Founding shops — the first 10 lock Missed-Call Coverage at $397 $297/mo for life. Claim a spot →
Frontdesk AI ← Back to site
Legal

Data Processing Addendum

Last updated: July 9, 2026

This Data Processing Addendum ("DPA") forms part of, and is incorporated into, the Terms of Service between Frontdesk Systems LLC ("Frontdesk," "we," "us," or "Processor") and the client that uses our AI voice receptionist service ("Client," "you," or "Controller"). It governs Frontdesk's processing of personal information about your callers in connection with the service. If there is a conflict between the Terms of Service and this DPA on the subject of data protection, this DPA controls.

1Definitions

Capitalized terms not defined here have the meaning given in the Terms of Service or in Applicable Privacy Laws.

2Roles of the parties

For Caller Data, the Client is the Controller (Business) and Frontdesk is the Processor (Service Provider) acting on the Client's behalf and on the Client's documented instructions. The Client is responsible for the lawfulness of the Caller Data it directs into the service and for having the rights necessary to share it with, and have it processed by, Frontdesk.

This DPA does not cover Frontdesk's processing of information about its own website visitors, prospects, or marketing audiences — including any processing through advertising or analytics providers. Frontdesk handles that information as an independent controller under its Privacy Policy, and it does not involve your Caller Data.

3Scope & Client instructions

Frontdesk will process Caller Data only to provide, maintain, secure, and improve the service, and only on the Client's documented instructions. Those instructions are set out in the Terms of Service, this DPA, and the configuration and settings the Client selects for its account. Frontdesk will inform the Client if, in Frontdesk's reasonable opinion, an instruction infringes Applicable Privacy Laws.

4Service-provider commitments

Frontdesk processes Caller Data solely as a service provider to the Client. Frontdesk certifies that it will:

  • Not sell or share Caller Data, as "sell" and "share" are defined under the CCPA/CPRA.
  • Not retain, use, or disclose Caller Data for any purpose other than performing the service described in the Terms of Service, or as otherwise permitted by Applicable Privacy Laws.
  • Not retain, use, or disclose Caller Data outside the direct business relationship between Frontdesk and the Client.
  • Not combine Caller Data with personal information Frontdesk receives from other sources, except as permitted by Applicable Privacy Laws.

Frontdesk understands these restrictions and will comply with them. Frontdesk will notify the Client if it determines it can no longer meet these obligations.

5Confidentiality

Frontdesk limits access to Caller Data to personnel who need it to provide the service, and ensures those personnel are bound by appropriate obligations of confidentiality.

6Security

Frontdesk maintains reasonable technical and organizational measures designed to protect Caller Data against a Personal Data Breach, appropriate to the nature of the data and the risk. A summary of these measures is set out in Annex B. Frontdesk may update its security measures over time, provided the level of protection is not materially reduced.

7Subprocessors

The Client provides a general authorization for Frontdesk to engage the Subprocessors listed in Annex C to process Caller Data. Frontdesk will:

  • impose data-protection obligations on each Subprocessor that are no less protective than those in this DPA; and
  • remain responsible to the Client for each Subprocessor's performance of its obligations.

Frontdesk will give the Client advance notice of any new or replacement Subprocessor (for example, by email or by updating Annex C on this page). The Client may object on reasonable data-protection grounds within 14 days of notice; if the parties cannot resolve the objection, the Client may cancel the affected service as its remedy.

8Assisting with data-subject requests

Taking into account the nature of the processing, Frontdesk will provide reasonable assistance to help the Client respond to requests from callers to exercise their rights under Applicable Privacy Laws (such as access, deletion, correction, or opt-out), to the extent the Client cannot address the request through its own account and tools. If a caller contacts Frontdesk directly about their Caller Data, Frontdesk will refer them to the Client and will assist the Client in responding, unless Applicable Privacy Laws require otherwise.

9Personal data breach

Frontdesk will notify the Client without undue delay after becoming aware of a Personal Data Breach affecting Caller Data. The notice will include the information then available to Frontdesk about the nature of the breach and the steps Frontdesk is taking to address it. Frontdesk will take reasonable measures to mitigate the breach and cooperate with the Client in its response. This notice is not an acknowledgment of fault or liability.

10Call recording, consent & caller notices

As set out in the Terms of Service and Privacy Policy, calls handled by the service may be recorded, transcribed, and processed as part of delivering the service. Recording and notice laws vary by state, and some require the consent of all parties to a call. The Client is responsible for ensuring that calls to its business may lawfully be recorded and handled by an automated service, and for any caller disclosures or consents required. Frontdesk can play a standard call notice at the Client's direction, but the Client remains responsible for compliance.

11Retention, return & deletion

Frontdesk retains Caller Data for as long as needed to provide the service and in line with the retention period described in the Privacy Policy. On termination of the service, or on the Client's written request, Frontdesk will delete or return Caller Data within a reasonable period, except to the extent Frontdesk is required to retain it by law. Once deleted, Caller Data may persist in routine backups for a limited time before being overwritten.

12Audits & information

Frontdesk will make available to the Client information reasonably necessary to demonstrate its compliance with this DPA. Where Applicable Privacy Laws give the Client a right to audit, the Client may, on reasonable prior notice and no more than once per year (unless required by a regulator or following a Personal Data Breach), request an inspection limited in scope, duration, and manner to what is reasonably necessary, subject to confidentiality and to not disrupting Frontdesk's operations or the data of other clients.

13International processing & transfers

Frontdesk is based in the United States, and Caller Data is generally processed in the United States by Frontdesk and its Subprocessors. If Caller Data is transferred from a jurisdiction that requires a specific transfer mechanism, the parties will cooperate to put an appropriate mechanism in place.

14Liability & order of precedence

Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. In the event of a conflict between this DPA and the Terms of Service regarding the processing of Caller Data, this DPA prevails.

15Term

This DPA takes effect on the date the Client accepts the Terms of Service and remains in effect for as long as Frontdesk processes Caller Data on the Client's behalf. Provisions that by their nature should survive termination will survive.

16Governing law

This DPA is governed by the laws of the State of Wyoming, United States, consistent with the Terms of Service, without prejudice to any mandatory provisions of Applicable Privacy Laws.

17Contact

Questions about this DPA or about data processing can be sent to hello@frontdesksystems.io or (307) 412-3475, Frontdesk Systems LLC, 1603 Capitol Ave, Cheyenne, Wyoming, USA.

AAnnex A — Details of the processing

Categories of data subjects: the Client's callers and prospective customers who contact the Client's business by phone.

Categories of Caller Data: caller name; phone number; vehicle details (year, make, model, mileage); the reason for the call or service concern; appointment details; call audio recordings and transcripts; and any other information the caller chooses to provide during the call.

Nature and purpose of processing: answering inbound calls; booking and managing appointments; capturing caller and vehicle information; answering frequently asked questions; routing or escalating calls; generating and delivering call summaries to the Client; and operating, securing, and improving the service.

Duration: for the term of the service and in line with the retention period in the Privacy Policy, unless the Client instructs otherwise.

Frequency: ongoing, for the duration of the service.

BAnnex B — Security measures

Frontdesk maintains measures that include, as applicable:

CAnnex C — Authorized subprocessors

SubprocessorPurposeLocation
Retell AI AI voice answering and real-time conversation; speech-to-text and transcription of calls. United States
GoHighLevel
(HighLevel, Inc.)
CRM, appointment scheduling and calendar, SMS and email delivery, and storage of call records, summaries, and caller details. United States
Make
(make.com)
Workflow automation connecting call events to notifications — routing call summaries and booking details to delivery systems. United States / European Union
Brevo Email delivery of call summaries and service notifications. European Union

The Subprocessors above may use their own sub-processors (for example, for telephony or email delivery) under their own data-protection commitments.