Privacy Policy
Last updated: February 2026
Total View AI — operated by Human in the Loop Limited (trading as HITL Ltd)
A company incorporated in the Isle of Man
1. Who We Are
Human in the Loop Limited, trading as HITL Ltd ("we", "us", "our"), operates the Total View AI platform ("Platform"), an AI-powered quality assurance solution for call centres and regulated businesses.
Data Protection Contact:
Email: privacy@totalview.ai
For the purposes of applicable data protection legislation:
- When we process personal data of visitors to our website or prospective customers, we act as a Data Controller.
- When we process personal data contained in call recordings and transcripts on behalf of our clients, we act as a Data Processor under the instructions of our clients (who are the Data Controllers). The processing of such data is governed by our Master Services Agreement and Data Processing Addendum with each client.
2. Data Protection Framework
We are subject to the Isle of Man Data Protection Act 2018, which is aligned with and recognised as adequate under both the EU General Data Protection Regulation (EU 2016/679) and the UK GDPR. The Isle of Man holds adequacy decisions from both the European Commission and the UK Government, ensuring that personal data can flow freely between the Isle of Man, the EU, and the UK without additional safeguards.
3. Personal Data We Collect
3.1 Website Visitors and Prospective Customers
| Category | Data Types | Lawful Basis |
|---|---|---|
| Contact information | Name, email address, phone number, company name, job title | Consent / Legitimate interest |
| Account data | Login credentials, user preferences, role and permissions | Contract performance |
| Usage data | Pages visited, features used, session duration, IP address, browser type, device information | Legitimate interest |
| Communications | Emails, support tickets, enquiry forms, call notes | Consent / Legitimate interest |
| Payment data | Billing address, payment method details (processed via third-party payment provider — we do not store full card details) | Contract performance |
3.2 Call Data Processed on Behalf of Clients (Processor Role)
When our clients upload or transmit call recordings to the Platform, the following personal data may be processed:
- Voice recordings of callers and call centre agents
- Names and identifiers spoken during calls
- Telephone numbers and call metadata
- Account references and customer identifiers
- Financial information discussed during calls (e.g. account balances, payment details)
- Health and vulnerability data incidentally captured in call content (special category data)
Important: We process this data solely on the instructions of our clients under a Data Processing Addendum. Our clients are responsible for ensuring they have a lawful basis for recording calls and submitting them to us for processing.
4. How We Use Personal Data
4.1 As Data Controller (Our Own Purposes)
| Purpose | Lawful Basis |
|---|---|
| Providing and managing your account | Performance of contract |
| Processing payments | Performance of contract |
| Responding to enquiries and providing support | Legitimate interest |
| Sending service-related communications | Performance of contract |
| Marketing communications (only with consent) | Consent |
| Improving our Platform and services | Legitimate interest |
| Complying with legal obligations | Legal obligation |
| Protecting against fraud and security threats | Legitimate interest |
| Generating anonymised analytics and benchmarks | Legitimate interest |
4.2 As Data Processor (On Behalf of Clients)
We process Call Data solely to:
- Transcribe audio recordings using automated speech-to-text technology
- Analyse transcripts using AI to generate quality scores and compliance assessments
- Store Call Data for the retention period agreed with the client
- Return or delete Call Data upon the client's instruction or contract termination
We do not:
- Use Call Data for our own purposes (except where anonymised and aggregated as permitted by the MSA)
- Sell, rent, or share Call Data with third parties except approved Sub-processors
- Make independent decisions about how Call Data is used
- Retain Call Data beyond the agreed retention period
5. AI Processing and Automated Decision-Making
Our Platform uses artificial intelligence (including large language models) to analyse call transcripts and generate Quality Scores. This constitutes automated processing of personal data.
Quality Scores are provided to our clients as decision-support tools only. They are not used to make decisions that produce legal effects or similarly significant effects on individuals without human involvement.
Our clients are responsible for ensuring that any decisions made using Quality Scores (including employment, performance, or disciplinary decisions relating to call centre agents) comply with applicable data protection legislation, including the right not to be subject to solely automated decision-making under Article 22 of the GDPR.
We do not use Call Data to train, fine-tune, or improve AI models. Call Data is processed through AI models on a transactional basis only and is not retained by AI providers for model training purposes.
6. Data Sharing and Sub-Processors
We may share personal data with the following categories of recipients:
| Recipient | Purpose | Location |
|---|---|---|
| AssemblyAI | Automated transcription of audio recordings via EU endpoint. Ephemeral processing — no long-term storage. SOC 2 Type 2 compliant. | EU (Dublin, AWS eu-west-1) |
| Anthropic (Claude) via AWS Bedrock | AI-powered quality analysis of transcripts via AWS Bedrock with Cross-Region Inference Settings (CRIS) enforcing EU-only processing. No data retention by Anthropic. Not used for model training. | EU (AWS eu-west-1 / eu-west-2) |
| Amazon Web Services (AWS) | Cloud infrastructure, hosting, compute, database, and data storage for the entire Platform | EU (AWS eu-west-1) |
| Paddle.com Market Limited / Paddle.com Inc | Merchant of Record and payment processing. Paddle acts as the authorised reseller and handles all billing, invoicing, tax collection, and refunds on our behalf. We do not store full card details. | UK / USA |
| Professional advisers | Legal, accounting, and insurance services | Isle of Man / UK |
We will not sell your personal data to any third party.
We may disclose personal data where required by law, regulation, court order, or request from a regulatory authority (including the FCA, Ofcom, ICO, or SRA where applicable to our clients' operations).
7. International Data Transfers
All Call Data is processed and stored within the European Union.
HITL Ltd is incorporated in the Isle of Man, which benefits from adequacy decisions by both the European Commission and the UK Government under their respective data protection frameworks.
Where any Sub-processor processes data outside the EU or Isle of Man, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, verification of the receiving country's data protection standards, and supplementary measures where required following a transfer impact assessment.
8. Data Retention
8.1 Data We Control
| Data Category | Retention Period |
|---|---|
| Account information | Duration of the account + 12 months after closure |
| Billing and payment records | 7 years (legal and tax obligations) |
| Marketing consents | Until consent is withdrawn |
| Website analytics | 26 months |
| Support correspondence | Duration of the account + 24 months |
8.2 Data We Process on Behalf of Clients
Call Data is retained for the period specified in the applicable Order Form or Data Processing Addendum. Upon termination of the client relationship or expiry of the retention period, Call Data is securely deleted within 30 days unless the client requests return of data.
9. Data Security
We implement the following technical and organisational measures to protect personal data:
- Encryption: TLS 1.2+ in transit, AES-256 at rest
- Access control: Role-based access with least-privilege principle
- Authentication: Multi-factor authentication for all administrative and platform access
- Monitoring: Automated audit logging of all data access and processing activities
- Testing: Regular penetration testing and vulnerability assessments (at least annually)
- Personnel: Background checks and confidentiality agreements for all staff with data access
- Incident response: Documented security incident response plan with defined escalation procedures
- Business continuity: Regular encrypted backups with tested restoration procedures
10. Your Rights
Under applicable data protection legislation, you have the following rights in relation to personal data we hold about you as a Data Controller:
| Right | Description |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Rectification | Request correction of inaccurate or incomplete data |
| Erasure | Request deletion of your data where there is no compelling reason for continued processing |
| Restriction | Request restriction of processing in certain circumstances |
| Portability | Receive your data in a structured, commonly used, machine-readable format |
| Objection | Object to processing based on legitimate interest or for direct marketing |
| Automated decisions | Not be subject to decisions based solely on automated processing that produce legal or significant effects |
| Withdraw consent | Withdraw consent at any time where processing is based on consent |
For data subjects whose data is in Call Data: If your personal data has been processed through our Platform on behalf of one of our clients, please direct your data subject rights request to the relevant client (the Data Controller). We will assist our clients in responding to such requests in accordance with our contractual obligations.
To exercise your rights: Contact us at privacy@totalview.ai.
We will respond to all valid requests within one calendar month of receipt. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests.
11. Cookies and Tracking
Our website uses cookies and similar tracking technologies. We categorise these as:
- Strictly necessary cookies: Required for the Platform to function. No consent required.
- Analytical cookies: Help us understand how visitors use our website. Require consent.
- Marketing cookies: Used to deliver relevant advertising. Require consent.
You can manage your cookie preferences through our cookie consent tool displayed on first visit, or through your browser settings.
We do not use tracking technologies within the Platform's call processing environment.
12. Children's Data
Our Platform and services are designed for business use only. We do not knowingly collect personal data from individuals under the age of 18. If call recordings submitted by clients contain the voices of minors, the client is responsible for ensuring appropriate legal bases and safeguards are in place.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the updated policy on our website with a revised "Last updated" date
- Emailing registered users of the Platform
- Providing notice within the Platform interface
14. Complaints
If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with:
Isle of Man Information Commissioner
P.O. Box 69, Douglas, Isle of Man, IM99 1EQ
Email: ask@inforights.im
If your complaint relates to processing carried out under EU GDPR, you may also lodge a complaint with the relevant supervisory authority in your EU Member State.
If your complaint relates to processing carried out under UK GDPR, you may contact:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
15. Contact Us
For any questions about this Privacy Policy or our data processing practices:
Human in the Loop Limited (trading as HITL Ltd)
Isle of Man
Data Protection Contact: privacy@totalview.ai