Sub-Processors
LucroVox uses the following third-party sub-processors to deliver our AI voice agent platform. Each sub-processor is bound by a Data Processing Agreement (DPA) that meets the requirements of UK GDPR, the EU General Data Protection Regulation, and applicable international transfer safeguards (Standard Contractual Clauses or equivalent).
Change notification: We will notify customers at least 30 days before adding a new sub-processor or materially changing the scope of an existing one. Customers who object may terminate their DPA by contacting privacy@lucrovox.com within the notice period.
Current Sub-Processors
| Sub-Processor | Purpose | Data Processed | Location | Category |
|---|---|---|---|---|
| Twilio Inc. | Telephony infrastructure, phone number provisioning, call routing, media streaming | Caller phone number, call audio (real-time stream only, not stored), call metadata (duration, timestamps). No audio recordings are created. | US, UK, EU | Core |
| OpenAI | AI inference for real-time voice conversation (Realtime API), system prompt generation | Call audio (streamed in real-time, not stored by OpenAI), AI-generated conversation transcripts (processed in real-time, not retained by OpenAI per API DPA). LucroVox stores transcripts for up to 3 months. | US | Core |
| Supabase Inc. | Primary database, user authentication, row-level security, real-time subscriptions | Customer account data, lead records, call logs, transcripts, partner data, authentication tokens | US, EU | Infrastructure |
| Stripe Inc. | Payment processing, subscription billing, invoicing, customer payment portal | Customer name, email, billing address, payment method tokens (card details handled by Stripe, never touch LucroVox servers) | US, UK, EU | Payments |
| Twilio SendGrid | Transactional email delivery (welcome emails, lead notifications, onboarding, partner communications) | Recipient email address, email subject, email body content (lead details, appointment confirmations) | US | Communications |
| Netlify Inc. | Web application hosting, CDN, edge functions, SSL/TLS | HTTP request logs (IP address, user agent, URL), static assets. No application data stored. | Global (CDN) | Infrastructure |
| Render Inc. | Voice engine application hosting (WebSocket server for real-time AI conversations) | Application logs (anonymised), runtime environment. Call audio is streamed through, not persisted. | US | Infrastructure |
| Cloudflare Inc. | DNS, DDoS protection, Turnstile CAPTCHA (bot detection on forms) | HTTP request metadata (IP, headers), CAPTCHA challenge tokens. No application data stored. | Global (CDN) | Infrastructure |
Transfer Safeguards
Where personal data is transferred outside the UK or EEA, LucroVox ensures that appropriate safeguards are in place. All US-based sub-processors listed above are bound by Standard Contractual Clauses (SCCs) as part of their DPA terms, and where applicable, are certified under the EU-US Data Privacy Framework.
Data Retention by Sub-Processors
Sub-processors retain data only as long as necessary to provide their service. LucroVox's own retention policy (detailed in our UK Privacy Notice and US Privacy Policy) governs how long we instruct sub-processors to retain data on our behalf. Upon account termination, we instruct all sub-processors to delete customer data within 30 days unless a longer retention period is required by law.
Questions
For questions about our sub-processors, data processing practices, or to exercise your data rights, contact:
LucroVox Data Protection
Email: privacy@lucrovox.com
UK Contact: LucroVox UK, Wimbledon, London, United Kingdom