Privacy Policy

Rannly, operated by Marwan Samir, registered in Egypt with active data flows to/from UAE, Saudi Arabia, Qatar, Bahrain, Kuwait, and Oman. Contact: hello@rannly.com.

Three categories, no more:

• Visitor data — when you load this site: IP, user agent, page viewed. Used for analytics (Plausible, cookieless) and security (Cloudflare). No advertising trackers.
• Lead data — when you submit the call-me form or the custom-industry form: phone number, country code, business name, industry, the pain you typed, locale (EN/AR), source page, and the timestamp. Sent to our internal lead inbox and stored on an encrypted Railway volume in the EU region.
• Customer + caller data — once you become a paying Rannly customer: business profile, hours, services, the audio of inbound calls to the Rannly number you forward, transcripts, booking metadata, and WhatsApp lead push history. Stored in Postgres on Railway (EU) and call recordings on Cloudflare R2.

• To call you back when you ask us to (the call-me form).
• To run the AI receptionist for your business (core service).
• To send you WhatsApp + email notifications when a lead is captured.
• To bill, troubleshoot, and improve the service.
• To comply with our legal obligations.

Performance of contract (running the service for you), legitimate interests (security, fraud prevention, service improvement), and consent (analytics + marketing emails). You can withdraw consent anytime via the dashboard or by emailing us.

For Saudi customers we comply with the Personal Data Protection Law (PDPL); for UAE customers, the Federal Decree-Law No. 45 of 2021 on Personal Data Protection. Data of Gulf residents is processed in the EU region by Railway and Cloudflare (sub-processors). On request, we will move customer-level data to a UAE region — see hello@rannly.com.

When a caller dials a Rannly number, the AI states clearly that the call is recorded and handled by an AI agent at the start of the conversation, in Arabic and English. Customers must not disable this notice. The notice text is auditable in the customer dashboard.

• Visitor analytics: 90 days, then aggregated.
• Lead data: 24 months unless you request deletion.
• Call recordings + transcripts: 90 days by default, configurable per customer.
• Billing records: 7 years (legal requirement).

The named third parties that touch your data:

• Railway (hosting, EU region)
• Cloudflare (CDN, DNS, R2 storage)
• Vapi.ai (voice AI orchestration, US)
• Twilio (telephony)
• OpenAI (LLM inference)
• ElevenLabs (text-to-speech)
• Resend (transactional email)
• Stripe (payments, US/EU)
• Clerk (authentication, US)
• Plausible (privacy-friendly analytics, EU)
• Sentry (error monitoring, EU region)

Access, rectification, erasure, restriction, portability, objection. Email hello@rannly.com with your request. We respond within 30 days.

We use no advertising cookies. Plausible analytics is cookieless. Clerk auth uses a strictly necessary session cookie when you log into a customer dashboard. Cloudflare may set a security cookie to detect bots — these are essential.

TLS 1.2+ everywhere, HSTS preloaded, encryption at rest on Railway volumes and R2, secrets never committed to git, principle of least privilege. We will publicly disclose any breach within 72 hours per GDPR/PDPL norms.

Rannly is a B2B service. We don't knowingly collect data on anyone under 18. If you believe a minor's data is in our system, email us and we'll delete it.

We'll post the change date at the top and email customers if the change is material.