Privacy Policy
Last updated: 2026-04-28. Effective from: 2026-04-25.
1. Who We Are
The Service is operated by ФОП Даценко А.В. (A.V. Datsenko, sole proprietor registered in Ukraine), РНОКПП 3339403456 ("CallPing", "we", "us", "our"). Mailing address: Plytkova str. 65/106, Kharkiv, Kharkivska oblast, 61047, Ukraine. For privacy matters, write to [email protected] or [email protected] marked "Privacy request"; full contact details are in §14. The Service is reachable at callping.app and its subdomains.
For the purposes of the EU/UK General Data Protection Regulation (GDPR), CallPing acts as a data controller for account-level personal data (e.g., your email and login records) and as a data processor for the webhook payloads and phone numbers you submit through the Service for routing.
For the purposes of the Law of Ukraine "On the Protection of Personal Data" (Закон України «Про захист персональних даних»), CallPing is the data owner (володілець персональних даних) for account-level data and a data processor (розпорядник) for webhook payload content submitted through the Service.
2. What Data We Collect
2.1 Data you provide directly
- Account data — email address, password (stored as a PBKDF2 hash, never in plaintext), display name (optional), phone number(s) you configure as alerting destinations (E.164 format).
- Organization data — organization name, optional timezone, team-member email addresses (when you invite them).
- TOTP/2FA data — if you enable two-factor authentication, we store your TOTP secret. The QR code containing this secret is generated client-side; the secret is never sent to a third-party rendering service.
- Support correspondence — any email or message you send us (delivered via Resend, our transactional email provider, and routed to our support workflow).
2.2 Data we collect automatically
- Webhook payloads — the body and metadata of any HTTP request you direct to your webhook endpoints. We parse these payloads to extract severity and message content for routing. Payloads are stored in the `incoming_requests` table.
Webhook payload content is submitted by you and processed by CallPing solely to operate the Service on your behalf. For the content of your webhook payloads, CallPing acts as a data processor; you are the data controller. You are responsible for the lawful basis for any personal data included in the payloads you send to CallPing (for example, an end-user's name appearing in an incident description routed through the Service). We strongly recommend avoiding the inclusion of personal data, credentials, secrets, or sensitive information in webhook payloads wherever the underlying alert can be conveyed without it; payloads should describe the type of incident, not enumerate affected individuals.
Recipient phone numbers (GDPR Article 14 indirect collection). Where you (the Customer) configure CallPing to call a phone number that does not belong to you, the recipient of the call is an indirect Data Subject from CallPing's perspective. CallPing processes that recipient's phone number under Article 6(1)(b) (performance of contract — placing the alert call you authorised) and Article 6(1)(f) (legitimate interest — billing reconciliation, fraud prevention, abuse handling). The source of the phone number is you, the Customer, who represents under Terms §8 that you have a lawful basis and any required consent (TCPA / ePrivacy / CASL / CRTC) to direct the Service to call that number. Because CallPing has no direct relationship with the recipient, the Article 14 individual-notification obligation is engaged but is treated as disproportionate effort under Article 14(5)(b) — CallPing relies on the Customer's representation to satisfy the substantive lawfulness condition, and on this Privacy Policy as the publicly-available description of the processing per Article 14(5)(b). Recipients who become aware that they were called by CallPing on a Customer's behalf may exercise their rights under §8 of this Policy by contacting [email protected]; we will route the request to the relevant Customer where appropriate.
- Call logs — for every call we attempt on your behalf, we store: the destination phone number (E.164), call status (initiated, placed, answered, no-answer, failed, etc.), call duration, the PBX server that handled the call, the SIP trunk used, and the underlying ARI response codes for diagnostics.
No call audio is recorded. CallPing does not record, store, or have access to the audio content of any phone call placed through the Service. Calls are placed via third-party SIP trunks (see §5) and the only call data we retain is the metadata listed above. If this ever changes, this Policy will be updated and existing users will be notified before any audio recording is enabled.
- Authentication metadata — IP address, user-agent string, and last-seen timestamp for each active session, recorded in the `sessions` table.
- Audit log — user-facing actions that affect account or organization state (organization switching, joining/leaving an organization, project deletion, phone-number toggling, and similar). Stored in the `audit_log` table.
2.3 Data we do not collect, and how payment data is handled
- No third-party analytics, tracking pixels, advertising networks, heatmap providers, or session-replay tools. As of the current version of this Policy, CallPing does not deploy any such tooling in the core application. If we ever introduce any of these (for example, to support conversion measurement, billing analytics, or fraud prevention), this Policy and the Cookie Policy will be updated before the tool is deployed, and active users will be notified by email or in-app banner with a reasonable opportunity to review the change.
- Payment data — handled by Paddle.com Inc., our merchant of record. Paid subscriptions are processed by Paddle.com Inc. ("Paddle"), which acts as the merchant of record for the transaction (see Paddle's Privacy Policy). When you subscribe to a Paid Plan or start a free trial that captures a payment method:
  - Your full payment-card details (card number, CVV, full expiry) are collected and processed by Paddle, not by CallPing. CallPing does not store, view, or otherwise have access to your full payment card details.
  - Paddle provides CallPing with limited transactional metadata for invoicing, fraud-prevention, tax determination, and dispute-handling purposes, including: the last 4 digits of the card number, expiry month/year, card brand (e.g., Visa, Mastercard), billing country, billing postal code, VAT/tax ID (where applicable), subscription status, and transaction identifiers issued by Paddle.
  - As Paddle is the merchant of record, Paddle is the contractual counterparty for the payment, handles VAT/sales-tax collection in 30+ jurisdictions, and is the entity that issues invoices and processes refunds. Paddle is an independent data controller for the payment data it processes; CallPing is the controller for the limited metadata Paddle returns to us. The relationship is structured as independent controllers rather than joint controllers under GDPR Article 26 because each party determines the purposes and means of its own processing independently: Paddle processes payment data to fulfil its merchant-of-record obligations, and CallPing processes the limited metadata it receives to manage the subscription relationship. Where future circumstances change the nature of this relationship, this Policy will be updated accordingly.
- We do not collect government-issued ID numbers, full financial account numbers (beyond the card metadata noted above), health data, biometric data, or other special-category personal data under GDPR Article 9.
3. How We Use Your Data
We use your data to:
- Operate the Service — authenticate you, evaluate your routing rules, deliver phone calls to the destinations you configure, and display call history and status to you.
- Maintain security and prevent abuse — detect suspicious sign-in patterns, enforce rate limits and per-phone cooldowns, block emergency-services and premium-rate numbers, and investigate AUP violations.
- Communicate with you — send transactional email (account verification, password reset, security notices), respond to support requests, and (rarely) notify you of material changes to the Service.
- Comply with legal obligations — preserve records or respond to lawful requests from competent authorities where required, including but not limited to tax authorities (such as the Ukrainian State Tax Service / ДПС), financial-intelligence units, telecommunications regulators, and law enforcement, in Ukraine or in any other jurisdiction in which we operate or in which the data is held.
We do not sell your personal data and we do not share it for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and equivalent U.S. state privacy laws. We do not share your data with advertisers and we do not use it for advertising or profiling.
4. Legal Basis for Processing (GDPR / UK GDPR)
We process your personal data on the following legal bases:
- Performance of a contract (Article 6(1)(b)) — processing necessary to provide the Service to you, including authentication, routing, and call delivery.
- Legitimate interests (Article 6(1)(f)) — processing necessary for fraud prevention, abuse detection, security monitoring, product diagnostics, and storage of `call_logs` for billing reconciliation, support, and dispute handling. We have conducted a Legitimate Interests Assessment (LIA) for these activities, which is available on request to [email protected].
- Legal obligation (Article 6(1)(c)) — processing required to comply with applicable law or lawful authority requests, including Ukrainian tax-record retention obligations and applicable telecommunications law.
- Consent (Article 6(1)(a)) — where you have explicitly opted in (e.g., for any future analytics or marketing communications, none of which exist today).
5. Data Location and International Transfers
CallPing runs on Cloudflare's global edge network. Specifically:
- The application logic runs in Cloudflare Workers, which execute in data centers worldwide depending on the user's network location.
- Persistent data is stored in Cloudflare D1 (SQLite). D1 has a regional primary location; replicas may exist closer to the edge.
- Caches, rate limits, and short-lived state are stored in Cloudflare KV, distributed globally.
- Call delivery is performed by third-party SIP trunk providers — currently including, but not limited to, Zadarma, Intertelecom, Twilio, and Telnyx — each operating in their own respective regions. The phone number you direct us to call is sent to the SIP trunk that handles the call. The current sub-processor list is maintained in §6 below; if a provider is added, removed, or substituted, this Policy's §6 will be updated accordingly.
Cross-border transfers. If you access the Service from the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with cross-border transfer restrictions, your data may be transferred to and processed in countries other than your own. Where required for an EU/UK transfer, we rely on the following transfer mechanisms with each recipient:
- Cloudflare, Inc. (US) — Cloudflare's published Data Processing Addendum incorporates the EU Standard Contractual Clauses (Module 2 / Module 3 as applicable) and the UK International Data Transfer Addendum. Cloudflare is also self-certified under the EU-US Data Privacy Framework (DPF).
- Resend (US) — Resend's published Data Processing Addendum incorporates the EU SCCs.
- Twilio (US) — Twilio is self-certified under the EU-US Data Privacy Framework; SCCs are also available in Twilio's published DPA.
- Telnyx (US) — Telnyx publishes a DPA incorporating the EU SCCs.
- Paddle.com Inc. (UK / international) — Paddle's published DPA covers the EU SCCs and UK IDTA. As Paddle is an independent controller for payment data (see §2.3), Paddle relies on its own published transfer mechanisms for that processing.
- Zadarma (Cyprus / international) and Intertelecom (Ukraine) — receive only Ukrainian (+380) call destinations. The PBX selection layer enforces this constraint at call time: each PBX trunk carries a `route_countries` allowlist, and Zadarma + Intertelecom are restricted to `["+380"]` only — see `src/services/pbx-registry.ts` (`pbxAcceptsPhone` filter inside `getHealthyPbx`) and the corresponding tests in `src/services/pbx-registry.test.ts`. EU-resident phone numbers are routed exclusively through Twilio (US, EU SCCs Module 2 + EU-US Data Privacy Framework) and Telnyx (US, EU SCCs in published DPA). As a result, no EU/UK personal data flows through Zadarma or Intertelecom in normal operation, and the GDPR Article 28(3) requirement of a written sub-processor agreement is not engaged with respect to EU/UK personal data and those trunks because no such data reaches them. We are nevertheless pursuing executed Data Processing Addenda with Zadarma and Intertelecom as a belt-and-braces backstop covering Ukrainian-resident call recipients.
6. Sharing With Third Parties (Sub-Processors and Independent Controllers)
We share limited personal data with the following categories of recipients, only as necessary to operate the Service:
| Service | Provider | Country | Purpose | Data Shared |
|---|---|---|---|---|
| Workers / D1 / KV / Queues / Pages | Cloudflare, Inc. | USA | Infrastructure, edge compute, database, caching, static hosting | Webhook payloads, user account data, call metadata, session data |
| Asterisk PBX (self-hosted) | Immido (ФОП Даценко А.В.) | EU (PBX-1/2), USA (PBX-3), USA/EU (PBX-4), Korea (PBX-5) | Outbound call delivery | Destination phone number, call-control metadata |
| PBX cloud hosting (PBX-1/2) | Oracle Cloud Infrastructure | EU regions | VPS hosting for PBX-1 and PBX-2 | Destination phone number, call-control metadata in transit |
| PBX cloud hosting (PBX-3) | Amazon Web Services | USA (us-east-1) | VPS hosting for PBX-3 | Destination phone number, call-control metadata in transit |
| PBX cloud hosting (PBX-4) | Google Cloud Platform | USA (us-east1) | VPS hosting for PBX-4 | Destination phone number, call-control metadata in transit |
| PBX cloud hosting (PBX-5) | Microsoft Azure | Korea Central | VPS hosting for PBX-5 | Destination phone number, call-control metadata in transit |
| SIP trunk — EU/UA calls | Zadarma Ltd | Estonia (EU) | SIP trunk for EU and Ukrainian destination numbers | Destination phone number |
| SIP trunk — US calls | Twilio Inc. | USA | SIP trunk for US destination numbers | Destination phone number |
| SIP trunk — backup | Telnyx LLC | USA | SIP trunk (backup / failover) | Destination phone number |
| SIP trunk — UA calls | PJSC Intertelecom | Ukraine — no EU adequacy decision; covered by contractual safeguards and architectural +380-only geo-fence (see §5) | SIP trunk for Ukrainian destination numbers only | Destination phone number |
| Transactional email | Resend Inc. | USA | Account verification, password reset, support notifications | Email address, display name |
| Payment processing | Paddle.com Market Ltd | UK / Ireland (independent controller) | Merchant of record, VAT, invoicing, refunds — independent data controller for payment data (see §2.3) | Billing data, email address; CallPing receives only limited transactional metadata (see §2.3) |
| Internal support workflow (optional) | Airtable Inc. | USA | Support ticket triage and workflow | Email address, support message content |
| Lawful authorities | Competent regulators / courts | Various | Response to valid legal process | As required by applicable law |
Cloudflare, Oracle Cloud, AWS, Google Cloud, and Microsoft Azure each publish a Data Processing Addendum incorporating EU Standard Contractual Clauses (Module 2 where applicable); Cloudflare, Twilio, and Oracle Cloud are additionally self-certified under the EU-US Data Privacy Framework. Resend and Telnyx publish DPAs incorporating EU SCCs. Zadarma publishes a DPA applicable under EU law. Paddle operates under its published DPA covering EU SCCs and UK IDTA; Paddle is an independent data controller for the payment data it processes at checkout. Airtable publishes a DPA incorporating EU SCCs and is self-certified under the EU-US Data Privacy Framework.
We do not sell, rent, or otherwise share your personal data for advertising or marketing purposes.
7. Data Retention
| Data category | Retention |
|---|---|
| Account data (email, password hash, phones) | Retained while your account is active. Deleted on account closure, subject to backup-cycle delays. |
| Webhook payloads (`incoming_requests`) | 90 days from the date the payload is received, then automatically purged. You may request earlier deletion of a specific payload via [email protected]; the standard data-export tool also returns your stored payloads in machine-readable form. |
| Call logs (`call_logs`) | 12 months of granular per-call records (request ID, status, duration, PBX, trunk) from the call-initiation timestamp, then automatically purged. Aggregate billing records (per-month per-org call counts and total minutes) are retained by Paddle as merchant of record on Paddle's own systems for the period required by Paddle's policy. For Ukrainian tax purposes, ФОП Даценко А.В. retains primary documents and tax records (Paddle payout statements + UAH-conversion calculations) for the 1,095 days (3 years) required by Article 44.3 of the Tax Code of Ukraine; the 12-month CallPing-side window applies only to the granular operational per-call data, not to the tax-record total. Enterprise customers may negotiate longer retention as part of their contract. |
| Audit log (`audit_log`) | Rows older than 90 days are deleted by an automated cron job. |
| Sessions (`sessions`) | Active sessions persist up to 24 hours by default, or 7 days if "Stay logged in" is selected, with a hard cap of 90 days based on the session's creation timestamp. |
| Status check history (`status_checks`) | Retained for the public uptime page; aggregated over time. |
Backups and replicas may persist data for short periods after deletion to support disaster recovery.
The retention periods above are enforced by an automated cron job that runs every 5 minutes; once a record crosses the stated cutoff it is removed within the next cron pass. The retention periods are the maximum any single record will be retained absent a specific legal hold; on a verified deletion request via [email protected], records belonging to the requester are removed without waiting for the routine cutoff.
8. Your Rights
Under GDPR / UK GDPR, if you are in the EU/UK or your data is processed in connection with EU/UK activities, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — request deletion of your personal data, subject to legal retention requirements.
- Restriction — request that we limit processing in certain circumstances.
- Portability — receive your data in a machine-readable format.
- Object — object to processing based on legitimate interests.
- Object to direct marketing — absolute right (GDPR Art. 21(2)). No balancing test applies. CallPing currently conducts no direct-marketing communications, but this right subsists and you may exercise it at any time at [email protected].
- Withdraw consent — where processing is based on your consent.
- Lodge a complaint with your local data-protection supervisory authority (for EU users, the supervisory authority of your country of residence; for UK users, the Information Commissioner's Office (ICO) at ico.org.uk).
Under the Law of Ukraine "On the Protection of Personal Data", if you are located in Ukraine, you have the right to access, correct, and delete your personal data and to limit its processing. The supervisory authority in Ukraine is the Ukrainian Parliament Commissioner for Human Rights (Уповноважений Верховної Ради України з прав людини) at ombudsman.gov.ua.
Under CCPA / CPRA, if you are a California resident, you have the right to:
- Know what personal information we collect, use, disclose, and (if applicable) sell or share.
- Delete your personal information, subject to permitted exceptions.
- Opt out of the sale or sharing of personal information. CallPing does not sell or share personal information for cross-context behavioral advertising.
- Correct inaccurate personal information.
- Limit the use of sensitive personal information. We do not collect sensitive personal information as defined by CPRA in the ordinary course of operating the Service.
- Non-discrimination — we will not discriminate against you for exercising your rights.
How to exercise these rights. Email [email protected] (or [email protected] marked "Privacy request"). We will:
- Acknowledge receipt within 5 business days.
- Verify your identity before fulfilling any rights request — we may ask you to confirm details we already hold (e.g., email of record, organization slug, recent login timestamp). For deletion or data-portability requests, identity verification is mandatory.
- Respond substantively within 30 days (under GDPR / UK GDPR / Ukrainian law) or 45 days (under CCPA / CPRA), extendable by a further 60 days for complex or numerous requests, in which case we will notify you of the extension and the reasons.
- Provide our response in writing, in the same language as your request where reasonably practicable, otherwise in English.
We may decline a request that is manifestly unfounded, excessive, or where applicable law permits or requires us to retain the data (for example, tax-record retention obligations).
9. Cookies and Local Storage
See the Cookie Policy for details. In summary:
- CallPing's own cookies and local storage. We set strictly-necessary authentication cookies (`__Host-cp_session`, `__Host-cp_admin_session`) and a small number of functional `localStorage` keys (see Cookie Policy) for UX state. We do not set CallPing-controlled tracking cookies. You may opt out of the `cache:*` `localStorage` entries by emailing [email protected]; we will honour the request within 5 business days. A richer in-product opt-out toggle is queued for v1.3. The `cp_cookie_consent` `localStorage` key currently records only your acknowledgement of the Cookie Policy notice; if non-strictly-necessary cookie categories are introduced in future, that key will be expanded to record per-category consent choices under GDPR Art. 6(1)(a).
- Paddle checkout cookies. When you initiate a Paid Plan subscription, the checkout flow is hosted by Paddle (typically on pay.paddle.com or, where configured, a CallPing-branded subdomain such as checkout.callping.app). Paddle sets first-party cookies on the checkout domain for payment-session continuity, fraud prevention, and PCI-DSS compliance. These cookies are strictly necessary for completing a payment and cannot be opted out of without the checkout failing. See Paddle's Cookie Policy for the current list. Paddle is an independent data controller for these cookies; under EU ePrivacy rules (Article 5(3) of the ePrivacy Directive) and UK PECR, CallPing's cookie banner is not required to surface Paddle's checkout cookies as a separate consent category because Paddle's checkout is hosted on Paddle's own controlled domain, the user navigates there voluntarily, and Paddle operates its own consent and notice mechanisms for that flow.
10. Children
CallPing is not intended for users under 18, and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
11. Security Measures
We protect your data using:
- TLS encryption for all data in transit.
- Cloudflare D1 at-rest encryption for stored data.
- PBKDF2 for password hashing (no salted plaintext, no reversible encoding).
- Custom HMAC-SHA256 JWTs stored in `HttpOnly` cookies, with CSRF protection.
- Optional TOTP-based two-factor authentication with brute-force protection (5-attempt limit, time-step tolerance ±1).
- Step-up reauthentication required for destructive operations (password change, member removal, project deletion, phone-number changes, etc.).
- Rate limiting on authentication, refresh, password reset, email change, and team-mutation endpoints.
- Phone-number safety net that blocks emergency-service, premium-rate, toll-free, and short-code numbers across 30+ countries.
- Audit logging for sensitive actions.
We require our sub-processors — including SIP trunk providers, Cloudflare, Resend, Paddle, and Airtable — to maintain appropriate technical and organisational security measures under their respective contractual agreements with us (typically covered in each provider's Data Processing Addendum and security addenda). We monitor sub-processor security advisories and breach notifications and will incorporate vendor-side incidents into our own breach-handling under §12 where they affect personal data we have entrusted to that sub-processor.
For additional detail, see the Security page.
12. Data Breach Notification
If we become aware of a data breach affecting your personal data, we will:
- Conduct an initial impact assessment within 24 hours of detection (internal target).
- Notify the competent supervisory authority within 72 hours of becoming aware, where required by GDPR Article 33.
- Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34) or where applicable law otherwise requires.
Relevant supervisory authorities for notification include:
- For users in EU member states — the lead supervisory authority of the member state in which the affected users are located, or the relevant EU Member State Data Protection Authority.
- For users in the United Kingdom — the Information Commissioner's Office (ICO) at ico.org.uk.
- For users in Ukraine — the Ukrainian Parliament Commissioner for Human Rights at ombudsman.gov.ua.
- For US state-level breaches — notifications under each applicable state's breach-notification statute (Cal. Civ. Code §1798.82 et seq., NY Gen. Bus. Law §899-aa, and equivalents) where the affected user is resident in that state.
We coordinate with our sub-processors (Cloudflare, Resend, Paddle, SIP trunk providers, Airtable) on incidents originating with them; sub-processors are contractually required to notify CallPing without undue delay so we can meet our own notification deadlines.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date and, for material changes, notify active users by email or in-app notice. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
14. Contact
Operator and contact details.
- Legal entity: ФОП Даценко А.В. (A.V. Datsenko, sole proprietor registered in Ukraine)
- Taxpayer identifier: РНОКПП 3339403456
- Country of registration: Ukraine
- Mailing address: Plytkova str. 65/106, Kharkiv, Kharkivska oblast, 61047, Ukraine
- Data-protection contact: Anton Datsenko ([email protected]) acts as the named individual responsible for data-protection matters and is the point of contact for regulatory inquiries and data-subject requests.
- Privacy contact (preferred): [email protected]
- General contact: [email protected] — mark "Privacy request" for privacy-specific inquiries
- Security reports: [email protected]
Data Protection Officer. No formal DPO has been appointed. We have assessed CallPing's processing under GDPR Article 37 (criteria: public-authority status, large-scale regular and systematic monitoring of data subjects, large-scale processing of special-category data) and concluded that none of the mandatory triggers apply at the current scale. The assessment is documented internally and is available on request to [email protected]. The privacy contact addresses listed above are the equivalent point of contact for data-protection inquiries.