Privacy Policy
Last updated: July 2026 · Pilot version
HearBack (“we”, “us”) provides a service that places AI-assisted phone calls to sales leads who submit forms on WordPress websites operated by our customers (“site owners”). This policy explains, in plain English, what data we handle and why. It is a pilot-stage policy; we will expand it as the service grows, and we will not weaken it retroactively.
Data we process on behalf of site owners
When a visitor submits a form on a site running the HearBack plugin, the plugin sends us the information needed to place and document one phone call:
- Lead contact details — the name, phone number, and email address entered in the form.
- Form answers — the other fields the lead filled in (for example, budget or message), which the AI agent uses as context for the call.
- Submission context — the page URL, form name, the consent checkbox state and its wording, and the submitting IP address (used for abuse prevention).
We process this data as a service provider to the site owner, solely to place the call, qualify the lead, and report the results back to that site owner. We do not sell lead data, use it for advertising, or contact leads for any purpose other than the call the site owner configured.
Calls are recorded and transcribed
Calls placed by HearBack are transcribed, and audio may be recorded and retained by our voice-AI and telephony providers for a limited period, in order to produce the transcript, a written summary, and the lead's extracted answers. Transcripts and summaries are made available only to the site owner (in their WordPress dashboard and by email to their team). The AI agent identifies itself as an AI assistant at the start of each call.
Consent, and the site owner's responsibilities
HearBack only dials leads whose form submission included an affirmative consent (a checked consent box). Submissions without consent are logged as blocked and are never called.
The site owner — not HearBack — is the party with the direct relationship to the lead, and is responsible for complying with the telemarketing and consent laws that apply to them, including the TCPA in the United States and equivalent rules elsewhere: obtaining valid consent on their forms, using appropriate consent wording, and honoring do-not-call requests outside HearBack. HearBack additionally enforces calling hours (8 am–9 pm in the lead's local time) and maintains a per-site opt-out list; a lead who asks not to be called again during a call is opted out immediately and permanently for that site.
Service providers
We use a small number of infrastructure sub-processors to deliver the service: a telephony carrier (to provision phone numbers and connect calls), a voice-AI provider (to run the conversation and produce transcripts), cloud hosting and database providers, and an email delivery provider (to send call summaries to the site owner's team). Each receives only the data needed for its function.
Retention and deletion
- Lead records, transcripts, and summaries are retained so the site owner can review their call history.
- A lead's personal data can be erased on request by phone number. Leads may contact us directly, or the site owner may request deletion on their behalf. Erasure removes the lead's name, contact details, form answers, and transcript content; anonymized billing records are kept as required for accounting.
- Opt-out entries are retained (that is the point of an opt-out list).
Data belonging to site owners
For site owners themselves, we store the account email, site URL, wallet ledger and top-up records, phone number provisioning details, AI agent configuration, and — if calendar booking is enabled — an encrypted Google Calendar authorization used only to check availability and create events the owner asked for.
Security
API access is authenticated with per-site secret keys, calendar credentials are stored encrypted, and access to production data is limited to the operators of the service. No system is perfectly secure; if we become aware of a breach affecting personal data we will notify affected site owners without undue delay.
Your rights
Depending on where you live (for example under the GDPR), you may have rights to access, correct, delete, or restrict the processing of your personal data. Whether you are a lead who received a call or a site owner, write to us and we will act on your request or route it to the responsible site owner.
Contact
Questions, deletion requests, or complaints: trulocal.in@gmail.com.