Privacy Policy

OLISE is operated by Olise Technologies LLC (“the Company”), with registered office at Tampa, Florida — address TBD pending sunbiz filing, Tampa, FL, USA. OLISE is the trading name of the AI phone-operator product.

This Policy covers our marketing website, dashboard application, mobile-responsive experience, public APIs, and the AI voice operator that handles inbound and outbound calls on behalf of our business customers (each, a “Customer”).

Two roles, two contexts. When you visit our marketing site or sign up for an account, OLISE is the data controller of your personal data. When a Customer’s end-customer calls a phone number powered by OLISE and we process the call on the Customer’s behalf, OLISE is a data processor and the Customer is the controller. The processor relationship is governed by our Data Processing Addendum.

We collect only information needed to provide and improve the Service.

• Provide the Service. Authenticate users, route calls, generate transcripts, deliver responses through the AI operator, sync with connected calendars and inboxes, send transactional emails (receipts, invitations, password resets).
• Improve the Service. Aggregate, anonymized analytics on feature usage, latency, and error rates. We do not use Customer data to identify or profile end-callers for purposes outside the Service.
• AI model training — explicit position. We do not use Customer data, transcripts, audio, or end-caller content to train, fine-tune, or otherwise improve any general-purpose AI model, ours or any third party’s. Sub-processor LLM and STT/TTS providers are contractually bound to the same position via zero-retention or no-training endpoints where available.
• Communications. Transactional messages are sent on the legal basis of contract performance. Marketing messages are sent only with opt-in consent and you can opt out at any time via the link in the footer of every marketing email.
• Security and fraud prevention. Detect abuse, enforce rate limits, investigate incidents, comply with legal process.
• Legal compliance. Tax, accounting, anti-money-laundering, telecom, and consumer-protection obligations applicable to us.

Article 6(1) GDPR requires a lawful basis for every processing activity. We rely on the following:

We do not sell personal information and we do not share it for cross-context behavioral advertising. We share information only as described below:

• Sub-processors. Vetted infrastructure and AI providers (LLM, telephony, TTS, STT, hosting, analytics, email). The complete list and DPAs are published at /subprocessors. We give 30 days’ notice before adding or replacing a sub-processor and customers may object on reasonable grounds.
• Service providers. Auditors, lawyers, accountants, and other advisors bound by confidentiality.
• Legal authorities. When required by lawfully-issued process, court order, or to protect the rights, property, or safety of OLISE, our users, or the public. We challenge overbroad requests and notify Customers when legally permitted.
• Business transfers. If we are involved in a merger, acquisition, financing, or sale of assets, personal information may be transferred subject to standard confidentiality protections and continued application of this Policy.
• With your consent. Any other sharing requires your explicit, informed, revocable consent.

Our primary infrastructure is hosted in the United States (Vercel and Supabase us-east-1). When personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to the United States or to other countries outside those territories, we rely on the following safeguards:

• EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module 2 (controller-to-processor) or Module 3 (processor-to-processor) as appropriate.
• EU-US Data Privacy Framework (DPF). Where our US sub-processors are DPF-certified, we rely on the Framework as supplementary basis.
• UK International Data Transfer Addendum to the EU SCCs and the Swiss FDPIC recognized version of the SCCs.
• Supplementary technical measures — TLS 1.2+ in transit, AES-256 at rest, encrypted secrets management — to address Schrems II concerns about access by public authorities.

We keep personal data only for as long as needed to provide the Service or as required by law.

When retention expires, data is deleted from production systems within 24 hours and purged from backups within the rolling backup window.

If you are in the EEA, the UK, or Switzerland you have the following rights, free of charge, exercisable at privacy@olise.ai or through self-service tools where indicated:

• Access. Receive a machine-readable export of your account data — self-service via /settings/account or the API endpoint GET /api/me/export.
• Rectification. Correct inaccurate or incomplete data in your account profile or by emailing us.
• Erasure (“right to be forgotten”). Self-service deletion via POST /api/me/erase. Some records may be retained on legal grounds (tax, audit, anti-fraud); we minimize what is retained and delete the rest within 30 days.
• Portability. Same JSON export as the access right; structured, commonly used, machine-readable.
• Restriction of processing. Ask us to pause processing while a dispute is resolved.
• Object. Object to processing based on legitimate interests or for direct marketing.
• Lodge a complaint with your supervisory authority. EEA residents can find theirs at edpb.europa.eu. UK residents: ICO.
• Withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

We respond within 30 days; complex requests may extend to 90 days with notice.

California residents have the rights below. To exercise them, email privacy@olise.ai or call [toll-free privacy line — pending]. You may use an authorized agent.

• Right to know what personal information we collect, the sources, the purposes, and the categories of recipients.
• Right to delete personal information collected from you.
• Right to correct inaccurate personal information.
• Right to opt out of sale or sharing. We do not sell personal information and we do not share it for cross-context behavioral advertising. Nothing to opt out of, but the choice link is available below for transparency.
• Right to limit use of sensitive personal information — we use sensitive PI (e.g., precise geolocation, account credentials) only for the disclosed business purposes permitted under §7027 of the CPRA regulations.
• Right to non-discrimination — exercising any of the above will not result in denial of service, different prices, or reduced quality.

Do Not Sell or Share My Personal Information. (We do not, but the link exists for compliance and transparency.)

The Service is not directed to and not intended for children. We do not knowingly collect personal information from anyone under 16 (GDPR threshold) or under 13 (COPPA threshold in the United States). If you believe a child has submitted personal information to us, please email privacy@olise.ai and we will delete it.

We take security seriously and have invested heavily in defense-in-depth.

• Encryption in transit: TLS 1.2+ everywhere, HSTS preloaded.
• Encryption at rest: AES-256 for database, encrypted backups, AES-256-GCM for OAuth refresh tokens.
• Postgres Row-Level Security on every tenant table — strict multi-tenant isolation.
• Least-privilege IAM, hardware-key MFA for production access, SSO for staff.
• Continuous vulnerability scanning, dependency review, SAST in CI.
• Documented incident-response runbook and 72-hour breach-notification process.
• SOC 2 Type II readiness program in progress.

Full details: /security. Report a vulnerability: security@olise.ai.

OLISE is an AI phone operator. Several jurisdictions impose specific transparency rules on AI systems, and we exceed those requirements as a matter of design.

• Disclosure of AI to callers. At the start of every call, the assistant identifies itself as an AI assistant, in compliance with California SB 1001 (Bot Disclosure Law) and the EU AI Act’s Article 50 transparency obligation.
• No automated decision-making with legal or significant effect. The AI does not deny services, assign credit limits, or make legal determinations on its own. Material decisions are escalated to a human.
• Human review on request. Callers can ask to be transferred to a human at any time and the assistant must comply.
• Training opt-out. No Customer or end-caller content is used to train general AI models (see Section 3).

Calls handled by OLISE may be recorded and transcribed for service delivery, quality assurance, and security. The Customer is responsible for ensuring compliance with applicable wiretap laws in its jurisdiction.

• Two-party consent jurisdictions (including California, Florida, Illinois, Maryland, Massachusetts, Pennsylvania, Washington, and most EU member states) require all parties to consent to recording. OLISE plays a recording disclosure at call start by default in two-party-consent regions.
• One-party consent jurisdictions still receive the disclosure as a transparency best practice.
• Caller opt-out. A caller who objects to recording can request to stop the recording or to be transferred to a human; the assistant complies.

We will post any material changes on this page and update the “Last updated” date at the top. For significant changes, we will provide notice by email to account holders at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the revised Policy.

• Privacy questions: privacy@olise.ai
• Data Protection Officer: dpo@olise.ai [formal DPO designation pending]
• EU representative (Art. 27 GDPR): [appointment pending]
• UK representative (Art. 27 UK GDPR): [appointment pending]
• Mailing address: Olise Technologies LLC, Tampa, Florida — address TBD pending sunbiz filing, Tampa, FL, USA