Phone StackPhone Stack

Privacy Policy

Last updated: May 16, 2026

1. Introduction

Phone Stack Corp. ("Phone Stack," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI cold calling platform, website, and related services (collectively, the "Service").

2. Information We Collect

Account Information

When you create an account, we collect your name, email address, company name, phone number, and billing information. This information is necessary to provide our Service.

Contact Data

You may upload contact lists containing names, phone numbers, email addresses, company names, and other business information for use in your calling campaigns. You are responsible for ensuring you have the right to use this contact data for outbound calling.

Call Recordings and Transcripts

Our Service records phone calls made through the platform. These recordings are transcribed and analyzed by AI to generate call summaries, sentiment analysis, and campaign analytics. Call recordings are stored securely and retained according to the retention schedule described below.

Usage Data

We automatically collect information about how you use our Service, including pages visited, features used, campaign configurations, and performance metrics. We use cookies and similar technologies for analytics and to improve the Service.

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our Service
  • Process your calling campaigns and generate analytics
  • Train and improve our AI models (using aggregated, de-identified data only)
  • Send you service-related communications
  • Process payments and manage your subscription
  • Comply with legal obligations, including TCPA and DNC regulations
  • Detect and prevent fraud, abuse, and security incidents

4. Call Recording and TCPA Compliance

Phone Stack records all calls made through the platform for quality assurance, compliance, and analytics purposes. Our Service automatically provides appropriate disclosures regarding call recording as required by applicable state and federal law. You are responsible for complying with all applicable telemarketing laws, including the Telephone Consumer Protection Act (TCPA) and state-specific regulations.

5. Data Retention

We retain your data as follows:

  • Account data: Retained for the duration of your account plus 30 days after deletion
  • Call recordings: Retained for 90 days by default, configurable up to 1 year
  • Call transcripts and summaries: Retained for the duration of your account
  • Contact data: Retained for the duration of your account, deleted within 30 days of account closure
  • Analytics data: Retained in aggregated, de-identified form indefinitely

6. Data Sharing and Sub-Processors

We do not sell your personal information. We may share your data with:

  • Service providers: Third-party services that help us operate the Service (see list below)
  • Legal compliance: When required by law, subpoena, or legal process
  • Business transfers: In connection with a merger, acquisition, or sale of assets

The following third-party service providers ("sub-processors") may receive or process your data in the course of delivering the Service:

  • Google Cloud Platform / Firebase (Google LLC) — cloud hosting, database, authentication, and serverless compute
  • Twilio (Twilio Inc.) — telephony infrastructure for placing and receiving phone calls
  • Stripe (Stripe Inc.) — payment processing and subscription billing
  • Resend (Resend Inc.) — transactional email delivery (account notifications, support emails)
  • Google Gemini (Google LLC) — real-time conversational AI voice agent (see Section 7)
  • Anthropic Claude (Anthropic PBC) — post-call analysis and AI-assisted scoring (see Section 7)
  • Deepgram (Deepgram Inc.) — speech-to-text transcription (see Section 7)
  • Vercel (Vercel Inc.) — web application hosting and edge delivery
  • Google Analytics (GA4) (Google LLC) — website analytics (see Section 12)
  • Microsoft Clarity (Microsoft Corporation) — website analytics and session replay (see Section 12)

All sub-processors are contractually bound to use your data only as necessary to provide their respective services and to maintain appropriate security measures. We may update this list as we add or change providers; material changes will be reflected in this Privacy Policy.

7. AI Services and Third-Party AI Providers

Phone Stack uses the following third-party artificial intelligence services to power its core calling, transcription, and analytics features:

  • Google Gemini (Google LLC) — powers our real-time conversational AI voice agent that conducts phone calls on your behalf. Audio from calls is streamed to Google Gemini for speech understanding and response generation.
  • Anthropic Claude (Anthropic PBC) — used for post-call analysis, including call summarization, sentiment analysis, action-item extraction, and AI-assisted call scoring and training recommendations.
  • Deepgram (Deepgram Inc.) — provides speech-to-text transcription of call recordings for generating written transcripts and enabling keyword search across your calls.

When you use the Service, call audio and related data are transmitted to these providers solely to deliver the features described above. Each provider processes data under its own terms of service and privacy policy. Phone Stack does not permit these providers to use your data to train their general-purpose AI models.

7.1 AI Provider Data Retention

Data transmitted to our AI providers is processed in real time or near-real time and is not retained by those providers beyond what is necessary to complete the processing request, except as follows:

  • Google Gemini: Call audio is streamed in real time and is not stored by Google after the session ends. Google may retain usage metadata (such as token counts and error logs) in accordance with its Cloud Data Processing terms.
  • Anthropic Claude: Call transcripts and summaries are sent via API for analysis and are not retained by Anthropic after the response is returned, per Anthropic's commercial API data policy.
  • Deepgram: Audio is processed for transcription and is not stored by Deepgram after the transcript is returned, per Deepgram's data processing agreement.

Phone Stack retains the outputs of AI processing (transcripts, summaries, scores) in accordance with the retention schedule in Section 5 above.

7.2 AI-Generated Content

Calls conducted by Phone Stack are performed by artificial intelligence, not human agents. AI-generated speech, summaries, scores, and recommendations may contain errors or inaccuracies. You should review AI-generated outputs before relying on them for business decisions. Phone Stack does not guarantee the accuracy, completeness, or reliability of any AI-generated content.

We may update the AI services we use as technology evolves. Material changes to the providers listed above will be reflected in this Privacy Policy. For any questions about our use of AI services, contact us at privacy@phonestack.com.

8. Data Security

We implement industry-standard security measures to protect your data, including encryption in transit (TLS 1.3) and at rest (AES-256), access controls, audit logging, and regular security assessments. However, no method of transmission or storage is 100% secure.

9. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Delete your data
  • Export your data in a portable format
  • Opt out of certain data processing activities

To exercise these rights, contact us at privacy@phonestack.com.

10. Google User Data (Gmail & Google Calendar)

Phone Stack offers optional integrations that allow you to connect your Google account so the Service can send emails on your behalf and schedule calendar events as part of your calling workflows. When you connect your Google account, Phone Stack accesses your Google user data only with your explicit consent via Google's OAuth 2.0 flow.

10.1 Scopes We Request and Why

  • https://www.googleapis.com/auth/gmail.send — used solely to send emails from your connected Gmail account (for example, meeting confirmations, follow-ups, and callback confirmations triggered by your AI call agent). We do not read, modify, delete, or otherwise access your inbox, drafts, labels, or any other Gmail content.
  • https://www.googleapis.com/auth/calendar.events — used to create calendar events (such as booked meetings) on the calendar you authorize. We only create or modify events created by Phone Stack.
  • https://www.googleapis.com/auth/calendar.freebusy — used to check your availability before proposing meeting times to your prospects. We only access busy/free windows, not event details.
  • https://www.googleapis.com/auth/userinfo.email — used to identify which Google account you have connected.

10.2 How We Store and Protect Google User Data

OAuth tokens (access tokens and refresh tokens) issued by Google are stored encrypted at rest in our Firestore database and are transmitted over TLS 1.3. Tokens are used only by our backend to perform the actions you authorize and are never exposed to client-side code or third parties. You may revoke Phone Stack's access at any time from your Google Account permissions page or by disconnecting the integration from your Phone Stack Settings.

10.3 Limited Use Disclosure

Phone Stack's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements. Specifically, Phone Stack:

  • Uses Google user data only to provide or improve user-facing features that are prominent in the Phone Stack user interface (sending emails you triggered, scheduling meetings you booked, and checking availability you authorized);
  • Does not transfer Google user data to others except as necessary to provide or improve those features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with user notice;
  • Does not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising;
  • Does not allow humans to read Google user data unless we have your affirmative agreement for specific messages, it is necessary for security purposes (such as investigating abuse), to comply with applicable law, or for internal operations where the data has been aggregated and anonymized; and
  • Does not use Google user data to develop, improve, or train generalized AI and/or machine learning models. Any AI features that reference your data are scoped to your own account.

10.4 Deletion of Google User Data

You may disconnect Google from Phone Stack at any time in Settings → Integrations. Upon disconnection, we immediately revoke the associated refresh token with Google and delete the stored OAuth credentials from our database within 24 hours. To request deletion of any residual data associated with your Google account, email privacy@phonestack.com.

11. Microsoft User Data (Outlook Mail & Microsoft 365 Calendar)

Phone Stack offers optional integrations that allow you to connect your Microsoft account (personal Microsoft accounts or Microsoft 365 / Entra ID work or school accounts) so the Service can send emails on your behalf through Outlook and schedule calendar events in Microsoft 365 Calendar as part of your calling workflows. When you connect your Microsoft account, Phone Stack accesses your Microsoft user data only with your explicit consent via the Microsoft identity platform OAuth 2.0 flow (Microsoft Entra ID), and only to perform the actions you authorize.

11.1 Scopes We Request and Why

  • Mail.Send — used solely to send emails from your connected Outlook / Microsoft 365 mailbox (for example, meeting confirmations, follow-ups, and callback confirmations triggered by your AI call agent). We do not read, modify, delete, move, or otherwise access your inbox, drafts, folders, attachments, or any other mail content.
  • Calendars.ReadWrite — used to create calendar events (such as booked meetings) on the calendar you authorize and to check your availability before proposing meeting times to your prospects. We only create or modify events created by Phone Stack; we do not read, modify, or delete events that were not created by Phone Stack, except to read busy/free windows needed to schedule around them.
  • User.Read — used to identify which Microsoft account you have connected (display name, email address, and object ID) so that we can show it in your Phone Stack Settings.
  • offline_access — used to obtain a refresh token so Phone Stack can continue performing the actions you authorized (sending emails, creating events) without requiring you to sign in again for each action.

11.2 How We Store and Protect Microsoft User Data

OAuth tokens (access tokens and refresh tokens) issued by the Microsoft identity platform are stored encrypted at rest in our Firestore database and are transmitted over TLS 1.3. Tokens are used only by our backend to perform the actions you authorized and are never exposed to client-side code or third parties. You may revoke Phone Stack's access at any time from your Microsoft account applications & consents page (personal accounts) or from the My Apps portal (work or school accounts), or by disconnecting the integration from your Phone Stack Settings.

11.3 Limited Use of Microsoft User Data

Phone Stack's use of information received from Microsoft Graph and other Microsoft APIs adheres to the Microsoft APIs Terms of Use, the Microsoft Services Agreement, and applicable requirements for apps verified through the Microsoft Cloud Partner Program and the Microsoft 365 App Compliance Program. Specifically, Phone Stack:

  • Uses Microsoft user data only to provide or improve user-facing features that are prominent in the Phone Stack user interface (sending emails you triggered, scheduling meetings you booked, and checking availability you authorized);
  • Does not transfer Microsoft user data to others except as necessary to provide or improve those features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with user notice;
  • Does not use Microsoft user data for serving advertisements, including retargeting, personalized, or interest-based advertising;
  • Does not sell or rent Microsoft user data under any circumstances;
  • Does not allow humans to read Microsoft user data unless we have your affirmative agreement for specific messages, it is necessary for security purposes (such as investigating abuse), to comply with applicable law, or for internal operations where the data has been aggregated and anonymized; and
  • Does not use Microsoft user data to develop, improve, or train generalized AI and/or machine learning models. Any AI features that reference your data are scoped to your own account.

11.4 Deletion of Microsoft User Data

You may disconnect Microsoft from Phone Stack at any time in Settings → Integrations. Upon disconnection, we immediately revoke the associated refresh token with Microsoft and delete the stored OAuth credentials from our database within 24 hours. To request deletion of any residual data associated with your Microsoft account, email privacy@phonestack.com. Phone Stack does not retain copies of Outlook messages we send on your behalf beyond the metadata required to display your own send history inside Phone Stack (recipient, subject, timestamp, and delivery status).

11.5 Tenant Administrator Consent

If you are a Microsoft 365 tenant administrator granting Phone Stack access on behalf of your organization, you represent that you have the authority to do so and that your organization's users have been notified as required by your internal policies. Administrators may revoke consent for the entire tenant at any time via the Microsoft Entra admin center under Enterprise applications → Phone Stack → Permissions.

12. API Access and MCP Integrations

Phone Stack provides a REST API and a Model Context Protocol (MCP) server that allow authorized third-party AI assistants to interact with your account on your behalf.

12.1 Data Shared via API and MCP

When you authorize a third-party application (such as Claude or ChatGPT) via the MCP server, the following data may be returned in tool responses:

  • Contact phone numbers (E.164 format), names, email addresses, and company names
  • Custom fields you have defined on contacts
  • Call transcripts (truncated to 50,000 characters)
  • AI-extracted structured data from calls
  • Call dispositions, durations, and metadata
  • Agent profile names and configurations

12.2 MCP Server Data Handling

The Phone Stack MCP server (hosted at phonestack-mcp.fly.dev) acts as a stateless proxy between AI assistants and the Phone Stack API. It:

  • Stores your API key encrypted at rest, resolved from an OAuth token
  • Does not log or persist tool call contents (request bodies or responses)
  • Does not train AI models on data passing through it
  • Does not share your data with any party other than the Phone Stack API
  • Transmits all data over HTTPS (TLS 1.3)

12.3 Revoking MCP Access

You may revoke access at any time by deleting or rotating your API key in Settings → API. This immediately invalidates all active MCP sessions using that key. OAuth tokens issued by the MCP server expire after 30 days if not revoked earlier.

13. Cookies and Analytics

We use cookies and similar technologies for analytics, session management, and to improve your experience. The following analytics services are active on our website:

  • Google Analytics 4 (GA4) — collects anonymized usage data including pages visited, session duration, referral source, and conversion events (such as sign-ups and subscription purchases). GA4 may set cookies including _ga and _ga_*. Data is processed by Google LLC in accordance with Google's Privacy Policy. We use GA4's IP anonymization feature.
  • Microsoft Clarity — collects anonymized behavioral analytics including click heatmaps, scroll depth, and session recordings to help us understand how users interact with our website. Clarity may set cookies including _clck and _clsk. Session recordings automatically mask sensitive input fields. Data is processed by Microsoft Corporation in accordance with Microsoft's Privacy Statement.

You can control cookie preferences through your browser settings. Disabling cookies may affect your experience but will not prevent you from using the Service.

14. Children's Privacy

Our Service is not directed to individuals under 18. We do not knowingly collect information from children.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last updated" date.

16. Contact Us

If you have questions about this Privacy Policy, contact us at:

Phone Stack Corp.
Email: privacy@phonestack.com
San Francisco, CA, United States