Privacy Policy

Overview

VOX provides a virtual phone system for Canadian small business. We process personal information as a service provider to your organization and, where applicable, as a data controller for account and billing data. This policy summarizes our practices under PIPEDA and applicable provincial privacy law.

Information we collect

• Account details (name, email, organization profile, team roles)
• Call metadata (direction, duration, numbers, timestamps, recording references)
• SMS/MMS content and delivery status required for the shared inbox
• Voicemail audio, transcriptions when enabled, and playback logs
• Contact records, consent type, consent source, and opt-out timestamps you store
• E911 emergency address data associated with purchased numbers
• Billing and subscription information processed via Stripe (we do not store full card numbers)
• Technical logs (IP address, browser type, error reports via Sentry when enabled)
• Optional analytics page views if you accept our cookie banner (PostHog)

Lawful basis and purpose

We process personal information to deliver the contracted phone service, prevent fraud and abuse, meet billing obligations, and comply with telecommunications and privacy law. For customer end-users (callers and texters), your organization determines the primary purpose of collection; VOX acts as a service provider processing data on your instructions.

How we use information

We use data to provide telephony, messaging, voicemail, IVR, team routing, billing, support, security monitoring, and legal compliance. We do not sell personal information.

CASL and commercial messages

Your organization is responsible for obtaining appropriate consent before sending commercial electronic messages through VOX under Canada's Anti-Spam Legislation (CASL). VOX helps you comply by tracking consent on contact records, honouring STOP/unsubscribe keywords on inbound SMS, and optionally appending a CASL footer (business name, sender number, and opt-out instructions) on the first outbound SMS in each conversation.

Implied consent may apply in limited circumstances (existing business relationship, conspicuous publication with no opt-out). When in doubt, obtain express consent and record it in VOX.

Retention and storage

Call logs, messages, voicemails, and recordings are retained for the life of your subscription unless you delete them or submit a privacy request. Voicemail and call recordings may be archived to secure storage in Supabase (Montreal region). You can export contact and consent data from Settings → Privacy. We delete or anonymize data within 30 days of a verified deletion request, subject to legal retention requirements.

Cross-border processing

Primary database hosting is in Canada (Supabase Montreal). Twilio, Stripe, Vercel, Resend, and Sentry may process data in the United States under contractual safeguards. We select providers that offer data processing agreements appropriate for Canadian business customers.

Your rights (PIPEDA)

Under PIPEDA, individuals have the right to access, correct, and challenge the accuracy of personal information held about them. Organization administrators can submit export or deletion requests in Settings → Privacy. Data subjects may also contact their organization directly or reach us at hello@voxtech.app for platform-level inquiries. We respond to verified requests within 30 days.

Security

Access to tenant data is isolated by organization (row-level security). Passwords are hashed by Supabase Auth. Webhook endpoints validate Twilio signatures. Production error monitoring via Sentry is optional and does not include message body content by default.

Sub-processors

We rely on infrastructure and communications providers including Supabase (database, auth), Twilio (telephony and SMS), Stripe (billing), and Vercel (hosting). Data is stored in Canada where configured for Supabase Montreal region.