VokaroVokaroVokaro
Home ServicesReal EstateDental PracticesDermatologyMedical PracticesAccountantsPhysical TherapyOrthopedicsAuto RepairView all industries
FeaturesIntegrationsPricing
Phone ProblemsCost ComparisonKnowledgeROI CalculatorReachability CheckBlogFAQ
Updated

GDPR and AI Telephony: What You Need to Know

Is an AI phone assistant compliant with data privacy regulations? Yes, when set up correctly.

An AI phone assistant is GDPR-compliant when three conditions are met: 1) Voice data is processed on European servers (no transfer to the US). 2) Processing is based on a legal basis (legitimate interest or consent). 3) Callers are informed about AI-assisted processing. At Vokaro, all voice data is processed exclusively on EU servers (Hetzner, Nuremberg, Germany). Speech recognition runs through Deepgram's EU endpoint. No audio content is permanently stored or used for AI training.

The Three Pillars of GDPR Compliance

For a GDPR-compliant AI phone assistant, three areas must be covered:

  • Data processing in the EU: Speech recognition (STT), language understanding (LLM), and speech generation (TTS) must run on EU servers. No US servers, no reliance on contested data transfer frameworks.
  • Legal basis: Processing of voice data can be based on Article 6(1)(b) GDPR (contract performance) or (f) (legitimate interest). Explicit consent is not required in most cases.
  • Transparency obligation: Callers must know that an AI is handling the conversation. This can be done through a brief notice at the beginning of the call.

How Vokaro Ensures Data Privacy

Vokaro was built from the ground up with European data privacy requirements in mind. Every technical decision considers GDPR compliance:

  • Server location: Hetzner Cloud, data centers in Nuremberg/Falkenstein, Germany. All data stays within the EU.
  • Speech recognition: Deepgram Nova-3 via the EU endpoint (eu-api.deepgram.com). No audio content is stored.
  • Speech generation: Cartesia Sonic-3 with EU-compatible hosting. No permanent storage of generated speech.
  • Media server: LiveKit Cloud with EU region. Audio streams are processed in real time and not recorded.
  • Data Processing Agreement (DPA): DPAs in accordance with Article 28 GDPR are in place for all sub-processors.

What Data Is Processed?

Transparency is important to us. The following data is processed during a call:

  • Audio stream: Processed in real time (STT) and not permanently stored.
  • Transcript: Recognized words are used for conversation flow. Optionally storable as a call summary.
  • Appointment bookings: Name, preferred time slot, and contact details are transferred to your calendar system.
  • Call summary: A brief summary of the inquiry is sent to you via email/SMS.
  • Phone number: Stored for callback identification and spam protection.

Common Data Privacy Concerns

The most important questions we hear from privacy-conscious businesses:

  • Is audio content used for AI training? No. Neither Vokaro nor any sub-processors use your conversation data to train AI models.
  • What happens in case of a data breach? Vokaro has an incident response procedure in accordance with Articles 33/34 GDPR. Affected parties are notified within 72 hours.
  • Do I need a Data Protection Impact Assessment (DPIA)? In most cases, no, since no special category data (Article 9 GDPR) is systematically processed. Exception: Medical practices that record health information over the phone.

Related Articles

How does an AI phone assistant work?Setup GuidePrivacy Policy

FAQ

Do I need to inform callers that they're speaking with an AI?

It's recommended to provide a brief notice. Vokaro can say at the start of the call: 'You're speaking with the AI assistant of [Your Company].' This fulfills the transparency obligation and builds trust. There's no strict legal requirement, but it's considered best practice.

Can callers request deletion of their data?

Yes, in accordance with Article 17 GDPR (right to erasure). Since Vokaro does not permanently store audio streams, there is typically no audio data to delete. Call summaries and appointment bookings can be deleted on request.

Is the system compliant for medical practices?

Yes, with certain considerations. Health data (Article 9 GDPR) requires enhanced protection. Vokaro is configured so that medical details are not stored in plain text. The assistant records appointment requests and general inquiries without asking about diagnoses or symptoms.

GDPR-Compliant. Made in Europe.

EU servers. EU processing. No data transfers to the US.

Call now

No obligation · GDPR compliant · Made in Germany