Privacy Policy
Effective Date: May 22, 2026
Last Updated: May 22, 2026
This Privacy Policy explains how Rekva LLC ("Rekva," "we," "us," or "our") collects, uses, shares, and protects information when you use our AI voice agent platform available at rekva.ai (the "Service"). It also describes your rights regarding that information.
Our Service is a business-to-business (B2B) platform. Our direct customers are businesses ("Customers"). However, because the platform handles phone calls from consumers ("End Users") on behalf of those businesses, consumer privacy laws — including the California Consumer Privacy Act (CCPA) and certain provisions of the GDPR — apply to End User data we process.
If you have questions about this policy, contact us at [email protected].
1. Who We Are
Rekva LLC is a New Jersey single-member limited liability company that provides an AI-powered voice agent platform for appointment-based service businesses.
- Legal name: Rekva LLC
- Jurisdiction: New Jersey, USA
- General contact: [email protected]
- Privacy inquiries: [email protected]
- HIPAA inquiries: [email protected]
- Primary domain: rekva.ai
2. Information We Collect
2a. Account Data (from Customers)
When a business signs up for Rekva, we collect information needed to create and manage that account:
- Business name, address, and industry
- Contact person's name, email address, and phone number
- Billing information (processed by Stripe — we do not store raw card numbers)
- Account credentials (hashed passwords)
- Configuration data (phone numbers, calendar integrations, agent scripts)
2b. Call Data (from End Users)
When our AI voice agent handles a call on behalf of a Customer, we collect:
- Caller phone number
- Voice recording of the call
- Automated transcript of the conversation
- Appointment details (date, time, service type) extracted from the call
- Any information the caller provides during the call (e.g., name, reason for visit, preferences)
The AI voice agent ("Olivia") discloses at the opening of every call that the call may be recorded. End Users who do not wish to be recorded may hang up and call the business directly.
2c. Usage Data
We automatically collect technical information when the Service is used:
- IP addresses and general geographic region
- Browser type and operating system
- Pages viewed, clicks, and session duration on rekva.ai
- API request logs, system error logs, and performance metrics
2d. Cookies and Web Analytics
We use Cloudflare Web Analytics on rekva.ai, which is a privacy-focused analytics tool that does not use cookies, does not set client-side identifiers, and does not collect personally identifiable information (PII). We do not use third-party advertising cookies, tracking pixels, or behavioral ad targeting.
3. How We Use Information
We use the information we collect for the following purposes:
- Service delivery: Providing, operating, and maintaining the AI voice agent platform for our Customers.
- Call handling: Processing voice calls, generating transcripts, and booking or confirming appointments.
- Billing and payments: Processing subscription fees and overages through Stripe.
- Account management: Authenticating users, managing Customer accounts, and providing customer support.
- Fraud prevention and security: Detecting abuse, unauthorized access, and fraudulent activity.
- Product improvement: Analyzing aggregated, de-identified usage patterns to improve the accuracy and quality of the Service. We do not use individual End User call content to train AI models for third parties.
- Legal compliance: Complying with applicable laws, responding to lawful requests, and enforcing our agreements.
- Communications: Sending Customers transactional and service-related emails (billing receipts, alerts, updates).
4. Legal Bases for Processing
We process personal information under the following legal bases:
- Contract performance: Processing Customer account data, billing data, and call data necessary to deliver the Service under our Terms of Service.
- Legitimate interests: Processing usage data, security logs, and aggregated analytics to operate, secure, and improve the Service, where these interests are not overridden by individuals' rights.
- Consent: Recording End User phone calls, disclosed via verbal notice at the start of each call. End Users may hang up to decline recording.
- Legal obligation: Retaining records as required by applicable law (tax, financial, regulatory).
5. Call Recording Disclosure
Rekva's AI voice agent discloses at the start of every call that the call is being recorded. This disclosure satisfies the one-party consent requirement applicable in most US states and provides notice under two-party (all-party) consent states including California, Florida, Illinois, Maryland, Massachusetts, Nevada, New Hampshire, Oregon, Pennsylvania, and Washington.
Because Rekva operates nationally and callers may be located in any state, we apply a multi-state notice-and-consent posture: every call receives an explicit recording disclosure before substantive conversation begins. Customers are responsible for ensuring that their use of the platform complies with any additional state-specific recording laws applicable to their industry or jurisdiction.
6. Sharing Information with Subprocessors
We do not sell personal information. We do not share personal information with third parties for their own marketing purposes. We share information only with the subprocessors listed below, each of which is contractually bound to use data solely to provide services to Rekva.
| Subprocessor | Purpose | Location |
|---|---|---|
| Cloudflare | CDN, DNS, DDoS protection, web analytics | US / Global |
| Stripe | Payment processing and billing | US |
| Google Workspace | Business email and administrative tools | US |
| Twilio | Telephony infrastructure, SMS delivery | US |
| Retell AI | Voice agent runtime platform | US |
| ElevenLabs | Voice synthesis (via Retell AI) | US |
| OpenAI / Anthropic | Large language model inference (via Retell AI) | US |
| Resend | Transactional email delivery — does not process PHI | US |
| Supabase | Database and backend infrastructure | US |
| Cal.com | Appointment scheduling infrastructure | US |
| Apollo.io | Sales prospecting — business contact data only, never End User PHI | US |
| Instantly.ai | Outbound sales email — business contact data only, never End User PHI | US |
We may also share information where required by law, court order, or governmental authority; to protect the safety and security of individuals; or in connection with a business transfer (merger, acquisition, or sale of assets), with appropriate confidentiality protections.
7. Data Retention
We retain different categories of data for different periods:
- Call recordings: 90 days from the date of the call (default). Customers may request shorter retention periods.
- Call transcripts: 1 year from the date of the call.
- Account data (Customer): For the duration of the Customer relationship, plus 7 years after account closure for tax, legal, and regulatory compliance purposes.
- Usage and log data: Up to 90 days for operational logs; aggregated metrics may be retained indefinitely in de-identified form.
- Billing records: 7 years as required by US tax law.
When retention periods expire, we securely delete or de-identify the relevant data. Customers may request early deletion of their data and their End Users' data, subject to legal hold requirements.
8. Security
We implement the following security measures to protect personal information:
- Encryption in transit: All data transmitted between users and our services uses TLS 1.2 or higher.
- Encryption at rest: Data stored in our databases (Supabase) is encrypted at rest using AES-256.
- Access controls: Access to personal data is limited to personnel who need it to perform their job functions. We use role-based access controls and require multi-factor authentication for administrative access.
- Subprocessor security inheritance: Our core subprocessors (including Cloudflare, Stripe, Google Workspace, Twilio, and Retell AI) maintain SOC 2 Type II or equivalent security certifications. Rekva itself does not currently hold independent SOC 2 certification.
- Breach response: In the event of a data breach, we will notify affected parties as required by applicable law.
No system is perfectly secure. We cannot guarantee absolute security, but we are committed to maintaining industry-standard protections.
9. Your California Privacy Rights (CCPA / CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
Right to Know
You have the right to request information about the categories and specific pieces of personal information we have collected about you, the sources of that information, our business purposes for collecting it, and the categories of third parties with whom we share it.
Right to Delete
You have the right to request deletion of personal information we have collected about you, subject to certain exceptions (e.g., legal obligations, ongoing service delivery).
Right to Correct
You have the right to request correction of inaccurate personal information.
Right to Opt Out of Sale or Sharing
We do not sell your personal information, and we do not share it for cross-context behavioral advertising. You do not need to opt out because we do not engage in these activities.
Right to Non-Discrimination
We will not discriminate against you for exercising any of your CCPA rights.
How to Submit a Request
Email [email protected] with "California Privacy Request" in the subject line. We will respond within 45 days. We may need to verify your identity before fulfilling certain requests.
Note for End Users: If you are a consumer who called a business that uses Rekva, we are processing your data as a service provider on behalf of that business. You should direct your requests to the business that operates the phone number you called. We will assist that business in fulfilling your rights as required.
10. Your Rights Under GDPR and UK GDPR
Although Rekva currently serves US-based customers only, we include this section in recognition of forward-looking compliance and any future expansion. If you are located in the European Economic Area (EEA) or United Kingdom, you may have the following rights under the General Data Protection Regulation (GDPR) or UK GDPR:
Data Subject Rights
- Access: Request a copy of the personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure ("right to be forgotten"): Request deletion of your data, where no legal basis for continued retention applies.
- Data portability: Receive your data in a structured, machine-readable format.
- Restriction of processing: Request that we limit how we use your data in certain circumstances.
- Objection: Object to processing based on legitimate interests or for direct marketing purposes.
- Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
Data Protection Officer
Rekva LLC does not currently have a designated Data Protection Officer. Privacy inquiries may be directed to [email protected].
Supervisory Authority
If you believe we have not handled your data lawfully, you have the right to lodge a complaint with your national data protection supervisory authority (e.g., the ICO in the UK, or the relevant EU Member State authority).
International Data Transfers
Our subprocessors are primarily located in the United States. Where personal data originating from the EEA or UK is transferred to the US or other countries, we rely on appropriate transfer mechanisms, including Standard Contractual Clauses (SCCs) where applicable, to ensure an adequate level of protection.
11. Children's Privacy
The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have inadvertently collected such information, we will delete it promptly. If you believe a child under 13 has submitted personal information to us, please contact [email protected].
12. HIPAA
When our Customers are Covered Entities under the Health Insurance Portability and Accountability Act (HIPAA) — such as dental practices, medical offices, or other healthcare providers — Rekva acts as a Business Associate under HIPAA with respect to any Protected Health Information (PHI) processed through the Service.
We offer a Business Associate Agreement (BAA) to Covered Entity customers upon written request. Customers must request and execute a BAA before using the Service for any workflow that involves PHI. To request a BAA, email [email protected].
For more information about our HIPAA posture, subprocessors with BAAs, and Customer obligations, see our HIPAA Notice.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify Customers via email and update the "Last Updated" date at the top of this page. We encourage you to review this policy periodically.
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy.
14. Contact Us
For questions, concerns, or requests related to this Privacy Policy:
- Email: [email protected]
- General: [email protected]
We aim to respond to all privacy inquiries within 30 days.