Security & Trust

Loray (loray.ai)
Last updated: April 25, 2026 · Version 1

Loray is built to help small businesses communicate with customers through AI-powered SMS, voice, and appointment automation.

Because Loray processes customer conversations, phone numbers, call transcripts, appointment details, and business configuration data, security and privacy are core parts of how the platform is designed.

This page summarizes Loray's current security, privacy, infrastructure, AI data handling, and compliance practices.

1. Security Overview

Loray uses administrative, technical, and organizational safeguards designed to protect Client data and end-user contact data.

Our security approach focuses on:

protecting personal data in transit and at rest
limiting access to production data
isolating Client data in a multi-tenant environment
monitoring sensitive platform activity
minimizing unnecessary data sent to subprocessors
enforcing SMS opt-out and consent requirements
retaining data only for as long as needed
maintaining clear subprocessor transparency
responding promptly to security incidents

2. Infrastructure

Loray's production infrastructure is hosted in the United States.

Current hosting provider:

OVHcloud (US, LLC)
Region: USA — Oregon, us-west-or-2, Hillsboro, OR.

Loray uses OVHcloud for:

application hosting
database storage
MySQL infrastructure
Redis cache
network services
backups
server infrastructure

More information about subprocessors is available at:

loray.ai/subprocessors

3. Encryption

Loray uses encryption to protect personal data where applicable.

Encryption in transit

Data transmitted between user devices, Loray systems, and subprocessors is protected using TLS 1.2 or higher.

This includes:

web application traffic
API traffic
mobile application communication
communication with subprocessors
administrative interfaces

Encryption at rest

Stored personal data is encrypted at rest where applicable using AES-256 or equivalent encryption.

This includes, where applicable:

phone numbers
SMS conversation content
voice call transcripts
call metadata
Client configuration data
audit and operational records

4. Phone Number Handling

Phone numbers are sensitive identifiers in Loray's platform.

Loray stores phone numbers encrypted during active use. Hashed copies may be retained for:

opt-out enforcement
deduplication
fraud prevention
suppression list management
compliance with telecommunications and carrier requirements

Loray uses hashed phone records to help ensure that Contacts who opt out are not contacted again through Loray-powered workflows.

5. Multi-Tenant Data Isolation

Loray is a multi-tenant SaaS platform.

Client data is logically separated so that each Client can access only their own business data, users, contacts, conversations, appointments, and configuration.

Loray uses application-level authorization controls to enforce tenant separation.

Production access is restricted to authorized personnel with a legitimate business need.

6. Access Control

Access to production systems and personal data is limited to authorized personnel.

Loray applies the principle of least privilege where practical.

Production access may be granted for:

customer support
debugging
security review
billing investigation
incident response
platform maintenance
legal or compliance obligations

Administrative and sensitive actions are logged where appropriate.

Access is reviewed and updated as personnel roles change.

7. Audit Logging and Monitoring

Loray maintains audit and operational logs to support:

security monitoring
troubleshooting
abuse detection
compliance review
account administration
incident investigation

Logs may include:

authentication events
administrative actions
system events
message delivery events
call metadata
API events
configuration changes
billing and subscription events

Logs are retained only as long as reasonably necessary for security, compliance, support, and business operations.

8. AI Data Handling

Loray uses AI services to generate responses, classify inquiries, support SMS automation, support voice automation, and assist with appointment-related workflows.

Current AI-related subprocessors may include:

Anthropic — primary AI language model provider
OpenAI — fallback AI language model provider
Deepgram — speech-to-text transcription
Google Cloud Text-to-Speech — AI voice synthesis

Loray does not permit AI subprocessors to use Client data or end-user contact data to train their general-purpose AI models.

Where technically feasible, Loray removes direct identifiers, such as phone numbers, before sending conversation context to AI language model providers.

However, conversation content may still include personal information voluntarily provided by a caller or message sender, such as:

name
service address
appointment details
description of a service issue
preferred callback time
other details needed to complete the request

Zero-data-retention or reduced-retention configurations are used where available and commercially supported.

9. Voice Call Audio and Transcripts

Loray may process voice call audio and transcripts when AI voice features are enabled.

Voice call audio

Voice call audio is used to:

transcribe calls
operate the AI voice assistant
troubleshoot call quality
support service reliability

Voice call audio is retained for 30 days after the call, then permanently deleted, unless a shorter retention period is configured or deletion is required earlier.

Voice call transcripts

Voice call transcripts may be retained longer than audio because they are used for:

appointment history
lead follow-up
service request details
customer support
conversation review
Client dashboard and inbox features

Voice call transcripts are retained according to Loray's Privacy Policy and Client configuration.

10. SMS Compliance and Opt-Out Handling

Loray supports SMS compliance through:

STOP handling
opt-out enforcement
consent record retention
suppression list management
A2P 10DLC campaign support
message delivery tracking
carrier compliance workflows

When a Contact replies STOP, Loray honors the opt-out and records the suppression event.

Opt-out and consent records may be retained for at least 4 years or longer where required for legal, carrier, or compliance purposes.

Loray does not share mobile phone numbers, SMS opt-in data, or SMS consent records with third parties or affiliates for their own marketing or promotional purposes.

11. Subprocessor Review

Loray uses third-party subprocessors to provide the Services.

Subprocessors are reviewed for their role, data access, purpose, and contractual data protection commitments.

Subprocessors are used for:

telephony and SMS
voice calls
speech-to-text
text-to-speech
AI language processing
hosting
payments
transactional email
A2P 10DLC registration

Loray maintains a current list of subprocessors at:

loray.ai/subprocessors

Clients are notified at least 30 days in advance of additions or changes that may materially affect data processing.

12. Data Retention

Loray retains data only as long as reasonably necessary to provide the Services, comply with legal obligations, support security, resolve disputes, enforce agreements, and maintain platform reliability.

Typical retention periods include:

SMS conversation content: duration of Client relationship + 24 months
Voice call audio: 30 days after the call
Voice call transcripts: duration of Client relationship + 24 months
Call metadata: duration of Client relationship + 24 months
Opt-out and consent records: at least 4 years
Client account data: duration of subscription + 90 days after cancellation
Billing records: 7 years or as required by accounting and tax laws
Support records: duration of account + 24 months

More information is available in Loray's Privacy Policy:

loray.ai/privacy

13. Data Deletion

Clients may request deletion of their account data and associated contact data by contacting:

[email protected]

Loray will honor deletion requests subject to:

legal retention obligations
tax and accounting requirements
fraud prevention
security requirements
backup retention
opt-out enforcement
telecommunications compliance
dispute resolution
carrier and A2P 10DLC requirements

End users who wish to delete data processed on behalf of a Client should contact that Client directly. Loray may assist the Client in responding to the request.

14. Backups and Recovery

Loray maintains backup and recovery practices designed to support service reliability and data restoration in the event of operational failure.

Backups may contain Client data and contact data.

Backup data is protected through access controls and infrastructure safeguards.

Data deleted from production systems may remain in backups for a limited period until backup rotation or deletion cycles complete.

15. Incident Response

Loray maintains procedures for investigating and responding to security incidents.

If Loray confirms a security incident affecting personal data, Loray will notify affected Clients without undue delay and as required by applicable law.

Incident notices may include, where available:

nature of the incident
categories of data affected
approximate number of affected individuals, if known
steps Loray has taken or plans to take
recommended actions for affected Clients
contact information for follow-up

16. Responsible Disclosure

If you believe you have discovered a security vulnerability in Loray, please report it responsibly.

Contact:

[email protected]

Please include:

description of the vulnerability
affected endpoint or feature
steps to reproduce
potential impact
your contact information

Do not access, modify, delete, or exfiltrate data that does not belong to you.

Loray will review security reports and respond as appropriate.

17. Compliance

Loray supports Clients with technical tools designed to help with telecommunications and communication compliance.

Relevant areas include:

TCPA support
SMS opt-out enforcement
A2P 10DLC registration support
call recording notice support
consent record retention
suppression list management
audit logs
subprocessor transparency
data deletion support

Clients are responsible for their own legal compliance when using Loray, including:

obtaining required consents
providing required privacy notices
complying with SMS and voice communication laws
complying with call-recording and transcription laws
ensuring lawful use of AI-generated communications
configuring Loray appropriately for their business and jurisdiction

Loray does not provide legal advice.

18. Documents

Relevant privacy and security documents:

Privacy Policy
Subprocessors
Data Processing Addendum — available at loray.ai/dpa or upon request
Security & Trust — loray.ai/security

19. Contact

For security, privacy, or compliance questions:

Security: [email protected]
Privacy: [email protected]
Legal: [email protected]
Website: loray.ai