Data retention, GDPR, CCPA, and HIPAA compliance in Nimbata
Nimbata is designed to support customers operating under major data protection regulations, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), and the Health Insurance Portability and Accountability Act (HIPAA). This article explains how Nimbata handles personal data, what tools are available to you, and how to access the relevant agreements.
How Nimbata processes personal data
When you use Nimbata, personal data flows through the platform as a result of call tracking and related features.
The categories of data involved include:
- Call metadata: Caller ID, call duration, call times, call outcome, and routing information.
- Call content: Audio recordings and transcriptions, if you have enabled those features.
- Web interaction data: IP addresses, landing pages, referring URLs, UTM parameters, device types, and session identifiers collected via the DNI script.
- Form submission data: Names, email addresses, and phone numbers submitted through tracked forms, if form tracking is enabled.
- Advertising identifiers: Google Click IDs (GCLID), Facebook Click IDs (FBCID), and similar campaign identifiers.
- Custom data: Call tags, conversion values, and other variables you define.
The data collected depends entirely on which features you have enabled.
Features like call recording, transcription, and form tracking involve more personal data than basic call attribution tracking.
Controller and processor roles
Under the GDPR and UK GDPR, you are the data controller and Nimbata is the data processor.
This means:
- You determine the purposes and means of processing.
- Nimbata processes personal data only on your instructions and for the purposes of delivering the service.
- Nimbata does not sell or share your data, use it for its own purposes, or combine it with data from other customers.
Under the CCPA, the equivalent roles are business (you) and service provider (Nimbata).
Under HIPAA, the equivalent roles are covered entity or business associate (you) and business associate (Nimbata).
Data Processing Agreement (DPA)
A Data Processing Agreement governs the relationship between you and Nimbata for all personal data processing under the service.
The DPA covers:
- The categories of personal data processed and the purposes of processing.
- Nimbata's obligations regarding confidentiality, security, and sub-processor oversight.
- Data subject rights and how Nimbata supports you in responding to them.
- International data transfer mechanisms, including EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (UK IDTA).
- Data breach notification obligations (48-hour notification to you upon becoming aware of a breach).
- Retention and deletion of personal data upon termination.
Business Associate Agreement (BAA)
If you are a covered entity or business associate under HIPAA, and you use Nimbata in a way that may involve protected health information (PHI), you are required to have a signed Business Associate Agreement in place before processing any PHI through the platform.
The BAA covers:
- Permitted uses and disclosures of PHI by Nimbata as a business associate.
- Nimbata's obligations to safeguard PHI using appropriate administrative, physical, and technical safeguards.
- Breach notification obligations in accordance with the HIPAA Breach Notification Rule.
- Requirements for sub-contractors who handle PHI on Nimbata's behalf.
- Return or destruction of PHI upon termination of the agreement.
International data transfers
Nimbata LLC is incorporated in the United States.
When personal data subject to the GDPR or UK GDPR is transferred to Nimbata, those transfers are covered by:
- EU Standard Contractual Clauses (SCCs): Module 2 (Controller to Processor), under Irish law and jurisdiction.
- UK International Data Transfer Addendum (UK IDTA): For transfers subject to UK GDPR.
Both mechanisms are incorporated into the DPA.
Sub-processors
Nimbata uses a limited number of sub-processors to deliver the service.
All sub-processors are bound by data protection obligations consistent with the DPA.
The current list includes:
- Amazon Web Services (AWS): Cloud infrastructure and storage (United States)
- Google: Transcription and AI/LLM services (United States)
- Twilio: Telephony services (United States)
- Telnyx: Telephony services (United States)
- DIDWW: Telephony services (Ireland, EEA)
An up-to-date list is maintained at nimbata.com/privacy-policy.
Nimbata provides at least 10 business days' advance notice before adding or replacing a sub-processor.
Security measures
Nimbata implements technical and organizational security measures in accordance with Article 32 GDPR and the HIPAA Security Rule, including:
- Role-based access controls and multi-factor authentication for all administrative access.
- Encryption of personal data in transit (TLS 1.2 or higher) and at rest (AES-256).
- Network segmentation, firewalls, and intrusion detection.
- Centralized logging and monitoring.
- Automated backups and disaster recovery planning.
- Confidentiality obligations and security training for all personnel with access to personal data.
- Periodic internal and third-party security assessments.
Data retention
Nimbata retains personal data for as long as necessary to deliver the service and as directed by you.
Specific retention periods:
- Call recordings and transcriptions: Retained based on your account settings. You can configure retention periods or delete data manually.
- Call metadata and analytics data: Stored for the duration of your customer relationship, subject to your data retention settings.
- Form and web interaction data: Retained in accordance with your configuration and applicable data protection requirements.
Upon termination of your account, Nimbata will delete or return personal data in accordance with the DPA, unless storage is required by applicable law.
Tools for managing personal data
Nimbata provides the following tools to help you meet your data protection obligations:
- Manual deletion: Individual calls, recordings, and transcripts can be deleted directly from Activity > Calls.
- Phone number redaction: Prevents caller IDs from being stored. Enabled via the advanced settings in Tracking > Tracking Code.
- Text redaction: Prevents SMS message content from being stored.
- Data export: Call data can be exported in full for portability or subject access requests.
- Account deletion: Deleting your account or a project removes associated data in accordance with retention settings.
Call recording consent (EU/UK)
In EU and UK jurisdictions, recording a call requires the caller's explicit consent before the recording begins.
If you have call recording enabled, use a Call Greeting to play a consent message before the call connects to an agent.
Detailed Guide: How to set up call greetings
Detailed Guide: How to allow customers to stop call recordings
Questions, DPA requests, and BAA requests
For data protection inquiries, DPA requests, BAA requests, or to exercise your rights as a data subject, contact support@nimbata.com.
Detailed Guide: What is the documentation required to comply with local telecommunications regulations?
Detailed Guide: Personal identity verification: how to activate a single tracking number
Updated on: 20/05/2026