Privacy Policy
Last updated: 8 July 2026
This Privacy Policy explains how AutoDebtor ("AutoDebtor", "we", "us") collects, uses, shares, and protects personal data when you use our website at autodebtor.com and our credit-control platform (the "Service"). It should be read together with our Terms of Service, our GDPR notice (which sets out data-protection roles and your rights), and our Security statement.
1. Two roles: your data and your customers' data
AutoDebtor is a business-to-business tool. It handles personal data in two distinct capacities:
- As a controller — for the personal data of the people who create and administer an AutoDebtor account (our direct customers and their users). We decide how and why this data is processed.
- As a processor — for the personal data about your customers and contacts (the "debtors") that you upload and instruct us to process on your behalf. You remain the controller of that data. Our respective responsibilities are described in the GDPR notice.
2. Personal data we process
2.1 Account data (we are the controller)
- Authentication details — your email address and a password. Authentication is handled by Supabase Auth; passwords are stored by Supabase as salted hashes and are never visible to us in plaintext.
- Organisation profile & settings — your organisation name, the caller identity you configure (e.g. the name and department your calls are made under), your accounts-receivable ("call summary") email address, working hours, timezone, and similar operational settings.
- Verification & password-reset codes — six-digit codes are generated for email verification and password resets. They are stored only as keyed hashes, are single-use, and expire after a short period.
- Billing data — if you subscribe to a paid plan or buy minute top-ups, our payments processor (Stripe) creates a customer and subscription record. We store the resulting Stripe customer/subscription identifiers and your plan, quota, and usage status. We do not receive or store full card numbers (see section 4).
2.2 Debtor and invoice data (you are the controller; we are the processor)
When you upload your ledger or add customers, we process the data you provide, which typically includes:
- Your customers' business/contact names and customer references;
- Telephone numbers and email addresses used to contact them;
- Country and timezone;
- Invoice details — invoice numbers, amounts, currencies, due dates, and any custom fields you include in an import; and
- Notes and any other information you choose to add.
You are responsible for having a lawful basis to upload this data and to instruct automated calls to the numbers you provide.
2.3 Call data
To place automated collection calls, the Service processes call audio in real time through our telephony and voice sub-processors (see section 3). During and after a call we generate and store a text transcript of the conversation, together with structured outcomes (for example a promise-to-pay date, a payment window, a dispute, a documentation request, a call-back request, or a "wrong number" result), call status and timing metadata, and any items the customer raised that were logged for review. We store the audio we synthesise for the call greeting on a short-lived, per-call basis; we do not build a general store of recorded call audio. Telephony and speech providers process live audio to connect and transcribe the call under their own terms.
3. How we use personal data, and our legal bases
| Purpose | Data used | Legal basis (UK/EU GDPR) |
|---|---|---|
| Create and secure your account; authenticate you; verify your email; reset passwords | Account data | Performance of a contract; our legitimate interest in securing the Service |
| Provide the Service — schedule and place calls, run the conversation, record outcomes, send you post-call summary emails | Account data; debtor & invoice data; call data | Performance of a contract (with you). For debtor data we act on your documented instructions as processor |
| Take payment and manage subscriptions and usage quotas | Account and billing data | Performance of a contract |
| Operate, monitor, debug, and secure the platform (diagnostic logs and traces, rate limiting, abuse prevention) | Account data; call/operational metadata | Legitimate interests in a reliable, secure Service |
| Comply with legal obligations and handle disputes | As required | Legal obligation; legitimate interests |
We do not use your data or your debtors' data for advertising, and we do not sell personal data.
4. Sub-processors and third parties we share data with
We rely on a small number of infrastructure and service providers to run the Service. They process personal data only to provide their part of the Service, under their own terms and security measures. The current providers are:
| Provider | Function | Data involved |
|---|---|---|
| Supabase | Managed database and authentication | Account data; debtor, invoice and call data |
| Cloudflare | Application hosting, CDN, and edge/serverless compute (including the streaming call worker) | All data in transit; request/operational logs |
| Twilio | Telephony — placing the PSTN call and carrying call audio | Debtor phone numbers; live call audio; call metadata |
| Deepgram | Speech-to-text (transcription of the customer's speech) | Live call audio |
| Cartesia | Text-to-speech (the agent's voice) | The text the agent speaks |
| OpenAI | Large-language-model reasoning that drives the conversation | Conversation text and the relevant invoice/account context for the call |
| Resend | Transactional email delivery (verification, password reset, call summaries) | Recipient email address and message content |
| Stripe | Payment processing and subscription management | Billing contact and payment details (handled by Stripe) |
| Plausible Analytics | Privacy-friendly, cookieless website analytics (aggregate visit data only) | Aggregate usage statistics — no cookies, no cross-site tracking; data processed in the EU |
Payment card details are entered directly with Stripe and are not transmitted through or stored by AutoDebtor. Some providers may process data outside the UK/EEA; see the GDPR notice for international-transfer information. We may also disclose data where required by law or to protect our rights, and we may transfer data as part of a corporate transaction (e.g. a merger or acquisition), subject to this policy.
5. How long we keep data
We keep account, debtor, invoice, and call data for as long as your account is active and as needed to provide the Service. Debtor and invoice records, and their associated call transcripts and outcomes, remain available in your account until you delete them or close your account. Verification and reset codes are short-lived and expire automatically. We retain limited billing records where needed to meet legal and accounting obligations.
6. Your choices and rights
You can access and update most account and debtor data directly in the dashboard, and you can delete debtor and invoice records. Depending on where you live, you may have additional rights over personal data we hold about you as a controller (such as access, correction, deletion, restriction, portability, and objection). For debtor data, where we act as processor, requests from data subjects should be directed to the relevant AutoDebtor customer (the controller); we will assist that customer as described in the GDPR notice. To exercise your rights or ask a question, contact us at [email protected].
7. Cookies and local storage
AutoDebtor does not use advertising or third-party analytics cookies, and does not run cross-site tracking. To keep you signed in, our authentication provider stores session information in your browser's local storage; this is essential to the operation of the signed-in application. Clearing your browser storage will sign you out.
8. Children
The Service is a business tool and is not directed to children. We do not knowingly collect personal data from children.
9. Changes to this policy
We may update this policy from time to time. Material changes will be reflected by updating the "Last updated" date above and, where appropriate, by notifying you.
10. Contact
Questions about this policy or our data practices can be sent to [email protected]. If you are in the UK or EEA and are not satisfied with our response, you may lodge a complaint with your local supervisory authority (in the UK, the Information Commissioner's Office).