GDPR & Data Protection
Last updated: 8 July 2026
This notice explains how AutoDebtor approaches the UK GDPR and EU GDPR. It expands on our Privacy Policy and should be read alongside it and our Terms of Service.
1. Controller and processor roles
AutoDebtor processes personal data in two capacities:
- Controller — for personal data about our own customers and their account users (for example, the email address and organisation details used to register and operate an account).
- Processor — for the personal data about your customers and contacts (the "debtors") that you upload and instruct us to process. You are the controller of that data and determine the purposes and means of its processing; we act on your documented instructions.
2. When we act as your processor
As processor of debtor data, we commit to:
- Process debtor data only to provide the Service and on your documented instructions (including operating the calls you schedule);
- Ensure personnel with access are bound by confidentiality;
- Apply appropriate technical and organisational security measures (see our Security page);
- Engage sub-processors only as described below, and impose data-protection obligations on them;
- Assist you, taking into account the nature of processing, with data-subject requests and with your own security, breach-notification, and impact-assessment obligations; and
- Delete or return debtor data at the end of the relationship, subject to any legal retention requirements.
You are responsible for establishing a lawful basis for the processing you instruct — including contacting the phone numbers you upload with an automated/AI voice agent — and for providing any notices and honouring any objections or withdrawals of consent required in your jurisdiction.
3. Sub-processors
We use the following sub-processors to deliver the Service. Each processes personal data only for its specific function:
| Sub-processor | Purpose |
|---|---|
| Supabase | Managed database and authentication |
| Cloudflare | Hosting, CDN, and edge/serverless compute (including the streaming call worker) |
| Twilio | Telephony — placing calls and carrying live call audio |
| Deepgram | Speech-to-text transcription |
| Cartesia | Text-to-speech synthesis of the agent voice |
| OpenAI | Language-model reasoning that drives the conversation |
| Resend | Transactional email delivery |
| Stripe | Payment processing and subscription management |
4. International transfers
Some of our sub-processors may process personal data outside the UK and the European Economic Area. Where personal data is transferred internationally, it must be protected by an appropriate safeguard under UK/EU data-protection law (for example, an adequacy decision, the UK International Data Transfer Agreement, or EU Standard Contractual Clauses). The precise mechanism and each provider's processing locations are confirmed on request.
5. Data-subject rights
Individuals have rights over their personal data, including the rights of access, rectification, erasure, restriction, portability, and objection, and rights relating to automated decision-making.
- Account users: where we are the controller, you can exercise these rights by contacting us at
[email protected]. Much of your account data can also be viewed and updated directly in the dashboard. - Debtors / data subjects in uploaded data: where we are the processor, requests should be directed to the relevant AutoDebtor customer (the controller). If we receive such a request directly, we will refer it to that customer and assist them as required.
6. Automated calling and AI
The Service uses an AI voice agent to conduct collection calls and to derive structured outcomes from the conversation. Where you use this feature, you are responsible for meeting any transparency requirements toward the individuals called and for any rules in your jurisdiction on automated or AI-generated calls and on solely-automated decisions. Outcomes generated by the agent are intended to support your credit-control process and should be reviewed by you.
7. Data Processing Agreement
If you require a Data Processing Agreement (DPA) covering our processing of debtor data on your behalf, please contact us at [email protected].
8. Complaints
If you have concerns about how personal data is handled, please contact us first at [email protected]. You also have the right to lodge a complaint with a supervisory authority — in the UK, the Information Commissioner's Office (ICO).