In this document, “client” refers to the business that contracts Call2Cash (e.g., a plumbing company, a professional firm), and “caller” refers to the person calling that business.
1. Who We Are
Call2Cash designs, deploys, and maintains AI-powered voice agents on behalf of its clients. When a caller reaches one of our voice agents, certain personal information may be collected and processed.
This policy outlines our commitments and practices in compliance with Quebec’s Law 25, the Act respecting the protection of personal information in the private sector (LPRPSP), and the Personal Information Protection and Electronic Documents Act (PIPEDA).
Our Commitment: Privacy by Design
Call2Cash operates under an architecture where caller data is not stored in our internal systems. It is transmitted directly to the client’s own systems. Call2Cash acts as a technology integrator, not as a data custodian.
2. Privacy Officer
In accordance with Law 25, the person holding the highest authority at Call2Cash is designated as the person responsible for the protection of personal information (Privacy Officer).
3. Personal Information Collected
Our voice agents collect only the information necessary to fulfill their mission, following the principle of data minimization. The data collected varies depending on the client’s needs:
| Category | Examples | Purpose |
|---|
| Identity | First name, last name | Caller identification for follow-up |
| Contact details | Phone number | Enable callback by the client |
| Preferences | Language, preferred callback time | Personalize service |
| Voice content | Call recording | Quality assurance (if enabled) |
| Transcription | Conversation text | Transmission to client |
| Specific information | Based on client needs | Appointment booking, lead qualification |
Call2Cash never collects health information, financial data, social insurance numbers, biometric data, or information about minors under 14 years of age.
4. How Your Data Is Protected
Call2Cash selects its technology providers based on strict security and compliance criteria.
| Measure | Description |
|---|
| Encryption | All data is encrypted in transit (TLS) and at rest with every provider. |
| Certifications | Our providers hold SOC 2 Type II certifications, and where applicable, HIPAA and GDPR. |
| No AI training | Data is not used to train artificial intelligence models. |
| Automatic redaction | Personally identifiable information can be automatically masked from transcripts and recordings. |
| Restricted access | Access is limited to authorized personnel with multi-factor authentication. |
| Contractual agreements | Data Processing Agreements (DPAs) are in place with every provider. |
5. Data Transfers Outside Quebec
Some data may transit through servers located in the United States and the European Union. In compliance with Law 25, Call2Cash conducts a Privacy Impact Assessment (PIA) before any transfer outside Quebec. These transfers are governed by contractual agreements ensuring an adequate level of protection.
6. Data Retention & Deletion
Call2Cash applies the principle of minimal retention.
| Data Type | Duration | Method |
|---|
| Audio recordings | Max. 30 days | Automatic deletion |
| Transcriptions | Max. 30 days | Automatic deletion |
| Structured data | Transit only | Transmitted to client, not stored |
| Orchestration logs | Max. 30 days | Automatic expiration |
| Data at the client | Per client policy | Client’s responsibility |
7. Transparency & Artificial Intelligence
- Every voice agent identifies itself as an AI assistant at the beginning of the call.
- Callers are informed that the call may be recorded.
- No significant decision is made exclusively by the automated system without the possibility of human review.
- AI models operate in API mode with no data retention for training purposes.
8. Confidentiality Incident Management
In the event of an incident presenting a serious risk of harm, Call2Cash commits to:
- Taking immediate measures to contain the incident.
- Notifying the Commission d’accès à l’information du Québec (CAI).
- Notifying affected callers and the client.
- Recording the incident in the internal registry (kept for a minimum of 5 years).
- Coordinating the response with affected providers.
9. Your Rights
| Right | Description |
|---|
| Access | Obtain confirmation that personal information about you is held and receive a copy. |
| Rectification | Have any inaccurate or incomplete information corrected. |
| Deletion | Request the deletion of your personal information. |
| Portability | Obtain your information in a structured, commonly used format. |
| De-indexing | Request the cessation of dissemination in certain circumstances. |
10. Shared Responsibilities
| Call2Cash | The Client (Business) |
|---|
| Secure configuration of the technical pipeline | Securing its own systems (CRM, email) |
| Default privacy settings | Informing its callers about voice agent processing |
| PIA for transfers outside Quebec | Obtaining caller consent where required |
| Contractual agreements with providers | Retention and deletion of received data |
| Support in the event of an incident | Forwarding any access requests to Call2Cash |
11. Updates
This policy is reviewed at least annually or upon any significant change.
Last updated: April 2026
Contact: [email protected]
