VICIfast

Privacy policy

Last updated · May 20, 2026

This policy covers both the VICIfast web platform and the VICIfast mobile softphone. Sections below are split so you can find what applies to you quickly.

What we collect (web platform)

Account data (name, email, country, optional phone), billing data (Stripe handles card details — we never see them), server metadata (host, IP, region, status), email delivery logs, and audit logs of state transitions.

Sub-processors

See our sub-processors list.

Your rights (GDPR)

You can export everything we have about you and request permanent anonymization any time from Data & privacy. Financial records are retained 7 years for legal/tax reasons.

Data residency

Your customer-facing server lives in the cloud region you picked at order time. Our control plane (this app, the billing database) lives separately — see DPA for the current location and sub-processor list.

VICIfastmobile softphone (Android & iOS)

The VICIfastmobile app is a SIP softphone that lets call-centre agents take and place calls on their employer’s VICIdial server. The sections below describe what the app collects, where it sends data, and why.

Device permissions and what they’re used for

  • Microphone— required only while a call is active. Audio is streamed in real time over SIP/RTP to your employer’s VICIdial server. The app itself never records, stores, or uploads call audio to VICIfast.
  • Notifications — required so incoming calls can ring on the device even when the app is in the background. The notification carries only the caller ID / extension, never call content.
  • Camera— used only when you choose the “Scan QR” provisioning flow under Settings → Advanced. The camera reads the QR code on screen; no photos or video are taken or stored.
  • Phone state (Android) — used to detect when a regular cellular call interrupts a SIP call so the app can hand off audio gracefully.
  • Network access— required to register with your employer’s VICIdial server, authenticate against VICIfast, and receive push notifications.
  • Foreground service / lock-screen call surface — required to keep the SIP socket alive and to show calls on the lock screen (Android ConnectionService / iOS CallKit + PushKit).

Data the mobile app collects or stores

  • VICIdial credentials(username + password + the “company code” / server slug you type at login) — stored on the device in encrypted secure storage (iOS Keychain / Android EncryptedSharedPreferences) so the app can transparently refresh your firewall whitelist when your IP changes. Sent to https://vicifast.com/api/mobile/login over HTTPS at sign-in and again when the firewall TTL approaches expiry.
  • Source IP address — captured by VICIfastwhen you sign in, used to add a temporary allow-rule on your employer’s VICIdial firewall so the server accepts your SIP connection. Logged in our audit trail (geo-enriched: country, city, ASN) and retained for 7 days, then purged automatically.
  • SIP credentials returned by your employer’s server (extension number + register password) — stored on the device in encrypted secure storage. Never transmitted to VICIfast.
  • Call history — stored locally on the device only, in an encrypted SQLite database. Never uploaded to VICIfast or any third party. Deleting the app deletes this history.
  • Push notification token (FCM on Android, PushKit on iOS) — kept on the device and provided to the SIP server so it can wake the app for incoming calls. Tokens are device-scoped; rotating them or uninstalling the app invalidates the token.

What we do not collect

  • No call audio recordings on our infrastructure. If your employer records calls, those recordings live on their VICIdial server.
  • No advertising IDs, no third-party advertising or marketing trackers.
  • No browsing history, no precise location (we do not use the Location permission), no contacts, no SMS, no calendar, no photos.
  • No analytics SDKs in the mobile app (no Google Analytics, no Firebase Analytics, no third-party crash reporters in production builds).

Who we share data with

  • Your employer’s VICIdial server — receives your SIP registration, call audio, and signaling. This server is administered by your employer (the VICIfast customer), not by us.
  • Google Firebase Cloud Messaging (Android only) — receives the push token used to wake the app for incoming calls. Subject to Firebase’s privacy notice.
  • Apple Push Notification service (PushKit) (iOS only) — same purpose as FCM on Apple devices.
  • We do not sell personal information, do not share it with advertisers, and do not use it for cross-context behavioural advertising.

Encryption in transit and at rest

  • All HTTPS traffic to VICIfast uses TLS 1.2 or higher with modern cipher suites and HSTS.
  • Credentials on the device are stored in the platform’s hardware-backed keystore (iOS Keychain / Android EncryptedSharedPreferences).
  • SIP signaling can be configured by your employer to use UDP, TCP, or TLS; transport is chosen by the server config they push to the app.

Data retention

  • Firewall whitelist rules expire automatically (default 24 h). Audit rows of sign-in attempts are retained for 7 days, then purged by an automated cron.
  • Call history stored locally on the device is retained until you delete the app or clear it from the Recents screen.
  • If your employer revokes your VICIdial account, the next sign-in attempt fails and the app deletes the locally-stored session.

Children

VICIfast is a business product for call-centre operators. It is not directed at children, and we do not knowingly collect personal information from anyone under 16.

Requesting deletion of mobile-app data

To delete your mobile app data:

  1. Sign out from the app (Settings → Sign out) — clears local credentials and call history.
  2. Uninstall the app — removes any remaining device-stored data.
  3. Email support@vicifast.com to request deletion of the audit-trail rows associated with your VICIdial username and last-known IPs.

Contact

Privacy requests: support@vicifast.com