Privacy Policy
Last Updated: May 10, 2026
1. About NOURIX
NOURIX is an AI-powered phone assistant for trade businesses (electricians, plumbers, roofers, painters, HVAC, etc.). When a customer calls, our AI voice agent answers the phone, holds a natural conversation in German, collects relevant information, and can book appointments. The business owner receives a structured summary of each call. This service is operated by Joshua Christl (Einzelunternehmen), Schlierseestraße 54, 81539 Munich, Germany.
2. Information We Collect
Information You Provide (Business Owners):
- Account details: name, email address, business name, phone number
- Business information: services offered, business hours, FAQs
- Payment data processed through Stripe (we do not store card details)
- Google Calendar data when you connect your calendar (appointment sync)
Information Collected During Phone Calls (Callers):
- Caller phone number (transmitted via telephony)
- Conversation transcript (speech-to-text conversion of the call)
- Information shared during the call: name, phone number, address, job description
- Appointment details if a booking is made
- Call metadata: duration, timestamps, call status
Automatically Collected Information:
- Technical details including IP address and browser type when using the dashboard
- Session data and language preferences
3. Server Logfiles
When you visit our website or dashboard, our hosting provider (Microsoft Azure, Germany West Central) automatically records the following data in server logfiles:
- IP address of the requesting device
- Date and time of the request
- Requested URL and referrer URL
- Browser and operating system
- Volume of data transferred
Legal basis: Art. 6(1)(f) GDPR - legitimate interest in the secure and stable provision of our service.
Retention: Logfiles are automatically deleted after 30 days.
4. Legal Bases for Processing
We process personal data on the following legal bases under Art. 6(1) GDPR:
- Art. 6(1)(a) GDPR - Consent: Umami analytics and other non-essential tracking; the optional Google Calendar integration; any opt-in marketing communications.
- Art. 6(1)(b) GDPR - Contract performance: Creating and operating your NOURIX account, handling inbound calls on your assigned number, generating call summaries, syncing appointments, and processing payments via Stripe.
- Art. 6(1)(c) GDPR - Legal obligation: Retaining billing and accounting records as required by German tax law (§§ 147 AO, 257 HGB).
- Art. 6(1)(f) GDPR - Legitimate interest: Technical logging, fraud and abuse prevention, transactional notifications (e.g. new-call emails to the business owner), and service improvement.
- Art. 28 GDPR - Processing on behalf of the customer: All personal data collected during inbound calls is processed on behalf of the business customer under a Data Processing Agreement - see section 6.
5. How We Use Your Information
- Providing the AI phone assistant service (answering calls, booking appointments)
- Generating call summaries and delivering them to the business owner
- Syncing appointments to your Google Calendar (when connected)
- Processing payments via Stripe
- Sending transactional emails (call notifications, account updates) via Brevo
- Displaying call history, statistics, and appointments in the dashboard
- Analyzing website usage via Umami Analytics (with your consent)
- Improving the service and providing customer support
- Meeting legal obligations
6. Role as Processor (Art. 28 GDPR)
For the core voice assistant service, NOURIX acts as a processor (Auftragsverarbeiter) on behalf of our business customers under Art. 28 GDPR. Specifically:
- The business customer (e.g. the electrician, plumber, or other trade business) is the controller for all data generated during calls placed to their dedicated NOURIX number - including caller phone numbers, transcripts, lead information, and call metadata.
- NOURIX processes that data only on the documented instructions of the customer and within the scope of the Data Processing Agreement (DPA / AVV) that each customer enters into with us before the service goes live.
- Callers wishing to exercise GDPR rights (Art. 15–22) in connection with a specific call should contact the business customer who operates the phone number. NOURIX will support the customer in responding to such requests.
For data that you provide to us directly as a business customer (your account, billing, dashboard usage), NOURIX is itself the controller. That processing is described in sections 2–5 and 9–15.
7. Sub-Processors
We do not sell personal data. We engage the following sub-processors strictly for the provision of the NOURIX service:
| Sub-processor | Purpose | Server location | Transfer basis |
|---|---|---|---|
| ElevenLabs, Inc. | AI voice agent (STT, LLM, TTS) - Zero Data Retention | USA (New York) | SCCs (Art. 46(2)(c) GDPR) |
| Twilio Ireland Limited | Telephony, inbound and outbound call routing (Region IE1) | Ireland (Dublin) | No third-country transfer |
| Microsoft Azure | Application hosting and database | Germany (Frankfurt) + France (Paris) | No third-country transfer |
| Microsoft Entra External ID | Authentication (login, signup, password management) | Germany | No third-country transfer |
| Stripe, Inc. | Subscription payments (PCI DSS Level 1) | USA / EU (Ireland) | EU-US DPF, SCCs |
| Brevo (Sendinblue) | Transactional email and SMS | France (Paris) | No third-country transfer |
| Google Calendar API | Optional appointment sync (with consent) | EU / USA (Google Ireland Ltd.) | EU-US DPF, SCCs |
| Umami Software, Inc. | Privacy-focused, cookieless website analytics (consent-gated, EU region) | Germany (Frankfurt) | No third-country transfer |
| GitLab Pages | Static frontend hosting (no personal data) | USA | SCCs |
Data may also be disclosed when legally required or necessary for rights protection.
8. Voice Calls and AI Transparency
NOURIX uses artificial intelligence to conduct phone conversations. In compliance with the EU AI Act and GDPR transparency requirements, callers are informed at the beginning of each call that they are speaking with an AI assistant.
Call routing: Inbound calls arrive via Twilio (telephony provider, Region IE1 / Dublin, Ireland), which opens a real-time WebSocket connection to ElevenLabs (AI provider) for speech recognition, conversation, and voice synthesis. Telephony metadata and call routing are processed exclusively in the EU; audio is processed on ElevenLabs servers in the USA.
Zero Data Retention: With ElevenLabs' Zero Data Retention setting enabled, no audio recordings, transcripts, or personal data are stored by ElevenLabs after the call ends. All processing occurs in volatile memory only.
Transcripts in our system: Call transcripts (text only, no audio files) are stored in our database (Azure, EU) to provide the business owner with call summaries and history via the dashboard.
9. Data Security
- All data in transit is encrypted via TLS/SSL
- Database connections use SSL encryption
- Authentication via industry-standard JWT tokens and OAuth 2.0
- Webhook calls from ElevenLabs and Stripe are verified via HMAC signatures
- Each business has isolated credentials for their voice agent
- Payment data is handled by PCI-compliant processors (Stripe)
However, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
10. Your Rights (GDPR)
Under the General Data Protection Regulation (GDPR/DSGVO), you have the following rights:
- Right of Access (Art. 15) - Request information about your stored personal data
- Right to Rectification (Art. 16) - Request correction of inaccurate data
- Right to Erasure (Art. 17) - Request deletion of your personal data
- Right to Restrict Processing (Art. 18) - Request limitation of data processing
- Right to Data Portability (Art. 20) - Request transfer of your data in a machine-readable format
- Right to Object (Art. 21) - Object to processing of your personal data
- Right to Withdraw Consent (Art. 7(3)) - Withdraw consent at any time
To exercise any of these rights, contact us at hallo@nourix.eu.
You also have the right to lodge a complaint with a supervisory authority. The competent authority is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany.
11. Data Retention
We retain personal data only as long as necessary for the purposes described above:
| Data category | Retention period |
|---|---|
| Account data (business owner) | Duration of the contract; deleted within 30 days after termination |
| Call transcripts | 90 days after the call, then automatic deletion |
| Lead data (caller info, appointments) | Until deleted by the business customer, or end of contract + 30 days |
| Call metadata (duration, timestamps) | 6 months |
| Server logfiles | 30 days |
| Audio at ElevenLabs | Not stored (Zero Data Retention) |
| Billing records | Up to 10 years (§§ 147 AO, 257 HGB) |
12. Data Storage Locations
- Application server: Azure Container Apps, Germany West Central (Frankfurt)
- Database: Azure PostgreSQL, France Central (Paris)
- Authentication: Microsoft Entra External ID, Germany
- Voice processing: ElevenLabs, USA (Zero Data Retention - no data stored after call)
- Telephony: Twilio Ireland Limited, Ireland (Dublin) — Region IE1, call routing and phone numbers
- Payments: Stripe, EU/USA (PCI DSS Level 1)
- Email: Brevo, France (Paris)
- Frontend hosting: GitLab Pages, USA (static files only, no personal data)
- Website analytics: Umami Software, Inc., Germany (Frankfurt) — EU region, consent-gated, cookieless
13. Cookies and Tracking
Essential cookies (no consent required): We use strictly necessary cookies for authentication (session token) and language preference storage. These cookies are essential for the service to function and cannot be disabled. Legal basis: Art. 6(1)(f) GDPR.
Analytics tracking (consent required): We use Umami Analytics, a privacy-focused, cookieless analytics tool, to understand how visitors use our website. Umami does not set tracking cookies and does not collect personal data such as names, email addresses, or precise locations. The analytics script is only loaded after you give explicit consent via the cookie banner. You can withdraw your consent at any time. Legal basis: Art. 6(1)(a) GDPR, § 25 TDDDG.
14. International Data Transfers
Some of our sub-processors (Stripe, Google, ElevenLabs, GitLab) are based in or transfer personal data to the USA. These transfers are safeguarded by the EU-US Data Privacy Framework (DPF) for sub-processors that are DPF-certified (Stripe, Google) and by EU Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR. Should any of these transfer mechanisms cease to be valid, we will promptly adopt suitable replacement safeguards and inform affected customers. For ElevenLabs specifically, the Zero Data Retention setting ensures that no personal data is persisted on US servers after processing. Twilio is contracted with Twilio Ireland Limited and operated in the IE1 (Dublin) region, so no third-country transfer takes place on the telephony layer. Umami Analytics is operated in the EU region (Germany / Frankfurt); analytics data is stored exclusively in the EU.
15. Google User Data (Calendar Integration)
When a business customer enables the optional Google Calendar integration, NOURIX accesses, uses, stores, and shares Google user data as described below. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Scopes requested
Only the minimum scopes necessary for the appointment booking feature:
- auth/calendar.events - to create appointment events on the business owner's primary calendar
- auth/calendar.events.freebusy - to read free/busy windows so the AI agent does not double-book over the existing schedule
What Google user data we access
- Free/busy time intervals on the business owner's primary calendar (start time, end time, "busy" flag - no event titles, attendees, descriptions, or any other event content)
- Calendar event IDs we created ourselves, so we can later update or delete events at the customer's request
How we use Google user data
Exclusively to:
- Propose available appointment slots during inbound phone calls
- Create appointment events when the caller confirms a booking
- Update or cancel those events if the caller calls back to reschedule or cancel
With whom we share, transfer, or disclose Google user data
- Microsoft Azure (hosting, Germany / France) - calendar event IDs and appointment metadata are stored on our Azure-hosted PostgreSQL database to power the dashboard and appointment lifecycle.
- Brevo (transactional email, France) - appointment confirmation and update emails sent to the business owner (and, if the caller opts in, to the caller) include appointment details such as date, time, address, and customer name.
We do not transfer Google user data to any other third party. Specifically:
- We do not share Google user data with ElevenLabs or any other AI / LLM provider. The voice agent never receives raw calendar content; the backend reads free/busy and returns only a list of available time windows to the agent.
- We do not use Google user data to develop, improve, or train generalized AI / ML models - ours or anyone else's.
- We do not sell Google user data, share it for advertising purposes, or disclose it to data brokers.
- We disclose Google user data only when legally required (e.g. court order) or strictly necessary to provide a feature the user explicitly requested.
Storage of OAuth tokens
OAuth refresh tokens received from Google are stored encrypted at rest in our EU-region database (Azure PostgreSQL, France Central). Tokens are deleted immediately when a customer disconnects the Google Calendar integration via the dashboard, and we additionally call Google's token revocation endpoint to invalidate them at Google.
Revocation
Customers can disconnect the integration at any time at nourix.eu/dashboard/account, or revoke access directly at myaccount.google.com/permissions.
16. Changes to This Policy
We may update this privacy policy from time to time. Changes will be posted on this page with an updated revision date. Continued use of the service after changes constitutes acceptance of the updated policy.
For privacy-related inquiries, contact us at hallo@nourix.eu.