal process, or governmental request, including:

• Responding to valid subpoenas, court orders, or search warrants
• Complying with regulatory investigations
• Protecting the rights, property, or safety of Talkif, our Users, or the public
• Enforcing our Terms of Service

Where legally permitted, we will notify affected Users before disclosing their data in response to legal process.

6.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, personal data may be transferred to the successor entity. We will notify affected Users of any such transfer and any changes to this Policy resulting from it.

6.4 No Sale of Personal Data

We do not sell personal data. We do not share personal data with third parties for their own direct marketing purposes. We do not participate in data broker networks.

For purposes of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), we confirm that we have not sold or shared (as those terms are defined under CCPA/CPRA) personal information of consumers in the preceding twelve (12) months.

7. International Data Transfers

Talkif is a United States-based company. If you are located outside the United States, including in the European Economic Area ("EEA"), United Kingdom ("UK"), Switzerland, or Turkey, your personal data will be transferred to and processed in the United States and potentially other countries where our sub-processors operate.

7.1 Transfer Mechanisms

For transfers of personal data from the EEA, UK, or Switzerland to the United States or other countries not recognized as providing an adequate level of data protection, we rely on the following legal mechanisms:

• Standard Contractual Clauses (SCCs): We enter into the European Commission's Standard Contractual Clauses (as approved by Commission Implementing Decision (EU) 2021/914) with our customers (where we act as processor) and with our sub-processors.
• Supplementary Measures: We implement technical and organizational measures to supplement the SCCs, including encryption in transit (TLS 1.2+) and at rest, access controls, and pseudonymization where feasible.

7.2 Transfer to Turkey

For personal data transfers to or from Turkey, we comply with the requirements of Law No. 6698 on the Protection of Personal Data ("KVKK"), including obtaining necessary approvals from the Turkish Personal Data Protection Authority ("KVKK Board") or relying on permitted exceptions under KVKK Article 9.

8. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law.

8.1 Retention Schedules

8.2 Soft Deletion and Data Persistence

When a User requests account deletion:

1. A confirmation email is sent to the account owner.
2. A 7-day grace period begins, during which the deletion can be cancelled.
3. After the grace period, the account and all associated operational data (calls, flows, contacts, phone numbers, schedules, campaigns) are marked for deletion and excluded from all application access.
4. Billing records are retained as required by legal and regulatory obligations.
5. External resources are cleaned up: phone numbers released, routing configurations removed, active sessions revoked.

When you request deletion, your data is excluded from all application access and may be permanently purged after an additional retention period.

9. Data Security

We implement technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction.

9.1 Technical Measures

9.2 Organizational Measures

9.3 Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons:

• GDPR: We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Article 33). Where the breach is likely to result in a high risk, we will notify affected data subjects without undue delay (GDPR Article 34).
• CCPA/CPRA: We will notify affected California residents in accordance with California Civil Code Section 1798.82.
• KVKK: We will notify the Turkish Personal Data Protection Authority and affected data subjects "as soon as possible" (KVKK Article 12(5)).

10. Your Rights Under GDPR (EEA, UK, and Switzerland)

If you are located in the EEA, UK, or Switzerland, you have the following rights under the GDPR (or UK GDPR / Swiss FADP):

Exercising Your Rights:

• Email: privacy@talkif.ai
• We will respond within 30 days (extendable by 60 days for complex requests, with notification).
• We may request identity verification before processing your request.
• These rights are not absolute and may be subject to legal exceptions (e.g., we cannot delete billing records required for tax compliance).

Right to Lodge a Complaint:

You have the right to lodge a complaint with your local supervisory authority. A list of EEA supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

11. Your Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

11.1 Categories of Personal Information Collected

11.2 Business Purposes for Collection

We collect and use personal information for the following business purposes:

1. Providing the Service (account management, call processing, billing)
2. Security and fraud prevention
3. Debugging and service reliability
4. Legal compliance
5. Service improvement (aggregate, de-identified analytics only)

11.3 Your CCPA/CPRA Rights

11.4 How to Exercise Your Rights

• Email: privacy@talkif.ai

We will verify your identity before processing a request by matching the request to your account information. We will respond within 45 days (extendable by an additional 45 days with notification).

Authorized Agents: You may designate an authorized agent to make a request on your behalf. We may require the agent to provide proof of authorization and may separately verify your identity.

11.5 California "Shine the Light"

California Civil Code Section 1798.83 permits California residents to request information about disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes.

11.6 Financial Incentive Programs

We do not offer financial incentives related to the collection, sale, or deletion of personal information.

12. Your Rights Under KVKK (Turkish Residents)

If you are a resident of Turkey, you have the following rights under Law No. 6698 on the Protection of Personal Data ("KVKK"):

12.1 Rights of Data Subjects (KVKK Article 11)

You have the right to:

1. Learn whether your personal data is being processed.
2. Request information about the processing if your data has been processed.
3. Learn the purpose of processing and whether data is being used for its intended purpose.
4. Know the third parties to whom your personal data has been transferred, domestically or abroad.
5. Request rectification of incomplete or inaccurate personal data.
6. Request deletion or destruction of personal data under the conditions set forth in KVKK Article 7.
7. Request notification of rectification or deletion to third parties to whom your data has been transferred.
8. Object to a result that is exclusively against your interests and that was reached through analysis of your processed data by automated systems.
9. Claim compensation for damages arising from unlawful processing of your personal data.

12.2 Data Transfer Abroad

Your personal data will be transferred to the United States for processing. This transfer is carried out in accordance with KVKK Article 9, based on:

• Explicit consent of the data subject, supplemented by appropriate contractual safeguards

12.3 How to Exercise Your Rights

You may submit requests regarding your KVKK rights to:

• Email: privacy@talkif.ai
• Written petition to our registered address (notarized signature or registered email ("KEP") required for written applications)

We will respond within 30 days from receipt of your request.

13. Call Recording and Telecommunications Disclosures

13.1 Call Recording

Talkif enables Users to record voice calls through our platform. When call recording is enabled:

• Recordings are initiated and stored by Twilio, our telephony infrastructure provider, in accordance with Twilio's security and compliance practices.
• Recording URLs are stored in our database and accessible to the User who initiated or received the call.
• Users are solely responsible for complying with all applicable call recording laws, including but not limited to:
  • Federal wiretap law (18 U.S.C. Section 2511) -- one-party consent at federal level
  • State wiretap and eavesdropping laws, including two-party (all-party) consent states such as California, Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Pennsylvania, and Washington
  • EU ePrivacy Directive and member state implementations
  • KVKK and Turkish Electronic Communications Law
  • Any other applicable domestic or international telecommunications regulations

13.2 AI Voice Disclosure

Calls made through Talkif use AI-generated voices (text-to-speech synthesis). Multiple jurisdictions require disclosure that a call recipient is speaking with an artificial or automated system:

• EU AI Act: Requires that persons be informed they are interacting with an AI system.
• US State Laws: Several states (including California SB 1001) require bots to disclose their non-human identity in certain contexts.
• FTC Act: Deceptive practices rules may apply to undisclosed AI callers.

Users are responsible for ensuring appropriate AI disclosure at the beginning of each call. Talkif provides configurable call flow features that allow Users to include disclosure announcements.

13.3 TCPA Compliance (US)

The Telephone Consumer Protection Act ("TCPA") imposes restrictions on automated and prerecorded calls. Because Talkif enables automated AI-powered calling:

• Users must obtain prior express consent (or prior express written consent for telemarketing) from Call Recipients before using the Service to contact them.
• Users must maintain their own Do Not Call lists and comply with the National Do Not Call Registry.
• Users must not use the Service to send unsolicited telemarketing calls.
• Talkif provides tools for managing contact lists, but does not verify that Users have obtained required consent.

Talkif is a technology platform. The User, as the initiator of calls, bears full responsibility for TCPA compliance. See our Acceptable Use Policy and Terms of Service for additional details.

14. Cookies and Tracking Technologies

14.1 Current Usage

The Talkif platform currently uses the following:

We do not currently use cookies or third-party tracking technologies on the Talkif platform.

14.2 Third-Party Cookies

We do not currently use third-party cookies. If this changes, we will provide a separate Cookie Policy and implement a cookie consent mechanism in compliance with the ePrivacy Directive and applicable local laws.

15. Children's Privacy

The Talkif Service is not directed to, and is not intended for use by, individuals under the age of:

• 16 years in the European Economic Area (or the age specified by the applicable EU member state, which may be as low as 13)
• 13 years in the United States (in compliance with the Children's Online Privacy Protection Act, "COPPA")
• 18 years in Turkey (or the age specified by applicable KVKK guidance)

We do not knowingly collect personal data from children below these age thresholds. If we become aware that we have inadvertently collected personal data from a child, we will take prompt steps to delete such data.

If you are a parent or guardian and believe your child has provided personal data to Talkif, please contact us at privacy@talkif.ai.

16. Data Processing Agreement (B2B Customers)

When Talkif processes personal data on behalf of a business customer (User) -- for example, when a User uploads a contact list and initiates calls to those contacts -- Talkif acts as a data processor under GDPR (or equivalent role under other laws), and the User acts as the data controller.

In such cases:

• Talkif processes Call Recipient data solely on the User's instructions and for the purposes of providing the Service.
• Users must have a lawful basis for processing Call Recipient data and must have obtained any required consents.
• A Data Processing Agreement ("DPA") governs Talkif's processing of personal data on behalf of the User, in accordance with GDPR Article 28.

Business customers may request a copy of our DPA by contacting legal@talkif.ai.

17. Links to Third-Party Services

The Service may contain links to or integrations with third-party websites and services (e.g., Stripe payment portal, Google OAuth consent screen). We are not responsible for the privacy practices of these third parties. We encourage you to review their respective privacy policies:

• Twilio: https://www.twilio.com/legal/privacy
• Stripe: https://stripe.com/privacy
• Anthropic: https://www.anthropic.com/privacy
• OpenAI: https://openai.com/policies/privacy-policy/
• Google: https://policies.google.com/privacy
• xAI: https://x.ai/legal/privacy-policy
• ElevenLabs: https://elevenlabs.io/privacy-policy
• Cartesia: https://cartesia.ai/legal/privacy.html
• Deepgram: https://deepgram.com/privacy
• Soniox: https://soniox.com/policies/privacy-policy
• Resend: https://resend.com/legal/privacy-policy
• Sentry: https://sentry.io/privacy/
• AWS: https://aws.amazon.com/privacy/

18. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes:

• We will update the "Last Updated" date at the top of this Policy.
• We will notify Users via email and/or a prominent notice within the Service at least 30 days before the changes take effect.
• Where required by law, we will obtain your consent to material changes.

Your continued use of the Service after the effective date of a revised Policy constitutes acceptance of the changes. If you do not agree with the revised Policy, you must stop using the Service and may request account deletion.

19. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, you may contact us at:

20. Jurisdiction-Specific Provisions

20.1 European Economic Area, United Kingdom, and Switzerland

• Legal basis: We process personal data under the legal bases described in Sections 3 and 4 of this Policy.
• Data transfers: See Section 7.
• Supervisory authority: See Section 10.
• Retention: See Section 8.

20.2 California, United States

• CCPA/CPRA rights: See Section 11.
• We do not sell or share personal information as defined by the CCPA/CPRA.

20.3 Turkey

• KVKK rights: See Section 12.

Appendix A: Legal Basis Summary Table (GDPR)

Legitimate Interest Assessment: Where we rely on legitimate interest as a legal basis, we have conducted a balancing test to ensure our interests do not override the fundamental rights and freedoms of data subjects. Records of these assessments are available upon request.

Appendix B: Glossary