Privacy Policy

Last updated: April 28, 2026

1. Who we are

Burki (“we”, “us”) operates the voice AI platform at burki.dev. Contact: [email protected]. For data subject requests under GDPR or CCPA, use the same address.

2. What we collect

  • Account data: name, email, organization, hashed password, OAuth identifiers.
  • Billing data: handled by Stripe. We never see your full card number.
  • Voice + telephony data: call audio, transcripts, recordings, phone numbers, call metadata. Retention is configurable per organization.
  • Usage telemetry: aggregated, mostly anonymized analytics about which features are used (PostHog, Microsoft Clarity).
  • Provider keys: if you opt into BYO mode we store your API keys encrypted at rest.

3. How we use it

To run the service: route calls, generate transcripts, bill accurately, and surface analytics in your dashboard. We do not sell your data. We do not use your voice or transcript data to train any models — yours, ours, or third party — without explicit, organization-level opt-in.

4. Subprocessors

We rely on third-party providers to operate the service. Each receives only the minimum data needed for its function:

  • Hosting + database: AWS, PostgreSQL with pgvector.
  • Telephony: Twilio, Telnyx, Vonage (whichever you select).
  • STT/TTS/LLM: provider you select per assistant (Deepgram, OpenAI, Anthropic, ElevenLabs, etc.).
  • Payments: Stripe.
  • Email: Resend / Postmark.
  • Analytics: PostHog, Microsoft Clarity.

A current subprocessor list is available on request for customers under a DPA.

5. Retention and deletion

Default retention for call recordings and transcripts is 30 days. Organizations can shorten or extend (subject to plan limits) and can purge data on demand. Account-level deletion purges all associated data within 30 days, except where retention is required by law (e.g., billing records).

6. Compliance posture

  • HIPAA: BAA available for healthcare customers on appropriate plans.
  • GDPR / UK GDPR / CCPA: data subject access, rectification, erasure, and portability requests honored within 30 days.
  • SOC 2: in progress.
  • Encryption at rest (AES-256) and in transit (TLS 1.2+).

7. International transfers

Data is processed in US AWS regions by default. EU/UK customers can request EU-region processing via a DPA. Cross-border transfers rely on Standard Contractual Clauses where applicable.

8. Cookies

We use first-party cookies for session, authentication, and analytics. We do not use cross-site advertising trackers. You can disable analytics in your browser without losing functionality.

9. Changes to this policy

We'll update this page when material changes happen and notify active customers by email. The current version is always accessible at this URL.

10. Contact

Privacy questions, data requests, or DPO contact: [email protected].

This page is not legal advice. For binding terms, see your DPA and signed agreements.