Legal
Privacy Policy
Last updated: 09 April 2026 · Applicable law: UK GDPR & Data Protection Act 2018
1. Who We Are
Rapid Reception Ltd ("Rapid Reception", "we", "us", "our") operates the AI receptionist platform at rapidreception.co.uk. We are committed to protecting personal data and operating in full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
For questions about this policy or to exercise your rights, contact our team at: privacy@rapidreception.co.uk
2. Controller vs. Processor — Important Distinction
Rapid Reception operates in two distinct capacities under UK GDPR, and it is important to understand the difference:
Rapid Reception as Data Controller
When we collect and process personal data about our Contractors (i.e. the businesses who subscribe to Rapid Reception), we act as the Data Controller. This includes account registration information, billing data, and correspondence.
Rapid Reception as Data Processor
When our platform processes personal data about a Contractor's customers (i.e. members of the public who call a Contractor's number), Rapid Reception acts as a Data Processor on behalf of the Contractor, who is the Data Controller for that data.
Contractors are solely responsible for ensuring they have a lawful basis under UK GDPR for processing their customers' personal data via our platform, and for providing appropriate privacy notices to those customers.
A Data Processing Agreement (DPA) governing this processor relationship is incorporated into and forms part of our Terms of Service.
3. What Personal Data We Collect
3a. Data We Collect About Contractors (as Controller)
- Account information: Full name, business name, email address, password (hashed), telephone number.
- Billing information: Subscription status and billing history. We do not store full card details — all payment data is held securely by Stripe, Inc. under their own privacy policy.
- Configuration data: AI system prompts, business knowledge base content, and forwarding numbers you configure in your dashboard.
- Usage data: Log data, IP addresses, browser type, pages visited, and timestamps generated by your use of our platform.
- Communications: Any emails or support messages you send to us.
3b. Data We Process About Contractor Customers (as Processor)
- Caller telephone numbers: The inbound phone number of individuals who call the Contractor's forwarded number.
- Voice recordings: Audio recordings of calls handled by the Rapid Reception AI agent.
- Call transcripts: Text transcriptions generated from voice recordings.
- Lead data: Names, contact details, and job requirements shared by callers during the AI conversation and displayed in the Contractor's dashboard.
4. How We Use Your Data & Our Lawful Basis
| Purpose | Lawful Basis (UK GDPR) |
|---|---|
| Providing and managing your subscription | Contract (Art. 6(1)(b)) |
| Processing subscription payments via Stripe | Contract (Art. 6(1)(b)) |
| Sending service and billing notifications | Contract (Art. 6(1)(b)) |
| Delivering the AI receptionist service | Contract (Art. 6(1)(b)) |
| Improving our platform and AI models | Legitimate Interests (Art. 6(1)(f)) |
| Complying with legal and regulatory obligations | Legal Obligation (Art. 6(1)(c)) |
| Sending marketing communications (opted-in only) | Consent (Art. 6(1)(a)) |
5. Sub-Processors
As a Data Processor acting on behalf of Contractors, we engage the following sub-processors to deliver our Service. By accepting our Terms of Service, Contractors provide general authorisation for us to engage these sub-processors.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Twilio Inc. | Telephone number provisioning, call routing, voice recording, and SMS delivery. Caller phone numbers and voice recordings are transmitted through Twilio's infrastructure. | USA (with UK/EU data transfer safeguards) |
| OpenAI, LLC | AI language model processing. Call transcripts and conversation content are sent to OpenAI's API to generate AI responses. OpenAI processes this data under our enterprise agreement and does not use it to train its models. | USA (with UK/EU data transfer safeguards) |
| Stripe, Inc. | Payment processing and subscription management for Contractor billing data. | USA (with UK/EU data transfer safeguards) |
Where sub-processors are based outside the UK, we ensure appropriate safeguards are in place (such as Standard Contractual Clauses or an adequacy decision) in accordance with UK GDPR Chapter V.
6. Data Retention
We retain personal data only for as long as necessary for the purposes set out in this policy, or as required by law.
| Data Type | Retention Period |
|---|---|
| Contractor account data | Duration of subscription + 6 years (for legal/tax compliance) |
| Billing records | 7 years (HMRC requirements) |
| Call recordings (voice audio) | 90 days from date of call, then permanently deleted |
| Call transcripts & lead logs | 12 months from date of call, then permanently deleted |
| Usage & log data | 90 days |
Contractors may request early deletion of call recordings and transcripts from within their dashboard or by contacting us.
7. Data Sharing
We do not sell, rent, or trade your personal data. We share data only in the following circumstances:
- Sub-processors: As described in Section 5 above, solely for the purpose of delivering the Service.
- Legal obligations: Where required to do so by law, court order, or regulatory authority (e.g. the ICO, HMRC, or law enforcement).
- Business transfers: In the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will notify you in advance where required by law.
8. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration. These measures include:
- Encryption of data in transit (TLS) and at rest.
- Access controls limiting staff access to personal data on a need-to-know basis.
- Regular security reviews of our platform and third-party sub-processors.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the ICO in accordance with our obligations under UK GDPR Article 33.
9. Your Rights Under UK GDPR
As a Data Subject (Contractor), you have the following rights:
- Right of Access (Article 15): Request a copy of the personal data we hold about you.
- Right to Rectification (Article 16): Request correction of inaccurate or incomplete data.
- Right to Erasure (Article 17): Request deletion of your personal data, subject to legal retention obligations.
- Right to Restriction (Article 18): Request that we restrict processing of your data in certain circumstances.
- Right to Data Portability (Article 20): Receive your data in a structured, machine-readable format.
- Right to Object (Article 21): Object to processing based on legitimate interests.
- Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.
To exercise any of these rights, contact us at privacy@rapidreception.co.uk. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
10. Cookies
Our website uses essential cookies required for authentication and session management. We may also use analytics cookies (e.g. to understand how visitors use our site). Where non-essential cookies are used, we will obtain your consent in accordance with the Privacy and Electronic Communications Regulations (PECR).
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by email or by posting a prominent notice on our website. The "Last updated" date at the top of this page will always reflect the most recent version.
12. Contact Us
For any privacy-related queries, data subject requests, or to report a concern:
Rapid Reception Ltd
Email: privacy@rapidreception.co.uk
Website: rapidreception.co.uk