ReachAll

    Reachall Solutions Private Limited — Privacy Policy

    Effective date: 15 August 2025

    Company:

    Reachall Solutions Private Limited ("Reachall", "we", "us", "our")
    Registered address: 132 A, S P Mukherjee Road, Kolkata, West Bengal, India

    Scope & Purpose

    This Privacy Policy describes how Reachall collects, uses, stores, discloses, and protects Personal Data in connection with our AI voice agents platform and related services (the "Services"). This Policy applies to business customers (B2B) and their end users when Reachall processes Personal Data on behalf of customers. It also describes Reachall's practices when it acts as a Controller for its own personnel, vendor, or marketing data.

    Consent to Privacy Policy

    By signing up for or logging into our Services, you automatically consent to this Privacy Policy.

    Your registration or login constitutes your acknowledgment that you have read, understood, and agree to be bound by the terms of this Privacy Policy. This includes your consent to our collection, use, processing, and disclosure of your Personal Data as described herein.

    If you do not agree with any terms of this Privacy Policy, please do not sign up for or use our Services. You may withdraw your consent at any time by contacting us at ashish@reachall.ai, though this may affect your ability to use certain features of our Services.

    1. Key Definitions

    • "Personal Data": Any information relating to an identified or identifiable natural person.
    • "Special Category Data / Sensitive Personal Data": Data that reveals health information and other categories that require extra protection.
    • "PHI (Protected Health Information)": As defined by HIPAA — health information that identifies an individual.
    • "Controller": The party that determines the purposes and means of processing Personal Data.
    • "Processor": The party that processes Personal Data on behalf of a Controller.
    • "Subprocessor": A third-party engaged by Reachall to process data on our behalf.

    2. Nature of Our Processing

    • Reachall primarily acts as a Processor for Customers that use the Services to operate AI voice agents.
    • Reachall may act as a Controller for its own HR, vendor, marketing, or corporate data.

    3. Categories of Personal Data Processed

    Examples of data Reachall may process while providing the Services:

    • Audio recordings of calls and voice interactions.
    • Transcripts and derived text produced by speech-to-text processing.
    • Call metadata: phone numbers, call timestamps, duration, routing, call quality metrics, agent identifiers.
    • Input captured during interactions: names, account numbers, addresses, health-related details (only if supplied by Customer or caller).
    • Logs, diagnostic data, and telemetry used for service performance and debugging.

    3.1. Personal Data Collected

    Examples of data Reachall may collect while providing the Services:

    • Name, Email, Phone numbers
    • Address, City, State, Zip Code

    4. Lawful Basis & Purpose (GDPR)

    • When Reachall processes Personal Data as Processor, the Customer is the Controller and determines lawful bases under GDPR (e.g., performance of a contract, legal obligation, legitimate interest, or consent where required).
    • For Reachall's own processing (Controller), lawful bases include contractual necessity, legal obligations, legitimate interests, and consent where required.

    5. Health Data & HIPAA

    • Reachall may process PHI only where the Customer specifically instructs us and after both parties execute a Business Associate Agreement (BAA).
    • Prior to processing PHI, Reachall requires a signed BAA which sets forth permitted uses, safeguards, breach obligations, and other HIPAA-specific terms.
    • Technical and organizational safeguards for PHI include access controls, encryption in transit and at rest, audit trails, logging, and personnel training.

    6. Security & SOC 2 Controls

    • Reachall designs, implements, and maintains administrative, technical, and physical safeguards aligned with AICPA Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy) and industry best practices.
    • Controls include: multi-factor authentication, role-based access control, encryption (TLS in transit; AES-256 or equivalent at rest where applicable), vulnerability management, secure development lifecycle, monitoring & logging, incident response, and personnel security measures.
    • Customers may request Reachall's SOC 2 report under a signed NDA.

    7. Subprocessors & Third-Party Services

    • Reachall engages subprocessors (cloud providers, telephony carriers, speech-to-text vendors, analytics providers, storage providers) to deliver the Services.
    • We conduct due diligence and contractually require subprocessors to maintain appropriate security controls and only process data on Reachall's documented instructions.
    • Reachall maintains a current list of subprocessors. Customers may request this list via ashish@reachall.ai.

    8. International Transfers

    • Data may be processed or stored in India and other jurisdictions where subprocessors operate.
    • For transfers from the EEA/UK or other restricted jurisdictions, Reachall will rely on appropriate safeguards (e.g., Standard Contractual Clauses, other lawful transfer mechanisms) and implement contractual and technical protections.

    9. Data Retention & Deletion

    • Retention periods are defined by the Customer in the Order Form or DPA. Absent Customer instructions, Reachall retains recordings and transcripts for 12 months by default.
    • Customers can request data export, deletion, or anonymization. Reachall will comply with authenticated requests from Customers according to contractual timelines.

    10. Data Subject Rights (GDPR & Similar)

    • When acting as Processor, Reachall will assist Customers (Controllers) in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) as required by applicable law.
    • Requests from data subjects should be directed to the Customer (Controller). For Reachall's Controller processing (e.g., employee data), data subjects may contact ashish@reachall.ai to exercise rights.

    11. Breach Notification

    • Reachall will notify affected Customers without undue delay after becoming aware of a security incident affecting Customer Data and will provide reasonable information to support regulatory notifications.
    • Assistance will be provided to Customers for notifications required under GDPR (e.g., supervisory authority notification within 72 hours where applicable) and HIPAA breach obligations where relevant.

    12. Legal Requests & Disclosure

    Reachall will comply with valid legal requests (court orders, subpoenas) for disclosure of data but will push back where legally permitted and will notify the Customer of compelled disclosures unless legally prohibited.

    13. Cookies & Tracking Technologies

    Our web interfaces may use cookies and similar technologies. Necessary cookies required for operation do not require consent; analytics or marketing cookies require consent where applicable.

    14. Changes to This Policy

    Reachall may update this Policy. Material changes that affect Customer data processing will be communicated to Customers via email and the Service dashboard at least 30 days prior to the change where feasible.

    15. Contact & Controller/Processor Notices

    Reachall Solutions Private Limited

    Registered address: 132 A, S P Mukherjee Road, Kolkata, West Bengal, India

    Privacy & Data Protection contact: Ashish Garg

    If you are a Customer and need our DPA, BAA, SOC 2 report, or subprocessors list, please contact: ashish@reachall.ai