On this page
- Who we are
- Scope of this policy
- Data we collect
- How we use your data
- AI processing and automated decisions
- Call recording and voice AI
- When Talitu acts as a processor
- Legal bases for processing
- Who we share data with
- Google API limited use
- Cookies & tracking
- Sensitive information
- How long we keep data
- International transfers
- US privacy rights
- Sensitive and special-category data
- Your rights
- Security
- Children
- Additional notices
- Changes to this policy
- Contact & complaints
1. Who we are
This policy explains how Talitu Ltd. (“Talitu”, “we”, “us”, “our”) handles personal data. Talitu Ltd. is a company registered in United Kingdom (company number 10295016), with registered office at 483 Green Lanes, London N13 4BS.
Talitu operates AI teammates and related services for professional services firms (for example accounting, insurance, consulting, wealth and advisory firms) and similar businesses. Depending on the context, Talitu acts in one of two roles in relation to personal data:
- As a controller — when you visit our website, book a call, contact us, or otherwise interact with Talitu directly.
- As a processor — when we operate AI teammates and related systems on behalf of a Business Client (such as a clinic). In those cases the Business Client is the controller of their customers’ personal data and we process it under their instructions and our agreement with them.
Data protection contact: privacy@talitu.com.
2. Scope of this policy
This policy covers personal data that Talitu collects and processes as a controller, including data of website visitors, prospective customers, Business Clients, affiliates and others who interact with Talitu directly. It applies to visitors and customers in the United Kingdom, the European Economic Area, the United States, and other regions where Talitu does business.
Where Talitu operates AI teammates, communications systems and workflow automation on behalf of a Business Client, our handling of that data is governed by our agreement with that Business Client. Please refer to that business’s own privacy notice for the controller-level disclosures that apply to its customers and clients. The “When Talitu acts as a processor” section below explains that arrangement in more detail.
3. Data we collect
| Category | Examples |
|---|---|
| Identity & contact | Name, email address, phone number, business name. |
| Business enquiry | Clinic or business type, what you’d like help with, fit and goal answers, and details you share when booking a call or engaging our services. |
| Account | Login details and settings, where an account is created. |
| Usage & technical | IP address, device and browser type, pages viewed, referring source, and similar data collected through cookies and analytics. |
| Communications | Messages, enquiries and correspondence you send us by email, web form, chat, phone or other channels. |
| Customer interaction data | For Business Clients and where we operate AI teammates: inquiry details, appointment requests, communication history, lead status and similar records generated through customer-facing AI teammate interactions. |
| AI interaction data | Conversation transcripts, AI-generated summaries, classifications, recommendations and operational metadata produced by AI teammates as they handle interactions. |
| CRM data | Where AI teammates connect to a Business Client’s CRM: notes, tags, pipeline stages, booking history and related records used or updated by the AI teammates. |
| Voice and recording data | Where voice-based AI teammates are used: call audio, transcriptions and related metadata, subject to the disclosures and consents described below. |
| Billing | Billing contact and transaction records for Business Clients. Card details are handled by our payment providers; we do not store full card numbers. |
4. How we use your data
- To respond to enquiries, schedule and conduct calls, and deliver the Services you or your business ask for.
- To operate AI teammates, communications systems and workflow automation for Business Clients under their instructions.
- To create and manage accounts, process payments and provide support.
- To send service messages and, where permitted, relevant marketing.
- To monitor, analyse, improve and secure our Services, including the performance of AI teammates.
- To prevent fraud, misuse and abuse of the Services.
- To comply with legal, accounting and regulatory obligations.
5. AI processing and automated decisions
Talitu uses AI systems and third-party AI service providers to deliver the Services, including responding to enquiries, summarising and classifying information, supporting appointment workflows, generating communications and automating routine tasks. These systems may process information you provide directly to Talitu and information submitted by or on behalf of Business Clients.
AI systems may operate automatically and may involve human review where appropriate. AI outputs can contain inaccuracies, omissions or unexpected results and are not a substitute for professional, legal, financial or other regulated advice.
Automated processing. Talitu may use automated systems to classify enquiries, route communications, trigger workflows and generate recommendations or suggested responses. Where Talitu acts as a processor for a Business Client, final business decisions (including any decisions that produce legal or similarly significant effects on individuals) remain the responsibility of that Business Client.
Solely automated decisions with legal effect. Talitu does not, as controller, take decisions about you that are based solely on automated processing and that produce legal or similarly significant effects on you, except where allowed by law and with appropriate safeguards.
6. Call recording and voice AI
Where Talitu provides voice-based AI teammates, calls, voice interactions and related communications may be recorded, transcribed or analysed for service delivery, quality assurance, training, security and improvement purposes.
Where required by law, individuals will be notified at the start of a call that the call may be recorded or handled by an AI system, and given an opportunity to decline or request a human alternative where one is available. In jurisdictions that require the consent of all parties to a recording (for example, certain US states), Talitu and Business Clients will follow the applicable consent requirements.
Business Clients using voice-based AI teammates are responsible for ensuring that their use of recording and voice AI complies with applicable telephone, recording, wiretap and consumer-protection laws in the regions where they and their customers are located.
7. When Talitu acts as a processor
When Talitu operates AI teammates and related systems on behalf of a Business Client, Talitu generally acts as a data processor for the personal data of that Business Client’s customers and prospects. Talitu processes that data only under the Business Client’s documented instructions and our agreement with that Business Client.
Data processing agreements. Where required by law, Talitu enters into data processing agreements (DPAs) with Business Clients that govern processor obligations, including confidentiality, security, sub-processor management, assistance with data-subject rights, breach notification and return or deletion of data at the end of the engagement.
If you are a customer or prospect of a Business Client and you want to exercise your rights in relation to data the Business Client has shared with us, please contact that Business Client first. We will support them in responding to your request.
8. Legal bases for processing
Where Talitu acts as a controller, we rely on the following legal bases under UK GDPR and EU GDPR:
- Contract — to provide the Services you or your business request.
- Legitimate interests — to run, secure and improve our business, develop new features, prevent misuse, and grow the business, where these interests are not overridden by your rights and interests.
- Consent — for non-essential cookies, certain marketing communications, and other processing requiring consent; you can withdraw consent at any time.
- Legal obligation — to meet our legal, accounting and regulatory duties.
Where Talitu acts as a processor (see section 7), the legal basis for processing is set by the Business Client who acts as controller.
9. Who we share data with
We share personal data with:
- Service providers and sub-processors who help us operate Talitu (hosting, CRM, messaging and telephony, AI model and voice providers, analytics, advertising, video, email and payments). Each acts under our instructions and a written data processing agreement or its equivalent. We keep the current list of these providers, what they do and where they are based, on our Sub-processors page, which we update as our stack changes.
- Business Clients, where the data relates to services we deliver for them (for example, a referrer who introduced them through our affiliate program).
- Professional advisers, such as legal and accounting advisers.
- Authorities, where required by law or to protect our rights.
- A buyer or successor, in connection with a business sale or reorganisation.
We do not sell your personal data and we do not share your personal data for cross-context behavioural advertising in a way that would constitute a “sale” or “share” under US state privacy laws (see section 15 below).
10. Google API limited use
Some Talitu Services connect to Google services (for example Gmail, Google Calendar or Google Drive) using Google APIs, where you or a Business Client choose to connect a Google account. Talitu’s use and transfer of information received from Google APIs follows the Google API Services User Data Policy, including its Limited Use requirements.
In particular: we only use Google user data to provide and improve the features you have connected; we do not use Google Workspace data to train generalised AI or machine-learning models; we do not sell Google user data; we do not transfer it to others except to provide the Services, comply with the law, or protect security, and then only under confidentiality terms; and we do not allow anyone to read Google user data unless you have given affirmative consent for specific items, it is needed for security or abuse investigation, it is required by law, or the data has been aggregated and anonymised.
11. Cookies & tracking
We use cookies and similar technologies to operate the website, remember preferences, measure performance and, where you consent, support advertising. You can manage your preferences through our cookie banner and your browser settings. Full detail is in our Cookie Policy.
Browser signals. Some browsers can send a “Do Not Track” (DNT) signal or a Global Privacy Control (GPC) signal. There is no common industry standard for DNT, so our website does not currently respond to DNT signals. Where US state law treats an opt-out preference signal such as GPC as a valid request, we will treat a GPC signal from your browser as a request to opt out of any “sale” or “sharing” of personal information and of targeted advertising for that browser or device.
12. Sensitive information
Talitu does not intentionally request sensitive information through its website. However, Business Clients and their customers may submit information that could include financial details, identification documents or other sensitive information during the operation of AI teammates or related Services (for example, when a prospective client describes their situation or the service they are interested in).
Where this happens, Talitu processes such information only as necessary to deliver the Services and in accordance with the Business Client’s instructions and the applicable agreement (see also “Sensitive and special-category data” below). Business Clients are responsible for ensuring that they have all required rights, notices and consents to provide such information to Talitu.
Please do not send Talitu detailed sensitive or financial information unless it is necessary for the Services you are using. If sensitive information is shared with us by mistake, we will delete it on request.
13. How long we keep data
We keep personal data only as long as needed for the purposes set out here, including to meet legal, accounting and reporting requirements. Indicative retention periods (which may vary depending on the agreement with the Business Client, the category of data and legal obligations):
| Data type | Indicative retention |
|---|---|
| Website enquiries and call bookings | Up to 36 months from the last interaction. |
| Business Client account data | Duration of the relationship, plus any legally required period. |
| AI conversation transcripts and interaction logs | As needed to deliver the Services and as set out in the relevant Business Client agreement; typically deleted or anonymised on termination of the engagement. |
| Call recordings and voice transcripts | As needed for service delivery and as set out in the Business Client agreement; typically deleted within a defined window unless a longer period is required for legal or safety reasons. |
| CRM data | Held in the Business Client’s CRM and retained per the Business Client’s own policy. |
| Billing and transaction records | For as long as required by tax, accounting and statutory rules. |
| Marketing communications | Until consent is withdrawn or the contact becomes inactive. |
When data is no longer needed, we delete or anonymise it.
14. International transfers
Talitu is based in the United Kingdom but works with service providers and customers in multiple regions, including the European Economic Area and the United States. Some service providers (in particular AI model providers and global cloud infrastructure) may process personal data across multiple jurisdictions.
Where personal data is transferred outside the UK or EEA, we put appropriate safeguards in place, such as UK or EU approved standard contractual clauses, the UK Addendum, adequacy decisions where they apply, or other lawful transfer mechanisms. For US-based providers, transfers are made under the relevant approved mechanisms, including (where applicable) the EU-US Data Privacy Framework and the UK Extension.
15. US privacy rights
This section applies if you are a resident of a US state with a comprehensive privacy law, including California (CCPA / CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA) and other states with similar laws.
Subject to applicable state law, you may have the right to:
- Know what personal information we collect, use, disclose and retain about you.
- Access a copy of your personal information.
- Correct inaccurate personal information.
- Delete personal information we hold about you, subject to exceptions allowed by law.
- Opt out of the sale or sharing of your personal information for targeted advertising, profiling for decisions producing legal or similarly significant effects, and (in California) the use or disclosure of sensitive personal information for purposes beyond those allowed without further consent.
- Limit our use of sensitive personal information, where applicable.
- Non-discrimination — we will not deny services, charge different prices or provide a different level of service because you exercised your privacy rights.
- Appeal a refused request, where the applicable state law provides an appeal mechanism.
To exercise these rights, contact us at privacy@talitu.com. You may use an authorised agent to submit a request on your behalf, subject to verification.
Talitu does not sell personal information for money, and does not knowingly “sell” or “share” personal information of any individual under 16 years of age. Where applicable, you can submit a Do Not Sell or Share My Personal Information request at privacy@talitu.com.
California residents may also request information about categories of personal information disclosed to third parties for those third parties’ direct marketing purposes (“Shine the Light” request). Talitu does not currently disclose personal information to third parties for their own direct marketing.
Categories of personal information (California). In the last 12 months we have collected the following categories of personal information, as defined by the CCPA. We collect these from you directly, from your use of our website, and from Business Clients. We disclose them to the types of recipient listed in “Who we share data with” for the business purposes described in this policy, and we do not sell them.
| CCPA category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email, phone, IP address, account identifiers | Yes |
| Customer records | Billing contact and transaction records | Yes |
| Commercial information | Services enquired about or purchased | Yes |
| Internet or network activity | Pages viewed, referring source, and interactions with our site and AI teammates | Yes |
| Geolocation data | Approximate location derived from IP address | Yes |
| Audio or electronic information | Call recordings and transcripts, where voice AI is used | Yes |
| Professional or employment information | Business name, role and similar details you provide | Yes |
| Inferences | AI-generated summaries, classifications and lead status | Yes |
| Sensitive personal information | Only if a Business Client’s customer provides it during the Services; not requested by us | Limited |
We keep each category for the periods set out in “How long we keep data” and use it only for the purposes described in this policy.
16. Sensitive and special-category data
Some Business Clients handle sensitive personal data about their own clients, such as financial information, identification documents or, in limited cases, special-category data under UK and EU data-protection law. Where Talitu processes such data on a Business Client’s behalf, it does so only as a processor, on the Business Client’s documented instructions and under the data processing terms in the applicable agreement.
Business Clients are responsible for identifying any special-category or otherwise sensitive data they ask Talitu to process, for establishing a lawful basis and any additional conditions required for that processing, and for providing all required notices and consents to the individuals concerned before the data is shared with Talitu.
17. Your rights
Subject to applicable law, you may have the right to: access your personal data; correct inaccurate data; request erasure; restrict or object to processing; data portability; and withdraw consent where processing is based on consent. US-state- specific rights are set out in section 15, and sensitive and special-category data is addressed in section 16.
To exercise any of these rights, contact us at privacy@talitu.com or use our contact page. You will not usually be charged, and we will respond within the time required by law. We may need to verify your identity before acting on a request.
Where Talitu acts as a processor, please contact the Business Client (the controller) first; we will support them in responding.
18. Security
We take reasonable technical and organisational measures to protect personal data, including access controls, encryption in transit, vendor due-diligence and incident response procedures. No method of transmission or storage is completely secure, so we cannot guarantee absolute security, but we work to protect your data and to respond appropriately to any incident.
19. Children
The Services are intended for users aged 18 and over. We do not knowingly collect personal data from children. If you believe a child has provided us with data, please contact us so we can remove it. This applies equally to the children’s privacy protections of US state laws and the UK / EU children’s data rules.
20. Additional notices
Some Services or products may have their own privacy notice or data processing terms (for example, the terms in an agreement with a Business Client, or a notice given when you sign up for a specific feature). Where one of those applies and conflicts with this policy, the specific notice or agreement applies for that Service. This policy and our Cookie Policy otherwise set out how we handle personal data.
21. Changes to this policy
We may update this policy from time to time. The “last updated” date shows when changes took effect. Material changes will be notified where reasonably practicable.
22. Contact & complaints
For privacy questions or to exercise your rights, contact privacy@talitu.com or use our contact page.
If you are in the United Kingdom and are unhappy with how we handle your data, you can complain to the Information Commissioner’s Office (ICO) at ico.org.uk. If you are in the European Economic Area, you may complain to your local supervisory authority. If you are a US resident and your state privacy law provides a right of appeal or a complaint mechanism (for example, the California Privacy Protection Agency or your state attorney general), you may contact that authority. We would appreciate the chance to address your concerns first.
EU and UK representatives. Talitu is established in the United Kingdom, and the Information Commissioner’s Office (ICO) is our supervisory authority. If you are in the EEA and have a concern we cannot resolve, you may also contact your local supervisory authority.