1.Scope & Definitions
This Privacy Policy applies to Bukkii Phone, operated by Bukkii Inc. ("we," "us," "our") at phone.bukkii.ai, the Bukkii Phone mobile apps (iOS / Android), and our desktop apps. It does not cover other Bukkii products such as bukkii.ai unless those products link directly to this policy.
Throughout this document:
- "You" or "Customer" means the business or individual that creates a Bukkii Phone account. "You" sometimes also means callers and recipients who interact with that account.
- "PHI" means Protected Health Information under HIPAA. PHI is only collected when you sign a Business Associate Agreement with us — see our HIPAA page.
- "Personal information" means any data that identifies, relates to, or can reasonably be linked to an individual.
2.Information We Collect
2.1 Information you give us directly
- Account details — name, email, password, business name, role, time zone.
- Payment information — billing address and last four digits of your card. Full card numbers are handled by Stripe and never stored on our servers.
- Onboarding information — industry, team size, business hours, AI Assistant configuration choices.
- Support communications — emails, chat transcripts, screenshots you share with our team.
2.2 Information from your use of the service
- Call data — phone numbers (yours and the other party's), timestamps, duration, direction, route taken, and (if you enable recording) audio recordings and AI-generated transcripts.
- SMS & voicemail — message bodies, attachments, voicemail audio, and AI summaries.
- AI Assistant interactions — what callers said to the AI, what the AI said back, decisions taken (book appointment, transfer, etc.), and structured data extracted (names, services requested, dates).
- Calendar & integration data — appointment slots, calendar event metadata, and information from connected services (Google Calendar, Square, Zapier) — only what is necessary to perform the connection you authorized.
- Device & usage data — IP address, browser type, OS, app version, page views, feature usage, error logs.
2.3 Cookies & similar technologies
We use a small number of cookies for session authentication and product analytics. We do not run third-party advertising trackers. You can clear cookies anytime from your browser; clearing them will sign you out.
3.How We Use Your Information
We use the information above to:
- Provide the phone service — route calls, deliver SMS, run the AI Assistant, sync calendars.
- Bill you and prevent fraud.
- Send service notices (downtime, security alerts, policy updates) and product communications you've opted into.
- Improve the product — diagnose bugs, measure feature adoption, and identify abuse.
- Comply with legal obligations and respond to lawful government requests.
We do not sell or rent personal information to advertisers, data brokers, or any third party. We do not use call recordings, SMS, or AI conversations to train public AI models.
4.How We Share Information
We share data only with parties listed below — each under a written agreement that requires the same level of protection we provide:
| Recipient | Purpose | Data shared |
|---|---|---|
| Amazon Web Services (AWS) | Compute, storage, encryption | All operational data, encrypted |
| Twilio | Telephony & SMS delivery | Phone numbers, message bodies, call signaling |
| Azure OpenAI Service | AI Assistant inference (HIPAA-eligible) | Conversation context only — not retained for training |
| Stripe | Payment processing | Billing email, card token, transaction amount |
| Google Calendar | Optional calendar sync | Only if you connect — appointment events you authorize |
A complete and current list lives at phone.bukkii.ai/subprocessors. We give 30 days advance notice before adding any new subprocessor that handles personal data.
We may also share information when required by law (subpoena, court order, government request) or to protect the rights, safety, or property of Bukkii, our users, or the public — and we will push back on overbroad requests where lawful.
5.AI Assistant & Call Handling
Our AI Assistant processes voice and text from incoming calls and messages to answer, transfer, or book appointments. Specifically:
- Audio & transcripts are sent to a HIPAA-eligible AI provider (Azure OpenAI Service) for the duration of the call only. They are not retained by the provider for model training.
- Recordings default to OFF. When turned on, they are stored encrypted and visible only to your team. We will play a "this call may be recorded" announcement if your account is configured to do so.
- Caller consent — you are responsible for obtaining caller consent where required by your state or country (one-party / two-party consent rules). Bukkii provides the announcement tool; the legal obligation rests with you.
- Opt-out — if you do not want a specific call to be processed by AI, route that number to a human or to voicemail in your dashboard.
6.Data Retention
| Data type | Default retention | Configurable? |
|---|---|---|
| Account information | Life of account + 30 days | — |
| Call recordings & transcripts | 90 days | Yes (7–365 days) |
| SMS & MMS content | 2 years | Yes |
| Voicemails | 90 days | Yes |
| Call detail records (CDR) | 7 years | No (regulatory) |
| Audit logs (PHI access) | 6 years | No (HIPAA) |
| Encrypted backups | 35 days rolling | — |
When you cancel your account, we keep data for 30 days to allow recovery, then permanently delete it from production systems within 30 days and from backups within 90 days. Audit logs and tax records are kept longer where required by law.
7.Your Rights
Depending on where you live, you may have rights including:
- Access — receive a copy of your personal information.
- Correction — fix inaccurate data.
- Deletion — have your data erased (with limited exceptions for legal records).
- Portability — export your data in a machine-readable format (CSV / JSON / MP3).
- Objection — opt out of certain processing.
- Non-discrimination — we will not penalize you for exercising any of these rights.
To exercise a right, email [email protected] or use the in-app Settings → Data & Privacy page. We will respond within 30 days. We may need to verify your identity first to protect against fraudulent requests.
California residents have rights under the CCPA / CPRA. EU and UK residents have rights under GDPR. Specific request forms and disclosures are at phone.bukkii.ai/privacy/regional.
8.Security
We protect your data with industry-standard practices:
- Encryption — AES-256 at rest, TLS 1.3 in transit.
- Access control — role-based permissions, mandatory 2FA for admins, SSO available on Business plans.
- Audit logging — every PHI access logged with user, IP, and timestamp.
- Independent audits — SOC 2 Type II annually; ISO 27001 in progress.
- Vulnerability management — continuous scanning, quarterly penetration tests, public bug bounty.
No system is bulletproof. If a breach affects you, we will notify you without unreasonable delay — within 60 days of discovery for HIPAA-covered data — at the security contact you provided.
9.Children's Privacy
Bukkii Phone is a B2B service and is not directed at children under 13. We do not knowingly collect personal information from anyone under 13. If you believe a child has provided us information, contact us and we will delete it.
10.International Users
Bukkii Phone is operated from the United States. By using the service, you understand that your information is stored and processed in U.S.-based AWS regions (us-east-1, us-west-2). We do not transfer personal data outside HIPAA-eligible U.S. infrastructure for processing.
If you are a covered entity in a jurisdiction with stricter data residency requirements (e.g. EU, Canada PHIPA, Vietnam PDPL), contact our compliance team before signing up — we may not be able to serve your use case today.
11.Changes to This Policy
We may update this policy from time to time. When we make a material change (something that meaningfully affects your rights), we will notify you by email or in-app banner at least 30 days before it takes effect. Older versions are archived at phone.bukkii.ai/privacy/history.
12.Contact Us
Privacy team
Questions about this policy, a privacy concern, or a request for your data: