Privacy Policy
Effective date: 2026-07-13 · Aura Media Studios LLC
This Privacy Policy describes how Aura Media Studios LLC ("Aura Media Studios," "we," "us," or "our") collects, uses, discloses, and protects personal information in connection with Magic Receptionist (the "Service"). This policy applies to our customers ("Customers"), their callers and end users ("Callers"), and visitors to magicreceptionist.com ("Visitors").
By using the Service or visiting our website, you acknowledge the practices described in this policy. This policy is incorporated into and governed by our Terms of Service, and our use of data is also subject to our Acceptable Use Policy.
1. Information We Collect
1.1 Information from Customers. When a business subscribes to the Service, we collect: business name, primary contact name, email address, phone number, billing address, payment method details (processed via Stripe), assigned phone numbers, and configuration preferences including greeting scripts, routing rules, and intake form definitions.
1.2 Information from Callers. When a Caller contacts a Customer through a number managed by the Service, we collect: call audio recordings, automated transcripts of the conversation, Caller-supplied details provided during the call (name, contact information, reason for calling, vehicle or property details, appointment preferences, insurance or intake information), caller phone number (via caller ID), call metadata (date, time, duration, routing outcome), and voice biometric patterns processed transiently for speech recognition.
1.3 Information from Visitors. When you visit magicreceptionist.com, we collect: IP address, browser type and version, device information, pages visited, referring URLs, and standard server logs. We may use privacy-friendly analytics to understand aggregate usage patterns.
1.4 Sensitive information. The Service may incidentally collect sensitive information provided voluntarily by Callers during intake, including health-related details (for medical and medspa customers), financial details, and government identification numbers. We process such information only as necessary to provide the Service and in accordance with Customer configuration. See Section 8 (HIPAA) for information regarding health data.
2. How We Use Information
We use the information we collect to:
- Provide, operate, and maintain the Service, including answering calls, transcribing conversations, capturing leads, and routing calls;
- Process payments and manage subscriptions;
- Provide customer support and respond to inquiries;
- Detect, prevent, and address fraud, abuse, and security issues;
- Improve the Service through aggregated analytics, model training on de-identified data, and quality assurance;
- Comply with legal obligations and respond to lawful requests from authorities;
- Communicate with Customers about service updates, billing, and policy changes.
We do not use Caller personal information for our own independent commercial purposes beyond providing the Service to the Customer. Callers are the end users of our Customers, and their data is processed on behalf of and under the direction of the Customer.
3. Legal Bases for Processing (GDPR)
For individuals in the European Economic Area, the United Kingdom, and Switzerland, we process personal information under the following legal bases:
- Performance of a contract: Processing necessary to provide the Service to Customers under our Terms of Service;
- Legitimate interests: Processing for fraud prevention, security, service improvement, and network operations, balanced against individuals' rights;
- Legal obligation: Processing to comply with applicable laws, including tax and recordkeeping requirements;
- Consent: Processing based on consent where applicable, including for optional analytics or marketing, which may be withdrawn at any time.
4. Data Retention
We retain personal information only as long as necessary to fulfill the purposes described in this policy and as required by law. The following retention schedule applies:
- Call audio recordings: 90 days from the date of the call, after which they are automatically and permanently deleted unless the Customer has contracted for extended retention.
- Call transcripts: 90 days from the date of the call, after which they are automatically and permanently deleted unless the Customer has contracted for extended retention.
- Lead and intake data: Retained indefinitely for the duration of the Customer's subscription and beyond, as this data constitutes the Customer's business records. Customers may export or delete lead data at any time through the administrative dashboard. Lead data is deleted within ninety (90) days of account termination if the Customer has not exported it.
- Billing data: 7 years to comply with tax and financial recordkeeping requirements. This includes invoices, payment records, and transaction history.
- Account and configuration data: Retained for the duration of the subscription and deleted within ninety (90) days of termination, except for records required for legal, tax, or security purposes.
- Server and analytics logs: 12 months, after which they are automatically deleted or anonymized.
Where Aura Media Studios is required by law to retain data beyond these periods (e.g., pursuant to a legal hold or government order), we will retain only what is legally required and delete it once the obligation expires.
5. Data Subject Rights (GDPR & CCPA)
Individuals located in the European Economic Area, United Kingdom, Switzerland, and California have specific rights regarding their personal information. Depending on jurisdiction, these rights may include:
- Right of access: Request a copy of the personal information we hold about you;
- Right to deletion (erasure): Request that we delete your personal information, subject to legal retention obligations;
- Right to rectification: Request correction of inaccurate or incomplete personal information;
- Right to data portability: Receive your personal information in a structured, machine-readable format and transmit it to another controller;
- Right to object: Object to processing based on legitimate interests or for direct marketing;
- Right to restrict processing: Request that we limit processing of your personal information under certain circumstances;
- Right to opt out of sale or sharing (CCPA): Californians may opt out of the "sale" or "sharing" of their personal information. See Section 6 below;
- Right to withdraw consent: Where processing is based on consent, withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at privacy@auramediastudios.com. We will respond within thirty (30) days, or as otherwise required by applicable law. We may request information to verify your identity before processing a request. If you are a Caller, please note that some of your data may be controlled by the Customer (the business you called); we may direct you to that Customer for certain requests.
Authorized agents. You may authorize an agent to submit requests on your behalf. We require the agent to provide proof of authorization and may still verify your identity directly.
Non-discrimination. We will not discriminate against you for exercising your privacy rights.
6. "Do Not Sell or Share My Personal Information" (CCPA)
Under the California Consumer Privacy Act (CCPA), California residents have the right to opt out of the "sale" or "sharing" of their personal information. Aura Media Studios does not sell personal information for monetary consideration.
However, we may "share" personal information within the meaning of the CCPA when we disclose data to our service providers and subprocessors for the purpose of providing the Service, as described in Section 7. To opt out of such sharing, contact privacy@auramediastudios.com with the subject line "CCPA Opt-Out." We do not knowingly share the personal information of Callers for cross-context behavioral advertising.
If you are under sixteen (16) years of age, you must have a parent or guardian opt out on your behalf. We do not knowingly collect personal information from children under thirteen (13); see Section 12 (Children's Privacy).
7. Service Providers & Subprocessors
We use third-party service providers and subprocessors to deliver and support the Service. These providers process personal information only on our behalf and under written agreements that require appropriate security and confidentiality. Our current subprocessors are:
- Cloudflare, Inc. — Web hosting, content delivery network (CDN), edge compute, D1 database, and R2 object storage. Data is processed in the EU/US edge network. Cloudflare Privacy Policy.
- VAPI Inc. (or its operating entity) — Voice AI infrastructure including call orchestration, speech recognition, text-to-speech, and call handling. VAPI uses in-call large language models to conduct conversations. VAPI Privacy Policy.
- WorkOS, Inc. — Authentication and identity management for administrative access to the Service. WorkOS Privacy Policy.
- Stripe, Inc. — Payment processing and billing. Stripe handles all payment card data and we do not store full card numbers. Stripe Privacy Policy.
- Google LLC (Google Cloud / Gemini). — Large language model inference (Gemini) used in-call to generate conversational responses. Audio and text are processed transiently during the call to produce AI responses. Google Cloud Privacy.
We may engage additional subprocessors from time to time. We will provide notice of new subprocessors by updating this policy and, for material changes, notifying active Customers at least thirty (30) days in advance. Customers may object to a new subprocessor by contacting privacy@auramediastudios.com within the notice period.
8. HIPAA & Health Data
The Service offers a "HIPAA-aware intake" feature designed for healthcare-adjacent businesses such as medical practices, dental offices, and medical spas (medspas). This feature allows Customers to configure intake forms that may collect health-related information from Callers.
Business Associate Agreements (BAAs). For Customers that are Covered Entities or Business Associates under HIPAA and intend to use the Service to create, receive, maintain, or transmit Protected Health Information (PHI), a Business Associate Agreement (BAA) must be executed between the Customer and Aura Media Studios before PHI is processed. A BAA is available upon request by contacting privacy@auramediastudios.com.
Exclusion without a BAA. Customers who have not executed a BAA with Aura Media Studios must not use the Service to collect, process, transmit, or store PHI or any other regulated health information. If no BAA is in place, the HIPAA-aware intake feature must not be configured to capture PHI, and Aura Media Studios explicitly disclaims any obligation under HIPAA with respect to such Customers. Any health information submitted by a Customer without a BAA is processed at the Customer's sole risk, and Customer assumes all liability for HIPAA violations.
Minimum necessary. Even with a BAA in place, Customers should apply the HIPAA "minimum necessary" standard when configuring intake forms, collecting only the information needed to serve the Caller. We do not provide medical advice through the Service, and the Service does not make clinical decisions.
9. International Data Transfers
The Service is hosted primarily on Cloudflare's global edge network and may process data in the United States and the European Union. Aura Media Studios LLC is a U.S.-based entity. For transfers of personal information from the EEA, UK, or Switzerland to the United States, we rely on recognized transfer mechanisms, which may include the EU-U.S. Data Privacy Framework, the UK Extension, Standard Contractual Clauses (SCCs), or other legally valid mechanisms. A copy of our transfer safeguards is available upon request.
10. Data Security
We implement industry-standard technical and organizational measures to protect personal information, including encryption in transit (TLS) and at rest, access controls, regular security assessments, and background-checked personnel for sensitive operations. Our subprocessors are similarly required to maintain appropriate security measures.
Despite these measures, no system is perfectly secure. We cannot guarantee absolute security of personal information. We continuously monitor for threats and update our security practices in response to evolving risks.
11. Data Breach Notification
In the event of a personal data breach affecting Customer or Caller data, Aura Media Studios will follow a defined incident response procedure:
- Detection & containment. Upon identifying a suspected or confirmed breach, we will take immediate steps to contain the incident, preserve evidence, and assess the scope of affected data.
- Customer notification. We will notify affected Customers without undue delay and in any case within seventy-two (72) hours of confirming a breach that is likely to result in a risk to the rights and freedoms of individuals, as required by GDPR Article 33/34. Notification will include the nature of the breach, categories and approximate number of affected records, likely consequences, measures taken, and a contact point for further information.
- Authority notification. Where required by law (including GDPR Article 33), we will notify the competent supervisory authority within seventy-two (72) hours of becoming aware of a notifiable breach.
- Caller notification. Aura Media Studios will assist Customers in fulfilling their obligations to notify Callers and regulators. Customers are responsible for directly notifying their Callers where required by law; Aura Media Studios will provide the necessary information to support such notifications.
- Documentation. All breaches will be documented internally, including facts, effects, and remedial actions, regardless of whether notification is required.
Customers are similarly obligated to notify Aura Media Studios without undue delay if they become aware of a breach involving their account credentials or data.
12. Children's Privacy
The Service is a business-to-business (B2B) product intended for use by commercial entities. It is not directed to children under the age of thirteen (13), and we do not knowingly collect personal information from children under thirteen. If we learn that we have collected personal information from a child under thirteen without verifiable parental consent, we will delete that information as quickly as possible.
Because the Service handles inbound calls, Callers may include minors. We do not knowingly collect personal information directly from children through the Service. Customers are responsible for handling any calls from minors in accordance with applicable law, including obtaining parental consent where required. If you believe a child has provided personal information through the Service, contact privacy@auramediastudios.com immediately.
For California residents, the California Age-Appropriate Design Code Act imposes additional obligations on services "likely to be accessed by children." As a B2B service, Magic Receptionist is not primarily directed to children, but Customers should be aware that Callers may include minors and configure the Service accordingly.
13. Cookies & Tracking
The magicreceptionist.com website uses a minimal set of cookies and similar technologies for essential functionality, security, and aggregate analytics. We do not use cookies for cross-site advertising or third-party tracking beyond what is necessary to operate the site. You can control cookies through your browser settings; disabling essential cookies may affect site functionality.
The Service's administrative dashboard uses authentication cookies managed through WorkOS to maintain login sessions. These cookies are strictly necessary and cannot be disabled while using the dashboard.
14. Your Choices
You can exercise the following choices regarding your information:
- Account information: Customers can view and update account information through the administrative dashboard;
- Marketing communications: Unsubscribe from marketing emails using the link in any email or by contacting us;
- Caller data: Callers may request access, deletion, or correction of their data by contacting the Customer or us at privacy@auramediastudios.com;
- Browser controls: Manage cookies and tracking through your browser settings.
15. Our Role: Controller vs. Processor
For personal information that we collect directly from Customers and Visitors (such as account information, billing details, and website analytics), Aura Media Studios acts as a data controller and determines the purposes and means of processing.
For personal information of Callers that is collected through the Service (such as call recordings, transcripts, and lead data), Aura Media Studios acts as a data processor on behalf of the Customer, who is the data controller. We process Caller data only as directed by the Customer and as necessary to provide the Service. Customers are responsible for complying with their obligations as data controllers, including providing privacy notices to their Callers and obtaining necessary consents.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the updated policy on this page and update the "Effective date" above. For material changes, we will notify active Customers by email at least thirty (30) days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
17. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at:
Aura Media Studios LLC
Email: privacy@auramediastudios.com
Legal inquiries: legal@auramediastudios.com
If you are a Customer seeking a Data Processing Addendum (DPA) or Business Associate Agreement (BAA), contact privacy@auramediastudios.com.
Aura Media Studios LLC · Magic Receptionist · Terms of Service · Acceptable Use Policy