Privacy Notice and Personal Data Protection Policy

1. Purpose

To establish the guidelines, principles, and responsibilities governing the collection, use, storage, processing, and final disposition of personal data at VOX ASSIST AI, in order to guarantee the confidentiality, integrity, and availability of information, ensure the full exercise of the rights of data subjects (Habeas Data/ARCO), and strictly comply with data protection regulations in the jurisdictions where we operate.

2. Scope

This policy is globally applicable and mandatory for all VOX ASSIST AI processes. It covers the processing of personal data from:

Direct Clients (B2B): Administrative and billing data.
End Users: Voice, text, and interaction data processed by AI Agents.
Visitors and Prospects: Data captured through the website and commercial channels.

It applies to all employees, contractors, and third-party providers who have access to or process personal data on behalf of the organization.

3. Privacy Notice and Personal Data Protection Policy - Purpose and Scope

This document constitutes the Global Privacy Notice of VOX ASSIST AI, prepared in strict compliance with the personal data protection laws in force in Latin American countries, the USA, and other related international regulations. Its purpose is to inform about the processing, use, and protection of data, guaranteeing the rights of data subjects.

We detail what personal data we obtain, the purposes of its processing, with whom we share it, the rights you have as a data subject, and the security measures implemented, in strict compliance with the regulations in force in the countries where we operate (detailed in the Regulatory Compliance section).

4. Identity and Contact Details of the Data Controller

VOX ASSIST AI (hereinafter, "We" or the "Controller") is responsible for the processing of personal data collected through its website and other direct contact channels.

Website: https://www.voxassist.ai
Email for general inquiries: contacto@voxassist.ai
Email for privacy matters: privacy@voxassist.ai (Recommended for centralizing requests)

4.1. Roles and Responsibilities (Shared Responsibility Model)

For greater transparency, we operate under two modalities:

4.1.1. As Data Controller and Custodian: For the administrative data of our Direct Clients (billing, commercial contact).
4.1.2. As Data Processor: Within the framework of our SaaS services and in compliance with public procurement regulations, we act as Data Processor (or Data Custodian according to applicable local legislation).

We acknowledge that we process personal data solely and exclusively on behalf of and in the name of the Client, who acts as the Data Controller. We commit to not using the data for purposes other than those stipulated in the contract.

5. General Principles

At VOX ASSIST AI, we are committed to protecting information. Our processing of personal data is governed by the principles of lawfulness, consent, information, quality, purpose, loyalty, proportionality, and accountability. Security and data protection are integrated into every layer of our solution by design.

6. What Personal Data Do We Process and for What Purposes?

We obtain personal data in different ways, depending on your interaction with us:

A. If you are a visitor to our website or contact us directly:

Data we obtain: Name, email address, phone number, and content of messages you send us.

Purposes:

Respond to your inquiries and requests for information or demos.
Provide information about our products and services.
Improve the browsing experience on our website.

B. If you are a client who contracts our services:

Data we obtain: Professional contact data, billing information, and data of designated users to manage the platform.

Purposes:

Fulfill contractual obligations arising from the provision of the service.
Manage billing and payments.
Provide technical support and strategic guidance.
Communicate updates and service improvements.

C. If you are an end user who interacts with a VOX ASSIST AI AI Agent (implemented by one of our clients):

Data we obtain: The AI Agent processes the content of conversations (voice and/or text). This may include, depending on the purpose defined by our client (the Controller), data such as: names, phone numbers, emails, appointment scheduling data, order information, financial data, health data, among others (This will depend on the type of client and type of business).

Purposes: The purposes are defined by our client (the Controller). We process this data to:

Execute the tasks for which the Agent was designed (e.g., qualify a lead, schedule an appointment, resolve an inquiry).
Allow smooth transition of the conversation to a human agent when necessary.
Analyze interactions in an anonymized manner to generate metrics and reports for our client.
Improve and optimize Machine Learning models to increase service efficiency and accuracy.

7. Transfer and Communication of Data to Third Parties

We share your data in the following cases:

7.1. Our Clients' Systems: By design, our agents integrate securely with our clients' business systems (CRM, ERP, etc.) to execute tasks in real-time, following their instructions.
7.2. Transition to Humans: When a conversation is escalated, the information and context are transferred to the human team designated by our client.
7.3. Sub-Processors and International Transfer: Due to the personalized and modular nature of our Artificial Intelligence solutions, the specific architecture may vary according to the needs of each Client, requiring subcontracting of third parties that provide specific services. For the provision of global service, the Client authorizes the contracting of providers within the following strategic categories. The specific sub-processors applicable to your solution will be those defined in the approved Commercial Proposal or Technical Configuration.
7.4. Competent Authorities: We will share your personal information when legally required by a founded and motivated authority.
7.5. Telephony Providers (Transmission Only): For voice services, we use telecommunications operators and SIP trunk providers (e.g., Twilio, local operators). These act as mere transmission channels and do not store information persistently beyond what is necessary for the technical connection of the call and billing records (CDRs).
7.6. Transfer Guarantee: All international data transfers to these providers have appropriate legal safeguards (Standard Contractual Clauses) and current data processing agreements (DPA).

8. Data Processing and Custody Agreement

When contracting our services, the following binding obligations are established:

Processing will be carried out strictly in accordance with the Client's instructions. Any change in configuration will require express instruction.
All personnel and subcontractors are subject to confidentiality agreements that persist indefinitely, even after the contractual relationship ends.
In the event of a security breach, we will notify the Client without undue delay and within a maximum of 72 hours, providing the information for regulatory compliance.
We will not subcontract processing services without the general or specific authorization of the Client (granted through acceptance of this Policy and the list of providers in Section 7), extending the same security obligations to them.

9. Exercise of Your Rights (ARCO)

You have the right to request Access, Rectification, Cancellation, and Opposition regarding your personal data.

If your data was collected directly by VOX ASSIST AI (e.g., on our website), you can exercise your rights by sending a request to privacy@voxassist.ai, clearly indicating your name and your request.
If you interacted with an AI Agent as an end user of one of our clients, your request should be directed to that client, who is the Controller of your data. We will collaborate with our client to address your request as stipulated in our contract.

We will respond to your request within the timeframes and forms required by the applicable laws in your jurisdiction.

10. Data Security, Privacy, and Destruction

Trust is our fundamental pillar. To protect your most important asset, we apply physical, technical, and organizational security controls based on international best practices, guaranteeing a robust and private architecture:

10.1. Security Measures and Technical Architecture

Environment Segregation: We maintain separate environments for development, testing, and production, ensuring the integrity of the Client's real data.
Vulnerability Management: We perform continuous monitoring of threats and system resilience.
Data Encryption: Data is encrypted both in transit and at rest.
Robust Infrastructure: We guarantee business continuity with proactive 24/7 monitoring and contingency management.
Security by Design: Our architecture is designed to be inherently secure and protect confidential information against malicious interactions.

10.2. Privacy Guarantees and Service Evolution

Absolute Privacy and No-Training: We guarantee that your information belongs exclusively to you. Your data is never used to train public AI models; your agent's training is 100% isolated and your intellectual property remains with your company.
Private Infrastructure: We do not use shared public platforms for the core of your business. Your agent operates in a proprietary and secure environment.
Quality and Acceptance Testing: We don't just implement; we validate. Before going live, we guarantee that the agent complies 100% with your business rules through exhaustive testing.
Hybrid Monitoring and Evolution: We use automated testing and a human quality team to monitor agent accuracy, ensuring that each review translates into continuous improvement of effectiveness.

10.3. Data Lifecycle Closure

Deletion and Certification: Once the provision of services is completed, VOX ASSIST AI commits to deleting or returning all personal data and its copies (unless legally required). Upon express request from the Client, a secure destruction certificate will be issued.

11. Regulatory Compliance

We commit to strict compliance with data protection regulations in the countries where we operate:

Colombia: We operate in full compliance with the General Personal Data Protection Regime, including Statutory Law 1581 of 2012 and Law 1266 of 2008 on Financial Habeas Data.
Costa Rica: We adhere to the provisions of Law No. 8968, Law for the Protection of the Person Against the Processing of Their Personal Data, and its regulations, ensuring compliance with the principles of informed consent, quality of information, and the rights of Costa Rican citizens.
Guatemala: Our operation aligns with the principles established in the Constitution of the Republic and the Law on Access to Public Information (Decree 57-2008), which regulates the processing of personal and sensitive data, guaranteeing confidentiality and proper use of information.
Panama: We rigorously comply with Law 81 of 2019 on Personal Data Protection and Executive Decree 285, ensuring proper processing of information of Panamanian citizens.
Peru: Our platform aligns with Law No. 29733, Personal Data Protection Law, and its regulations, guaranteeing the rights of data subjects in the country.
Dominican Republic: Our operation is governed by Law No. 172-13, which aims to comprehensively protect personal data. We ensure lawful processing of information, explicit consent of the data subject, and full exercise of access, rectification, and cancellation rights.
United States: We understand the complex regulatory landscape and adapt our operation to sectoral federal laws such as HIPAA (health sector) and key state regulations such as the California Consumer Privacy Act (CCPA/CPRA).
Venezuela: We are governed by the constitutional framework and the Special Law Against Computer Crimes to guarantee the protection and proper handling of information and data.
Argentina: We align with Law 25.326 on Personal Data Protection, which regulates data processing in the public and private sectors. We ensure compliance with obligations and the rights of data subjects, in accordance with the guidelines of the Agency for Access to Public Information (AAIP).

12. Modifications

We reserve the right to modify this policy at any time. Any changes will be published on our website https://www.voxassist.ai and the "Last updated" date will be updated.