Order Call AIOrder Call AI
← Legal

Data Processing Addendum

Order Call AI, a d/b/a of Celestial Import LLC · Effective July 18, 2026 · Last updated July 18, 2026

This Addendum (“DPA”) forms part of the Terms of Service between Order Call AI, a d/b/a of Celestial Import LLC (“Service Provider”) and the restaurant customer (“Business”). It applies automatically to every customer; no opt-in is required. A countersigned copy is available on request from legal@ordercallai.com.

1. Definitions and roles

Terms such as business, service provider, third party, personal information, sell, share and business purposehave the meanings given in the California Consumer Privacy Act as amended (“CCPA”).

With respect to Personal Information contained in call audio, transcripts, orders and reservations (“Customer Personal Information”), the Business is the business and Order Call AI is a service provider as defined in Cal. Civ. Code § 1798.140(ag). Order Call AI is not a “Third Party” as defined in § 1798.140(ai).

2. Service provider restrictions

Order Call AI is prohibited from, and shall not:

  • Sell or share the Customer Personal Information;
  • Retain, use or disclose it for any purpose other than the business purposes specified in the Agreement, including retaining, using or disclosing it for a commercial purpose other than those business purposes;
  • Retain, use or disclose it outside the direct business relationship between Order Call AI and the Business;
  • Combine it with personal information received from or on behalf of another person, or collected from its own interaction with the consumer, except as permitted by the CCPA.

3. Service provider obligations

  • Specified purposes. Order Call AI processes Customer Personal Information only to answer calls, capture orders and reservations, present them to the Business, and provide support and security for the service.
  • Compliance. Order Call AI shall comply with the CCPA and shall provide the same level of privacy protection as is required by this title.
  • Oversight. The Business may take reasonable and appropriate steps to help ensure that Order Call AIuses Customer Personal Information in a manner consistent with the Business’s obligations.
  • Notification. Order Call AI shall notify the Business promptly if it determines it can no longer meet its obligations under the CCPA.
  • Remediation. The Business may take reasonable and appropriate steps to stop and remediate unauthorised use of Customer Personal Information.

4. No-training covenant

AI model training. We do notuse Customer Data, including call audio, transcripts, or data derived from them, to train, fine-tune, or improve any machine learning model, whether our own or a third party’s. We contractually require our AI subprocessors to do the same.

This is a contractual obligation, not a policy statement, and it survives termination of the Agreement. The parties acknowledge that using Customer Personal Information to improve a model would constitute retaining or using it for a purpose other than the specified business purposes.

5. No biometric processing

Order Call AI does not collect, capture or store voiceprints or other biometric identifiers, and does not perform speaker identification or verification. Speech is transcribed for content only.

6. Consumer requests

The Business is responsible for responding to consumer requests regarding Customer Personal Information. Order Call AI will provide reasonable assistance, and will forward to the Business any request it receives directly.

7. Security and incident notification

Order Call AI maintains the technical and organisational measures described in Annex II and on our security page. Order Call AI will notify the Business without undue delay and in any case within 72 hours of becoming aware of a personal data breach affecting Customer Personal Information, and will provide the information the Business reasonably needs to meet its own notification obligations.

8. Subprocessors

Order Call AI may engage the subprocessors listed in Annex III and on our subprocessors page, each bound by written terms no less protective than this DPA. The Business will receive notice before a new subprocessor is engaged and may object on reasonable data-protection grounds.

9. Audit

Once per year, and on 30 days’ written notice, the Business may request information reasonably necessary to verify compliance with this DPA. Order Call AI will respond with its then-current security documentation and answer reasonable follow-up questions.

10. Deletion and return

On termination, and on request during the term, Order Call AI will delete Customer Personal Information within 30 days, except where retention is required by law.

11. Other state privacy laws

Where the Virginia CDPA, Colorado Privacy Act, Connecticut CTDPA, Utah UCPA or Texas TDPSA applies, Order Call AI acts as a processor on behalf of the Business as controller, and the commitments above apply with equivalent effect: processing only on documented instructions, confidentiality, security, assistance with consumer rights and breach notification, subprocessor flow-down, and deletion or return at the end of the engagement.

12. Conflict

In the event of a conflict between this DPA and the Terms of Service, this DPA controls with respect to the processing of personal information.

Annex I — Description of processing

  • Subject matter — provision of an AI phone answering and order-taking service.
  • Duration — the term of the Agreement, plus up to 30 days for deletion.
  • Categories of data subject— guests who call the Business; the Business’s own staff who use the panel.
  • Categories of personal information — call audio and transcripts; caller phone number; call time and duration; name and details a caller provides to complete an order or reservation.
  • Excluded — no payment card data; no biometric identifiers; no special category data is requested.

Annex II — Security measures

  • Encryption in transit (TLS) and at rest.
  • Tenant isolation enforced in the database by row-level security, so a signed-in user can only reach data for restaurants they belong to.
  • Least-privilege access; administrative credentials confined to server-side environments and never exposed to browsers.
  • Access to production restricted to authorised personnel.
  • Data stored in the United States (AWS us-east-1). Full detail on our security page.

Annex III — Subprocessors

The current list is maintained at ordercallai.com/legal/subprocessors.

Signature

Accepted by the Business on acceptance of the Terms of Service. For Order Call AI, a d/b/a of Celestial Import LLC: 4405 Jager Dr NE, Ste C4-4282, Rio Rancho, NM 87144. Legal contact: legal@ordercallai.com.