Click to Call is built with the understanding that it runs on arbitrary websites, talks to live visitors, and handles voice — a category of data that most privacy frameworks treat as sensitive. This page explains the technical controls that keep the widget safe to deploy.Documentation Index
Fetch the complete documentation index at: https://docs.apifycloud.io/llms.txt
Use this file to discover all available pages before exploring further.
Call audio in transit
Voice media travels over DTLS-SRTP end-to-end between the visitor’s browser and our infrastructure. Signalling runs over TLS 1.2+ with modern cipher suites. Audio captured on the network without the session keys is unintelligible. The widget itself is served over HTTPS only; modern browsers reject microphone access on any insecure page before audio is ever captured.Call recording
The Click to Call widget does not record call audio. No audio stream is captured, stored, or proxied on our side. If your contact centre records on its own side (e.g. on the SIP trunk it terminates calls on), that recording and its handling are governed by your contact centre’s policy — not by ApifyCloud. You’re responsible for any consent and retention obligations that apply.Data the widget processes
The widget collects visitor IP and user-agent (for fraud prevention and rate limiting), call metadata (IDs, duration, timestamps), any voluntary content you pass in via URL context or the pre-call form, and the live audio stream for the duration of a call. See Compliance for the full breakdown and lawful-basis guidance.Data retention
Retention for call metadata, survey responses, and event deliveries is defined per contract. Retention windows are agreed with each customer — there is no one-size-fits-all default. For deletion requests on specific records, contact support.Custom code sandbox
When you inject HTML / JavaScript into the widget, the code runs inside an iframe withsandbox="allow-scripts" and no
allow-same-origin. Because the sandbox has an opaque origin, the
script:
- Cannot read cookies or
localStorageon your site or onapifycloud.io. - Cannot read or modify the widget’s DOM.
- Cannot navigate the top-level window.
- Cannot call our APIs with the visitor’s credentials.
postMessage. See Custom code.
Parent-frame events
When the widget is embedded as an iframe, it can emit events to the parent page viapostMessage. The widget only delivers events to
origins you’ve allowlisted for your widget in the console (Call Studio
→ Embed). Default is deny — with no allowlist configured, no
events cross the frame boundary at all.
Custom code and server-side integrations still receive events — only
the cross-frame boundary is gated.
Visitor data boundaries
Everything the widget forwards to custom code, integrations, and parent pages is filtered:- Internal credentials (session tokens, voice-infrastructure tokens) are never exposed.
- URL context passed in query params is sanitised — keys must match a safe pattern, each value is capped, and a total budget applies per session.