Privacy Policy

Last updated: April 2026

This Privacy Policy explains how [Company Name] ("Risala", "we", "us", "our") collects, uses, stores, and protects personal data when you use the Risala platform at risala.tech (the "Service"). It applies to anyone whose personal data we hold — workspace administrators, team members, and individuals captured in the call recordings our customers upload.

1. Who we are

Risala is operated by [Company Name], a company registered in Dubai, United Arab Emirates. For data-protection enquiries please contact privacy@risala.tech.

2. Our role under data-protection law

Risala plays two roles depending on whose data is being processed:

  • Controller — for data we collect directly about workspace administrators and team members (account email, name, billing details, login activity, IP address).
  • Processor — for the call recordings, transcripts, and AI analysis that our customers upload or capture using Risala. The customer is the Controller of that content; we process it on their instructions under our Data Processing Agreement (see DPA).

3. What we collect

Account data: name, work email, password hash, workspace name, role, time-zone, billing email, payment-method details (held by Stripe — we never see card numbers).

Usage data: sign-in logs, IP address, browser type, page-view telemetry, error traces. Used to keep the Service secure and to debug issues.

Customer content: uploaded audio, generated transcripts, AI analysis output, custom metric definitions, follow-up notes. Held strictly inside the customer's workspace; we do not access it except as needed to operate the Service or as instructed by the customer.

Cookies and similar technologies: see our Cookie Policy.

4. Lawful bases (UK / EU GDPR)

  • Contract — to provide and bill for the Service you signed up to.
  • Legitimate interest — securing the platform, detecting abuse, improving features.
  • Consent — for non-essential cookies and any optional marketing emails.
  • Legal obligation — tax, accounting, regulatory record-keeping.

5. Sub-processors

We use vetted sub-processors to deliver the Service. Each is bound by data-protection terms equivalent to ours.

  • Google Firebase (authentication, Firestore, Cloud Storage, App Hosting) — Ireland / EU
  • Deepgram (speech-to-text transcription) — United States
  • OpenAI (LLM-based analysis) — United States
  • Anthropic (LLM-based analysis) — United States
  • Stripe (payment processing) — Ireland / United States
  • Resend (transactional email) — United States

We will give customers reasonable advance notice of changes to this list via email or an in-app banner.

6. AI processing

Call audio and transcripts are sent to Deepgram, OpenAI, and Anthropic for transcription and analysis. We have configured these providers so that:

  • Submitted content is not used to train their underlying models.
  • Content is retained by the provider only for the minimum period needed to return a result, then deleted.
  • Transit is over TLS, and the provider stores content encrypted at rest.

7. International transfers

Some sub-processors are located outside the UK / EU (notably the United States). Where personal data is transferred internationally we rely on Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, supplemented by technical measures (encryption in transit and at rest).

8. Retention

  • Account data — for as long as the workspace is active, plus 90 days after closure.
  • Call recordings, transcripts, and analyses — per the customer's configured retention. Deleted within 30 days of workspace termination.
  • Billing records — 7 years (statutory accounting requirement).
  • Security logs — 12 months.

9. Your rights

Subject to applicable law (UK GDPR, EU GDPR, UAE PDPL) you can ask us to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete data (the "right to be forgotten"), subject to legal retention rules.
  • Restrict or object to certain processing.
  • Receive a portable copy of your data.
  • Withdraw consent for any processing based on consent.

If your data is held inside a customer's Risala workspace (e.g. you appear in a call recording), please raise the request with that customer first — we will assist them as their Processor.

You can also lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) or your local data-protection authority.

10. Security

  • TLS 1.2+ for all traffic.
  • Encryption at rest for recordings, transcripts, and database content.
  • Workspace-scoped access controls — no cross-tenant reads.
  • Audit logging for administrative actions.
  • Multi-factor authentication available on every account.
  • Internal access on a least-privilege basis.

11. Breach notification

In the event of a personal-data breach affecting customer content, we will notify affected workspace administrators without undue delay and within 72 hours of becoming aware, in line with UK / EU GDPR requirements. The notification will set out what happened, the data affected, our remediation steps, and a contact for follow-up questions.

12. Changes to this policy

We may update this policy from time to time. Material changes will be communicated by email to workspace administrators and via an in-app banner at least 14 days before taking effect.

13. Contact

Privacy enquiries: privacy@risala.tech
Legal: legal@risala.tech