Nolloe - Privacy Policy
Last updated 20 September 2025
We run inbound AI that handles calls and emails and hands clean context to your team. We collect only what we need to run and improve the Service. You control your Customer Data; we process it for you. We use reasonable security, keep data only as long as needed, honor legal rights (GDPR/CPRA, etc.), and do not sell personal information. You can request access, deletion, opt out of marketing, and more.
1) Who We Are
Nolloe, Inc. (“Nolloe,” “we,” “us”) provides inbound AI agents and related tools. This Privacy Policy explains how we collect, use, disclose, and protect Personal Data when you visit our sites, use our dashboards/APIs, or interact with our agents.
2) Scope & Roles
- For Customer Data you submit to the Service (contacts, calls/recordings/transcripts, emails, tickets, CRM fields), we act as a processor/service provider to you. Your separate agreement with us (and our DPA) governs.
- For Nolloe sites/accounts/marketing (our own analytics, billing records, sign-up info), we act as a controller/business.
3) Information We Collect
A. You Provide: account details (name, email, phone, company), billing/payment info (handled by our payment processor/Merchant of Record), playbooks/prompts, and support requests.
B. Through the Service: call audio and transcripts, email content, attachments, tickets, metadata (timing, routing, agent decisions), connection details (IP, browser/OS, device IDs), event logs, and diagnostic telemetry.
C. Cookies/Tags: we may use cookies, local storage, beacons, pixels (e.g., analytics/attribution like Meta Pixel or server-side Conversions API) to measure usage and improve experience. Cookie choices may affect functionality.
D. From Integrations: data we obtain from your connected systems (telephony, CRM, helpdesk, analytics, ads), strictly to provide the Service.
4) How We Use Data
- Provide, maintain, secure, and troubleshoot the Service;
- Transcribe, summarize, classify, route, and respond via AI models;
- Measure reply speed, deflection, bookings, and handoff quality;
- Improve quality and safety (e.g., abuse, fraud, DNC/consent checks);
- Provide support, training, and announcements;
- Analyze usage and develop new features;
- Comply with law, enforce terms, and protect rights;
- Create aggregated/de-identified insights (never to re-identify).
We do not sell Personal Data. We may show case studies/metrics, but only with appropriate permissions or de-identification.
5) Legal Bases (EEA/UK)
Where GDPR/UK GDPR applies, we rely on: (i) contract necessity (to provide the Service), (ii) legitimate interests (quality, security, analytics), (iii) consent (where required, e.g., marketing or recording), and (iv) legal obligation.
6) Sharing
We share Personal Data with:
- Processors/Sub-processors (cloud hosting, model providers, carriers, relays, analytics, payments);
- Enterprise customers (your employer) regarding your account usage on enterprise plans;
- Legal and safety recipients when required by law or to protect rights;
- Corporate transaction parties (mergers, acquisitions) under standard safeguards.
We require recipients to protect data and use it only for the intended purpose.
7) International Transfers
We may transfer data to the United States and other countries. Where required, we use Standard Contractual Clauses (SCCs) and the UK Addendum for cross-border transfers.
8) Retention
We retain Personal Data only as long as necessary for the purposes above, then delete or de-identify it. Default retention periods may be configured by you (e.g., for recordings and logs). Backups may persist for limited periods.
9) Security
We implement reasonable administrative, technical, and physical safeguards (encryption in transit, restricted access, logging, key management, and secure development practices). No system is 100% secure; report security incidents to security@nolloe.com.
10) Your Rights
EEA/UK: access, rectification, erasure, restriction, objection, portability, and withdrawal of consent.
US (CA/CO/CT/VA/UT and others): know/access, delete, correct, portability, limit use/disclosure of sensitive data, and opt out of targeted advertising or “sale/share.” We honor Global Privacy Control (GPC) signals where required.
How to exercise: email privacy@nolloe.com with your request and region. We will verify and respond as required by law.
11) Marketing; Opt-Outs
You can opt out of marketing emails via the unsubscribe link. For SMS, reply STOP. You can manage cookies via our cookie banner or browser settings. Service and transactional notices will still be sent where necessary.
12) Children
The Service is not for children under 18, and we do not knowingly collect children’s data.
13) Cookies & Tracking Summary
We may use necessary, functional, analytics, and advertising cookies. See our Cookie Notice for categories, retention, and partners. Some measurement (e.g., server-side CAPI) occurs without client-side cookies.
14) Do Not Track; GPC
We do not respond to browser Do Not Track signals but will honor Global Privacy Control (GPC) signals where we are legally required to treat them as an opt-out of sale/share.
15) Changes to this Policy
We may update this Policy. Material changes will be posted or notified. Continued use after the effective date means you accept the changes.
16) Contact
Nolloe, Inc.
Attn: Privacy
[Insert Address]
Email: privacy@nolloe.com / dpo@nolloe.com
Addenda (Summaries)
A) Data Processing Addendum (DPA)
- Roles: You = Controller/Business; Nolloe = Processor/Service Provider.
- Purpose limitation: we process Customer Data only to provide the Service.
- Sub-processors: listed publicly; notice for changes; right to object on reasonable grounds.
- Security: administrative/technical safeguards; encryption in transit; access controls; logging; vulnerability management.
- Breach notice: without undue delay and no later than 72 hours after confirmation.
- Assistance: data subject requests, DPIAs, and consultations.
- Return/deletion: at termination or upon request, subject to backups and law.
- Transfers: SCCs/UK Addendum where required.
B) Business Associate Addendum (BAA)
- Scope: only when you are a Covered Entity/Business Associate and send PHI.
- Permitted uses: as required to provide the Service; minimum necessary.
- Safeguards: HIPAA-aligned administrative, physical, technical safeguards.
- Incident reporting: prompt notice of Security Incidents and Breaches; cooperation on mitigation.
- Subcontractors: bound by HIPAA-compliant terms.
- Termination: return or destroy PHI upon termination where feasible.
Implementation Notes
- Replace YOUR-DOMAIN, addresses, and emails.
- Link a public Sub-processors page and Cookie Notice.
- Add a “Do Not Sell/Share My Personal Information” link (for CPRA) and honor GPC.
- If you handle PHI, sign the BAA before ingesting PHI.
- Add an Arbitration Opt-Out email inbox and workflow.
- Configure recording disclosures and consent capture per state/country.
- Keep an internal DNC and consent log.