This Privacy Policy describes how Flireo B.V. ("HMS Sovereign", "we", "us", or "our") collects, processes, and protects personal data in connection with the HMS Sovereign Voice AI Platform.

HMS Sovereign is a business-to-business (B2B) platform. We provide voice AI infrastructure to businesses (our "Customers"). The callers who interact with AI assistants built on HMS Sovereign are the end users of our Customers, not of HMS Sovereign directly. This distinction is important for understanding who is responsible for what under data protection law.
Data Controller (Platform Services)
Flireo B.V.
Leeuwenbrug 89A
7411 TH Deventer
Nederland
KvK: 92548806

For all privacy-related questions, data subject requests, or to report a data breach, please contact us at support@flireo.com.
2. Scope
Platform users: Individuals who create an account and use the HMS Sovereign dashboard
End-user call data: Voice call data processed on behalf of our Customers (see Section 5)
Data Controller for account data, billing data, and platform usage
Data Processor for call data (audio, transcripts, recordings) processed on behalf of Customers
3. Data We Collect
3.1 Account Data (Controller)
When you register and use the HMS Sovereign dashboard:

| Data | Purpose | Legal Basis |
|---|---|---|
| Email address | Account authentication, notifications | Contract (Art. 6(1)(b) GDPR) |
| Name | Account identification | Contract (Art. 6(1)(b) GDPR) |
| Organization name | Account management | Contract (Art. 6(1)(b) GDPR) |
| Billing address | Invoicing and tax compliance | Legal obligation (Art. 6(1)(c) GDPR) |
| Payment information | Payment processing via Stripe | Contract (Art. 6(1)(b) GDPR) |
| API keys (BYOK) | Stored encrypted in Vault | Contract (Art. 6(1)(b) GDPR) |
| Usage logs | Billing, fraud prevention, platform improvement | Legitimate interest (Art. 6(1)(f) GDPR) |
3.2 Call Data (Processor)
When callers interact with AI assistants built on HMS Sovereign, the following data may be processed on behalf of the Customer:

| Data | Description |
|---|---|
| Voice audio | Caller's speech, used for speech-to-text transcription |
| Transcripts | Text transcription of the conversation |
| Call recordings | Audio recording of the full call (if enabled by Customer) |
| Phone numbers | Caller and recipient phone numbers |
| Call metadata | Duration, timestamps, end reason, assistant used |
| Structured analysis | Post-call AI-generated analysis (if configured by Customer) |
Customers control what data is collected through their assistant configuration. Customers can disable recording and transcript storage entirely using GDPR Mode (see Section 8).

3.3 Technical Data

| Data | Purpose |
|---|---|
| IP addresses | Security, fraud prevention |
| Browser/device info | Dashboard functionality |
| Error and performance data | Platform reliability (via Sentry) |
| Dashboard usage patterns | Product improvement |
4. How We Use Your Data
Providing, maintaining, and improving the HMS Sovereign platform
Processing payments and managing billing
Sending transactional emails (account confirmations, invoices, alerts)
Responding to support requests
Detecting and preventing abuse or fraud
Complying with legal obligations
Call Data (on behalf of Customers)
We process call data strictly according to Customer instructions. Customers determine the purposes and means of processing call data. We act as a data processor under Art. 28 GDPR for this data.
5. Our Role as Data Processor
For voice call data, HMS Sovereign acts as a data processor under Art. 28 GDPR. Our Customers are the data controllers for their callers' data. This means:
Customers are responsible for having a lawful basis for processing caller data
Customers must provide appropriate privacy notices to their callers
HMS Sovereign processes call data only according to Customer configuration
Customers can use the Recording Consent feature to obtain explicit caller consent before any processing begins
Customers can enable GDPR Mode to prevent transcript and recording storage
We offer a Data Processing Agreement (DPA) to all Customers. Contact support@flireo.com to request one.
6. Data Sharing and Subprocessors
We share data with the following categories of third parties:

| Subprocessor | Role | Location | Data Processed |
|---|---|---|---|
| Hetzner Online GmbH | Server hosting | Germany 🇩🇪 | All platform data |
| Supabase (self-hosted) | Database | Germany 🇩🇪 (our servers) | Account data, call records |
6.2 AI Providers (BYOK – Customer's own keys)
When Customers configure their own API keys (BYOK), their call data is sent to the AI providers they have chosen. HMS Sovereign does not control these providers' data practices. Customers are responsible for their own DPAs with these providers.

Common providers include:

| Provider | Role | HQ |
|---|---|---|
| OpenAI | Language Model (LLM) | United States 🇺🇸 |
| Mistral AI | Language Model (LLM) / STT | France 🇫🇷 |
| Deepgram | Speech-to-Text (STT) | United States 🇺🇸 |
| ElevenLabs | Text-to-Speech (TTS) / STT | United States 🇺🇸 |
| Gladia | Speech-to-Text (STT) | France 🇫🇷 |
| xAI | Realtime speech-to-speech | United States 🇺🇸 |
| Inworld | Text-to-Speech (TTS) | United States 🇺🇸 |

When no BYOK keys are configured, HMS Sovereign uses local AI models running on our own EU-hosted servers (Piper TTS, Whisper STT, vLLM).

| Subprocessor | Role | Location | Data Processed |
|---|---|---|---|
| Stripe | Payment processing | United States / Ireland | Billing data |
| Vercel | Dashboard hosting | United States (EU datacenter) | Dashboard traffic |
| Sentry | Error monitoring | United States (EU datacenter) | Error data, stack traces |
| Upstash | Redis caching / rate limiting | United States / EU | Session data, rate limit counters |
| Deepgram | STT tokens for web calls | United States | Audio (web calls only) |
| Resend | Transactional email | United States | Email addresses |
| LiveKit | WebRTC signaling | Depends on setup | Call signaling data |
6.4 Transfers Outside the EU
Several subprocessors are based in the United States. For these transfers, we rely on:
Standard Contractual Clauses (SCCs) as approved by the European Commission
Adequacy decisions where applicable
Customers who require all data to remain within the EU can configure the EU Stack (Gladia + Mistral + Local TTS) or deploy HMS Sovereign fully on-premise. See our EU Data Sovereignty documentation.
7. Data Retention
Account Data

| Data | Retention Period |
|---|---|
| Account information | Duration of account + 2 years after deletion |
| Billing records and invoices | 7 years (legal obligation) |
| API keys (BYOK) | Until deleted by Customer |
Call Data

| Data | Default Retention |
|---|---|
| Call recordings | 90 days |
| Transcripts | 90 days |
| Call metadata (duration, timestamps) | 2 years |
| Usage logs (billing) | 2 years |
Customers may request earlier deletion by contacting support@flireo.com. When GDPR Mode is enabled, recordings and transcripts are never stored and there is no retention period to apply.
8. Privacy Features
Recording Consent (DTMF Opt-In)
HMS Sovereign offers a built-in consent flow. When enabled by a Customer, callers must press 1 to agree before any AI processing or recording begins. If the caller presses 2 or does not respond, the call ends and no data is processed. See our Privacy & Compliance Features documentation.

GDPR Mode
Customers can enable GDPR Mode per assistant. When active, no transcript, recording, or call summary is stored. Only billing metadata (duration, timestamps) is retained. The end-of-call webhook is sent with a minimal payload containing no conversation content.
9. Your Rights (GDPR)
If you are an individual whose data is processed by HMS Sovereign as a data controller (i.e., you are a dashboard user), you have the following rights under the GDPR:

| Right | Description |
|---|---|
| Access (Art. 15) | Request a copy of your personal data |
| Rectification (Art. 16) | Correct inaccurate or incomplete data |
| Erasure (Art. 17) | Request deletion of your personal data |
| Restriction (Art. 18) | Restrict how we process your data |
| Portability (Art. 20) | Receive your data in a machine-readable format |
| Objection (Art. 21) | Object to processing based on legitimate interest |
| Withdraw consent (Art. 7(3)) | Withdraw consent at any time where processing is based on consent |
Callers (end users of our Customers' AI assistants) should direct their requests to the Customer whose assistant they interacted with, as that Customer is the data controller for their call data.

You also have the right to lodge a complaint with a supervisory authority. In the Netherlands, this is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
10. Security
We implement appropriate technical and organizational measures to protect personal data, including:
Encryption of data at rest and in transit (TLS 1.2+)
API keys stored in encrypted Vault (not in plaintext in the database)
Access controls and authentication requirements
Error monitoring with PII scrubbing (Sentry configured with send_default_pii=False)
Regular dependency security audits
11. Cookies and Tracking
The HMS Sovereign dashboard uses:
Functional cookies: Required for authentication and session management
Error tracking: Sentry for platform reliability (no advertising tracking)
We do not use advertising cookies or sell data to third parties.
12. Children
HMS Sovereign is a B2B platform intended for business use. We do not knowingly collect personal data from individuals under the age of 16.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify Customers of material changes via email or a notice in the dashboard. The "last updated" date at the top of this policy reflects the most recent revision.
For all privacy-related questions, requests, or concerns:

We aim to respond to all requests within 30 days.

Modified at 2026-03-27 15:39:10