Trust

Data & compliance

Your calls are client-confidential business. Here is exactly what we record, where it lives, who can hear it, and how you stay compliant — in plain English.

What we record and why

CallTrace records and transcribes calls made to your tracking numbers, and calls we place back to your enquiries, for one purpose: so your firm can see which marketing produces real cases and help your team handle enquiries well. That is a legitimate business purpose under UK GDPR; the lawful basis is typically legitimate interests, documented in your record of processing.

You must tell callers that calls are recorded. We provide the exact wording for your website, and the greeting on returned calls announces the connection. If you prefer, we can add a recording notice to your inbound greeting as well.

Where your data lives

Call recordings are stored encrypted with our telephony provider (Twilio). Transcripts, AI summaries and call metadata are stored encrypted in our database (Upstash). Transcription is performed by Deepgram and AI analysis by Anthropic; audio and transcripts are processed by these sub-processors to provide the service and are not used to train their models under our agreements.

A full, current list of sub-processors is available on request, and a data processing agreement is available for every client.

Who can access recordings and transcripts

Only the named users on your CallTrace account can play recordings or read transcripts for your organisation. Access is login-protected and organisation-scoped: no client can ever see another client’s calls. Recording links shared into your CRM are signed and unguessable.

Our operations staff access customer data only for support you request, or to keep the service running, and never disclose call content.

Retention and deletion

Recordings and transcripts are kept while your account is active so you can revisit any call. Ask us for an automatic retention period — for example, delete after 12 months — and we will enforce it for your organisation. You can delete any individual recording, transcript or call record instantly, at any time, yourself.

When you leave CallTrace, you receive a data export and we delete your call data on request.

International transfers and your rights

Some of our sub-processors (Twilio, Deepgram, Anthropic) process data in the United States. These transfers are covered by the UK International Data Transfer Agreement / Addendum and standard contractual clauses in our agreements with them, as required by Articles 44–49 UK GDPR.

Data-subject requests: if a caller exercises their rights (access, erasure, objection), tell us and we will locate, export or delete their recordings and transcripts within the statutory timescale. A signed data processing agreement is available for every client before you send us a single call — ask and we will send it the same day.

For solicitors specifically

We built CallTrace for law firms first, so this is designed in: enquiry calls are new-client intake, not privileged advice — but we treat every call as confidential regardless. Recording intake calls is compatible with your SRA obligations when callers are informed and access is controlled — which is exactly how CallTrace is configured out of the box. If a recorded call becomes a client matter, you can delete the recording or export it into your matter file. We recommend firms note call recording in their privacy notice and client-care materials; we provide template wording.

Nothing on this page is legal advice; your COLP and data-protection officer should review your recording notice, as they would for any processor.

Security

Encryption in transit everywhere; encrypted storage at rest with our providers; per-organisation access controls; signed, expiring links for shared media; audit trail of call activity. Payment cards are handled entirely by Stripe and never touch our systems.

Questions about any of this? Ring 0118 230 4651 — yes, that call is recorded, and we’ll tell you so when we pick up.