Privacy Policy
TheReach.ai
Last updated: 3 April 2026
1. Controller Identity
The data controller for personal data processed through TheReach.ai is:
SORIN-CONSTANTIN CIORNEI
ul. Szlak 77, room 222
31-153 Kraków, Poland
NIP: 6793214413 | REGON: 388510134
Contact for data protection matters: privacy@thereach.ai
2. Scope
This Privacy Policy applies to:
- Clients ("Clients") who subscribe to and operate the TheReach.ai platform
- End users ("End Users") — guests, tenants, customers, and callers who interact with an AI agent deployed by a Client
If you are a caller or chat user contacting a business that uses TheReach.ai, the business (our Client) is the party who has deployed the service to handle your enquiry. We process your data on their behalf as a data processor, as described in Section 9.
3. Data We Collect
3.1 Client Account Data
- Name, email address, billing address
- Payment information (processed by Stripe — we do not store card numbers)
- Business details (company name, address, phone number)
- Login credentials (password stored as a bcrypt hash — never in plaintext)
3.2 Property and Configuration Data
- Business name, address, operating hours
- Knowledge base content (FAQs, access codes, property information) entered by the Client
- AI agent settings (greeting messages, escalation rules, voice preferences)
3.3 Voice Call Data — IMPORTANT NOTICE
We record, transcribe, and store voice calls handled by TheReach.ai.
When an End User calls a phone number operated through TheReach.ai:
- The call audio is processed in real time by an AI model (Google Gemini or xAI Grok) to generate a spoken response
- A transcript of the conversation is generated and stored
- An AI-generated summary and outcome classification are stored
- Metadata is stored: caller phone number, called number, call start/end time, duration
Callers are informed of AI processing by a mandatory disclosure message played at the start of every call: "This call is handled by an AI assistant. It may be recorded and transcribed." Clients are contractually required to ensure this disclosure is in place and not disabled.
3.4 Chat and WhatsApp Data
- Text messages exchanged with the AI agent
- Lead capture data voluntarily provided by the End User (name, email, phone number)
- Session identifiers, timestamps
3.5 Technical and Usage Data
- IP addresses, browser type, device type (for dashboard access)
- API request logs, error logs
- Usage metrics (call volume, duration, response times)
4. Legal Basis for Processing (GDPR Article 6)
| Processing activity | Legal basis |
|---|---|
| Client account management | Art. 6(1)(b) — performance of a contract |
| Billing and payment | Art. 6(1)(b) — performance of a contract; Art. 6(1)(c) — legal obligation (VAT records) |
| Voice call transcription and storage | Art. 6(1)(f) — legitimate interests of the Client (service delivery, quality assurance); or Art. 6(1)(b) where the call is part of a service contract with the End User |
| AI model processing of audio | Art. 6(1)(f) — legitimate interests; disclosed in advance to callers |
| Chat and lead data | Art. 6(1)(f) — legitimate interests; or Art. 6(1)(a) — consent where explicitly obtained |
| Security logging | Art. 6(1)(f) — legitimate interests in platform security |
Where processing relies on legitimate interests, we have conducted a balancing test and concluded our interests do not override the rights of individuals, given the transparency measures (call disclosure, this policy) in place.
5. How We Use Your Data
- To provide, operate, and improve the TheReach.ai service
- To generate AI responses on behalf of the Client's business
- To store call logs and transcripts accessible to the Client via the dashboard
- To send transactional communications (invoices, service alerts)
- To detect fraud, abuse, and security incidents
- To comply with legal obligations
We do not sell personal data to third parties. We do not use End User call or chat data to train our own AI models.
6. Data Retention
| Data type | Retention period |
|---|---|
| Client account data | Duration of subscription + 5 years (tax records) |
| Call transcripts and recordings | 90 days by default; configurable per Client (minimum 7 days, maximum 2 years) |
| Chat logs | 90 days by default; configurable per Client |
| Billing records | 5 years (Polish accounting law requirement) |
| Security and access logs | 12 months |
| Deleted account data | Purged within 30 days of account closure |
Clients may request earlier deletion of End User data via the dashboard or by contacting privacy@thereach.ai.
7. International Data Transfers
TheReach.ai uses infrastructure hosted within the European Union (Fly.io, Paris/CDG region). AI model processing is performed by:
- Google LLC (Gemini API) — data processed under Google's EU Standard Contractual Clauses and Data Processing Agreement
- xAI Corp (Grok API, where selected) — data processed under xAI's Data Processing Agreement; xAI is a US-based company; transfers are covered by Standard Contractual Clauses
Where data is transferred outside the EEA, we ensure appropriate safeguards are in place under GDPR Chapter V.
8. Sub-processors
| Sub-processor | Role | Location |
|---|---|---|
| Fly.io | Application hosting, database | EU (Paris) |
| Google LLC | AI voice/text processing (Gemini) | US (SCCs in place) |
| xAI Corp | AI voice/text processing (Grok, optional) | US (SCCs in place) |
| Telnyx LLC | Telephony, phone number provisioning | US/EU (SCCs in place) |
| Stripe Inc | Payment processing | US/EU (SCCs in place) |
| Sentry (Functional Software) | Error monitoring | US (SCCs in place) |
9. Client Responsibilities as Data Controllers
When a Client deploys TheReach.ai to interact with their customers:
- The Client is the data controller for their End Users' data
- SORIN-CONSTANTIN CIORNEI acts as a data processor on the Client's behalf
- Clients must have a lawful basis to collect and process their End Users' data
- Clients must ensure their End Users are informed about AI call handling (the platform provides a default disclosure; Clients must not disable it)
- Clients must enter into our Data Processing Agreement (DPA), available on request at privacy@thereach.ai
- Clients are responsible for configuring appropriate data retention periods for their jurisdiction
10. Your Rights Under GDPR
If you are an End User (caller, chat user) whose data has been processed, you have the right to:
- Access — request a copy of data held about you
- Rectification — request correction of inaccurate data
- Erasure — request deletion ("right to be forgotten")
- Restriction — request we limit processing in certain circumstances
- Portability — receive your data in a machine-readable format
- Object — object to processing based on legitimate interests
To exercise these rights, contact the Client (the business whose service you called or chatted with), as they are the data controller for your data. If you cannot identify or reach the Client, contact us at privacy@thereach.ai and we will assist.
You also have the right to lodge a complaint with the Polish supervisory authority:
Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warsaw, Poland
www.uodo.gov.pl
11. Security
We implement appropriate technical and organisational measures including:
- TLS encryption in transit for all data
- Encrypted database storage at rest
- Bcrypt password hashing
- JWT-based session authentication with short expiry
- Access controls limiting data access to authorised personnel
- Regular security monitoring via error tracking
12. Cookies
The TheReach.ai dashboard uses session cookies for authentication. No advertising or tracking cookies are used. The embedded chat widget uses a session identifier stored in browser memory (not persistent cookies) to maintain conversation continuity.
13. Changes to This Policy
We will notify Clients by email at least 14 days before any material change to this policy. Continued use of the service after the effective date constitutes acceptance.
14. Contact
SORIN-CONSTANTIN CIORNEI
ul. Szlak 77, room 222, 31-153 Kraków, Poland
privacy@thereach.ai