Legal

Privacy Policy

How Twenty2 collects, processes, and protects your data across our AI-powered voice automation platform. Governed by the DPDP Act, 2023 and the Information Technology Act, 2000.

Your Data, Your Control

Encrypted end-to-end

TLS 1.2+ in transit, AES-256 at rest. Role-based access and multi-factor authentication across the platform.

Consent-first by design

We never infer consent from silence. Withdraw anytime from your dashboard, and we act on it within 30 days.

72-hour response

Any grievance or data request is acknowledged within 72 hours and resolved within 30 calendar days.

01Introduction & Scope

Twenty2 ("Company", "We", "Us") operates an AI-powered voice automation platform enabling businesses to build and deploy intelligent voice agents. This Privacy Policy ("Policy") governs how We collect, process, store, transfer, and disclose personal data of Users ("You") in connection with the Services.

This Policy applies to platform access, website usage, AI calling services, APIs, dashboards, and all third-party integrations. It is an electronic record under the Information Technology Act, 2000 and Rule 3(1)(a) of the IT (Intermediary Guidelines) Rules, 2021, and must be read alongside our Terms of Service.

By accessing or using the Services, You expressly consent to the practices described herein. If You do not agree, You must discontinue use of the Services.

02Key Definitions

  • Personal Data — Any information identifying or identifiable to a natural person, including Sensitive Personal Data (SPDI).
  • Data Principal — The natural person to whom personal data relates (DPDP Act, 2023).
  • Call Data — Recordings, transcripts, AI summaries, sentiment scores, and call metadata.
  • AI Assistant — An AI-powered voice agent configured and deployed by a User through the platform.
  • Processing — Any operation on personal data including collection, storage, use, disclosure, or deletion.
  • Third-Party Integrations — External APIs and platforms connected to the Services (telecom carriers, NBFCs, CRMs, payment processors).

03Information We Collect

3.1 Account & Registration Data

  • Name, email, phone number, business details, and account credentials.
  • Billing information and GST details (payment card data is processed by PCI-DSS compliant third parties).

3.2 Call Data & Voice Interaction Data

  • Audio recordings of calls (subject to User-obtained consent from call recipients).
  • AI-generated transcripts, sentiment scores, summaries, and campaign analytics.
  • Caller and recipient phone numbers, call duration, timestamps, and disposition data.

3.3 User Content

  • Scripts, prompts, knowledge base documents, and phone number lists uploaded by Users.
  • AI assistant configuration parameters and deployment settings.

3.4 Technical & Usage Data

  • IP address, browser type, device identifiers, and session tokens.
  • Feature usage patterns, API logs, and platform interaction analytics.
  • Cookies and similar tracking technologies (see Section 9).

04Purpose of Processing

We process personal data only for the following specified purposes:

  • Providing, operating, and improving AI-based calling and automation Services.
  • Processing, transcribing, and analysing voice calls to generate AI-powered insights.
  • AI model operation — Call Data used for model training is aggregated and anonymised unless explicit consent is obtained.
  • Account management, billing, payment processing, and subscription administration.
  • Customer support, grievance redressal, and dispute resolution.
  • Security monitoring, fraud detection, and prevention of prohibited activity.
  • Regulatory and legal compliance under the DPDP Act, IT Act, and applicable Indian law.
  • Marketing and service communications, where consent has been obtained.
  • Automated decision-making (e.g., call routing, sentiment-based escalation) — human review available on request where decisions produce significant effects.

05Legal Basis for Processing

  • Consent: For Sensitive Personal Data, call recording, marketing communications, and AI model training using identifiable data.
  • Contractual Necessity: For account provisioning, service delivery, and payment processing.
  • Legitimate Interests: For security monitoring, fraud prevention, and platform analytics, subject to a balancing assessment.
  • Legal Obligation: To comply with the DPDP Act, IT Act, court orders, and regulatory directions.

06Consent Mechanism

Consent is obtained through an affirmative act (e.g., checkbox or confirmation button) and is never inferred from silence or inaction. Prior to collection, We provide a clear notice of: the data categories sought, the purposes of processing, and the right to withdraw.

Users are solely responsible for obtaining valid consent from call recipients for recording and automated AI interactions, in compliance with applicable telecom and data protection laws.

Consent may be withdrawn at any time via account dashboard settings or by written request to the Grievance Officer. Withdrawal does not affect the lawfulness of prior processing. The Company shall give effect to withdrawal requests within thirty (30) days.

07Data Sharing & Third Parties

We do not sell, rent, or trade personal data. Data may be shared only in the following circumstances:

  • Service Providers: Telecom carriers, cloud hosting providers, AI model providers, payment processors, and analytics platforms — bound by confidentiality and data processing agreements.
  • Third-Party Integrations: Where Users activate integrations (NBFCs, CRMs, HR platforms), data flows under the User's direction. Users must review such third parties' own privacy notices.
  • Business Transfers: In mergers, acquisitions, or asset sales, data may be transferred to a successor entity subject to equivalent obligations.
  • Legal Disclosure: To law enforcement, regulators, or courts where required by applicable law.
  • Anonymised Data: De-identified, anonymised data may be shared for research or benchmarking without restriction.

08Data Retention

Data TypeRetention Period
Account DataDuration of active relationship + 3 years post-closure
Call Data & Transcripts12 months from call date, unless extended by User settings or legal requirements
Financial Records7 years per applicable Indian tax law
Consent Records3 years post-processing
Inactive AccountsMay be deleted following 3 consecutive years of inactivity

Upon expiry of retention periods or receipt of a valid deletion request, data shall be securely deleted or irreversibly anonymised within thirty (30) days, subject to legal hold obligations.

09Cookies & Tracking Technologies

We use strictly necessary, performance, functional, and (with consent) marketing cookies. Users are presented with a consent notice on first access and may manage preferences via cookie settings at any time. Disabling non-essential cookies will not affect core platform functionality. Third-party cookies placed by embedded analytics or advertising providers are subject to those providers' own policies.

10Data Security Measures

We implement technical and organisational safeguards including TLS 1.2+ encryption in transit, AES-256 encryption at rest, role-based access controls, multi-factor authentication, web application firewalls, regular penetration testing, and mandatory data protection training for personnel. All third-party processors are bound by equivalent security obligations.

Notwithstanding the foregoing, no system is entirely secure. In the event of a personal data breach likely to cause risk to Data Principals, We shall notify the competent authority and affected Users in accordance with the timelines prescribed under the DPDP Act. Users must notify the Grievance Officer immediately upon becoming aware of suspected unauthorised access.

11Rights of Data Principals

Subject to applicable law, Data Principals may exercise the following rights by written request to the Grievance Officer. Requests are acknowledged within seventy-two (72) hours and resolved within thirty (30) days.

  • Access & Information: Obtain confirmation and a summary of personal data processed and third parties with whom it is shared.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion when data is no longer necessary, consent is withdrawn, or processing is unlawful — subject to legal retention obligations.
  • Portability: Receive data in a structured, machine-readable format or have it transferred to a designated fiduciary, where technically feasible.
  • Withdraw Consent: Withdraw consent for any consent-based processing at any time.
  • Nomination: Nominate another individual to exercise rights in case of death or incapacity (DPDP Act, 2023).
  • Escalation: Escalate unresolved complaints to the Data Protection Board of India, once constituted.

12Cross-Border Data Transfers

The Services are hosted on cloud infrastructure that may involve cross-border transfer of personal data. Subject to the DPDP Act and any notifications issued by the Central Government, We ensure such transfers occur only to jurisdictions with adequate protection or under appropriate contractual safeguards (including standard contractual clauses). Third-party AI model providers and telecom partners may process data in their own data centres; they are contractually required to maintain standards equivalent to applicable Indian law.

13Children's Data

The Services are intended solely for persons aged eighteen (18) years or above. We do not knowingly collect personal data of minors. Users are strictly prohibited from using the platform to target or collect data from individuals below the age of eighteen. If We become aware of inadvertent collection of a minor's data, such data shall be deleted immediately and the Grievance Officer notified.

14Limitation of Liability

To the maximum extent permitted by applicable law, the Company's aggregate liability arising from or in connection with this Policy shall not exceed the amount paid by the User in the one (1) month preceding the claim. The Company shall not be liable for: (a) breaches attributable to User failure to safeguard credentials; (b) data practices of third-party integrations; (c) User failure to obtain requisite consents from call recipients. Nothing herein limits liability for fraud or wilful misconduct.

15Changes to This Policy

We reserve the right to update this Policy at any time. Material changes (including changes to data categories, processing purposes, or User rights) will be notified via platform dashboard notice or email at least seven (7) days prior to taking effect. Continued use of the Services after the effective date constitutes acceptance of the revised Policy. The English-language version shall prevail in the event of any conflict between translated versions.

16Grievance Officer

In accordance with the DPDP Act, 2023 and Rule 5(9) of the IT (Intermediary Guidelines) Rules, 2021, the following officer has been designated to address complaints and data-related requests:

Name
Sunil Kumar
Designation
Grievance Officer
Email
[email protected]
Address
416, Phase-III, Udyog Vihar, Gurgaon, Haryana-122002

Complaints are acknowledged within seventy-two (72) hours and resolved within thirty (30) calendar days. Unresolved grievances may be escalated to the Data Protection Board of India, once constituted.