Privacy

Effective Date: November 30, 2025

OfferAxis, LLC dba CallVanta ("CallVanta," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard your personal information when you access or use our website at callvanta.com (the "Site"), AI receptionist services, dashboard, mobile applications, APIs, chatbots, SMS features, or any related tools (collectively, the "Services").

Our Services are provided exclusively to businesses and individuals in the United States (all 50 states and the District of Columbia). This policy applies to personal information we collect as a controller under applicable laws. It complies with federal laws (e.g., TCPA, COPPA) and all state comprehensive privacy laws effective as of 2026, including but not limited to: the California Privacy Rights Act (CPRA, effective with 2026 updates for automated decision-making technology or "ADMT" opt-outs and cybersecurity audits); Colorado Privacy Act (CPA, including opt-out preference signals); Virginia Consumer Data Protection Act (VCDPA); Connecticut Data Privacy Act (CTDPA, with 2026 amendments removing "solely" from automated decisions); Utah Consumer Privacy Act (UCPA); Texas Data Privacy and Security Act (TDPSA); Oregon Consumer Privacy Act (OCPA); Montana Consumer Data Privacy Act (MCDPA, with 2025 amendments); Delaware Personal Data Privacy Act (DPDPA); Iowa Consumer Data Protection Act (ICDPA); Indiana Consumer Data Protection Act (INDCDPA); Tennessee Information Protection Act (TIPA); Minnesota Consumer Data Privacy Act (MNC DPA); Nebraska Data Privacy Act (NDPA); New Hampshire Privacy Act (NHPA); New Jersey Data Privacy Act (NJDPA); Kentucky Consumer Data Protection Act (KCDPA); Maryland Online Data Privacy Act (MODPA); Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA); and Florida Digital Bill of Rights (FDBR). We also address AI-specific requirements under state laws like the California AI Transparency Act and Colorado AI Act (bias mitigation disclosures).

For non-U.S. residents, we do not intentionally target or collect data from individuals outside the U.S., and our Services are not available internationally. If you have questions, contact us at support@callvanta.com or: OfferAxis, LLC dba CallVanta 7901 4th St N Ste 300 St. Petersburg, FL 33702

This policy does not apply to third-party sites or services you access via integrations (e.g., Google Calendar, GoHighLevel, Mindbody, Jane,& EHRs). Review their policies separately.

  1. Information We Collect

We collect information only as necessary to provide the Services. "Personal information" means information that identifies, relates to, or could reasonably be linked to an individual or household (as defined under applicable state laws, e.g., CCPA §1798.140(v)).

A. Information You (Subscribers) Provide Directly

  • Account and billing details: Name, email, phone number, company name, billing address, payment method (via Stripe or QuickBooks Payments; we do not store full card details).

  • Business customization data: Website content, AI scripts/FAQs, calendar/CRM credentials (e.g., GoHighLevel, Salesforce), customer lists for reactivation, integration access tokens.

  • Communications: Support inquiries, feedback, or marketing opt-ins via email or dashboard.

B. Information from Callers and Interactions (Processed on Your Behalf)

  • Call-related data: Recordings, transcripts, voice biometrics (for AI processing), caller phone numbers, messages, appointment details, spam screening results.

  • SMS/MMS: Messages sent/received, opt-in confirmations, timestamps.

  • Chatbot interactions: Web chat logs, inquiries, lead capture data. We do not collect sensitive information (e.g., health, race, religion) unless you voluntarily provide it during customization, and even then, we process it only for service delivery. No precise geolocation or financial account details beyond basic payments.

C. Automatically Collected Information

  • Device and usage data: IP address, browser type, device ID, operating system, pages viewed, session duration, referral sources.

  • Analytics: Aggregated usage metrics (e.g., feature interactions) via tools like Google Analytics (anonymized IPs).

  • Cookies and trackers: Essential cookies for site functionality; analytics/marketing cookies for performance (opt-out via browser settings or our dashboard). We do not use third-party trackers for cross-site behavioral advertising.

D. Information from Third-Party Integrations

  • Limited data from connected tools: E.g., calendar availability from Google/Outlook, contact names from CRM—only what you authorize for integrations. We never access or store protected health information (PHI) under HIPAA.

Sources: Directly from you/subscribers, automatically via Services, or from integrations/third parties (e.g., payment processors). We collect no public records or inferred data beyond basic analytics..

2. How We Use Your Information

We use information for legitimate business purposes, with your consent where required, or as permitted by law:

  • Provide and improve Services: Customize AI scripts, handle calls/chats/SMS, book appointments, generate transcripts/analytics, integrate with your tools.

  • Billing and account management: Process payments, send invoices/receipts, manage subscriptions.

  • Communications: Send service updates, support responses, or (with opt-in) marketing emails/newsletters.

  • AI enhancement: Use de-identified/aggregated call transcripts, chat logs, and voice data to train/refine AI models (no re-identification; complies with CA AI Transparency Act disclosures and CO AI Act bias audits).

  • Security and compliance: Detect fraud, monitor for abuse, comply with legal requests (e.g., subpoenas), conduct risk assessments for high-risk processing (e.g., ADMT under CPRA 2026 updates).

  • Analytics: Generate anonymized insights for internal benchmarking (no selling).

Under state laws (e.g., CPA, VCDPA), we balance our interests against your rights and provide opt-outs for profiling/automated decisions (e.g., AI lead screening). We do not use data for unrelated purposes without notice/consent.

3. How We Disclose or Share Your Information

We disclose information only as necessary and never for monetary consideration (no "sales" under CCPA/CPRA or similar definitions in other states). In the past 12 months, we have disclosed the following categories (per CPRA §1798.130(a)(5)):

  • Identifiers (e.g., name, email, phone) to service providers and integrations.

  • Call recordings/transcripts (commercial info, audio) to processors for AI processing.

  • Usage data (internet activity) to analytics vendors.

Recipients:

  • Service providers/processors: E.g., Stripe, QuickBooks (payments), Twilio, Telnyx (SMS/calls), AWS (storage), OpenAI, Anthropic, Grok, Gemini, NedzoAI, (AI models), Google Analytics (anonymized metrics)—all bound by data processing agreements (DPAs) requiring confidentiality, security, and compliance with state laws (e.g., CTDPA processor duties).

  • Your integrations: Data shared at your direction (e.g., to your CRM).

  • Business transfers: In mergers/acquisitions (with notice).

  • Legal compliance: To courts, regulators, or law enforcement (e.g., TCPA disputes).

  • Affiliates: Limited internal sharing for service delivery.

No sharing for cross-context behavioral advertising. For aggregated/de-identified data (e.g., AI training sets), we apply techniques like pseudonymization/differential privacy to prevent re-identification (per best practices and CO AI Act).

4. Call Recordings, Transcripts, and TCPA Compliance

All calls are recorded/transcribed for service delivery, quality assurance, and AI improvement. Recordings capture voice data (considered biometric under some laws, e.g., Illinois BIPA, but we do not create/store voiceprints for identification). You (subscribers) own this data and control access/deletion via dashboard. We retain for 12 months or longer if required by law or active dispute.

TCPA Disclosures: We provide clear notices (e.g., "This call may be recorded/AI-handled") and log consents/opt-outs. You are responsible for obtaining caller consent per TCPA (e.g., prior express written for marketing SMS; one-party consent for recordings in most states). We support compliance with built-in tools but provide no legal advice—consult counsel. No autodialed calls without consent; outbound AI voices require disclosure.

5. Your Privacy Rights and Choices

As a U.S.-based controller, we honor rights under all applicable state laws. You (or your authorized agent) may:

  • Know/Access: Request categories/sources/purposes of data collected (past 12 months), specific pieces, and recipients (twice/year under CPRA; unlimited under some like CPA).

  • Correct: Update inaccurate data.

  • Delete: Request deletion (subject to exceptions, e.g., legal obligations; includes "right to be forgotten" under CTDPA).

  • Opt-Out: Of sales/sharing (none occur), targeted advertising, or profiling/ADMT (e.g., AI decisions; via dashboard toggle, Global Privacy Control/GPC signals—recognized per CO/DE/OR/TX 2025+ requirements, or email). Limit sensitive data use (we collect none).

  • Portability: Receive data in structured format (e.g., JSON/CSV).

  • Object/Restrict: To processing based on legitimate interests (e.g., analytics; balanced assessment provided).

  • Contest Automated Decisions: Question AI outputs (e.g., lead screening) and request human review (per MNC DPA, CPRA 2026 ADMT rules).

  • Appeal: If we deny a request, appeal via support@callvanta.com (response within 45-90 days per law). No discrimination (e.g., price hikes) for exercising rights.

How to Exercise: Submit via dashboard, email support@callvanta.com ("Privacy Rights Request"), or toll-free GPC integration. We verify using account details/security questions (no fees unless excessive). Agents need proof of authorization. Responses within 45 days (extendable 45 more under CPRA/CPA). For CA Shine the Light requests: No disclosures for direct marketing.

Minors: Enhanced protections under laws like CTDPA/MODPA (e.g., parental access for under-13s); we delete known child data immediately.

6. Data Security and Incident Response

We implement reasonable administrative, technical, and physical safeguards appropriate to data risks (e.g., AES-256 encryption at rest/in transit, RBAC access controls, annual audits per CPRA 2026 cybersecurity rules, bias audits per CO AI Act). Processors must meet equivalent standards via DPAs. Despite these, no system is impenetrable—we cannot guarantee absolute security. Breaches are reported to affected individuals/government as required (e.g., within 60 days under some states). You must secure your integrations/accounts.

7. Children's Privacy

Services are not directed to children under 16 (COPPA threshold). We do not knowingly collect data from children under 16 or sell/share minors' data (prohibited under MD/CO/VA laws). If discovered, we delete immediately and notify parents/guardians. Report suspected incidents to support@callvanta.com. Subscribers must prevent child interactions per their policies.

8. Cookies, Trackers, and Online Technologies

We use:

  • Essential cookies: For login/session management (no opt-out).

  • Analytics cookies: For performance (e.g., Google Analytics; anonymized, opt-out via tools.google.com/dlpage/gaoptout or GPC).

  • No advertising cookies or pixels for profiling.

Manage via browser settings. We honor Do Not Track (DNT) signals where feasible.

9. Data Retention and Anonymization

Retention is limited to what's necessary:

  • Account/billing: Duration of relationship + 7 years (tax/audit).

  • Calls/transcripts: 12 months or until deleted (backups 30 days).

  • Usage logs: 24 months (anonymized after).

We anonymize/de-identify data for AI training (e.g., remove PII, apply k-anonymity) and delete when no longer needed. Pre-2026 data audited by Dec. 31, 2027 per CPRA.

10. International Data Transfers

All processing occurs in the U.S. (no transfers abroad). If future international processors are used, we ensure adequacy (e.g., standard contractual clauses) and notify you.

11. Changes to This Policy

Updates posted here with effective date; material changes (e.g., new uses) notified via email/dashboard 30 days in advance (15 under some laws like UCPA). Continued use = acceptance. Check periodically.

12. Contact Us

For rights requests, appeals, or questions: support@callvanta.com. We respond promptly and document all interactions.