Privacy statements

Hello AI privacy statement

This page contains the privacy statement for Hello AI. For the site (helloapp.ai), see the separate page linked below.

Below is a detailed description of how we process personal data for Hello AI users.

Hello AI – Privacy Policy

Version 1.1

1. Data Controller

Botne Oy (marketing name Sorwi), Business ID 2769229-7
Phone: +358454904443
Email: support@sorwi.fi

This Privacy Policy explains how Botne Oy / Sorwi ("we", "our") processes personal data in the Hello AI app and related services (the "service"). Applicable data protection law: the EU General Data Protection Regulation (GDPR, 2016/679) and the Finnish Data Protection Act (1050/2018), as well as other applicable Finnish law.

2. Scope – Consumer and Business Use

The service is intended for both private individuals (consumer, B2C) and business customers (B2B). This policy describes processing of personal data in both contexts:

  • Consumer use (B2C): The data subject is a private individual using the service for personal purposes.
  • Business use (B2B): Data subjects include the business customer's contact persons, employees whose numbers are managed in the service and any other party to a call.

In business use, the business customer may act as the GDPR controller for its employees' personal data, and we then generally act as a GDPR processor for the business customer. Detailed roles may be agreed in a written data processing agreement (DPA).

3. Information We Collect

When you use the service, we may collect and process the following information:

  • Phone Number: Required for registration and authentication. An SMS is sent to verify your phone number.
  • Verification SMS Content: During registration and phone number verification, we may process the contents of a single verification SMS for verification purposes only.
  • Call Metadata: Caller ID, call duration, timestamps and call history for service functionality.
  • Real-Time Transcripts and Audio During Calls: The app may open a connection to a backend server during calls to enable real-time transcription and AI interaction. By default, this data is not stored permanently (see section 6).
  • Call Summaries: Short summaries of calls may be produced for service functionality. By default, summaries are not stored permanently (see section 6).
  • Email Address (Optional): If provided, a summary of the call may be sent to your email.
  • Device Information: Model, operating system version and device identifiers for debugging and service improvement.
  • SIM and Phone State Information: To detect device telephony state (including the SIM slot) and route calls correctly. The Hello AI subscription is per phone number; multi-SIM is not used to manage more than one subscription.
  • Subscription and Payment-Related Information: Subscription tier, subscription status and subscription reference. Payment instrument data is not included; it is handled by Google Play or another payment channel.
  • Company Account Basics (B2B): Company name, Business ID, contact person name, address and phone number for account setup and contract management.
  • Billing Details (B2B): Billing or finance contact email, e-invoicing address and operator, OVT ID and purchase reference.
  • Per-Number Settings (B2B): Company-linked phone numbers, labels and summary delivery email addresses.
  • AI Profiles and Prompts: Per-number prompts, welcome messages and instruction texts that define service behavior.

4. Legal Bases for Processing (GDPR Art. 6)

We process personal data on the following legal bases under GDPR Art. 6(1):

  • Performance of a contract (6.1.b): Account creation, phone number verification, providing the service, delivering summaries, managing business accounts and invoicing.
  • Legal obligation (6.1.c): E.g. Finnish accounting law, tax law and consumer protection-related retention requirements.
  • Legitimate interest (6.1.f): Maintaining service security, preventing misuse, fixing errors, developing the service, handling support requests and operational logging. We have balanced our legitimate interest against the rights of the user.
  • Consent (6.1.a): Voluntary features such as enabling call recording on Plus/Business tiers (see section 6) and providing an email address for summary delivery. Consent can be withdrawn at any time.

We do not intentionally process special categories of personal data under GDPR Art. 9. If you process such data via calls through the service, you remain responsible for the legal basis for that processing.

5. Purposes of Processing

We use the collected information to:

  • verify your identity during registration and verify your phone number;
  • enable real-time call transcription and AI interaction;
  • generate and send a summary of a call to your email (if provided);
  • provide full dialer functionality;
  • administer company accounts, user roles, number listings and related settings;
  • prepare and deliver invoices and retain contract and purchase references;
  • provide support, communicate incidents and meet accounting and reporting obligations;
  • support call routing on the device (including the SIM slot used for outgoing calls);
  • improve app functionality and performance;
  • comply with legal and regulatory requirements.

6. Call Recording – Off by Default

By default, Hello AI does not store call audio, transcripts or summaries permanently. Real-time processing during a call is necessary to deliver the service, but temporary data is discarded after the call ends.

On Plus and Business subscription tiers, the user can separately enable a call recording feature in the app settings. After this opt-in, the audio, transcript and/or summary of subsequent calls may be stored permanently so that the user can review them later. The legal basis for storage is the user's explicit consent (GDPR 6.1.a) and performance of a contract (6.1.b) to the extent the recording is part of the chosen subscription tier.

Retention and location of stored recordings:

  • Audio (WAV): Stored in DigitalOcean Spaces (Frankfurt, EU/EEA).
  • Transcript and summary: Stored in our database (EU/EEA).
  • Retention: Stored as long as the account is active and the recording feature is enabled. You can delete individual recordings or request deletion of all recordings at any time. On account deletion, recordings are deleted as described in section 13.

If you record calls, you are responsible for informing the other party where required by applicable law and for obtaining any necessary consents. This is particularly relevant for business use, customer calls, employee calls and marketing calls.

7. AI Participation in Calls (Transparency)

The service may use AI in call handling, transcription and summary generation. The other party to a call may interact with an AI system, for example when the service answers calls on the user's behalf or produces synthetic speech.

The EU AI Act may require, in certain situations, that the other party be informed of AI involvement. It is the user's responsibility to ensure such notice (see section 8 of the Terms of Service). We do not make automated legal or similarly significant decisions about individuals based on individual calls (see section 11).

8. Android App Permissions

To function as a complete dialer replacement, our application relies on Android's calling framework, which requires certain permissions. This allows the app to manage calls and contacts and to function as the primary phone application.

Note that many of the permissions described are required for dialer functionality, not specifically for Hello AI's AI features. Android mandates them for any application that functions as a dialer.

Install-Time Permissions

Granted automatically upon installation:

  • POST_NOTIFICATIONS: Displays call notifications.
  • USE_FULL_SCREEN_INTENT: Shows calls on the lock screen.
  • FOREGROUND_SERVICE & FOREGROUND_SERVICE_SPECIAL_USE: Manages calls in the background.
  • WAKE_LOCK: Keeps the screen active during calls.
  • VIBRATE: Vibrates for incoming calls.
  • READ_SYNC_SETTINGS: Syncs contact information.
  • CONFIGURE_PHONE_ACCOUNT: Supports VoIP and multi-SIM.

Runtime Permissions

You may be prompted to grant these:

Essential Permissions

  • CALL_PHONE: Make phone calls.
  • READ_PHONE_STATE: Monitor SIM selection and call state.
  • ANSWER_PHONE_CALLS: Answer incoming calls.
  • MANAGE_OWN_CALLS: Manage active calls.

Communication Permissions

  • SEND_SMS & RECEIVE_SMS: Send, receive and process the registration-related verification SMS for phone number verification.

Audio Permissions

  • RECORD_AUDIO: Use the microphone during calls.
  • MODIFY_AUDIO_SETTINGS: Control audio routing and volume.

Contact and Call Log Permissions (Optional but recommended)

  • READ_CONTACTS & WRITE_CONTACTS: Access and manage contacts.
  • READ_CALL_LOG & WRITE_CALL_LOG: Access and update call history.

Storage Permissions

  • READ_EXTERNAL_STORAGE & WRITE_EXTERNAL_STORAGE: Access contact photos and ringtones.
  • READ_MEDIA_IMAGES: Access contact photos.

Camera and Flashlight Permissions (Optional)

  • CAMERA & FLASHLIGHT: Flash notifications for incoming calls and future video calling.

Special Permission

  • SYSTEM_ALERT_WINDOW: Display incoming calls over other apps.

9. Data Storage and Security

What We Store on Our Servers

  • Account Information: Phone number, email address (if provided) and account settings.
  • Call Metadata: Call history, timestamps and call-related information.
  • Device Information: For app functionality and debugging.
  • Company and Billing Information (B2B): For contract and invoicing purposes.
  • Per-Number Settings: Linked numbers, labels, summary email addresses and AI prompts.
  • Call Recordings (only when the user opts in on Plus/Business tiers): Audio, transcript and summary as described in section 6.

What We Do Not Store (Default)

  • Call audio: Audio is processed in real time during the call and not stored permanently unless the user has explicitly enabled recording (section 6).
  • Real-time transcripts: Processed temporarily during calls and not stored permanently in the default state.

Data Retention

  • Active accounts: Data is retained while the account is active and as long as needed to provide the service.
  • Inactive accounts: Personal data is not currently deleted automatically solely because of inactivity, but we periodically review necessity. You can request deletion at any time (see section 13).
  • Account deletion: Personal data is permanently deleted within 30 days of receiving the deletion request, except for data required by law (e.g. accounting records, generally 6 years).
  • Call recordings: Retained as long as the subscription tier and the user's chosen setting require; the user can delete individual recordings at any time.

Security Measures

  • We use industry-standard technical and organisational safeguards (e.g. encrypted transport, access control, logging).
  • All data transmission takes place over encrypted channels.
  • Access to personal data is restricted to authorised personnel only.

10. Third-Party Services and Data Transfers

We use third-party service providers in the following categories:

  • Telephony and carrier services – technical delivery of calls.
  • SMS verification services – phone number verification.
  • Email delivery services – delivering summaries and notifications.
  • Speech-to-text services – real-time transcription.
  • Text-to-speech services – voice synthesis.
  • AI models – conversational AI and text processing.
  • Cloud infrastructure and storage – temporary and (on Plus/Business tiers) permanent storage.
  • Account management and billing (B2B) – contract and billing support.

A more specific list of current providers is available on request from support@sorwi.fi.

Location of processing and storage: Processing and storage are conducted primarily within the EU/EEA. For example, call recordings are stored in EU/EEA cloud storage in Frankfurt.

Possible transfers outside the EU/EEA: Some third-party services may operate or transfer data outside the EU/EEA (e.g. certain providers connected to the United States). Such transfers rely on safeguards under Chapter V of the GDPR, including European Commission-approved Standard Contractual Clauses (SCCs), an adequacy decision (such as the EU–US Data Privacy Framework) or another lawful basis under the GDPR. More detailed information on third-country transfers is available on request.

Restrictions on data use: We require that third parties process personal data only to provide the service and do not sell or use it for their own purposes contrary to law.

11. Automated Decision-Making and Profiling

We do not make decisions about you based solely on automated processing that would produce legal effects or similarly significantly affect you within the meaning of GDPR Art. 22. The service may use AI classification and content generation as part of its technical operation (e.g. caller identification, summary), but such functions are not automated decisions within the meaning of GDPR Art. 22.

12. Your Rights as a Data Subject

You have the following rights under the GDPR and Finnish Data Protection Act regarding your personal data:

  • Right of access: The right to obtain information about what data is processed about you.
  • Right to rectification: The right to request correction of inaccurate or incomplete data.
  • Right to erasure: The right to request deletion when there is no lawful basis for continued processing.
  • Right to restriction: The right to request restriction of processing in certain situations.
  • Right to object: The right to object to processing based on legitimate interest.
  • Right to portability: The right to receive your data in a machine-readable format where processing is based on consent or contract.
  • Right to withdraw consent: You can withdraw consent (e.g. call recording, email provision) at any time, without affecting the lawfulness of processing before the withdrawal.
  • Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. The competent authority in Finland is the Office of the Data Protection Ombudsman (tietosuoja.fi/en, +358 29 566 6700, tietosuoja@om.fi).

To exercise your rights, send a request to support@sorwi.fi. We will verify the requester's identity using appropriate means.

13. Account Deletion

Requesting Account Deletion

You have the right to request deletion of your Hello AI account at any time:

  1. Use the account deletion page at annoying.fi/account/delete, or
  2. Email support@sorwi.fi with your phone number.

What Will Be Deleted

The following data is permanently deleted within 30 days of the request:

  • Phone number and account information.
  • Email address and related preferences.
  • Call metadata.
  • Device information.
  • App settings.
  • Registration and authentication information.
  • Call recordings (audio, transcripts, summaries) where applicable.
  • Company and billing data (B2B), unless law requires longer retention.

What May Be Retained After Deletion

  • Accounting records and invoicing data for the period required by Finnish accounting law (generally 6 years).
  • Data required by law or other legal obligations.
  • Data needed to establish, exercise or defend legal claims.

Other User Choices

  • You may choose not to provide an email address, in which case you will not receive call summaries by email.
  • You may disable AI interaction features by changing your phone's default dialer app.
  • You may revoke granted Android permissions from your device settings.
  • On Plus/Business tiers, you may turn call recording on or off at any time.

Note: Contacts stored locally on your device are not affected by account deletion, because they are stored on your device and managed by your operating system.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Updated policies receive a new version number. Material changes are announced via the app, email or other communication channels. We use the same version mechanism as the Terms of Service, and a material change may require re-acceptance.

15. Contact Us

Version: 1.1
