GDPR Compliance

Last updated: October 24, 2025

Akol is committed to GDPR compliance and protecting the rights of individuals in the European Economic Area (EEA). This page outlines our GDPR practices and your rights.

🇪🇺

European Data Protection

Fully compliant with the General Data Protection Regulation (GDPR)

Our Role Under GDPR

As Data Controller

We act as a data controller for information we collect directly from you, such as account registration data, billing information, and communications with us.

As Data Processor

We act as a data processor for call data and customer information processed through our Service on your behalf, according to your instructions and our DPA.

Legal Bases for Processing

We process personal data based on the following legal grounds:

Contract Performance

Processing necessary to provide our Service

Legitimate Interests

Improving our services, security, and fraud prevention

Consent

Marketing communications and optional features

Legal Obligations

Compliance with applicable laws

Your Rights Under GDPR

If you are in the EEA, you have the following rights regarding your personal data:

Right of Access

Request a copy of the personal data we hold about you

Right to Rectification

Request correction of inaccurate or incomplete personal data

Right to Erasure

Request deletion of your personal data ("right to be forgotten")

Right to Restrict Processing

Request that we limit how we use your personal data

Right to Data Portability

Request your data in a structured, machine-readable format

Right to Object

Object to processing based on legitimate interests or for direct marketing

Automated Decision Rights

Rights regarding automated decision-making and profiling

How to Exercise Your Rights

To exercise any of these rights, please contact our Data Protection Officer. We will respond to your request within 30 days.

Email DPO

[email protected]

International Data Transfers

When we transfer personal data outside the EEA, we ensure appropriate safeguards:

Standard Contractual Clauses approved by the European Commission

Adequacy decisions where applicable

Binding Corporate Rules for group companies

Data Processing Agreement

For customers processing EEA personal data, we offer a Data Processing Agreement (DPA) that includes:

Standard Contractual Clauses

Technical and organizational security measures

Sub-processor list and notification process

Data breach notification procedures

Audit rights

To request our DPA, please contact [email protected]

Sub-Processors

We use the following categories of sub-processors. A complete list is available upon request.

Provider	Category	Region
AWS	Cloud Infrastructure	Global
Google Cloud	Cloud Infrastructure	Global
Stripe	Payment Processing	US/EU
Twilio	Communications	Global

Data Retention

After termination of your account, data is retained according to the following schedule:

Account data

30 days after deletion

Call recordings

30 days (or configured)

Backups

90 days

Anonymized analytics

Indefinite

Security Measures

Technical & Organizational Measures

Encryption at rest and in transit

Access controls and authentication

Regular security assessments

Employee training and confidentiality

Incident response procedures

Data Protection Officer

Our Data Protection Officer can be contacted at: