The DPA for the careful.
For procurement teams. Plain English. GDPR Art. 28 + CCPA service-provider terms. Subprocessor list. Breach reporting in 72 hours. Standard Contractual Clauses referenced where transfers happen.
Effective 2026-04-30 · Christian G Flair LLC
1. Roles
You are the Controller (or Business under CCPA) of personal data processed by your AI receptionist. Christian G Flair LLC, operating as Handled ("we", "Processor"), processes that data on your documented instructions, defined by these terms, the Privacy Policy, and your account configuration.
2. Scope
We process: caller phone numbers, voice recordings, transcripts, structured event metadata, and the destinations you configure (CRM contacts, calendar events, transfer endpoints).
We do not sell or share your data, and we do not train external models on it. We use it only to operate the service for your account and to improve quality monitoring of that account.
3. Subprocessors
We use the subprocessors listed below. We notify you of changes by email at least 14 days before a new subprocessor handles your data. You can object in writing; if we cannot resolve the objection, you may terminate the affected service for a refund of the unused term.
| Vendor | Use | Domain |
|---|---|---|
| Vapi Technologies, Inc. | Voice infrastructure (US) | vapi.ai |
| Twilio Inc. | Telephony + SMS (US, global PoPs) | twilio.com |
| Supabase, Inc. | Database + auth (US-East) | supabase.com |
| Stripe, Inc. | Billing (US) | stripe.com |
| Resend, Inc. | Transactional email (US) | resend.com |
| Vercel Inc. | Hosting + edge (US, EU) | vercel.com |
4. Security
All data in transit uses TLS 1.2+. Stored recordings and transcripts are encrypted at rest by the subprocessor (AES-256). Access is restricted by role; we apply least-privilege access on the Vapi, Supabase, and Stripe consoles. We don't store payment card numbers; Stripe is the system of record.
We log access to customer data on the operations side and audit it monthly. Production deployments are reviewable in Vercel + git history.
5. Breach reporting
If we become aware of a personal-data breach affecting you, we notify you without undue delay and in any case within 72 hours, with what we know, what we don't, and what we're doing about it.
6. Your obligations
You are responsible for the lawful basis of every call your assistant makes or receives — consent for outbound, disclosure on inbound. Our compliance posture (FCC + CA AB 2905 + NY GBL § 396-b + two-party recording auto-honor) is set up; you must keep your call lists, dialer configurations, and recipient consent records lawful.
7. Data subject requests
We assist you in responding to access, deletion, correction, and portability requests within applicable legal windows. The dashboard exposes self-service export and deletion; for unusual cases, contact privacy@handled.build.
8. International transfers
Data flows from the controller's region to the US (where Handled and most subprocessors operate). Where required, we rely on Standard Contractual Clauses (2021 modules) plus the EU-US Data Privacy Framework via Stripe / Vercel / Twilio's certifications.
9. Termination + return / deletion
On termination, you have a 30-day window to export account data, recordings, and transcripts. After 30 days we delete (or anonymize) all customer-identifiable data unless retention is required by law (typically 7 years for tax records).