phone.systemsby ODYGY

Legal

Privacy Notice

Last updated: 23 April 2026

This Privacy Notice explains how ODYGY SRL("Odygy", "we", "us") processes personal data when you visit our website, create an account, or use the phone.systems™ cloud business phone service. It applies to all customers, end users and visitors worldwide and is aligned with Regulation (EU) 2016/679 ("GDPR") and Romanian data-protection law.

1. Who we are

The data controller responsible for your personal data is:

ODYGY SRL
Str. Aurel Vlaicu 2, Bl. 5A, Et. 7, Ap. 28
330005 Cluj-Napoca, Cluj
Romania
CUI: 48766682Reg. Com.: J12/3844/2023EUID: ROONRC.J12/3844/2023Established: 2023-09-12
Data-protection enquiries: support@odygy.com

2. Personal data we process

Depending on how you interact with us, we may process:

Account & identity data

  • Full name, business name, job title
  • Email address, phone number, billing address
  • Authentication credentials (hashed passwords, 2FA tokens)
  • For business customers: VAT number, company registration details

Service & usage data

  • IP address, device identifiers, browser and OS information
  • Product telemetry (pages viewed, features used, errors encountered)
  • Configuration data (PBX objects, call flows, user directory)

Communications content & metadata

  • Call Detail Records (CDRs): calling and called numbers, timestamps, duration, direction, routing information
  • Voicemail and, where enabled by the customer, call recordings and transcripts
  • Chat / messaging content exchanged through in-product support

Billing & financial data

  • Subscription plan, invoices, payment method metadata (we do not store full card numbers — payments are handled by PCI-DSS-certified processors)
  • Taxation data required by Romanian and EU law

3. Purposes & legal bases

We process the above data on the following legal bases:

  • Performance of a contract (Art. 6(1)(b) GDPR) — creating and administering your account, providing the phone.systems service, routing calls, billing, customer support.
  • Legal obligation (Art. 6(1)(c)) — issuing invoices, keeping accounting records, responding to lawful requests from telecom regulators, tax authorities or law-enforcement bodies.
  • Legitimate interests (Art. 6(1)(f)) — securing our platform, preventing fraud and toll abuse, improving service quality, aggregated analytics, direct marketing to existing business customers of closely related services.
  • Consent (Art. 6(1)(a)) — optional AI features (call summary, sentiment analysis, transcription), marketing emails to non-customers, non-essential cookies. You may withdraw consent at any time.

4. Call metadata, recordings & AI features

When you use phone.systems to make or receive calls, signalling and media transit our infrastructure and the carrier networks we interconnect with. As part of normal telecom operations we process Call Detail Records for routing, rating and invoicing.

Call recording and AI-powered features (full transcript, call summary, sentiment analysis, talk-to-listen ratio, key topics) are off by default and are only enabled when the account administrator activates them. When enabled:

  • The customer (your employer / the account holder) is the controller of the recording content and is responsible for informing call participants where required by applicable law.
  • Odygy acts as a processor under Art. 28 GDPR and processes the content strictly on the customer's documented instructions.
  • Audio processed for AI features is not used to train third-party foundation models and is deleted from the AI pipeline after analysis.

5. Sharing & sub-processors

We do not sell personal data. We share it only with vetted partners who are contractually bound to confidentiality and data-protection obligations, including:

  • Telecommunications carriers & SIP interconnect partners required to complete your calls.
  • Cloud infrastructure providers hosting our platform within the European Economic Area.
  • Payment processors for subscription billing.
  • Analytics, monitoring and support tooling used to operate the service reliably.
  • Professional advisors (auditors, lawyers, tax consultants) where strictly necessary.
  • Authorities where we are legally required to do so.

An up-to-date list of sub-processors is available on request at support@odygy.com.

6. International transfers

We primarily store and process data in the European Union. Where a sub-processor is located outside the EU/EEA, we rely on the European Commission's Standard Contractual Clauses (2021/914) and, where appropriate, supplementary technical measures such as encryption in transit and at rest.

7. Retention

We keep personal data only for as long as we need it:

  • Account data — for the duration of your subscription plus up to 24 months after termination, unless a longer period is required by law.
  • CDRs and billing data — up to 3 years, or longer where required by telecom or tax legislation.
  • Recordings & transcripts — according to the retention window configured by the customer; we do not retain this content longer than instructed.
  • Support tickets — up to 24 months after closure.
  • Accounting records — 10 years as required by Romanian fiscal law.

8. Your rights under the GDPR

You have the right to:

  • Access your personal data and request a copy;
  • Rectify inaccurate or incomplete data;
  • Request erasure where legally applicable;
  • Restrict or object to certain processing;
  • Receive your data in a portable format;
  • Withdraw consent at any time without affecting past processing;
  • Lodge a complaint with a supervisory authority. In Romania this is the National Supervisory Authority for Personal Data Processing (ANSPDCP, dataprotection.ro).

To exercise any of these rights, contact support@odygy.com. We will respond within 30 days.

9. Cookies & tracking

Our website uses a minimal set of strictly necessary cookies and, with your consent, analytics cookies to understand how visitors use the site. You can manage your preferences at any time via the cookie banner. No advertising or cross-site tracking cookies are used.

10. Security

We maintain organisational and technical measures appropriate to the risk, including: encryption in transit (TLS, SRTP), encryption at rest, role-based access control, hardened infrastructure with continuous monitoring, independent penetration testing, and a written incident-response plan. Regardless of the measures taken, no system is 100% secure; we will notify affected users and the relevant authority in line with Art. 33 and 34 GDPR where applicable.

11. Children

phone.systems is a business-to-business service. It is not directed at children under 16 and we do not knowingly collect their data. If you believe we have, please contact us so we can delete it.

12. Changes to this notice

We may update this Privacy Notice from time to time. Material changes will be communicated through the product and/or by email. The "last updated" date at the top of this page always reflects the current version.

13. Contact us

For any question about this notice, your personal data, or to exercise your rights, reach us at:

ODYGY SRL
Str. Aurel Vlaicu 2, Bl. 5A, Et. 7, Ap. 28
330005 Cluj-Napoca, Cluj
Romania
support@odygy.com