Privacy Policy

This Privacy Policy (“Policy”) describes how KAPION d.o.o., a company registered in Slovenia under registration number 1683438000, with its registered office at Kocljeva ulica 16, 9000 Murska Sobota, Slovenia, VAT ID SI32880227, operating the RingRealtor brand (“Company,” “we,” “us,” or “our”), collects, uses, stores, shares, and protects your personal information when you visit our website, create an account, subscribe to our service, or otherwise interact with the RingRealtor platform (collectively, the “Service”).

This Policy applies to all users of the Service, including website visitors, account holders, and authorized users within a subscriber’s organization. It covers data collected through our website, web application, APIs, and all related services.

For business customers (“Customers”) who use RingRealtor to process personal data of their callers and contacts, we act as a data processor on your behalf. Our processing of such data is governed by our Terms of Service and any applicable Data Processing Agreement, not solely by this Privacy Policy. Callers and contacts whose data is processed through the Service on behalf of a Customer should direct any privacy inquiries to that Customer.

The following terms have specific meanings throughout this Policy:

• Personal Data means any information relating to an identified or identifiable natural person, including name, email address, phone number, IP address, device identifiers, and usage data.
• Customer Data means all data, content, call recordings, transcriptions, contact lists, and other materials that a Customer uploads to, creates within, or transmits through the Service.
• Usage Data means data generated automatically by your interaction with the Service, including feature usage patterns, call volumes, performance metrics, session duration, and system logs.
• Controller means the entity that determines the purposes and means of processing Personal Data. We are the controller for data we collect about our website visitors, account holders, and for our own business purposes.
• Processor means the entity that processes Personal Data on behalf of a controller. We act as a processor when handling Customer Data on behalf of our business customers.

We collect personal information through three methods: data you provide directly, data collected automatically, and data from third-party sources.

Data you provide directly:

• Account information: name, email address, phone number, business name, and password when you register for an account
• Billing information: payment method details, billing address, and transaction history, processed through our third-party payment processor
• AI Agent configuration: business details, property information, scheduling preferences, and greeting scripts you provide to configure the AI Agent
• Support communications: information you provide when contacting our support team, including email correspondence and any attachments

Data collected automatically:

• Usage data: features used, actions taken within the dashboard, session duration, and interaction patterns
• Technical data: IP address, browser type and version, operating system, device type, screen resolution, and timezone
• Call data: call recordings, transcriptions, call duration, timestamps, caller phone numbers, and AI-generated summaries processed on behalf of our Customers
• Log data: server logs, error reports, and performance metrics

Data from third-party sources:

• Authentication providers: if you sign in through a third-party service, we receive your name, email address, and profile information as authorized by that provider
• Payment processor: transaction confirmations, payment status, and limited billing details from our payment processing partner

We process your personal information for the following specific purposes:

• Providing the Service: operating the AI Agent, processing and transcribing calls, generating analytics, and delivering core platform functionality
• Account management: creating and maintaining your account, authenticating your identity, and managing your subscription
• Billing and payments: processing subscription fees, usage-based charges, issuing invoices, and managing payment methods
• Customer support: responding to your inquiries, troubleshooting issues, and providing technical assistance
• Service improvement: analyzing usage patterns and performance data to improve functionality, fix bugs, and develop new features
• Communications: sending transactional emails (account confirmations, billing receipts, service notifications) and, with your consent, marketing communications about product updates and promotions
• Security and fraud prevention: monitoring for unauthorized access, detecting abuse, and protecting the integrity of the Service
• Legal compliance: fulfilling tax obligations, responding to lawful requests from authorities, and enforcing our Terms of Service

We do not use your Customer Data to train artificial intelligence or machine learning models. The AI Agent is powered by third-party AI technology, and your call data is processed solely for the purpose of delivering the Service to you.

Under the General Data Protection Regulation (GDPR) and Slovenian data protection law, we process your Personal Data based on the following legal grounds:

• Performance of a contract (Article 6(1)(b)): processing necessary to provide the Service, manage your account, process payments, and deliver customer support
• Consent (Article 6(1)(a)): marketing communications, optional analytics cookies, and newsletters. You may withdraw consent at any time without affecting the lawfulness of processing performed prior to withdrawal.
• Legitimate interests (Article 6(1)(f)): security monitoring, fraud prevention, product analytics for service improvement, and ensuring network and information security. We have conducted balancing tests to ensure these interests do not override your fundamental rights and freedoms.
• Legal obligation (Article 6(1)(c)): retaining billing and transaction records for tax and accounting purposes, and responding to lawful requests from authorities

We share your personal information only in the following circumstances and with the following categories of recipients:

• Cloud infrastructure providers: we use third-party hosting and cloud services to store and process data. These providers act as sub-processors and are contractually bound to protect your data.
• AI and voice processing providers: call audio is processed by our third-party AI and voice synthesis provider solely to deliver the AI Agent functionality. This data is processed under our instructions and subject to contractual data protection obligations.
• Payment processors: billing and payment information is shared with our payment processing partner to process transactions. The payment processor may act as an independent controller for its own fraud prevention purposes.
• Authentication providers: if you use third-party sign-in, limited data is exchanged with the authentication provider to verify your identity.
• Legal requirements: we may disclose your information when required by law, regulation, legal process, or enforceable governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
• Business transfers:in the event of a merger, acquisition, or sale of all or a portion of our assets, your personal information may be transferred to the acquiring entity. The acquiring entity’s use of your personal information will be subject to their privacy policy, which may differ from this one.

We do not sell your personal information to third parties. We do not share your personal information with advertising networks or data brokers.

We use cookies and similar technologies to operate the Service, remember your preferences, and understand how you interact with our platform.

• Strictly necessary cookies: required for the Service to function, including authentication session cookies and security tokens. These cannot be disabled.
• Functional cookies: remember your preferences such as language settings and dashboard layout. These enhance your experience but are not essential for the Service to operate.
• Analytics cookies: help us understand how visitors interact with our website and Service, including pages visited, session duration, and feature usage. These are only placed with your consent.

We do not use advertising or third-party tracking cookies. We do not engage in cross-site behavioral advertising.

You can manage your cookie preferences through your browser settings. Most browsers allow you to block or delete cookies. Please note that disabling strictly necessary cookies may prevent you from using certain features of the Service.

We honor Global Privacy Control (GPC) signals as a valid opt-out of the sale or sharing of personal information, where applicable under state law.

We retain your personal information only for as long as necessary to fulfill the purposes described in this Policy, comply with legal obligations, and resolve disputes. Specific retention periods are as follows:

• Account and profile data: retained for the duration of your account plus thirty (30) days after account closure for administrative purposes
• Billing and transaction records: retained for seven (7) years after the transaction date to comply with tax and financial reporting obligations under Slovenian and EU law
• Call recordings and transcriptions:retained for the duration of the Customer’s subscription plus thirty (30) days. Customers may request earlier deletion.
• Usage and analytics data: retained in identifiable form for up to twenty-four (24) months; aggregated and anonymized data may be retained indefinitely
• Support communications: retained for two (2) years after resolution
• Server and security logs: retained for twelve (12) months
• Marketing consent records: retained until consent is withdrawn, plus a reasonable period to process the withdrawal

After the applicable retention period expires, we delete your personal data from our active systems. Residual copies may persist in encrypted backups for a limited period in accordance with our standard backup retention practices (up to ninety days), after which they are purged. Anonymized data that cannot be used to identify you falls outside the scope of data protection law and may be retained indefinitely.

Depending on your location, you have the following rights regarding your personal information:

• Right of access: request a copy of the personal data we hold about you
• Right to rectification: request correction of inaccurate or incomplete personal data
• Right to erasure: request deletion of your personal data, subject to legal retention obligations
• Right to restrict processing: request that we limit the processing of your personal data in certain circumstances
• Right to data portability: receive your personal data in a structured, commonly used, machine-readable format
• Right to object: object to processing based on legitimate interests, including profiling
• Right to withdraw consent: withdraw consent for any processing based on consent at any time, without affecting the lawfulness of processing before withdrawal

To exercise any of these rights, contact us at rok@kapion.eu. We will respond to your request within one (1) month. If your request is complex or we receive a high volume of requests, we may extend this period by up to two (2) additional months, in which case we will inform you of the extension and the reasons for the delay.

We may request verification of your identity before processing your request to protect against unauthorized access to your personal data. If we deny your request, we will explain the reasons and inform you of your right to lodge a complaint with a supervisory authority.

If you believe that our processing of your personal data infringes data protection law, you have the right to lodge a complaint with the Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec) at www.ip-rs.si or with the supervisory authority in your country of residence.

Your personal data is primarily stored and processed within the European Economic Area (EEA). However, some of our third-party service providers may process data in countries outside the EEA, including the United States.

When we transfer personal data outside the EEA, we ensure that appropriate safeguards are in place in accordance with GDPR Chapter V, including:

• Adequacy decisions: transfers to countries that the European Commission has determined provide an adequate level of data protection
• Standard Contractual Clauses (SCCs): EU-approved contractual terms that bind the data recipient to protect your data to EEA standards
• EU-US Data Privacy Framework: for transfers to certified US organizations participating in the framework

You may request a copy of the specific safeguards applied to your data transfers by contacting us at rok@kapion.eu.

We implement technical and organizational measures designed to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit using TLS 1.2 or higher
• Encryption of data at rest using AES-256
• Role-based access controls limiting data access to authorized personnel
• Multi-factor authentication for administrative access
• Regular security assessments and monitoring
• Employee confidentiality agreements and security training
• Incident response procedures for prompt detection and remediation of breaches

While we use commercially reasonable measures to protect your data, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within seventy-two (72) hours of becoming aware of the breach, in accordance with GDPR Article 33. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, unless the affected data was protected by encryption or other measures rendering it unintelligible to unauthorized parties, we have taken subsequent measures ensuring the high risk is no longer likely to materialize, or individual notification would involve disproportionate effort, in which case we will issue a public communication instead.

The Service is designed for use by real estate professionals and is not directed at children. We do not knowingly collect personal information from children under the age of sixteen (16). If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at rok@kapion.eu, and we will take steps to delete such information from our systems promptly.

The Service may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to any third-party services. We are not responsible for the privacy practices or content of third-party websites or services.

When you use a third-party integration in connection with the Service, the data you share with that third party is governed by their own privacy policy and terms. We encourage you to review the privacy policies of any third-party service before providing your personal information.

KAPION d.o.o. acts in two distinct capacities depending on the type of data being processed:

• As a data controller: for personal data of website visitors, account holders, and subscribers that we collect and process for our own business purposes (account management, billing, marketing, analytics, and security). This Privacy Policy governs our controller activities.
• As a data processor: for Customer Data, including call recordings, transcriptions, and caller information processed on behalf of our business customers. Our processing of this data is governed by our Terms of Service and any applicable Data Processing Agreement with the Customer.

If you are a caller or contact whose information has been processed through the Service on behalf of a RingRealtor customer, please direct any privacy inquiries or rights requests to the relevant customer (the data controller). We will assist our customers in responding to such requests in accordance with our contractual obligations.

The Service uses artificial intelligence and machine learning technologies to power the AI Agent’s voice interactions, lead qualification, appointment scheduling, and call transcription. The following disclosures apply:

• AI training: we do not use Customer Data (including call recordings, transcriptions, or caller information) to train AI or machine learning models. Call data is processed solely for the purpose of delivering the Service.
• Automated decision-making:the AI Agent makes automated decisions during calls, such as qualifying leads and scheduling appointments, based on the Customer’s configuration and the context of the conversation. These automated interactions do not produce legal or similarly significant effects on callers.
• Third-party AI providers: the AI Agent is powered by third-party artificial intelligence and voice synthesis technology. Call audio is transmitted to our AI provider for real-time processing and is not retained by the AI provider beyond the duration necessary to process each request.
• Aggregated analytics: we may use anonymized, aggregated Usage Data (never Customer Data) for service improvement purposes, including analyzing overall platform performance and usage trends.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. For material changes, we will provide at least thirty (30) days’ prior notice via email to the address associated with your account or through a prominent notice on the Service.

The “Effective” date at the top of this Policy indicates when the most recent revisions took effect. We encourage you to review this Policy periodically. Your continued use of the Service after the effective date of any changes constitutes your acknowledgment of the updated Policy.

We maintain archived versions of previous policies for our internal records.

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with additional rights regarding your personal information.

• Categories of personal information collected: identifiers (name, email, phone number, IP address); commercial information (subscription and transaction history); internet or electronic network activity (usage data, browser type, device information); and professional or employment-related information (business name, role)
• Sale and sharing: we do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
• Your rights: you have the right to know what personal information we collect and how it is used, to request deletion, to request correction, to opt-out of sale or sharing (not applicable as we do not sell or share), and to not be discriminated against for exercising your rights

To exercise your rights, contact us at rok@kapion.eu. We will respond within forty-five (45) days of receiving your verifiable request.

If you have any questions about this Privacy Policy, please contact us at:

KAPION d.o.o.
Kocljeva ulica 16, 9000 Murska Sobota, Slovenia
Registration number: 1683438000
VAT ID: SI32880227
Email: rok@kapion.eu

You may also lodge a complaint with the Information Commissioner of the Republic of Slovenia (Informacijski pooblaščenec) at www.ip-rs.si.