Privacy Policy - Outcraft AI
Effective Date: Feb 22, 2026
Legal Entity: MB Omera, V. Nagevičiaus g. 3, LT-08237 Vilnius, Lithuania. Company Code: 307358184
1. Introduction
Who we are
This Privacy Policy is issued by MB Omera (trading as Outcraft.ai), a company registered in Lithuania with company code 307358184, with registered address at V. Nagevičiaus g. 3, LT-08237 Vilnius, Lithuania ("we," "us," "our," or "Outcraft.ai").
Purpose of this Privacy Policy
This Privacy Policy explains how Outcraft.ai collects, uses, and protects personal data when you use our services. It applies to:
- Our clients (businesses that subscribe to our AI-powered voice communication platform)
- Client personnel (individuals who access and use our platform on behalf of our clients)
- Website visitors (individuals who visit our website)
- End users (individuals who interact with our AI voice assistants when called by our clients)
Our role under data protection law
We act in different capacities depending on the context:
As a data controller: For our own business purposes (e.g., managing client accounts, billing, marketing, website analytics), we act as a data controller.
As a data processor: When our clients use our platform to make calls and interact with individuals (end users), we process personal data on behalf of our clients. Our clients are responsible for ensuring they have a lawful basis (such as consent) for providing that data. Our clients are the data controllers for this processing.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time. Updates will be posted with a new effective date. We encourage you to review this Privacy Policy periodically. If we make material changes, we will notify you by email (if you have provided your email address) or through a prominent notice on our website.
Scope and Jurisdiction
This Privacy Policy applies to individuals located in the European Union, United States, and other jurisdictions in which Outcraft AI operates.
Where specific provisions apply only to residents of certain jurisdictions (such as the European Economic Area or California), such provisions are identified separately.
2. Information We Collect
The personal data we collect depends on how you interact with us.
2.1 Data We Collect as Data Controller
From our clients and client personnel:
Account details (name, email, company, login credentials)
Billing and payment info (processed securely by third-party providers)
Job title, phone number, business address
Support inquiries and communications
Communication preferences (e.g., whether you wish to receive marketing emails)
From website visitors:
Automatically collected log data, device data, usage analytics, and cookies, including:
- IP address
- Browser type and version
- Operating system
- Referring URLs
- Pages visited and time spent on pages
- Device identifiers
Information you provide when contacting us:
When you contact us via email, contact forms, or live chat, we collect the information you provide, including your name, email address, and the content of your inquiry.
2.2 Data We Process as Data Processor (on behalf of our clients)
When our clients use our platform, we process the following categories of personal data on their behalf:
Leads/contacts uploaded by clients (names, emails, phone numbers, etc.)
Contact details: Names, email addresses, phone numbers, postal addresses
Voice data: Audio recordings of calls, call transcripts
Conversation content: Information shared during AI-powered voice calls
Call metadata: Call duration, timestamp, call outcome, caller ID, technical parameters
Customer identifiers: Customer IDs, order numbers, account references provided by our clients
Any other information our clients choose to upload or process through our platform
Important: For this data, our clients are the data controllers. They determine the purposes and means of processing. We process this data solely on their instructions. If you have questions about how your personal data is used by one of our clients, or wish to exercise your data protection rights, please contact the client directly.
2.3 Categories of Personal Information Collected (U.S. Disclosure)
For transparency purposes and in accordance with U.S. state privacy laws (including CCPA/CPRA), the table below outlines categories of personal information collected in the preceding 12 months:
| Category | Examples | Purpose |
|---|---|---|
| Identifiers | Name, email, phone number | Account creation |
| Commercial information | Billing data | Payment processing |
| Internet activity | IP address, logs | Security |
| Audio information | Call recordings | Service functionality |
| Professional information | Job title | CRM usage |
3. Legal Basis for Processing and Purposes
3.1 When We Act as Data Controller
We process personal data on the following legal bases:
Contract performance (GDPR Article 6(1)(b)):
We use data to provide and maintain services, process payments, and manage subscriptions. This includes:
- Creating and managing client accounts
- Providing access to our platform
- Processing billing and payments
- Providing customer support
- Communicating with you about your account and our services
Legitimate interests (GDPR Article 6(1)(f)):
We use data to improve performance and user experience, and to send account-related communications. Our legitimate interests include:
- Improving our platform and services
- Conducting analytics and research to understand how our services are used
- Detecting and preventing fraud, security threats, and technical issues
- Managing our business operations
- Defending legal claims
Consent (GDPR Article 6(1)(a)):
We send marketing updates (if opted in). We will only send marketing communications with your explicit consent. You can withdraw consent at any time by clicking "unsubscribe" in any marketing email or contacting us at will@outcraft.ai.
Legal obligation (GDPR Article 6(1)(c)):
We comply with legal obligations, such as:
- Retaining financial records for tax purposes
- Responding to lawful requests from authorities
- Complying with court orders
3.2 When We Act as Data Processor
When processing personal data on behalf of our clients, we do so solely on their documented instructions as set out in our Data Processing Agreement. The legal basis for this processing is determined by our clients (the data controllers).
4. Cookies and Similar Technologies
What are cookies?
Cookies are small text files stored on your device when you visit our website. They help us provide and improve our services.
Types of cookies we use
We use cookies for login sessions, analytics, and functionality.
Strictly necessary cookies: Essential for the website to function properly (e.g., authentication, security). These do not require consent under ePrivacy law.
Analytics cookies: Help us understand how visitors use our website (e.g., Google Analytics). These require consent.
Functionality cookies: Remember your preferences and settings. These require consent.
Marketing cookies: Track your browsing to deliver targeted advertising. We currently do not use marketing cookies.
Cookie consent and control
When you first visit our website, we will ask for your consent to use non-essential cookies via a cookie banner.
You can disable cookies in your browser, but some features may not work. You can manage cookie settings through:
- Your browser settings
- Our cookie consent banner (click "Cookie Settings" in the footer)
Third-party cookies
We use the following third-party services that may set cookies:
- Google Analytics: To analyse website traffic and usage patterns
- [Other services to be listed as applicable]
For more information about how these third parties use cookies, please see their respective privacy policies.
5. How We Share Personal Data
We do not sell, rent, or trade personal data.
We do not sell or share personal information as those terms are defined under applicable U.S. state privacy laws.
We may share data with service providers (hosting, payments, analytics, email delivery, AI providers).
Service providers and sub-processors
We share personal data with trusted third-party service providers who assist us in operating our platform and business. These include:
Infrastructure and hosting:
- Amazon Web Services (AWS) - Cloud hosting in Germany (EU)
AI and voice processing:
- OpenAI - AI-based processing (transcription, natural language processing)
- VAPI AI - Voice AI processing
- Twilio - Telephony and messaging services
Security and performance:
- Cloudflare - Content delivery, DDoS protection, web application firewall
Payment processing:
- Stripe - Secure payment processing
- Wise - International payment processing
Analytics:
- Google Analytics - Website analytics
Customer support and communication:
- Google Workspace – Internal business email communications. Customer-facing email communications are sent via customers' own email providers, integrated through the Outcraft AI platform.
All service providers are contractually bound to protect personal data and use it only for the purposes we specify. Where service providers are located outside the EU/EEA, we ensure appropriate safeguards are in place (see Section 7 - International Transfers).
Legal requirements
We may share data with legal authorities when required by law, including:
- To comply with legal obligations, court orders, or lawful requests from authorities
- To protect our rights, property, or safety, or that of our clients, users, or the public
- To detect, prevent, or address fraud, security, or technical issues
Business transfers
We may share data in connection with business transfers (e.g., mergers, acquisitions). If Outcraft.ai is involved in a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity. We will notify you of such a transfer and any choices you may have.
With your consent
We may share personal data with third parties where you have given us explicit consent to do so.
6. International Data Transfers
Where we store and process data
Data may be transferred outside the EU with safeguards such as Standard Contractual Clauses or compliance with frameworks like the EU-U.S. Data Privacy Framework.
Primary data storage: Customer personal data is hosted on Amazon Web Services (AWS) in Frankfurt, Germany (EU).
Transfers to third countries: Some of our service providers are located in, or process data in, countries outside the EU/EEA, including:
- United States: OpenAI, VAPI AI, Twilio, Google Analytics
Safeguards for international transfers
Where we transfer personal data outside the EU/EEA, we ensure appropriate safeguards are in place as required by GDPR Chapter V:
Standard Contractual Clauses (SCCs): We use the European Commission's approved Standard Contractual Clauses with service providers in third countries.
UK International Data Transfer Addendum: For transfers from the UK, we use the UK IDTA where applicable.
EU-US Data Privacy Framework: Where service providers participate in the EU-US Data Privacy Framework, we rely on this adequacy mechanism.
7. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected or to comply with legal obligations.
7.1 Data We Control
Account data is kept whilst active. Specifically:
Client account data: Retained for the duration of the client relationship plus 2 years after account closure (to handle queries, disputes, and legal claims).
Billing and payment records: Retained for 10 years after the end of the financial year to which they relate (to comply with tax and accounting obligations).
Support communications: Retained for 3 years after the last interaction (to maintain service records and handle follow-up queries).
Usage analytics: Generally retained for up to 24 months.
Website analytics and cookies: Retained for up to 24 months.
Marketing communications: Retained until you withdraw consent, unsubscribe or a term indicated in the consent has passed. In case of withdrawal, we retain a suppression record to honour your preferences.
7.2 Data We Process on Behalf of Clients
Leads' data is retained as directed by clients.
When acting as a processor, we retain data in accordance with our clients' instructions and our Data Processing Agreement.
8. Security Measures
We implement encryption, access controls, and secure hosting, but cannot guarantee 100% security.
We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include:
Encryption:
- Data in transit: HTTPS with TLS 1.3
- Data at rest: AES-256 encryption via AWS-managed encryption
- Application-level encryption for sensitive fields (names, emails, phone numbers)
Access controls:
- Multi-factor authentication (MFA) mandatory for all personnel
- Role-based access control (RBAC) with least-privilege principles
- Regular access reviews and prompt revocation upon employee departure
Infrastructure security:
- Hosting on AWS in private Virtual Private Cloud (VPC)
- Databases not publicly accessible
- Web Application Firewall (WAF) via Cloudflare and AWS
- Containerised deployments (Docker)
Monitoring and incident response:
- Continuous monitoring using CloudWatch, Grafana, and uptime tools
- Security logging and alerting
- Logs retained for minimum 6 months
- Incident response procedures for data breaches
Vulnerability management:
- Automated dependency and vulnerability scanning
- Regular security updates and patching
- Container image scanning
Whilst we take appropriate measures to protect your data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.
9. Your Rights Under GDPR
Depending on your jurisdiction, you may have rights to:
9.1 Rights Applicable When We Are Data Controller
If we process your personal data as a data controller (e.g., as a client, client personnel, or website visitor), you have the following rights under the GDPR:
Right of access (Article 15):
Access your data. You can request a copy of the personal data we hold about you.
Right to rectification (Article 16):
Correct your data. You can ask us to correct inaccurate or incomplete data.
Right to erasure (Article 17):
Delete your data. You can request deletion of your personal data in certain circumstances (e.g., when it's no longer necessary, you withdraw consent, or you object to processing).
Right to restrict processing (Article 18):
Restrict processing. You can ask us to temporarily limit how we use your data whilst we verify accuracy or assess your objection.
Right to data portability (Article 20):
Data portability. You can request your data in a structured, machine-readable format and have it transferred to another controller.
Right to object (Article 21):
Object to processing. You can object to processing based on legitimate interests or for direct marketing purposes. We must stop processing unless we have compelling legitimate grounds that override your interests.
Right to withdraw consent (Article 7(3)):
Withdraw consent. Where processing is based on consent, you can withdraw it at any time. This will not affect the lawfulness of processing before withdrawal.
Right to lodge a complaint (Article 77):
File a complaint with a Data Protection Authority. You have the right to complain to your local supervisory authority if you believe we have not complied with data protection law.
Relevant supervisory authorities:
- Lithuania: State Data Protection Inspectorate (https://vdai.lrv.lt)
- Your country: Find your local authority at https://edpb.europa.eu/about-edpb/about-edpb/members_en
9.2 Rights Applicable When We Are Data Processor
If your personal data is processed by one of our clients using our platform (e.g., you were called by our client's AI agent), our client is the data controller. You should exercise your rights by contacting the client directly.
We will assist our clients in responding to data subject requests as required under our Data Processing Agreement.
9.3 California Privacy Rights
Additional Disclosures for California Residents
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including:
- The right to know what personal information we collect
- The right to request deletion
- The right to correct inaccurate information
- The right to opt out of the sale or sharing of personal information
- The right to limit use of sensitive personal information
- The right to non-discrimination for exercising your rights
We do not sell personal information as defined under CCPA.
To exercise your rights, contact: will@outcraft.ai
How to exercise your rights
To exercise any of the above rights, please contact us at:
- Email: will@outcraft.ai
- Post: MB Omera, V. Nagevičiaus g. 3, LT-08237 Vilnius, Lithuania
We will respond to your request within 1 month (extendable by 2 months for complex requests). We may ask you to verify your identity before processing your request.
10. Additional Rights for California Residents (CCPA)
California residents have rights to know, delete, and correct their data. We do not sell personal data. Contact us at will@outcraft.ai to exercise rights.
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
Right to know: You can request information about the categories and specific pieces of personal information we have collected, the sources, purposes, and categories of third parties with whom we share it.
Right to delete: You can request deletion of your personal information, subject to certain exceptions.
Right to correct: You can request correction of inaccurate personal information.
Right to opt-out of sale/sharing: We do not sell or share personal information for cross-context behavioural advertising.
Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
If you are a California resident, you have the following additional rights:
- Right to Know
- Right to Delete
- Right to Correct
- Right to Opt-Out of Sale or Sharing
- Right to Limit Use of Sensitive Personal Information
- Right to Non-Discrimination
We do not sell or share personal information for cross-context behavioural advertising.
To exercise your rights, contact: will@outcraft.ai
11. Children's Privacy
Our services are designed for businesses and are not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children under 18 (or 16 in the EU, or the age of digital consent in your jurisdiction).
If we become aware that we have collected personal data from a child without appropriate parental consent, we will take steps to delete that information as soon as possible.
If you believe we have collected information from a child, please contact us at will@outcraft.ai.
12. AI Transparency
Our platform uses artificial intelligence (AI) to power voice communication services. In accordance with the EU AI Act (Regulation (EU) 2024/1689), we provide the following information:
AI system disclosure: When individuals interact with our AI-powered voice agents (deployed by our clients), they are interacting with an AI system. Our clients are required to ensure individuals are informed they are speaking with AI.
No high-risk classification: Our AI system is not classified as "high-risk" under the AI Act Annex III. It does not make consequential automated decisions about individuals (e.g., concerning employment, credit, education, or access to essential services).
Prohibited practices: We do not use AI for prohibited purposes under AI Act Article 5, including subliminal manipulation, exploitation of vulnerabilities, social scoring, or real-time biometric identification in public spaces.
Voice data processing: Our AI processes voice data to transcribe speech, understand intent, and generate responses. This processing is performed by third-party AI providers under strict contractual terms prohibiting unauthorised use of data.
AI Interaction and Call Recording Disclosure
Our Services enable our clients to record and transcribe telephone calls using AI-powered technology.
When individuals interact with AI voice agents deployed by our clients, voice data may be recorded and processed.
Certain jurisdictions, including certain U.S. states, require one-party or all-party consent before recording calls.
Our clients are solely responsible for:
- Providing legally required notice
- Obtaining necessary consent
- Ensuring compliance with applicable telecommunications and call recording laws
Outcraft.ai does not independently initiate calls and acts solely as a service provider processing data on behalf of its clients.
13. Contact Us
If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:
MB Omera (trading as Outcraft.ai), V. Nagevičiaus g. 3, LT-08237 Vilnius, Lithuania, company code: 307358184
Email: will@outcraft.ai
Website: www.outcraft.ai