ThunderPhone Privacy Policy

Last updated: November 7, 2025 • Version: PP-2025-11-07

Autophonix, LLC d/b/a ThunderPhone (“ThunderPhone,” “we,” “us”) provides an AI-assisted telephony platform. This Privacy Policy explains what we collect, how we use and share it, and your rights. It applies to our website, product, and related services (the “Service”).

If you use ThunderPhone through a business account, our Terms of Service govern your use, and our Data Processing Addendum describes our processor commitments when we handle Customer Personal Data on your organization’s instructions.

When we process Customer Content (e.g., call audio/recordings/transcripts) for a business customer, we act as a processor under our DPA and your organization is the controller.

Who we are & how to contact us

Controller (website/account/billing)

Autophonix, LLC d/b/a ThunderPhone

505 Montgomery St. Suite 1100 #1019, San Francisco, CA 94111, USA

Email: privacy@thunderphone.com

Security: security@thunderphone.com

Legal: legal@thunderphone.com

EU Representative (GDPR Art. 27)

Rickert Rechtsanwaltsgesellschaft mbH — Autophonix LLC

Colmantstraße 15, 53115 Bonn, Germany

art-27-rep-autophonix@rickert.law

UK Representative (UK GDPR Art. 27)

Rickert Services UK Ltd — Autophonix LLC

PO Box 1487, Peterborough, PE1 9XX, United Kingdom

art-27-rep-autophonix@rickert-services.uk

What we collect

A) You provide

Account details: name, email, phone, company, role; workspace settings.
Payment details via Stripe (we receive tokens/identifiers—we do not store full card numbers).
Support tickets, feedback, and communications.

B) Collected automatically

Device/technical data: IP address, device/browser type, event logs.
Service usage and call metadata: numbers dialed/received, timestamps, duration, routing, diagnostics.
Cookies: essential cookies for login/session and security. (If we add analytics/ads cookies later, we’ll update this policy and honor required consent/opt-out.)

C) Optional: recordings & transcripts (workspace-controlled)

If your admin enables recording or transcription, we process call audio and derived transcripts to provide those features.
We do not intentionally collect special categories of data; customers should avoid including them in Customer Content.

How we use data (purposes)

Provide, maintain, and improve the Service; route calls; provide optional recording/transcription.
Billing and account management (including per-minute usage charges).
Security, fraud/abuse prevention, DNC/TCPA compliance tooling.
Troubleshooting, quality assurance, product analytics (aggregated/de-identified where possible).
Legal compliance and to enforce our Terms.

Recording/transcription responsibilities. Customers are responsible for providing legally required notices/consents (e.g., one-party/two-party consent) before enabling recording or transcription.

Legal bases (GDPR/UK GDPR)

We rely on contract (to provide the Service), legitimate interests (security, abuse prevention, product improvement), consent where required (e.g., for recording notices—managed by the customer), and legal obligations (e.g., tax/audit).

How we share data

Subprocessors (service providers). We use vetted providers to host and operate the Service (e.g., GCP, LiveKit, Deepgram, Stripe, GitHub, ngrok). See the live list at Subprocessors.
Legal/compliance. To comply with law or protect rights, safety, or the Service.
Business transfers. In connection with a merger, acquisition, or reorganization (we will notify where required).
We do not sell or share personal information as defined by the California CPRA, and we do not use personal information for cross-context behavioral advertising.

International transfers

We are U.S.-based and may transfer data internationally. For EEA/UK data, we rely on the EU Standard Contractual Clauses (SCCs) and the UK Addendum with our subprocessors. See our DPA for details.

Retention

We keep data only as long as needed for the purposes above or as required by law.
Account & billing data: for the life of the account and for tax/audit after closure.
Call recordings/transcripts (if enabled): retained per your workspace settings (default 30 days, configurable by your admin).
Technical logs/diagnostics: typically ~13 months, unless needed longer for security/legal reasons.

Your rights

Depending on your location, you may have rights to access, correct, delete, port, or object/restrict processing of your personal data.

How to exercise: Contact privacy@thunderphone.com (or your admin for data we process on their behalf).

EEA/UK: You can also contact our EU/UK representatives (above) and lodge a complaint with your local supervisory authority.
California: You may request access, deletion, and correction; we do not sell/share data; we do not use or disclose sensitive personal information to infer characteristics. You may use an authorized agent with proof of authority.

We will verify requests and respond within the time required by applicable law.

Security

We use industry-standard technical and organizational measures. See our Security Overview. If we learn of a Security Incident, we will notify affected customers without undue delay and within 72 hours of awareness where required.

Children

The Service is not directed to children under 13 (or the age defined by local law). We do not knowingly collect personal data from children. If you believe a child provided data, contact privacy@thunderphone.com.

Changes to this policy

We may update this policy from time to time. We’ll post the new version here and update the “Last updated” date. If changes are material, we’ll provide additional notice (e.g., email or in-product).

Contact us

Autophonix, LLC d/b/a ThunderPhone
505 Montgomery St. Suite 1100 #1019, San Francisco, CA 94111, USA

privacy@thunderphone.com • security@thunderphone.com • legal@thunderphone.com