PIPEDA Statement

This PIPEDA Statement explains how OpusCall Inc. ("OpusCall," "we," "us," or "our") handles personal information in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal privacy law for private-sector organizations.

PIPEDA governs how we collect, use, disclose, store, and protect personal information in the course of commercial activities. This Statement applies to:

• Customers who use the OpusCall platform
• Patients, callers, and members of the public who interact with an OpusCall AI agent
• Visitors to opuscall.ai
• Any other individuals whose personal information OpusCall handles

For Ontario healthcare clinics, this Statement should be read alongside our PHIPA Statement, which addresses the handling of personal health information in greater detail.

OpusCall is committed to protecting personal information in accordance with PIPEDA's ten fair information principles:

1. Accountability
2. Identifying Purposes
3. Consent
4. Limiting Collection
5. Limiting Use, Disclosure, and Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual Access
10. Challenging Compliance

Each of these principles is reflected in how we operate the Services, train our team, and design our platform.

OpusCall is responsible for the personal information under our control. We have designated a Privacy Officer who is accountable for compliance with PIPEDA and this Statement.

For privacy questions or concerns, contact:

• OpusCall Inc. — Privacy Officer
• Richmond Hill, Ontario, Canada
• Email: hello@opuscall.ai

We use written agreements and contractual safeguards with our service providers (sub-processors) to ensure they protect personal information transferred to them for processing.

We identify the purposes for collecting personal information at or before the time it is collected. The main purposes include:

• Providing and operating the Services
• Handling inbound calls, bookings, and follow-ups on behalf of customers
• Generating call summaries, transcripts, and insights for customers
• Processing payments and managing subscriptions
• Communicating with customers about updates, billing, and support
• Improving the Services in aggregated and de-identified form
• Detecting and preventing fraud, abuse, and security incidents
• Complying with legal and regulatory obligations

If we ever need to use personal information for a new purpose not described in this Statement or our Privacy Policy, we will obtain consent before doing so.

We collect, use, and disclose personal information based on consent, which may be:

• Express consent: Provided directly by the individual (for example, when a customer signs up for an account or a caller voluntarily shares information during a call).
• Implied consent: Reasonably inferred from the individual's actions or from the circumstances (for example, a patient calling a clinic to book an appointment).
• Consent through the customer: When OpusCall processes personal information on behalf of a customer (such as a clinic), the customer is responsible for obtaining valid consent from the individuals whose information is collected.

Individuals may withdraw consent at any time, subject to legal or contractual restrictions. Withdrawing consent may affect our ability to provide the Services.

We collect only the personal information that is necessary for the purposes identified.

We do not collect more information than is needed. Information collected during calls is limited to what is reasonably required to handle the call, complete the booking, or address the caller's request.

We collect personal information through fair and lawful means.

7.1 Use

Personal information is used only for the purposes for which it was collected, or for a related purpose, unless we obtain additional consent or are required by law.

We do not use personal information to train AI models.

7.2 Disclosure

We do not sell or rent personal information.

We disclose personal information only:

• To the customer on whose behalf the information was collected
• To our service providers under strict contractual obligations
• When required by law (court order, subpoena, lawful government request)
• To prevent fraud, abuse, or imminent harm
• In connection with a business transfer (merger, acquisition, sale), with notice

7.3 Retention

We retain personal information only as long as necessary to fulfill the identified purposes or as required by law:

• Call recordings and transcripts: 30 days, then automatically deleted unless exported by the customer
• CRM contacts and call summaries: retained for the duration of the customer's account
• Account and billing records: retained for 7 years after account closure (Canadian tax law)
• Marketing contacts: retained until the individual unsubscribes or requests deletion

When personal information is no longer needed, we delete or anonymize it in a secure manner.

We take reasonable steps to keep personal information accurate, complete, and up to date for the purposes for which it is used.

Customers can update their account information directly through the dashboard. Individuals can request corrections by contacting us at hello@opuscall.ai.

For information held on behalf of a customer (such as patient records), corrections should be requested directly from the customer (the clinic or business that owns the record).

We protect personal information using safeguards appropriate to its sensitivity. These include:

• Physical safeguards: Hosting infrastructure in secure, certified data centres in Canada.
• Technical safeguards: Encryption of data in transit and at rest, role-based access controls, passwordless authentication, audit logs, and regular security reviews.
• Administrative safeguards: Privacy and security training for our team, written agreements with service providers, and internal policies governing access to personal information.

We continuously review and improve our safeguards. No system is perfectly secure, but we work to ensure that personal information is protected against loss, theft, unauthorized access, disclosure, copying, use, or modification.

We make information about our privacy practices readily available. Our Privacy Policy, PHIPA Statement, and this PIPEDA Statement are published on opuscall.ai and updated as our practices evolve.

We are happy to answer questions about our privacy practices. Contact hello@opuscall.ai.

Individuals have the right to:

• Access the personal information we hold about them
• Be informed of how it is being used and to whom it has been disclosed
• Challenge the accuracy of the information and have it corrected

To make a request, contact hello@opuscall.ai. We will respond to verified requests within 30 days, as required by PIPEDA.

In limited circumstances, we may not be able to provide access (for example, if doing so would reveal information about a third party, breach legal privilege, or compromise security). If we deny a request, we will explain why and inform the individual of their right to challenge the decision.

For information held on behalf of a customer, individuals should contact the customer directly. OpusCall will support customers in responding to such requests.

If you have concerns about how we handle personal information, please contact our Privacy Officer:

• OpusCall Inc. — Privacy Officer
• Richmond Hill, Ontario, Canada
• Email: hello@opuscall.ai

We will investigate all complaints. If a complaint is found to be justified, we will take appropriate steps to resolve it, including correcting our practices and policies if necessary.

If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada (OPC):

• Website: priv.gc.ca
• Phone: 1-800-282-1376

You may also have the right to file a complaint with the privacy regulator in your province or jurisdiction.

OpusCall stores personal information in Canada. We do not transfer personal information outside of Canada in the normal course of operations.

If we ever need to transfer personal information internationally (for example, as we expand into the United States or other markets), we will:

• Provide notice to affected individuals or customers
• Use appropriate contractual and technical safeguards
• Comply with applicable cross-border data transfer requirements under PIPEDA and other applicable laws

We use cookies and similar technologies on opuscall.ai to operate the website, remember preferences, and measure performance. We do not use third-party advertising cookies or sell browsing data.

For more information, see Section 12 of our Privacy Policy.

We may update this PIPEDA Statement from time to time. When we make material changes:

• We will update the "Last Updated" date at the top
• We will notify customers by email or through the dashboard
• We will provide reasonable notice before changes take effect

Continued use of the Services after changes are posted constitutes acceptance of the updated Statement.

For questions about this PIPEDA Statement or our privacy practices:

• OpusCall Inc. — Privacy Officer
• Richmond Hill, Ontario, Canada
• Email: hello@opuscall.ai

This PIPEDA Statement describes our practices in good faith and is not a substitute for legal advice. OpusCall complies with PIPEDA in our handling of personal information. Customers using OpusCall remain responsible for their own compliance with PIPEDA and any other privacy laws applicable to their business.