VoiBo

Legal

GDPR & Data Protection

Last updated: May 2026

Working document. This statement has been prepared in good faith and reflects our current practices. Tech Bake Ltd intends to seek independent legal review. If you have any questions in the meantime, please contact us directly.

Our commitment

Tech Bake Ltd is committed to processing personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

We are registered with the Information Commissioner's Office:
ICO Registration No. ZB939721

Roles and responsibilities

As a data controller, Tech Bake Ltd determines the purposes and means of processing personal data collected through voibo.io, our booking system, and our client portal.

As a data processor, Tech Bake Ltd processes candidate and applicant data on behalf of our recruitment agency and in-house talent acquisition clients, who act as data controllers for their own candidates. We do so only on documented instructions from those clients.

Where Tech Bake Ltd acts as a data processor, we:

  • Process data only as instructed by the client
  • Ensure all staff with access to that data are bound by confidentiality
  • Implement appropriate technical and organisational security measures
  • Assist clients in responding to data subject rights requests
  • Delete or return data at the end of the service relationship
  • Notify clients without undue delay in the event of a data breach

Lawful basis for processing

Processing activityLawful basis
Responding to website enquiriesLegitimate interests
Demo bookingsLegitimate interests / Contract
AI call processing on behalf of clientsContract (with client)
Client portal accessContract
Website analyticsConsent (when implemented)

International data transfers

Some of our sub-processors are based outside the UK/EEA, including GoHighLevel and Retell AI (both USA). We rely on Standard Contractual Clauses (SCCs) approved by the ICO as the lawful mechanism for these transfers.

What this means in practice

We understand that “data processed in the US” can sound concerning. Here is an honest explanation of what Standard Contractual Clauses actually are and what they mean for your data.

SCCs are pre-approved legal contracts published by the UK's Information Commissioner's Office. When a UK or EU organisation uses a US-based technology provider, both parties sign these contracts. They legally bind the US provider to handle your data to exactly the same standards required by UK GDPR — not as a workaround, but as a formal, ICO-recognised legal safeguard.

Every major platform most organisations already use — Salesforce, HubSpot, Zoom, Microsoft Teams, Google Workspace — operates under this same SCC framework. It is the established international standard for responsible data handling across global software infrastructure.

Under SCCs, Retell AI and GoHighLevel are contractually required to:

  • Protect your data to UK GDPR standards
  • Use your data only for the purpose of delivering the service
  • Notify us promptly of any breach affecting your data
  • Delete your data when instructed to do so
  • Submit to audit rights

Your core data — call records, candidate information, and reporting — is stored in Supabase, which operates within EU jurisdiction on AWS infrastructure. If your organisation requires EU-only data storage across all processing, please contact us to discuss your specific requirements.

Data subject rights

Under UK GDPR, individuals have the following rights. To exercise any of them, contact info@techbake.ai:

  • Right of access — request a copy of data we hold about you
  • Right to rectification — request correction of inaccurate data
  • Right to erasure — request deletion of your data
  • Right to restrict processing — request we limit how we use your data
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to object — object to processing based on legitimate interests
  • Rights related to automated decision-making — VoiBo uses AI to conduct calls and summarise conversations. Final decisions about candidates are always made by human recruiters, not by automated systems alone.

We will respond to all requests within 30 days.

Data breach notification

In the event of a personal data breach likely to result in a risk to individuals' rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to individuals, we will also notify those individuals directly without undue delay.

Contact and complaints

For all data protection queries, contact us at info@techbake.ai.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office:

  • Website: ico.org.uk
  • Telephone: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Privacy PolicyTerms of ServiceCookie Policy