Privacy Policy

Apym apym.io

Last updated: June 2026

This policy explains how Dream Reality Technologies SASU("we", "us") processes personal data when you use Apym. It applies to customers worldwide, including in the United States, and is designed to meet GDPR requirements. See also our legal notice and Terms of Service.

1. Data controller

Dream Reality Technologies SASU is the data controller for account, billing, and marketing data relating to business customers.

  • Legal name: Dream Reality Technologies SASU
  • Trade name: InDream Technologies
  • Registered office: Registered office to be confirmed
  • SIRET: Pending assignment
  • Privacy contact: legal@apym.io

2. Our roles (controller vs. processor)

We are the controller for business customer account data: signup, subscription, assistant configuration, billing, and support.

We are a processor (GDPR Art. 28) when you use Apymto handle your callers' data: phone numbers, call content, transcripts, and email recaps. You remain the controller toward your callers. We process that data only to perform our contract with you and according to your settings.

For website visitors without an account, we are the controller of contact-form and cookie data.

Caller records you upload (Pro plan): you may import cases tied to phone numbers (order/ticket reference, status, summary). You remain the controller toward your customers. We act as processor when looking up those records during a call. Verification codes, if any, are stored only as HMAC hashes — never in plain text. Lookup activity is logged for security (audit trail).

Live API lookup (Pro, optional):you may configure an HTTPS endpoint you host. On each call, Apym sends a signed (HMAC) request to fetch the matching record. You remain responsible for your API's security, availability, and data; we act as processor when transmitting the request and using the response during the call.

3. Purposes and legal bases

PurposeLegal basis
Account creation and customer portal accessContract performance (GDPR Art. 6(1)(b))
Voice assistant: inbound calls, transcription, summaries, appointment bookingContract performance
Caller personalization via imported records or live API — lookup during calls, optional verification, audit logsContract performance; processor role (Art. 28) for end-customer data you provide
Subscription, billing, Stripe payments, pay-as-you-go, auto-recharge, usage alerts, add-ons (US/Canada +1 line, French +33 line on French-market subscriptions, assisted setup)Contract performance; legal obligation (tax/accounting)
Fraud prevention and abuse detection (referrals, fake accounts)Legitimate interests — security (Art. 6(1)(f))
Transactional emails (call recaps, alerts, billing)Contract performance
Customer support and privacy rights requestsContract performance; legal obligation where applicable
Service security: intrusion detection, technical logging, apym_device_ip security trackerLegitimate interests — security and integrity
Accounting records and lawful authority requestsLegal obligation (Art. 6(1)(c))
Analytics cookies (Vercel Analytics, Speed Insights) and comfort cookies (theme)Consent (Art. 6(1)(a)) via cookie banner
Optional Google Calendar connection to offer appointment slots to callersContract performance — feature you enable
Optional integrations (Slack recaps; HubSpot CRM sync in beta)Contract performance — features you authorize

We do not rely on vague "service improvement" purposes unrelated to the items above.

4. Data we collect

Account identification (required): email address, password (hashed, never stored in plain text), first and last name.

Business data (optional at signup): company name, industry, business phone or callback number. A company registration number (e.g. SIRET) may be collected only as part of regulatory verification for a French (+33) phone line.

Configuration (required depending on plan): assistant settings, phone line mode (your existing line or Apym line), business instructions. For a French (+33) Apym line, account-level regulatory verification data (company registration, representative ID, proof of address) required by our telecom operator (Telnyx) before number assignment.

Call data (generated by use): caller phone number, duration, audio recording, transcript, summary, call outcome, technical metadata.

Billing (required for paid plans): Stripe customer ID, plan, minute usage, payment history and invoices. Card numbers are entered directly with Stripe — they do not pass through our servers.

Optional: Google Calendar connection; Slack workspace connection (call recaps); HubSpot CRM connection (beta, Business plan — contacts, notes, deals after calls); additional phone numbers; theme preference (cookie); referral code (30-day cookie); enterprise contact form message.

Imported caller records (Pro, optional): caller phone, contact label, external reference, status, summary, expected date, verification hash (never plain code). Lookup audit logs (timestamp, method, match/verify outcome).

Technical: server logs (including source IP per request — see section 18); apym_device_ip tracker (see section 16); authentication session identifier.

5. Consequences of refusal (optional data and cookies)

Without required data, you cannot create an account or use the voice assistant.

If you refuse non-essential cookies via the banner: the public site remains usable, but Vercel Analytics and Speed Insights are not loaded, and your theme preference will not be remembered. Strictly necessary cookies (session, security) remain active.

If you disable call recap retention (see section 9), summaries and transcripts are no longer shown in your dashboard or Apym admin tools. The assistant and billing continue to work.

Without Google Calendar, automatic appointment booking on your calendar is unavailable; you can still receive requests via email recap.

6. Retention periods

Data typeRetention
Active account (profile, business, configuration)Contract duration; see account deletion (section 15)
Email/name change history (profile_change_history)During contract; up to 3 years after deletion for disputes, fraud, security (section 7)
Call recaps (transcript, summary) — retention enabledContract duration while account is active
Imported caller records and lookup audit logs (tenant_caller_records, tenant_caller_lookup_audit)Contract duration; deleted with account or on request. Audit logs kept up to 24 months for security.
Call metadata — recap retention disabledUp to 24 months for billing and support unless law requires longer
Invoices and accounting records10 years (French legal accounting obligation)
Payment data at StripePer Stripe policy and legal requirements
Technical logs (access, errors, security)12 months maximum
apym_device_ip tracker (section 16)12 months
Theme and consent cookies12 months
Data kept after account deletion (soft delete)See section 15 — 10 years maximum only for legal obligation, proven fraud, litigation, or lawful authority request

The 10-year post-deletion period does not apply to all data. It covers accounting records, fraud investigations, litigation, unpaid invoices, or authority requests only. Call transcripts are not kept for 10 years by default when recap retention is disabled.

7. Email and name change history

When you change your email or name in settings (or at signup), we record the previous and new values in internal history (profile_change_history).

Purposes: account security, customer support, fraud prevention (referrals, multi-accounts), and evidence in contractual disputes.

Retention: during the contract; after deletion, up to 3 years unless a longer period is required by law or ongoing proceedings (10 years maximum).

This history is not visible in your dashboard. Only authorized Apym administrators can access it.

8. AI, profiling, and automated decisions

The Apym voice assistant uses speech synthesis and language understanding (provider: Retell). It greets callers, asks questions adapted to your business, and may offer a callback or appointment slot depending on your configuration.

No solely automated decision producing legal or similarly significant effects is made. Call outcomes (qualification, summary) are available to you; you remain solely responsible toward your customers.

Apym does not build marketing profiles of callers. Processing is limited to handling the call and sending the recap to you.

For questions about automated processing, contact legal@apym.io. Human review by Apym or you is available on reasonable request.

9. Call recaps and retention setting

Recaps include the summary and, where applicable, the call transcript. They are visible in your dashboard and, when retention is enabled, to authorized Apym staff for support and incident resolution.

In Settings → Call recap retention, you can disable display and storage of recaps in your dashboard and Apym admin. Minimal metadata (duration, billing) may still be kept per section 6.

Legal basis: contract performance for retention you enable; legitimate interest or legal obligation for data strictly necessary for billing, security, or lawful requests.

10. Data location and transfers outside the EU

We prioritize processing within the European Union where possible. Core data (accounts, calls, transcripts) is hosted with an EU-based provider, subject to your account configuration and our subprocessors.

Providers with EU infrastructure used for Apym:

  • Vercel (site and API hosting) — Paris (France) region
  • Resend (transactional email) — Ireland

US-established providers — transfers may occur: Stripe, Retell, and Telnyx are US companies. If you connect optional integrations, Slack and HubSpot (beta) are also US companies. Even when you access the service from the EU, some data (payment, call audio, transcripts, metadata, phone numbers, and — when enabled — call recaps or CRM records) may be processed in the US or elsewhere. Where transfers outside the EU are required, they are governed by Standard Contractual Clauses (SCCs) and supplementary measures where applicable.

  • Stripe — billing, subscription, payment methods
  • Retell — voice AI and call processing — audio, transcripts, call metadata
  • Telnyx — US (+1) and French (+33) phone number provisioning and routing
  • Slack (optional) — call recaps to a channel you choose
  • HubSpot (optional beta, Business) — CRM contacts, notes, and deals after calls

Transactional email is sent via Resend (Ireland). The site and APIs run on Vercel (Paris). Voice calls, phone numbers, and payments involve Stripe, Retell, and Telnyx with the transfers described above. Optional Slack and HubSpot connections involve the additional transfers listed when you enable them.

If you accept analytics cookies, Vercel Analytics and Speed Insights may involve processing by Vercel Inc. (US), including outside the EU depending on configuration.

Contact legal@apym.io for available information on contractual safeguards (including SCCs) within the limits of documents we hold.

11. Subprocessors

We use the following subprocessors, within the scope of their missions:

  • Stripe — payments and subscriptions (section 12); possible US transfers (SCCs)
  • Retell — voice AI, recording, call processing; possible US transfers (SCCs)
  • Slack (optional — when you connect your workspace) — posting call recaps to a channel you choose; US company; OAuth tokens stored per account
  • HubSpot (optional beta — Business plan, when you connect your portal) — creating or updating CRM contacts, notes, and deals after calls; US company; OAuth tokens stored per account
  • Telnyx — US (+1) and French (+33) phone number provisioning and routing; possible US transfers (SCCs)
  • Resend — transactional email from notifications@apym.io (recaps, alerts, support); Ireland (EU)
  • Vercel — application hosting; Paris (France, EU)
  • EU host — primary storage of accounts, calls, and business data

Each subprocessor is contractually bound (data processing agreements and transfer clauses where required). This list may evolve; this policy will be updated accordingly.

12. Stripe and payment data

Stripe acts as an independent payment provider. Apym does not collect or store card numbers on its own servers.

Data sent to or managed by Stripe includes:

  • Stripe customer ID linked to your Apym account
  • Billing email, name, address if entered in the Stripe portal
  • Amounts, subscriptions, invoices, payment status
  • Card data — entered and stored only at Stripe (PCI-DSS certified)

Stripe's privacy policy also applies: stripe.com/privacy.

13. Security

We implement measures appropriate to the risk, including:

  • Encryption in transit (HTTPS/TLS) across the site and API
  • Hashed passwords — never stored in plain text
  • Restricted production access to authorized, authenticated personnel
  • Logical isolation per customer account (row-level security)
  • Admin access monitoring and logging of sensitive operations
  • Hosting in data centers meeting industry standards
  • Imported caller data: per-account access (RLS), HMAC-hashed verification codes, signed and tokenized webhooks, rate limits on lookups
  • Live API lookup: HTTPS-only URLs, SSRF protections, signed outbound requests, timeouts

No measure guarantees absolute security. If a breach is likely to affect your rights, we will notify you as required by GDPR.

14. Your rights

Under GDPR you may access, rectify, erase, restrict, port, or object to processing, and withdraw consent (for consent-based processing, without retroactive effect).

How to exercise rights: email legal@apym.io with your request and a way to verify your identity. We respond within one month (extendable by two months for complex requests, with prior notice).

Complaint: you may lodge a complaint with your supervisory authority (in France: CNIL).

Your callers' customers exercise rights with you as controller; Apym assists within our processor role on request via legal@apym.io.

US residents: we honor applicable state privacy requests (access, deletion, opt-out of sale/sharing where applicable — we do not sell personal data).

15. Account deletion

You can request deletion from Settings → Delete account. Outstanding balances and pending overage must be settled first (see Terms).

Immediate effect: access revoked, voice assistant disabled, Stripe subscription canceled, Google Calendar disconnected.

Data retained (soft delete): only the categories below, for the minimum duration required:

  • Invoices and accounting — 10 years (legal obligation)
  • Evidence of fraud, unpaid invoices, or Terms violations — up to 10 years if required
  • Response to court or authority request — as imposed
  • Email/name history — up to 3 years (section 7), unless cases above apply

Beyond these cases, data is purged or anonymized as soon as possible. Apym does not keep all your personal data for 10 years by default.

16. Security tracker (apym_device_ip) and IP address

An IP address is personal data when it can identify a device or, indirectly, a person. Apym processes it in two distinct ways:

  • Server logs (section 18): source IP recorded on each request for operation and security.
  • Tracker apym_device_ip: httpOnly cookie set on first visit, storing the detected IP to correlate sessions and limit abuse (login attempts, fraud). Not an authentication session cookie.

Purpose: service security, fraud prevention, abuse rate limiting.

Retention: 12 months, renewed while you use the service.

Legal basis: legitimate interests — security (GDPR Art. 6(1)(f)). Considered strictly necessary under cookie rules; deposited without prior consent, separate from analytics or comfort cookies.

17. Callers (your end customers)

Each call handled by Apym includes a greeting informing the caller that the call is recorded and processed by a voice assistant (AI). You remain responsible toward your callers and must ensure this information fits your business context.

Callers do not create an Apym account. Their data is processed for the duration needed for the call, the recap sent to you, and the periods in section 6.

18. Technical logs

Our servers and host record technical logs: timestamp, requested URL, response code, request ID, source IP, user-agent, application errors.

Purposes: service operation, incident diagnosis, security, attack prevention.

Retention: 12 months maximum, unless a longer period is required for an ongoing security investigation or legal obligation.

19. Professional and personal data (B2B customers)

Apym serves businesses (B2B). Data you provide for your company (company name, business phone, service usage) relates to your professional activity.

Your contact email and name may be personal data about you as an individual acting for your company. They are processed for B2B contract management and the commercial relationship.

Billing and accounting concern the Apym ↔ business customer relationship, separate from accounting you maintain for your own customers.

20. Cookies and trackers

On first visit, a banner lets you accept, refuse, or customize non-essential cookies. Your choice is stored in apym_cookie_consent(12 months). Change it anytime via "Manage cookies" in the footer or Settings → Cookies.

Strictly necessary cookies (authentication session, security) are set without prior consent to enable login and protect the service.

Categories

  • Strictly necessary — always active (auth session, apym_device_ip security tracker).
  • Analytics — Vercel Analytics and Speed Insights, only if you accept this category.
  • Comfort — display preference (apym_theme), only if you accept this category.
NamePurposeDurationLegal basis
session authMaintains your logged-in sessionSession or auto-renewalStrictly necessary — contract
apym_device_ipSecurity tracker: stores detected IP on first visit to limit abuse (section 16)12 monthsStrictly necessary — legitimate interest
apym_cookie_consentStores your cookie choices12 monthsConsent
apym_themeLight / dark display preference12 monthsConsent — Comfort category
Vercel AnalyticsAggregated audience measurement. Loaded only after Analytics consent.Variable (per Vercel, up to 24 months)Consent — Analytics
Vercel Speed InsightsPerformance measurement (Core Web Vitals). Loaded only after Analytics consent.Variable (per Vercel)Consent — Analytics
apym_referral_codeStores referral code before signup30 daysLegitimate interest — contract (referral)

Withdraw consent via "Manage cookies" or Settings. You can also delete cookies in your browser; removing the session cookie logs you out. Refusing non-essential cookies does not block the public site (section 5).

21. Changes to this policy

Last revision: June 2026. We may update this policy to reflect service or legal changes. For material changes, we will notify you by email or in-app notice at least 30 days before the effective date when required by law or when the change significantly affects your rights.

The current version is always on this page. In case of conflict, our Terms of Service govern the contractual relationship.

← Back