Privacy Policy | AI ChatterVox

1. Introduction

AI ChatterVox Consulting ("we," "our," or "us") is a managed AI voice agent service incorporated in the Province of Ontario, Canada, and operated from Toronto. We provide AI-powered voice agents that answer telephone calls, book appointments, and qualify leads on behalf of our business clients across the United States and Canada, including medical practices, real estate agencies, and home service companies.

This Privacy Policy explains how we collect, use, disclose, retain, and protect personal information when you:

Visit or interact with our website at https://aichattervox.com (the "Site");
Subscribe to or use our managed AI voice agent services as a business client (a "Client"); or
Place a telephone call to a phone number serviced by our AI voice agent (a "Caller").

By using our Site or services, or by calling a number handled by our AI voice agent, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please discontinue use of our Site and services.

2. Information We Collect

We collect personal information from three categories of individuals: Clients, Callers, and website visitors. The types of information collected vary by category.

2.1 Information Collected from Clients

Account Information: Full name, business name, email address, phone number, and mailing address provided during registration and onboarding.
Payment Information: Credit or debit card details, billing address, and transaction history. All payment data is processed and stored by Stripe, Inc. We do not store full card numbers on our own servers.
Business Configuration Data: Industry type, call handling instructions, greeting scripts, appointment types, business hours, CRM integration credentials, and calendar connection details.
Communications: Emails, support tickets, and other correspondence exchanged between you and our team.

2.2 Information Collected from Callers

Phone Number: The caller's telephone number as transmitted by their carrier (caller ID).
Voice Recordings: Audio recordings of the entire telephone conversation between the Caller and our AI voice agent.
AI-Generated Transcripts: Text transcriptions of recorded calls produced through automated speech-to-text processing.
Appointment and Scheduling Details: Date, time, reason for appointment, and any other details provided by the Caller during the call.
Caller-Provided Personal Information: Name, email address, mailing address, and any additional personal details a Caller voluntarily provides during a call.
Protected Health Information (PHI): For calls to medical practice clients, Callers may disclose health-related information such as symptoms, medical conditions, prescriptions, or insurance details. See Section 9 for specific protections.

2.3 Information Collected Automatically

Device and Browser Data: IP address, browser type and version, operating system, device type, screen resolution, and language preference.
Usage Data: Pages visited, time spent on each page, click patterns, referral URLs, and session identifiers.
Cookies and Tracking Technologies: We use cookies and similar technologies through PostHog, Google Analytics (GA4), and Vercel Analytics. See Section 14 for details.

3. How We Use Information

We use the information we collect for the following specific purposes:

3.1 Client Information

To create, maintain, and administer your account;
To configure, deploy, and manage your AI voice agent;
To process subscription payments and issue invoices;
To provide technical support and respond to inquiries;
To send service-related communications, including billing confirmations, plan changes, and scheduled maintenance notices;
To integrate with your CRM, calendar, and other third-party tools as directed by you.

3.2 Caller Information

To provide real-time AI voice agent responses during the call;
To book appointments, answer inquiries, and qualify leads on behalf of the Client;
To generate call transcripts and summaries for the Client;
To improve voice agent accuracy and call handling quality;
To share call data (recordings, transcripts, appointment details) with the Client whose phone number was called;
To comply with call recording consent laws.

3.3 Website Visitor Information

To analyze website traffic and usage patterns;
To improve our Site's performance, navigation, and content;
To detect and prevent fraud, abuse, and security incidents;
To comply with applicable legal obligations.

4. AI and Automated Processing

Our core service relies on artificial intelligence to handle telephone calls on behalf of our Clients. You should be aware of the following:

AI-Handled Calls: All calls answered by our service are handled by an AI voice agent, not a human. The AI agent identifies itself as an AI assistant at the beginning of each call.
Voice Processing: We use ElevenLabs, a third-party AI voice technology provider, to process voice data. This includes converting spoken words to text (speech-to-text) and generating spoken responses from text (text-to-speech). ElevenLabs processes voice data in real time to facilitate the conversation.
Automated Transcription: Call recordings are processed by AI to generate text transcripts. These transcripts may contain inaccuracies inherent to automated speech recognition.
No Model Training: Call recordings and transcripts are not used to train any AI models, whether our own or those of our third-party providers. Your voice data is used solely for the purpose of providing the service during and after the call.
Automated Decision-Making: The AI agent may make automated decisions during a call, such as determining appointment availability or qualifying a lead based on Client-defined criteria. These decisions are based on the Client's configuration and do not involve profiling that produces legal or similarly significant effects on the Caller.

5. Call Recording and Consent

Call recording is a fundamental component of our service. We take the following steps to ensure compliance with applicable consent laws:

Recording Disclosure: Our AI voice agent announces at the beginning of every call that the call may be recorded. This announcement is made before any substantive conversation takes place.
AI Identification: Our AI voice agent identifies itself as an AI assistant at the start of each call, ensuring the Caller is aware they are speaking with an automated system.
Consent Model: We default to an all-party (two-party) consent model, meaning the AI agent obtains verbal acknowledgment before proceeding. This satisfies the requirements of both one-party and two-party consent jurisdictions.
Two-Party Consent Jurisdictions: The following U.S. states require all-party consent for call recording: California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, Vermont, and Washington. In Canada, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and the Criminal Code generally require one-party consent, though we apply all-party consent as our standard practice.
Withdrawal of Consent: If a Caller declines to be recorded or requests that recording stop, they may disconnect the call or inform the AI agent. Clients are responsible for providing an alternative contact method (such as a direct phone line) for Callers who do not wish to interact with the AI voice agent.

6. Data Sharing and Third Parties

We share personal information with the following categories of third-party service providers, solely for the purposes described in this Policy. We do not sell personal information to any third party.

ElevenLabs (San Francisco, CA, USA) — Processes voice data in real time for speech-to-text and text-to-speech functionality during AI voice agent calls. Voice data is processed transiently and is not retained by ElevenLabs for model training under our agreement.
Stripe, Inc. (San Francisco, CA, USA) — Processes Client subscription payments, stores payment methods, and manages billing. Stripe is a PCI-DSS Level 1 certified payment processor.
Supabase, Inc. (San Francisco, CA, USA) — Provides our primary database and data storage infrastructure. Client account data, call records, transcripts, and agent configurations are stored in Supabase-hosted databases.
Cal.com, Inc. (San Francisco, CA, USA) — Provides scheduling and appointment booking infrastructure for Clients who enable calendar integration.
Resend, Inc. (San Francisco, CA, USA) — Delivers transactional emails on our behalf, including account notifications, billing receipts, and service communications.
PostHog, Inc. (San Francisco, CA, USA) — Provides product analytics to help us understand how visitors and Clients use our Site and dashboard. Collects usage data, session recordings, and event data.
Google LLC (Mountain View, CA, USA) — Provides Google Analytics 4 (GA4) for website traffic analysis, including page views, referral sources, and demographic data.
Vercel, Inc. (San Francisco, CA, USA) — Hosts our website and provides Vercel Analytics for performance monitoring, including page load times and visitor metrics.
Client-Designated CRM Providers — Where a Client has configured a CRM integration, we transmit call data (Caller phone number, transcript summaries, appointment details, and lead qualification data) to the Client's CRM platform as directed. The CRM provider's own privacy policy governs their use of that data.

We may also disclose personal information where required by law, regulation, court order, or governmental request, or where we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

7. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. The following retention periods apply:

Call Recordings: Retained for 90 days from the date of the call, then permanently deleted. Clients may request earlier deletion.
Call Transcripts: Retained for 12 months from the date of the call, then permanently deleted. Clients may request earlier deletion.
Client Account Data: Retained for the duration of the Client's active subscription plus 12 months following account closure, to allow for account reactivation and to resolve any post-termination matters.
Payment and Billing Records: Retained for 7 years from the date of the transaction, as required by Canadian and U.S. tax laws.
Website Analytics Data: Retained for 26 months from the date of collection, consistent with standard analytics retention periods.

Where a legal obligation, regulatory investigation, or dispute requires longer retention, we will retain the relevant data for the duration necessary to resolve the matter.

8. Data Security

We implement commercially reasonable technical and organizational measures to protect personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

Encryption in Transit: All data transmitted between your browser and our servers, and between our servers and third-party providers, is encrypted using TLS 1.2 or higher.
Encryption at Rest: Call recordings, transcripts, and Client data stored in our databases are encrypted at rest using AES-256 encryption.
Access Controls: Access to personal information is restricted to authorized personnel on a need-to-know basis. We enforce role-based access controls and multi-factor authentication for all administrative access.
Infrastructure Security: Our application is hosted on Vercel's SOC 2 compliant infrastructure, and our database is hosted on Supabase's SOC 2 compliant platform.
Incident Response: We maintain an incident response plan to address suspected data breaches. In the event of a breach involving personal information, we will notify affected individuals and relevant regulatory authorities within the timeframes required by applicable law (72 hours under PIPEDA breach notification requirements).

Despite these measures, no system of transmission or storage is completely secure. We cannot guarantee the absolute security of your personal information.

9. HIPAA and Healthcare Data

Certain Clients are healthcare providers or medical practices subject to the U.S. Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). When we process Protected Health Information ("PHI") on behalf of such Clients, the following additional protections apply:

Business Associate Agreement (BAA): Before we process any PHI, the Client must execute a Business Associate Agreement with us. We will not knowingly handle PHI for any Client who has not signed a BAA.
PHI Protections: PHI is handled in accordance with HIPAA's Privacy Rule and Security Rule, including the minimum necessary standard, access controls, audit logging, and encrypted storage.
Zero Retention API Mode: For healthcare Clients, we configure our AI voice processing provider (ElevenLabs) to operate in Zero Retention Mode, meaning that voice data is processed in real time and is not stored or retained by ElevenLabs after the call ends.
Breach Notification: In the event of a breach of unsecured PHI, we will notify the affected Client without unreasonable delay and no later than 60 days from discovery, in accordance with HIPAA's Breach Notification Rule (45 CFR Part 164, Subpart D). The Client (as the Covered Entity) is responsible for notifying affected individuals and the U.S. Department of Health and Human Services.
Subcontractor Agreements: We ensure that any subcontractor that processes PHI on our behalf has entered into an appropriate Business Associate subcontractor agreement.

10. Your Privacy Rights

Your rights depend on your jurisdiction. Below, we describe the rights available to individuals under Canadian and California law.

10.1 Rights Under PIPEDA (Canada)

If you are a resident of Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) grants you the following rights:

Right of Access: You may request a copy of the personal information we hold about you.
Right to Correction: You may request that we correct inaccurate or incomplete personal information.
Right to Withdraw Consent: You may withdraw your consent to the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions. We will inform you of the consequences of withdrawal.
Right to Complain: You may file a complaint with the Office of the Privacy Commissioner of Canada if you believe we have violated your privacy rights.

To exercise these rights, contact our Privacy Officer at privacy@aichattervox.com. We will respond to your request within 30 days.

10.2 Rights Under the CCPA/CPRA (California)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), grants you the following rights:

Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources, the purposes for collection, and the third parties with whom we share it.
Right to Delete: You may request that we delete personal information we have collected from you, subject to certain exceptions.
Right to Correct: You may request that we correct inaccurate personal information.
Right to Opt-Out of Sale or Sharing: You have the right to opt out of the sale of your personal information or the sharing of your personal information for cross-context behavioral advertising. As stated in Section 11, we do not sell or share personal information.
Right to Limit Use of Sensitive Personal Information: You may direct us to limit the use and disclosure of your sensitive personal information to only what is necessary to provide the service.
Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.

To exercise these rights, contact us at privacy@aichattervox.com. We will acknowledge your request within 10 business days and provide a substantive response within 45 days. If additional time is needed, we will notify you of an extension of up to an additional 45 days.

We may require you to verify your identity before fulfilling a request. For Callers, identity verification may require providing the phone number used for the call, the approximate date and time of the call, and sufficient information to locate the relevant records.

11. Do Not Sell or Share

We do not sell your personal information to third parties, and we have not sold personal information in the preceding 12 months. We do not share your personal information for cross-context behavioral advertising as defined under the CCPA/CPRA.

Caller data processed on behalf of our Clients is shared with the applicable Client as part of our service delivery. This data sharing is performed at the Client's direction and constitutes a service provider relationship, not a sale or sharing of personal information under the CCPA/CPRA.

12. Children's Privacy

Our Site and services are not directed to individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13, we will take steps to delete that information as promptly as practicable. If you believe we have collected information from a child under 13, please contact us at privacy@aichattervox.com.

13. International Data Transfers

Our company is based in Ontario, Canada, and our third-party service providers are primarily located in the United States. As a result, personal information may be transferred across the Canada-United States border and processed in a jurisdiction other than where it was originally collected.

When personal information is transferred from Canada to the United States, or vice versa, we ensure that it is protected by appropriate contractual safeguards consistent with PIPEDA's requirements for cross-border transfers. By using our services, you acknowledge that your personal information may be processed in Canada and the United States, where data protection laws may differ from those in your jurisdiction.

14. Cookie Policy

Our Site uses cookies and similar tracking technologies to collect and store information when you visit our pages. The following cookies are in use:

PostHog: Sets analytics cookies to track user sessions, page views, and feature usage. These cookies help us understand how visitors interact with our Site and dashboard.
Google Analytics 4 (GA4): Sets cookies (including _ga and _ga_*) to distinguish unique users, track sessions, and collect aggregate traffic data. Data is processed by Google LLC.
Vercel Analytics: Uses lightweight, privacy-focused analytics that collect performance data including page load times and Web Vitals. Vercel Analytics is designed to operate without persistent cookies in most cases.

You can control cookie preferences through your browser settings. Disabling cookies may affect the functionality of certain features on our Site. Most browsers allow you to refuse or delete cookies; consult your browser's help documentation for instructions.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, or legal requirements. When we make material changes, we will:

Update the "Last updated" date at the top of this page;
Post the revised Privacy Policy on our Site; and
For Clients with active accounts, send an email notification to the email address associated with your account at least 15 days before the changes take effect.

Your continued use of our Site or services after the effective date of a revised Privacy Policy constitutes your acceptance of the revised terms.

16. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us using the information below:

Privacy Officer: privacy@aichattervox.com
General Inquiries: admin@aichattervox.com
Mailing Address:
AI ChatterVox Consulting
Toronto, Ontario, Canada

We aim to respond to all privacy-related inquiries within 30 days of receipt.