Loray (loray.ai)
Effective date: April 30, 2026
Last updated: April 30, 2026 · Version 2
This Data Processing Addendum ("DPA") forms part of the agreement between Loray and the Client for the use of Loray's services.
This DPA applies when Loray processes personal data on behalf of a Client in connection with Loray's AI-powered SMS, voice, scheduling, and customer communication services.
If there is a conflict between this DPA and another agreement between Loray and the Client, this DPA controls with respect to the processing of personal data.
"Client" means the business, contractor, company, or organization that subscribes to or uses Loray's services.
"Contact" or "End User" means a customer, lead, caller, message recipient, or other person who communicates with a Client through Loray's platform.
"Client Data" means data submitted to Loray by or on behalf of the Client, including business configuration, account information, appointment data, SMS conversations, call audio, call transcripts, call metadata, and contact information.
"Personal Data" means any information relating to an identified or identifiable individual that is processed by Loray on behalf of the Client.
"Processing" means any operation performed on Personal Data, including collection, recording, storage, transmission, use, disclosure, deletion, or retrieval.
"Subprocessor" means a third-party service provider engaged by Loray to process Personal Data on behalf of the Client.
"Services" means Loray's SaaS platform, including AI-powered SMS automation, voice automation, appointment scheduling, mobile application features, administrative tools, billing, and related support services.
For Personal Data relating to Contacts and End Users, the Client is the controller, business, or equivalent role under applicable privacy laws.
Loray acts as the processor, service provider, or equivalent role when processing such Personal Data on behalf of the Client.
For data Loray collects directly from the Client for account administration, billing, support, security, and business operations, Loray may act as an independent controller.
Loray processes Personal Data only as necessary to provide the Services and in accordance with the Client's documented instructions.
The purpose of processing includes:
Loray will not process Personal Data for purposes unrelated to the Services unless required by law or authorized by the Client.
The Personal Data processed by Loray may include:
Loray does not require Clients to submit sensitive personal data to use the Services. Clients should not submit sensitive personal data unless necessary for their lawful use of the Services.
Data subjects may include:
The Client instructs Loray to process Personal Data as necessary to:
Loray will notify the Client if Loray believes an instruction violates applicable data protection law, unless prohibited by law.
Loray will ensure that personnel authorized to process Personal Data are subject to confidentiality obligations.
Loray restricts access to Personal Data to personnel who need access to provide, support, secure, or improve the Services.
Loray will implement and maintain reasonable technical, organizational, and administrative safeguards designed to protect Personal Data against unauthorized access, disclosure, alteration, loss, or destruction.
Security measures include, where applicable:
Additional information is available on Loray's Security & Trust page.
The Client authorizes Loray to use subprocessors to provide the Services.
Loray maintains a current list of subprocessors at:
Loray requires subprocessors to process Personal Data only for the purposes listed and under written contractual obligations that provide appropriate confidentiality, security, and data protection commitments.
Loray remains responsible for the performance of its subprocessors to the extent required by applicable law and the agreement between Loray and the Client.
Loray will notify Clients by email at least 30 days in advance before adding or materially changing a subprocessor where the change may materially affect the processing of Personal Data.
Clients may object in writing to a new subprocessor within 15 days of notice by contacting:
If the objection cannot be reasonably resolved, the Client may terminate the affected Service without penalty.
Loray may use AI subprocessors to generate responses, summarize or process conversations, classify requests, or support automation features.
Loray does not permit AI subprocessors to use Client Data or Contact Data to train their general-purpose AI models.
Where technically feasible, Loray removes direct identifiers, such as phone numbers, before sending conversation context to AI language model providers.
However, conversation content may still include personal information voluntarily provided by a caller or message sender, such as name, service address, appointment details, or service request information.
Zero-data-retention or reduced-retention configurations are used where available and commercially supported.
The Client is responsible for ensuring that it has the necessary rights, notices, permissions, and consents to communicate with Contacts using SMS, voice, AI assistants, call recording, transcription, and appointment-related messaging.
Loray provides technical tools to support compliance, including:
Loray does not provide legal advice. Clients are responsible for their own compliance with applicable laws, including TCPA, CAN-SPAM, state call-recording laws, industry rules, and carrier requirements.
If Loray receives a privacy request from a Contact whose Personal Data is processed on behalf of a Client, Loray may refer the request to the Client.
Loray will reasonably assist the Client in responding to data subject requests, including requests to access, correct, delete, or export Personal Data, to the extent required by applicable law and technically feasible.
Requests may be submitted to:
Upon termination of the Services, Loray will delete or return Client Data in accordance with the agreement, Loray's retention policies, and applicable legal obligations.
Certain data may be retained where necessary for:
Voice call audio is retained for 30 days after the call unless a shorter period is configured or deletion is required earlier.
Opt-out and consent records may be retained for at least 4 years or longer where required for legal compliance.
Loray will notify affected Clients without undue delay after confirming a security incident involving Personal Data processed on behalf of the Client.
The notice will include, where available:
Loray will cooperate reasonably with the Client in investigating and responding to the incident.
Upon reasonable written request, Loray will provide information necessary to demonstrate compliance with this DPA.
This may include:
Requests must be reasonable in scope, frequency, and timing and must not compromise Loray's security, confidentiality, other customers, or trade secrets.
Loray currently hosts its infrastructure in the United States and uses subprocessors that operate through US-based endpoints or process data in the United States.
Loray does not currently target or market its Services to the European Economic Area, the United Kingdom, or Switzerland.
If international transfer mechanisms become necessary, Loray will implement appropriate safeguards as required by applicable law.
The Client is responsible for:
Loray's platform uses artificial intelligence and prerecorded voice technology to handle and initiate voice calls on Client's behalf. For inbound calls initiated by end users, Loray will provide an automated disclosure at the start of the call indicating that AI technology is in use. For outbound AI-generated or prerecorded voice calls initiated by Loray's platform on Client's behalf, Client is solely responsible for obtaining prior express written consent from each recipient before such calls are placed, as required under the TCPA and applicable FCC rules (including FCC-24-24A1). Written consent may be collected via web opt-in forms, signed agreements, SMS double opt-in (reply YES), or other documented written acknowledgment. Loray does not verify or validate that such consent has been obtained prior to placing calls.
Client is solely responsible for ensuring that all outbound communications facilitated through Loray's platform — including SMS messages, voice calls, and automated follow-ups — are sent only during legally permitted hours (8:00 AM to 9:00 PM local time of the recipient), in compliance with the TCPA and applicable state regulations. Loray does not technically restrict or enforce communication time windows and will not be liable for communications sent outside permitted hours.
End users may revoke consent at any time through any reasonable means, including: (i) replying STOP, CANCEL, QUIT, END, or UNSUBSCRIBE to any SMS message; (ii) verbally requesting removal during a voice call; (iii) submitting a written request via email or web form to Client. Loray's platform automatically honors STOP-keyword opt-outs in real time. For revocations received through other channels (verbal, email, or other written means), Client is responsible for processing the request and, where applicable, updating suppression lists within a commercially reasonable time not to exceed 10 business days. Loray shall not be liable for revocations communicated solely to Client through non-automated channels if Client fails to update the platform accordingly.
This DPA does not replace Loray's Terms of Service, Privacy Policy, Subprocessors page, or other applicable agreements.
This DPA is intended to describe Loray's processing obligations for Personal Data processed on behalf of Clients.
For privacy, security, or DPA-related questions:
Privacy email: [email protected]
Legal email: [email protected]
Website: loray.ai