Last updated: May 2026
You (Customer) are the Data Controller (GDPR) / Database Owner (Israeli PPL) in respect of personal data belonging to your leads, callers, and customers that flows through the Boltcall platform.
Boltcall is the Data Processor (GDPR) / Database Holder (Israeli PPL). We process personal data on your behalf only as instructed by you and as described in this DPA.
In respect of account data you provide about yourself or your team, Boltcall is an independent Data Controller. See our Privacy Policy for that processing.
Processing is solely to provide the Boltcall Service as described in the Terms of Service. Duration is for the term of your subscription plus the retention periods in our Privacy Policy.
You provide general authorisation for Boltcall to engage the sub-processors listed below. We will notify you at least 14 days before adding or replacing a sub-processor that processes your customers' data.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, and storage | United States (AWS us-east-1) |
| Retell AI | AI voice agent engine and call transcription | United States |
| Twilio | Phone number provisioning, SMS, and call routing | United States |
| Stripe | Payment processing and subscription management | United States (EU/UK residents: also EU data residency) |
| OpenAI | AI language model inference for agent conversations | United States |
| ElevenLabs | Text-to-speech voice synthesis for AI agents | United States |
| Brevo (formerly Sendinblue) | Transactional and marketing email delivery | France (EU) |
| Meta (WhatsApp Business API) | WhatsApp message delivery | United States / Ireland (EU residents) |
| Google (GTM + GA4) | Analytics (consent-gated — only active after user accepts cookies) | United States |
| Greeninvoice | Israeli tax invoice generation (חשבונית מס) for Israeli customers | Israel |
Disclosure required by Israeli PPL Amendment 13: The majority of sub-processors listed above are located in the United States, which is not on Israel's list of countries with adequate data protection. Data transferred to these processors is protected by contractual safeguards (Standard Contractual Clauses / equivalent data processing agreements with each sub-processor).
Core customer data (account records, leads, conversation history) is stored in Supabase (AWS us-east-1, United States). If your business requires Israeli or EU data residency, contact privacy@boltcall.org to discuss options.
To sign a countersigned DPA for enterprise contracts, or to submit data subject requests on behalf of your customers:
Related documents: Privacy Policy · Terms of Service
We use cookies to improve your experience
Essential cookies keep the site working. Analytics cookies help us understand how visitors use Boltcall so we can improve it.