When you decide to become a reseller of Callin.io in Dubai, you are not just offering technology — you are also taking on responsibilities around compliance. AI voice agents process personal data such as voice recordings and conversations, and under UAE law this brings strict obligations on transparency, consent, and data protection.
Imagine a hotel in Dubai that chooses to use your branded AI receptionist to manage calls. The hotel is not contracting directly with Callin.io but with you, the reseller. In this setup:
- Callin.io acts as the processor, hosting the servers, providing the AI models, and securing the technical environment.
- You, as the reseller, become the controller in front of the hotels, signing the contract, ensuring compliance, and bridging between Callin.io and the hotel.
- The hotel is also a controller towards its callers, since it decides to use the AI receptionist in its daily operations.
This framework applies not only to hotel guests but also to non-guests — such as suppliers, business partners, or external prospects. Under UAE law, every caller is a “data subject” and their voice counts as personal data. That means the same obligations apply regardless of who is on the line.
In practice, you must first have a contract with Callin.io that sets out how data is handled, including the transfer of data outside the UAE to the United States. You must then mirror these obligations in the agreements you sign with hotels, covering security measures, data retention, and the handling of data subject rights.
Hotels must provide all callers — both guests and non-guests — with a clear privacy notice stating that calls may be handled by an AI system, that data may be processed outside the UAE, and that the purpose of processing is limited to service or business communication.
If calls are recorded or analyzed, explicit consent must be collected and documented. Data cannot be kept indefinitely; a retention policy must be in place, such as deleting recordings after 30 or 60 days. Any caller, whether a guest or a supplier, must be able to exercise their rights under UAE law, including the right to access their call data, request corrections, or demand deletion.
If a data breach occurs, you must alert the hotels, coordinate with Callin.io, and assist the hotels in notifying regulators and affected callers when necessary.
Callin.io provides the secure technology, but as a reseller you are responsible for giving hotels a compliance package: contracts, privacy notices, disclaimers, and retention rules. This protects you legally and strengthens your value proposition, because you are offering not just AI technology but a complete, regulator-ready solution.
Practical Compliance Toolkit and Core Documents for Privacy Compliance in Dubai
To help resellers and hotels implement AI voice agents in full compliance with UAE privacy regulations, it is essential to provide them with clear and ready-to-use compliance materials. These documents serve three purposes: they establish the legal framework between reseller and hotel, they inform callers transparently about how their data is processed, and they ensure that every interaction with the AI receptionist begins with proper disclosure.
Below you will find three practical components that form the foundation of this compliance package:
- A contractual clause to be included in reseller–hotel agreements, clarifying roles and responsibilities for data processing.
- A privacy notice for hotels to share with their callers, covering both guests and non-guests.
- A call disclaimer to be played at the start of each interaction, giving immediate transparency and offering callers the option to decline.
These elements together create a simple but robust framework that protects resellers, hotels, and end-users, while ensuring alignment with UAE privacy law.
1. Contractual Clause (Reseller → Hotel)
Data Processing and Compliance
The Reseller acknowledges that Callin.io acts as a Data Processor and that the Hotel acts as a Data Controller with respect to all personal data collected during the use of the AI voice agent.
The Hotel shall ensure that all callers (guests and non-guests) are informed that their calls may be handled by an AI system and that voice data may be processed outside the UAE, including on servers located in the United States.
The Hotel shall obtain explicit consent from callers where required by law, particularly when calls are recorded or analyzed for training or quality purposes. The Hotel shall implement appropriate data retention policies (not exceeding 60 days unless otherwise agreed in writing) and shall facilitate the exercise of data subject rights, including access, correction, and deletion requests. The Reseller will provide the Hotel with compliance materials (privacy notices and call disclaimers) to support these obligations.
2. Privacy Notice (Hotel → Callers)
Privacy Notice – AI Receptionist Service
This hotel uses an AI-powered receptionist system to manage incoming and outgoing calls. Your call may be handled by this system and, where necessary, recorded to assist with bookings, inquiries, or customer service.
Please note that your voice and related personal data may be processed securely on servers located outside the UAE, including in the United States. The data will only be used for legitimate business purposes and will not be shared for unrelated activities.
You have the right to request a copy of your data, ask for corrections, or request deletion at any time. To exercise these rights, please contact [Hotel Contact / Data Protection Officer email].
We apply strict retention policies and delete or anonymize call recordings after a maximum of 60 days unless a longer period is required for legal or contractual reasons.
By continuing with this call, you acknowledge that you have been informed of the processing of your data. If you do not wish to proceed, please inform our staff.
3. Call Disclaimer (to be played at the beginning of calls)
“This call may be handled by our AI receptionist system and may be recorded for service purposes. Your data may be processed securely, including on servers located outside the UAE. If you do not consent, please inform us immediately or end the call.”
A short disclaimer such as “This call may be managed by our AI system and your data may be processed and recorded securely. If you do not agree, please let us know.” is clear and concise, but on its own it may not fully meet UAE compliance requirements. The main issue is that it does not mention the potential transfer of data to foreign servers.
There are three approaches that hotels and resellers can adopt:
- Short disclaimer with reference to a privacy policy
Use an essential sentence during the call and direct callers to the hotel’s website for full details. For example: “…For more information, please see our Privacy Policy at [hotel website link].” - Disclaimer explicitly mentioning foreign servers
Make the notice more transparent by including cross-border transfers, e.g.: “This call may be managed by our AI system and your data may be processed and recorded securely on servers located outside the UAE. If you do not agree, please let us know.” - Hybrid approach (brief + policy reference)
Combine both: “This call may be managed by our AI system and your data may be processed securely, including on servers outside the UAE. For details, please see our Privacy Policy at [link]. If you do not agree, please let us know.”
From a legal standpoint, the safest option is either the explicit reference to foreign servers or the hybrid version that also links to a full privacy policy. The ultra-short version is user-friendly but carries more compliance risk if regulators question the adequacy of caller information.
Vincenzo Piccolo specializes in AI solutions for business growth. At Callin.io, he enables businesses to optimize operations and enhance customer engagement using advanced AI tools. His expertise focuses on integrating AI-driven voice assistants that streamline processes and improve efficiency.
Vincenzo Piccolo
Chief Executive Officer and Co Founder
