Privacy Policy
How Flireo B.V. collects, processes, and protects personal data in connection with the HMS Sovereign Voice AI Platform.
Last updated: March 2026
This Privacy Policy describes how Flireo B.V. ("HMS Sovereign", "we", "us", or "our") collects, processes, and protects personal data in connection with the HMS Sovereign Voice AI Platform.
HMS Sovereign is a business-to-business (B2B) platform. We provide voice AI infrastructure to businesses (our "Customers"). The callers who interact with AI assistants built on HMS Sovereign are the end users of our Customers, not of HMS Sovereign directly. This distinction is important for understanding who is responsible for what under data protection law.
1. Controller and Contact
Data Controller (Platform Services)
Flireo B.V. Leeuwenbrug 89A 7411 TH Deventer Nederland KvK: 92548806
Contact: support@flireo.com
For all privacy-related questions, data subject requests, or to report a data breach, please contact us at support@flireo.com.
2. Scope
This policy covers:
- Platform users: Individuals who create an account and use the HMS Sovereign dashboard
- End-user call data: Voice call data processed on behalf of our Customers (see Section 5)
HMS Sovereign acts as:
- Data Controller for account data, billing data, and platform usage
- Data Processor for call data (audio, transcripts, recordings) processed on behalf of Customers
3. Data We Collect
3.1 Account Data (Controller)
When you register and use the HMS Sovereign dashboard:
| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Account authentication, notifications | Contract (Art. 6(1)(b) GDPR) |
| Name | Account identification | Contract (Art. 6(1)(b) GDPR) |
| Organization name | Account management | Contract (Art. 6(1)(b) GDPR) |
| Billing address | Invoicing and tax compliance | Legal obligation (Art. 6(1)(c) GDPR) |
| Payment information | Payment processing via Stripe | Contract (Art. 6(1)(b) GDPR) |
| API keys (BYOK) | Stored encrypted in Vault | Contract (Art. 6(1)(b) GDPR) |
| Usage logs | Billing, fraud prevention, platform improvement | Legitimate interest (Art. 6(1)(f) GDPR) |
3.2 Call Data (Processor)
When callers interact with AI assistants built on HMS Sovereign, the following data may be processed on behalf of the Customer:
| Data | Description |
|---|---|
| Voice audio | Caller's speech, used for speech-to-text transcription |
| Transcripts | Text transcription of the conversation |
| Call recordings | Audio recording of the full call (if enabled by Customer) |
| Phone numbers | Caller and recipient phone numbers |
| Call metadata | Duration, timestamps, end reason, assistant used |
| Structured analysis | Post-call AI-generated analysis (if configured by Customer) |
Customers control what data is collected through their assistant configuration. Customers can disable recording and transcript storage entirely using GDPR Mode (see Section 8).
3.3 Technical Data
| Data | Purpose |
|---|---|
| IP addresses | Security, fraud prevention |
| Browser/device info | Dashboard functionality |
| Error and performance data | Platform reliability (via Sentry) |
| Dashboard usage patterns | Product improvement |
4. How We Use Your Data
Platform Accounts
- Providing, maintaining, and improving the HMS Sovereign platform
- Processing payments and managing billing
- Sending transactional emails (account confirmations, invoices, alerts)
- Responding to support requests
- Detecting and preventing abuse or fraud
- Complying with legal obligations
Call Data (on behalf of Customers)
We process call data strictly according to Customer instructions. Customers determine the purposes and means of processing call data. We act as a data processor under Art. 28 GDPR for this data.
5. Our Role as Data Processor
For voice call data, HMS Sovereign acts as a data processor under Art. 28 GDPR. Our Customers are the data controllers for their callers' data. This means:
- Customers are responsible for having a lawful basis for processing caller data
- Customers must provide appropriate privacy notices to their callers
- HMS Sovereign processes call data only according to Customer configuration
- Customers can use the Recording Consent feature to obtain explicit caller consent before any processing begins
- Customers can enable GDPR Mode to prevent transcript and recording storage
We offer a Data Processing Agreement (DPA) to all Customers. Contact support@flireo.com to request one.
6. Data Sharing and Subprocessors
We share data with the following categories of third parties:
6.1 Infrastructure and Platform
| Subprocessor | Role | Location | Data Processed |
|---|---|---|---|
| Hetzner Online GmbH | Server hosting | Germany π©πͺ | All platform data |
| Supabase (self-hosted) | Database | Germany π©πͺ (our servers) | Account data, call records |
6.2 AI Providers (BYOK β Customer's own keys)
When Customers configure their own API keys (BYOK), their call data is sent to the AI providers they have chosen. HMS Sovereign does not control these providers' data practices. Customers are responsible for their own DPAs with these providers.
Common providers include:
| Provider | Role | HQ |
|---|---|---|
| OpenAI | Language Model (LLM) | United States πΊπΈ |
| Mistral AI | Language Model (LLM) / STT | France π«π· |
| Deepgram | Speech-to-Text (STT) | United States πΊπΈ |
| ElevenLabs | Text-to-Speech (TTS) / STT | United States πΊπΈ |
| Gladia | Speech-to-Text (STT) | France π«π· |
| xAI | Realtime speech-to-speech | United States πΊπΈ |
| Inworld | Text-to-Speech (TTS) | United States πΊπΈ |
When no BYOK keys are configured, HMS Sovereign uses local AI models running on our own EU-hosted servers (Piper TTS, Whisper STT, vLLM).
6.3 Platform Services
| Subprocessor | Role | Location | Data Processed |
|---|---|---|---|
| Stripe | Payment processing | United States / Ireland | Billing data |
| Vercel | Dashboard hosting | United States (EU datacenter) | Dashboard traffic |
| Sentry | Error monitoring | United States (EU datacenter) | Error data, stack traces |
| Upstash | Redis caching / rate limiting | United States / EU | Session data, rate limit counters |
| Deepgram | STT tokens for web calls | United States | Audio (web calls only) |
| Resend | Transactional email | United States | Email addresses |
| LiveKit | WebRTC signaling | Depends on setup | Call signaling data |
6.4 Transfers Outside the EU
Several subprocessors are based in the United States. For these transfers, we rely on:
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- Adequacy decisions where applicable
Customers who require all data to remain within the EU can configure the EU Stack (Gladia + Mistral + Local TTS) or deploy HMS Sovereign fully on-premise. See our EU Data Sovereignty documentation.
7. Data Retention
Account Data
| Data | Retention Period |
|---|---|
| Account information | Duration of account + 2 years after deletion |
| Billing records and invoices | 7 years (legal obligation) |
| API keys (BYOK) | Until deleted by Customer |
Call Data
| Data | Default Retention |
|---|---|
| Call recordings | 90 days |
| Transcripts | 90 days |
| Call metadata (duration, timestamps) | 2 years |
| Usage logs (billing) | 2 years |
Customers may request earlier deletion by contacting support@flireo.com. When GDPR Mode is enabled, recordings and transcripts are never stored and there is no retention period to apply.
8. Privacy Features
Recording Consent (DTMF Opt-In)
HMS Sovereign offers a built-in consent flow. When enabled by a Customer, callers must press 1 to agree before any AI processing or recording begins. If the caller presses 2 or does not respond, the call ends and no data is processed. See our Privacy & Compliance Features documentation.
GDPR Mode
Customers can enable GDPR Mode per assistant. When active, no transcript, recording, or call summary is stored. Only billing metadata (duration, timestamps) is retained. The end-of-call webhook is sent with a minimal payload containing no conversation content.
9. Your Rights (GDPR)
If you are an individual whose data is processed by HMS Sovereign as a data controller (i.e., you are a dashboard user), you have the following rights under the GDPR:
| Right | Description |
|---|---|
| Access (Art. 15) | Request a copy of your personal data |
| Rectification (Art. 16) | Correct inaccurate or incomplete data |
| Erasure (Art. 17) | Request deletion of your personal data |
| Restriction (Art. 18) | Restrict how we process your data |
| Portability (Art. 20) | Receive your data in a machine-readable format |
| Objection (Art. 21) | Object to processing based on legitimate interest |
| Withdraw consent (Art. 7(3)) | Withdraw consent at any time where processing is based on consent |
To exercise any of these rights, contact us at support@flireo.com.
Callers (end users of our Customers' AI assistants) should direct their requests to the Customer whose assistant they interacted with, as that Customer is the data controller for their call data.
You also have the right to lodge a complaint with a supervisory authority. In the Netherlands, this is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
10. Security
We implement appropriate technical and organizational measures to protect personal data, including:
- Encryption of data at rest and in transit (TLS 1.2+)
- API keys stored in encrypted Vault (not in plaintext in the database)
- Access controls and authentication requirements
- Error monitoring with PII scrubbing (Sentry configured with
send_default_pii=False) - Regular dependency security audits
To report a security vulnerability or data breach, contact support@flireo.com.
11. Cookies and Tracking
The HMS Sovereign dashboard uses:
- Functional cookies: Required for authentication and session management
- Error tracking: Sentry for platform reliability (no advertising tracking)
We do not use advertising cookies or sell data to third parties.
12. Children
HMS Sovereign is a B2B platform intended for business use. We do not knowingly collect personal data from individuals under the age of 16.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify Customers of material changes via email or a notice in the dashboard. The "last updated" date at the top of this policy reflects the most recent revision.
14. Contact
For all privacy-related questions, requests, or concerns:
Flireo B.V. Leeuwenbrug 89A, 7411 TH Deventer, Nederland KvK: 92548806 support@flireo.com
We aim to respond to all requests within 30 days.
EU Data Sovereignty
EU-hosted voice AI with strong data residency guarantees, processing and storing data exclusively within the European Union.
Voice Selection Psychology
How voice selection impacts caller behavior and why slightly robotic voices can outperform natural voices in transactional use cases.