Privacy Policy
Last updated: 18 February 2026
1. Introduction
This Privacy Policy explains how Tulvan Ltd ("Tulvan", "we", "us", or "our") collects, uses, discloses, and protects personal information when you use our AI-powered voice agent platform for property management (the "Platform").
This Privacy Policy applies to:
Property management companies, letting agents, and landlords who subscribe to our Platform ("Customers" or "Business Users").
Tenants, leaseholders, prospective tenants, and other individuals who interact with our Voice Agent by telephone or other communication channels ("End Users" or "Callers").
Visitors to our website at tulvan.com ("Website Visitors").
We are committed to protecting your privacy and processing your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the EU General Data Protection Regulation (EU GDPR), and applicable US federal and state privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and other applicable state privacy legislation.
2. Data Controller and Data Processor
2.1 When Tulvan Acts as Data Controller
Tulvan acts as the data controller for personal data collected directly from Customers and Website Visitors, including account registration information, billing details, and website analytics data.
2.2 When Tulvan Acts as Data Processor
Tulvan acts as the data processor when processing personal data on behalf of our Customers. This includes all Tenant Data processed through the Voice Agent, such as call recordings, transcripts, and maintenance request details. In this capacity, we process personal data solely on the instructions of the Customer (the data controller) and in accordance with our Data Processing Agreement.
2.3 Customer Responsibilities
Our Customers are responsible for determining the lawful basis for processing End User personal data, providing appropriate privacy notices to their tenants, and ensuring compliance with applicable data protection laws in their use of the Platform.
3. Personal Data We Collect
3.1 Data Collected from Customers (Business Users)
Account Information: Name, email address, telephone number, company name, company address, job title.
Billing Information: Payment card details (processed by our payment provider; we do not store full card numbers), billing address, VAT/tax registration numbers.
Configuration Data: Voice Agent settings, property portfolio information, staff contact details, escalation preferences, maintenance categories.
Usage Data: Login history, feature usage, API call logs, dashboard activity.
3.2 Data Collected from End Users (Tenants and Callers)
When End Users call the Voice Agent, the following personal data may be collected and processed:
Identity Information: Name as provided by the caller.
Contact Information: Telephone number (automatically captured from caller ID).
Property Information: Property address, unit number, tenancy reference.
Call Content: The substance of the conversation, including maintenance requests, complaints, enquiries, and any other information voluntarily provided by the caller.
Voice Data: Audio recordings of telephone calls (where call recording is enabled by the Customer and appropriate consent or notice has been provided).
Call Transcripts: Text transcriptions of telephone calls generated by automated speech-to-text processing.
Call Metadata: Date, time, and duration of calls; call routing information; call outcome classification.
IMPORTANT: We do not intentionally collect sensitive personal data (special category data) from End Users, including health information, racial or ethnic origin, political opinions, religious beliefs, or biometric data for identification purposes. If such data is incidentally disclosed by a caller during a conversation, it may be captured in call recordings or transcripts. Customers are responsible for configuring appropriate data handling procedures.
3.3 Data Collected from Website Visitors
Technical Data: IP address, browser type and version, operating system, device type, screen resolution.
Analytics Data: Pages visited, time spent on pages, referral source, click patterns.
Cookie Data: Information collected through cookies and similar technologies (see Section 10).
4. How We Use Personal Data
4.1 Processing Purposes and Legal Bases
We process personal data for the following purposes and on the following legal bases:
| Purpose | Description | Legal Basis (UK/EU GDPR) |
|---|---|---|
| Service Delivery | Processing calls, generating transcripts, triaging maintenance, routing escalations | Performance of contract (Art. 6(1)(b)); Legitimate interests (Art. 6(1)(f)) |
| Account Management | Managing Customer accounts, billing, authentication, support | Performance of contract (Art. 6(1)(b)) |
| Service Improvement | Analysing aggregated usage patterns to improve Voice Agent accuracy and Platform features | Legitimate interests (Art. 6(1)(f)) |
| Quality Assurance | Reviewing call recordings and transcripts for quality monitoring (when enabled by Customer) | Legitimate interests (Art. 6(1)(f)) |
| Legal Compliance | Complying with legal obligations, responding to regulatory requirements, preventing fraud | Legal obligation (Art. 6(1)(c)); Legitimate interests (Art. 6(1)(f)) |
| Safety & Emergencies | Detecting and escalating emergency situations reported by callers | Vital interests (Art. 6(1)(d)); Legitimate interests (Art. 6(1)(f)) |
| Communications | Sending service notifications, updates, and (with consent) marketing communications | Consent (Art. 6(1)(a)); Legitimate interests (Art. 6(1)(f)) |
4.2 Automated Decision-Making
The Voice Agent uses artificial intelligence to interpret caller requests and generate responses. This constitutes automated processing but does not involve automated decision-making that produces legal effects or similarly significantly affects End Users within the meaning of Article 22 of the UK GDPR/GDPR. The Voice Agent is designed to triage and log requests, not to make binding decisions regarding tenancy rights, rent obligations, or other legal matters. All substantive decisions remain with the Customer's human staff.
End Users have the right to request human intervention at any point during a call. The Voice Agent is configured to transfer calls to a human operator upon request.
5. AI Disclosure and Transparency
Tulvan is committed to transparency about the use of artificial intelligence in our Services:
AI Identification: The Voice Agent identifies itself as an AI assistant at the beginning of each telephone call. End Users are informed that they are speaking with an AI system, not a human.
Scope of AI Processing: The Voice Agent processes voice input in real-time, converting speech to text, analysing intent, generating appropriate responses, and converting text responses to speech. This processing occurs during the call and is not used for profiling or behavioural analysis of individual callers.
No Voice Biometric Processing: Tulvan does not use voice data for biometric identification or authentication purposes. Voice recordings are not analysed to identify individuals by voice characteristics.
Human Oversight: The Customer retains full control over the Voice Agent's configuration and can review all call interactions through the dashboard. The Customer is responsible for implementing appropriate human oversight processes.
6. Data Sharing and Sub-Processors
6.1 Sub-Processors
To provide the Services, we share personal data with the following categories of sub-processors. Each sub-processor processes data solely for the purpose of providing its component of the Services:
| Category | Function | Data Processed | Data Location |
|---|---|---|---|
| Telephony Provider | Call routing, connectivity, phone number provision | Phone numbers, call metadata, audio streams | US/EU (DPF Certified) |
| Speech-to-Text Provider | Real-time transcription of voice to text | Audio streams (processed in real-time, not retained) | EU endpoint |
| AI/LLM Provider | Natural language understanding and response generation | Call transcripts (processed with Zero Data Retention) | US (ZDR enabled, SOC 2 Type II) |
| Text-to-Speech Provider | Voice synthesis for agent responses | Response text (processed in real-time, not retained) | US/EU |
| Database Hosting | Storage of call logs, transcripts, tenant records | All Customer Data and Tenant Data | EU (configurable) |
A complete, up-to-date list of specific sub-processors, including company names and processing locations, is maintained at tulvan.com/sub-processors and is incorporated into our Data Processing Agreement.
6.2 Other Disclosures
We may also disclose personal data:
To professional advisers (lawyers, accountants, auditors) where necessary for the operation of our business.
To law enforcement agencies, regulatory bodies, or courts where required by applicable law or regulation, or in response to a valid legal process.
To a potential buyer, successor, or assignee in connection with a merger, acquisition, corporate reorganisation, or sale of assets, provided that the acquiring entity agrees to be bound by the terms of this Privacy Policy.
Where disclosure is necessary to protect the vital interests of any individual, including in emergency situations.
We do not sell personal data. We do not share personal data with third parties for their own direct marketing purposes.
7. International Data Transfers
Where personal data is transferred outside of the United Kingdom or the European Economic Area to a country that has not been deemed to provide an adequate level of data protection, we implement appropriate safeguards to protect the data, including:
Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) and/or the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs, as applicable.
Reliance on the EU-US Data Privacy Framework (DPF) and UK Extension to the DPF for transfers to certified US organisations, where applicable.
Binding Corporate Rules, where adopted by the relevant sub-processor.
Transfer Impact Assessments conducted in accordance with regulatory guidance to evaluate the effectiveness of the chosen transfer mechanism in light of the laws of the recipient country.
Copies of the relevant transfer safeguards are available upon request by contacting us at privacy@tulvan.com.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our standard retention periods are:
| Data Category | Retention Period | Basis |
|---|---|---|
| Call Recordings | 90 days (configurable by Customer, max 12 months) | Customer configuration; quality assurance |
| Call Transcripts | Duration of subscription + 30 days | Service delivery; Customer access |
| Call Metadata | Duration of subscription + 30 days | Analytics; billing; service delivery |
| Customer Account Data | Duration of subscription + 6 months | Account management; legal obligations |
| Billing Records | 7 years from date of transaction | Tax and accounting obligations |
| Website Analytics | 26 months | Service improvement |
Upon termination of a Customer's subscription, all Customer Data (including Tenant Data) shall be deleted within thirty (30) days unless the Customer requests data export, in which case data shall be made available for export for a period of thirty (30) days following termination and then deleted.
9. Your Rights
9.1 Rights Under UK GDPR and EU GDPR
If you are located in the United Kingdom or the European Economic Area, you have the following rights in relation to your personal data:
Right of Access (Article 15): You have the right to request a copy of the personal data we hold about you.
Right to Rectification (Article 16): You have the right to request correction of inaccurate personal data.
Right to Erasure (Article 17): You have the right to request deletion of your personal data in certain circumstances.
Right to Restriction of Processing (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances.
Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
Right to Object (Article 21): You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.
Rights Related to Automated Decision-Making (Article 22): You have the right not to be subject to a decision based solely on automated processing that produces legal effects or similarly significantly affects you.
Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.
For End Users (tenants): If you wish to exercise your rights in relation to personal data processed through the Voice Agent, please contact your property management company directly, as they are the data controller for that data. You may also contact us at privacy@tulvan.com and we will forward your request to the relevant Customer or assist in facilitating your request.
We will respond to data subject requests within one month of receipt, or within two months for complex requests (in which case we will inform you of the extension within the initial one-month period).
9.2 Rights Under US State Privacy Laws
California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:
Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting the information, and the categories of third parties with whom we share it.
Right to Delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions.
Right to Correct: You have the right to request correction of inaccurate personal information.
Right to Opt-Out of Sale/Sharing: We do not sell personal information or share it for cross-context behavioural advertising purposes. Therefore, there is no need to opt out.
Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes beyond those permitted under the CCPA/CPRA.
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
To submit a request, contact us at privacy@tulvan.com or call us at the number provided on our website. We will verify your identity before processing your request.
Virginia Residents (VCDPA)
Virginia residents have the right to access, correct, delete, and obtain a copy of their personal data, and to opt out of the processing of personal data for targeted advertising, sale, or profiling. We do not engage in these activities.
Colorado Residents (CPA)
Colorado residents have similar rights to access, correct, delete, and port their personal data, and to opt out of targeted advertising, sale, or profiling. We do not engage in these activities.
Connecticut Residents (CTDPA)
Connecticut residents have the right to access, correct, delete, and obtain a copy of their personal data, and to opt out of the processing of personal data for targeted advertising, sale, or profiling. We do not engage in these activities.
Other US States
We comply with applicable privacy legislation in all US states in which we operate. Residents of states with comprehensive privacy laws (including but not limited to Texas, Oregon, Montana, Iowa, Tennessee, Indiana, and other states that have enacted consumer privacy legislation) may exercise their applicable rights by contacting us at privacy@tulvan.com.
9.3 Appeals
If we decline to take action on your request, you have the right to appeal our decision. To appeal, please contact us at privacy@tulvan.com with the subject line "Privacy Rights Appeal". We will respond to appeals within the timeframes required by applicable law.
10. Cookies and Similar Technologies
Our website uses cookies and similar technologies. We categorise cookies as follows:
Strictly Necessary Cookies: Required for the website to function and cannot be switched off. They are usually set in response to actions you take, such as setting privacy preferences, logging in, or filling in forms.
Analytics Cookies: Allow us to measure and improve the performance of our website by counting visits and traffic sources. All analytics data is anonymised.
Functional Cookies: Enable enhanced functionality and personalisation, such as remembering your preferences.
We do not use advertising or tracking cookies. You can manage your cookie preferences through your browser settings or through the cookie banner displayed on our website.
11. Call Recording and Voice Data
11.1 Call Recording
Call recording is an optional feature that may be enabled by the Customer. When call recording is enabled:
A disclosure message is played at the beginning of the call informing the caller that the call may be recorded.
The caller is given the opportunity to request that recording be disabled for their call.
Recordings are stored securely and encrypted at rest and in transit.
Access to recordings is restricted to authorised personnel of the Customer and Tulvan support staff (only with the Customer's permission and for troubleshooting purposes).
11.2 Real-Time Voice Processing
Regardless of whether call recording is enabled, the Voice Agent processes voice data in real-time to provide the Services. This involves:
Streaming audio to our speech-to-text provider for real-time transcription. Audio is processed in real-time and is not retained by the speech-to-text provider.
Sending transcribed text to our AI language model for intent analysis and response generation. The language model processes with Zero Data Retention and does not use conversation data for model training.
Sending response text to our text-to-speech provider for voice synthesis. Response text is processed in real-time and is not retained by the text-to-speech provider.
11.3 No Voice Biometric Processing
Tulvan does not process voice data for biometric identification or authentication purposes. We do not create voiceprints, voice signatures, or any biometric identifiers from voice data. This is relevant to compliance with the Illinois Biometric Information Privacy Act (BIPA) and similar state biometric privacy laws.
12. Children's Privacy
The Platform is not intended for use by individuals under the age of eighteen (18). We do not knowingly collect personal data from children. However, children may incidentally call the Voice Agent (for example, a tenant's child calling to report a maintenance issue). In such cases, the data is processed in the same manner as any other call, and the Customer (as data controller) is responsible for determining appropriate handling.
If we become aware that we have collected personal data from a child under the age of thirteen (13) in the United States without verifiable parental consent as required by the Children's Online Privacy Protection Act (COPPA), we will take steps to delete such data promptly.
13. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include:
Encryption of data in transit using TLS 1.2 or higher.
Encryption of data at rest using AES-256 encryption.
Access controls including role-based access control (RBAC) and multi-factor authentication for administrative access.
Regular security assessments and penetration testing.
Employee security awareness training and confidentiality agreements.
Incident response procedures and data breach notification processes.
Physical security measures at our hosting facilities, including SOC 2 Type II certified data centres.
Network security controls including firewalls, intrusion detection systems, and DDoS protection.
Regular backups with secure, encrypted backup storage.
While we take all reasonable precautions, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security.
14. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals:
We will notify affected Customers without undue delay and, where feasible, within seventy-two (72) hours of becoming aware of the breach, in accordance with Article 33 of the UK GDPR/GDPR and the terms of the Data Processing Agreement.
The notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
Where the breach is likely to result in a high risk to individuals, we will assist the Customer in complying with its obligation to notify affected individuals under Article 34 of the UK GDPR/GDPR.
For US operations, we will comply with applicable state data breach notification laws, which generally require notification to affected individuals within thirty (30) to sixty (60) days, depending on the state.
15. Supervisory Authorities and Complaints
If you believe that our processing of your personal data infringes applicable data protection laws, you have the right to lodge a complaint with a supervisory authority:
United Kingdom: Information Commissioner's Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Website: ico.org.uk. Telephone: 0303 123 1113.
European Union: The supervisory authority of the EU Member State in which you reside or work, or where the alleged infringement took place.
United States: The relevant state Attorney General's office for state privacy law complaints, or the Federal Trade Commission (FTC) for federal privacy concerns.
We encourage you to contact us first at privacy@tulvan.com so that we can address your concerns directly.
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
Post the updated Privacy Policy on our website with a new "Last Updated" date.
Notify Customers by email at least thirty (30) days before material changes take effect.
Where required by applicable law, obtain your consent to material changes.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data.
17. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about our data practices, please contact us:
Tulvan Ltd
Data Protection Enquiries
Email: privacy@tulvan.com
Website: https://tulvan.com
For data protection specific enquiries, you may also contact our Data Protection Officer at: dpo@tulvan.com