Skip to main content

Privacy Policy

Last updated: May 12, 2026

1. Introduction

TRULNK LLC ("TRULNK," "we," "our," or "us") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI voice agent platform ("Service").

This policy applies to information we collect from our customers (businesses that use our Service) and from callers who interact with our AI agents on behalf of those customers.

2. Information We Collect

2.1 Customer Account Information

When you register for our Service, we collect:

  • Business name
  • Email address
  • Billing and payment information (processed securely by Stripe)
  • Account credentials (password is encrypted)

2.2 Agent Configuration Data

To customize your AI agent, we store:

  • Agent name, voice selection, and personality settings
  • Greeting messages and custom instructions
  • Business hours and scheduling preferences
  • Knowledge base documents and FAQs you upload
  • Calendar integration tokens (encrypted)

2.3 Call Data

When calls are processed through our Service, we collect and store:

  • Call recordings (audio files)
  • Voicemail recordings (when the AI agent is temporarily unavailable)
  • Call transcripts (text version of conversations)
  • Caller phone numbers
  • Call metadata (date, time, duration)
  • AI-generated call summaries
  • Sentiment analysis results

2.4 Automatically Collected Information

When you access our dashboard, we automatically collect:

  • IP address and device information
  • Browser type and operating system
  • Pages visited and features used
  • Date and time of access
  • Cookies and similar technologies (see Section 11)

3. How We Use Your Information

We use your information for the following purposes:

  • Provide the Service: Process calls, generate AI responses, record and transcribe conversations
  • Account Management: Create and manage your account, process payments, provide customer support
  • Service Improvement: Analyze usage patterns and enhance features
  • Communications: Send service updates, security alerts, and administrative messages
  • Security: Detect and prevent fraud, abuse, or unauthorized access
  • Legal Compliance: Comply with applicable laws, regulations, and legal requests

4. Data Sharing and Disclosure

We do not sell your personal data. We may share your information only in the following circumstances:

4.1 Service Providers (Subprocessors)

We use the following third-party service providers (subprocessors) to operate the Service. Each subprocessor is contractually obligated under a Data Processing Agreement (or equivalent) to protect your data and use it only for specified purposes:

  • Twilio — Telephony, call routing, phone number provisioning, and SMS delivery
  • Twilio Verify — SMS-based two-factor authentication (one-time codes)
  • Stripe — Payment processing, subscription billing, and webhook delivery for billing events
  • Supabase — Database, authentication, and file storage (US data centers)
  • Vercel — Web application hosting, edge functions, and privacy-focused analytics
  • Cloudflare — DNS, edge network, DDoS protection, secure tunnel to our AI backend, and bot challenge (Turnstile)
  • Resend — Transactional email delivery (account, billing, and security notifications)
  • Sentry — Application error and performance monitoring
  • Better Stack — Uptime monitoring, public status page, and incident management
  • Backblaze B2 — Encrypted off-site backups of database, call recordings, and transcripts (data is age-encrypted client-side before transmission to B2)

AI processing infrastructure: Our AI voice agents run on hardware that TRULNK owns and operates, located in a colocation facility in the United States. Call audio is processed on this infrastructure and is not transmitted to third-party large language model providers such as OpenAI, Anthropic, or Google. See Section 8 for more detail on AI data handling.

Data is primarily stored and processed in United States data centers. We will update this list if we add or change subprocessors. Material changes to our subprocessor list will be communicated to customers in advance where required by applicable data protection law.

4.2 Legal Requirements

We may disclose your information if required by law, court order, or legal process, or to:

  • Comply with legal obligations
  • Protect our rights, property, or safety
  • Prevent fraud or illegal activity
  • Respond to government requests

4.3 Business Transfers

If TRULNK is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your data becomes subject to a different privacy policy.

5. Data Retention

We give you control over how long your call data is stored:

  • Call recordings and transcripts: Retained according to the retention period you configure in your account settings. You can adjust this at any time from your dashboard.
  • Call metadata and summaries: Duration of your account
  • Account information: Until account deletion, plus up to 7 years for legal/tax purposes
  • Abandoned trial accounts: If your free trial expires and you do not add a payment method, your account moves through a 30-day total retention window: 15 days during which you can still reactivate and recover all data, then 15 days of suspension during which your data is retained but access is blocked, then permanent deletion. Your phone number is released when the suspension takes effect (around day 15) so we are not charging Twilio for an inactive line; reactivation after that point re-provisions a new number.
  • Cancelled paid accounts: If you cancel a paid subscription, your account data (AI agents, call history, transcripts, recordings, uploaded knowledge base documents, and integrations) is retained for 30 days so you can reactivate without losing anything. We email you a 7-day notice before deletion. After 30 days the data is permanently deleted and cannot be recovered. Stripe invoice records are retained separately by Stripe for tax purposes.
  • Billing records: 7 years for tax and accounting compliance

Important: You are responsible for downloading call recordings and transcripts before they expire if you need to retain them longer.

6. Data Security

TRULNK operates an information security program aligned with SOC 2 Type II Common Criteria. We are not currently SOC 2 certified — formal audit is on our post-launch roadmap — but our controls reflect that framework. Specific measures include:

  • Encryption in transit: TLS 1.2 minimum with HSTS enforced (HTTP Strict Transport Security)
  • Encryption at rest: AES-256 for the database and object storage; AES-256-GCM for integration access tokens (e.g., calendar and CRM tokens)
  • Multi-factor authentication: SMS-based MFA is required for all customer accounts; verified at every sign-in
  • Password handling: Passwords are hashed and never stored in recoverable form. No one — including TRULNK staff — can view your password.
  • Authorization: Row-level security (RLS) policies in our database, scoped to each customer organization; admin operations require step-up MFA
  • Audit logging: Privileged actions are recorded in an append-only audit log with retention for forensic review
  • Off-site encrypted backups: Daily/weekly age-encrypted backups of the database and call recordings to a separate cloud provider (Backblaze B2), with restore testing
  • Continuous monitoring: Host-based intrusion detection, file integrity monitoring, and CVE tracking across our infrastructure (Wazuh SIEM)
  • Vulnerability management: Automated dependency scanning (Dependabot, npm audit) with security updates applied promptly
  • Endpoint security: Operator workstations protected by EDR and full-disk encryption; production servers hardened to CIS benchmarks with SSH key-only access
  • Network isolation: Backend AI infrastructure reachable only via authenticated Cloudflare Tunnel; no public ingress to compute

However, no method of transmission over the internet or system of storage is 100% secure. While we strive to protect your data using the controls above, we cannot guarantee absolute security.

7. Your Privacy Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of your personal data
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your data (subject to legal retention requirements)
  • Portability: Receive your data in a portable format
  • Restriction: Request limitation on processing
  • Objection: Object to certain processing activities
  • Opt-out: Opt out of marketing communications

To exercise these rights, contact us at privacy@trulnk.com. We will respond within 30 days (or sooner as required by applicable law).

8. Caller Data, AI, and Your Responsibility

Your call data is not sent to third-party large language model providers.The AI models powering TRULNK voice agents run on infrastructure that TRULNK owns and operates in a United States colocation facility. Call audio, transcripts, and caller inputs are processed on this infrastructure and are not transmitted to providers such as OpenAI, Anthropic, Google, AWS Bedrock, or any other third-party LLM service. This is a deliberate architectural choice to keep customer call data inside our own security perimeter rather than expanding the trust boundary to additional AI vendors.

We do not train or fine-tune AI models on your call recordings, transcripts, or caller data. Our AI models are pre-trained and their weights are never modified using your data. Your AI agent uses the information you provide — such as knowledge base documents, custom instructions, and business details — as contextual input at the time of each call, but this information is not used to retrain, fine-tune, or otherwise modify the underlying AI models. Call recordings and transcripts are stored solely for your review and are never used to train or improve AI models.

As a TRULNK customer, you are the data controller for information collected from your callers. This means:

  • You are responsible for providing privacy notices to your callers
  • You must handle data access, correction, and deletion requests from your callers
  • You must comply with applicable privacy laws for your callers' data
  • You should include appropriate disclosures about AI and call recording

TRULNK acts as a data processor for caller data, processing it only on your behalf to provide the Service.

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: What personal information we collect, use, disclose, and sell
  • Right to Delete: Request deletion of your personal information
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out: Opt out of the sale or sharing of personal information
  • Right to Non-Discrimination: Not receive discriminatory treatment for exercising your rights

We do not sell or share your personal information as defined under the CCPA/CPRA.

To exercise your California privacy rights, contact us at privacy@trulnk.com.

10. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR):

10.1 Legal Basis for Processing

We process your personal data based on:

  • Contract: Processing necessary to provide the Service you requested
  • Legitimate Interests: Improving our Service, security, and fraud prevention
  • Legal Obligation: Compliance with applicable laws
  • Consent: Where you have provided explicit consent

10.2 Your GDPR Rights

In addition to the rights listed in Section 7, you have the right to:

  • Withdraw consent at any time (where processing is based on consent)
  • Lodge a complaint with your local data protection authority

10.3 International Data Transfers

Your data is stored and processed in the United States. By using our Service, you acknowledge and consent to the transfer of your data to the United States, which may have different data protection laws than your country of residence. Where required by applicable law, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for such transfers.

11. Cookies and Tracking Technologies

We use cookies and similar technologies to:

  • Essential Cookies: Authenticate your session and maintain security
  • Preference Cookies: Remember your settings and preferences
  • Analytics: We use Vercel Analytics to understand how you use our Service and to improve it. Vercel Analytics is privacy-focused and does not use cookies for tracking

You can control cookies through your browser settings. Note that disabling essential cookies may prevent you from using certain features of the Service.

Do Not Track: We do not currently respond to Do Not Track (DNT) browser signals, as there is no industry-standard interpretation of this signal for web applications.

12. Children's Privacy

Our Service is intended for business use and is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 18, we will delete it promptly. If you believe we have collected information from a child, please contact us at privacy@trulnk.com.

13. Healthcare and HIPAA Notice

TRULNK is not HIPAA-compliant. We do not execute Business Associate Agreements ("BAAs") as defined under the Health Insurance Portability and Accountability Act ("HIPAA"). The Service is not designed for, and must not be used to, create, receive, maintain, or transmit Protected Health Information ("PHI") as defined by 45 CFR §160.103.

Covered entities and business associates under HIPAA should not use TRULNK to process, store, or transmit PHI. By using TRULNK, you represent that your use will not involve PHI.

14. SMS Authentication Services

Phone Number Collection for SMS

When you create a TRULNK account, we collect your mobile phone number for the purpose of sending SMS authentication codes. This phone number is used exclusively for account security verification via two-factor authentication (2FA). We also collect SMS delivery status information and your opt-in/opt-out preferences.

SMS Consent and Enrollment

During account registration at voice.trulnk.com/signup, you must check a dedicated checkbox labeled "I agree to receive SMS verification codes from TRULNK. Msg & data rates may apply. Reply STOP to opt out." The checkbox is not pre-selected — affirmative consent is required to complete signup. The consent timestamp is recorded in your account. You may update your phone number at any time from your account settings under Two-Factor Authentication.

Message Frequency and Purpose

SMS messages are sent only when you initiate a sign-in attempt or perform a security-sensitive account action (such as changing your password or adding a new device). Each message contains a one-time verification code that expires within approximately 10 minutes of being sent. Message frequency depends on your sign-in activity. You will never receive unsolicited marketing messages via SMS — TRULNK uses SMS exclusively for security-related authentication. SMS authentication is delivered through Twilio Verify, a service operated by Twilio Inc.

SMS Opt-Out

You can update your phone number at any time by navigating to your account settings and selecting "Change phone number" under Two-Factor Authentication. To opt out of all TRULNK SMS communications, contact privacy@trulnk.com with the subject "SMS OPT-OUT." You may also reply STOP to any TRULNK SMS message to opt out.

Carrier Charges

Message and data rates may apply. TRULNK does not charge for authentication SMS messages, but your mobile carrier may apply standard messaging rates. Contact your carrier for details about your SMS plan.

SMS Support

For questions about SMS authentication, opt-out requests, or SMS delivery issues, contact us at privacy@trulnk.com.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service at least 30 days before the changes take effect. The "Last updated" date at the top indicates when changes were made.

Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy.

16. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

TRULNK LLC
P.O. Box 631
Roswell, GA 30077
Email: privacy@trulnk.com

For data protection inquiries from the EEA, you may also contact your local data protection authority.

Privacy Policy | TRULNK