How Rhanta handles your call data
Rhanta is an AI receptionist built in Canada and live for small businesses across Canada, the United States, the United Kingdom, and South Africa. This page explains how calls, recordings, and transcripts are handled under PIPEDA, Quebec Law 25, and the equivalent privacy frameworks in each market we serve, and how any caller can request access to or deletion of their data.
Last updated: May 20, 2026.
1 · Who is the data controller?
The business that subscribes to Rhanta is the data controller for the calls it receives. REWORK Digital Inc., operator of Rhanta, is the data processor that stores and transmits those calls on the business’s behalf.
If you’re a caller who wants to exercise your rights (“what do you have about me?” or “please delete it”), contact the business you called. The business can action your request via the Rhanta dashboard in real time. If you can’t reach the business, write to info@rhanta.com.
2 · What Rhanta collects
From callers (people who phone a Rhanta-powered number):
- Your phone number (from caller-ID).
- An audio recording of the call — only if you consent. If the business uses explicit consent mode, Rhanta plays a disclosure and asks you to say “yes” before any recording starts.
- A transcript of what was said, in the language detected.
- Details you volunteer: name, email, the reason for calling, and the appointment you book.
- Coarse location from the caller-ID (city, region) — never GPS.
From subscribed businesses (Rhanta users who connect Google Calendar):
- OAuth tokens (refresh + access) issued by Google, stored encrypted.
- Calendar IDs and free/busy time blocks — read on demand to check availability before offering an appointment slot. We do not read event titles, attendee lists, or descriptions.
- Event metadata for appointments Rhanta itself created (start time, end time, our generated title and notes) — so the business can see them in the dashboard alongside Google Calendar.
Rhanta never sells your data, never shares it for advertising, and never trains AI models on it.
3 · Consent
Businesses can configure one of three consent postures on a Rhanta-powered number:
- Implied: the call starts with a recording disclosure; continuing the call is consent.
- Explicit: Rhanta asks you to say “yes” before any recording begins. Say “no” and the call continues without a recording.
- No recording: Rhanta never records, and no transcript is stored beyond the call.
When Quebec Law 25 mode is enabled, implied consent is automatically escalated to explicit, and a French-first legal addendum is played before the yes/no question.
4 · Where your data is stored
All recordings, transcripts, and personal data are stored in Canada — specifically, Google Cloud’s northamerica-northeast1 region in Montréal. Recordings sit in a private, CMEK-encrypted bucket accessible only via signed URLs.
5 · Data security & how we protect your data
We treat every piece of personal information Rhanta processes — call recordings, transcripts, lead records, OAuth tokens, and the Google user data we hold on the business owner’s behalf — as confidential. Security procedures, encryption, and access controls are in place to keep that data confidential, and apply equally to Google user data and all other sensitive information.
Encryption in transit:
- Every connection between callers, the business owner’s browser, Rhanta’s APIs, Google’s OAuth and Calendar endpoints, and our subprocessors uses TLS 1.2 or higher with strong cipher suites.
- HTTP Strict Transport Security (HSTS) is enforced on all Rhanta domains, so browsers refuse downgrade attempts.
- OAuth handshakes with Google use Google’s official OAuth 2.0 endpoints with PKCE-style signed state, redirect-URI allow-listing, and short-lived authorization codes.
Encryption at rest:
- All databases and storage buckets in Google Cloud are encrypted at rest with AES-256 by default.
- Call recordings live in a private, customer-managed-encryption-key (CMEK) Google Cloud Storage bucket. The bucket is not publicly listable; playback is served only through short-lived, signed URLs that expire within minutes.
- Google OAuth refresh and access tokens are encrypted at the application layer using authenticated symmetric encryption (Fernet / AES-128-CBC + HMAC-SHA256) before being written to the database. The encryption key is held in Google Secret Manager — never in source code, never on disk, never in logs — so the raw token cannot be read directly from a database dump.
- Backups inherit the same encryption-at-rest guarantees and are stored in the same Canadian region as the live data.
Access controls and confidentiality:
- Role-based access control (RBAC) on every production system. Each Rhanta tenant’s data is isolated; application-layer authorization checks run on every read and write.
- Engineering and support staff sign in through Google Workspace SSO with mandatory two-factor authentication. There are no shared accounts.
- Production database and bucket credentials are short-lived tokens issued through Google Cloud’s Workload Identity. Break-glass human access requires an audit ticket and is logged.
- Google user data — including OAuth tokens, calendar IDs, and the events Rhanta created — is reachable only by the Rhanta backend service account on the business owner’s behalf. Humans do not read it except as required for a support request the business owner explicitly initiates, or for a documented security investigation.
- Tokens are scrubbed from application logs, error traces, and analytics events before anything leaves our infrastructure.
Network & infrastructure hardening:
- Backend services run inside a private Google Cloud VPC; only the public API gateway is exposed to the internet, fronted by DDoS protection and request-level rate limiting.
- Container images are scanned for known vulnerabilities on every build; dependencies are patched on a regular cadence.
- Authentication, authorization, and API usage are continuously monitored for anomalies; suspicious access patterns trigger automatic alerts.
Subprocessor & vendor security:
- Every subprocessor listed in section 9 is contractually bound to maintain PIPEDA-equivalent security controls, including encryption in transit and at rest, access controls, and breach notification obligations.
- We do not transfer Google user data to any third party except as required to provide the booking feature itself (Google Calendar API), and we never sell or share it for advertising.
Incident response:
If a confirmed security incident affects your data, we notify the affected business owner without undue delay and cooperate with breach-notification obligations under PIPEDA, Quebec Law 25, GDPR (72-hour rule), and any other applicable law.
Despite these safeguards, no system on the public internet is 100% secure. If you believe an account has been compromised, or want to report a vulnerability, email info@rhanta.com with “Security” in the subject so we can act immediately.
6 · Google account data (Calendar OAuth)
When a subscribed business clicks Connect Google Calendar, Rhanta asks Google for two scopes via OAuth 2.0. This section covers exactly what Google data Rhanta accesses, how we use it, and how the business owner can revoke access at any time.
Scopes Rhanta requests:
- .../auth/calendar.readonly — list calendars and read free/busy time blocks so Rhanta’s AI agent can confidently offer the caller a slot that doesn’t conflict with the owner’s existing schedule.
- .../auth/calendar.events — create the appointment event in the owner’s calendar when the caller confirms a booking. Rhanta writes only the events it creates; it does not modify or delete events created elsewhere.
How we use Google data:
- Solely to provide the booking feature — checking availability and writing booked appointments. Nothing else.
- Rhanta does not read event titles, attendees, descriptions, attachments, or any data outside the free/busy windows and the events Rhanta itself created.
- Google data is never sold, never shared with advertisers, never used to build user profiles, never used to train or fine-tune any AI model, and never accessed by humans except as required for support requests the business owner explicitly initiates, or for documented security investigations.
- We do not transfer Google user data to any third party except as required to provide the booking feature (see Subprocessors below).
Storage and retention of Google data:
- OAuth refresh tokens are encrypted at rest in our database, hosted in Google Cloud’s Montréal region.
- Free/busy time blocks are fetched live on each call and not persisted beyond the duration of the call.
- Events Rhanta created are retained for as long as the corresponding appointment record exists in the dashboard (default 365 days, then purged).
Revoking access:
The business owner can disconnect Rhanta from Google Calendar at any time from two places:
- Rhanta dashboard — Settings → Calendar → Disconnect. We immediately delete the stored OAuth tokens and stop fetching new data.
- Google Account permissions — myaccount.google.com/permissions. Revoking from Google’s side has the same effect; our stored token stops working immediately.
Limited Use compliance:
Rhanta’s use and transfer of information received from Google APIs adhere to the Google API Services User Data Policy, including the Limited Use requirements.
7 · How long we keep it
Each business sets its own retention windows. Default values:
- 90 days for call recordings.
- 365 days for transcripts.
A daily sweep permanently purges anything past those windows. Billing call rows (time, duration, outcome) are kept longer in anonymized form so the business’s usage history stays intact.
8 · Your rights (PIPEDA + Law 25)
Any caller can ask for any of the following at any time, with no reason required and at no cost:
- Right of access — a copy of every recording and transcript tied to your phone number.
- Right of deletion — we permanently scrub your recordings, transcripts, and any lead record we kept. Billing rows stay but are redacted so nothing in them points to you.
- Right of rectification — correct anything we got wrong about you.
- Right to withdraw consent — we stop recording and, on request, delete past recordings.
Requests go to the business you called — they can action them from their dashboard immediately. Requests escalated to us get an answer within 30 days (PIPEDA) or 30 days (Law 25 for Quebec residents), whichever applies.
9 · Subprocessors
Rhanta uses a small set of named subprocessors to run the service. Each one is contractually bound to PIPEDA-equivalent terms:
- Twilio (USA) — phone numbers and audio transport.
- Deepgram (USA) — real-time speech-to-text.
- Anthropic (USA) — Claude for conversation reasoning. No training on caller data.
- ElevenLabs (USA) — text-to-speech voice synthesis.
- Google Cloud Platform (Canada, Montréal region) — hosting + storage of Rhanta application data, including encrypted OAuth refresh tokens.
- Google Calendar API (USA) — only when the business owner has connected Google Calendar via OAuth. Rhanta sends free/busy queries and event-create requests to Google’s Calendar API on the owner’s behalf. No caller data is sent to Google — only the appointment metadata (start time, end time, the title Rhanta generated from the call).
- Stripe (Canada entity) — billing for the business subscription only; no caller data.
10 · Changes to this page
Material changes are announced to subscribed businesses at least 30 days ahead. Minor edits (wording, clarifications) are logged in the “last updated” stamp at the top.
11 · Contact
Privacy questions: info@rhanta.com. You may also contact the Office of the Privacy Commissioner of Canada or the Commission d’accès à l’information du Québec for unresolved complaints.