1. Who we are
This policy explains how Talitu Ltd. (“Kalitu”, “we”, “us”, “our”) handles personal data. Talitu Ltd. is a company registered in the United Kingdom (company number 10295016), with registered office at 483 Green Lanes, London N13 4BS.
Kalitu operates AI teammates and related services for Med Spa, Cosmetic Dental and similar aesthetic businesses. Depending on the context, Kalitu acts in one of two roles in relation to personal data:
- As a controller — when you visit our website, book a call, contact us, or otherwise interact with Kalitu directly.
- As a processor — when we operate AI teammates and related systems on behalf of a Business Client (such as a clinic). In those cases the Business Client is the controller of their customers’ personal data and we process it under their instructions and our agreement with them.
Data protection contact: privacy@talitu.com.
2. Scope of this policy
This policy covers personal data that Kalitu collects and processes as a controller, including data of website visitors, prospective customers, Business Clients, affiliates and others who interact with Kalitu directly. It applies to visitors and customers in the United Kingdom, the European Economic Area, the United States, and other regions where Kalitu does business.
Where Kalitu operates AI teammates, communications systems and workflow automation on behalf of a Business Client, our handling of that data is governed by our agreement with that Business Client. Please refer to that business’s own privacy notice for the controller-level disclosures that apply to its customers and patients. The “When Kalitu acts as a processor” section below explains that arrangement in more detail.
3. Data we collect
| Category | Examples |
|---|---|
| Identity & contact | Name, email address, phone number, business name. |
| Business enquiry | Clinic or business type, what you’d like help with, fit and goal answers, and details you share when booking a call or engaging our services. |
| Account | Login details and settings, where an account is created. |
| Usage & technical | IP address, device and browser type, pages viewed, referring source, and similar data collected through cookies and analytics. |
| Communications | Messages, enquiries and correspondence you send us by email, web form, chat, phone or other channels. |
| Customer interaction data | For Business Clients and where we operate AI teammates: inquiry details, appointment requests, communication history, lead status and similar records generated through customer-facing AI teammate interactions. |
| AI interaction data | Conversation transcripts, AI-generated summaries, classifications, recommendations and operational metadata produced by AI teammates as they handle interactions. |
| CRM data | Where AI teammates connect to a Business Client’s CRM: notes, tags, pipeline stages, booking history and related records used or updated by the AI teammates. |
| Voice and recording data | Where voice-based AI teammates are used: call audio, transcriptions and related metadata, subject to the disclosures and consents described below. |
| Billing | Billing contact and transaction records for Business Clients. Card details are handled by our payment providers; we do not store full card numbers. |
4. How we use your data
- To respond to enquiries, schedule and conduct calls, and deliver the Services you or your business ask for.
- To operate AI teammates, communications systems and workflow automation for Business Clients under their instructions.
- To create and manage accounts, process payments and provide support.
- To send service messages and, where permitted, relevant marketing.
- To monitor, analyse, improve and secure our Services, including the performance of AI teammates.
- To prevent fraud, misuse and abuse of the Services.
- To comply with legal, accounting and regulatory obligations.
5. AI processing and automated decisions
Kalitu uses AI systems and third-party AI service providers to deliver the Services, including responding to enquiries, summarising and classifying information, supporting appointment workflows, generating communications and automating routine tasks. These systems may process information you provide directly to Kalitu and information submitted by or on behalf of Business Clients.
AI systems may operate automatically and may involve human review where appropriate. AI outputs can contain inaccuracies, omissions or unexpected results and are not a substitute for professional, medical, legal or clinical advice.
Automated processing. Kalitu may use automated systems to classify enquiries, route communications, trigger workflows and generate recommendations or suggested responses. Where Kalitu acts as a processor for a Business Client, final business decisions (including any decisions that produce legal or similarly significant effects on individuals) remain the responsibility of that Business Client.
Solely automated decisions with legal effect. Kalitu does not, as controller, take decisions about you that are based solely on automated processing and that produce legal or similarly significant effects on you, except where allowed by law and with appropriate safeguards.
6. Call recording and voice AI
Where Kalitu provides voice-based AI teammates, calls, voice interactions and related communications may be recorded, transcribed or analysed for service delivery, quality assurance, training, security and improvement purposes.
Where required by law, individuals will be notified at the start of a call that the call may be recorded or handled by an AI system, and given an opportunity to decline or request a human alternative where one is available. In jurisdictions that require the consent of all parties to a recording (for example, certain US states), Kalitu and Business Clients will follow the applicable consent requirements.
Business Clients using voice-based AI teammates are responsible for ensuring that their use of recording and voice AI complies with applicable telephone, recording, wiretap and consumer-protection laws in the regions where they and their customers are located.
7. When Kalitu acts as a processor
When Kalitu operates AI teammates and related systems on behalf of a Business Client, Kalitu generally acts as a data processor for the personal data of that Business Client’s customers and prospects. Kalitu processes that data only under the Business Client’s documented instructions and our agreement with that Business Client.
Data processing agreements. Where required by law, Kalitu enters into data processing agreements (DPAs) with Business Clients that govern processor obligations, including confidentiality, security, sub-processor management, assistance with data-subject rights, breach notification and return or deletion of data at the end of the engagement.
If you are a customer or prospect of a Business Client and you want to exercise your rights in relation to data the Business Client has shared with us, please contact that Business Client first. We will support them in responding to your request.
8. Legal bases for processing
Where Kalitu acts as a controller, we rely on the following legal bases under UK GDPR and EU GDPR:
- Contract — to provide the Services you or your business request.
- Legitimate interests — to run, secure and improve our business, develop new features, prevent misuse, and grow the business, where these interests are not overridden by your rights and interests.
- Consent — for non-essential cookies, certain marketing communications, and other processing requiring consent; you can withdraw consent at any time.
- Legal obligation — to meet our legal, accounting and regulatory duties.
Where Kalitu acts as a processor (see section 7), the legal basis for processing is set by the Business Client who acts as controller.
9. Who we share data with
We share personal data with:
- Service providers who help us operate, including:
  - Hosting and infrastructure (such as Cloudflare and Amazon Web Services).
  - CRM, scheduling, messaging and telephony platforms (such as GoHighLevel and Twilio).
  - Analytics, session recording and product measurement (such as Google Analytics, Plausible and Microsoft Clarity).
  - Advertising, conversion tracking and audience platforms (such as Meta and Meta Conversions API, Google Ads, LinkedIn Ads and Microsoft Advertising).
  - Video embedding (YouTube).
  - AI model and infrastructure providers, including large language model providers (such as OpenAI, Anthropic and Google), voice AI and orchestration providers (such as ElevenLabs, Retell and VAPI), and speech-to-text providers (such as AssemblyAI and Deepgram).
  - Email, payment and other operational vendors.
- Business Clients, where the data relates to services we deliver for them (for example, a referrer who introduced them through our affiliate program).
- Professional advisers, such as legal and accounting advisers.
- Authorities, where required by law or to protect our rights.
- A buyer or successor, in connection with a business sale or reorganisation.
We do not sell your personal data and we do not share your personal data for cross-context behavioural advertising in a way that would constitute a “sale” or “share” under US state privacy laws (see section 14 below).
10. Cookies & tracking
We use cookies and similar technologies to operate the website, remember preferences, measure performance and, where you consent, support advertising. You can manage your preferences through our cookie banner and your browser settings. Full detail is in our Cookie Policy.
11. Health-related information
Kalitu does not intentionally request health, medical or treatment information through its website. However, Business Clients and their customers may submit information that could include health-related, treatment-related or other sensitive information during the operation of AI teammates or related Services (for example, when a prospective patient describes the procedure they are interested in).
Where this happens, Kalitu processes such information only as necessary to deliver the Services and in accordance with the Business Client’s instructions and the applicable agreement (see also “HIPAA and healthcare data (US)” below). Business Clients are responsible for ensuring that they have all required rights, notices and consents to provide such information to Kalitu.
Please do not send Kalitu detailed health or medical information unless it is necessary for the Services you are using. If sensitive information is shared with us by mistake, we will delete it on request.
12. How long we keep data
We keep personal data only as long as needed for the purposes set out here, including to meet legal, accounting and reporting requirements. Indicative retention periods (which may vary depending on the agreement with the Business Client, the category of data and legal obligations):
| Data type | Indicative retention |
|---|---|
| Website enquiries and call bookings | Up to 36 months from the last interaction. |
| Business Client account data | Duration of the relationship, plus any legally required period. |
| AI conversation transcripts and interaction logs | As needed to deliver the Services and as set out in the relevant Business Client agreement; typically deleted or anonymised on termination of the engagement. |
| Call recordings and voice transcripts | As needed for service delivery and as set out in the Business Client agreement; typically deleted within a defined window unless a longer period is required for legal or safety reasons. |
| CRM data | Held in the Business Client’s CRM and retained per the Business Client’s own policy. |
| Billing and transaction records | For as long as required by tax, accounting and statutory rules. |
| Marketing communications | Until consent is withdrawn or the contact becomes inactive. |
When data is no longer needed, we delete or anonymise it.
13. International transfers
Kalitu is based in the United Kingdom but works with service providers and customers in multiple regions, including the European Economic Area and the United States. Some service providers (in particular AI model providers and global cloud infrastructure) may process personal data across multiple jurisdictions.
Where personal data is transferred outside the UK or EEA, we put appropriate safeguards in place, such as UK or EU approved standard contractual clauses, the UK Addendum, adequacy decisions where they apply, or other lawful transfer mechanisms. For US-based providers, transfers are made under the relevant approved mechanisms, including (where applicable) the EU-US Data Privacy Framework and the UK Extension.
14. US privacy rights
This section applies if you are a resident of a US state with a comprehensive privacy law, including California (CCPA / CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA) and other states with similar laws.
Subject to applicable state law, you may have the right to:
- Know what personal information we collect, use, disclose and retain about you.
- Access a copy of your personal information.
- Correct inaccurate personal information.
- Delete personal information we hold about you, subject to exceptions allowed by law.
- Opt out of the sale or sharing of your personal information for targeted advertising, profiling for decisions producing legal or similarly significant effects, and (in California) the use or disclosure of sensitive personal information for purposes beyond those allowed without further consent.
- Limit our use of sensitive personal information, where applicable.
- Non-discrimination — we will not deny services, charge different prices or provide a different level of service because you exercised your privacy rights.
- Appeal a refused request, where the applicable state law provides an appeal mechanism.
To exercise these rights, contact us at privacy@talitu.com. You may use an authorised agent to submit a request on your behalf, subject to verification.
Kalitu does not sell personal information for money, and does not knowingly “sell” or “share” personal information of any individual under 16 years of age. Where applicable, you can submit a Do Not Sell or Share My Personal Information request at privacy@talitu.com.
California residents may also request information about categories of personal information disclosed to third parties for those third parties’ direct marketing purposes (“Shine the Light” request). Kalitu does not currently disclose personal information to third parties for their own direct marketing.
15. HIPAA and healthcare data (US)
Where a US-based Business Client is a HIPAA-covered entity (for example, certain Med Spas, dental practices and other healthcare providers) and uses Kalitu’s Services to handle protected health information (PHI), Kalitu may act as a “business associate” under HIPAA. In those cases, Kalitu and the Business Client enter into a Business Associate Agreement (BAA) before any PHI is shared with Kalitu, and the BAA governs Kalitu’s use and protection of that PHI.
Without a signed BAA in place, Kalitu does not knowingly accept or process PHI on behalf of a US-based covered entity. Business Clients who are covered entities are responsible for ensuring that a BAA is in place before configuring Kalitu’s Services to handle PHI, and for complying with their own HIPAA obligations (including notice, minimum necessary use, and patient rights).
16. Your rights
Subject to applicable law, you may have the right to: access your personal data; correct inaccurate data; request erasure; restrict or object to processing; data portability; and withdraw consent where processing is based on consent. US-state-specific rights are set out in section 14, and US healthcare data is addressed in section 15.
To exercise any of these rights, contact us at privacy@talitu.com or use our contact page. You will not usually be charged, and we will respond within the time required by law. We may need to verify your identity before acting on a request.
Where Kalitu acts as a processor, please contact the Business Client (the controller) first; we will support them in responding.
17. Security
We take reasonable technical and organisational measures to protect personal data, including access controls, encryption in transit, vendor due-diligence and incident response procedures. No method of transmission or storage is completely secure, so we cannot guarantee absolute security, but we work to protect your data and to respond appropriately to any incident.
18. Children
The Services are intended for users aged 18 and over. We do not knowingly collect personal data from children. If you believe a child has provided us with data, please contact us so we can remove it. This applies equally to the children’s privacy protections of US state laws and the UK / EU children’s data rules.
19. Changes to this policy
We may update this policy from time to time. The “last updated” date shows when changes took effect. Material changes will be notified where reasonably practicable.
20. Contact & complaints
For privacy questions or to exercise your rights, contact privacy@talitu.com or use our contact page.
If you are in the United Kingdom and are unhappy with how we handle your data, you can complain to the Information Commissioner’s Office (ICO) at ico.org.uk. If you are in the European Economic Area, you may complain to your local supervisory authority. If you are a US resident and your state privacy law provides a right of appeal or a complaint mechanism (for example, the California Privacy Protection Agency or your state attorney general), you may contact that authority. We would appreciate the chance to address your concerns first.