At Davoxly (davoxly.com) we respect your privacy and are committed to protecting your personal data. This Privacy Policy describes what data we collect through the Davoxly mobile app and the website davoxly.com, how we use it, and your rights under the EU General Data Protection Regulation (GDPR, EU 2016/679) and applicable Spanish law (LOPDGDD).
Important notice: Davoxly is a management tool intended exclusively for clinic and business staff (receptionists, professionals and administrators). It is not a patient- or client-facing application. Patient or client data you manage through the platform is the responsibility of your organisation as Data Controller; Davoxly acts as Data Processor in that respect.
1. Data Controller
| Name | Flormarys Elena Diaz Diaz |
| Legal status | Self-employed (autónoma, Spain) |
| Address | Murcia, Spain |
| Email | support@davoxly.com |
| Website | https://davoxly.com |
With regard to personal data of platform users (clinic staff), Davoxly acts as Data Controller.
With regard to personal data of patients entered or managed on the platform, Davoxly acts as Data Processor on behalf of each clinic, which is the Data Controller for its patients.
2. Data We Collect
2.1 Platform user data (clinic staff)
| Category | Specific data | Source |
|---|---|---|
| Identity | Full name, email address, role (receptionist, doctor, admin) | Account created by clinic administrator |
| Credentials | Password (stored as bcrypt hash, never in plain text), Sanctum session tokens | Generated by the system |
| Usage data | Access log (date/time, source IP), actions performed on the platform (appointments created/modified) | Automatically during use |
| Device | Push notification token (Expo Push Token), platform (iOS/Android) | When user grants notification permission |
| Diagnostics | Application errors, error traces (stack traces), partially anonymised IP | Automatically via Sentry (error monitoring service) |
2.2 Patient data (processed as Data Processor)
In carrying out our functions as Data Processor, we may access patient data that the clinic enters in the platform: full name, ID number, phone, email, date of birth, address, clinical notes and appointment data. This data belongs to the clinic and is managed under the Data Processing Agreement (DPA) signed or accepted when the account is activated.
2.3 Phone call recordings
The platform integrates an AI voice assistant that handles patient calls to the clinic. Call recordings are processed by Vapi AI and stored temporarily. Patients are verbally notified at the start of each call that it may be recorded. Recordings are used exclusively for service quality monitoring and incident resolution. Where conversations contain patient health information, the processing of such data is additionally based on Art. 9.2.h GDPR, relating to the provision of healthcare.
3. Purpose and Legal Basis
| Purpose | Legal basis (GDPR) |
|---|---|
| Providing the contracted service (appointment management, platform access) | Art. 6.1.b — Performance of a contract |
| User account administration and authentication | Art. 6.1.b — Performance of a contract |
| Sending push notifications about appointments | Art. 6.1.a — Consent of the data subject |
| Technical error monitoring and application security | Art. 6.1.f — Legitimate interests (service security and stability) |
| Compliance with legal obligations | Art. 6.1.c — Legal obligation |
| AI voice call processing | Art. 6.1.b — Performance of contract with the clinic; Art. 9.2.h GDPR (where calls contain health data) |
4. Data Retention
| Data | Retention period |
|---|---|
| Active user accounts | While the account is active or until deletion is requested |
| Access and activity logs | 12 months from the log entry |
| Appointment and patient data (as Processor) | Per clinic instructions (minimum 5 years due to fiscal and health obligations) |
| Call recordings (audio) | Maximum 90 days, stored by Vapi AI per their retention policy. Call metadata (duration, transcript, summary) is managed by Davoxly and retained per clinic instructions. |
| Push notification tokens | While the device is registered or until deactivation by the user |
| Error logs (Sentry) | 90 days |
Once the specified periods have elapsed, data will be securely deleted or anonymised.
5. Recipients and Third Parties
Davoxly shares data with the following service providers acting as Data Processors, with whom data processing agreements have been signed or EU Standard Contractual Clauses apply:
| Provider | Service | Country | Safeguards |
|---|---|---|---|
| DigitalOcean LLC | Server hosting (FRA1 region, Frankfurt, Germany) | USA / EU (data in Germany) | Servers in the EU; Standard Contractual Clauses (SCCs) for EU-US transfers |
| Vapi AI Inc. | AI voice assistant, call processing | USA | Standard Contractual Clauses (SCCs) |
| Twilio Inc. | SMS notification delivery | USA | Standard Contractual Clauses (SCCs) |
| Functional Software Inc. (Sentry) | Technical error monitoring | USA | Standard Contractual Clauses (SCCs); IPs anonymised |
| Expo (Expo SDK / EAS) | Mobile app distribution and push notification delivery | USA | Standard Contractual Clauses (SCCs) |
We do not sell, rent or share your personal data with third parties for their own commercial purposes.
6. International Data Transfers
Some of our providers are located in the United States. In all cases, transfers are made under Standard Contractual Clauses (SCCs) adopted by the European Commission or another valid transfer mechanism under GDPR (Chapter V). Production data is stored on servers located in Germany (DigitalOcean FRA1 region), within the European Economic Area.
7. Your Rights
Under GDPR and applicable Spanish law, you have the right to:
- Access: Obtain confirmation about whether we process your data and access to it.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure ("right to be forgotten"): Request deletion of your data when, among other circumstances, it is no longer necessary for the purposes for which it was collected.
- Restriction of processing: Request that we temporarily suspend processing of your data.
- Data portability: Receive your data in a structured, commonly used, machine-readable format.
- Objection: Object to processing based on legitimate interest.
- Not be subject to automated decisions: Not be subject to decisions based solely on automated processing that produce legal effects.
- Withdraw consent: Where processing is based on your consent (e.g. push notifications), you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, send an email to support@davoxly.com indicating the right you wish to exercise and attaching a copy of your identity document. We will respond within a maximum of one month (extendable to three months for complex cases, with notification within the first month).
If you believe that the processing of your data infringes applicable regulations, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD) — www.aepd.es.
8. Account Deletion
If you wish to delete your Davoxly account and all associated personal data, you can do so in the following ways:
- From the app: Go to Profile → Account settings → Delete account and follow the instructions.
- By email: Send a request to support@davoxly.com with the subject "Delete account" from the email address associated with your account.
- Through your administrator: Your clinic administrator can delete your account from the management panel.
- Web form: Visit davoxly.com/delete-account.
We will process your request within a maximum of 30 days. Appointment records and historical data required to fulfil legal or contractual obligations to the clinic may be retained for the legally required period, duly anonymised or dissociated from your identity where possible.
9. Call Recordings
Davoxly's AI voice assistant records incoming calls from patients to the clinic. Before any conversation starts, the assistant verbally informs patients that the call may be recorded. These recordings:
- Are processed and stored by Vapi AI (sub-processor) for a maximum of 90 days, in accordance with Vapi AI's retention policy. Call metadata (duration, transcript, summary and call identification) is managed by Davoxly and retained per clinic instructions.
- Are accessible to authorised clinic staff for quality supervision and incident resolution.
- Are not used for advertising purposes and are not disclosed to third parties other than those indicated in this policy.
- Where conversations contain patient health data, processing is additionally based on Art. 9.2.h GDPR (provision of healthcare).
- Patients may request deletion of their recording by contacting the clinic directly or us at support@davoxly.com.
10. Push Notifications
With your consent, Davoxly sends push notifications to your device about appointment updates (confirmations, cancellations, new bookings). The device token required for delivery is transmitted to our servers and to Expo (EAS).
You can revoke this permission at any time from your device settings (iOS: Settings → Davoxly → Notifications / Android: Settings → Apps → Davoxly → Notifications) or from the profile section of the app. Upon revoking permission, you will stop receiving notifications and we will delete your device token.
11. Security
We apply appropriate technical and organisational measures to protect your data against unauthorised access, loss, disclosure or alteration. These include:
- Communications encrypted using HTTPS/TLS.
- Passwords stored with bcrypt (one-way hash).
- Short-lived authentication tokens (Sanctum).
- Data access restricted by user role.
- Continuous error and anomaly monitoring (Sentry).
- Regular backups on secure infrastructure.
However, no system is completely impenetrable. If you discover a potential security vulnerability, please disclose it responsibly to support@davoxly.com.
12. Minors
Davoxly is intended exclusively for adult professionals (aged 18 and over). We do not knowingly collect data from persons under 18. If you become aware that a minor has created an account, please notify us at support@davoxly.com so we can delete it.
13. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our services or applicable regulations. When changes are significant, we will notify you by email or a prominent notice in the application at least 30 days in advance. The "Last updated" date at the top of this page reflects the current version.
Continued use of the service after changes take effect constitutes acceptance of the updated Privacy Policy.
14. Contact
If you have questions, requests or complaints regarding this Privacy Policy or the processing of your personal data, you can contact us at:
- Email: support@davoxly.com
- Website: https://davoxly.com