> ## Documentation Index
> Fetch the complete documentation index at: https://docs.apifycloud.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Compliance & privacy

> What data Click to Call processes, consent patterns, and how to handle sensitive use cases

Click to Call processes voice and personal data on behalf of both you
(the controller) and ApifyCloud (the processor). This page covers what
data is involved and the consent patterns you can build into the
widget.

## Personal data processed

The widget touches four categories of data:

| Category          | Examples                                                                        |
| ----------------- | ------------------------------------------------------------------------------- |
| Identifiers       | IP address, user agent, session token                                           |
| Call metadata     | Call id, duration, timestamps                                                   |
| Voluntary content | URL context (`orderId`, `customerTier`), survey responses, pre-call form fields |
| Audio stream      | The call audio itself                                                           |

URL context is whatever you pass to the widget — you control what goes
in it, and you're responsible for the lawful basis to send it to us.
Don't include sensitive categories (health, financial account numbers,
biometrics) unless you've done the legal analysis on your side.

## Consent patterns

### Microphone permission

Handled by the browser's native permission prompt. No extra layer is
added. When the visitor taps the call button for the first time, the
browser shows its standard "allow microphone access" dialog.

### Before-call disclosure

Regulated industries (finance, health) often require disclosing data
collection before the microphone is active. Place a text block in the
idle state of the widget (designed in Call Studio) with your disclosure
text — it renders above the call button, so the visitor reads it
before tapping.

### Cookie consent (for custom code / analytics)

Any analytics pixels you add via [Custom code](/guides/click-to-call/custom-code)
live inside a sandbox with an opaque origin. They can't read or write
cookies on your domain, so they don't fall under your site's cookie
banner — they get their own cookie jar per sandbox.

That said, if you ship analytics pixels inside the sandbox, their
tracking is still attributable to the visitor on the pixel provider's
own domains. You should disclose their presence in your privacy
notice.

## PCI, HIPAA, and similar

* **PCI** — we're not a payment processor and we do not accept card
  data through the widget. Don't paste card numbers into URL context
  or survey fields.
* **HIPAA** — Click to Call is not currently a HIPAA-eligible service.
  Do not use it to transmit Protected Health Information (PHI).

## Contact

For privacy questions or compliance review requests, contact support.
