Privacy Policy
Last updated: January 9, 2026
1. Controller & Contact
Controller responsible for data processing under GDPR:
FluffyCall
Email: service@fluffycall.com
(Full company details will be added upon business registration)
Website: https://fluffycall.com
Data Protection Officer: For privacy questions, please contact: service@fluffycall.com
2. Basics of Data Processing
2.1 Scope: We process personal data of our users only to the extent necessary to provide the software platform FluffyCall.
2.2 Transparency: This Privacy Policy comprehensively informs you about what data we collect, how we use it, and what rights you have.
2.3 VoIP Service: FluffyCall provides a cloud-based software platform through which telecommunications services from external providers can be used. We do not provide our own telecommunications services. Processing of telecommunications data is exclusively performed by the VoIP provider Telnyx.
3. Legal Basis
The processing of your personal data is based on the following legal bases of the GDPR:
| Legal Basis | Purpose |
|---|---|
| Art. 6 (1) lit. b GDPR (Contract performance) | Registration, provision of service, billing, invoicing |
| Art. 6 (1) lit. c GDPR (Legal obligation) | Storage of invoices (10-year retention obligation), fulfillment of tax obligations |
| Art. 6 (1) lit. f GDPR (Legitimate interest) | Fraud prevention, system security, defense against attacks, service improvement |
| Art. 6 (1) lit. a GDPR (Consent) | Cookies, Google Analytics (activated only after consent via Consent Management Tool) |
4. Registration & Account Data
4.1 Data Collected During Registration
Registration is required to use FluffyCall. We collect the following data:
| Data | Purpose | Required |
|---|---|---|
| Company Name | Identification, invoicing | Yes |
| Legal Form (LLC, Corp, etc.) | Legal classification, invoicing | Yes |
| Country | Tax classification, invoicing | Yes |
| Company Email Address | Login, communication, invoice delivery (no free email providers allowed) | Yes |
| First & Last Name (Contact Person) | Contact person identification | Yes |
| Role/Position | Contact person assignment | Yes |
| VAT ID | Tax billing, reverse charge for EU foreign countries | One of the two required* |
| Commercial Register Number | Commercial identification, verification of B2B status | One of the two required* |
| Password (hashed with bcrypt) | Authentication | Yes |
| B2B Status (Confirmation) | Confirmation of commercial use (tax relevant) | Yes |
| IP Address (at registration) | Security, fraud prevention, abuse prevention | Automatic |
* To verify your business status, you must provide EITHER the VAT ID OR the Commercial Register Number. At least one of these is mandatory.
Legal Basis: Art. 6 (1) lit. b GDPR (Contract performance)
4.2 Password Security
Passwords are hashed with bcrypt and never stored in plain text. Even we have no access to your password.
5. Telephony & Connection Data
5.1 No Recording of Call Content
5.2 Stored Connection Data (Metadata)
For each call made through FluffyCall, the following connection data is stored:
| Data | Purpose |
|---|---|
| Called phone number | Billing, call history |
| Date & time | Billing, traceability |
| Call duration | Per-minute billing |
| Costs | Billing, transparency |
| Destination country/region | Price calculation, call history |
| Call status (successful/failed) | Support, quality assurance |
| Caller number (technical) | Technical assignment, fraud prevention |
| User ID (internal) | Assignment to your account, billing |
| Unique Call ID (Telnyx) | Technical tracking, support, dispute resolution |
Legal Basis: Art. 6 (1) lit. b GDPR (Contract performance - billing)
5.3 Telecommunications Data
FluffyCall uses VoIP services from Telnyx LLC. Telnyx is subject to telecommunications laws. These laws contain special protective provisions for telecommunications data.
We commit to:
- Using telecommunications data only for billing purposes
- Not sharing connection data with third parties (except our VoIP provider Telnyx)
- Not creating profiles of your usage behavior
- Deleting data after retention period expires
5.4 Storage & Retention
Retention Period: Connection data is stored in accordance with legal requirements (currently generally 6 months after the call) and then automatically deleted.
Legal Basis:
- Art. 6 (1) lit. b GDPR: Contract performance (billing, invoicing)
- Art. 6 (1) lit. c GDPR: Legal obligation (Retention is carried out for the legally required duration in accordance with applicable telecommunications and data protection regulations (currently telecommunications law § 100 - traffic data))
- Art. 6 (1) lit. f GDPR: Legitimate interest (fraud prevention, dispute resolution)
Automatic Deletion: Deletion occurs automatically after expiration of the respective retention period.
Right of Access: You can view your call history in the dashboard at any time and export it as a CSV file.
Data Processor: Connection data is processed by Telnyx LLC (USA) as a technical service provider. However, data storage takes place on EU servers in Germany (see section 6.1).
6. Processors & Third Countries
To provide FluffyCall, we use external service providers (processors). We have concluded Data Processing Agreements (DPAs) in accordance with Art. 28 GDPR with all service providers.
6.1 Telnyx LLC (VoIP Infrastructure)
| Aspect | Details |
|---|---|
| Purpose | Provision of VoIP infrastructure for outbound calls |
| Data Storage | Germany (EU Data Residency) |
| Provider | Telnyx LLC, 311 W Superior St #500, Chicago, IL 60654, USA |
| Processed Data | Called phone number, call duration, timestamp, technical connection metadata |
| Legal Basis | Art. 6(1)(b) GDPR (contract performance) |
| Data Processing | Data Processing Addendum (DPA) with EU Standard Contractual Clauses (SCCs) |
| Retention Period | According to legal and tax requirements |
| More Information | https://telnyx.com/privacy-policy https://telnyx.com/legal/data-processing-addendum |
6.2 Stripe (Payment Processing)
| Aspect | Details |
|---|---|
| Purpose | Processing credit card payments |
| Location | Stripe Payments Europe Ltd. (Ireland) & Stripe Inc. (USA) |
| Processed Data | Payment data (credit card data is stored ONLY by Stripe, not by FluffyCall) |
| Legal Basis Third Country | EU Commission Standard Contractual Clauses (Art. 46 GDPR) |
| Website | https://stripe.com/privacy |
Important: FluffyCall does NOT store credit card data. Payment data is processed and stored exclusively by Stripe.
6.3 Hetzner Online GmbH (Hosting)
| Aspect | Details |
|---|---|
| Purpose | Hosting of FluffyCall platform and database |
| Location | Germany (data center in Falkenstein) |
| Processed Data | All data stored on FluffyCall (account, call history, etc.) |
| Legal Basis | Data Processing Agreement pursuant to Art. 28 GDPR |
| Website | https://www.hetzner.com/legal/privacy-policy |
7. Retention Periods
We delete your data as soon as the purpose of storage ceases and no legal retention obligations exist.
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Account data (email, password) | Until account deletion + 30 days | Contract performance |
| Call history (connection data) | 6 months after call | Billing purposes (telecommunications law) |
| Invoices | 10 years from invoice date | Tax retention obligation |
| Login logs (IP addresses) | 30 days | Security, fraud prevention |
| Google Analytics data | 14 months | Consent (can be revoked) |
7.1 Deletion After Account Deletion
Upon deletion of your account, your data is handled as follows:
- Account data (email, password): Deleted after 30 days
- Call history: Deleted after 6 months (if not older)
- Invoices: Retained for 10 years (legal obligation)
- Remaining credit: Expires without compensation
8. Cookies & Tracking
8.1 Necessary Cookies
FluffyCall uses technically necessary cookies to ensure platform functionality:
| Cookie | Purpose | Lifetime |
|---|---|---|
| session_id | Session management (login status) | Session (until logout) |
| auth_token | Authentication | 7 days |
Legal Basis: Art. 6 (1) lit. f GDPR (legitimate interest - technical necessity)
8.2 Google Analytics
FluffyCall uses Google Analytics 4, a web analytics service by Google Ireland Limited ("Google"). Google Analytics is only used after prior consent via our Consent Management Tool.
Purpose: Analysis of user behavior to improve the website
Collected Data:
- Page views
- Session duration
- Device information (browser, operating system)
- Anonymized IP addresses
Legal Basis: Art. 6 (1) lit. a GDPR (Consent - if given)
Third Country Transfer: Google Analytics may transfer data to the USA (Standard Contractual Clauses)
Opt-Out: You can disable Google Analytics: Google Analytics Opt-Out
More Information: Google Privacy Policy
9. Data Security
We implement extensive technical and organizational measures to protect your data from unauthorized access, loss or misuse:
9.1 Technical Measures
- SSL/TLS Encryption: All data transmissions are encrypted (HTTPS)
- Password Hashing: Passwords are hashed with bcrypt (not in plain text)
- Access Control: Strict access restrictions on servers and databases
- Firewall & Rate Limiting: Protection against unauthorized access and DDoS attacks
- Regular Backups: Daily encrypted backups
- Fraud Protection: Automatic detection of suspicious activities
9.2 Organizational Measures
- Access to customer data only for authorized personnel
- Obligation of all employees to confidentiality
- Regular security updates
- Incident response plan for data breaches
10. Your Rights
You have the following rights regarding your personal data:
10.1 Right of Access (Art. 15 GDPR)
You can request information about the data we store at any time.
10.2 Right to Rectification (Art. 16 GDPR)
You can request correction of inaccurate data.
10.3 Right to Erasure (Art. 17 GDPR)
You can request deletion of your data, unless legal retention obligations exist (e.g. invoices).
10.4 Right to Data Portability (Art. 20 GDPR)
You can export your call history as a CSV file.
10.5 Right to Object (Art. 21 GDPR)
You can object to the processing of your data on grounds relating to your particular situation.
10.6 Right to Restriction of Processing (Art. 18 GDPR)
You can request restriction of the processing of your data.
10.7 Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority.
Relevant Supervisory Authority:
[Your country's data protection authority - e.g. for Germany:]
Website: https://www.bfdi.bund.de
10.8 Exercising Your Rights
To exercise your rights, please contact us at:
Email: service@fluffycall.com
Subject: "Privacy Request"
We will process your request within 30 days.
11. Changes to Privacy Policy
11.1 Adjustments: We reserve the right to adapt this Privacy Policy to reflect changes in law or changes to our services.
11.2 Notification: We will inform you by email about substantial changes.
11.3 Current Version: The current version is always available at https://fluffycall.com/en/privacy.html.