I
Inna AI

Privacy Policy

Last updated: May 1, 2026

1. Who we are

Inna AI (“Inna”, “we”, “us”) is a multi-tenant SaaS platform that lets businesses run AI-powered voice and text agents on their own phone numbers, websites, and chat channels.

For most personal data we handle, we act as a data processoron behalf of our business customers (the “Customer” or “data controller”). For information we collect directly from our Customer's administrators (account email, billing details, login activity), we act as a controller.

2. What we collect

From end users (callers / chatters)

  • Voice audio from phone calls and browser voice sessions, transmitted in real time to our AI provider so the agent can listen and respond.
  • Transcripts of the conversation (what the caller said, what the agent replied), stored against the call record so our Customer can review the conversation.
  • Caller / sender identifiers such as a phone number, Telegram chat ID, Slack user, or website session, used to attribute the conversation to a contact.
  • Conversation metadata: timestamps, duration, channel, language, escalation outcome, tool calls.

From Customer administrators

  • Account email, full name, and password hash (never the password itself).
  • Company name, slug, billing plan, and usage counters.
  • API tokens and webhook secrets you create.
  • Access logs (IP, user agent, request path) for security and abuse prevention.

3. How we use it

  • To run the AI agent the Customer configured (lawful basis: contract).
  • To bill the Customer for usage (lawful basis: contract).
  • To detect and prevent abuse, fraud, and security incidents (lawful basis: legitimate interest).
  • To improve service quality through aggregated, anonymized analytics. We do not train AI models on Customer data.
  • To meet legal obligations (tax, accounting, lawful requests).

4. Sub-processors

To deliver the service we share data with:

  • Google (Gemini API) — generates the AI responses. Audio and text are sent in real time and not retained for training under our paid plan.
  • Twilio — carries the voice call and routes phone numbers.
  • Telegram, Slack, Instagram (where enabled by the Customer) — message delivery and webhooks.
  • Google Cloud Platform(Cloud Run, Cloud SQL, Memorystore Redis, Cloud Storage) — hosting and storage, located in the European Union (Frankfurt & Belgium regions).
  • Resend — transactional email (welcome, password reset, billing notices).

A current list of sub-processors is available on request from privacy@inna.ai.

5. Where we store data

All personal data is stored on Google Cloud Platform infrastructure located in the European Union. Backups are retained for up to 30 days. Database snapshots are encrypted at rest with Google-managed keys.

6. How long we keep it

  • Conversation transcripts & recordings: kept for the lifetime of the Customer's account, then deleted within 30 days of account deletion. Customers can also delete individual conversations from their dashboard.
  • Customer administrator accounts: kept until the account is deleted; personal data is then removed within 30 days, except where we are legally required to retain it (e.g. invoices).
  • Security logs: 90 days.

7. Your rights

If you are an end user (caller / chatter), please contact the business that owns the phone number or chat you interacted with — they are the data controller and must respond within 30 days. If you cannot reach them, write to us at privacy@inna.ai and we will forward your request.

If you are a Customer administrator, you have the right to access, correct, export, or delete your personal data via the dashboard or by emailing us.

8. Security

We protect data in transit with TLS 1.2+ everywhere, encrypt sensitive secrets (third-party tokens, webhook signing keys) at the application layer with AES-GCM, run database backups daily with point-in-time recovery, and isolate each tenant via row-level security in PostgreSQL. Despite our best efforts, no system is perfectly secure — please report vulnerabilities responsibly to security@inna.ai.

9. Children

The service is not directed to children under 16. If you believe a child has interacted with an Inna-powered agent, please contact the owning business so they can delete the data.

10. Changes to this policy

We will post material changes here at least 14 days before they take effect, and notify Customer administrators by email.

11. Contact

Questions or complaints: privacy@inna.ai.