Loray (loray.ai)
Effective date: April 25, 2026
Last updated: April 25, 2026 · Version 1
This Data Processing Addendum ("DPA") forms part of the agreement between Loray and the Client for the use of Loray's services.
This DPA applies when Loray processes personal data on behalf of a Client in connection with Loray's AI-powered SMS, voice, scheduling, and customer communication services.
If there is a conflict between this DPA and another agreement between Loray and the Client, this DPA controls with respect to the processing of personal data.
"Client" means the business, contractor, company, or organization that subscribes to or uses Loray's services.
"Contact" or "End User" means a customer, lead, caller, message recipient, or other person who communicates with a Client through Loray's platform.
"Client Data" means data submitted to Loray by or on behalf of the Client, including business configuration, account information, appointment data, SMS conversations, call audio, call transcripts, call metadata, and contact information.
"Personal Data" means any information relating to an identified or identifiable individual that is processed by Loray on behalf of the Client.
"Processing" means any operation performed on Personal Data, including collection, recording, storage, transmission, use, disclosure, deletion, or retrieval.
"Subprocessor" means a third-party service provider engaged by Loray to process Personal Data on behalf of the Client.
"Services" means Loray's SaaS platform, including AI-powered SMS automation, voice automation, appointment scheduling, mobile application features, administrative tools, billing, and related support services.
For Personal Data relating to Contacts and End Users, the Client is the controller, business, or equivalent role under applicable privacy laws.
Loray acts as the processor, service provider, or equivalent role when processing such Personal Data on behalf of the Client.
For data Loray collects directly from the Client for account administration, billing, support, security, and business operations, Loray may act as an independent controller.
Loray processes Personal Data only as necessary to provide the Services and in accordance with the Client's documented instructions.
The purpose of processing includes:
Loray will not process Personal Data for purposes unrelated to the Services unless required by law or authorized by the Client.
The Personal Data processed by Loray may include:
Loray does not require Clients to submit sensitive personal data to use the Services. Clients should not submit sensitive personal data unless necessary for their lawful use of the Services.
Data subjects may include:
The Client instructs Loray to process Personal Data as necessary to:
Loray will notify the Client if Loray believes an instruction violates applicable data protection law, unless prohibited by law.
Loray will ensure that personnel authorized to process Personal Data are subject to confidentiality obligations.
Loray restricts access to Personal Data to personnel who need access to provide, support, secure, or improve the Services.
Loray will implement and maintain reasonable technical, organizational, and administrative safeguards designed to protect Personal Data against unauthorized access, disclosure, alteration, loss, or destruction.
Security measures include, where applicable:
Additional information is available on Loray's Security & Trust page.
The Client authorizes Loray to use subprocessors to provide the Services.
Loray maintains a current list of subprocessors at:
Loray requires subprocessors to process Personal Data only for the purposes listed and under written contractual obligations that provide appropriate confidentiality, security, and data protection commitments.
Loray remains responsible for the performance of its subprocessors to the extent required by applicable law and the agreement between Loray and the Client.
Loray will notify Clients by email at least 30 days in advance before adding or materially changing a subprocessor where the change may materially affect the processing of Personal Data.
Clients may object in writing to a new subprocessor within 15 days of notice by contacting:
If the objection cannot be reasonably resolved, the Client may terminate the affected Service without penalty.
Loray may use AI subprocessors to generate responses, summarize or process conversations, classify requests, or support automation features.
Loray does not permit AI subprocessors to use Client Data or Contact Data to train their general-purpose AI models.
Where technically feasible, Loray removes direct identifiers, such as phone numbers, before sending conversation context to AI language model providers.
However, conversation content may still include personal information voluntarily provided by a caller or message sender, such as name, service address, appointment details, or service request information.
Zero-data-retention or reduced-retention configurations are used where available and commercially supported.
The Client is responsible for ensuring that it has the necessary rights, notices, permissions, and consents to communicate with Contacts using SMS, voice, AI assistants, call recording, transcription, and appointment-related messaging.
Loray provides technical tools to support compliance, including:
Loray does not provide legal advice. Clients are responsible for their own compliance with applicable laws, including TCPA, CAN-SPAM, state call-recording laws, industry rules, and carrier requirements.
If Loray receives a privacy request from a Contact whose Personal Data is processed on behalf of a Client, Loray may refer the request to the Client.
Loray will reasonably assist the Client in responding to data subject requests, including requests to access, correct, delete, or export Personal Data, to the extent required by applicable law and technically feasible.
Requests may be submitted to:
Upon termination of the Services, Loray will delete or return Client Data in accordance with the agreement, Loray's retention policies, and applicable legal obligations.
Certain data may be retained where necessary for:
Voice call audio is retained for 30 days after the call unless a shorter period is configured or deletion is required earlier.
Opt-out and consent records may be retained for at least 4 years or longer where required for legal compliance.
Loray will notify affected Clients without undue delay after confirming a security incident involving Personal Data processed on behalf of the Client.
The notice will include, where available:
Loray will cooperate reasonably with the Client in investigating and responding to the incident.
Upon reasonable written request, Loray will provide information necessary to demonstrate compliance with this DPA.
This may include:
Requests must be reasonable in scope, frequency, and timing and must not compromise Loray's security, confidentiality, other customers, or trade secrets.
Loray currently hosts its infrastructure in the United States and uses subprocessors that operate through US-based endpoints or process data in the United States.
Loray does not currently target or market its Services to the European Economic Area, the United Kingdom, or Switzerland.
If international transfer mechanisms become necessary, Loray will implement appropriate safeguards as required by applicable law.
The Client is responsible for:
This DPA does not replace Loray's Terms of Service, Privacy Policy, Subprocessors page, or other applicable agreements.
This DPA is intended to describe Loray's processing obligations for Personal Data processed on behalf of Clients.
For privacy, security, or DPA-related questions:
Privacy email: [email protected]
Legal email: [email protected]
Website: loray.ai