Recording AI voice agent conversations under GDPR: the operating manual

You want to record calls to improve the agent — without breaching GDPR. Here's the exact procedure: disclosure, retention, access rights, security. No hand-waving.

Recording AI voice agent calls is legitimate: it improves the prompt, traces decisions, resolves disputes. But it's regulated. Here's the procedure we apply at VocazAI, verified by a GDPR firm.

Disclosure — non-negotiable

The agent's first line: 'This call is handled by an automated voice assistant and may be recorded for service-improvement purposes. To talk to a human, say "human agent" at any time.' 6 seconds. Without it, the recording is illegal — regardless of your prompt.

  • Legitimate interest (service improvement): OK for 90-day retention.
  • Explicit consent: OK for long-term retention.
  • Legal obligation (commercial dispute): OK for 5 years contract-side.
  • Marketing: FORBIDDEN without separate consent.

Retention duration

Raw audio: 30 days maximum for product improvement. Anonymized transcript (no names or phone numbers): 1 year for statistical analysis. Beyond that, delete. Document the deletion in your GDPR processing register.

Security

  • Encryption at rest (AES-256 minimum).
  • Access logged — who listened to what, when.
  • Hosted explicitly in an EU zone.
  • Subprocessors with signed DPA (LLM, STT).

Caller rights

Any caller can request: access to their transcript, audio copy, deletion. You must respond within 30 days. In practice: an admin endpoint that filters by phone number and exports or deletes. VocazAI ships this in the dashboard by default.

The trap nobody mentions

If you use an LLM via an external API (OpenAI, Anthropic), the system prompt may include identifiable data ('Marie Dupont has an appointment Tuesday'). That data crosses borders. Solution: scrub identifying data BEFORE sending it to the LLM, or pick an EU-hosted provider (Mistral).
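One way to do the scrubbing step, as an added example (not VocazAI's code): known fields from the caller's record and phone-like strings are swapped for placeholders before the prompt leaves your infrastructure, and the originals are put back into the reply locally. The record shape, the function names and the phone pattern are assumptions; a name spoken in free text that is not in the record is not caught by this approach.

```python
import re

# Loose phone pattern (assumption: E.164-style and French national formats).
PHONE_RE = re.compile(r"(?<![\w+])\+?\d(?:[ .-]?\d){8,13}(?!\w)")


def scrub(text, known_values):
    """Swap caller identifiers for placeholders before the text leaves your side.

    known_values: label -> value taken from the caller's record (hypothetical
    shape). Returns (scrubbed_text, mapping of placeholder -> original).
    """
    mapping = {}
    # Longest value first, so a full name is replaced before a first name.
    for label, value in sorted(known_values.items(), key=lambda kv: -len(kv[1] or "")):
        if not value:
            continue
        pattern = re.compile(r"(?<!\w)" + re.escape(value) + r"(?!\w)", re.IGNORECASE)
        if pattern.search(text):
            text = pattern.sub(f"[{label}]", text)
            mapping[f"[{label}]"] = value

    phones = []

    def _phone(match):
        phones.append(match.group(0))
        token = f"[PHONE_{len(phones)}]"
        mapping[token] = match.group(0)
        return token

    return PHONE_RE.sub(_phone, text), mapping


def restore(text, mapping):
    """Re-insert the original values into the model's reply, locally."""
    for token, value in mapping.items():
        text = text.replace(token, value)
    return text


# Constructed sample data, not a real caller record.
RECORD = {"NAME": "Marie Dupont", "FIRST_NAME": "Marie"}
PROMPT = "Marie Dupont has an appointment Tuesday. Call back on +33 6 12 34 56 78."

if __name__ == "__main__":
    safe, mapping = scrub(PROMPT, RECORD)
    print(safe)  # this is the only text sent to the external API
    reply = "Hello [NAME], your appointment on Tuesday is confirmed."  # simulated reply
    print(restore(reply, mapping))
```

Keep the mapping in memory for the duration of the call only; written to disk, it is personal data under the same retention rules as the transcript.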

Compliant start

Disclosure ✓, 30-day audio ✓, anonymized transcript ✓, dashboard access ✓, Mistral DPA signed ✓. That's the VocazAI default setup. First month free to validate your compliance with our internal DPO.