Privacy Policy

Effective: 5 June 2026

1. Controller

The controller responsible for processing personal data on this website and within the fonea service is:

kraftscale GmbH
Aastrasse 8
8853 Lachen SZ
Switzerland

CHE-155.650.863
Email: privacy@fonea.ai

Managing Director: Semir Jahic

kraftscale GmbH is established in Switzerland. Switzerland is recognised by the European Commission and the United Kingdom as providing an adequate level of data protection. Where we process the personal data of individuals in the EU and the UK, we do so in accordance with the EU General Data Protection Regulation (GDPR) and the UK GDPR.

2. Scope

This Privacy Policy applies to the website fonea.ai and all subpages, as well as to the fonea AI phone assistant service, which answers and processes incoming phone calls on behalf of our customers.

It is addressed to our customers (businesses using fonea), callers who interact with our AI phone assistant, and website visitors.

3. Data We Collect

3.1 Website Visitors

We use Plausible Analytics for website usage analysis. Plausible does not collect personal data, does not use cookies, and does not store IP addresses. Only aggregated, anonymous usage statistics are collected. Our website does not use tracking cookies or third-party advertising cookies.

3.2 Customers (Businesses Using fonea)

When registering for and using our service, we collect contact details (name, email address, phone number), company details (company name, address, VAT/registration number), billing data, configuration data (assistant settings, greetings, forwarding rules), and usage data (number of calls, call duration, usage statistics).

3.3 Callers (Persons Calling a fonea Customer)

When a person calls a business that uses fonea, the following data is processed: the caller's phone number (transmitted by the telephone network), the call transcription (spoken content converted to text in real time), an AI-generated call summary, and metadata (date, time, duration of the call).

3.4 Voice Recordings

By default, no voice recordings are stored. The audio signal is processed exclusively in real time (speech-to-text) and discarded immediately thereafter. No persistent audio storage takes place.

If a customer activates the optional call-recording feature, the caller is explicitly informed at the beginning of the call and asked for consent. Only upon explicit verbal consent is the call recorded. Recordings are stored encrypted and automatically deleted after the configured retention period.

4. Purposes of Processing

We process personal data to deliver the service (answering and processing calls, creating transcriptions and summaries, forwarding messages), to manage the customer relationship (contract management, invoicing, support), for technical operation (availability, security, troubleshooting, monitoring), and to comply with legal obligations.

5. Legal Basis (GDPR / UK GDPR)

Personal data is processed on the following legal bases under Art. 6 GDPR (and the equivalent provisions of the UK GDPR):

  • Performance of a contract (Art. 6(1)(b)): processing in the context of delivering the service to our customers and pre-contractual steps.
  • Legitimate interests (Art. 6(1)(f)): technical operation, security, troubleshooting, and the handling of inbound calls so that callers reach the business they contacted. Our legitimate interests are balanced against the rights and freedoms of data subjects.
  • Consent (Art. 6(1)(a)): explicit consent is obtained for the optional storage of voice recordings, and may be withdrawn at any time.
  • Legal obligation (Art. 6(1)(c)): where processing is required to comply with the law.

6. Special Categories of Data

6.1 Voice and Speech Processing

fonea processes audio signals exclusively on a transient basis — the audio is converted to text in real time and discarded immediately. No voiceprints are created and no voice recognition is used to identify callers. No biometric profiles are created or stored.

6.2 Potentially Sensitive Call Content

Calls to medical practices, law firms, or other businesses in regulated sectors may contain special-category data (e.g. health data within the meaning of Art. 9 GDPR). Our customers, as controllers, are responsible for ensuring an appropriate lawful basis under Art. 9 GDPR and compatibility with their professional secrecy obligations.

7. AI Processing and Transparency

fonea uses artificial intelligence to process calls: speech-to-text converts the audio to text in real time; a large language model (LLM) generates responses based on the customer's configured instructions; and text-to-speech renders responses as spoken language.

In line with the transparency obligation in Article 50 of the EU AI Act (Regulation (EU) 2024/1689), every caller is informed at the beginning of the call that they are speaking with an AI assistant. This disclosure is the first statement in every call and cannot be disabled.

No automated decisions producing legal or similarly significant effects within the meaning of Art. 22 GDPR are taken in respect of the caller. A transfer to a human is available at any time upon request.

8. Disclosure to Third Parties

We only disclose personal data to third parties (processors) where necessary to provide our service. A complete list of our sub-processors, with details on location and safeguards, is available at fonea.ai/subprocessors. We do not sell personal data and do not use it for advertising purposes.

9. International Data Transfers

9.1 Persistently Stored Data

All persistently stored data (customer data, transcriptions, call summaries, metadata) is stored exclusively in Switzerland. Switzerland benefits from an EU adequacy decision and is recognised by the UK as an adequate country, so transfers of EU/UK personal data to Switzerland do not require additional safeguards.

9.2 Transient Processing

For real-time call processing, data is processed transiently — without persistent storage — on servers in Germany (EU). The relevant providers are listed in our sub-processor list at fonea.ai/subprocessors.

9.3 Safeguards

Processing by our sub-processors takes place within Switzerland or the EU/EEA. Where any provider is established outside the EEA/UK, transfers are covered by an adequacy decision or by appropriate safeguards such as EU/UK Standard Contractual Clauses (Art. 46 GDPR). Data Processing Agreements are in place with all sub-processors.

10. Retention and Deletion

We retain personal data only as long as necessary for the relevant purpose:

Data categoryRetention period
Call transcriptions and summariesPer customer configuration, default 90 days
Call metadata (date, duration, number)Per customer configuration, default 90 days
Voice recordings (if enabled)Per customer configuration, maximum 30 days
Customer (contract) dataDuration of the business relationship + statutory retention periods
Billing dataAs required by applicable accounting and tax law

Data is automatically and irreversibly deleted after the retention period expires.

11. Data Security

We implement appropriate technical and organisational measures pursuant to Art. 32 GDPR, including: encryption in transit (TLS 1.3); encryption at rest (AES-256); role-based access control with multi-factor authentication; logging of access to personal data; strict logical separation of data between customers; and regular encrypted backups.

12. Your Rights

Under the GDPR and UK GDPR you have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction of processing (Art. 18), data portability (Art. 20), and to object to processing based on legitimate interests (Art. 21). Where processing is based on consent, you may withdraw it at any time (Art. 7(3)) without affecting prior processing.

To exercise your rights, contact: privacy@fonea.ai. We will respond within one month (Art. 12(3) GDPR). We may request additional information to verify your identity.

Note for callers: If you called a business that uses fonea, that business is the controller of your data. You may contact that business directly or contact us, and we will assist as the processor.

13. Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, in particular in the EU/EEA Member State of your residence, place of work, or the place of the alleged infringement (Art. 77 GDPR). In Spain, this is the Agencia Española de Protección de Datos (AEPD, aepd.es); in the United Kingdom, the Information Commissioner's Office (ICO, ico.org.uk). As we are established in Switzerland, you may also contact the Swiss Federal Data Protection and Information Commissioner (FDPIC, edoeb.admin.ch).

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The current version is always available on our website. In the event of material changes, we will notify our customers by email.

15. Contact

kraftscale GmbH — Data Protection
Aastrasse 8
8853 Lachen SZ, Switzerland
privacy@fonea.ai