Legal
Privacy Policy
Effective date: July 15, 2026
This Privacy Policy explains how CallBro (legal entity details to be provided before launch) (“CallBro,” “we,” “us”) processes personal information in connection with the CallBro desktop application and support correspondence. Contact us at info@callbro.ai.
This policy describes the current local-first product. It does not promise legal compliance in every jurisdiction. Before launch, counsel must review the controller identity, address, applicable representative or DPO details, recording-consent design, regional availability controls, vendors, and production configuration.
1. Local-first processing
CallBro is designed to operate without a CallBro account and without a CallBro-hosted backend for your core content. Your selected local Vault may contain transcripts, notes, enhanced notes, task and memory files, metadata, and any audio file you choose to import or save there. Your local operating system, disk encryption, file permissions, backups, and any sync location you choose protect that Vault; CallBro does not encrypt Vault files at the application layer.
During a live recording, audio is processed in memory by the selected transcription path. When local transcription is selected, audio is processed on your device. If you choose a cloud transcription provider, such as Soniox, audio and related data are sent directly to that provider. Imported audio may be copied into your Vault if you choose to retain it.
2. Information we process
- Content and local files: audio, transcripts, notes, summaries, tasks, memory, attachments, and file metadata that you create, import, or retain in your Vault.
- Settings and credentials: preferences, Vault locations, application settings, API keys for providers you configure, and local MCP credentials. In the current app, certain secrets and tokens are stored in the application data directory and are not encrypted at rest by CallBro.
- Third-party integration data: information you send to an ASR, LLM, agent, or external MCP provider that you choose to configure. Depending on the feature, this can include audio, transcripts, notes, prompts, or tool requests.
- Desktop app telemetry: anonymized or pseudonymous product-usage and diagnostic data used to understand and improve the CallBro desktop application. Production releases enable PostHog analytics by default in the app. Users will be able to disable this telemetry in the application settings. If enabled, telemetry may include app version, platform, feature and lifecycle events, and interaction data; session-replay and report-content behavior must be reviewed against the production configuration before release.
- Website analytics (callbro.ai): when you visit our marketing website, we may use Google Analytics and PostHog (EU cloud) to understand how the site is used. Depending on your cookie preferences, this may include page views, download-button clicks, pseudonymous identifiers, device and browser information, and IP or network metadata. PostHog may also record anonymized session replays with inputs and on-page text masked by default. Website analytics is separate from desktop-app telemetry and can be disabled or withdrawn at any time through the Cookies control in the site footer.
- Network and technical data: IP address, device and network information, and request metadata that third-party providers or update/download hosts necessarily receive when you connect to them.
- Support correspondence: your name, email address, and the information you send to info@callbro.ai.
3. Website analytics
Our marketing website at callbro.ai uses optional analytics cookies and similar technologies through Google Analytics and PostHog hosted in the EU. Until you make a cookie choice, analytics cookies may be enabled by default on the website. You can reject non-essential cookies, change your preferences, or withdraw consent at any time using the Cookies link in the site footer.
When enabled, website analytics may collect page views, download-button interactions, pseudonymous identifiers, browser and device information, and IP or network metadata needed to operate the service. PostHog session replay may record how visitors interact with the site; inputs and on-page text are masked by default in our configuration. We do not use website analytics for cross-context behavioral advertising.
4. Sources, purposes, and legal bases
We receive information directly from you, from your use of the application, and from providers you choose to connect. We process it to provide local application functions at your direction; maintain, secure, troubleshoot, and improve the Software; respond to support requests; meet legal obligations; and protect users and CallBro from fraud, abuse, or security threats.
Where GDPR or UK data-protection law applies, our legal bases are: performance of a contract or steps at your request; our legitimate interests in operating, securing, supporting, and improving the Software, balanced against your rights; your consent where required, including for optional processing; and compliance with legal obligations. You may withdraw consent at any time, without affecting processing before withdrawal.
5. Recipients and disclosures
We disclose information only as needed for the purposes above: to providers you choose to configure; to analytics providers when telemetry is enabled; to release, update, model-download, and support providers; to professional advisers and authorities where legally required; and as part of a corporate transaction, subject to applicable law.
CallBro does not sell personal information and does not share personal information for cross-context behavioral advertising. We do not claim that no third party receives information: a configured provider, enabled analytics service, or user-selected Vault sync/backup service may receive data according to its own terms and policies.
6. Retention
Local Vault content remains on your device or chosen storage location until you delete it, subject to your backups and sync settings. Credentials and preferences remain locally until you remove them or uninstall/delete application data. We retain support correspondence and CallBro-controlled telemetry only for as long as reasonably necessary for the purposes described above, including support, security, legal, and accounting needs. Production retention settings will be documented before release where they apply.
7. International transfers
Your selected providers, analytics service, and download/update services may process information outside your country. Where legally required for CallBro-controlled transfers, we will use an appropriate transfer mechanism and supplementary safeguards. Before CallBro offers any cloud sync, CallBro-hosted cloud ASR, or CallBro-hosted cloud LLM, it will publish applicable data-processing terms, transfer information, and a current subprocessor list.
8. Your rights
Depending on where you live, you may have rights to request access, correction, deletion, restriction, objection, portability, or information about processing; to withdraw consent; and to complain to a data-protection authority. Because local Vault content is generally controlled by you, you can directly access, export, change, or delete it from your device. For CallBro-controlled data, contact info@callbro.ai. We may ask for information to verify your request and will respond as required by law.
If you are in the EEA or UK, you may also complain to your local supervisory authority. EU/UK representative and DPO information, if required, will be added before launch.
9. Automated processing
CallBro may use automated transcription and AI-assisted features to generate text, summaries, or suggestions. These outputs can be inaccurate and are not decisions producing legal or similarly significant effects about you. Review outputs before relying on or sharing them.
10. Security
CallBro uses measures designed to protect the application, including local-only App-MCP binding, bearer-token authentication for that local service, path-confinement checks, signed updates where supported, and credential redaction in logs. These measures do not eliminate risk. Local files and certain application settings are not encrypted by CallBro at rest, and any process or person with access to your device or selected storage may be able to access them. Keep your device protected, review third-party services before enabling them, and protect local MCP credentials like passwords.
11. California and other US notices
Notice at collection. We collect the categories described in Section 2 for the purposes described in Section 3. These may include identifiers (such as support contact details and device or online identifiers), internet or network activity, application usage information, audio or other electronic information you choose to process, and inferences or outputs generated by the Software. The exact categories depend on the production release, settings, and integrations you use.
Last 12 months. In the 12 months preceding publication, CallBro’s production practices must be verified against this policy before release. The local-first product is designed to process core content on your device; CallBro does not sell personal information or share it for cross-context behavioral advertising. If enabled, analytics and support services may receive the categories stated above to operate and improve the product.
Anyone may request to know, access, correct, or delete personal information that CallBro holds by emailing info@callbro.ai. Authorized agents may submit requests where permitted by law and subject to verification. This does not limit any additional rights available under applicable law.
12. Changes and contact
We may update this policy when our practices, product, or legal requirements change. We will publish the revised effective date here and, for material changes, provide additional notice where appropriate. Version 1.2 — effective July 15, 2026.
For privacy questions or requests, contact info@callbro.ai.