Privacy Policy

1. Data controller

VOLANDOO SOLUTIONS SLU, NIF B44544914, with registered address at CALLE VERGE DEL PILAR, NUM 15, 46210 PICANYA - (VALENCIA), Spain, is the controller for personal data processed in Orbitali.

You can contact us at info@volandoo.com or info@orbitali.ai. For data protection matters, contact the Data Protection Officer at dpd@gesercos.es.

2. Data we process

We process the data necessary to operate an AI voice-agent platform for developers and businesses.

• Account and organization data: name, email, hashed password, sessions, roles, invitations, account status, and profile preferences.
• Technical and security data: IP addresses, user agent, session identifiers, authentication logs, encrypted or hashed API keys, and visible key prefixes.
• Agent configuration: names, language, voice, prompts, instructions, greetings, server URLs, headers, secrets, tools, parameter schemas, and error settings.
• Telephony and call data: caller and destination numbers, assigned numbers, Telnyx identifiers, call status, duration, timestamps, transcripts, messages, tool invocations, and related responses.
• Knowledge data: uploaded files, name, description, type, size, extracted text, chunks, and embeddings needed for semantic agent search.
• Usage and billing data: consumption, minutes, tokens, estimated costs, billing profile, legal or business name, tax identifier if provided, tax country, checkout sessions, and Stripe references.
• Support and communication data: messages sent by email, forms, support tickets, commercial requests, or conversations with our team.
• Observability data: performance metrics, errors, technical logs, and product events needed to maintain security, quality, and availability.

3. Purposes and legal basis

• Provide the contracted service, create accounts, authenticate users, and manage organizations, API keys, agents, calls, knowledge, usage, and billing.
• Process calls in real time, generate voice responses, execute configured tools, and deliver webhooks to the server you configure.
• Maintain security, prevent abuse, investigate failures, debug incidents, and protect the platform, our users, and third parties.
• Comply with legal, tax, accounting, regulatory obligations, and lawful requests from competent authorities.
• Respond to support, commercial, or legal requests.
• Improve Orbitali through technical and product analytics based on our legitimate interest, limited to what is necessary.

4. Calls, AI, and webhooks

Orbitali processes call audio, metadata, and conversational content to route calls, connect with real-time AI models, generate responses, create transcripts, record messages, and execute tools.

When you configure a server URL, Orbitali may send events such as assistant-request or tool-call to your backend. You are responsible for the legality of the data you receive, return, or choose to include in prompts, tool responses, and business logic.

You must ensure callers receive the notices and consents required for their data, voice, and conversational content to be processed by Orbitali and the necessary technical providers.

5. Providers and data disclosures

We do not sell personal data. We share data only when necessary to provide Orbitali, comply with law, or protect rights and safety.

• Telephony providers, such as Telnyx, for numbers, call connection, webhooks, and media streams.
• AI providers, such as Google Gemini, for real-time voice processing and, where applicable, auxiliary generation.
• Embedding providers, such as OpenAI, to convert document text or queries into search vectors.
• Payment and billing providers, such as Stripe, for payments, checkout, tax handling, and invoices.
• Hosting, database, storage, email, support, and observability providers, including OpenObserve when configured.
• Public authorities, courts, law enforcement, or third parties where legally required or necessary to defend rights.

6. International transfers

Some providers may process data outside the European Economic Area. When this happens, we apply the safeguards required by applicable law, such as adequacy decisions, standard contractual clauses, or other valid mechanisms.

7. Retention

We retain data while the account is active or as long as needed to provide Orbitali, comply with legal obligations, resolve disputes, maintain security, prevent fraud, and defend claims. You may delete agents, documents, or other resources from the platform where the feature is available. Some records may be retained for applicable legal periods.

8. Security

We apply reasonable technical and organizational measures, including access controls, encryption or hashing of secrets where appropriate, environment separation, activity logging, and operational security practices. No internet-connected system can guarantee absolute security.

9. Your rights

You may request access, correction, deletion, objection, restriction, portability, and withdrawal of consent where applicable by contacting dpd@gesercos.es or info@orbitali.ai. You may also lodge a complaint with the Spanish Data Protection Agency if you believe processing does not comply with applicable law.

10. Children

Orbitali is intended for businesses, developers, and professionals. It is not intended for children under 16, and we do not knowingly collect children’s data to create user accounts.

11. Changes

We may update this policy to reflect product, provider, legal, or internal practice changes. We will publish the current version on this page and indicate the last updated date.