Last Updated: 1 January 2026
1. Introduction
This Privacy Policy explains how XEROTECH LTD (“we”, “us”, “our”), trading as CallGPT, collects, uses, and protects your personal data when you use our AI-powered communication platform at callgpt.co.uk and web.callgpt.co.uk (the “Service”).
We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data Controller
XEROTECH LTD, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
Company Registration No: 14474495
ICO Registration No: ZC065188
Contact: privacy@xerotech.io
3. Information We Collect
3.1 Information You Provide
| Data Type | Examples | Purpose |
|---|---|---|
| Account Information | Name, email address, password (hashed) | Create and manage your account |
| Payment Information | Processed by Stripe (we don’t store card details) | Process subscriptions and payments |
| Communication Content | Chat messages, prompts, uploaded files | Provide AI conversation services |
| Support Communications | Emails, support tickets | Respond to your enquiries |
3.2 Information Collected Automatically
| Data Type | Examples | Purpose |
|---|---|---|
| Usage Data | Features used, session duration, message counts | Improve service and enforce usage limits |
| Technical Data | IP address, browser type, device information | Security, troubleshooting, analytics |
| Cookies | Session cookies, preference cookies | Essential service functionality |
3.3 AI-Generated Content
When you use CallGPT, your prompts are processed by third-party AI providers (OpenAI, Anthropic, Google) to generate responses. We implement automatic privacy protection that strips sensitive information (such as National Insurance numbers, payment card numbers, and phone numbers) from messages before processing where technically feasible.
4. How We Use Your Information
We process your personal data based on the following legal bases under UK GDPR:
| Purpose | Legal Basis |
|---|---|
| Provide and maintain the Service | Contract performance |
| Process payments and subscriptions | Contract performance |
| Send service-related communications | Contract performance |
| Respond to support requests | Contract performance |
| Prevent fraud and abuse | Legitimate interests |
| Improve and develop the Service | Legitimate interests |
| Comply with legal obligations | Legal obligation |
| Send marketing communications (with consent) | Consent |
5. Data Sharing
We share your personal data with the following categories of recipients:
5.1 Service Providers
| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| Vercel Inc. | Website hosting | United States | Standard Contractual Clauses |
| MongoDB Inc. | Database hosting | Ireland (EU) | EU Adequate |
| Stripe Inc. | Payment processing | United States | EU-US Data Privacy Framework |
| OpenAI LLC | AI processing | United States | Standard Contractual Clauses |
| Anthropic PBC | AI processing | United States | Standard Contractual Clauses |
| Google LLC | AI processing | United States | EU-US Data Privacy Framework |
| Resend Inc. | Email delivery | United States | Standard Contractual Clauses |
5.2 Other Disclosures
We may also disclose your data:
- To comply with legal obligations or court orders
- To protect our rights, property, or safety
- In connection with a business transfer or merger (with prior notice)
We do not sell your personal data to third parties.
6. International Transfers
Some of our service providers are located outside the UK and European Economic Area (EEA). When we transfer your data internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): Approved contractual terms that provide adequate protection
- EU-US Data Privacy Framework: For US companies certified under this framework
- Adequacy Decisions: For countries the UK has deemed to provide adequate protection
7. Data Retention
We retain your personal data for as long as necessary to provide the Service and fulfil the purposes described in this policy:
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 30 days after deletion |
| Chat messages and sessions | Duration of account + 30 days after deletion |
| Generated artifacts | Duration of account + 30 days after deletion |
| Payment records | 7 years (legal requirement) |
| Support communications | 3 years |
| Server logs | 90 days |
After these periods, data is securely deleted or anonymised.
8. Your Rights
Under UK GDPR, you have the following rights:
| Right | Description |
|---|---|
| Access | Request a copy of your personal data |
| Rectification | Request correction of inaccurate data |
| Erasure | Request deletion of your data (“right to be forgotten”) |
| Restriction | Request limitation of processing |
| Portability | Receive your data in a portable format |
| Objection | Object to processing based on legitimate interests |
| Withdraw Consent | Withdraw consent at any time (where consent is the legal basis) |
To exercise any of these rights, contact us at privacy@xerotech.io. We will respond within one month.
8.1 Account Deletion
You can delete your account and all associated data at any time through:
- Self-service: Dashboard → Settings → Delete Account
- Email request: privacy@xerotech.io
Upon deletion, we will:
- Remove your account and profile information
- Delete all chat sessions and messages
- Delete all generated artifacts
- Cancel any active subscriptions
- Retain only data required by law (e.g., payment records for 7 years)
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit (TLS 1.2+)
- Encryption at rest (AES-256)
- Secure password hashing
- Access controls and authentication
- Regular security assessments
- Incident response procedures
Our infrastructure providers maintain industry certifications including SOC 2 Type II and ISO 27001.
10. Children’s Privacy
CallGPT is not intended for users under 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately at privacy@xerotech.io.
11. Cookies
We use essential cookies to operate the Service and optional analytics cookies with your consent. For details, see our Cookie Policy.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by:
- Posting a notice on our website
- Sending an email to your registered address
The “Last Updated” date at the top indicates when the policy was last revised.
13. Complaints
If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: https://ico.org.uk
Telephone: 0303 123 1113
14. Contact Us
For any questions about this Privacy Policy or our data practices:
Email: privacy@xerotech.io
Address: XEROTECH LTD, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
