Effective Date: March 9, 2026
This Privacy Policy ("Policy") describes how CallPastNow ("we," "us," or "our") collects, uses, discloses, and otherwise processes your personal information when you use the CallPastNow application (the "App") on web, iOS, and Android platforms. For purposes of this Policy, "Personal Information" (also referred to as "Personal Data" under applicable law) means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household.
CallPastNow is the data controller responsible for your Personal Information as described in this Policy. This Policy applies solely to the App and does not govern any other websites, products, or services operated by us. Our marketing website is subject to a separate privacy policy.
By accessing or using the App, you acknowledge that you have read and understood this Policy. Where we rely on your consent as the legal basis for processing, we will obtain your consent at the point of data collection. You may withdraw your consent at any time as described in Section 9 below.
We do NOT sell your Personal Information, and we do not share it for cross-context behavioral advertising. We collect only what is necessary to provide and improve the service.
We collect Personal Information in three ways: information you provide directly, information collected automatically, and information received from third parties.
Account Information. When you create an account, we collect your email address and/or phone number for authentication purposes. Passkey credentials, if configured, are generated and stored on your device and are never transmitted to our servers. Lawful basis: Contract performance (GDPR Art. 6(1)(b)).
Profile Information. You may choose to provide your first name, last name, company, biographical information, and a profile image. Lawful basis: Contract performance (GDPR Art. 6(1)(b)).
Contact Information. Names, relationship metadata, uploaded voice recordings and audio files, photos, and contextual notes you provide about your contacts. Lawful basis: Contract performance (GDPR Art. 6(1)(b)); Consent for voice data (GDPR Art. 6(1)(a)).
Payment Information. Subscription selections, minutes balance, and purchase history identifiers. We do not directly collect or store your payment card details. All payment card information is processed by our PCI-DSS Level 1 certified payment processor (web), Apple App Store (iOS), or Google Play Store (Android). Lawful basis: Contract performance (GDPR Art. 6(1)(b)).
Communications. If you contact us for support or other inquiries, we collect the content and metadata of those communications. Lawful basis: Legitimate interests (GDPR Art. 6(1)(f)).
Usage Data. We collect analytics events such as page views, feature interactions, and call metrics to understand how the App is used. For users detected as being in the European Union, analytics operate in cookieless mode without persistent identifiers. Lawful basis: Legitimate interests (GDPR Art. 6(1)(f)).
Device and Technical Data. Platform (web, iOS, or Android), browser type and version, operating system, device locale, and approximate location derived from IP address (used solely for regulatory compliance, such as determining applicable privacy laws). Lawful basis: Legitimate interests (GDPR Art. 6(1)(f)); Legal obligation (GDPR Art. 6(1)(c)).
Call Metadata. Call logs including timestamps, duration, and participant identifiers. We do not record or store the content of your calls. Lawful basis: Contract performance (GDPR Art. 6(1)(b)).
We may receive limited information from third-party platform providers (such as Apple App Store or Google Play Store) in connection with subscription management and purchase verification. We do not purchase Personal Information from data brokers or other third-party sources.
We use your Personal Information only for the purposes described below. We do not process your Personal Information for purposes that are materially different from those disclosed here without providing you with notice and, where required, obtaining your consent.
Service Delivery. To provide the core App functionality, including AI voice calls, contact management, call logging, and account management. Lawful basis: Contract performance.
Authentication and Security. To verify your identity, maintain the security of your account, and detect and prevent fraud, abuse, and unauthorized access. Lawful basis: Contract performance; Legitimate interests.
Payment Processing. To manage subscriptions, process minutes purchases, and maintain billing records through our payment partners. Lawful basis: Contract performance.
Communications. To send you transactional messages (such as call alerts and account notifications) and, on mobile devices, push notifications through our cloud notification service. Lawful basis: Contract performance; Legitimate interests.
Analytics and Improvement. To understand how the App is used so we can improve features, diagnose technical issues, and enhance the user experience. We conduct a legitimate interest balancing test for all analytics processing and limit collection to data that is strictly necessary for improvement purposes. Lawful basis: Legitimate interests.
Legal Compliance. To comply with applicable laws, regulations, legal processes, or enforceable governmental requests. Lawful basis: Legal obligation.
We do not use your Personal Information for automated decision-making or profiling that produces legal or similarly significant effects.
CallPastNow enables you to upload voice recordings to create AI-generated voice models for your contacts. Voice recordings may constitute biometric data under certain jurisdictions (including the Illinois Biometric Information Privacy Act). By uploading voice recordings, you represent that you have obtained all necessary consents from the individuals whose voices are recorded, where required by applicable law.
Collection and Storage. Voice recordings you upload are stored on our cloud infrastructure in the United States. Recordings are encrypted at rest and in transit.
Processing. Your voice recordings are transmitted to our voice synthesis provider solely for the purpose of generating AI voice models used during real-time calls. Our voice synthesis provider processes recordings as a data processor under our instructions and pursuant to a data processing agreement.
Real-Time Communication. Voice calls are facilitated through our real-time communications provider using encrypted peer-to-peer audio streaming. Call audio is not recorded or stored by us or our provider.
No Secondary Use. We do not use your voice recordings or derived voice models for any purpose other than providing the service to you. We do not use your voice data to train general-purpose AI models, and we do not sell, license, or share your voice data with third parties for their own purposes.
Ownership and Deletion. You retain ownership of your voice data. Voice recordings and associated AI voice models are deleted when you delete the corresponding contact or your account. Upon deletion, we direct our voice synthesis provider to delete associated models within 30 days.
Your Responsibility. You are solely responsible for ensuring you have lawful authority to upload voice recordings of third parties. This includes obtaining informed consent from the individual whose voice is recorded, where required by applicable biometric privacy laws, two-party consent recording statutes, or other relevant regulations.
We engage third-party service providers to help us operate the App. These providers process Personal Information on our behalf (as "data processors" under GDPR or "service providers" under CCPA/CPRA) and are contractually obligated to use your information only as instructed by us and to maintain appropriate security measures. We have executed data processing agreements with all processors that handle Personal Information.
| Category of Provider | Data Processed | Purpose |
|---|---|---|
| Cloud Infrastructure | All categories of Personal Information described in Section 2 | Hosting, data storage, compute, and push notification delivery. Infrastructure is located in the United States. |
| Voice Synthesis Provider | Voice recordings, derived voice models | Creating AI voice models from uploaded recordings for use during real-time calls. |
| Real-Time Communications Provider | Audio streams during active calls | Facilitating encrypted real-time voice communication between you and the AI voice model. |
| Analytics Provider | Usage events, user identifiers (email, name), device and technical data | Product analytics and feature improvement. EU users operate in cookieless mode. |
| PCI-DSS Level 1 Certified Payment Processor | Payment and subscription data (web transactions) | Processing payment card transactions and managing web-based subscriptions. |
| Apple App Store / Google Play Store | Subscription and purchase data (mobile transactions) | Processing in-app purchases and managing mobile subscriptions. |
You have the right to be informed of any changes to our sub-processors that handle your Personal Information. If we engage a new sub-processor, we will update this Policy and, where required by law, provide advance notice.
We do not share your Personal Information with third parties for their own marketing or commercial purposes. We may disclose Personal Information if required by law, regulation, legal process, or governmental request, or to protect our rights, property, or safety, or the rights, property, or safety of others.
We use cookies and similar technologies to operate and secure the App in accordance with the ePrivacy Directive (Directive 2002/58/EC) and applicable local implementations. Below is a description of the categories of technologies we use and their purposes.
| Category | Purpose | Duration |
|---|---|---|
| Strictly Necessary (Authentication) | Secure session management, identity verification, and request authentication. These cookies are essential for the App to function and cannot be disabled. | 7–30 days |
| Strictly Necessary (Regional Compliance) | Determining your approximate region to apply the correct privacy controls (e.g., enabling cookieless analytics for EU users). | 24 hours |
| Analytics (Non-EU Users Only) | Understanding how the App is used to improve features and diagnose issues. These cookies are set only for users outside the EU/EEA. EU/EEA users operate in cookieless mode with no persistent identifiers. | Per provider defaults |
We do not use advertising cookies, social media tracking pixels, or any third-party cookies for marketing or behavioral advertising purposes.
On mobile devices, authentication credentials are stored using platform-native secure storage mechanisms that employ hardware-backed encryption. App preferences are stored using on-device encrypted storage. No browser cookies are used in the mobile application.
We implement appropriate technical and organizational measures designed to protect your Personal Information against unauthorized access, alteration, disclosure, or destruction. These measures include:
Encryption in Transit. All data transmitted between your device and our servers is encrypted using industry-standard transport layer security.
Encryption at Rest. Data stored on our cloud infrastructure is encrypted at rest using provider-managed encryption keys.
Secure Session Management. On the web, authentication credentials are stored in secure, script-inaccessible storage to prevent common web-based attacks. On mobile, credentials are stored in platform-native secure storage with hardware-backed encryption.
Device-Bound Credentials. Where supported, cryptographic credentials are generated and stored on your device and never leave it. Only the corresponding public key is stored on our servers.
Access Controls. We restrict access to Personal Information to authorized personnel who need it to perform their job functions, subject to contractual confidentiality obligations.
Your Personal Information is stored on cloud infrastructure located in the United States. For information about international data transfers, see Section 11 (GDPR).
Breach Notification. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.
While we strive to protect your Personal Information, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security.
We retain your Personal Information only for as long as is necessary to fulfill the purposes for which it was collected, or as required by applicable law. The following table summarizes our retention periods and the legal justification for each:
| Data Type | Retention Period | Justification |
|---|---|---|
| Account data (email, phone, profile) | Until you delete your account | Necessary for ongoing service provision |
| Voice recordings & AI voice models | Until you delete the corresponding contact or your account | Necessary for service functionality; retained with your consent |
| Call logs and metadata | Until you delete your account | Part of core service functionality |
| Payment and billing records | As required by applicable tax and financial regulations (typically 7 years) | Legal obligation |
| Analytics data | Aggregated and anonymized within 24 months | Legitimate interests in service improvement |
| Support communications | Up to 3 years after resolution | Legitimate interests in quality assurance and dispute resolution |
Upon account deletion, we will delete or anonymize your Personal Information within 30 days, except where retention is required by law. Backup copies are purged within 90 days of account deletion. We direct our third-party processors to delete your data within their own retention schedules, which do not exceed 30 days after receiving our deletion instruction.
Depending on your jurisdiction, you may have the following rights with respect to your Personal Information. To exercise any of these rights, please contact us at privacy@callpastnow.com.
Right of Access. You may request a copy of the Personal Information we hold about you, including the categories of data, the purposes of processing, and the categories of recipients to whom your data has been disclosed.
Right to Rectification. You may request correction of inaccurate or incomplete Personal Information.
Right to Erasure. You may request deletion of your Personal Information, subject to certain legal exceptions (such as data required for legal compliance or the exercise or defense of legal claims).
Right to Data Portability. You may request an export of your Personal Information in a structured, commonly used, and machine-readable format.
Right to Restrict Processing. You may request that we limit the processing of your Personal Information under certain circumstances, such as when you contest the accuracy of the data.
Right to Object. You may object to the processing of your Personal Information where we rely on legitimate interests as the legal basis. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
Right to Withdraw Consent. Where we rely on consent as the legal basis, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing conducted prior to withdrawal.
To protect your privacy, we will verify your identity before fulfilling any rights request. Verification may require you to confirm your email address or authenticate through the App. You may designate an authorized agent to submit requests on your behalf; we may require the agent to provide proof of authorization and may still verify your identity directly.
We will respond to verified requests within the timeframes required by applicable law: 30 days for GDPR requests (extendable by up to 60 days for complex requests), and 45 days for CCPA/CPRA requests (extendable by up to 45 additional days). If we cannot fulfill your request, we will provide a written explanation of the reasons.
Right to Appeal. If we deny your privacy rights request, you have the right to appeal the decision. To appeal, contact us at privacy@callpastnow.com with the subject line "Privacy Rights Appeal." We will respond to your appeal within the timeframe required by applicable law.
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). This section provides the required "Notice at Collection" disclosures.
We collect the following categories of Personal Information as defined by the CCPA (Cal. Civ. Code § 1798.140(v)):
Identifiers — Email address, phone number, account identifiers, IP address.
Commercial Information — Subscription status, purchase history, minutes balance.
Internet or Other Electronic Network Activity — Usage analytics, feature interactions, device and browser information.
Audio, Electronic, or Similar Information — Voice recordings you upload for AI voice model creation.
Inferences — We do not create consumer profiles or draw inferences from collected data.
Sensitive Personal Information — Account login credentials (email/phone with verification code). We do not use sensitive Personal Information for purposes beyond those permitted under CPRA § 1798.121.
Right to Know. You have the right to know what Personal Information we collect, the sources from which it is collected, the business purposes for collection, the categories of third parties with whom it is shared, and the specific pieces of Personal Information we have collected about you.
Right to Delete. You have the right to request deletion of your Personal Information, subject to certain legal exceptions.
Right to Correct. You have the right to request correction of inaccurate Personal Information.
Right to Opt Out of Sale/Sharing. We do not sell your Personal Information, and we do not share your Personal Information for cross-context behavioral advertising as defined by the CCPA/CPRA.
Right to Limit Use of Sensitive Personal Information. We do not use or disclose your Sensitive Personal Information for purposes other than those permitted under CPRA § 1798.121.
Right to Non-Discrimination. We will not discriminate against you for exercising any of your CCPA/CPRA rights. You will not receive different pricing or quality of service for exercising your rights.
Under California Civil Code § 1798.83, California residents may request information about our disclosure of Personal Information to third parties for their direct marketing purposes. We do not disclose Personal Information to third parties for their direct marketing purposes.
If you are located in the European Union, European Economic Area, or the United Kingdom, the following additional provisions apply under the General Data Protection Regulation (GDPR) and the UK GDPR.
CallPastNow is the data controller responsible for processing your Personal Data as described in this Policy. We do not currently have a designated Data Protection Officer (DPO). For privacy-related inquiries, please contact privacy@callpastnow.com.
We process your Personal Data only where we have a lawful basis under GDPR Article 6. The specific lawful basis for each category of processing is identified in Sections 2 and 3 above. In summary:
Contract Performance (Art. 6(1)(b)): Processing necessary to provide the App and fulfill our agreement with you — including account management, service delivery, and payment processing.
Legitimate Interests (Art. 6(1)(f)): Processing for analytics, security, fraud prevention, and service improvement. We conduct balancing tests to ensure our interests do not override your fundamental rights and freedoms.
Consent (Art. 6(1)(a)): Processing of voice recordings and biometric data, where required by applicable law. You may withdraw consent at any time.
Legal Obligation (Art. 6(1)(c)): Processing required to comply with applicable laws, such as tax record retention and regulatory compliance.
EU/EEA users automatically operate in cookieless analytics mode. Our analytics provider does not use cookies or persistent identifiers for EU-based users. This approach minimizes the processing of Personal Data while allowing us to understand aggregate usage patterns.
Your Personal Data is processed on infrastructure located in the United States. We implement appropriate safeguards for international data transfers as required by GDPR Chapter V, including Standard Contractual Clauses (SCCs) adopted by the European Commission, supplemented by additional technical and organizational measures where necessary.
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you, as described in GDPR Article 22.
You have the right to lodge a complaint with your local supervisory authority if you believe that our processing of your Personal Data violates applicable data protection law. A list of EU supervisory authorities is available at edpb.europa.eu. UK residents may contact the Information Commissioner's Office (ICO).
CallPastNow is not directed at children and is not intended for use by anyone under the age of 13 (or such higher age as may be required by applicable law in your jurisdiction). We comply with the U.S. Children's Online Privacy Protection Act (COPPA) and GDPR Article 8 regarding the processing of children's data.
We do not knowingly collect Personal Information from children under the age of 13. In jurisdictions where GDPR applies, we do not knowingly collect Personal Data from individuals below the applicable age of digital consent (which varies by EU/EEA member state, generally between 13 and 16 years of age).
If we become aware that we have inadvertently collected Personal Information from a child under the applicable minimum age without verified parental consent, we will take steps to delete the information as promptly as possible. If you believe that we have collected information from a child in violation of applicable law, please contact us immediately at privacy@callpastnow.com.
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. Changes are categorized as follows:
Material Changes. Changes that materially affect how we collect, use, or share your Personal Information (e.g., introducing new categories of data collection, new purposes for processing, or new third-party data sharing). For material changes, we will provide at least 30 days' advance notice through the App and, where required by applicable law, obtain your consent before the changes take effect.
Non-Material Changes. Minor updates such as clarifications, formatting improvements, or corrections that do not substantively affect your rights. Non-material changes take effect upon posting.
The "Effective Date" at the top of this Policy indicates when it was last updated. We encourage you to review this Policy periodically. Your continued use of the App after changes take effect constitutes acceptance of the revised Policy, except where consent is required by law.
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about our data practices, please contact us:
Privacy inquiries and rights requests: privacy@callpastnow.com
General support: support@callpastnow.com
If you are located in the EU/EEA or the UK, you also have the right to contact your local data protection supervisory authority. Contact information for EU supervisory authorities is available from the European Data Protection Board. UK residents may contact the Information Commissioner's Office at ico.org.uk.
We aim to resolve all privacy-related complaints and disputes in a timely manner. If you are unsatisfied with our response, you may pursue your complaint through the applicable regulatory or judicial channels.