Privacy Policy
Last updated: April 24, 2026
Important: This Privacy Policy explains how we collect, use, and protect your personal data when you use our platform.
1. Who We Are
This Privacy Policy explains how Disfuse ("we," "us," "our") collects, uses, and protects your personal data when you use our platform Wasapia.
- Company name: Disfuse
- Address: Harju maakond, Tallinn, Tartu, mnt 67, 10115, Estonia
- Contact: hello[a]wasapia.com (Replace [a] with @. This is to prevent spam bots.)
- Role under GDPR: Data Processor (for client end-user data), Data Controller (for our own client account data).
1.1 Age Restrictions and Protection of Minors
Our platform is intended for business use. We do not impose age restrictions on account holders or end-users who interact with client-configured voice agents.
⚠️ Important for Clients:
Under GDPR Article 8, processing personal data of individuals under 16 years of age requires parental consent. THE CLIENT is solely responsible for ensuring compliance with child data protection laws, including obtaining appropriate parental consent when their voice agents interact with minors. We do not verify age and do not obtain parental consent on behalf of clients.
2. What Data We Collect
We process two categories of data:
a) Client Account Data (Controller role):
- Name, email, billing details, login credentials.
- Usage logs (access, configuration, error logs).
b) End-User Data from Call Transcripts (Processor role):
- Transcript content (text only, no audio).
- Metadata: phone number, date/time of call.
c) End-Customer Contact List Data (Processor role):
Clients may use the platform to create and manage their own contact lists containing their customers' information. This may include:
- Name, phone number, email address.
- Notes added by the client.
- Any other personal data the client decides to input.
d) Voice Data and Biometric Considerations
Voice patterns processed during phone calls may be considered biometric data under certain jurisdictions:
- Voice audio is processed in real-time by Twilio for speech-to-text transcription only
- Voice recordings are NOT stored by us or Twilio
- We do NOT perform voice recognition for identity verification purposes
- We do NOT create voiceprints or biometric profiles
- Voice data is used solely for transcription and AI-powered conversation
THE CLIENT's Responsibility: THE CLIENT is responsible for obtaining appropriate consent from end-users when processing voice data that may be considered biometric or special category data under applicable law (e.g., GDPR Article 9).
e) Post-Call Summary Notifications (Optional)
At THE CLIENT's discretion, we may send automated call summaries via:
- Email – via MailerSend (EU)
- Telegram – via Telegram Bot API (Dubai/Germany). Summary data is transmitted to Telegram's servers
- WhatsApp (available on request) – via Meta's WhatsApp Business API (Ireland/US). Summary data is transmitted to Meta's servers
- Custom webhooks – to THE CLIENT's own systems
When using Telegram or WhatsApp notifications, summary data (which may contain personal information from the call) is transmitted to these third-party platforms. These services have their own privacy policies and data processing terms.
3. How We Use Data
- To provide the transcription service.
- To maintain and improve the platform (e.g., error handling, security monitoring).
- For billing, customer support, and legal compliance.
- We do not sell or use personal data for advertising.
4. Legal Bases for Processing
We process personal data under:
- Performance of a contract (Art. 6(1)(b) GDPR) – to provide our services.
- Legal obligations (Art. 6(1)(c) GDPR).
- Legitimate interests (Art. 6(1)(f) GDPR) – service improvement and security.
5. Data Sharing and International Transfers
We share data with the following third-party service providers:
5.1 OpenAI (Artificial Intelligence Processing)
We use OpenAI's GPT models to power conversational voice agents. When you receive or make calls:
- Transcribed speech and conversation content is sent to OpenAI's API in real-time
- Personal data (including names, phone numbers, emails if shared during calls) is processed by OpenAI
- OpenAI processes the data to generate AI-powered natural language responses
- OpenAI retains API data for 30 days for abuse and misuse monitoring purposes
- OpenAI is headquartered in the United States and subject to US privacy laws
- Data transfers to OpenAI are not currently protected by formal Data Processing Agreements (DPAs)
- OpenAI's API data usage policy: https://openai.com/policies/api-data-usage-policies
5.2 Twilio (Telephony Infrastructure)
We use Twilio to handle phone call infrastructure:
- Twilio receives and routes all phone calls
- Twilio performs real-time speech-to-text transcription of voice audio
- Twilio processes phone numbers, call duration, and conversation metadata
- Voice audio is NOT stored – it is processed in real-time and discarded
- Twilio is headquartered in the United States and subject to US privacy laws
- Data transfers to Twilio are not currently protected by formal Data Processing Agreements (DPAs)
- Twilio's privacy policy: https://www.twilio.com/legal/privacy
5.3 Other Sub-Processors
- DigitalOcean (US/Germany) – Cloud hosting, database, and backups
- Stripe (US/Ireland) – Payment processing
- MailerSend (EU) – Transactional email delivery
- BetterStack (EU) – System logging and monitoring (5-day retention)
- Google Analytics (US) – Website usage analytics
- Tidio (Poland) – Customer support chat widget
⚠️ Important Notice on International Data Transfers
Many of our service providers are located in the United States. While we implement reasonable security measures, we do not currently have formal Data Processing Agreements (DPAs) or Standard Contractual Clauses (SCCs) in place with all providers. This may present compliance risks under GDPR. By using our service, you acknowledge and accept these limitations.
6. Data Retention
We retain different types of data for varying periods:
Call Transcripts and Conversations
- Transcripts are retained indefinitely until THE CLIENT manually deletes them via the platform
- Important: We reserve the right to delete transcripts after 10 days from the call date without prior notice for operational or storage management reasons
- If THE CLIENT's subscription expires or payment fails, transcripts may be deleted immediately (from the day following non-payment) without prior notice
- THE CLIENT is responsible for exporting and backing up important conversation data
⚠️ Data Loss Warning: We are not responsible for data loss if transcripts are deleted due to non-payment or after 10 days of storage. Clients must regularly export important data. No recovery is possible after deletion.
Other Data Retention Periods
- Session cache (Redis): Automatically expires after 1 hour
- OpenAI processing: OpenAI retains API data for 30 days for abuse monitoring, then permanently deletes it
- System logs: Retained for 5 days in BetterStack for security and debugging
- Database backups: Retained for 7 days by DigitalOcean
- Client account data: Retained while account is active, then up to 3 years for legal/accounting purposes
- Billing records: Retained for up to 7 years as required by tax laws
THE CLIENT may request earlier deletion of their data by contacting us at hello@wasapia.com. Deletion requests are processed within 30 days, subject to legal retention obligations.
7. Your Rights
As an individual, you may exercise your GDPR rights:
- Access: Request copies of your personal data
- Rectification: Request correction of inaccurate data
- Deletion: Request deletion of your data ("right to be forgotten")
- Restriction: Request limitation of processing
- Objection: Object to certain types of processing
- Data portability: Receive your data in a machine-readable format
If we process data on behalf of a client (as Data Processor), rights requests should be directed to that client (the Data Controller). We will assist the client in fulfilling such requests. You may also lodge a complaint with your local Data Protection Authority (Estonia: Andmekaitse Inspektsioon).
7.1 Automated Decision Making and AI-Powered Agents
Our platform enables clients to create AI-powered voice agents that may:
- Provide information and answers without human intervention
- Execute actions (e.g., schedule appointments, process requests, call external APIs) based on client-defined configurations
- Make recommendations or provide guidance
Important Notice (GDPR Article 22):
While our AI agents can execute automated actions, THE CLIENT (not Wasapia) is responsible for:
- Configuring agents appropriately and ensuring they comply with data protection laws
- Ensuring automated decisions do not produce legal effects or significantly affect individuals without proper safeguards
- Providing human oversight and review mechanisms where required by law
- Informing end-users about automated processing and their right to human intervention
AI-generated responses may contain errors or inaccuracies. We provide the technology platform; THE CLIENT determines how it is used.
If you interact with a client's AI voice agent and wish to contest an automated decision or request human review, please contact the client directly (the business you called). You have the right under GDPR Article 22 to not be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
8. Security
We apply technical and organizational measures to protect data against unauthorized access, loss, or misuse:
- Encryption in transit: All data transmitted over networks uses TLS/HTTPS encryption
- Encryption at rest: Database (MongoDB) is encrypted at rest
- Access controls: Role-based access to systems and data
- Backups: Automated daily backups retained for 7 days
- Session management: Temporary session data expires after 1 hour
- Monitoring: System logs retained for 5 days for security monitoring
Note: Temporary session cache (Redis) is not encrypted at rest but is isolated within our internal network and automatically expires.
8.1 Data Breach Notification
In the event of a personal data breach, we will:
- Notify THE CLIENT within 72 hours of becoming aware of the breach
- Notify affected individuals directly if the breach poses a high risk to their rights and freedoms
- Report the breach to the Estonian Data Protection Authority (Andmekaitse Inspektsioon) as required by GDPR Article 33
- Document all breaches, their effects, and remediation actions taken
- Cooperate with THE CLIENT in fulfilling their own notification obligations
9. Contact
If you have questions about this Privacy Policy or wish to exercise your rights, contact us at:
📧 hello[a]wasapia.com (Replace [a] with @. This is to prevent spam bots.)
Legal Notice
1. Ownership of the Website and Platform
The website and platform Wasapia are owned and operated by:
Disfuse
Harju maakond, Tallinn, Tartu, mnt 67, 10115, Estonia
2. Purpose
This website provides information about our transcription services and access to the client platform.
3. Intellectual Property
All contents of the website (software, texts, graphics, logos, designs) are owned by Disfuse or licensed to it. Any unauthorized reproduction, distribution, or modification is prohibited.
4. Use of the Website
- Users agree to use the website in accordance with applicable laws, good faith, and public order.
- It is prohibited to introduce malicious software, attempt unauthorized access, or misuse the platform in any way.
5. Liability
- Disfuse is not responsible for damages arising from misuse of the website or interruptions due to technical issues or force majeure.
- Links to third-party sites are provided for convenience; we are not responsible for their content.
6. Governing Law and Jurisdiction
This Legal Notice is governed by the laws of Estonia. Any disputes shall be resolved before the courts of Tallinn, Estonia.
Contact Information
If you have questions about this Privacy Policy, please contact us at: hello[a]wasapia.com (Replace [a] with @. This is to prevent spam bots.)
Legal Notice: This Privacy Policy constitutes a legally binding agreement between you and Disfuse. Please read it carefully and contact us if you have any questions about your rights and our data processing practices.