Effective Date: 14 March 2026
Last Updated: 14 March 2026

1. Introduction

This Privacy Policy describes how Vantoris ("we", "us", "the Company") collects, uses, discloses, stores and protects personal data in connection with our services, including but not limited to: website development, AI-powered call agents, small business applications, and other automation services for businesses (collectively, "Services"). This Policy applies to personal data we process when we act as controller and to processing we perform as processor on behalf of our business customers.

2. Data Controller / Contact Details

Data Controller: Vantoris
Registered name: Vantoris
Registered address: Groeneweg 17, 9320 Aalst, Belgium
Company registration number: 1034970303
Primary contact email: support@vantorissystems.com
Privacy enquiries: support@vantorissystems.com

3. Scope and Roles

A. As controller: We determine purposes and means for personal data collected for our own sales, marketing, account management, billing and support.

B. As processor: When we provide Services (e.g., AI call agents) on behalf of a business customer, that customer is generally the controller of personal data about its end-users and we act as processor under a Data Processing Agreement (DPA) or equivalent contract. We will process such data only on documented instructions from the customer.

4. Categories of Personal Data Processed

We collect and process categories of personal data including (as applicable):

4.1 Account / customer data:
- Company name, contact person name, business email, business phone, billing address
- Billing and invoicing data

4.2 Authentication and login:
- Username, password hashes, account identifiers

4.3 Payment data:
- Payment transaction metadata (we do not store raw card numbers unless using a payment provider that does; see Section 10)

4.4 Communications & support:
- Emails, support tickets, chat transcripts, call logs created in support interactions

4.5 Technical & usage data:
- IP address, browser type/version, device identifiers, operating system, pages visited, timestamps, error logs, cookies and analytics data

4.6 Call and voice data (AI Agents):
- Caller phone numbers, call audio/recordings, speech-to-text transcripts, appointment details, lead-qualification data and metadata generated during calls

4.7 Derived / aggregated data:
- Usage metrics, anonymised/aggregated analytics used for service improvement (not reasonably re-identifiable)

5. Sources of Personal Data

- Directly from customers (account sign-up, onboarding, support)
- From end-users of our customers (calls to AI agents; customers supply call flows)
- Automatically collected from website and application usage (cookies, logs)
- From third-party providers and partners (payment processors, analytics providers)

6. Purposes of Processing and Legal Bases (EU/UK)

We process personal data for these primary purposes and legal bases:

6.1 To perform contracts with customers (Art. 6(1)(b) GDPR)
- Provision, hosting, maintenance and support of Services
- Account administration, billing, and enforcing contractual obligations

6.2 For legitimate interests (Art. 6(1)(f) GDPR), balanced against data subject rights:
- Security, fraud prevention and abuse detection
- Service improvement, product development and analytics
- Communicating important updates and operational notices

6.3 To comply with legal obligations (Art. 6(1)(c) GDPR)
- Accounting, tax and record-keeping requirements (examples: retention of invoices)

6.4 Where consent is required (Art. 6(1)(a) GDPR)
- Marketing communications and certain non-essential cookies (consent is requested and recorded)
- Any special categories of personal data will only be processed with explicit consent unless another lawful basis applies.

7. Processing of Call Data & AI Processing

7.1 Call recordings and transcripts: Calls routed through our AI agents may be recorded, transcribed and processed by automated systems to provide services (e.g., lead qualification, appointment booking, conversation routing). These operations may involve automated speech recognition, natural language processing and model-based inferences.

7.2 Controller/processor roles: Typically the customer (business) is the controller for call data concerning its own clients; Vantoris acts as processor and processes such data only according to customer instructions and contractual DPA.

7.3 Notice to call participants: Customers must ensure that they inform their callers as required by applicable law (e.g., that calls may be recorded and processed). We will, on request, help supply required notice text.

7.4 Automated decision-making / profiling: Where automated profiling or automated decision-making occurs in a way that produces legal effects or similarly significantly affects the data subject, individuals have rights to object, obtain human intervention and request explanations. Data subjects should contact their controller (the relevant business customer) to exercise these rights; we will assist as required.

8. Recipients and Sub-Processors

We disclose personal data to categories of recipients including:

- Service providers and subprocessors who perform services on our behalf (hosting, telephony, AI processing, database services, email, analytics, payments). Examples include Retell AI, Twilio, Supabase, Hostinger, Google Workspace and payment providers such as Wise or others engaged by us or our customers.
- Professional advisers, auditors and regulatory authorities where required by law.
- Potential acquirers or investors in the context of a business transaction (subject to confidentiality and, where applicable, data transfer safeguards).

A current list of subprocessors is available on request; we maintain written agreements with subprocessors requiring them to implement appropriate technical and organisational measures and to process data only as instructed.

No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. Mobile opt-in data and consent will not be shared with any third parties, except with subcontractors and service providers strictly required to deliver the requested communication services.

9. International Transfers

Where personal data is transferred outside the EEA/UK to countries without an adequacy decision, we implement appropriate safeguards such as:

- Standard Contractual Clauses (SCCs) adopted by the European Commission
- Data Processing Agreements containing binding contractual obligations
- Additional technical and organisational measures where required

For transfers to subprocessors in the United States or other jurisdictions, we will rely on SCCs and risk assessments and will make information available to customers upon request.

10. Payments and Financial Data

We use third-party payment processors to handle payment transactions. We do not usually store full payment card data ourselves; this is handled by PCI-compliant payment providers. Payment processors will process payment data under their own privacy terms. We may retain transaction metadata (transaction ID, amount, date) for accounting purposes.

11. Retention Periods

We retain personal data only as long as necessary for the purposes listed and to comply with legal, accounting or contractual obligations. Typical retention periods (examples; may be adjusted for specific contracts):

- Call recordings and transcripts generated by AI agents: retained for 30 days by default, unless customer requests a different retention period by contract (shorter or longer as lawful and agreed).
- Customer account data and service records: duration of the contractual relationship + 12 months.
- Billing, invoices and accounting records: 7 years (or as required by local law).
- Support interactions and emails: 2 years from last interaction unless longer retention is required for dispute resolution.
- Technical logs and security logs: 6–12 months (subject to operational needs).

We regularly review retention periods and securely delete or anonymise data when no longer required.

12. Data Security

We implement appropriate technical and organisational measures to protect personal data, including:

- Access control and role-based access
- Encryption in transit (TLS) and at rest where feasible
- Network and infrastructure security, monitoring and logging
- Regular backups and disaster recovery processes
- Vendor/subprocessor security assessments and contractual obligations

Despite these measures, no system is completely secure. We will notify supervisory authorities and affected data subjects of a personal data breach when required by applicable law.

13. Data Subject Rights (EU/UK)

Data subjects covered by EU/UK data protection laws have rights including:

- Right of access to personal data
- Right to rectification
- Right to erasure ("right to be forgotten") where legal grounds exist
- Right to restrict processing
- Right to data portability (where processing is based on consent or contract and processing is by automated means)
- Right to object to processing (including for direct marketing and profiling based on legitimate interests)
- Right to withdraw consent where processing is based on consent
- Right to lodge a complaint with a supervisory authority

Requests should be sent to support@vantorissystems.com. We may require identity verification and will respond within statutory timeframes (generally one month; may be extended as allowed by law).

14. Children

Our Services are directed at businesses and are not intended for individuals under 16. We do not knowingly collect personal data from minors; if we become aware of such data, we will delete it unless retention is required by law.

15. Cookies and Tracking

We use cookies and similar technologies on our websites for functionality, security, analytics and marketing. Non-essential cookies are only set after obtaining consent where required by law. Detailed cookie information is provided in our Cookie Policy and via the cookie banner on our website.

16. DPA, B2B customers and Controller-to-Processor obligations

For business customers who provide us with personal data about their customers, we enter into a Data Processing Agreement (DPA) that sets out:

- Processing instructions and purposes
- Subprocessor use and subprocessors list and notice mechanisms
- Security measures, confidentiality and data breach cooperation
- Assistance with data subject rights

Customers may request a copy of the standard DPA or a negotiated DPA prior to contracting.

17. Third-Party Links and Services

Our websites or products may contain links to third-party sites and services. This Policy does not cover third-party practices; we encourage reading the privacy notices of any linked sites.

18. Changes to This Privacy Policy

We may update this Policy to reflect changes to our practices, legal requirements or Services. We will publish the revised Policy with a new "Last Updated" date. Where required by law, we will provide additional notices.

19. How to Contact Us

For privacy enquiries, data subject requests, or to request the current list of subprocessors or a DPA:

Email: support@vantorissystems.com
Address: Groeneweg 17, 9320 Aalst, Belgium

20. Supervisory Authority

If you are located in the EU or UK, you have the right to file a complaint with a competent supervisory authority (for Belgium: the Data Protection Authority/Gegevensbeschermingsautoriteit).

21. Miscellaneous

- Legal basis references in this Policy refer to the GDPR (Regulation (EU) 2016/679) and applicable national legislation and equivalents under UK law where applicable.
- This Policy is written in clear language. Where translations exist, the English version prevails unless otherwise stated.

END OF PRIVACY POLICY