Privacy Policy
Last updated: 4 April 2026
This Privacy Policy explains how 42Desk ("42Desk", "we", "us", or "our") collects, uses, stores, and protects personal data in connection with the 42Desk platform ("Service"). It applies to Operators (businesses and their staff who subscribe to the Service). Where 42Desk processes personal data of End Users on behalf of an Operator, that processing is governed by a separate Data Processing Agreement.
This policy is issued in compliance with Regulation (EU) 2016/679 (General Data Protection Regulation, "GDPR"), Directive 2002/58/EC (ePrivacy Directive), and Regulation (EU) 2024/1689 (EU Artificial Intelligence Act).
1. Data Controller
The data controller for personal data processed in connection with Operator accounts and platform operations is 42Desk. For enquiries regarding this policy or to exercise your rights, contact our privacy team at privacy@42desk.com.
Where Operators use the Service to process personal data of their own End Users (for example, call recordings or transcripts), the Operator is the data controller for that processing and 42Desk acts as data processor. End Users with questions about how their personal data is handled by an AI Agent should contact the relevant Operator directly.
2. Personal Data We Collect
2.1 Account and Registration Data
Name, email address, job title, organisation name, and authentication credentials when an Operator registers for the Service or when team members are invited to an account.
2.2 Billing and Payment Data
Billing address and payment method details. Payment card data is processed exclusively by our payment processor (Stripe) and is never stored on 42Desk systems. We retain transaction records and invoices for tax and legal compliance purposes.
2.3 Platform Usage Data
Log data including IP addresses, browser or client type, access timestamps, pages visited, and feature usage patterns. This data is used for security monitoring, abuse prevention, and service improvement.
2.4 Call and Interaction Data (Processed on Behalf of Operators)
When an Operator deploys an AI Agent, call metadata (origin number, duration, timestamps, call outcome), call transcripts, and optionally call recordings may be generated and stored on the Platform. This data relates to End Users and is processed by 42Desk as a data processor acting on the Operator's instructions. Operators control retention settings for this data from their dashboard. Inbound caller telephone numbers (CLI/ANI) transmitted to the Platform constitute personal data and are collected as part of call metadata. Operators should be aware that callers may voluntarily disclose health, financial, or other sensitive information during a call. Where such disclosures occur, the resulting transcript may contain special category data within the meaning of GDPR Article 9. Operators deploying AI Agents in contexts where such disclosures are foreseeable are responsible for ensuring an appropriate legal basis for processing that data and for configuring their agents accordingly.
2.5 Support and Communications Data
Correspondence and support tickets submitted to 42Desk, including contact details and the content of communications.
3. AI Processing — Special Disclosure
3.1 How AI Agents Process Personal Data
AI Agents deployed through the Platform are powered by generative artificial intelligence large language models (LLMs) provided by third-party AI suppliers, currently including ElevenLabs, Inc. for voice synthesis and conversational AI. When an End User speaks to an AI Agent, their voice, speech content, and call context are transmitted to these AI suppliers for real-time processing. Personal data transmitted to AI suppliers is processed under data processing agreements that comply with GDPR transfer requirements.
3.2 AI Output Is Not Guaranteed Accurate
AI Agents may produce responses that are inaccurate, incomplete, or misleading. Personal data mentioned in a conversation may be misinterpreted or reproduced incorrectly by the AI system. 42Desk does not represent that AI Agents will handle personal information flawlessly. Operators are responsible for implementing appropriate safeguards, including human review processes, to mitigate the risk of AI errors affecting End Users.
3.3 EU AI Act Transparency
In accordance with Article 50 of Regulation (EU) 2024/1689 (EU AI Act), interactions with AI Agents must be disclosed as such to End Users. 42Desk provides disclosure tooling to Operators for this purpose. 42Desk does not use AI Agent interaction data to train its own AI models without Operator consent.
4. Lawful Basis for Processing
We process personal data on the following legal bases under GDPR Article 6:
- Contract (Art. 6(1)(b)): Processing necessary to perform our contract with Operators, including account management, service delivery, and billing.
- Legitimate interests (Art. 6(1)(f)): Platform security, fraud prevention, service improvement, and analytics, where our interests are not overridden by the rights of data subjects.
- Legal obligation (Art. 6(1)(c)): Tax record-keeping, responding to lawful requests from authorities, and compliance with other statutory obligations.
- Consent (Art. 6(1)(a)): Where we send optional marketing communications to Operators or their staff. Consent may be withdrawn at any time.
For End User call data processed on behalf of Operators, the lawful basis is determined by the Operator as data controller. 42Desk recommends that Operators obtain explicit consent from End Users for call recording and AI processing, where required by applicable law.
5. How We Use Personal Data
- Provisioning, operating, and supporting the Service.
- Processing payments and managing billing accounts.
- Sending transactional communications (account notices, invoices, security alerts).
- Monitoring platform security and detecting fraud and abuse.
- Complying with legal and regulatory obligations.
- Improving the Platform through aggregated, anonymised analytics (never using identifiable End User data without Operator authorisation).
- Responding to support requests.
We do not sell, rent, or trade personal data to third parties for marketing purposes.
6. Third-Party Processors and Recipients
We share personal data with the following categories of third-party processors, each engaged under GDPR-compliant data processing agreements:
- Cloud infrastructure (Google Cloud Platform): Platform hosting, database, and authentication services. Data is stored in the EU (europe-west1 region).
- AI voice processing and transcription (ElevenLabs): Voice synthesis, conversational AI, and speech-to-text transcription for AI Agent interactions. Call audio is transmitted to ElevenLabs for real-time inference and transcription. Transcripts generated from call audio are processed under ElevenLabs' data processing agreement with 42Desk, which complies with GDPR transfer requirements.
- Telephony (Telnyx): Inbound and outbound call routing, number management, and telephony infrastructure.
- Payment processing (Stripe): Subscription billing and payment card processing. Stripe is an independent data controller for payment data under its own privacy policy.
- Authentication (Firebase / Google): User authentication and identity management.
We do not transfer personal data to third parties outside the European Economic Area (EEA) except where standard contractual clauses (SCCs) or other appropriate transfer safeguards approved under GDPR Chapter V are in place. ElevenLabs and Telnyx are US-based entities engaged under SCCs.
7. Data Retention
- Account data: Retained for the duration of the Operator's active account and deleted within 90 days of account closure, subject to legal hold obligations.
- Billing records: Retained for 7 years to comply with tax and accounting obligations.
- Call transcripts and recordings: Retention period is configured by the Operator in the dashboard. The default is 12 months. Operators may delete this data at any time.
- Platform logs: Retained for up to 12 months for security and operational purposes.
- Support communications: Retained for up to 3 years from the date of last contact.
8. Data Security
42Desk implements technical and organisational security measures appropriate to the risk, including encryption of data in transit (TLS 1.2+) and at rest, encryption of sensitive credentials stored on the Platform using Fernet symmetric encryption, access controls and role-based permissions, regular security assessments, and incident response procedures. In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority within 72 hours as required by GDPR Article 33.
9. Your Rights Under GDPR
As a data subject, you have the following rights under GDPR, which you may exercise at any time by contacting us at privacy@42desk.com:
- Right of access (Art. 15): Obtain confirmation of whether we process your personal data and a copy of that data.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17): Request deletion of your personal data where it is no longer necessary, or where you withdraw consent, subject to our legal retention obligations.
- Right to restriction of processing (Art. 18): Request that we restrict processing of your data in certain circumstances.
- Right to data portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interests at any time.
- Right not to be subject to solely automated decisions (Art. 22): Not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects on you.
- Right to withdraw consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.
We will respond to requests within one calendar month. If your request is complex or you have made numerous requests, this period may be extended by a further two months, in which case we will inform you within the initial month. We will not charge a fee for requests unless they are manifestly unfounded or excessive.
You also have the right to lodge a complaint with your national data protection authority. In Portugal, the competent authority is the Comissão Nacional de Proteção de Dados (CNPD) (www.cnpd.pt).
10. Cookies and Tracking Technologies
The 42Desk website and application use strictly necessary cookies required for authentication and session management. We do not use third-party advertising or tracking cookies. Analytics data, where collected, is aggregated and anonymised. You may control cookie settings through your browser preferences; disabling essential cookies may affect functionality.
11. Children's Data
The Service is not directed to individuals under the age of 18. 42Desk does not knowingly collect personal data from minors. Operators deploying AI Agents in contexts where interactions with minors are possible must ensure appropriate safeguards and parental or guardian consent mechanisms are in place.
12. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be notified to Operators by email or prominent notice on the Platform at least fourteen (14) days before taking effect. The current version is always available at 42desk.com/privacy. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
13. Contact
For all privacy-related enquiries, requests to exercise your rights, or to report a potential data breach:
Email: privacy@42desk.com
Supervisory authority: CNPD — Comissão Nacional de Proteção de Dados, www.cnpd.pt