Privacy Policy

For India · Last updated: June 27, 2026

WebCallHub (“we”, “us”) is operated by HSG IT Services Oy (Helsinki, Finland) and HSG IT USA LLC (Austin, Texas, USA). This policy explains what personal data we collect from customers and website visitors in India, why, how we use it, and your rights under India’s Digital Personal Data Protection Act, 2023 (DPDP Act), as well as the EU GDPR and the California CCPA where they apply.

Short version: We collect the minimum data needed to run the click-to-call service: your account info, plus call metadata and (optionally) audio/transcripts for calls placed through your site, and billing details to invoice you in rupees. We do not sell personal data. You can request export or deletion at any time.

1. Who Is Responsible (Data Fiduciary / Controller)

For account holders (our customers): WebCallHub is the Data Fiduciary (controller) for your account data.
For website visitors who use a customer’s call widget: the customer (website owner) is the Data Fiduciary; WebCallHub acts as a Data Processor on the customer’s behalf.

Grievance / data-protection contact: [email protected] (see section 11).

2. Data We Collect

2.1 Account data (you, the customer)

Name, email, company, role.
Billing details and invoices issued in INR. Card details are handled by our payment provider — we do not store card numbers.
Authentication data (password hash, SSO tokens, session cookies).
Dashboard activity logs (which admin actions you took and when).

2.2 Call data (when a visitor uses the widget)

Call metadata: timestamp, duration, caller identifiers, agent assignment, call outcome.
The visitor’s name and/or phone/email, if they entered them in the widget form.
IP address (used for routing, TURN/STUN selection, and abuse prevention).
Audio stream: only during the call — relayed, not stored, unless you enable recording.
Transcript: only when transcription is enabled for the call (optional feature).

2.3 Website and cookies

Strictly-necessary cookies for login and CSRF protection.
Privacy-respecting, cookieless analytics (Plausible) for aggregate traffic.
With your consent, Google Analytics 4 (disabled by default via Google Consent Mode; only set after you click “Accept”). We do not use it for advertising or ad personalisation.

3. Why We Use the Data

Purpose	Data	Basis
Providing the Service	Account data, call metadata, audio	Performance of contract
Billing and accounting	Billing details	Contract & legal obligation
Abuse prevention, security	IP, activity logs	Legitimate use / legitimate interest
Optional recording / transcription	Audio, transcript	Consent
Product improvement (aggregate)	Anonymised usage data	Legitimate use
Marketing emails to customers	Email	Consent; opt-out anytime

Under the DPDP Act, we process your personal data on the basis of your consent or for legitimate uses permitted by the Act. Where we rely on consent, you may withdraw it at any time (this does not affect processing already carried out).

4. Where Your Data Is Stored

Primary production data is hosted within the European Union (Helsinki region). Backups and selected sub-processors may operate in other countries, including the United States, under appropriate safeguards (EU–US Data Privacy Framework or Standard Contractual Clauses). Cross-border transfer is carried out in line with the DPDP Act and applicable transfer rules.

5. Sub-processors

We use a small set of vetted sub-processors: cloud hosting (Hetzner, Cloudflare), transactional email, payment processing (PCI-compliant provider, Stripe), and optional speech-to-text. Business and Enterprise customers can request the current list and a Data Processing Addendum at [email protected].

6. How Long We Keep Data

Account data: for the life of the account, plus up to 90 days after cancellation, then deleted or anonymised.
Call metadata: 12 months by default, configurable per customer.
Call recordings / transcripts: only if you enable the feature; kept for the retention window you choose (default 30 days).
Billing records: kept for the period required by applicable tax and accounting law.

7. Your Rights (DPDP Act 2023)

As a Data Principal in India, you have the right to:

Access a summary of the personal data we process about you.
Correct, complete, update or erase your personal data.
Withdraw consent at any time.
Nominate another person to exercise your rights in case of death or incapacity.
Grievance redressal — raise a complaint with us, and escalate to the Data Protection Board of India if unresolved.

Where GDPR or CCPA apply, you also have the corresponding rights (access, portability, restriction, objection). We do not sell personal information. To exercise any right, email [email protected]; we respond within statutory timelines.

8. Security

Traffic is protected in transit with TLS 1.2+. Call audio is relayed over DTLS-SRTP (encrypted WebRTC). Passwords are hashed with a modern algorithm (bcrypt/argon2). Access to production systems is restricted and audited. We maintain reasonable security safeguards as required by the DPDP Act and will notify affected users and the Data Protection Board of any personal data breach as required.

9. Children

The Service is not directed to children under 18. Consistent with the DPDP Act, we do not knowingly process the personal data of children without verifiable parental consent, and we do not undertake tracking, behavioural monitoring, or targeted advertising directed at children.

10. Changes to This Policy

We will post material changes on this page and, for account holders, send a notice by email at least 14 days before they take effect.

11. Contact & Grievance Redressal

Email: [email protected]
HSG IT Services Oy — Helsinki, Finland
HSG IT USA LLC — Austin, Texas, USA

For grievances relating to the processing of your personal data, write to the address above with “DPDP Grievance” in the subject line. If you are not satisfied with our response, you may approach the Data Protection Board of India.