Cualify.
OutboundInboundBookingCollectionsPricingSecurityBlog
Sign inStart a pilot

Cualify Field Notes

Building India's AI calling stack — in public.

One short essay every other Friday on voice AI, Indian SMB GTM, and what we ship. No spam. Unsubscribe in one click.

Cualify.

AI calling agency for Indian SMBs. Multilingual voice agents, INR billing, DPDP-ready from day one.

Built in Mumbai · Stored in Mumbai

Product

  • Outbound sales
  • Inbound support
  • Appointment booking
  • Collections
  • Voice library
  • Docs

Company

  • Pricing
  • Cualify vs Bolna
  • Changelog
  • Security
  • Blog
  • About
  • Contact

Legal

  • Terms of service
  • Privacy policy
  • Data Processing
  • Acceptable Use
  • 15-day refund

Compliance

  • DPDP Act 2023
  • TRAI / DLT
  • 99.5% SLA
  • Sub-processors
  • Customer KYC
  • Contact DPO

© 2026 Cualify Technologies. All rights reserved.

[email protected]·[email protected]·+91 80 0000 0000

Legal · Effective 6 May 2026

Privacy Policy

How we collect, use, store, and protect personal data — written for the Digital Personal Data Protection Act, 2023.

On this page

  1. 1. Who we are
  2. 2. What we collect
  3. 3. Lawful basis under the DPDP Act 2023
  4. 4. Where your data is stored
  5. 5. Sharing with sub-processors
  6. 6. Your rights as a Data Principal
  7. 7. Retention
  8. 8. Security measures
  9. 9. Breach notification
  10. 10. Cookies and similar technologies
  11. 11. Children
  12. 12. Changes to this Policy
  13. 13. Contact the Data Protection Officer

Last updated 3 June 2026

Plain English

We act as a Data Fiduciary for our own customer relationships and as a Data Processor for the calls you run on Cualify. Your end-recipients' personal data is yours; we hold it on your instruction. Everything is stored in Mumbai, encrypted at rest and in transit, and never sold to third parties. You can exercise DPDP rights (access, correction, erasure, grievance) by emailing the DPO.

1. Who we are

Cualify Technologies LLP is the Data Fiduciary for personal data we collect about you (our Customer) and our Data Processor role applies to personal data of your end-recipients processed through the Services. Our registered office is in Mumbai, Maharashtra, India.

Our Data Protection Officer is contactable at [email protected] for any privacy concern, DPDP rights request, or grievance.

2. What we collect

When you use Cualify as a Customer, we collect:

  • Account data — name, work email, phone, organisation name, billing address, GSTIN, PAN where required for tax invoicing
  • Authentication data — login session tokens (via Clerk), MFA factors
  • Usage data — campaigns, call records, transcripts, recordings, credits debited, dashboard interactions
  • Telemetry — IP address, device type, error logs, product analytics events (cookieless)

When your AI agent makes a call to an end-recipient, we process on your behalf:

  • Phone number and any contact metadata you provided
  • Voice recording and transcript of the call
  • Captured consent (the disclosure played in the first five seconds, plus the recipient's response)
  • Call outcome, intent labels, and sentiment indicators

3. Lawful basis under the DPDP Act 2023

We process Customer personal data on the lawful basis of performance of contract (running your account, delivering the Services). We process end-recipient personal data on the lawful basis of consent — captured and stored by you, the Data Fiduciary. You represent that valid consent has been collected before any number is dialed through Cualify.

4. Where your data is stored

  • Postgres database (account, billing, ledger, campaigns) — Mumbai (ap-south-1)
  • Voice recordings + transcripts — Mumbai object storage, AES-256 at rest
  • Email transactional logs (Resend) — EU region; only delivery metadata, not call content
  • Product analytics (PostHog) — EU region; cookieless, no PII
  • Backup snapshots — Mumbai region only, retained for 30 days

No call content, contact lists, or recordings leave Indian soil.

5. Sharing with sub-processors

We share data only with the sub-processors listed at /security#sub-processors. Each sub-processor is bound by contract to the same protection standards as this Policy. We do not sell personal data, ever.

6. Your rights as a Data Principal

Under the DPDP Act 2023, you have the right to:

  • Access — confirm whether we hold your personal data and obtain a copy
  • Correction — fix inaccurate data
  • Erasure — request deletion when the data is no longer necessary
  • Withdraw consent — stop processing where consent is the basis
  • Grievance redressal — escalate to the DPO if a request is not handled correctly
  • Nominate — designate another person to exercise your rights in case of incapacity

Submit any of the above through the in-app DSR inbox (Settings → Privacy) or by emailing [email protected]. We respond within 30 days. If you are dissatisfied with our response, you may complain to the Data Protection Board of India.

7. Retention

  • Recordings — default 90 days, configurable per plan up to 1 year (Scale)
  • Transcripts — same window as recordings, plus 30 days for redacted backup copies
  • Account data — for the lifetime of the account, plus 7 years for tax compliance under Indian law
  • Telemetry and error logs — 90 days, then aggregated

8. Security measures

  • Encryption at rest — AES-256 (Postgres, recordings, transcripts)
  • Encryption in transit — TLS 1.3 on every connection
  • Multi-tenant isolation — Postgres Row-Level Security with org-scoped predicates verified by automated tests
  • Access controls — SSO + MFA mandatory for all staff; role-based access to production data; quarterly access reviews
  • Audit trail — all admin actions logged immutably; reviewed monthly
  • Penetration testing — annual third-party pentest once revenue exceeds ₹10 lakh MRR

9. Breach notification

Our 72-hour commitment

We notify affected Customers within 72 hours of confirmed detection of any personal-data breach affecting their account, with details of scope, impact, and mitigation. We also report to the Data Protection Board of India as required by the DPDP Act 2023.

10. Cookies and similar technologies

We use only essential cookies for authentication and security. We do not use advertising or third-party tracking cookies. Product analytics is cookieless via fingerprint hashing with a daily salt.

11. Children

Cualify is not directed at children under 18. We do not knowingly collect personal data from minors. If you believe we have, contact the DPO and we will erase it.

12. Changes to this Policy

We update this Policy when laws, sub-processors, or material practices change. Material updates are emailed at least 30 days before the effective date. Earlier versions are available at /legal/privacy/archive on request.

13. Contact the Data Protection Officer

Email: [email protected]. Postal mail: Data Protection Officer, Cualify Technologies LLP, Mumbai, Maharashtra, India. We acknowledge within 48 hours and respond within 30 days.

Related documents

  • Data Processing Agreement
  • Terms of Service

Have a question?

General queries — [email protected]. Privacy and DPDP rights — [email protected]. Abuse reports — [email protected].