Caaisy
LoginSign up

Privacy Policy

Last updated: October 2025

1. Controller and Scope

This Privacy Policy applies to the use of all online services provided by Caaisy (mii ventures GmbH) at caaisy.com, including the web app, marketing website, and all subpages. The controller within the meaning of the GDPR is mii ventures GmbH, represented by Michael Schmitt. No data protection officer has been appointed.

2. Principles of Data Processing

We process personal data strictly in accordance with the requirements of the GDPR, the German Federal Data Protection Act (BDSG), and the Telecommunications Telemedia Data Protection Act (TTDSG). We only process data if:

  • It is necessary to fulfill a contract or to take pre-contractual steps (Art. 6(1)(b) GDPR),
  • you have given your consent (Art. 6(1)(a) GDPR), or
  • we have a legitimate interest (Art. 6(1)(f) GDPR), e.g. in the secure and efficient operation of our services.

3. Provision of Website and Web App

Our website and web app are hosted by Vercel Inc., USA (using EU-based data centers). When you access our website or app, server log data (such as IP address, browser type, and access time) is automatically processed. This processing is based on our legitimate interest in providing a secure and technically functional service (Art. 6(1)(f) GDPR). Log data is deleted after 30 days, unless security-related incidents (e.g., attack attempts, abuse cases) require longer retention.

4. User Accounts, Scheduling, and Voice Processing

To use Caaisy, you need a user account. We process the following data:

  • Account data: name, email address, phone number
  • Conversation data: audio recordings, transcripts, metadata
  • Usage data: call logs, timezone settings, scheduling preferences, and configuration data

The purpose of processing is to provide our AI-assisted scheduling and voice services. Legal basis: Art. 6(1)(b) GDPR (performance of a contract). Data is retained for the duration of the customer account and deleted 30 days after contract termination.

5. Payment Processing

Payments are handled exclusively through our partner Paddle Payments Ltd. (“Merchant of Record”). Paddle processes payment and billing data under UK and EU data protection law as an independent controller. Legal basis: Art. 6(1)(b) GDPR (performance of a contract).

6. Communication and Support

When you contact us (e.g., via email or form), we process the data you provide to handle your request (Art. 6(1)(b) GDPR).

Support emails and transactional notifications are sent via Postmark, a service provided by ActiveCampaign LLC, 1 North Dearborn Street, 5th Floor, Chicago, IL 60602, USA. Processing is carried out solely for technical communication (e.g., confirmations, system notifications) and is based on Art. 6(1)(b) GDPR. Transfers to the USA rely on the EU–US Data Privacy Framework (DPF).

Additionally, we use Novu, provided by Novu Ltd., Tel Aviv, Israel, to send product notifications. Novu processes user data (e.g., email address, user ID, notification content) on our behalf to deliver in-app or email notifications. Processing is based on Art. 6(1)(b) GDPR. If data is processed outside the EU, this is done under Standard Contractual Clauses (SCCs) in accordance with Art. 46 GDPR and appropriate technical and organizational safeguards.

7. Newsletter and Marketing

Marketing emails and newsletters are sent only with prior consent (Art. 6(1)(a) GDPR). You can unsubscribe at any time.

8. Analytics and Measurement Tools

We use Plausible Analytics, PostHog, and Vercel Analytics solely for anonymized usage and performance measurement. These tools operate without cookies and are proxied via EU servers, ensuring no direct data transfer to third countries. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in statistical analysis).

9. Cookies

We use only essential cookies — for example, to store your language preference or maintain your login session. Processing is based on Section 25(2) TTDSG in conjunction with Art. 6(1)(f) GDPR.

10. AI-Based Voice Processing

Caaisy uses AI-driven voice agents to conduct automated scheduling conversations. At the start of each call, the callee is informed, in accordance with Art. 50 of the EU AI Act, that they are interacting with an AI system. There is no automated decision-making within the meaning of Art. 22 GDPR. Responsibility for all content and outcomes remains with mii ventures GmbH.

11. Processors and Sub-Processors

We use carefully selected partners and service providers to operate our services. A current and complete list of sub-processors is available here. Data processing agreements bind all service providers in accordance with Art. 28 GDPR.

12. International Data Transfers

When personal data is transferred to third countries (e.g., the USA), we rely, depending on the provider, on the EU–US Data Privacy Framework (DPF) or the Standard Contractual Clauses (SCCs) combined with Transfer Impact Assessments (TIAs). Wherever possible, we use EU-based data centers.

13. Data Retention and Deletion

Personal data is stored only as long as necessary for its intended purpose. After contract termination, data is deleted within 30 days, unless legal retention periods apply. Backups are rotated and overwritten regularly.

14. Rights of Data Subjects

You have the right to:

  • Access (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Objection (Art. 21 GDPR)

To exercise your rights, please contact us at support@caaisy.com. Please include which rights you wish to exercise. We will confirm receipt within 7 days and respond within the deadlines set by Art. 12(3) of the GDPR.

15. Security

We apply technical and organizational measures in accordance with Art. 32 GDPR, including TLS encryption, multi-factor authentication, role-based access controls, and logging of security-related events.

16. Changes to this Privacy Policy

We reserve the right to update this Privacy Policy to reflect changes in legal or technical requirements.

Privacy Policy - Caaisy