Data Processing Agreement

Last updated: May 8, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between GreetEvo Inc. ("Processor") and the business customer ("Controller"). It sets out the terms governing the processing of personal data under Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and equivalent provisions of the UK GDPR and other applicable data protection laws. By accepting the Terms of Service, the Controller expressly agrees to the terms of this DPA. For EEA-based Controllers who require separate, identifiable DPA acceptance, a standalone acceptance mechanism is available during account onboarding, and a downloadable signed copy may be requested at privacy@greetevo.com.

1. Definitions and Interpretation

"Applicable Data Protection Law" means the GDPR, the UK GDPR, the Data Protection Act 2018 (UK), PIPEDA (Canada), Loi modernisant des dispositions législatives en matière de protection des renseignements personnels (Québec Law 25), and any other data protection or privacy legislation applicable to the processing of Personal Data under this DPA.

"Controller" means the business customer who determines the purposes and means of the processing of Caller Personal Data.

"Processor" means GreetEvo Inc., a Canadian corporation headquartered in Toronto, Ontario, Canada, which processes Caller Personal Data on behalf of the Controller.

"Caller Personal Data" means any personal data relating to callers, leads, or other individuals whose data is processed through the Service, including but not limited to phone numbers, names, voice recordings, call transcripts, appointment details, and email addresses.

"Sub-processor" means any third-party processor engaged by GreetEvo to process Caller Personal Data on behalf of the Controller.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission under Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

2. Details of Processing

The processing of Caller Personal Data under this DPA is subject to the following details:

Subject Matter

The processing of Caller Personal Data in connection with the provision of GreetEvo's AI-powered phone receptionist, video meeting, appointment booking, and related services.

Duration

For the duration of the Controller's subscription to the Service, plus any period required under Applicable Data Protection Law for the return or deletion of data.

Nature and Purpose

To automate call answering, transcribe and analyze calls, capture leads, book appointments, send SMS and email notifications, host video meetings, and provide analytics to the Controller.

Categories of Data

Phone numbers; caller names; voice recordings; call transcripts; appointment dates and times; email addresses; business names; call metadata (duration, timestamp, IP address if applicable); and any other information callers voluntarily provide during interactions.

Data Subjects

Callers to the Controller's business; individuals who submit information via public forms or portals; meeting participants; and other individuals whose data is processed through the Service at the Controller's direction.

3. Processor Obligations

GreetEvo agrees to comply with the following obligations under Article 28 of the GDPR and equivalent provisions of Applicable Data Protection Law:

  1. Process Caller Personal Data only on documented instructions from the Controller, including with regard to transfers of personal data to third countries or international organizations, unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
  2. Ensure that persons authorised to process the Caller Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  3. Take all measures required pursuant to Article 32 of the GDPR, including implementing appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
  4. Not engage another processor (Sub-processor) without prior specific or general written authorisation of the Controller. In the case of general written authorisation, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Controller the opportunity to object to such changes in accordance with Section 7 of this DPA.
  5. Assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III of the GDPR.
  6. Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor.
  7. At the choice of the Controller, delete or return all Caller Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the personal data.
  8. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

Prohibited Use: GreetEvo shall not use Caller Personal Data for its own advertising, marketing, AI model training, product development, or any other commercial purpose not expressly authorised by the Controller in writing. GreetEvo shall process Caller Personal Data solely for the purpose of delivering the Service to the Controller in accordance with this DPA and the Controller's documented instructions.

Data Protection Impact Assessment Assistance: Taking into account the nature of the processing and the information available to GreetEvo, GreetEvo shall assist the Controller in conducting any Data Protection Impact Assessment (DPIA) required under Article 35 of the GDPR. This assistance includes providing a standard information questionnaire covering the processing activities, data flows, security measures, and sub-processor arrangements upon written request.

DPIA Trigger Guidance: GreetEvo considers the processing activities described herein — including the systematic recording, transcription, and AI-driven analysis of voice communications, and the processing of call metadata for behavioural analytics — likely to require a DPIA under Article 35(1) of the GDPR and the relevant supervisory authority's published list of processing operations requiring a DPIA. Controllers are encouraged to conduct a DPIA prior to processing and may request GreetEvo's standard DPIA information package at privacy@greetevo.com.

3.1 Records of Processing and PIPEDA Compliance

GreetEvo maintains a Record of Processing Activities (RoPA) in accordance with Article 30(2) of the GDPR, documenting the categories of processing carried out on behalf of Controllers, the categories of personal data processed, and the security measures implemented. A summary of the relevant RoPA entries is available to Controllers upon written request.

For Canadian Controllers subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), GreetEvo's processing obligations under this DPA are consistent with PIPEDA Schedule 1, Principle 7 (safeguards). GreetEvo shall not transfer Caller Personal Data outside Canada without ensuring that the recipient is subject to comparable safeguards, whether through contractual provisions, the EU SCCs referenced in Section 9, or other legally recognised transfer mechanisms.

3.2 Québec Law 25 — Cross-Border Transfers

For Québec-based Controllers and where the processing concerns personal information of Québec residents, GreetEvo complies with Loi 25, including Article 17 (transfers outside Québec). GreetEvo's cross-border transfer obligations under Québec Law 25 are addressed through the Privacy Impact Assessment (PIA) programme referenced in Section 9 of this DPA, the EU SCCs (where applicable), and the technical and organisational measures described in Section 4. Where required, a summary of the PIA covering cross-border transfers to Sub-processors is available to Québec Controllers upon written request.

Law 25 Breach Notification: In the event of a confidentiality incident affecting personal information of Québec residents, GreetEvo shall notify the Commission d'accès à l'information (CAI) within 72 hours of becoming aware of the incident where required by Article 64 of Law 25, and shall notify the affected Controller without undue delay.

4. Security Measures

GreetEvo implements the following technical and organisational security measures to protect Caller Personal Data:

  • Encryption of data in transit using TLS 1.3 (with TLS 1.2 fallback where necessary) and at rest using AES-256.
  • Role-based access controls (RBAC) limiting access to authorised personnel only.
  • Multi-factor authentication (MFA) enforced for all administrative access.
  • Regular security audits, vulnerability assessments, and penetration testing.
  • Network segmentation and firewall protection for production environments.
  • Automated backup and disaster recovery procedures with geographically separated storage.
  • Employee confidentiality agreements and annual data protection training.
  • Logging and monitoring of access to Caller Personal Data for security analysis.

GreetEvo maintains security controls aligned with SOC 2 Type II criteria and regularly reviews its security posture. A copy of our latest security documentation is available upon written request.

5. Sub-processors

The Controller grants general authorisation for GreetEvo to engage the Sub-processors listed at greetevo.com/sub-processors. GreetEvo maintains an up-to-date list of Sub-processors and their processing locations.

GreetEvo will inform the Controller of any intended addition or replacement of Sub-processors at least 30 days before the new Sub-processor begins processing Caller Personal Data. The Controller may object to a new Sub-processor on reasonable data protection grounds by emailing privacy@greetevo.com within the 30-day objection window.

If the Controller objects to a new Sub-processor and the parties cannot agree on a commercially reasonable alternative within 15 days of the objection, the Controller may terminate the affected portion of the Service without penalty. Termination under this Section does not relieve the Controller of any fees accrued prior to termination.

Where a Sub-processor is located outside the EEA, UK, or Canada, GreetEvo ensures that appropriate safeguards are in place for the transfer of Caller Personal Data, including the use of the Standard Contractual Clauses referenced in Section 9 of this DPA.

Sub-processor Data Retention: GreetEvo shall contractually require each Sub-processor to delete Caller Personal Data within 30 days of processing completion, or sooner where the Sub-processor's own terms permit. For AI inference sub-processors (Groq, OpenAI), processed data is retained only for the duration of the API request and is not used to train the sub-processor's own models. GreetEvo shall document the retention periods of each Sub-processor and make this documentation available to the Controller upon request.

6. Confidentiality of Processing Personnel

GreetEvo ensures that any natural person acting under its authority who has access to Caller Personal Data is subject to a duty of confidentiality, whether through contractual obligation or statutory obligation. This obligation survives the termination of the person's engagement with GreetEvo.

7. Data Subject Rights Assistance

GreetEvo shall promptly notify the Controller upon receiving any request, complaint, or inquiry from a data subject or supervisory authority relating to the processing of Caller Personal Data. GreetEvo shall not respond directly to the data subject or supervisory authority unless expressly authorised in writing by the Controller.

Taking into account the nature of the processing, GreetEvo shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights under Chapter III of the GDPR (including rights of access, rectification, erasure, restriction, data portability, and objection).

8. Personal Data Breach Notification

In the event of a personal data breach affecting Caller Personal Data, GreetEvo shall notify the Controller without undue delay and in any case within 24 hours of becoming aware of the breach. The notification shall include, where possible:

  • The nature of the breach, including the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned.
  • The likely consequences of the breach.
  • The measures taken or proposed to be taken by GreetEvo to address the breach, including measures to mitigate its possible adverse effects.
  • The contact details of the GreetEvo data protection contact for further information.

GreetEvo shall document all personal data breaches, comprising the facts relating to the breach, its effects, and the remedial action taken. Such documentation shall be made available to the Controller upon request.

9. Data Transfers and Standard Contractual Clauses

Where the transfer of Caller Personal Data to a third country is required for the provision of the Service, such transfers shall be governed by the EU Standard Contractual Clauses approved by the European Commission under Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as follows:

Module Two (Controller to Processor)

Applies where the Controller (Tenant) is the data controller for caller data and GreetEvo processes that data on the Controller's behalf. Clause 7 (Docking Clause) is included. Optional clauses are included as specified in Annex I.

Module Three (Processor to Processor)

Applies where GreetEvo engages Sub-processors to process caller data on our behalf. Clause 7 (Docking Clause) is included. Optional clauses are included as specified in Annex I.

For transfers from the United Kingdom: GreetEvo uses the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, issued by the UK Information Commissioner's Office and effective 21 March 2022, as amended from time to time ("UK Addendum"). The UK Addendum is incorporated by reference into this DPA.

GreetEvo carries out transfer impact assessments (TIAs) in accordance with the recommendations of the European Data Protection Board (EDPB) and the judgment of the Court of Justice of the European Union in Case C-311/18 (Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems, "Schrems II"). A summary of our TIA is available upon request.

SCC Annex I — Description of Transfers: The following constitutes Annex I to the EU SCCs incorporated by reference into this DPA:

Data Exporter: The Controller (business customer), who determines the purposes and means of processing of Caller Personal Data. Contact: the Controller's registered business address and the email address associated with the GreetEvo account.
Data Importer: GreetEvo Inc., a Canadian corporation headquartered in Toronto, Ontario, Canada. Contact: privacy@greetevo.com.
Categories of Data: Phone numbers; caller names; voice recordings; call transcripts; appointment dates and times; email addresses; business names; call metadata (duration, timestamp, IP address if applicable); and any other information callers voluntarily provide during interactions.
Sensitive Data: Voice recordings and call audio may constitute biometric data within the meaning of Article 9(1) of the GDPR, as they permit the unique identification of natural persons. Transcripts derived from voice recordings may also reveal special categories of personal data depending on the content of the conversation. Processing is necessary for the provision of the AI receptionist Service and is subject to the Controller's lawful basis under Article 9(2) GDPR.
Processing Operations: Automated call answering, transcription, AI-driven analysis, lead capture, appointment booking, SMS and email notifications, video meetings, and analytics.
Purpose: To provide the AI-powered phone receptionist and related services to the Controller's business.
Duration: For the duration of the Controller's subscription, plus any period required by Applicable Data Protection Law for return or deletion.
Frequency: Continuous, real-time processing during active calls and scheduled batch processing for analytics and reporting.
Data Subjects: Callers to the Controller's business; individuals who submit information via public forms or portals; meeting participants; and other individuals whose data is processed through the Service at the Controller's direction.

SCC Annex II — Technical and Organisational Measures: The security measures described in Section 4 of this DPA constitute Annex II to the EU SCCs.

SCC Annex III — List of Authorised Sub-processors: The current list of authorised sub-processors is maintained at greetevo.com/sub-processors and constitutes Annex III to the EU SCCs. GreetEvo will inform the Controller of any changes to Annex III in accordance with the 30-day objection process described in Section 5.

Fallback for Unavailable Transfer Mechanisms: If the EU Standard Contractual Clauses, the UK Addendum, or an applicable adequacy decision becomes invalid, suspended, or otherwise unavailable for a specific destination country, the parties shall cooperate in good faith to implement an alternative lawful transfer mechanism under Article 49 of the GDPR or equivalent provisions. If no alternative mechanism can be implemented within 15 days, GreetEvo shall suspend the transfer of Caller Personal Data to the affected destination until a lawful mechanism is in place, unless suspension would violate applicable law.

10. Audit Rights

The Controller has the right to audit GreetEvo's compliance with this DPA and Article 28 of the GDPR. Audits may be conducted by the Controller or an independent auditor mandated by the Controller, subject to the following conditions:

  • The Controller shall provide at least 30 days' prior written notice of its intention to conduct a routine audit, except where required by supervisory authority order.
  • The audit shall be conducted during GreetEvo's normal business hours and in a manner that minimises disruption to GreetEvo's operations.
  • The Controller shall ensure that any auditor signs a confidentiality agreement in form acceptable to GreetEvo before commencing the audit.
  • The Controller may conduct one audit per 12-month period at no charge. Additional audits within the same 12-month period may be subject to GreetEvo's reasonable fees.
  • As an alternative to a physical audit, GreetEvo may provide the Controller with a copy of its most recent SOC 2 Type II report or equivalent third-party security certification.

Expedited Audit: Notwithstanding the 30-day notice requirement above, where there is a reasonable suspicion of a personal data breach, a security incident affecting Caller Personal Data, or a regulatory investigation or supervisory authority order, the Controller may conduct an expedited audit by providing 5 business days' prior written notice (or shorter notice if required by the supervisory authority). GreetEvo shall cooperate fully with any such expedited audit and shall not unreasonably withhold access to relevant systems, documentation, or personnel.

Audit reports generated by the Controller or its auditor shall remain the confidential property of the Controller and shall not be disclosed to third parties without GreetEvo's prior written consent, except as required by law or to a supervisory authority.

11. Data Return and Deletion

Upon termination or expiry of the Controller's subscription, or upon the Controller's written request, GreetEvo shall, at the Controller's choice, return or delete all Caller Personal Data and copies thereof.

Data deletion shall be carried out using secure methods that render the data irretrievable. Where deletion is not possible due to technical constraints, GreetEvo shall pseudonymise or anonymise the data to the extent practicable.

Notwithstanding the above, GreetEvo may retain Caller Personal Data to the extent required by Applicable Data Protection Law or for the establishment, exercise, or defence of legal claims. Any such retained data shall be subject to the confidentiality and security obligations of this DPA for so long as it is retained.

12. Liability

Where GreetEvo engages a Sub-processor for carrying out specific processing activities on behalf of the Controller, GreetEvo shall remain fully liable to the Controller for the performance of that Sub-processor's obligations.

Nothing in this DPA limits GreetEvo's liability to data subjects for compensation claims under Article 82 of the GDPR or equivalent statutory rights arising directly under Applicable Data Protection Law.

13. Term, Termination, and Acceptance

This DPA enters into force on the date the Controller accepts the Terms of Service or otherwise begins using the Service, whichever is earlier, and continues for the duration of the Controller's use of the Service.

DPA Acceptance: Acceptance of the Terms of Service constitutes acceptance of this DPA. For EEA-based Controllers, a separate DPA acceptance checkbox is presented during account onboarding, and Controllers may also request a countersigned copy of this DPA by emailing privacy@greetevo.com. GreetEvo shall return a countersigned copy within 10 business days of such a request.

Termination of the Terms of Service shall automatically terminate this DPA, subject to the survival of Sections 6 (Confidentiality), 8 (Breach Notification), 11 (Data Return and Deletion), and 14 (Governing Law and Dispute Resolution).

14. Governing Law and Dispute Resolution

This DPA shall be governed by and construed in accordance with the laws of the Province of Ontario, Canada, without regard to its conflict of laws principles.

Any dispute arising out of or in connection with this DPA, including any question regarding its existence, validity, or termination, shall first be attempted to be resolved through good-faith negotiations between the parties. If the dispute cannot be resolved through negotiation within 60 days, either party may refer the dispute to mediation administered by the ADR Institute of Ontario. If mediation is unsuccessful, the dispute shall be finally resolved by arbitration under the Arbitration Act, 1991 (Ontario), by a single arbitrator appointed in accordance with those rules. The seat of arbitration shall be Toronto, Ontario. The language of arbitration shall be English.

EU SCC Governing Law: Notwithstanding the above, disputes arising under the EU Standard Contractual Clauses shall be governed by the laws of Ireland, in accordance with Clause 17 of the SCCs, for the purpose of ensuring the enforceability of the SCCs before the courts of an EU Member State as required by Commission Implementing Decision (EU) 2021/914.

Nothing in this Section prevents either party from seeking urgent interim or injunctive relief from a court of competent jurisdiction, or from lodging a complaint with a supervisory authority under Applicable Data Protection Law.

15. CPRA and US State Privacy Law

15.1 Service Provider Status

For California-based business customers, GreetEvo acts as a Service Provider under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). GreetEvo processes Caller Personal Data solely on behalf of the Controller and does not "sell" or "share" Caller Personal Data within the meaning of the CPRA. GreetEvo shall not retain, use, or disclose Caller Personal Data for any purpose other than the specific purpose of performing the services specified in this DPA, including retaining, using, or disclosing Caller Personal Data for a commercial purpose other than providing the services.

15.2 Sensitive Personal Information

Call recordings and voice data may constitute Sensitive Personal Information under CPRA Section 1798.140(ae). GreetEvo processes such information solely for the purpose of providing the AI receptionist Service and shall not use it for inferring characteristics about consumers. The Controller is responsible for providing required notices and obtaining any necessary consents or opt-ins for the processing of Sensitive Personal Information under CPRA.

15.3 Controller Obligations

Controller Representation and Warranty: The Controller represents and warrants that it has provided all required notices and obtained all necessary consents for the processing of Sensitive Personal Information under CPRA prior to transmitting such data to GreetEvo.

15.4 Multi-State Compliance

Multi-State Privacy Law Compliance: To the extent GreetEvo processes personal data of residents of other US states with operative privacy legislation, GreetEvo shall comply with applicable processor or service provider obligations under such laws, including but not limited to the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Texas Data Privacy and Security Act (TDPSA), and the Connecticut Data Privacy Act (CTDPA).

GreetEvo certifies that it understands the restrictions of CPRA Section 1798.140(v) and shall comply with them. Where GreetEvo engages Sub-processors, it shall ensure they also comply with CPRA Service Provider requirements.

16. Data Protection Contact

For questions about this DPA, to request a signed copy, or to report a data protection concern, contact the GreetEvo data protection contact at privacy@greetevo.com or through the Contact page.

© 2026 GreetEvo. All rights reserved.