Last updated on 19 Feb 2026
Note: This is an English-language convenience translation. The legally binding version for the DACH region (Germany, Austria, Switzerland) is the German-language Datenschutzerklärung available at hanc.ai/de/privacy.
The data controller within the meaning of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter “GDPR”) is:
Good Point GmbH
Liechtensteinstraße 63/10
1090 Vienna, Austria
Company Register No.: FN 618845t (Commercial Court of Vienna)
VAT ID: ATU80258169
Email: legal@hanc.ai
Web: hanc.ai
For questions regarding data protection, to exercise your rights as a data subject, or for complaints, please contact:
Email: datenschutz@hanc.ai
Mail: Good Point GmbH, Attn: Data Protection, Liechtensteinstraße 63/10, 1090 Vienna, Austria
This Privacy Policy applies to:
a) the website hanc.ai (hereinafter “Website”)
b) the platform app.hanc.ai (hereinafter “Platform”)
c) all related services, APIs, and integrations of the Hanc.AI AI voice agent platform
This Privacy Policy informs you about which personal data we collect, for what purposes we process it, on which legal basis the processing is carried out, to whom data is disclosed, and what rights you have.
The processing of personal data is carried out in compliance with the following legal provisions:
a) Regulation (EU) 2016/679 (General Data Protection Regulation — GDPR)
b) Austrian Data Protection Act (DSG 2018) — applicable as the primary national law
c) German Federal Data Protection Act (BDSG) — applicable to users located in Germany
d) German Telecommunications Digital Services Data Protection Act (TDDDG) — in particular § 25 regarding cookies and similar technologies
e) Swiss Federal Act on Data Protection (FADP, SR 235.1) — applicable to users located in Switzerland
f) Regulation (EU) 2024/1689 (EU AI Act) — in particular Art. 50 (transparency obligations for AI systems)
g) California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) — applicable to California residents (see § 10.9)
h) UAE Personal Data Protection Law (Federal Decree-Law No. 45/2021, “PDPL”) — applicable to users in the United Arab Emirates (see § 10.10)
We collect personal data only to the extent necessary for the purposes described in this Privacy Policy (Art. 5(1)(b) and (c) GDPR). Data processing is purpose-bound; processing for other purposes does not take place unless further processing is compatible with the original purpose (Art. 6(4) GDPR) or you have consented.
Personal data is stored only for as long as necessary to achieve the respective processing purpose or as required by statutory retention obligations. The specific retention periods are set out in § 9 of this Privacy Policy.
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, destruction, or alteration (Art. 32 GDPR). Further details are provided in § 11 of this Privacy Policy.
When you access our Website, the web server automatically records the following data in server log files:
Legal basis: Art. 6(1)(f) GDPR (legitimate interest). The legitimate interest consists in ensuring the trouble-free operation of the Website, detecting and defending against attacks, and statistical analysis of access behavior.
Retention period: 30 days; log files are automatically deleted thereafter.
When you contact us via email, the following data is processed:
Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in responding to inquiries).
Retention period: Correspondence is stored for the duration of the business relationship and beyond in accordance with statutory retention obligations (§ 9).
If you subscribe to our newsletter, the following data is processed:
The newsletter is sent via Brevo (Sendinblue SAS), 55 rue d’Amsterdam, 75008 Paris, France. Brevo is an EU-based company; no third-country transfer takes place. Servers are located in the EU (France/Germany).
Legal basis: Art. 6(1)(a) GDPR (consent). You may withdraw your consent at any time by using the unsubscribe link in each newsletter email or by contacting us at datenschutz@hanc.ai.
Retention period: Until withdrawal of consent (unsubscription). After unsubscription, your email address is retained on a suppression list to prevent re-sending.
If we offer an online appointment booking feature on our Website, the following data is processed:
Appointment booking is provided via HubSpot Ireland Ltd, 2 Dawson Street, Dublin D02 Y448, Ireland. Further details on HubSpot are set out in § 7.
Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures).
Retention period: For the duration of the business relationship; contacts that do not result in a business relationship are deleted after 12 months.
If you apply for a position with us (via email or an application portal), we process:
Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures); in Germany additionally § 26 BDSG.
Retention period: In the event of rejection, application documents are deleted no later than six (6) months after conclusion of the application process, unless longer retention is required due to legal proceedings. If you consent to inclusion in our talent pool: until withdrawal, maximum two (2) years.
When you register on our Platform, we collect:
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
Retention period: For the duration of the contractual relationship plus the export period (30 days after contract termination pursuant to § 10.4 of the Terms of Service) and statutory retention periods.
The core function of the Platform is the deployment of AI-powered voice agents for phone calls. The following data is processed:
a) Audio data:
b) Transcripts and summaries:
c) Metadata:
d) Technical data:
Legal basis: Art. 6(1)(b) GDPR (performance of a contract). The processing of data of callers (the customer’s end users) is carried out within the framework of data processing on behalf pursuant to Art. 28 GDPR; the customer is the data controller in this regard.
AI Disclosure pursuant to EU AI Act: In accordance with Art. 50(1) of Regulation (EU) 2024/1689 (EU AI Act), callers are informed at the beginning of each phone call that they are interacting with an AI-powered voice agent. This disclosure is provided in the respective language of the conversation. Further details are set out in § 5.1.
Retention period:
No use for model improvement: Call data (audio, transcripts, summaries) is not used for improving, training, or further developing AI models. Processing is carried out exclusively for the purpose of providing the contractually agreed services.
When using the embeddable voice widget on the customer’s website, the following data is processed:
Legal basis: Art. 6(1)(b) GDPR (performance of a contract) or Art. 6(1)(f) GDPR (legitimate interest of the customer in providing customer service).
When using the administration dashboard, the following data is collected:
Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in security and traceability).
Retention period: Audit logs are retained for the duration of the contractual relationship plus statutory retention periods.
For payment processing, we use Stripe Technology Europe Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin 2, D02 H210, Ireland. The following data is transmitted to Stripe:
Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
Note: Credit card data and IBANs are collected and processed directly by Stripe (PCI DSS Level 1 certified). We do not have access to complete payment data.
Retention period: Invoicing data in accordance with statutory retention periods (§ 9).
For managing the customer relationship and for communication, we use:
a) HubSpot Ireland Ltd (CRM):
b) Brevo / Sendinblue SAS (email communication):
Legal basis: Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in efficient customer communication).
Where the customer activates the calendar integration, the Platform enables connection to Google Calendar via the Google Calendar API (OAuth 2.0). This serves the automatic creation, modification, and deletion of appointments made by the AI voice agents.
a) Authentication credentials:
b) Calendar data (read and write):
c) Processing purposes: Data retrieved and created via the Google Calendar API is used exclusively for the following purposes:
d) Storage and disclosure:
e) Compliance with the Google API Services User Data Policy: The use of data received through the Google Calendar API is subject to the Google API Services User Data Policy, including the Limited Use Requirements. Specifically:
f) Revocation and deletion:
Legal basis: Art. 6(1)(a) GDPR (consent) — The integration is actively enabled by the customer and requires explicit OAuth consent from the calendar owner.
In-product notice: Upon the initial connection to Google Calendar, the user is presented with a privacy notice informing them about the scope of data access, the processing purposes, and the option to revoke access.
Hanc.AI deploys AI-powered voice agents that interact with natural persons by telephone. Pursuant to Art. 50(1) of Regulation (EU) 2024/1689 (EU AI Act), there is an obligation to disclose to natural persons that they are interacting with an AI system.
Implementation:
a) At the beginning of each phone call, a clear and understandable notice is provided informing the caller that they are speaking with an AI-powered voice agent.
b) The notice is provided in the respective language of the conversation.
c) The Platform provides standard AI disclosure announcements in all supported languages.
d) The customer is responsible for activating and correctly configuring the AI disclosure.
The processing of voice data is carried out using the following technologies and providers:
a) Speech-to-Text (STT) — speech recognition: The conversion of spoken language to text is performed by AI models provided by:
b) Large Language Model (LLM) — language processing: The content processing of call data is performed by AI language models provided by:
c) Text-to-Speech (TTS) — speech synthesis: The conversion of text to spoken language is performed by:
Data protection measures for AI processing:
The Platform does not make automated individual decisions within the meaning of Art. 22(1) GDPR that produce legal effects concerning data subjects or similarly significantly affect them. The AI voice agents support business processes (e.g., appointment scheduling, information services) but do not make autonomous decisions with legal relevance.
The Platform is not intended for the processing of special categories of personal data within the meaning of Art. 9 GDPR (e.g., health data, biometric data, data concerning political opinions, religious affiliation, or sexual orientation).
Should such data be disclosed by callers during phone calls, the responsibility for the lawfulness of processing and the collection of the necessary consent pursuant to Art. 9(2) GDPR lies with the customer.
We use cookies and similar technologies (e.g., local storage, session storage) on our Website and Platform. Cookies are small text files stored on your device.
The legal basis for the use of cookies depends on their function:
| Cookie Name | Provider | Purpose | Duration |
|---|---|---|---|
| session_id | hanc.ai | Session management, authentication | Session |
| csrf_token | hanc.ai | Cross-Site Request Forgery protection | Session |
| cookie_consent | hanc.ai | Storage of your cookie preferences | 12 months |
| locale | hanc.ai | Storage of language preference | 12 months |
For the analysis of usage behavior, we use PostHog Inc. (2261 Market Street #4008, San Francisco, CA 94114, USA). PostHog is operated on a European server location (EU hosting).
| Cookie Name | Provider | Purpose | Duration |
|---|---|---|---|
| ph_* | PostHog | Usage analytics, page views, feature usage | 12 months |
| distinct_id | PostHog | Pseudonymized user identification | 12 months |
Legal basis: Art. 6(1)(a) GDPR (consent). PostHog cookies are only set with your consent.
Data processed:
Opt-out: You may withdraw your consent at any time via our cookie settings.
We currently do not use marketing or advertising cookies. Should we implement marketing cookies in the future, we will update this Privacy Policy accordingly and obtain your prior consent.
You may change your cookie settings at any time via the cookie banner on our Website or withdraw your consent. In addition, you may delete cookies in your browser settings at any time or generally prevent their storage. Please note that disabling strictly necessary cookies may limit the functionality of the Website and Platform.
Personal data is disclosed to the following categories of recipients, insofar as this is necessary for the stated purposes:
a) Data processors (Art. 28 GDPR): Service providers that process data on our behalf and according to our instructions (see Section 7.2)
b) Payment service providers: For the processing of payment transactions (Stripe)
c) Authorities: Where we are legally required to disclose data (e.g., tax authorities, supervisory authorities, courts)
d) Advisors: Lawyers, tax advisors, and auditors in the course of their mandate, insofar as this is necessary for the protection of our legitimate interests
We use the following sub-processors to provide our services:
| No. | Company | Address | Purpose | Transfer Mechanism | Server Location |
|---|---|---|---|---|---|
| 1 | Microsoft Ireland Operations Limited (Microsoft Corporation) | One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland | Cloud hosting (Azure), LLM, speech-to-text, text-to-speech | EU-US DPF / SCC | EU — Data does not leave the European region through use of the EU Data Boundary. |
| 2 | LiveKit Inc. | 4285 Payne Avenue, Suite 9154, San Jose, CA 95157, USA | Real-time voice/WebRTC infrastructure, virtual call rooms | EU SCC | EU — Data does not leave the European region through Region Pinning configuration. |
| 3 | Twilio Ireland Limited (Twilio Inc.) | 25-28 North Wall Quay, D01 H104, Dublin, Ireland | Telephony (SIP/PSTN) | EU-US DPF / Twilio BCR / SCC | EU — Data does not leave the European region through use of the Ireland region. |
| 4 | ElevenLabs Inc. | 169 Madison Ave #2484, New York, NY 10016, USA | Text-to-speech, speech-to-text (optional) | EU-US DPF / SCC | EU (BE) — Zero Data Retention after audio generation. |
| 5 | Cartesia AI, Inc. | 1766 18th Street, Suite 1200, San Francisco, CA 94103, USA | Speech-to-text, text-to-speech (optional) | GDPR / SCC | Optional — most privacy-friendly setting is selected. |
| 6 | PostHog Inc. | 2261 Market Street #4008, San Francisco, CA 94114, USA | Usage analytics, business intelligence | EU-US DPF / SCC | EU — European server location is used. |
| 7 | HubSpot Ireland Ltd (HubSpot Inc.) | 2 Dawson Street, Dublin D02 Y448, Ireland | CRM & marketing cloud infrastructure | EU-US DPF / SCC | EU (DE) |
| 8 | Brevo (Sendinblue SAS) | 55 rue d’Amsterdam, 75008 Paris, France | Transactional emails, marketing emails | — (EU company) | EU (FR/DE) — No third-country transfer. |
| 9 | Stripe Technology Europe Limited (Stripe Inc.) | 1 Grand Canal Street Lower, Grand Canal Dock, Dublin 2, D02 H210, Ireland | Payment processing | EU-US DPF / SCC | EU (IE) + USA |
| 10 | SIP Provider | (depends on customer configuration) | Telephony connection (PSTN), phone number provisioning | — | EU (DE/AT) — Exclusively EU-based providers. |
| 11 | Google Ireland Limited (Google LLC) | Gordon House, Barrow Street, Dublin 4, D04 E5W5, Ireland | Google Calendar API (appointment management) | EU-US DPF / SCC | EU — Data is processed within the European region. |
We select the most privacy-friendly settings for all sub-processors and prefer server locations within the EU.
Changes to the sub-processor list are communicated to affected customers at least 30 days in advance by email (cf. Section A.6 of the DPA in our Terms of Service).
Where personal data is transferred to recipients in the United States of America, this is carried out on the basis of the adequacy decision of the European Commission on the EU-US Data Privacy Framework (DPF) pursuant to Art. 45(3) GDPR (Implementing Decision (EU) 2023/1795), provided the respective recipient holds a valid DPF certification.
The following sub-processors are certified under the DPF:
Alternatively, or where no DPF certification is held, data transfers are carried out on the basis of the EU Standard Contractual Clauses (SCC) pursuant to Commission Implementing Decision (EU) 2021/914 (Art. 46(2)(c) GDPR).
This applies in particular to:
In addition to contractual guarantees, we implement the following technical and organizational safeguards:
a) Region Pinning: Where technically possible, data is processed exclusively in European data centers (LiveKit, PostHog, Microsoft Azure EU region)
b) Zero Data Retention: For STT/TTS providers, audio data is not permanently stored after real-time processing (ElevenLabs, Azure AI)
c) EU Data Boundary: Microsoft Azure provides the EU Data Boundary assurance, ensuring EU customer data does not leave the European region
d) Encryption: All data transfers are TLS-encrypted (minimum TLS 1.2)
| Provider | Country | Primary Transfer Mechanism | Additional Safeguards |
|---|---|---|---|
| Microsoft Corporation | USA | EU-US DPF | EU Data Boundary, Azure EU region |
| LiveKit Inc. | USA | EU SCC | Region Pinning (EU) |
| Twilio Inc. | USA | EU-US DPF + Twilio BCR | Ireland region |
| ElevenLabs Inc. | USA | EU-US DPF | Zero Data Retention, EU location (BE) |
| Cartesia AI, Inc. | USA | SCC | Most privacy-friendly configuration |
| PostHog Inc. | USA | EU-US DPF | EU hosting |
| HubSpot Inc. | USA | EU-US DPF | EU location (DE) |
| Stripe Inc. | USA | EU-US DPF | EU contractual entity (Ireland) |
| Google LLC | USA | EU-US DPF | EU contractual entity (Ireland), Google Workspace EU Data Residency |
Note for Swiss users: The transfer of personal data to recipients in third countries also complies with the requirements of the Swiss Federal Act on Data Protection (FADP, SR 235.1). The Federal Data Protection and Information Commissioner (FDPIC) has recognized EU/EEA states as countries with an adequate level of data protection. For transfers to the USA, the safeguards described above apply accordingly.
Personal data is deleted as soon as the purpose of processing ceases and no statutory retention obligations prevent deletion. The relevant statutory retention periods arise in particular from:
| Data Category | Retention Period | Legal Basis / Rationale |
|---|---|---|
| Audio data (call recordings) | 90 days | Contract performance; shorter configuration by customer possible |
| Transcripts and summaries | Contract duration + 30-day export period | Contract performance (§ 10.4 ToS) |
| Call metadata | Contract duration + statutory retention period | § 132 BAO / § 147 AO |
| Account data (registration) | Contract duration + 30-day export period | Contract performance (§ 10.4 ToS) |
| Invoicing data | 7 years from end of fiscal year | § 132(1) BAO / § 147 AO |
| Payment data (Stripe) | At Stripe: per PCI DSS; invoicing data: 7 years | PCI DSS + § 132 BAO |
| Server log files | 30 days | Legitimate interest (security) |
| Audit logs (dashboard) | Contract duration + statutory retention period | § 132 BAO + security |
| Newsletter data | Until withdrawal (unsubscription) | Consent (Art. 6(1)(a)) |
| Job applications | 6 months after conclusion of the process | Pre-contractual measures / § 26 BDSG |
| Cookie data (necessary) | Session or max. 12 months | Legitimate interest |
| Cookie data (analytics) | Max. 12 months | Consent |
| Appointment booking data | 12 months (if no business relationship) | Pre-contractual measures |
| Email correspondence | Contract duration + 7 years | § 132 BAO |
| Google Calendar OAuth tokens | Until deactivation of integration | Consent (Art. 6(1)(a)) |
You have the following rights regarding your personal data. To exercise these rights, please contact datenschutz@hanc.ai.
You have the right to obtain confirmation as to whether personal data concerning you is being processed. If so, you have the right to access such data and the information listed in Art. 15(1) GDPR.
You have the right to obtain the rectification of inaccurate personal data concerning you without undue delay. Taking into account the purposes of processing, you have the right to have incomplete personal data completed.
You have the right to obtain the erasure of personal data concerning you where one of the grounds set out in Art. 17(1) GDPR applies. The right to erasure does not apply where processing is necessary for compliance with a legal obligation (e.g., statutory retention periods) or for the establishment, exercise, or defense of legal claims.
You have the right to obtain the restriction of processing where one of the conditions set out in Art. 18(1) GDPR applies, in particular where you contest the accuracy of the data or the processing is unlawful.
You have the right to receive the personal data concerning you which you have provided to us in a structured, commonly used, and machine-readable format. You have the right to transmit that data to another controller.
For Platform users, we provide an export function in the dashboard that enables data export in CSV and JSON formats.
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Art. 6(1)(f) GDPR (legitimate interest).
In the event of an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims.
Where processing is based on your consent (Art. 6(1)(a) GDPR), you have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
You have the right to lodge a complaint with a data protection supervisory authority if you consider that the processing of your personal data infringes the GDPR.
Competent supervisory authorities:
Austria:
Austrian Data Protection Authority (Datenschutzbehörde)
Barichgasse 40-42
1030 Vienna
Tel.: +43 1 52 152-0
Email: dsb@dsb.gv.at
Web: www.dsb.gv.at
Germany: The competent supervisory authority depends on the federal state of the data subject. An overview of the state data protection commissioners is available at www.bfdi.bund.de.
Switzerland:
Federal Data Protection and Information Commissioner (FDPIC)
Feldeggweg 1
3003 Bern
Tel.: +41 58 462 43 95
Web: www.edoeb.admin.ch
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), Cal. Civ. Code §§ 1798.100 et seq.
Categories of personal information collected: We collect the categories of personal information described in §§ 3 and 4 of this Privacy Policy, including identifiers, commercial information, internet or network activity, and professional or employment-related information.
Purposes: The purposes for which personal information is collected and used are described in the respective sections of this Privacy Policy.
Sale or sharing of personal information: We do not sell your personal information within the meaning of the CCPA/CPRA. We do not share your personal information for cross-context behavioral advertising.
Your rights under CCPA/CPRA:
a) Right to know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you.
b) Right to delete: You have the right to request the deletion of personal information we have collected from you, subject to certain exceptions.
c) Right to correct: You have the right to request that we correct inaccurate personal information.
d) Right to opt-out of sale/sharing: As we do not sell or share personal information, this right is not applicable.
e) Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
To exercise your CCPA/CPRA rights, please contact us at datenschutz@hanc.ai. We will verify your identity before processing your request.
If you are located in the United Arab Emirates, the processing of your personal data is also subject to the UAE Personal Data Protection Law (Federal Decree-Law No. 45/2021, “PDPL”) and its implementing regulations.
Your rights under the PDPL:
a) Right to access your personal data
b) Right to rectification of inaccurate data
c) Right to erasure (right to be forgotten) under specific conditions
d) Right to restrict processing
e) Right to data portability
f) Right to object to processing
Data transfers: Transfers of personal data outside the UAE are carried out in compliance with Art. 22 PDPL, based on adequate safeguards including the EU Standard Contractual Clauses and the EU-US Data Privacy Framework as described in § 8.
Supervisory authority: UAE Data Office (established pursuant to Federal Decree-Law No. 44/2021).
To exercise your rights under the PDPL, please contact us at datenschutz@hanc.ai.
We implement the following technical measures to protect your personal data:
a) Encryption: All data transfers are carried out via TLS-encrypted connections (minimum TLS 1.2). Data is also encrypted at rest (Encryption at Rest).
b) Access control: Multi-factor authentication (MFA) for all internal systems and administrative access.
c) Authorization control: Role-based access control (RBAC) following the principle of least privilege.
d) Separation control: Logical separation of data of different customers (multi-tenancy architecture).
e) Backup: Regular, encrypted data backups (daily) with redundant infrastructure.
f) Monitoring: Continuous monitoring of systems for security incidents and unauthorized access.

a) Regular training of all employees in data protection and information security
b) Confidentiality obligations for all employees and contractors
c) Documented Information Security Management System (ISMS)
d) Regular security assessments and penetration tests
e) Incident response plan for data breaches (notification to customers within 24 hours)
Our infrastructure is operated on Microsoft Azure. The deployed data centers are certified according to the following standards:
We review and update this Privacy Policy regularly, in particular when changes occur to our data processing operations, when new technologies or service providers are implemented, or when the legal framework changes.
Material changes are communicated to registered users by email. The current version is always available at hanc.ai/privacy.
| Version | Date | Change |
|---|---|---|
| 1.0 | February 10, 2026 | Initial publication |
For questions regarding data protection or to exercise your rights as a data subject:
Privacy inquiries: Email: datenschutz@hanc.ai
General inquiries: Email: legal@hanc.ai
Postal address:
Good Point GmbH
Attn: Data Protection
Liechtensteinstraße 63/10
1090 Vienna, Austria

Good Point GmbH
Liechtensteinstraße 63/10
1090 Vienna, Austria
FN 618845t | VAT: ATU80258169
Email: datenschutz@hanc.ai
Web: hanc.ai

Date: February 19, 2026 — Version 1.0
This Privacy Policy supersedes all prior versions.