EMOR VoiceBack to home
Legal · Privacy Policy

Privacy Policy

Last updated · May 27, 2026

EMOR AI, LLC (“EMOR,” “we,” “us,” or “our”) operates the EMOR Voice platform at emorvoice.com(the “Service”) and related services. EMOR Voice is one of several products operated by EMOR AI, LLC; the parent company website is emorai.com. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our Service, including when your callers (“end callers”) interact with an AI receptionist powered by EMOR.

1. Information We Collect

1.1 Account Information

When you create an account, we collect your name, email address, business name, phone number, and billing information. Authentication is handled by Clerk; payment processing is handled by Stripe. We do not have access to or store payment card numbers — Stripe tokenizes and stores them on its own infrastructure.

1.2 Business Configuration

You provide business details such as hours of operation, service descriptions, appointment types, and AI receptionist instructions. This information is used solely to configure your AI receptionist.

1.3 Call & Conversation Data

When end callers interact with your AI receptionist, we process the following:

  • Voice audio:Real-time audio is streamed through Twilio and processed by our speech providers (OpenAI and/or ElevenLabs) to perform speech-to-text, generate responses, and synthesize the AI’s voice. Audio is processed in real time and is not permanently stored by EMOR unless you have explicitly enabled call recording (see Section 5).
  • Call metadata: Caller phone number, call duration, timestamps, routing information, and call disposition are logged for analytics, billing, and compliance.
  • Transcripts: Conversation transcripts are generated and stored on every AI-handled call so you can review calls in your dashboard and so the Service can analyze quality and identify knowledge gaps. Because transcripts are stored on every AI-handled call, the Service plays an audible disclosure to the caller before connecting the AI (see Section 4).
  • Caller facts:When enabled on Professional and Enterprise plans, short text snippets extracted from prior conversations (e.g. “prefers afternoon appointments”) may be stored on a per-business, per-caller basis to make returning callers feel remembered. You can review, edit, pin, or delete these in your dashboard.

1.4 SMS Messages

When your AI receptionist sends SMS messages (e.g., appointment confirmations, follow-ups), message content, recipient phone numbers, and delivery status are logged. SMS is transmitted via Twilio’s messaging platform. Recipients may opt out of SMS at any time by replying STOP.

1.5 Lead & Booking Data

Information collected from end callers — such as name, phone number, email, and appointment details — is stored as leads and bookings in your account and is visible only to you. As described in Section 5, lead and booking records are retained while your account is active and deleted on the schedule set out there.

1.6 Voice Cloning Data

Voice cloning is an optional feature you may enable. If you choose to use it, you upload audio samples of a voice you are authorized to use (your own voice, an employee’s voice with their written consent, or a voice you have a license to). These samples are transmitted to ElevenLabs for voice model creation. You may create up to 5 custom voice clones per account. You represent and warrant that you have obtained all necessary written consents from anyone whose voice you clone, including any consents required under biometric privacy laws (see Section 11). EMOR does not independently verify the existence of such consent at the time of upload and does not retain copies of consent documentation; you remain solely responsible for obtaining, retaining, and producing those consents upon request from the individual whose voice has been cloned or from any regulator. EMOR does not create voice clones from end-caller audio.

1.7 Business Lookup Data

During onboarding, you may search for your business to auto-populate details. This search is processed through Google Places API, which receives your business name and location query. Google processes this data under its own privacy policy. We do not store your search queries; only the business information you confirm is saved.

1.8 Usage & Analytics

We collect aggregated usage data including call volumes, feature usage, and performance metrics to operate the Service and provide you with dashboard analytics.

1.9 Cookies & Web Tracking

Our website and dashboard use a small number of cookies and similar technologies for authentication, security, preferences, and aggregate analytics. We do not use cookies for cross-site behavioral advertising. Full details, including categories and your choices, are in our Cookie Policy.

2. How We Use Your Information

We use collected information to:

  • Operate and maintain your AI receptionist
  • Process voice calls and generate AI responses
  • Send SMS messages on your behalf
  • Capture leads and manage bookings
  • Provide dashboard analytics and call logs
  • Improve yourreceptionist over time. After each AI-handled call, the Service submits the call transcript to OpenAI’s gpt-4o-mini model to extract (a) a one-line summary and stated intent for your call log, (b) short caller-facts that personalize the next call with the same caller, and (c) lead-quality signals and knowledge-gap candidates for your review. Separately, on a weekly cadence, an aggregated roll-up of your period’s calls is submitted to Anthropic’s Claude Haiku model to produce the prose narrative and action items shown on your AI Insights dashboard. The output of both passes is written to your tenant database, is used solely to suggest improvements to your receptionist, is never combined with data from any other customer, and is never used to train any AI model. You may opt out of post-call analysis at any time from Settings → Privacy & data in your dashboard, or by contacting legal@emorai.com.
  • Process payments and manage your subscription
  • Send transactional emails (account confirmations, billing receipts, service notices)
  • Comply with legal obligations and prevent fraud

AI training:EMOR does not use customer data, end-caller audio, transcripts, lead information, or knowledge-base content to train general-purpose AI models, and does not provide such data to any third party for the purpose of training general-purpose AI models. As of the “Last updated” date of this Policy, OpenAI does not use API data sent through its Realtime API or its standard Chat Completions API to train its general-purpose models, in accordance with its API Data Usage Policies, and retains API request and response data for up to thirty (30) days for the limited purpose of abuse monitoring before deletion. Anthropicsimilarly does not train its Claude models on customer content submitted through its API, in accordance with Anthropic’s Commercial Terms of Service, and retains API request and response data for up to thirty (30) days for trust-and-safety review before deletion. Each of OpenAI’s and Anthropic’s practices are governed by their own published policies at the URLs above, which they may revise from time to time; those URLs are the authoritative source for their current terms, and we will update this Policy to reflect material changes of which we become aware. EMOR does not enable any data-storage feature on either API. Customers requiring a zero-retention configuration may request that EMOR pursue enterprise Zero Data Retention agreements with OpenAI and/or Anthropic by contacting legal@emorai.com. Improvements derived from your account data — for example, knowledge-base suggestions surfaced from questions your AI was unable to answer — remain isolated to your account and are never used to inform other customers’ receptionists. Cross-business learning is limited to fully anonymized industry templates (for example, the typical booking categories used by auto-repair shops) and never includes identifiable end-caller content.

Marketing communications: We may send occasional product updates and marketing emails to account holders. You can unsubscribe at any time using the link in any such email. We do not send marketing communications to end callers.

Automated decision-making:Your AI receptionist scores and qualifies leads (e.g. “hot,” “cold”) as a decision-support aid. These scores are not legally or similarly significant decisions and are reviewable by you in the dashboard. You make all final decisions about how to follow up with leads. Where required by law (e.g. GDPR Article 22), end callers may request human review by contacting the business they called.

3. How Your Data Moves Through Our System

We do not sell your personal information.We disclose data only to the categories of service providers (“Subprocessors”) described in Section 3.5, solely to operate the Service. This Section describes, for each principal category of data, the systems through which it transits, where it is stored, and the role each Subprocessor performs. The full, current list of Subprocessors with privacy-policy and data-processing-agreement links is published at emorvoice.com/subprocessors.

3.1 Call Audio, Transcripts, and Post-Call Analysis

When an end caller dials your business number, the call data follows the path below:

  • 1. Inbound audio → Twilio → Railway. Twilio receives the call and routes it to the EMOR voice runtime, which is hosted on Railway in the United States, over an authenticated WebSocket. Twilio retains the audio only as required to transmit the call and, if recording is enabled in your dashboard, to provide the recording for the retention window stated in Section 5. Railway processes audio in transit only — audio is not persisted on Railway compute beyond the lifetime of the call.
  • 2. Audio → OpenAI Realtime API.The voice runtime streams caller audio in real time to OpenAI’s Realtime API to perform speech-to-text and generate conversational responses. OpenAI processes this audio under its API Data Usage Policy, does not use it to train its general-purpose models, and retains it for up to thirty (30) days for abuse-monitoring purposes before deletion. EMOR does not enable any data-storage feature of the Realtime API.
  • 3. Response text → ElevenLabs (premium-voice add-on only). For accounts on the premium-voice add-on, the voice runtime transmits the generated response text to ElevenLabs for text-to-speech synthesis. ElevenLabs returns synthesized audio in real time and does not retain the response text or the synthesized audio after delivery. For accounts not on the add-on, no data is transmitted to ElevenLabs; OpenAI synthesizes the response audio.
  • 4. Synthesized audio → caller. The response audio is streamed back to the caller through Twilio.
  • 5. Metadata and transcript → Supabase. Throughout the call, EMOR writes call metadata (caller phone number, duration, timestamps, disposition) and the running transcript to your tenant database hosted at Supabase. If recording is enabled, the recording URL is stored in your tenant database and the underlying audio is retained at Twilio for the retention window in Section 5.
  • 6a. Per-call post-processing → OpenAI (gpt-4o-mini).Immediately after the call ends, EMOR submits the transcript to OpenAI’s gpt-4o-mini model to extract a one-line summary, the stated intent, short caller-facts that personalize the next call, lead-quality signals, and knowledge-gap candidates. The output is written to your tenant database, is used solely to suggest improvements to your receptionist, and is never combined with data from any other customer.
  • 6b. Weekly insights aggregation → Anthropic (Claude Haiku).Once per week, an aggregated roll-up of your period’s calls is submitted to Anthropic’s Claude Haiku model to produce the prose narrative and action items shown on your AI Insights dashboard. The output is written to your tenant database and is never combined with data from any other customer. You may opt out of all post-call analysis (both 6a and 6b) at any time from Settings → Privacy & data in your dashboard, or by contacting legal@emorai.com.

3.2 SMS Messages

  • Outbound SMS.Messages originated by your AI receptionist (for example, appointment confirmations and follow-ups) are composed by EMOR and submitted to Twilio’s Messaging Service for delivery under EMOR’s A2P 10DLC brand registration on your behalf. Twilio routes the message to the recipient carrier and reports delivery status back to EMOR.
  • Inbound SMS.Replies from end callers are received by Twilio and forwarded to EMOR for opt-out handling, intent classification, and, where you have configured it, conversational AI reply generation by Anthropic’s Claude Haiku model.
  • Storage. Message content, delivery status, and opt-in / opt-out events are written to your tenant database at Supabase. Message bodies are redacted on the schedule stated in Section 5; opt-out records are retained for the longer period described in Section 5 to satisfy TCPA recordkeeping requirements.

3.3 Leads and Bookings

  • Capture. Information collected during AI calls or submitted through your public opt-in page is written directly to your tenant database at Supabase as a lead or booking record. This data is visible only to you and to users you authorize.
  • Google Calendar sync.Where you have connected a Google Calendar via OAuth, EMOR transmits booking details (summary, start and end time, attendee email) to the Google Calendar API. Google Calendar processes this data under Google’s privacy policy.
  • iCal feed subscription. Where you have enabled iCal feed subscription, blackout dates and bookings are exposed as a read-only feed at a token-protected URL, which your calendar application polls on its own schedule.
  • Retention. Leads and bookings are retained while your account is active and are subject to the deletion schedule in Section 5.

3.4 Billing and Account Data

  • Account credentials.Email address, password hash, and session tokens are managed by Clerk under Clerk’s privacy policy. EMOR does not store passwords.
  • Billing.Subscription billing, payment-method tokenization, and invoicing are handled by Stripe under Stripe’s privacy policy. EMOR does not store payment card numbers; only the Stripe customer and subscription identifiers are written to your tenant database.
  • Usage counters. Aggregated usage counters (minutes used, SMS sent, bookings created, etc.) are written to your tenant database at Supabase for the purposes of billing and dashboard display.

3.5 Subprocessors

EMOR engages the following Subprocessors to perform the functions described in Sections 3.1 through 3.4 and, in the case of the two marketing-site analytics providers, the consent-gated website analytics described in our Cookie Policy. Each Subprocessor processes data under its own privacy policy and a Data Processing Agreement with EMOR.

  • Twilio: Voice call routing, phone number provisioning, and SMS delivery
  • Twilio SendGrid: Transactional email delivery
  • OpenAI: Real-time voice-call processing — speech-to-text, conversational response generation during the live call, and synthesized response audio for accounts not on the premium-voice add-on. Also per-call post-processing — summary, intent, caller-facts, lead-quality scoring, and learning-signal extraction via the gpt-4o-mini model.
  • Anthropic: Text-based language-model inference — weekly AI Insights aggregation, AI replies to inbound SMS, knowledge-base assistance, dashboard assistant, lead action suggestions, and content generation (template drafting, pronunciation suggestions, rule conflict checking)
  • ElevenLabs: Speech synthesis and voice cloning, available only to tenants who enable the premium-voice add-on
  • Clerk: User authentication and identity management
  • Stripe: Payment processing and subscription management
  • Supabase: Database hosting and data storage
  • Vercel: Dashboard and marketing-site hosting, serverless function execution, and CDN
  • Railway: Hosting and execution of the EMOR voice runtime — the service that bridges Twilio media streams to and from AI inference providers during live calls
  • Sentry: Error tracking and performance monitoring
  • Upstash: Distributed rate limiting and abuse protection (IP addresses and request counters; no message content, call audio, or transcripts)
  • Google (Places API): Business lookup during onboarding
  • Google (Calendar API): Checking availability on owner-connected Google Calendars so the Service can avoid double-booking. Active only when the owner connects a calendar via OAuth.
  • Google (Analytics 4): Aggregate traffic analytics on the public EMOR Voice marketing website. Loaded only for visitors who accept analytics cookies, and never on the signed-in dashboard or any tenant-facing surface. Processes marketing-site visitor data only — not tenant, call, SMS, lead, or billing data. See our Cookie Policy.
  • Microsoft (Clarity): Marketing-website product analytics, including heatmaps and session replay of marketing-page visits. Loaded only for visitors who accept analytics cookies, and never on the signed-in dashboard or any tenant-facing surface. Processes marketing-site visitor data only. See our Cookie Policy.

By using the Service, you acknowledge and consent to the processing of your account, call, SMS, lead, and billing data by the Subprocessors listed above for the purposes described in this Section 3 and under each Subprocessor’s own privacy policy. We may also disclose information if required by law, subpoena, or to protect the rights and safety of EMOR and its users.

Third-party policies may change. Each Subprocessor processes data under its own privacy policy and Data Processing Agreement, linked above and on our public Subprocessors page. The descriptions in this Section 3 and on the Subprocessors page summarize each Subprocessor’s practices as of the “Last updated” date of this Policy. Subprocessors may update their own policies independently of EMOR, and we do not control their content. The current published policy at each Subprocessor’s linked URL is the authoritative source for how that Subprocessor handles data, and we encourage you to review those policies directly when current detail matters. We will revise this Policy to reflect material changes of which we become aware and, where required by your contract or applicable law, will provide advance notice as set out in Section 3.6.

3.6 Notice of Subprocessor Changes

We will provide at least thirty (30) days’ advance notice before adding a new Subprocessor to the list in Section 3.5, via email to account administrators and an update to the public Subprocessors page. Customers with a signed Data Processing Agreement may object in writing during the notice period.

4. End-Caller Privacy & Consent

People who call your business and reach the AI receptionist (“end callers”) are not EMOR’s customers — they are your customers. EMOR processes end-caller information on your behalf as a service provider / data processor. You are the controller of that data and are responsible for its lawful collection.

4.1 AI Disclosure

EMOR’s default greeting templates identify the AI receptionist as an AI assistant at the start of each call, in line with disclosure best practices and state laws (such as California Senate Bill 1001) that require commercial bots to proactively identify themselves. The greeting is configurable, so you remain responsible for keeping the AI self-identification in your customized greeting where required by the law of the jurisdictions in which you operate. The dashboard surfaces a warning when a saved greeting does not appear to include an AI disclosure.

4.2 Call Recording & Transcription Disclosure

Before the AI engages with the caller, the Service plays an audible disclosure that the call may be recorded or transcribed for quality and training purposes. This disclosure fires on every AI-handled call because transcripts are stored on every call regardless of whether full audio recording is enabled. Continuing the call after this notice constitutes consent to the disclosed processing under the law of the United States and most U.S. states, including states that require all-party consent for the recording or interception of oral communications (e.g., California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, Vermont, and Washington). End callers who do not consent should hang up before providing any further information.

You remain responsible for any additional disclosures, consents, or opt-outs required by your jurisdiction or industry, and for customizing the AI receptionist’s greeting if your jurisdiction requires specific recording-disclosure language.

4.3 SMS Consent & Compliance

SMS messages are sent via Twilio on your behalf using your dedicated business phone number. Messages are transactional in nature (appointment confirmations, follow-ups, directions) and are sent only to callers who have interacted with your business.

  • Recipients can opt out at any time by replying STOP to any message. Opt-outs are tracked automatically and honored immediately.
  • Recipients can opt back in by replying START.
  • Message frequency varies based on caller interaction. Standard message and data rates may apply.
  • You are responsible for ensuring your use of SMS complies with the TCPA, CAN-SPAM, A2P 10DLC requirements, and applicable telecom regulations.

4.4 Email Communications

Follow-up emails (appointment confirmations, intake forms) are sent via Twilio SendGrid on your behalf. Recipients may unsubscribe from non-transactional emails at any time.

4.5 End-Caller Rights Pathway

If you are an end caller and want to access, correct, or delete information collected during your call with an AI receptionist, please contact the business you called — they control that data and decide how long to retain it. If the business is unresponsive or cannot be reached, you may contact us at legal@emorai.com and we will facilitate the request with the business.

5. Data Retention

We retain your account data for as long as your account is active. The following automated retention policies apply:

  • Call recordings (when enabled): Retention varies by plan — Demo: 7 days; Starter: 90 days; Professional and Enterprise: 365 days. Recording URLs are automatically expired and the underlying recordings deleted at the end of the retention window. Call recording is off by default and must be explicitly enabled in your dashboard.
  • Call transcripts: Transcripts are automatically cleared after 12 months.
  • Caller facts: Per-caller text snippets used to personalize returning-caller experiences are subject to a 12-month age-decay sweep unless you pin them, and may be deleted at any time from your dashboard.
  • Lead & booking records: Retained while your account is active. You may delete individual leads or bookings from the dashboard at any time. Account-wide lead and booking records are deleted on cancellation as described below.
  • SMS and email message bodies: Message content is redacted after 12 months. Metadata (delivery status, timestamps) is retained for analytics and compliance.
  • Cancelled accounts: If you cancel your subscription, your account enters a 60-day dormant state during which your operational data, configuration, and assigned phone number are retained so you can reactivate by resubscribing. If you do not reactivate within 60 days, your account is automatically scheduled for permanent deletion following a further 30-day grace window during which you may cancel the deletion and resume service. Backups are purged on a rolling 30-day cycle thereafter.
  • Billing records: Retained for up to 7 years after account closure to satisfy tax, accounting, and audit obligations under applicable law.
  • Consent records: Records of SMS and email opt-in and opt-out events are retained for up to 4 years to satisfy TCPA, CTIA, and similar telecommunications recordkeeping requirements.

6. Data Security & Breach Notification

EMOR’s security posture is built around four principles: encrypt everything in flight and at rest, isolate every tenant at the database row, push payments and credentials to dedicated providers, and minimize the data we hold to what the Service needs. The specific controls described below reflect the architecture of the Service as of the “Last updated” date of this Policy.

6.1 Encryption

  • In transit. All traffic between end callers, your dashboard, the EMOR voice runtime, and our Subprocessors is encrypted using TLS 1.2 or higher. The Twilio media-stream connection that carries live call audio to the EMOR voice runtime is an authenticated WebSocket secured with TLS.
  • At rest. Customer data stored in Supabase Postgres, including call transcripts, leads, bookings, SMS message bodies, and configuration, is encrypted at rest using AES-256. Call recordings stored at Twilio (when recording is enabled) and voice models stored at ElevenLabs (when the premium-voice add-on is enabled) are encrypted at rest by those providers under their own published practices.

6.2 Tenant Isolation

Every tenant-scoped table in the EMOR database carries a tenant_idcolumn and is protected by Postgres row-level security (RLS) policies that scope reads and writes to the authenticated tenant. The Supabase anonymous key used by the dashboard cannot bypass RLS. The Supabase service-role key, which can bypass RLS, is held only on EMOR’s server-side runtimes (Vercel serverless functions and the Railway voice runtime) and is never exposed to the browser.

6.3 Authentication and Access Control

  • Account authentication. User accounts are managed by Clerk. EMOR does not store passwords; password hashes and session tokens are held by Clerk under its own security program. Multi-factor authentication is available to every account holder through Clerk.
  • Administrative access.Access to production systems by EMOR personnel is restricted to authorized administrators with multi-factor authentication enabled on upstream providers (Supabase, Vercel, Railway, Twilio, Stripe, Clerk). Administrative actions are logged in those providers’ audit trails.

6.4 Payment Security

Subscription billing is handled by Stripe. Payment card numbers, CVCs, and bank account details never touch EMOR systems; the card-input form is hosted by Stripe and tokenizes payment methods directly to Stripe’s PCI DSS Level 1 environment. EMOR stores only the Stripe customer and subscription identifiers needed to bill your account.

6.5 Abuse Protection and Monitoring

  • Rate limiting.Public and authenticated API endpoints, voice-call origination, and SMS sending are protected by distributed rate limits using Upstash to prevent brute-force, scraping, and platform-abuse scenarios. Rate limiters see IP addresses and request counters only — never message content, transcripts, or call audio.
  • Error and performance monitoring. The dashboard and voice runtime emit error and performance telemetry to Sentry. Sentry retains telemetry under its own privacy policy.

6.6 Subprocessor Security Commitments

Each Subprocessor listed in Section 3.5 processes EMOR data under a Data Processing Agreement that contractually requires appropriate technical and organizational measures. We select Subprocessors that publish their own third-party assurance (for example, SOC 2 Type II for Twilio, OpenAI, Anthropic, Supabase, Vercel, Clerk, and Stripe; PCI DSS Level 1 for Stripe). Customers may request a copy of EMOR’s Subprocessor security summary by contacting legal@emorai.com.

6.7 Compliance Program

EMOR does not currently hold a SOC 2 or ISO 27001 attestation. Customers requiring formal third-party security attestations should plan engagement timing accordingly. For enterprise engagements, EMOR will provide a written security questionnaire response, a list of Subprocessor attestations, and (under mutual NDA) details of our internal security practices on request.

6.8 Limits on Security Assurance

Despite the controls described above, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security against every possible threat. We continuously evolve our controls as the threat landscape changes.

6.9 Breach Notification

If we become aware of a personal-data breach affecting your account or the end-caller data we process for you, we will notify you without undue delay and, in any event, within 72 hours of becoming aware of the breach to the extent feasible. Our notice will include the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures we have taken or propose to take to address it. Notice will be delivered to the email address on file for your account administrators; for customers with a signed Data Processing Agreement, notice will also follow the channels specified there.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate information
  • Delete your account and associated data
  • Export your data in a portable format
  • Opt out of non-essential communications
  • Withdraw consent for processing where consent is the legal basis
  • Restrict or object to certain processing activities
  • Lodge a complaint with a supervisory authority

To exercise any of these rights, contact us at legal@emorai.com. We respond to verified requests within 45 days where required by law (CCPA/CPRA), and otherwise within a reasonable time. We may need to verify your identity before fulfilling certain requests.

8. GDPR / UK GDPR (European Users)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and UK GDPR apply to your personal data. EMOR acts as a data processorfor end-caller data (your customers’ information collected during AI calls), and as a data controller for your own account data.

Lawful basis for processing: Performance of contract (operating the Service for you), legitimate interests (security, fraud prevention, product improvement), legal obligation, and consent (where required, e.g. for marketing communications).

Data transfers outside the EEA / UK: EMOR is based in the United States, and our processors may also process data outside the EEA. Such transfers rely on Standard Contractual Clauses approved by the European Commission, the UK International Data Transfer Addendum, and other safeguards as applicable.

Automated decision-making (Article 22): Lead qualification scores produced by your AI receptionist are decision-support outputs, not solely automated decisions producing legal or similarly significant effects. End callers may request human review of any decision affecting them by contacting the business they called or, if unresolved, by contacting us.

EU/UK Representative: EMOR does not currently maintain an establishment in the EEA or UK. Where Article 27 of the GDPR or UK GDPR applies, EMOR will appoint a Representative and list the contact details on this page. Until then, EU/UK data subjects may exercise their rights by contacting legal@emorai.com.

Data Processing Agreements (DPAs) are available on request — contact legal@emorai.com.

9. CCPA / CPRA (California Users)

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you additional rights:

  • Right to know what personal information we collect, use, and disclose
  • Right to delete personal information we have collected from you
  • Right to correct inaccurate personal information
  • Right to opt out of the sale or sharing of personal information
  • Right to limit the use and disclosure of Sensitive Personal Information (see below)
  • Right to non-discrimination for exercising these rights

EMOR does not sell your personal information. We do not share personal information with third parties for cross-context behavioral advertising.

Sensitive Personal Information (SPI):Under the CPRA, certain categories of personal information are designated as sensitive. The SPI we may process includes voice audio (during real-time call processing), account credentials (managed by Clerk), and, where you choose to enter it into your business configuration, information about your business location. We use SPI only for the purposes of operating the Service, providing security, preventing fraud, and complying with law — never for inferring characteristics about consumers and never for advertising. You may submit a “Limit the Use of My Sensitive Personal Information” request by contacting legal@emorai.com.

We respond to verified California consumer requests within 45 days (extendable by another 45 days where reasonably necessary, with notice). Categories of personal information we collect are described in Section 1 above. We retain each category only as long as needed for the purposes described in Section 5.

10. Other U.S. State Privacy Laws

Several U.S. states have enacted comprehensive privacy laws beyond CCPA/CPRA, including but not limited to Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa, Indiana, Tennessee, Florida (FDBR), Delaware, New Hampshire, New Jersey, Kentucky, Maryland, Minnesota, Rhode Island, and Nebraska. If you reside in any of these states, you have rights similar to those described in Section 9 above — generally including the right to access, correct, delete, port, and opt out of targeted advertising or the sale of personal data. We do not engage in targeted advertising or sell personal data. To exercise any state-law rights, contact us at legal@emorai.com.

11. Biometric Information

We are aware that voice may qualify as “biometric information” or a “biometric identifier” under laws such as the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), and similar laws in Washington, New York, Maryland, and elsewhere.

End-caller voice: EMOR does not create, retain, or use voiceprints, voice templates, or other biometric identifiers from end-caller audio. Voice audio is processed in real time by our speech providers solely to perform speech-to-text and to generate spoken responses, and is not retained as a biometric template by EMOR. We do not use end-caller voice to identify, recognize, or distinguish callers; returning-caller recognition is performed using the inbound phone number, not voice.

Voice cloning (optional, customer-initiated): If you choose to use the voice cloning feature, you upload audio samples of a voice you are authorized to use and we transmit those samples to ElevenLabs for voice model creation. Before uploading any voice that is not your own, you must obtain a written release from the individual whose voice is being cloned that satisfies any applicable biometric privacy law, including specific written consent in compliance with the Illinois Biometric Information Privacy Act (BIPA) where the individual is located in Illinois, the Texas Capture or Use of Biometric Identifier Act (CUBI) where the individual is located in Texas, and Washington RCW 19.375 where the individual is located in Washington. You represent and warrant that you have obtained all such consents prior to uploading any sample, and that you will retain documentation of those consents for the period required by applicable law and produce it upon request from the individual whose voice has been cloned or from any regulator. EMOR does not independently verify the existence of consent at the time of upload and does not retain copies of consent documentation; EMOR acts only as a conduit transmitting your authorized samples to ElevenLabs for the purpose of creating the voice model you have requested. You may delete a voice clone from your account at any time, which will initiate deletion of the underlying samples and model from ElevenLabs. We do not use uploaded voice samples for any purpose other than creating and operating the voice clone you have authorized.

12. HIPAA & Health Information

The Service is not HIPAA-compliant by default. Customers in healthcare or other regulated industries who route Protected Health Information (PHI) — as defined by the Health Insurance Portability and Accountability Act — through the Service must execute a Business Associate Agreement (BAA) with EMOR before doing so. Without a signed BAA, you must not use the Service to collect, store, or transmit PHI, and you are solely responsible for preventing end callers from disclosing PHI to your AI receptionist (for example, by configuring your greeting and AI instructions to avoid soliciting PHI). To request a BAA, contact legal@emorai.com.

13. International Data Transfers

Your information may be processed and stored in the United States and other countries where our service providers operate. By using the Service, you consent to such transfers. Where required, we use Standard Contractual Clauses, the UK International Data Transfer Addendum, or other lawful transfer mechanisms.

14. Children’s Privacy

The Service is a B2B platform sold to businesses. Account holders must be 18 or older. We do not knowingly create accounts for individuals under 18.

End callers of any age may interact with an AI receptionist deployed by one of our customers — for example, a tutoring center, dental office, or after-school program. EMOR does not knowingly solicit or collect personal information directly from children under 13, and customers in industries likely to receive calls from children should configure their AI receptionist accordingly (for example, by routing minor callers to a human or by avoiding the collection of names and contact details). If you believe a child has provided personal information through the Service, contact us at legal@emorai.com and we will work with the relevant business customer to delete it promptly.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a notice on the Service at least 30 days before they take effect. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

16. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

EMOR AI, LLC
563 NW 31st Avenue
Gainesville, FL 32609
Phone: (305) 582-0181
Email: legal@emorai.com