Privacy Policy

Effective 2026-05-17

EcomTech ("we", "us") operates the Call AI App mobile application and the https://callmessage.ecomtechbd.com website (collectively, the "Service"). This policy explains what information we collect, how we use it, and the choices you have.

1. Information we collect

Account & profile

• Mobile number — used as your login identifier (verified by SMS one-time code).
• Display name — what other users and AI agents address you by.
• Device push tokens (APNs / VoIP) — required to deliver inbound call and message notifications.

Phone numbers you rent

• The phone numbers you purchase, their country, and rental cycle.
• Records of calls and messages routed through those numbers (caller/recipient, start time, duration, cost). Required for billing and legal/compliance reasons.

Calls & messages

• Call metadata (caller, recipient, time, duration, cost) is stored.
• Voicemail audio — when a caller leaves voicemail, the audio is stored on our servers and retained while you remain a customer (you can delete individual voicemails any time).
• SMS content sent or received through your rented number is stored so you can view threads in the app.
• AI Agent calls — when AI Agent mode is on for a number, the inbound call's audio is processed by OpenAI's Realtime API. We also save a recording of the call (audio), the resulting transcript, and our derived call summary so you can review and audit how the AI handled the call. You can delete an AI call (recording + transcript) at any time from the app.

Wallet & payments

• Top-up amounts, transaction history, and the last 4 digits of cards used (Stripe handles full card data — we never see or store full card numbers).

Device permissions

• Microphone — required for placing voice calls.
• Contacts (optional) — if granted, used to display contact names next to phone numbers in your call history and message threads. Contact data stays on your device; we do not upload your address book.
• Camera — may be requested by the Stripe SDK if you choose to scan a credit card while adding a payment method. Images stay local; only the resulting tokenized card data is sent to Stripe. The camera is not used for calls or messaging.
• Photo Library — may be requested only if you choose to pick a profile picture for your account. Photos stay on your device unless you explicitly attach one.
• Face ID / Touch ID — may be requested when you confirm a wallet top-up, so payments cannot be made without your consent. Biometric data never leaves your device (handled by Apple's Secure Enclave).
• Push Notifications — for delivering call invitations and message alerts.
• App Tracking (iOS) — optional. If iOS asks "Allow Call AI App to track your activity across other companies' apps and websites?" and you tap Allow, the app shares an anonymous Apple advertising identifier (IDFA) with Meta so they can attribute installs and purchases to ads you may have seen. If you tap Ask App Not to Track (or never see the prompt), no IDFA is shared and attribution falls back to Apple's aggregate-only SKAdNetwork. You may change this at any time via iOS Settings → Privacy & Security → Tracking. Declining costs you nothing — every app feature works identically.

Marketing & ad-attribution events (Meta)

So we can tell which of our marketing campaigns actually deliver paying customers (and stop wasting money on the ones that don't), we use the Meta / Facebook Audience Network SDK to send a small set of event signals when:

• The app is installed and launched for the first time.
• You complete sign-up (verifying your mobile number).
• You sign in to an existing account.
• You top up your wallet (the dollar amount is included).
• You rent a phone number (the rental price and country code are included).

What is not sent to Meta: your phone number, name, email, contacts, call records, voicemail audio, transcripts, SMS content, card details, or any other identifier that could identify you on its own. The SDK is configured with FacebookAdvertiserIDCollectionEnabled = false by default, so the Apple advertising identifier (IDFA) is only included if you explicitly grant App Tracking permission (see above).

2. How we use information

• To provide the Service: route calls and messages, deliver notifications, deduct usage from your wallet, and prevent abuse.
• To respond to support tickets and security/abuse reports.
• To detect and block fraud, toll abuse, and policy violations (see Section 5).
• To comply with legal obligations (e.g. lawful requests from competent authorities).

3. Service providers we share data with

The Service uses the following third parties, strictly to deliver the features you use. Each operates under their own privacy policy.

• Twilio — telephony carrier. Handles call signalling, audio transport, SMS delivery, and voicemail recording. Required for the core service.
• OpenAI — only when AI Agent mode is enabled. Inbound call audio is streamed to OpenAI's Realtime API for the duration of the call. The resulting transcript is stored by us. OpenAI's terms govern their handling of that data.
• Stripe — wallet top-ups. Payment card data flows directly from your device to Stripe via their SDK; we receive only a token + last 4 / brand.
• Apple Push Notification service (APNs) — push delivery.
• Meta Platforms (Facebook Audience Network) — used only to measure the effectiveness of our own marketing campaigns. We send the event signals listed under Marketing & ad-attribution events above; we do not share call, message, contact, or payment-card data with Meta. See Meta's Privacy Policy.
• Hosting infrastructure — our backend runs on dedicated servers in the European Union; data at rest lives there.

We do not sell or rent your data. The only advertising-related sharing we perform is the limited Meta-attribution events described above, and you can disable it at any time via iOS Settings → Privacy & Security → Tracking → Call AI App.

4. Data retention

• Account data: kept while your account is active.
• Call metadata, transcripts, voicemail, SMS history: kept while you remain a customer; deleted within 30 days of account deletion.
• Transactions / receipts: retained for 7 years for accounting and tax-compliance reasons even after account deletion.
• You can delete your account from Settings → Delete Account at any time. Deletion is irreversible.

5. Security & abuse prevention

• All transport between the app and our backend is encrypted with TLS.
• Auth tokens are stored in the iOS Keychain.
• Per-user daily spend caps and a fraud detector automatically suspend accounts exhibiting patterns associated with toll-fraud or robocalling.
• Suspended accounts may be re-suspended at the phone-number level after deletion to prevent re-registration.

6. Your rights

You may, at any time:

• Access, edit, or export the data you've put into the Service from inside the app.
• Delete your account (Settings → Delete Account).
• Withdraw permission for Microphone, Contacts, Camera, or Push at the iOS level via Settings → Call AI App.
• Email us at support@ecomtechbd.com with any privacy question or to request a manual export of your data.

7. Children

The Service is not directed to children under 13 (or the equivalent minimum age in your jurisdiction). We do not knowingly collect data from children. If you believe a child has provided us data, contact us and we will delete it.

8. Changes to this policy

We may update this policy as the Service evolves. Material changes will be communicated in the app and via the email address on file (if any). Continued use after a change constitutes acceptance.

9. Contact

EcomTech
Email: support@ecomtechbd.com