Neon Fox

Privacy Policy

Neon Fox Inc.

Effective Date: February 10, 2025
Last Updated: December 8, 2025


1. Introduction

Neon Fox Inc. ("we," "our," or "us") is a federally incorporated Canadian corporation with its head office in Ontario. We operate multiple software applications and services, including Dialbox, Call Bodyguard, Wrapi, and our corporate website at neonfox.io (collectively, the "Services"). As a federal private-sector organization, we are subject to Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and comply with data protection requirements across all jurisdictions in which we operate. We are committed to protecting your privacy and handling your personal information with transparency and care.

This Privacy Policy complies with the Personal Information Protection and Electronic Documents Act (PIPEDA), Québec's Act Respecting the Protection of Personal Information in the Private Sector as amended by Law 25 ("Law 25"), and applicable provincial privacy requirements including those governing professional confidentiality obligations for clients who are regulated (e.g., CPA Ontario and CPA Québec).

This Privacy Policy explains how we collect, use, disclose, safeguard, and retain your information when you:

  • Visit our websites
  • Use our mobile or desktop applications
  • Subscribe to our services
  • Communicate with us

By using any of our Services, you consent to the data practices described in this policy. If you do not agree with our practices, please do not use our Services.


2. Person Responsible for Personal Information (Privacy Officer)

In accordance with Law 25 and PIPEDA, we have designated a Privacy Officer responsible for overseeing compliance with this Privacy Policy and applicable privacy laws. The Privacy Officer ensures that personal information is handled in accordance with our obligations and responds to inquiries and complaints regarding our privacy practices.

You may contact the Privacy Officer at:

  • Title: Privacy Officer, Neon Fox Inc.
  • Email: privacy@neonfox.io
  • Mailing Address: Neon Fox Inc., Ontario, Canada

The Privacy Officer is accountable for our organization's compliance with privacy legislation and is available to address any questions or concerns you may have about how we handle your personal information.


3. Information We Collect

We collect different types of information depending on which Service you use. This section describes the information we may collect across all Services.

⚠️ Sensitive Personal Information Notice

Certain information we process—including call audio recordings, call transcripts, voicemail, AI-generated summaries, and communication metadata—may be considered sensitive personal information under applicable privacy laws. In accordance with Law 25 and PIPEDA, we only collect this information with explicit or clearly implied consent provided at the time of collection.

For Dialbox users specifically: call recordings and transcripts are collected with your express consent when you subscribe to the service and are essential to service delivery. Callers are informed of recording at the beginning of each call, and continued participation constitutes implied consent.

3.1 Personal Information You Provide

Account Information:

  • Full name (first and last name)
  • Email address
  • Phone numbers
  • Username and password (encrypted and hashed)
  • Company or organization name
  • Billing and payment details (processed via Stripe)
  • Account preferences and settings

Service-Specific Information:

Dialbox:

  • Business contact information
  • Call audio recordings (all inbound and outbound calls are automatically recorded by default when recording disclosure is enabled; recordings are disabled when disclosure is turned off)
  • Call transcripts (AI-generated from call audio recordings; disabled when recording disclosure is turned off)
  • Voice data and caller information (phone numbers, names, conversation content)
  • AI processing metadata and call analytics (intent classification, sentiment, call duration, routing decisions)
  • Call logs and document data
  • Account usage information

Voice Biometric Data Considerations (Dialbox):

While Dialbox does not currently use voiceprint or voice biometric identification technology, we acknowledge that voice recordings may constitute biometric data under certain privacy laws (e.g., Illinois Biometric Information Privacy Act (BIPA), Colorado biometric privacy law effective July 1, 2025). We do not extract biometric identifiers (voiceprints) from call recordings or use voice data for biometric authentication, identification, or verification purposes. Voice recordings are used solely for transcription, AI call handling, service delivery, business analytics, and regulatory compliance as described in this Privacy Policy.

Call Bodyguard:

  • Phone numbers you choose to protect
  • Contact names and phone numbers (synced from your device)
  • Contact relationships and categories
  • Call screening decisions and AI-generated reasoning

Wrapi:

  • Event details (titles, descriptions, schedules)
  • Attendee registration information
  • Chat messages, Q&A submissions, poll responses, and survey data
  • Support ticket conversations

General Communications:

  • Information you provide when contacting customer support
  • Newsletter subscriptions
  • Marketing preferences
  • Feedback and survey responses

3.2 Information Automatically Collected

Technical and Usage Data:

  • IP addresses and general location information
  • Device identifiers and fingerprints (for security)
  • Browser type, version, and language settings
  • Operating system and device information
  • Time zone settings
  • Usage patterns and analytics
  • Pages viewed, features used, and time spent
  • Error logs and diagnostic information
  • Performance metrics

Call Data (Call Bodyguard only):

  • Caller phone numbers and names (when available)
  • Call timestamps and duration
  • Contact lists
  • Call history and analytics

Event Data (Wrapi only):

  • Attendance and participation metrics
  • Engagement data from polls, chat, and Q&A
  • Streaming analytics

3.3 Cookies and Tracking Technologies

We use cookies and similar tracking technologies to:

  • Maintain your login session
  • Remember your preferences and settings
  • Analyze website traffic and usage patterns
  • Improve our Services and user experience
  • Provide security features (e.g., device fingerprinting)
  • Deliver relevant content

Types of Cookies:

  • Essential Cookies: Required for the Services to function properly
  • Functional Cookies: Remember your preferences and settings
  • Analytics Cookies: Help us understand how visitors interact with our Services (e.g., Google Analytics)
  • Performance Cookies: Optimize loading times and user experience
  • Marketing Cookies: Used to deliver relevant advertisements (with your consent)

Consent Management and Opt-Out:

  • Consent Banner: When you first visit our website, we display a consent banner allowing you to accept or reject non-essential cookies before they are placed
  • Granular Control: You can accept or reject specific cookie categories. Marketing cookies are never placed without your explicit consent
  • Consent Validity: Your cookie consent preferences are valid for 6-12 months, after which we will request renewed consent
  • Withdrawal: You can withdraw your cookie consent at any time using our cookie management tool or by contacting us
  • Browser Controls: You can control cookies through your browser settings and use Global Privacy Control signals
  • Third-Party Cookies: Essential cookies are placed before consent; other cookies are placed only with your explicit opt-in

Disabling cookies may affect functionality of some Services. To learn more about Google Analytics privacy practices, visit https://policies.google.com/privacy.

3.4 Information from Third Parties

We may receive information about you from third-party services you connect to your account or from publicly available sources, including:

  • Third-party apps you explicitly link to your account
  • Payment processors
  • Identity verification services
  • Analytics providers

4. How We Use Your Information

We use your information for the following purposes. Under GDPR Article 6, our processing activities are based on one or more of the following lawful bases: (a) your explicit consent; (b) performance of our contract with you; (c) compliance with legal obligations; (d) protection of vital interests; (e) performance of tasks in the public interest; or (f) legitimate interests pursued by Neon Fox Inc. or third parties. Each processing activity described below is supported by at least one lawful basis.

Consent and Purpose Limitation (Law 25 and PIPEDA)

We collect and use personal information only for specific, explicit, and legitimate purposes that are disclosed to you at or before the time of collection. Consent is obtained separately for each category of processing where required (e.g., essential operation, communications, analytics, optional marketing).

Individuals may withdraw consent at any time, subject to legal or contractual limitations. To withdraw consent, contact us at privacy@neonfox.io or manage your preferences through your account settings.

4.1 Service Provision and Account Management

  • Create, maintain, and secure your account
  • Authenticate users and prevent unauthorized access
  • Provide, deliver, and improve our Services
  • Process transactions, billing, and payments
  • Manage subscriptions and renewals
  • Provide customer support and respond to inquiries

4.2 Service-Specific Functions

Dialbox:

  • Create and manage your business account
  • Process orders and payments
  • Record and transcribe inbound and outbound calls for service delivery, business analytics, and regulatory compliance (when recording disclosure is enabled; disabled when disclosure is turned off)
  • Process voice data through AI systems for automated call answering, natural language understanding, and intent classification
  • Generate call summaries, appointment bookings, and call routing decisions using AI-powered conversation analysis
  • Store call recordings, transcripts, logs, and document data securely
  • Facilitate business communications and customer interactions
  • Provide call analytics, reporting, and service improvement insights

📞 Dialbox Call Recording and Transcription

If you interact with our Services through a phone call or a website-based voice call via Dialbox, you will be informed at the time of the call that your conversation may be recorded or transcribed for quality assurance, message delivery, or service accuracy.

Continued participation after disclosure constitutes implied consent. For Québec residents, we provide clear advance notice and the option to decline or use alternative contact methods.

Disclosure Control: Business customers may disable the recording disclosure announcement in their Dialbox settings. When the recording disclosure is disabled, call recording and transcription are automatically disabled as well—no audio recordings or transcripts will be created or stored for those calls.

If you object to recording, please inform the business you are calling—they are required to provide meaningful alternatives such as email correspondence, non-recorded phone lines, or in-person contact.

Call Bodyguard:

  • Screen incoming calls using AI analysis
  • Identify and block spam and scam calls
  • Recognize emergency keywords and legitimate callers
  • Auto-whitelist your contacts for instant connection
  • Provide call history, analytics, and protection management tools
  • Enable family protection features

Wrapi:

  • Facilitate live streaming and webcasting
  • Manage event registration and attendee information
  • Enable attendee engagement tools (chat, polls, Q&A)
  • Provide analytics and reporting features
  • Deliver white-label branding capabilities

4.3 Communications

  • Send transactional notifications about your account and Services
  • Provide service updates, security alerts, and technical notices
  • Send marketing communications and promotional materials (with your consent - you may opt out at any time)
  • Respond to your questions, requests, and feedback

4.4 Analytics and Improvements

  • Analyze usage patterns and user behavior
  • Improve our Services and develop new features
  • Understand how our Services are accessed and used
  • Optimize system performance and user experience
  • Conduct research and testing

4.5 Security and Fraud Prevention

  • Detect, prevent, and address security issues
  • Prevent fraud, abuse, and unauthorized activity
  • Protect the rights, property, and safety of Neon Fox Inc., our users, and others
  • Conduct security audits and vulnerability assessments

4.6 AI and Machine Learning (Call Bodyguard)

  • Analyze call patterns to improve AI accuracy
  • Identify new spam and scam tactics
  • Develop and enhance conversational intelligence capabilities
  • Optimize call screening decisions

4.7 Legal Compliance

  • Comply with applicable laws, regulations, and legal processes
  • Enforce our Terms of Service and other agreements
  • Respond to lawful requests from government authorities
  • Protect our legal rights and interests

4.8 Artificial Intelligence and Automated Decision-Making

Neon Fox Inc. uses artificial intelligence and automated decision-making systems in several services to enhance functionality, provide better protection, and deliver personalized experiences. We are committed to transparent AI practices and compliance with the EU AI Act, GDPR Article 22, and Québec's Law 25 requirements for automated decision-making.

Law 25 Automated Decision-Making Notice

When providing voice or message-processing services through Dialbox, we use automated systems (including artificial intelligence models) to transcribe, summarize, classify, and analyze communications. These systems do not make binding legal decisions about individuals. You have the right to request human review, correction of inaccurate inferences, or additional information about how such systems operate.

AI Systems in Our Services:

  • Dialbox: AI-powered call answering and routing that processes incoming calls in real-time to understand caller intent, answer questions, book appointments, take messages, and route calls appropriately to the correct person or department. The AI system makes automatic decisions about call handling based on learned patterns, business rules configured by the customer, natural language understanding, and conversational context. Business customers configure AI behavior, override settings, and control call routing logic. Callers should be informed they are speaking with an AI system (recommended disclosure within first 10 seconds of the call). The AI processes voice data, extracts caller intent, and generates responses, but all decisions can be reviewed and overridden by the business customer. Calls are recorded and transcribed for service delivery, quality assurance, and compliance purposes.
  • Call Bodyguard: AI-powered call screening that analyzes incoming calls to identify spam, scam attempts, and potentially harmful callers. The AI system makes automatic decisions about whether to connect, screen, or block calls based on learned patterns of legitimate vs. illegitimate calls. Users maintain full control to override AI decisions, whitelist contacts, and adjust screening sensitivity.

Automated Decision-Making and Your Rights:

  • Right to Know: We disclose when you are interacting with AI systems and explain how they work in clear, non-technical language.
  • Right to Object: For Call Bodyguard, you may object to AI-based call screening decisions by manually managing your contact list, adjusting screening preferences, or requesting human review of specific decisions. You can disable AI screening entirely.
  • Right to Human Review: You have the right to request human review of significant automated decisions affecting your use of our Services, except where such review is impossible or disproportionately burdensome.
  • Right Not to Be Subject to Automated Decision-Making: Under GDPR Article 22, you have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects concerning you. If you believe a decision has such effects, you may request that a human review the decision.

EU AI Act Compliance: Neon Fox Inc. acknowledges the European Union's AI Act (entered into force August 2024) and commits to complying with its requirements for high-risk AI systems. Our AI systems are designed with appropriate safeguards including bias mitigation, accuracy testing, and human oversight mechanisms. We maintain documentation regarding AI system testing, performance, and limitations.

AI Training Data: We use personal data to improve AI accuracy and develop new AI capabilities only where we have an appropriate lawful basis (typically legitimate interests with user consent).


5. How We Share Your Information

We do not sell, trade, or rent your personal information to third parties. We may share your information only in the following limited circumstances:

5.1 Service Providers and Business Partners

We share information with trusted third-party service providers who assist us in operating our Services:

Common Service Providers:

  • Stripe: Payment processing and billing management
  • Google Analytics: Website performance tracking and analytics
  • Email service providers: Transactional and marketing email delivery

Service-Specific Providers:

Call Bodyguard:

  • Voice infrastructure
  • AI processing for call screening
  • Speech recognition services

Wrapi:

  • Video streaming and delivery infrastructure
  • Hosting and deployment platform
  • Real-time database and backend services
  • Content delivery and DDoS protection
  • Database services

Infrastructure:

  • Cloud hosting and storage providers
  • Content delivery networks (CDNs)
  • Customer support tools
  • Analytics and monitoring services
  • Security and fraud prevention services

These service providers are contractually bound to protect your data and use it only for providing their specific services to us.

5.2 Third-Party Apps and Integrations

When you explicitly link third-party apps or services to your account, we may share data necessary for those integrations to function. You should review the privacy policies of these third-party services separately, as we are not responsible for their practices.

5.3 Legal Requirements and Protection of Rights

We may disclose your information when we believe in good faith that disclosure is necessary to:

  • Comply with applicable laws, regulations, legal processes, or government requests
  • Enforce our Terms of Service and other agreements
  • Detect, prevent, or address fraud, security issues, or technical problems
  • Protect the rights, property, or safety of Neon Fox Inc., our users, or the public
  • Respond to emergency situations involving potential threats to physical safety

5.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. The acquiring entity will be bound by the same privacy commitments, and we will provide notice before your information is transferred and becomes subject to a different privacy policy.

5.5 With Your Consent

We may share your information for other purposes with your explicit consent or at your direction.

5.6 Aggregated and Anonymized Information

We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you for research, marketing, analytics, or other business purposes.

5.7 Sub-Processor Transparency and Approval

For B2B customers and users whose personal data is processed on behalf of a third-party controller, we maintain transparency regarding sub-processors who assist us in providing our Services. Sub-processors are third-party service providers we engage to process personal data on our behalf under appropriate data processing agreements.

Sub-Processor Management:

  • Sub-Processor List: We maintain a current list of sub-processors who may access personal data. Enterprise customers can request our current sub-processor list by contacting us at privacy@neonfox.io
  • Notice and Approval: We provide at least 30 days' advance notice before adding or replacing any sub-processor. Enterprise customers have the right to object to the engagement of new sub-processors on reasonable grounds. If you object, we will either not engage the sub-processor or provide you with a mechanism to terminate our Services without penalty
  • Contractual Safeguards: All sub-processors are bound by written data processing agreements that incorporate obligations equivalent to those in our customer agreements, including confidentiality, security, and data protection requirements
  • Monitoring: We regularly audit sub-processors to ensure ongoing compliance with our data protection standards and contractual obligations
  • Data Processing Agreements: For B2B customers, we maintain data processing agreements complying with GDPR Article 28 and comparable requirements under other applicable laws, which detail the specific terms governing sub-processor relationships

5.8 Data Processing Relationships (B2B Services)

For our B2B services (Dialbox, Wrapi), we act as a data processor on behalf of our business customers, who are the data controllers. This relationship is critical to understanding privacy responsibilities under PIPEDA, GDPR, and other applicable privacy laws. For complete legal definitions of data processing roles (Data Controller, Data Processor, Sub-processor, Personal Data, End User), see our Terms of Service Section 5.0.

Data Controller (You - The Business Customer):

As the data controller, you have the following responsibilities:

  • Determine the purposes and means of processing personal data collected through our Services
  • Obtain all necessary consents from individuals (callers, event attendees, customers, end-users) before collecting their personal information
  • Ensure compliance with applicable privacy laws (PIPEDA, GDPR, provincial recording consent laws, US state privacy laws) for the personal data you collect and process
  • Provide clear privacy notices to your callers, customers, and end-users explaining how their data will be collected, used, and shared
  • Handle individual rights requests from your callers/customers (requests for access, correction, deletion, objection to processing)
  • Provide us with documented, lawful instructions on how to process personal data (retention periods, deletion requests, data exports, specific processing limitations)
  • Ensure that any data you provide to us is lawfully collected and that you have authority to share it with us for processing
  • Notify affected individuals of data breaches where required by applicable law

Data Processor (Neon Fox Inc.):

As the data processor, we have the following obligations:

  • Process personal data only according to your documented, lawful instructions as outlined in our customer agreements
  • Implement appropriate technical and organizational security measures to protect personal data (encryption, access controls, monitoring, incident response)
  • Assist you in responding to individual rights requests where technically feasible (providing call recordings, deleting data upon instruction, exporting data)
  • Notify you without undue delay upon becoming aware of any data breach affecting your data (within 72 hours under GDPR)
  • Delete or return all personal data to you upon termination of our Services, subject to legal retention requirements (e.g., 3-year telecom record retention for Dialbox)
  • Maintain confidentiality of personal data and limit access to authorized personnel only on a need-to-know basis
  • Engage sub-processors only with your knowledge and subject to equivalent data protection obligations (see Section 4.7)
  • Cooperate with supervisory authorities and assist you in data protection impact assessments where required

Sub-Processors:

We engage sub-processors (cloud infrastructure providers, AI processing services, telecommunications carriers, payment processors) to assist in providing our Services. All sub-processors are bound by written data processing agreements with data protection obligations equivalent to those in our customer agreements. Enterprise customers may request our current sub-processor list and receive 30-day advance notice of any changes (see Section 4.7 for details).

Distinction: Caller/End-User Rights vs. Subscriber (Business Customer) Rights:

It is important to distinguish between the privacy rights of callers/end-users (individuals whose data is processed) and subscribers (our business customers):

Callers/End-Users (individuals calling Dialbox customers, attending Wrapi events):

  • Have privacy rights under PIPEDA, GDPR, and other applicable laws including: access to their data, correction of inaccurate data, deletion (subject to legal retention requirements), objection to processing, and data portability
  • Should contact the business they interacted with (the data controller) to exercise their privacy rights
  • May contact us at hello@neonfox.io if the business is unresponsive, and we will assist in coordinating the response
  • Have the right to be informed that their call is being recorded (Dialbox customers must provide recording disclosure per Canadian law) and that they are speaking with an AI system (AI disclosure is a recommended best practice)
  • Can object to call recording before or during a call, and the business must provide meaningful alternatives (see Section 7.7 for Dialbox caller rights)

Subscribers (our business customers using Dialbox or Wrapi):

  • Have privacy rights regarding their own business account information, contact details, payment information, and usage data
  • Can exercise rights directly with us through their account dashboard or by contacting support
  • Control how end-user/caller data is processed and are responsible for honoring end-user privacy rights requests
  • Must implement processes to handle caller/end-user rights requests in compliance with applicable privacy laws

Important: If you are a business customer using our B2B services, you are the data controller for any personal information collected from your callers, customers, or end-users. You must ensure that you have appropriate legal bases, consents, and privacy notices in place before collecting personal information through our Services. We will assist you in fulfilling your obligations as the data processor, but ultimate responsibility for compliance with privacy laws rests with you as the data controller.


6. Data Security

We implement industry-standard security measures to protect your information against unauthorized access, alteration, disclosure, or destruction.

6.1 Security Measures

Technical Safeguards:

  • Encryption in transit using TLS/SSL
  • Encryption at rest using AES-256 or equivalent
  • Secure authentication mechanisms
  • Multi-factor authentication options
  • Device fingerprinting for security verification
  • Firewalls and intrusion detection systems
  • 24/7 security monitoring and incident response

Organizational Safeguards:

  • Strict access controls on a need-to-know basis
  • Employee background checks and privacy training
  • Regular security audits and vulnerability assessments
  • Incident response procedures
  • Data breach notification protocols

Infrastructure Security:

  • SOC 2 compliant cloud infrastructure (where applicable)
  • Automated backups with point-in-time recovery
  • Redundant systems and disaster recovery plans
  • Canadian-based servers for Dialbox app data
  • US-based secure data centers with appropriate safeguards

6.2 Important Security Notes

Dialbox Recording Security:

For details on Dialbox call recording functionality, disclosure controls, and consent requirements, see Section 4.2 (Dialbox Call Recording and Transcription).

  • Storage: Call recordings and transcripts are stored securely using AES-256 encryption at rest and TLS 1.2+ encryption in transit
  • Retention Period: Recordings are retained for 3 years + 14 days from the call date to comply with Canadian telecommunications record-keeping requirements (CRTC)
  • Access Control: Only authorized personnel have access to call recordings on a need-to-know basis; business customers can access their own recordings via secure dashboard
  • Backup Protection: Recordings are backed up in encrypted format for 60 days after account deletion to prevent data loss

Call Bodyguard: We do not record or store audio from phone calls. Only text transcripts are maintained for service purposes.

Limitations: While we use commercially acceptable means to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

6.3 Privacy by Design and Default

Neon Fox Inc. is committed to implementing privacy by design and by default principles throughout all our operations. We recognize that privacy protection is most effective when embedded into the core architecture of our systems, products, and processes rather than added as an afterthought.

Our Privacy by Design Commitments:

  • Proactive Approach: We identify and address privacy risks during the initial design phase of new products, features, and systems rather than waiting for problems to emerge.
  • Privacy as Default: Our systems are configured to protect privacy by default, with strong data protection safeguards applied automatically without requiring users to take additional steps.
  • Data Minimization: We collect only the personal data that is necessary to fulfill specific, explicit, and legitimate purposes. We regularly audit data collection points to eliminate unnecessary data elements.
  • Purpose Limitation: Personal data is processed only for the purposes for which it was collected. Any secondary use requires establishing a new lawful basis and obtaining appropriate consent.
  • Encryption and Pseudonymization: We use encryption in transit and at rest to protect personal data, and we implement pseudonymization techniques where feasible to separate data from individual identities.
  • Access Controls: We implement role-based access controls ensuring that only personnel with legitimate business needs access personal data, with multi-factor authentication protecting access to sensitive systems.
  • Transparency and User Empowerment: We provide clear, understandable information about our data practices and implement features enabling users to manage their personal information effectively.
  • Accountability: We maintain clear documentation of privacy safeguards and conduct regular assessments to ensure that privacy by design principles are effectively implemented.

Continuous Improvement: We regularly review and update our privacy safeguards to maintain effectiveness against emerging threats and comply with evolving regulatory requirements. Privacy considerations influence product development decisions at every stage, from initial concept through deployment and retirement.

6.4 Data Breach Notification and Response

In the event of a confirmed security incident that compromises the confidentiality or integrity of personal information, Neon Fox Inc. commits to prompt notification and remediation in accordance with applicable laws and regulations.

Privacy Incident Management

We maintain an internal process for identifying, assessing, documenting, and responding to privacy incidents. Where an incident presents a risk of serious harm, we will notify affected individuals and relevant authorities—including the Commission d'accès à l'information in Québec (for Law 25 compliance) and the Office of the Privacy Commissioner of Canada (for PIPEDA compliance)—as required by law.

Incident Response Procedures:

  • Immediate Response: Upon discovery of a suspected security incident, we immediately activate our incident response team to contain the breach, prevent further unauthorized access, and assess the scope and nature of the compromise.
  • Investigation: We conduct a thorough investigation to determine what personal data was affected, who was affected, and what measures are necessary to restore the security of the system.
  • Regulatory Notification: We comply with all applicable legal requirements regarding notification to supervisory authorities. Under GDPR, we notify relevant data protection authorities without undue delay and in any case within 72 hours of becoming aware of a personal data breach.
  • Individual Notification: We notify affected individuals of confirmed security incidents where their personal data may have been compromised, except where encryption or other safeguards render the information unintelligible to unauthorized persons. Notifications include details about the incident, steps individuals should take to protect themselves, and our contact information for questions.
  • Remediation: We implement corrective measures to address the vulnerability that enabled the breach and prevent similar incidents from occurring in the future.
  • Public Communication: For significant incidents affecting large numbers of individuals, we provide transparent public communication about the incident, our response, and steps affected individuals should take.

Notification Timeline:

  • GDPR (European residents): Notification to supervisory authority without undue delay and in any case within 72 hours of discovery; notification to affected individuals without undue delay.
  • CCPA (California residents): Notification without unreasonable delay and generally within specified timeframes under California law.
  • PIPEDA (Canadian residents): Notification as soon as feasible if there is a real risk of significant harm; notification to the Privacy Commissioner if the breach involves a significant number of Canadians.
  • Other Jurisdictions: Compliance with all applicable local requirements for the jurisdictions in which affected individuals reside.

You may sign up to receive security alerts and incident notifications at security@neonfox.io.


7. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

Purpose Limitation and Retention Justification

We retain personal information only for the duration necessary to fulfill the purposes for which it was collected. Each retention period is documented and justified. Once no longer required, information is securely deleted or anonymized in accordance with PIPEDA and Law 25.

Client-Controlled Retention: Dialbox business customers may request shorter retention periods for call recordings, transcripts, or logs (subject to mandatory 3-year CRTC regulatory requirements). Contact privacy@neonfox.io to discuss custom retention schedules.

7.1 General Retention Periods

  • Account Information: Retained until you delete your account
  • Transactional Data: Retained for as long as necessary to provide Services and fulfill legal obligations
  • Billing Records: Retained for 7 years for legal and tax compliance
  • Support Communications: Retained for reasonable periods to provide ongoing support

7.2 Service-Specific Retention

Dialbox:

  • Call recordings and transcripts: Retained for 3 years + 14 days from the call date (required by Canadian telecommunications law - CRTC - for regulatory compliance and audit purposes)
  • Service delivery data: Retained for active subscription duration + 30 days after account termination to allow for account recovery and final billing
  • Backup retention: 60 days in encrypted backups after account deletion to protect against data loss
  • Customer-requested deletion: Available upon request through your account dashboard or by contacting hello@dialbox.ca, subject to mandatory legal retention requirements (call recordings must be retained for 3 years + 14 days regardless of deletion requests)
  • Regulatory hold: Indefinite retention if call recordings are subject to CRTC investigation, legal proceedings, court orders, or regulatory audits
  • After mandatory retention period: Call recordings and transcripts are permanently deleted or anonymized after 3 years + 14 days unless subject to ongoing legal hold
  • Account information: Business contact details, payment records, and transaction history retained for 7 years for tax and financial compliance purposes

Call Bodyguard:

  • Account Information: Until account deletion
  • Call Screening Data: 1 year for account history and analytics
  • Contact Data: Until manually deleted or account closure

Wrapi:

  • Event Data: 1 year for analytics and compliance purposes
  • Attendee Data: Deleted upon event conclusion unless the event organizer requests retention for follow-up purposes
  • Account Data: Deleted or anonymized within 1 year after account deletion, except where required by law

7.3 Deletion

When you delete your account or request deletion of your data:

  • We will delete or anonymize your personal information within 90 days
  • Some information may be retained in backup systems for a limited time
  • We may retain information as required by law or for legitimate business purposes (e.g., fraud prevention, resolving disputes, enforcing agreements)

8. Your Privacy Rights

You have certain rights regarding your personal information, which may vary based on your location.

8.1 General Rights (All Users)

  • Access: Request a copy of the personal information we hold about you
  • Correction/Rectification: Request correction of inaccurate or incomplete information
  • Deletion: Request deletion of your personal information (right to be forgotten)
  • Data Portability: Receive your data in a machine-readable format or request transfer to another service provider
  • Restriction: Request restriction or limitation of how we process your personal information
  • Objection: Object to processing of your personal information for certain purposes
  • Opt-Out: Unsubscribe from marketing communications at any time via your account dashboard, unsubscribe links in emails, or by contacting us

8.2 United States State Privacy Rights

California (CCPA/CPRA):

If you are a California resident, you have rights under the California Consumer Privacy Act and California Privacy Rights Act:

  • Right to Know: Request disclosure of what personal information we collect, use, disclose, and share
  • Right to Delete: Request deletion of personal information we have collected
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out: Opt-out of the sale or sharing of personal information for cross-context behavioral advertising. Note: We do not sell your personal information
  • Right to Limit Sensitive Information: Limit our use and disclosure of sensitive personal information (SSN, precise geolocation, racial/ethnic origin, religious beliefs, genetic data, biometric identifiers for identification, health information, sexual orientation, citizenship/immigration status, trade secret status, union membership)
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights
  • Right to Appeal: Appeal our decision regarding your privacy rights request

California Shine the Light Law: California residents may request information about disclosures of personal information to third parties for direct marketing purposes.

Colorado Privacy Act (CPA):

If you are a Colorado resident, you have rights under the Colorado Privacy Act, including:

  • Right to Know: Request confirmation of whether we process your personal information
  • Right to Access: Request a copy of your personal information in a portable and readily useable format
  • Right to Delete: Request deletion of your personal information
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt-Out: Opt-out of targeted advertising, sale of personal information, and profiling for decisions producing legal or similarly significant effects
  • Biometric Data Rights: As of July 1, 2025, Colorado law requires explicit affirmative informed consent before we collect or process your biometric identifiers. We must disclose our collection practices, purposes, and intended uses. Biometric data includes information generated from technological processing of biometric samples
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CPA rights

Other State Laws:

As of 2025, sixteen U.S. states have comprehensive privacy laws. If you reside in Virginia (VCDPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Delaware, Iowa, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Kentucky, Nebraska, Montana, Rhode Island, or another state with privacy legislation, you may have similar rights to those described for California and Colorado above, including rights to know, delete, correct, and opt-out. Please contact us if you have questions about your privacy rights under your state's applicable law.

8.3 European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation:

  • Legal Basis for Processing: We process your data based on consent, contract performance, legal obligations, or legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
  • Right to Object: Object to processing based on legitimate interests
  • Right to Lodge a Complaint: File a complaint with your local data protection authority

EU Representative: For GDPR-related inquiries, contact us at the email address below.

8.4 Canadian Privacy Rights (PIPEDA and Law 25)

All Neon Fox Inc. Services comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA). Québec residents have additional rights under Law 25 (Act Respecting the Protection of Personal Information in the Private Sector).

Rights Under PIPEDA and Law 25:

  • Access to Personal Information: Request a copy of the personal information we hold about you
  • Correction of Inaccuracies: Request correction of inaccurate or incomplete personal information
  • Deletion: Request deletion of personal information when no longer required for the purposes collected
  • Data Portability (Law 25): Receive your personal information in a structured, commonly used format and request transfer to another organization
  • Withdrawal of Consent: Withdraw consent for processing at any time, subject to legal or contractual obligations
  • Restriction of Processing: Request that we limit certain processing activities
  • Right to Be Informed of Automated Processing: Know when automated decision-making systems are used and understand how they operate
  • Right to Human Review: Challenge or obtain human review of decisions made solely by automated processing

Response Time: Requests will be responded to within 30 days, as required by PIPEDA and Law 25. Complex requests may require an extension, and we will notify you if additional time is needed.

8.5 Other Jurisdictions

We respect privacy rights under applicable laws in other jurisdictions. Contact us to exercise your rights or for questions about data protection laws in your region.

8.6 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

  • Email: hello@neonfox.io

You may also manage many settings directly through your account dashboard.

We will respond to your request within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.

8.7 Caller Rights (Dialbox)

If you are a caller who contacted a business using Dialbox (rather than a Dialbox subscriber/business customer), you have specific privacy rights regarding your call recording and personal data under PIPEDA and applicable provincial laws.

Access to Call Recordings:

You have the right to request access to any recording of your phone call with a Dialbox customer:

  • Primary Contact: Contact the business you called directly to request your call recording. The business is the data controller and manages caller data.
  • Response Time: The business should respond within 30 days (or as required by applicable privacy law in your jurisdiction).
  • If Unresponsive: If the business does not respond to your request within a reasonable timeframe, you may contact us at hello@neonfox.io and we will assist in coordinating the response.
  • Verification: You may need to provide identifying information to verify your identity (e.g., phone number you called from, approximate date/time of call, details discussed during the call).
  • Format: Call recordings can be provided in audio format (MP3/WAV) or transcript format (PDF/text), depending on your preference.

Objection to Call Recording:

You have the right to object to call recording under PIPEDA before or during a call:

  • Before the Call: If you are informed at the beginning of the call that it will be recorded and you do not wish to be recorded, you may ask to speak with someone on a non-recorded line or request alternative contact methods.
  • During the Call: You may object to recording at any time during the call. If you object, the business must provide meaningful alternatives such as email correspondence, in-person visit, or non-recorded phone line.
  • Implied Consent: Under PIPEDA, if you proceed with the call after being notified of recording, your consent to recording is implied. However, you retain the right to withdraw consent and request alternative communication methods.
  • Business Obligation: The business using Dialbox must honor your objection and provide reasonable alternatives. If they refuse, you may file a complaint with the Privacy Commissioner of Canada.

Correction and Deletion Rights:

  • Correction: You may request correction of inaccurate information in call transcripts or records. Contact the business to request corrections.
  • Deletion Request: You may request deletion of your call recording. However, Canadian telecommunications law requires retention of call records for 3 years + 14 days for regulatory compliance purposes (CRTC requirement).
  • Mandatory Retention Period: Call recordings cannot be deleted before the mandatory 3-year + 14-day retention period expires, even if you request deletion.
  • After Retention Period: After 3 years + 14 days from the call date, you may request permanent deletion of your call recording, and we will honor that request unless the recording is subject to legal hold.
  • Anonymization: If deletion is not possible during the retention period, you may request anonymization (removal of identifying information) where technically feasible.

Other Privacy Rights:

  • Data Portability: You may request a copy of your call recording and transcript in a portable, machine-readable format (e.g., MP3 + JSON transcript).
  • Restriction of Processing: You may request restriction of processing for specific purposes (e.g., restrict use for marketing but allow retention for regulatory compliance).
  • Withdrawal of Consent: If you initially consented to recording but wish to withdraw consent for future calls, contact the business and request to be placed on their "do not record" list for future interactions.
  • Complaint Rights: If the business or Neon Fox Inc. violates your privacy rights, you have the right to file a complaint with the Privacy Commissioner of Canada (for federal privacy matters) or your provincial privacy commissioner.

How to Exercise Your Caller Rights:

To exercise any of these rights:

  1. Contact the Business First: Reach out to the business you called (they are the data controller responsible for your data). Their contact information should have been provided during or after your call.
  2. Provide Details: Include the following information in your request:
    • Business name you called
    • Approximate date and time of your call
    • Your phone number (the number you called from)
    • Brief description of the call or subject matter discussed
    • Specific request (access, correction, deletion, objection, etc.)
  3. If Business is Unresponsive: If the business does not respond within 30 days or refuses your request unreasonably, contact us at:
    • Email: hello@neonfox.io
    • Subject Line: "Dialbox Caller Rights Request"
    • Include all the information listed above
  4. Escalation: If neither the business nor Neon Fox Inc. resolves your concern, you may file a complaint with the Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca or 1-800-282-1376.

Important Note: Dialbox is used by businesses to manage their phone communications. Neon Fox Inc. acts as a data processor on behalf of these businesses. The business you called is the data controller and has primary responsibility for handling your privacy rights requests. We will assist businesses in fulfilling their obligations and will coordinate with you if the business is unresponsive.


9. International Data Transfers

Your information may be transferred to, stored, and processed in countries other than your own, including the United States and Canada, where data protection laws may differ from those in your jurisdiction. As a federally incorporated Canadian corporation, we comply with PIPEDA's requirements for cross-border data transfers, including the requirement to ensure "comparable" protection of personal information transferred outside of Canada through contractual safeguards and other appropriate measures.

9.1 Data Storage Locations and Canadian Residency

  • Dialbox: App data stored exclusively in Canada; marketing website may be hosted on servers outside Canada (e.g., U.S./EU)
  • Call Bodyguard: Data may be stored and processed in Canada and/or the United States through cloud service providers
  • Wrapi: Data may be stored and processed in Canada and/or the United States through cloud service providers
  • Neon Fox Corporate: Data may be stored in multiple jurisdictions including Canada and the United States

9.2 Safeguards for International Transfers and PIPEDA Compliance

When we transfer data internationally, we ensure adequate protection through multiple complementary safeguards:

Privacy Impact Assessment (PIA) Requirement

We use third-party service providers located outside of Canada (including the United States). When personal information is transferred internationally, it may be subject to foreign laws and accessible by foreign authorities. For all transfers outside Québec, we conduct a Privacy Impact Assessment (PIA) as required by Law 25 and implement contractual and technical safeguards such as encryption, limited access, and data-processing agreements.

  • Privacy Impact Assessments (PIAs): Required under Law 25 for transfers outside Québec; we evaluate privacy risks, legal frameworks of destination countries, and implement appropriate safeguards before transferring personal information
  • Standard Contractual Clauses (SCCs): Approved by the European Commission and Swiss authorities for data transfers from the EEA/Switzerland to countries without adequacy determinations
  • EU-US Data Privacy Framework: Where applicable, reliance on the DPF adequacy decision for transfers to certified US organizations
  • Transfer Impact Assessments (TIAs): For international transfers, we conduct Transfer Impact Assessments evaluating the legal framework of the destination country and implementing supplementary measures where necessary to ensure comparable protection
  • PIPEDA Comparable Protection: For transfers of Canadian personal data outside Canada, we ensure comparable protection through contractual safeguards, data processing agreements requiring equivalent protections, and supplementary technical measures. We notify individuals when personal information may be transferred abroad and accessed by foreign authorities
  • Encryption and Pseudonymization: We use encryption in transit and at rest, and implement pseudonymization techniques to limit identification risks during transfer
  • Data Minimization: We transfer only personal data that is necessary for the specified purposes

PIPEDA Federal Corporation Obligations:

As a federally incorporated Canadian corporation, Neon Fox Inc. is subject to PIPEDA for all data flows that cross provincial or national borders in the course of commercial activities. We comply with PIPEDA's requirement to ensure that personal information transferred outside Canada receives "comparable" protection through contractual obligations requiring the recipient to protect personal data in a manner substantially similar to PIPEDA's requirements. We maintain documentation of all international transfer mechanisms and are prepared to provide information to the Privacy Commissioner of Canada regarding our transfer safeguards.

By using our Services, you consent to the transfer of your information to countries outside your jurisdiction in accordance with this Privacy Policy, subject to the safeguards described above and applicable legal requirements in your jurisdiction.


10. Children's Privacy

Our Services are not intended for, and we do not knowingly collect personal information from, children under the age specified below:

  • General Policy: Our Services are not directed to individuals under 18 years of age
  • Stricter Standards: We do not knowingly collect information from children under 13 (or 16 in some jurisdictions)
  • Call Bodyguard: Children between 13 and 18 may use the service with parental consent where required by applicable law

If we learn that we have collected personal information from a child under the applicable age without proper consent, we will delete that information promptly. If you believe we may have collected information from a child, please contact us immediately at privacy@neonfox.io.

Important: If you use our Services to protect a family member who is a minor, you represent that you have the authority to provide their information and manage their account.


11. Third-Party Links and Services

Our Services may contain links to third-party websites, applications, or services that are not owned or controlled by Neon Fox Inc. This Privacy Policy does not apply to third-party services.

Our Responsibilities:

  • We have no control over third-party content, privacy policies, or practices
  • We are not responsible for the privacy or security practices of third-party services
  • We do not endorse or assume responsibility for third-party services

Your Responsibilities:

  • We strongly advise you to review the privacy policies and terms of any third-party services you access
  • Exercise caution when providing information to third parties
  • Understand that data shared with third-party integrations is subject to their privacy policies

Third-Party Service Providers: When we share data with service providers (as described in Section 4.1), those providers are contractually obligated to protect your data. The integrations and apps YOU choose to connect are separate and governed by their own policies.


12. Do Not Track Signals

Some web browsers have "Do Not Track" features. Currently, there is no uniform standard for how DNT signals should be interpreted. Our Services do not respond to Do Not Track signals. We will continue to monitor developments in DNT browser technology and industry standards.


13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, Services, legal requirements, or for other operational, legal, or regulatory reasons.

13.1 How We Notify You of Changes

When we make changes, we will:

  • Update the "Last Updated" date at the top of this policy
  • Post the updated policy on our websites and in our applications
  • Notify you via email for material changes (to the email address associated with your account)
  • Provide in-app notifications for significant changes
  • Give reasonable advance notice before material changes take effect

13.2 Material Changes

For material changes that significantly affect your rights or how we handle your information, we will provide prominent notice and may request your consent where required by law.

Material Changes to Sensitive Information

Material changes to how we collect or use sensitive personal information (including call recordings, transcripts, and voice data) will be communicated directly to affected users before the changes take effect. Continued use of the Services after being informed of a material change constitutes acceptance.

13.3 Your Continued Use

Your continued use of our Services after changes become effective constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, please discontinue use of our Services and contact us to close your account.

13.4 Review This Policy Regularly

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.


14. Complaints

Individuals may submit complaints regarding our handling of personal information to our Privacy Officer at privacy@neonfox.io. We take all complaints seriously and will investigate and respond within 30 days.

If your complaint is not resolved to your satisfaction, you may contact:

  • Office of the Privacy Commissioner of Canada: https://www.priv.gc.ca | 1-800-282-1376
  • Commission d'accès à l'information du Québec (for Québec residents): https://www.cai.gouv.qc.ca
  • Your provincial privacy commissioner (if applicable)

15. Contact Us

If you have any questions, concerns, requests, or complaints regarding this Privacy Policy or our data practices, please contact us:

General Privacy Inquiries

Neon Fox Inc. Privacy Team

Email: hello@neonfox.io

Website: https://neonfox.io

We will respond to your inquiries within a reasonable timeframe, typically within 30 days.


16. Legal Compliance

This Privacy Policy complies with applicable privacy laws and regulations, including:

Canadian Laws:

  • Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Québec's Act Respecting the Protection of Personal Information in the Private Sector as amended by Law 25
  • Provincial privacy legislation (Alberta PIPA, British Columbia PIPA, where applicable)
  • Professional confidentiality requirements (CPA Ontario, CPA Québec, for regulated clients)

International and Regional Laws:

  • General Data Protection Regulation (GDPR) and ePrivacy Directive
  • United Kingdom GDPR and Data Use and Access Act (DUAA) 2025
  • European Union Artificial Intelligence Act (AI Act)
  • Brazil's Lei Geral de Proteção de Dados (LGPD)

United States Federal and State Laws:

  • Children's Online Privacy Protection Act (COPPA) and FTC Amendments effective June 2025
  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
  • California Online Privacy Protection Act (CalOPPA)
  • Colorado Privacy Act (CPA)
  • Connecticut Data Privacy Act (CTDPA)
  • Virginia Consumer Data Protection Act (VCDPA)
  • Utah Consumer Privacy Act (UCPA)
  • Texas Data Privacy and Security Act (TDPSA)
  • Oregon Consumer Privacy Act (OCPA)
  • Comprehensive privacy laws in Delaware, Iowa, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Kentucky, Nebraska, Montana, Rhode Island, and other states
  • Illinois Biometric Information Privacy Act (BIPA)
  • Federal Trade Commission Act (FTC Act) Sections 5 and 501

Sector-Specific and Other Applicable Laws:

  • Health Insurance Portability and Accountability Act (HIPAA) where applicable
  • Gramm-Leach-Bliley Act (GLBA) where applicable
  • Other applicable international, federal, state, provincial, and local privacy and data protection laws

Neon Fox Inc. commits to remaining current with evolving privacy regulations and updating our practices and policies accordingly. This Privacy Policy is subject to change as new laws are enacted and regulatory guidance evolves.


Neon Fox Inc. is committed to protecting your privacy and earning your trust through transparent, responsible data practices.

© 2025 Neon Fox Inc. All rights reserved.