Privacy Policy

OpusCall Inc. ("OpusCall," "we," "us," or "our") respects your privacy and is committed to protecting personal information. This Privacy Policy explains how we collect, use, disclose, store, and safeguard information when you use our AI receptionist platform, website (opuscall.ai), and related services (collectively, the "Services").

OpusCall Inc. is a corporation incorporated in Ontario, Canada, with its registered office in Richmond Hill, Ontario.

This policy is governed by Canadian privacy law, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Personal Health Information Protection Act, 2004 (PHIPA) for Ontario healthcare clients. Where applicable, it also reflects requirements under other Canadian provincial privacy laws and international privacy frameworks.

This policy applies to:

• Clinic customers (businesses that subscribe to OpusCall)
• End users (patients, callers, or members of the public who interact with an OpusCall AI agent)
• Website visitors (anyone browsing opuscall.ai)
• Prospective customers (people who contact us, sign up for a trial, or engage with our marketing)

OpusCall operates as a service provider to its clinic customers.

When a clinic uses OpusCall to handle patient calls, the clinic is the health information custodian under PHIPA (or equivalent under provincial law). The clinic determines what data is collected, why, and how long it is retained.

OpusCall acts as the clinic's agent and information processor. We process personal information and personal health information on the clinic's behalf, under contract.

For our own business operations (billing, marketing, account management), OpusCall is the data controller and is directly responsible for that information.

This distinction matters. If you are a patient and have questions about your health information, your first point of contact is your clinic. We support clinics in handling those requests, but the clinic owns the relationship.

4.1 Information You Provide Directly

When clinics sign up, we collect:

• Business name, address, and contact details
• Owner or admin name, email, and phone number
• Billing information (handled by Stripe, see Section 8)
• Clinic configuration data (hours, services, pricing, FAQs, knowledge base content)
• Any custom system instructions or scripts uploaded to the platform

4.2 Information Collected Through Calls

When an AI agent handles a call on behalf of a clinic, we may process:

• Caller's phone number
• Audio recording of the call
• Transcript of the conversation
• Information the caller provides during the call (name, reason for call, insurance details, appointment preferences, callback number, and similar)
• Call metadata (duration, time, outcome, transfer status)

This information is collected under the clinic's instructions and stored on the clinic's account.

4.3 Information Collected Automatically

When you visit our website or use our dashboard, we automatically collect:

• IP address and approximate location
• Browser type and device information
• Pages visited, time spent, and referral source
• Cookies and similar tracking technologies (see Section 12)

4.4 Information from Third Parties

We may receive information from:

• Stripe (payment confirmations, billing status)
• Twilio Canada (call routing data, phone number provisioning)
• Google or Microsoft (if you sign in using SSO or connect your calendar)

We collect and use information to:

• Provide and operate the Services
• Allow clinics to handle patient calls, bookings, and follow-ups
• Generate transcripts, summaries, and insights for clinics
• Process payments and manage subscriptions
• Provide customer support
• Improve the Services (in aggregated, de-identified form only)
• Detect and prevent fraud, abuse, and security incidents
• Comply with legal and regulatory obligations
• Communicate with customers about updates, billing, and support

We do not sell personal information. We do not use clinic data or patient data to train AI models.

Under PIPEDA, we process personal information based on:

• Consent (express or implied), provided by the individual or by the clinic acting on their behalf
• Contractual necessity (to deliver the Services)
• Legitimate business interests (security, fraud prevention, service improvement)
• Legal obligation (tax, regulatory, court orders)

For personal health information processed on behalf of clinics, the legal basis is the clinic's authority as the health information custodian under PHIPA or equivalent provincial law. Consent for the collection of patient information rests with the clinic and the patient.

7.1 Data Location

All customer and patient data is stored in Canada, on infrastructure hosted in:

• Amazon Web Services (AWS) Canada Central region (ca-central-1) for application data, recordings, and transcripts
• Supabase (Canadian region) for database services
• Twilio Canada for telephony and call routing

Data does not leave Canada in the normal course of operations. If you are an international customer (US or other), specific data residency arrangements will be disclosed in your customer agreement.

7.2 AI Processing

Our AI receptionist uses voice and language models from OpenAI, Google (Gemini), and our own proprietary voice models. Where third-party models are used, we configure them with enterprise data protection settings to limit retention and prevent training on customer data. Transient processing may occur in the model provider's infrastructure for the purpose of generating a response, after which the data is not retained by the model provider.

7.3 Security Measures

We use industry-standard safeguards, including:

• End-to-end encryption of calls in transit
• Encryption of data at rest
• Role-based access controls
• Regular security reviews and updates
• Passwordless authentication (magic-link or SSO) to reduce credential risk
• Audit logs for sensitive actions

No system is perfectly secure. We cannot guarantee absolute security, but we work continuously to protect the information entrusted to us.

We work with a limited number of trusted third parties to operate the Services. Each is bound by contract to protect personal information and use it only for the purposes we authorize.

• Amazon Web Services (AWS) — Application hosting and storage. Data location: Canada (ca-central-1).
• Supabase — Database and authentication. Data location: Canada.
• Twilio Canada — Telephony, SMS, and phone numbers. Data location: Canada.
• OpenAI — AI language and voice processing. Transient processing only, no retention.
• Google (Gemini) — AI language and voice processing. Transient processing only, no retention.
• Stripe — Payment processing. PCI-DSS compliant. Data location: Canada and United States.

We may update this list from time to time. Material changes will be communicated to clinic customers in advance.

• Call recordings and transcripts: Retained for 30 days, then automatically deleted unless exported by the clinic.
• CRM contacts and call summaries: Retained for the duration of the clinic's account. Deleted on request.
• Account and billing records: Retained for 7 years after account closure, in accordance with Canadian tax law.
• Website analytics and cookies: Retained for up to 24 months.
• Marketing contacts: Retained until you unsubscribe or request deletion.

Clinics can export their data at any time. Patients should contact their clinic for access, correction, or deletion of their personal health information.

We do not sell or rent personal information.

We may disclose information only in these limited cases:

• To clinic customers: Patient call data is shared with the clinic on whose behalf the call was handled.
• To service providers: As listed in Section 8, under strict contractual obligations.
• For legal compliance: When required by law, court order, subpoena, or to respond to lawful government requests.
• To protect rights or safety: To prevent fraud, abuse, or imminent harm.
• In a business transfer: If OpusCall is involved in a merger, acquisition, or sale, your information may be transferred. We will notify customers in advance.

Depending on where you live, you may have the right to:

• Access the personal information we hold about you
• Correct inaccurate or incomplete information
• Delete your information (subject to legal retention requirements)
• Withdraw consent for marketing communications
• Lodge a complaint with a privacy regulator

To exercise these rights, contact us at hello@opuscall.ai. If you are a patient of a clinic that uses OpusCall, please contact your clinic first, as they are the custodian of your health information.

We will respond to verified requests within 30 days.

Our website uses cookies and similar technologies to:

• Keep you signed in
• Remember your preferences
• Measure website traffic and performance
• Improve the user experience

You can disable cookies in your browser settings. Some features of the Services may not work without them.

We do not use third-party advertising cookies or sell browsing data.

OpusCall is intended for use by businesses, not by children directly. However, healthcare clinics that use OpusCall may collect appointment information for pediatric patients. In those cases:

• The clinic is responsible for obtaining appropriate consent from a parent or legal guardian
• OpusCall processes that information only on the clinic's instructions
• We apply the same security and retention standards to all patient data, regardless of age

We do not knowingly collect personal information directly from children under 13 through our website or marketing channels. If you believe a child has provided us information directly, please contact us and we will delete it.

OpusCall is currently focused on the Canadian market. If you access the Services from outside Canada (including the United States), your information may be transferred to and processed in Canada.

As we expand internationally, we will update this policy and provide region-specific terms where required (including under GDPR, CCPA, and other applicable laws).

OpusCall may be used by businesses outside the healthcare sector. For non-healthcare customers, PHIPA does not apply, but PIPEDA and applicable provincial privacy laws still govern the handling of personal information. The protections in this policy apply equally to all customers.

We may update this Privacy Policy from time to time. When we make material changes:

• We will update the "Last Updated" date at the top
• We will notify customers by email or through the dashboard
• We will provide reasonable notice before changes take effect

Continued use of the Services after changes are posted constitutes acceptance of the updated policy.

For privacy questions, requests, or complaints:

• OpusCall Inc. — Privacy Officer
• Richmond Hill, Ontario, Canada
• Email: hello@opuscall.ai

If you are not satisfied with our response, you may file a complaint with:

• Office of the Privacy Commissioner of Canada (OPC) — priv.gc.ca
• Information and Privacy Commissioner of Ontario (IPC) — ipc.on.ca
• The privacy regulator in your province or country

This Privacy Policy describes our practices in good faith. It is not a substitute for legal advice. OpusCall is designed to support clinics in meeting their privacy obligations under PHIPA, PIPEDA, and applicable provincial health privacy laws. Final compliance responsibility rests with the clinic as the health information custodian.