GDPR & Data Processing
Last updated: 2 March 2026
1. Overview
Longworths Holdings UK Limited (trading as VoxConnect) is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page outlines our approach to data protection, the roles and responsibilities of the parties involved, and the safeguards we have in place.
2. Controller and Processor Roles
2.1 When VoxConnect Is the Data Controller
VoxConnect acts as the data controller for personal data we collect directly, including:
- Account registration and profile data
- Billing and payment information
- Platform usage analytics
- Communications between you and VoxConnect (support, marketing)
2.2 When VoxConnect Is the Data Processor
VoxConnect acts as a data processor on your behalf when processing data through your AI voice agents, including:
- Call recordings and transcriptions
- Caller/recipient personal data (phone numbers, names, conversation content)
- Knowledge base documents you upload
- AI interaction logs from your configured agents
As the data controller for your end users' data, you are responsible for ensuring you have a lawful basis for processing, providing appropriate privacy notices, and responding to data subject requests.
3. Data Processing Agreement
By using the VoxConnect Service, you agree to the following data processing terms, which form part of your agreement with us under Article 28 UK GDPR:
3.1 Processing Instructions
We process personal data only on your documented instructions, which are defined by your configuration of the Service (agent settings, recording preferences, retention periods). We will not process data for any other purpose.
3.2 Confidentiality
All personnel with access to personal data are bound by confidentiality obligations. Access is restricted to those who need it to provide the Service.
3.3 Security Measures
We implement appropriate technical and organisational security measures as required by Article 32 UK GDPR, including:
- Encryption: All data encrypted in transit (TLS 1.2+) and at rest (AES-256-GCM for sensitive data)
- Access controls: Role-based access control, multi-tenant isolation at the database level, SSO/SAML support
- Monitoring: Application logging, infrastructure monitoring, and alerting
- Resilience: Automated backups, redundant infrastructure, disaster recovery procedures
- Testing: Regular security assessments and vulnerability management
3.4 Sub-Processors
We use the following categories of sub-processors. We will notify you of material changes to this list:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Cloud hosting provider | Infrastructure and data storage | UK/EEA |
| Stripe | Payment processing | UK/US (UK adequacy) |
| GoCardless | Direct debit payment processing | UK |
| Twilio | SIP trunking, phone number provisioning, PSTN connectivity | US (UK adequacy / SCCs) |
| LiveKit | Real-time voice infrastructure and SIP bridge | US (UK adequacy / SCCs) |
| OpenAI (platform default) | LLM and text-to-speech for AI agents | US (UK adequacy / SCCs) |
| Deepgram (platform default) | Speech-to-text for call transcription | US (UK adequacy / SCCs) |
Note on AI model providers: When you configure your AI agents with third-party LLM, TTS, or STT providers using your own API keys, these are your sub-processors, not ours. You are responsible for ensuring appropriate data processing agreements are in place with those providers.
3.5 Data Subject Rights
We will assist you in fulfilling your obligations to respond to data subject requests (access, rectification, erasure, portability, restriction, objection). We provide tools within the Service to help you manage and export data. For requests we cannot fulfil through the platform, contact us and we will provide reasonable assistance.
3.6 Breach Notification
We will notify you without undue delay (and in any event within 48 hours) upon becoming aware of a personal data breach affecting your data. Our notification will include:
- The nature of the breach
- Categories and approximate number of data subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
3.7 Data Deletion
Upon termination of your subscription, we will delete or return all personal data within 30 days, unless retention is required by law. You may export your data at any time during your subscription.
3.8 Audit Rights
You have the right to audit our compliance with these data processing terms. We will provide reasonable cooperation with audits, subject to reasonable notice and confidentiality requirements.
4. Data Protection Impact Assessment (DPIA)
We have conducted a Data Protection Impact Assessment for the VoxConnect platform as required by Article 35 UK GDPR. We recommend that you also conduct your own DPIA before deploying AI voice agents, particularly if you are:
- Processing personal data at scale through automated calling
- Recording and transcribing calls
- Using AI to make decisions that may affect individuals
- Processing special category data (health information, etc.)
5. Lawful Basis Guidance for Platform Users
As a VoxConnect user, you need to establish a lawful basis for processing personal data through your AI agents. Common lawful bases include:
- Consent (Article 6(1)(a)): Required for automated marketing calls under PECR. Must be freely given, specific, informed, and unambiguous. Pre-ticked boxes do not constitute valid consent.
- Performance of a contract (Article 6(1)(b)): Appropriate for handling customer service calls, appointment booking, or order management.
- Legitimate interests (Article 6(1)(f)): May be appropriate for business-to-business communications or service notifications, subject to a documented balancing test.
6. Records of Processing Activities
We maintain records of processing activities as required by Article 30 UK GDPR. We recommend that you also maintain your own records documenting:
- The purposes of processing through VoxConnect
- Categories of data subjects and personal data processed
- Recipients of personal data (including AI model providers)
- International transfers
- Retention periods
- Security measures
7. Contact Our Data Protection Team
For data protection inquiries, DPIA support, or to request our full Data Processing Agreement:
- Email: privacy@voxconnect.io