Data Processing Agreement

Last updated: 26 April 2026 · Governed by UK GDPR Article 28

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

Controller

You, the customer, being the individual or business that has signed up to use MissedCallAI ("Controller", "you").

Processor

Rijas Panthayil Baby Suresh, trading as MissedCallAI, of G/1 - 7 Townhead Terrace, Paisley, PA1 2AU, United Kingdom ("Processor", "we", "us"). Contact: rijas@missedcallai.co.uk

This DPA forms part of the Terms of Service between you and MissedCallAI and applies wherever we process personal data on your behalf. By using the service, you agree to the terms of this DPA.

2. Definitions

UK GDPR

The UK General Data Protection Regulation as retained in UK law by the European Union (Withdrawal) Act 2018, together with the Data Protection Act 2018.

Personal data

Any information relating to an identified or identifiable natural person, as defined in UK GDPR Article 4(1).

Processing

Any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, or deletion.

Data subject

An individual whose personal data is processed — in this context, callers who contact your business number.

Sub-processor

A third party engaged by the Processor to carry out processing activities on behalf of the Controller.

3. Details of processing

Subject matterThe operation of an AI-powered missed call handling service on behalf of UK tradespeople.
DurationFor the duration of your active subscription, plus any retention periods specified in section 6 of this DPA.
Nature of processingReceiving inbound telephone calls, generating AI voice responses, recording calls, producing call summaries, and transmitting SMS notifications to you.
PurposeTo answer missed calls on your behalf, collect caller enquiries, and notify you with a summary — enabling you to follow up with potential customers.
Categories of personal dataCaller phone numbers, voice recordings, call summaries (which may contain names, addresses, job descriptions, or other information disclosed by callers), and call metadata (timestamp, duration).
Categories of data subjectsMembers of the public who telephone your business number and are connected to the MissedCallAI service.

4. Processor obligations

In accordance with UK GDPR Article 28, we agree to the following obligations:

Process only on instructions

We will process personal data only on your documented instructions, including as set out in this DPA and our Terms of Service. We will inform you if we believe an instruction infringes UK GDPR.

Confidentiality

We will ensure that all personnel authorised to process personal data are bound by appropriate obligations of confidentiality.

Security

We will implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, or unauthorised disclosure, including encrypted data transmission (TLS) and row-level security on our database.

Sub-processors

We will not engage new sub-processors without informing you. Our current sub-processors are listed in section 5. By accepting this DPA, you grant general authorisation for the use of those sub-processors.

Data subject rights

We will assist you, where reasonably possible and given the nature of the processing, to fulfil your obligations to respond to data subject rights requests under UK GDPR.

Breach notification

We will notify you without undue delay upon becoming aware of a personal data breach affecting data we process on your behalf, to enable you to meet your notification obligations under UK GDPR Article 33.

Data protection impact assessments

We will provide reasonable assistance to you in carrying out data protection impact assessments where required under UK GDPR Article 35.

Deletion or return

Upon termination of the service, we will delete all personal data processed on your behalf within 90 days, unless we are required to retain it by applicable law.

Audit

We will make available all information reasonably necessary to demonstrate compliance with this DPA and permit audits conducted by you or your authorised representative, on reasonable notice and at your cost.

5. Sub-processors

You authorise us to engage the following sub-processors. Each is bound by contractual data protection obligations no less protective than those in this DPA. Where sub-processors are located outside the UK, transfers are made under appropriate safeguards (Standard Contractual Clauses or equivalent UK IDTA mechanisms).

Supabase UK/EU region

Database storage and authentication

No international transfer — EU/UK region only

Privacy policy →

Twilio USA

Phone number provisioning, call routing, SMS delivery

UK → USA under SCCs

Privacy policy →

Vapi USA

AI voice assistant, call handling, call recordings

UK → USA under SCCs

Privacy policy →

Stripe USA

Payment processing and subscription management

UK → USA under SCCs

Privacy policy →

Vercel USA

Application hosting

UK → USA under SCCs

Privacy policy →

Resend USA

Transactional email delivery

UK → USA under SCCs

Privacy policy →

We will provide at least 14 days' notice before engaging any new sub-processor. You may object to a new sub-processor within that period by contacting us at rijas@missedcallai.co.uk. If you object and we cannot accommodate your objection, you may terminate your subscription without penalty.

6. Retention and deletion

Call recordingsDeleted 90 days after the date of the call
Call summaries and metadataDeleted 12 months after the date of the call
Account dataDeleted within 90 days of subscription termination
Payment recordsRetained for 7 years to comply with UK financial regulations

7. Controller obligations

As the Controller, you agree to:

  • Ensure you have a lawful basis for processing caller personal data through the MissedCallAI service.
  • Ensure callers are made aware that their calls may be answered by an AI assistant and that calls may be recorded — the MissedCallAI system provides an automated disclosure at the start of each call, which satisfies this requirement.
  • Not instruct us to process personal data in a manner that would breach UK GDPR or any other applicable law.
  • Promptly inform us of any data subject rights requests relating to data we process on your behalf.
  • Ensure your use of call summary data and recordings complies with applicable data protection law.

8. International transfers

Some of our sub-processors are located in the United States. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place in accordance with UK GDPR Chapter V, including Standard Contractual Clauses (SCCs) approved under the UK International Data Transfer Agreement (IDTA) framework.

By using MissedCallAI, you acknowledge and agree to these international transfers as necessary for the delivery of the service.

9. Liability

Each party shall be liable for damages caused by processing that infringes UK GDPR where it has failed to comply with its obligations under this DPA or applicable law. The Processor shall not be liable for damages caused by processing carried out on the Controller's instructions where those instructions were unlawful.

Our total liability under this DPA is subject to the limitation of liability clause in our Terms of Service.

10. Governing law

This DPA is governed by the laws of Scotland and is subject to the jurisdiction of the courts of Scotland. It supplements and forms part of the Terms of Service. In the event of any conflict between this DPA and the Terms of Service on matters of data protection, this DPA shall prevail.

11. Contact

For any questions about this DPA or to exercise your rights, contact us at rijas@missedcallai.co.uk. You also have the right to lodge a complaint with the Information Commissioner's Office at ico.org.uk.