How we protect your business data and your callers' privacy.
Every business's data is fully isolated using Postgres row-level security (RLS) on Supabase. Every query is scoped to the authenticated business by row policies enforced at the database engine layer — not in application code. No application bug can leak one business's calls or contacts to another business.
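The isolation pattern described above, written out as Postgres policies (an added example, not Delusia.AI's schema or code). The tables `business_members` and `calls`, their columns and the policy names are assumptions; `auth.uid()` is Supabase's helper that returns the user ID from the request's JWT.

```sql
-- Hypothetical schema: every table, column and policy name here is an assumption.
create table business_members (
  user_id     uuid not null,
  business_id uuid not null,
  primary key (user_id, business_id)
);

create table calls (
  id           uuid primary key default gen_random_uuid(),
  business_id  uuid not null,
  caller_phone text not null,
  started_at   timestamptz not null default now()
);

-- Policies have no effect until RLS is enabled on the table.
alter table business_members enable row level security;
alter table calls enable row level security;
-- FORCE applies the policies to the table owner as well.
alter table calls force row level security;

-- A signed-in user can read only their own membership rows.
create policy members_self on business_members
  for select to authenticated
  using (user_id = auth.uid());

-- USING filters the rows a query can see; WITH CHECK rejects an INSERT or
-- UPDATE that would place a row under a business the user does not belong to.
create policy calls_tenant_isolation on calls
  for all to authenticated
  using (business_id in (
    select business_id from business_members where user_id = auth.uid()))
  with check (business_id in (
    select business_id from business_members where user_id = auth.uid()));

-- Roles with the BYPASSRLS attribute (Supabase's service_role is one) skip
-- every policy, so server-side code using such a role must filter by
-- business_id itself.

-- Audit: list public tables that are not protected by RLS (expect zero rows).
select c.relname as table_without_rls
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public'
  and c.relkind = 'r'
  and not c.relrowsecurity;
```

Running the audit query in CI after each migration catches a new table that was created without `enable row level security`.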
All data in transit is encrypted with TLS 1.2+. All data at rest (including database, file storage, and call recordings) is encrypted with AES-256 via our infrastructure providers (Supabase, Cloudflare, Vercel). API keys and tokens never appear in client-side code.
We never see or store your card number. All payment processing is handled by Stripe, which is PCI-DSS Level 1 certified. Card details go directly from your browser to Stripe via Stripe Checkout / Stripe Elements; our servers only ever see opaque customer/subscription IDs.
Call recordings are opt-in per business. When enabled, the AI verbally discloses the recording to callers at the start of the call as required by law in two-party-consent jurisdictions. Recordings are stored encrypted with configurable retention. You can delete any recording at any time from the dashboard.
You own your data. You can export it via the dashboard at any time, and you can delete your account along with all associated data (calls, transcripts, recordings, customer info) at any time. Deletion is propagated to our subprocessors within 30 days.
Delusia.AI works with vetted infrastructure partners across these categories: cloud database and authentication, application hosting, voice and SMS telephony, AI voice orchestration, large language model providers, text-to-speech, transactional email, payment processing, and DNS / CDN. All partners maintain industry-standard security certifications (SOC 2, ISO 27001, PCI-DSS or equivalent).
For our complete subprocessor disclosure list — including specific vendor names, certifications, and data flows — please email support@delusia.ai. We're happy to share it under NDA for compliance reviews or procurement questionnaires.
Our infrastructure providers hold SOC 2 Type 2, ISO 27001, and PCI-DSS Level 1 certifications where applicable. We are designed to meet GDPR, CASL, and Canadian PIPEDA requirements out of the box. For Enterprise customers with strict procurement requirements, we offer a Data Processing Agreement (DPA), security questionnaire responses, and detailed subprocessor disclosure on request. Contact support@delusia.ai.
In the event of a security incident affecting your data, we will notify you within 72 hours of confirmation, in line with GDPR Article 33 timelines. Status updates are posted on our status page, and individual affected accounts receive direct email notification.
If you discover a security vulnerability in Delusia.AI, please email support@delusia.ai with details. We'll acknowledge within 24 hours, work with you on a fix, and credit you publicly if you'd like. We don't have a formal bug-bounty payout structure yet, but we're happy to send swag and a personal thank-you.
For specific security questions, compliance documentation, or to request a DPA, please contact us at support@delusia.ai or via our contact form.