CallTorch

Privacy Policy

Last updated: February 23, 2026

CallTorch ("the Service") is operated by GlobecSys Inc. ("we", "us", "our"). This Privacy Policy explains how we collect, use, store, and protect your information when you use the Service at calltorch.com.

1. Information We Collect

When you use CallTorch, we may collect the following information depending on how you access the Service:

  • Account Data (Authenticated Users): Your name, email address, and profile image provided through Google OAuth or Microsoft Azure AD sign-in.
  • Guest Data: If you join a session as a guest (without signing in), we collect only the display name you provide. No account or email data is stored for guests.
  • Phone Numbers: The phone number pairs you enter to create call sessions. These are stored as cryptographic hashes (SHA-256) for matching purposes and in normalized E.164 format for display.
  • Session Data: Call session metadata including creation timestamps, match status, session settings (guest access, password protection), and associated document references.
  • OAuth Tokens: Access and refresh tokens from Google or Microsoft used to create, share, and manage documents in your cloud storage on your behalf.
  • Session Logs: Diagnostic log entries associated with your call session (e.g. connection events, participant joins/leaves). These are stored temporarily in memory or Redis and are automatically deleted when the session ends.

2. How We Use Your Information

We use the collected information exclusively to:

  • Authenticate your identity via Google OAuth or Microsoft Azure AD.
  • Match phone number pairs between callers to establish shared sessions.
  • Create, share, and manage documents in your Google Drive or Microsoft OneDrive on your behalf.
  • Display your call session history, participant information, and shared documents.
  • Provide real-time updates to session participants via server-sent events (SSE).
  • Enable the destruction of documents and session data when requested or upon automatic expiry.
  • Generate diagnostic session logs for troubleshooting and operational monitoring.

3. Data Storage

CallTorch stores session and user data in a database. Documents are created in your personal Google Drive or Microsoft OneDrive account — CallTorch does not store document content on its own servers. Phone numbers are hashed using SHA-256 for matching and stored in normalized form for display purposes only.

Temporary real-time data (session events, participant state, session logs) may be stored in Redis, an in-memory data store. This data is ephemeral and is automatically purged when the session ends or the server restarts.

4. Data Sharing

We do not sell, trade, or otherwise transfer your personal information to third parties. Your data is shared only with:

  • Google APIs: To create and manage documents in Google Drive (for Google-authenticated sessions).
  • Microsoft Graph APIs: To create and manage documents in OneDrive (for Microsoft-authenticated sessions).
  • Your matched caller(s): When a call session is matched, other participants gain writer access to the shared documents. Their name and email may be visible to you and vice versa. Guest participants' chosen display names are visible to other session participants.

5. Data Destruction & Expiry

CallTorch is designed around ephemeral collaboration. Your data may be destroyed in the following ways:

  • Manual destruction: The session host can end a call at any time. Documents marked for auto-delete are permanently removed from the cloud provider, and all session records are deleted from our database.
  • Document preservation: Documents individually toggled to "preserved" by the host will not be deleted from the cloud provider when the session ends, though our database records are still removed.
  • Automatic expiry: Sessions that remain idle beyond a configurable lifetime (default: 24 hours) are automatically destroyed by our server-side housekeeping process. All associated documents, participant records, and session logs are permanently deleted.
  • Session logs: Per-session diagnostic logs stored in Redis are deleted when the session ends or expires.
  • This action is irreversible. GlobecSys Inc. cannot recover destroyed data.

6. CTDocuShare Linker Desktop Application

The CTDocuShare Linker ("Linker") is an optional desktop application that connects your workstation to CallTorch via the DialPad phone system. When you install and use the Linker, the following additional data practices apply:

  • Installation Registration: When first launched, the Linker registers itself with the CallTorch server, receiving a unique installation ID and API token. These are stored locally on your workstation.
  • DialPad OAuth: The Linker connects to your DialPad account via OAuth 2.0. By authorizing, you permit CallTorch to access your DialPad user profile (name, email, phone number) and call event data. OAuth tokens (access and refresh) are stored on the server and used to receive incoming call notifications.
  • Phone Number: Your DialPad phone number is fetched automatically via the DialPad API after OAuth authorization. It is not entered manually and is stored on the server to match incoming calls to your installation.
  • Heartbeat Data: The Linker periodically contacts the server (every 5–30 seconds) to check for notifications and report its online status. Only your installation ID and API token are transmitted.
  • Call Notifications: When an incoming call matches your DialPad phone number, the server queues a notification containing the caller's phone number and name (if available). The Linker retrieves and acknowledges these notifications.
  • No Screen or Keystroke Data: The Linker does not capture screen content, keystrokes, browsing history, or any data beyond what is described above.
  • Local Configuration: Settings (server URL, installation ID, API token) are stored in your operating system's user data directory using encrypted local storage. No passwords are stored locally.
  • HMAC Signing: API requests from the Linker may be signed with HMAC-SHA256 to verify authenticity. The shared signing key is embedded in the application.

You may disconnect your DialPad account at any time through the Linker's settings or by revoking access in your DialPad account settings. Uninstalling the Linker removes all locally stored configuration. Server-side records can be deactivated by contacting support.

7. OAuth Scopes

CallTorch requests the following OAuth permissions depending on your sign-in provider:

Google OAuth:

  • profile & email: To identify you and display your name and avatar.
  • drive.file: To create, edit, share, and delete files that CallTorch creates in your Google Drive. This scope does not grant access to your other Drive files.

Microsoft Azure AD:

  • profile & email: To identify you and display your name and avatar.
  • Files.ReadWrite.All: To create, edit, and delete documents in your OneDrive.
  • Notes.Create & Notes.ReadWrite.All: To create and manage OneNote notebooks (organizational accounts only).

8. Guest Access

Session hosts may enable guest access, allowing participants to join without signing in. Guests provide only a display name. Guest participants do not have OAuth tokens and therefore cannot create documents directly; they receive access to documents shared by the host. Guest sessions may be further protected by a password set by the host.

9. Cookies & Local Storage

We use session cookies to maintain your authentication state. These are essential and do not require consent.

In addition, when you accept cookies via the on-screen consent bar, we load the following third-party analytics and advertising services which set their own cookies:

  • GoSquared — web analytics to understand how visitors use the Service (page views, session duration, feature usage). GoSquared Privacy Policy.
  • Google Ads (gtag.js) — conversion tracking and remarketing to measure the effectiveness of our advertising. Google Privacy Policy.
  • Microsoft Advertising (Bing UET) — conversion tracking to measure the effectiveness of our Microsoft Ads campaigns. Microsoft Privacy Statement.

You may accept or decline tracking cookies when first visiting the site. If you decline, no third-party tracking scripts are loaded and no tracking cookies are set. Your preference is stored in browser local storage under the key cookie_consent and can be reset by clearing your browser's local storage for this site.

10. Security

We implement reasonable security measures to protect your data, including encrypted connections (HTTPS), secure OAuth token handling, cryptographic hashing of phone numbers, and optional password protection for call sessions. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

11. Children's Privacy

CallTorch is not intended for use by individuals under the age of 13. We do not knowingly collect personal information from children under 13.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. Your continued use of the Service after changes constitutes acceptance.

13. Your Rights

You have the right to:

  • Access the personal data we hold about you.
  • Request deletion of your data (use "End Call" or contact us).
  • Revoke Google OAuth access at any time through your Google Account settings.
  • Revoke Microsoft OAuth access at any time through your Microsoft Account settings.

14. Contact

For questions or concerns about this Privacy Policy, please contact GlobecSys Inc. at [email protected].

© 2026 CallTorch. All rights reserved.
Terms|Privacy|About|Help|

Share & destroy call notes — phone-matched ephemeral collaboration.