Privacy Policy

Tirza is operated by Tirza AI Ltd (Ireland), CRO number [CRO: pending — issued at public launch], registered office [address: pending]. Tirza AI Ltd is the controller responsible for the processing of personal data described in this policy.

Do you have a privacy question or would you like to exercise a right? Email us at privacy@tirza.ai. We respond within 5 working days.

We process two types of data: data from business owners who use Tirza as their receptionist, and data from callers who speak with that receptionist.

From business owners (our customers)

• Name, business name, phone number, email address
• Opening hours, services, prices, FAQ information
• Calendar connection (Google Calendar tokens)
• Payment details (processed by Stripe; we never see card numbers)
• Dashboard usage (anonymised, via PostHog EU)

From callers

• Phone number (of the caller)
• Name and contact details if the caller provides them
• Audio recording of the call
• Transcript (written version of the call)
• Reason for calling, requested appointment time

Audio recordings fall under special categories of personal data (Article 9 GDPR). We handle them accordingly: minimal retention period, secure storage, strict access controls.

We keep data for as short a time as possible, but as long as necessary. Specifically:

• Audio recordings: 30 days (Solo plan) or 90 days (Pro). Deleted automatically after that.
• Call transcripts: 2 years. These serve as evidence of booked appointments and for the EU AI Act.
• Evidence log: 6 years. Statutory retention period for AI systems.
• Customer account & contact details: as long as your account is active, plus 30 days after cancellation.
• Invoices & accounting: 7 years (tax retention obligation).

As a business owner you can delete audio recordings earlier from your dashboard. If you cancel your subscription, we delete all personal data within 14 days. The evidence log is retained in anonymised form.

To make Tirza work we use a number of specialised partners (sub-processors). We only share what is strictly necessary.

• Retell AI (US) — telephony infrastructure and speech recognition
• ElevenLabs (US) — voice synthesis
• Anthropic (US) — language AI for wizard guidance
• Supabase (EU, Frankfurt) — database and auth
• Vercel (EU edge) — hosting
• Stripe Payments Europe (Ireland) — payments
• PostHog (EU, Frankfurt) — product analytics
• Sentry (EU region) — error tracking
• Google (EU/US) — calendar integration (only if you enable it yourself)
• Twilio Ireland (EU) — SMS confirmations

A complete, up-to-date list with countries, roles and legal basis is available at /subprocessors.

A few partners (Retell, ElevenLabs, Anthropic) are based in the United States. For those transfers we apply:

• Standard Contractual Clauses (SCCs, European Commission modules, 2021);
• a Transfer Impact Assessment (TIA) per provider;
• technical safeguards: encryption in transit (TLS 1.3) and at rest, data minimisation, PII filters for evidence logs.

Where an EU region is available, we choose it by default (Supabase, PostHog, Sentry, Vercel, Stripe, Twilio). That way your core data stays in Europe.

Tirza is an AI system. At the start of every call Tirza clearly states that she is an AI receptionist. Callers can always ask for a real human — just say "human", "person", "someone else", "manager", "owner" or "call me back" and we log a callback request.

Every AI decision (which answer, which appointment suggestion) is logged in our evidence log. That way we can account for what the system did and why.

Under the GDPR you have the right to:

• Access your data
• Rectification if something is incorrect
• Erasure ("right to be forgotten")
• Restriction of processing
• Data portability (a copy in a readable format)
• Object to processing based on legitimate interest
• Withdraw consent previously given

Send your request to privacy@tirza.ai. We respond within 30 days. Are you a caller and want the recording of a call deleted? We usually handle that within 48 hours.

We take appropriate technical and organisational measures: encryption in transit and at rest, strict access controls, audit logs for admin access, automatic deletion after the retention period, and regular security reviews. No measure is watertight, so we also maintain an incident procedure: in the event of a data breach we notify the supervisory authority within 72 hours and affected individuals as soon as reasonably possible.

By default we use only strictly necessary cookies. For analytics (PostHog EU) we actively ask for your consent via the banner at the bottom of the screen. You can always refuse and it costs you nothing.

Disagree with something? Let us know first — we'll try to resolve it. If we can't, you can file a complaint with:

• Data Protection Commission (Ireland) — dataprotection.ie
• Information Commissioner's Office (UK) — ico.org.uk

Tirza AI Ltd (Ireland)
Email: privacy@tirza.ai
General: hello@tirza.ai

We are not legally required to appoint a Data Protection Officer. If that changes, we will update this page.