Apym — apym.io
Last updated: June 2026
This policy explains how Dream Reality Technologies SASU ("we", "us") processes personal data when you use Apym. It applies to customers worldwide, including in the United States, and is designed to meet GDPR requirements. See also our legal notice and Terms of Service.
Dream Reality Technologies SASU is the data controller for account, billing, and marketing data relating to business customers.
We are the controller for business customer account data: signup, subscription, assistant configuration, billing, and support.
We are a processor (GDPR Art. 28) when you use Apym to handle your callers' data: phone numbers, call content, transcripts, and email recaps. You remain the controller toward your callers. We process that data only to perform our contract with you and according to your settings.
For website visitors without an account, we are the controller of contact-form and cookie data.
Caller records you upload (Pro plan): you may import cases tied to phone numbers (order/ticket reference, status, summary). You remain the controller toward your customers. We act as processor when looking up those records during a call. Verification codes, if any, are stored only as HMAC hashes — never in plain text. Lookup activity is logged for security (audit trail).
Live API lookup (Pro, optional): you may configure an HTTPS endpoint you host. On each call, Apym sends a signed (HMAC) request to fetch the matching record. You remain responsible for your API's security, availability, and data; we act as processor when transmitting the request and using the response during the call.
| Purpose | Legal basis |
|---|---|
| Account creation and customer portal access | Contract performance (GDPR Art. 6(1)(b)) |
| Voice assistant: inbound calls, transcription, summaries, appointment booking | Contract performance |
| Caller personalization via imported records or live API — lookup during calls, optional verification, audit logs | Contract performance; processor role (Art. 28) for end-customer data you provide |
| Subscription, billing, Stripe payments, pay-as-you-go, auto-recharge, usage alerts, add-ons (US/Canada +1 line, French +33 line on French-market subscriptions, assisted setup) | Contract performance; legal obligation (tax/accounting) |
| Fraud prevention and abuse detection (referrals, fake accounts) | Legitimate interests — security (Art. 6(1)(f)) |
| Transactional emails (call recaps, alerts, billing) | Contract performance |
| Customer support and privacy rights requests | Contract performance; legal obligation where applicable |
| Service security: intrusion detection, technical logging, apym_device_ip security tracker | Legitimate interests — security and integrity |
| Accounting records and lawful authority requests | Legal obligation (Art. 6(1)(c)) |
| Analytics cookies (Vercel Analytics, Speed Insights) and comfort cookies (theme) | Consent (Art. 6(1)(a)) via cookie banner |
| Optional Google Calendar connection to offer appointment slots to callers | Contract performance — feature you enable |
| Optional integrations (Slack recaps; HubSpot CRM sync in beta) | Contract performance — features you authorize |
We do not rely on vague "service improvement" purposes unrelated to the items above.
Account identification (required): email address, password (hashed, never stored in plain text), first and last name.
Business data (optional at signup): company name, industry, business phone or callback number. A company registration number (e.g. SIRET) may be collected only as part of regulatory verification for a French (+33) phone line.
Configuration (required depending on plan): assistant settings, phone line mode (your existing line or Apym line), business instructions. For a French (+33) Apym line, account-level regulatory verification data (company registration, representative ID, proof of address) required by our telecom operator (Telnyx) before number assignment.
Call data (generated by use): caller phone number, duration, audio recording, transcript, summary, call outcome, technical metadata.
Billing (required for paid plans): Stripe customer ID, plan, minute usage, payment history and invoices. Card numbers are entered directly with Stripe — they do not pass through our servers.
Optional: Google Calendar connection; Slack workspace connection (call recaps); HubSpot CRM connection (beta, Business plan — contacts, notes, deals after calls); additional phone numbers; theme preference (cookie); referral code (30-day cookie); enterprise contact form message.
Imported caller records (Pro, optional): caller phone, contact label, external reference, status, summary, expected date, verification hash (never plain code). Lookup audit logs (timestamp, method, match/verify outcome).
Technical: server logs (including source IP per request — see section 18); apym_device_ip tracker (see section 16); authentication session identifier.
Without required data, you cannot create an account or use the voice assistant.
If you refuse non-essential cookies via the banner: the public site remains usable, but Vercel Analytics and Speed Insights are not loaded, and your theme preference will not be remembered. Strictly necessary cookies (session, security) remain active.
If you disable call recap retention (see section 9), summaries and transcripts are no longer shown in your dashboard or Apym admin tools. The assistant and billing continue to work.
Without Google Calendar, automatic appointment booking on your calendar is unavailable; you can still receive requests via email recap.
| Data type | Retention |
|---|---|
| Active account (profile, business, configuration) | Contract duration; see account deletion (section 15) |
| Email/name change history (profile_change_history) | During contract; up to 3 years after deletion for disputes, fraud, security (section 7) |
| Call recaps (transcript, summary) — retention enabled | Contract duration while account is active |
| Imported caller records and lookup audit logs (tenant_caller_records, tenant_caller_lookup_audit) | Contract duration; deleted with account or on request. Audit logs kept up to 24 months for security. |
| Call metadata — recap retention disabled | Up to 24 months for billing and support unless law requires longer |
| Invoices and accounting records | 10 years (French legal accounting obligation) |
| Payment data at Stripe | Per Stripe policy and legal requirements |
| Technical logs (access, errors, security) | 12 months maximum |
| apym_device_ip tracker (section 16) | 12 months |
| Theme and consent cookies | 12 months |
| Data kept after account deletion (soft delete) | See section 15 — 10 years maximum only for legal obligation, proven fraud, litigation, or lawful authority request |
The 10-year post-deletion period does not apply to all data. It covers accounting records, fraud investigations, litigation, unpaid invoices, or authority requests only. Call transcripts are not kept for 10 years by default when recap retention is disabled.
When you change your email or name in settings (or at signup), we record the previous and new values in internal history (profile_change_history).
Purposes: account security, customer support, fraud prevention (referrals, multi-accounts), and evidence in contractual disputes.
Retention: during the contract; after deletion, up to 3 years unless a longer period is required by law or ongoing proceedings (10 years maximum).
This history is not visible in your dashboard. Only authorized Apym administrators can access it.
The Apym voice assistant uses speech synthesis and language understanding (provider: Retell). It greets callers, asks questions adapted to your business, and may offer a callback or appointment slot depending on your configuration.
No solely automated decision producing legal or similarly significant effects is made. Call outcomes (qualification, summary) are available to you; you remain solely responsible toward your customers.
Apym does not build marketing profiles of callers. Processing is limited to handling the call and sending the recap to you.
For questions about automated processing, contact legal@apym.io. Human review by Apym or you is available on reasonable request.
Recaps include the summary and, where applicable, the call transcript. They are visible in your dashboard and, when retention is enabled, to authorized Apym staff for support and incident resolution.
In Settings → Call recap retention, you can disable display and storage of recaps in your dashboard and Apym admin. Minimal metadata (duration, billing) may still be kept per section 6.
Legal basis: contract performance for retention you enable; legitimate interest or legal obligation for data strictly necessary for billing, security, or lawful requests.
We prioritize processing within the European Union where possible. Core data (accounts, calls, transcripts) is hosted with an EU-based provider, subject to your account configuration and our subprocessors.
Providers with EU infrastructure used for Apym:
US-established providers — transfers may occur: Stripe, Retell, and Telnyx are US companies. If you connect optional integrations, Slack and HubSpot (beta) are also US companies. Even when you access the service from the EU, some data (payment, call audio, transcripts, metadata, phone numbers, and — when enabled — call recaps or CRM records) may be processed in the US or elsewhere. Where transfers outside the EU are required, they are governed by Standard Contractual Clauses (SCCs) and supplementary measures where applicable.
Transactional email is sent via Resend (Ireland). The site and APIs run on Vercel (Paris). Voice calls, phone numbers, and payments involve Stripe, Retell, and Telnyx with the transfers described above. Optional Slack and HubSpot connections involve the additional transfers listed when you enable them.
If you accept analytics cookies, Vercel Analytics and Speed Insights may involve processing by Vercel Inc. (US), including outside the EU depending on configuration.
Contact legal@apym.io for available information on contractual safeguards (including SCCs) within the limits of documents we hold.
We use the following subprocessors, within the scope of their missions:
Each subprocessor is contractually bound (data processing agreements and transfer clauses where required). This list may evolve; this policy will be updated accordingly.
Stripe acts as an independent payment provider. Apym does not collect or store card numbers on its own servers.
Data sent to or managed by Stripe includes:
Stripe's privacy policy also applies: stripe.com/privacy.
We implement measures appropriate to the risk, including:
No measure guarantees absolute security. If a breach is likely to affect your rights, we will notify you as required by GDPR.
Under GDPR you may access, rectify, erase, restrict, port, or object to processing, and withdraw consent (for consent-based processing, without retroactive effect).
How to exercise rights: email legal@apym.io with your request and a way to verify your identity. We respond within one month (extendable by two months for complex requests, with prior notice).
Complaint: you may lodge a complaint with your supervisory authority (in France: CNIL).
Your callers' customers exercise rights with you as controller; Apym assists within our processor role on request via legal@apym.io.
US residents: we honor applicable state privacy requests (access, deletion, opt-out of sale/sharing where applicable — we do not sell personal data).
You can request deletion from Settings → Delete account. Outstanding balances and pending overage must be settled first (see Terms).
Immediate effect: access revoked, voice assistant disabled, Stripe subscription canceled, Google Calendar disconnected.
Data retained (soft delete): only the categories below, for the minimum duration required:
Beyond these cases, data is purged or anonymized as soon as possible. Apym does not keep all your personal data for 10 years by default.
An IP address is personal data when it can identify a device or, indirectly, a person. Apym processes it in two distinct ways:
apym_device_ip: httpOnly cookie set on first visit, storing the detected IP to correlate sessions and limit abuse (login attempts, fraud). Not an authentication session cookie.
Purpose: service security, fraud prevention, abuse rate limiting.
Retention: 12 months, renewed while you use the service.
Legal basis: legitimate interests — security (GDPR Art. 6(1)(f)). Considered strictly necessary under cookie rules; deposited without prior consent, separate from analytics or comfort cookies.
Each call handled by Apym includes a greeting informing the caller that the call is recorded and processed by a voice assistant (AI). You remain responsible toward your callers and must ensure this information fits your business context.
Callers do not create an Apym account. Their data is processed for the duration needed for the call, the recap sent to you, and the periods in section 6.
Our servers and host record technical logs: timestamp, requested URL, response code, request ID, source IP, user-agent, application errors.
Purposes: service operation, incident diagnosis, security, attack prevention.
Retention: 12 months maximum, unless a longer period is required for an ongoing security investigation or legal obligation.
Apym serves businesses (B2B). Data you provide for your company (company name, business phone, service usage) relates to your professional activity.
Your contact email and name may be personal data about you as an individual acting for your company. They are processed for B2B contract management and the commercial relationship.
Billing and accounting concern the Apym ↔ business customer relationship, separate from accounting you maintain for your own customers.
On first visit, a banner lets you accept, refuse, or customize non-essential cookies. Your choice is stored in apym_cookie_consent (12 months). Change it anytime via "Manage cookies" in the footer or Settings → Cookies.
Strictly necessary cookies (authentication session, security) are set without prior consent to enable login and protect the service.
apym_device_ip security tracker).
apym_theme), only if you accept this category.
| Name | Purpose | Duration | Legal basis |
|---|---|---|---|
| session auth | Maintains your logged-in session | Session or auto-renewal | Strictly necessary — contract |
| apym_device_ip | Security tracker: stores detected IP on first visit to limit abuse (section 16) | 12 months | Strictly necessary — legitimate interest |
| apym_cookie_consent | Stores your cookie choices | 12 months | Consent |
| apym_theme | Light / dark display preference | 12 months | Consent — Comfort category |
| Vercel Analytics | Aggregated audience measurement. Loaded only after Analytics consent. | Variable (per Vercel, up to 24 months) | Consent — Analytics |
| Vercel Speed Insights | Performance measurement (Core Web Vitals). Loaded only after Analytics consent. | Variable (per Vercel) | Consent — Analytics |
| apym_referral_code | Stores referral code before signup | 30 days | Legitimate interest — contract (referral) |
Withdraw consent via "Manage cookies" or Settings. You can also delete cookies in your browser; removing the session cookie logs you out. Refusing non-essential cookies does not block the public site (section 5).
Last revision: June 2026. We may update this policy to reflect service or legal changes. For material changes, we will notify you by email or in-app notice at least 30 days before the effective date when required by law or when the change significantly affects your rights.
The current version is always on this page. In case of conflict, our Terms of Service govern the contractual relationship.