GDPR-Compliant Cloud Telephony for Businesses
Our browser-based cloud telephony is designed to be GDPR-compliant and is exclusively aimed at business customers. The processing of personal data is based on clear legal grounds, with defined responsibilities and documented technical and organizational measures.
Data Processing & Server Locations
Depending on the target region, routing, and phone number, call data and metadata may be processed in different data centers. This may also include processing outside the European Union.
In such cases, data transfers are exclusively based on appropriate safeguards in accordance with Art. 46 GDPR, in particular through the conclusion of Standard Contractual Clauses (SCCs) with our infrastructure partners.
Data Processing Agreement & Legal Basis
For the use of our B2B cloud telephony, we conclude a Data Processing Agreement (DPA) with our customers in accordance with Art. 28 GDPR. This regulates the purpose, scope, and duration of data processing as well as the obligations of all parties involved.
Our infrastructure partners (e.g., carriers and network operators) are exclusively engaged as sub-processors and are contractually obligated to comply with GDPR.
Technical & Organizational Measures (TOMs)
To protect your data, we have implemented comprehensive technical and organizational measures:
🔐 Encryption
Transport encryption and, where technically possible, end-to-end encryption for signaling and media streams.
🔑 Access Controls
Strict role and permission concepts for internal systems and customer access.
📊 Monitoring & Logging
Continuous monitoring of systems and logging of security-relevant events.
Anti-Fraud & Abuse Protection
To protect our customers, we use automated mechanisms to detect anomalies, unusual usage patterns, and potential abuse. These include limits, warning systems, and manual reviews in case of irregularities.
These measures serve your security and prevent unauthorized use of your account as well as financial damage from toll fraud and other fraud attempts.
Data Retention & Deletion Periods
Call metadata (date, time, duration, phone numbers) are stored for billing purposes and automatically deleted after 6 months. Call contents are not recorded or stored.
Account data (name, email, payment information) are stored for the duration of the business relationship. After account termination, deletion occurs in accordance with legal retention requirements (e.g., HGB, AO).
Your Rights as a User
Under GDPR, you have the following rights regarding your personal data:
- Access to your stored data (Art. 15 GDPR)
- Rectification of inaccurate data (Art. 16 GDPR)
- Erasure of your data ("Right to be Forgotten", Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection to processing (Art. 21 GDPR)
- Complaint to the supervisory authority (Art. 77 GDPR)
To exercise your rights, please contact us at: datenschutz@fluffycall.de
Transparency & Accountability
We place great emphasis on transparency towards our customers. Data flows, sub-processors, and security measures are documented in a comprehensible manner. Upon request, we provide further information, including:
- List of sub-processors
- Detailed description of TOMs
- Copy of Standard Contractual Clauses (SCCs)
- Information on data transfers outside the EU