Effective Date: December 21, 2025
Last Updated: December 21, 2025

1. Introduction

This Privacy Policy describes how Instinct Growth Solutions ("we," "us," or "our") collects, uses, discloses, and protects personal information when providing AI-powered communication services, including SMS, WhatsApp, and voice AI systems to B2C companies and their customers.

We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR), Canada's Anti-Spam Legislation (CASL), the Telephone Consumer Protection Act (TCPA), CAN-SPAM Act, state privacy laws (including CCPA/CPRA and other comprehensive state privacy laws), and Application-to-Person (A2P) messaging protocols.

2. Information We Collect

2.1 Information Collected from End Users

When you interact with our AI systems on behalf of our clients, we may collect:

Contact Information: Phone numbers, email addresses, names

Communication Data: Content of SMS messages, WhatsApp messages, and voice conversations

Interaction Data: Timestamps, conversation history, response patterns, engagement metrics

Technical Data: Device information, IP addresses, browser type, operating system

Preference Data: Communication preferences, opt-in/opt-out status, language preferences

2.2 Information Collected from Business Clients

Company information and business contact details

Customer lists and contact databases

Campaign specifications and messaging content

Account credentials and authentication data

Billing and payment information

Usage analytics and performance metrics

3. Legal Basis for Processing (GDPR)

We process personal data based on the following legal grounds:

Consent: When you explicitly opt-in to receive communications

Legitimate Interests: To improve our services, prevent fraud, and ensure system security

Contractual Necessity: To fulfill our obligations to business clients

Legal Obligations: To comply with applicable laws and regulations

4. How We Use Your Information

4.1 Service Delivery

Facilitate AI-powered conversations via SMS, WhatsApp, and voice systems

Route leads to sales teams or schedule appointments

Provide automated responses and customer support

Analyze conversation quality and system performance

4.2 Communication Management

Process opt-in and opt-out requests

Maintain do-not-contact lists

Verify consent status before sending messages

Track delivery status and engagement metrics

4.3 Service Improvement

Train and improve AI models and algorithms

Analyze conversation patterns for better responses

Generate aggregate analytics and insights

Conduct quality assurance and system testing

4.4 Compliance and Security

Maintain audit logs for compliance verification

Detect and prevent fraud or abuse

Respond to legal requests and enforce our terms

Protect the security and integrity of our systems

5. Consent and Opt-In Requirements (CASL Compliance)

5.1 Express Consent

We only send commercial electronic messages (CEMs) when:

You have provided clear, explicit consent to receive messages

Consent was obtained before sending any commercial messages

The nature and purpose of messages were clearly disclosed

You were informed of your right to withdraw consent at any time

5.2 Consent Records

We maintain detailed records of consent, including:

Date and time of consent collection

Method of consent collection

Specific messages consented to

Identification of the person who provided consent

5.3 Opt-Out Mechanism

Every commercial message includes:

Clear unsubscribe instructions

A functioning opt-out mechanism (reply STOP or similar)

Processing of opt-out requests within 10 business days

No fees or barriers to unsubscribe

5A. US Telecommunications Compliance (TCPA & CAN-SPAM)

5A.1 TCPA Compliance for SMS and Voice Calls

We comply with the Telephone Consumer Protection Act (TCPA), which regulates telemarketing calls and text messages to protect consumers from unwanted communications.

Prior Express Written Consent Required:

We obtain prior express written consent before sending marketing SMS messages or making marketing calls using automated systems

Consent clearly authorizes us or our clients to contact you using automated technology

Consent specifies the phone number(s) to be contacted

Consent is obtained in writing (including electronic forms with e-signatures)

Consent Requirements:

One-to-one consent: Consent must be specific to individual sellers, not blanket consent for multiple marketers

Cannot be a condition of purchase unless directly related to the product/service

Must include clear disclosure that consent is not required for purchase (where applicable)

Opt-Out Rights (Effective April 11, 2025): You may revoke consent through any reasonable means, including replying with informal messages like "Leave me alone," sending emails, or leaving voicemails

We process opt-out requests within 10 business days

We send only ONE confirmation message after your opt-out request

Opt-out requests can be made through SMS, email, voicemail, or other reasonable communication methods

Calling Time Restrictions: We only send messages or make calls between 8 AM and 9 PM in your local time zone

Reassigned Numbers: We use the FCC's Reassigned Numbers Database to avoid contacting numbers that have been reassigned to new users

5A.2 WhatsApp Messaging Compliance

While WhatsApp messages use internet protocol (IP) rather than cellular networks, we treat WhatsApp marketing with the same compliance rigor as SMS

WhatsApp-Specific Requirements:

Explicit opt-in consent obtained before any WhatsApp marketing messages

Use of WhatsApp Business API or official WhatsApp Business platforms only

Compliance with WhatsApp's Commerce and Business Policies

Clear opt-out mechanisms provided in every marketing message

Records maintained of all consent obtained, including how, when, and what was consented to

Important Note: While the TCPA technically does not apply to WhatsApp messages because they use IP connectivity rather than telephone networks, we follow best practices and obtain proper consent to ensure ethical marketing practices.

5A.3 CAN-SPAM Act Compliance (Email)

When we send commercial emails on behalf of our clients:

We never use false or misleading header information

Subject lines accurately reflect the content of the message

We identify the message as an advertisement where appropriate

We include our valid physical postal address

We provide a clear and conspicuous opt-out mechanism

We honor opt-out requests within 10 business days

We monitor what others do on our behalf (if we hire companies to handle email marketing)

5A.4 Lead Generation and Third-Party Consent

We do not participate in deceptive lead generation practices

When working with comparison shopping websites or lead generators, we ensure one-to-one consent is obtained for each seller

We verify that consent obtained through third parties meets all legal requirements

We do not use consent obtained through hidden hyperlinks or unclear disclosures

6. A2P Messaging Compliance

We comply with Application-to-Person (A2P) messaging standards by:

Registering our services with mobile carriers and messaging platforms

Following platform-specific content and delivery policies

Implementing proper sender identification

Maintaining message throughput limits and delivery standards

Monitoring for spam reports and adjusting sending practices

Using approved message templates for WhatsApp Business API

Adhering to character limits and formatting guidelines

7. Data Sharing and Disclosure

7.1 With Business Clients

We share conversation data and lead information with our business clients who engage our services. Clients are responsible for their own use of this data and must comply with applicable privacy laws.

Our Role as Data Processor: When processing personal data on behalf of our business clients, we act as a data processor. Our clients remain the data controllers responsible for the lawful collection and use of end-user data. We process client data strictly according to their documented instructions and our contractual obligations.

7.2 With Service Providers

We may share data with trusted third-party providers who assist us with:

Cloud hosting and infrastructure (AWS, Google Cloud, Azure, etc.)

SMS and WhatsApp delivery platforms (Twilio, MessageBird, etc.)

Voice AI services and telephony providers

Payment processing and billing

Analytics and monitoring tools

All service providers are contractually bound to protect your data and use it only for specified purposes.

7.3 Legal Requirements

We may disclose information when required by law, court order, or legal process, or to protect our rights, property, or safety.

7.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity.

8. International Data Transfers

We may transfer personal data outside your country of residence, including to countries that may not provide the same level of data protection. When we do:

We implement appropriate safeguards such as Standard Contractual Clauses (SCCs)

We ensure recipients are bound by adequate data protection obligations

For EU residents, we comply with GDPR transfer requirements

9. Data Retention

We retain personal data for as long as necessary to:

Fulfill the purposes outlined in this policy

Comply with legal and regulatory requirements

Resolve disputes and enforce our agreements

Typical retention periods:

Active conversation data: Duration of engagement plus 30 days

Opt-out lists: Permanently maintained to honor preferences

Consent records: 3 years from last interaction (CASL requirement)

Analytics and aggregated data: Up to 2 years

Account and billing data: 7 years for tax and accounting purposes

10. Your Rights

10.1 Rights for All Users

Opt-Out: Unsubscribe from messages at any time by replying STOP or using provided unsubscribe links

Access: Request information about data we hold about you

Correction: Request correction of inaccurate personal data

Deletion: Request deletion of your personal data (subject to legal retention requirements)

10.2 Additional Rights for EU/UK Residents (GDPR)

Portability: Receive your data in a structured, machine-readable format

Restriction: Request restriction of processing in certain circumstances

Objection: Object to processing based on legitimate interests

Withdraw Consent: Withdraw consent at any time where processing is based on consent

Lodge a Complaint: File a complaint with your local data protection authority

10.3 Additional Rights for Canadian Residents (CASL)

Withdraw Consent: Withdraw consent at any time for commercial electronic messages

Access Consent Records: Request information about how and when consent was obtained

10.4 Additional Rights for US Residents (State Privacy Laws)

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, Iowa, Montana, Oregon, Texas, Delaware, Florida, Indiana, Tennessee, New Hampshire, New Jersey, Nebraska, Kentucky, Maryland, Minnesota, or Rhode Island, you may have additional rights under your state's privacy law:

Universal Rights Across Most State Laws:

Right to Know: Confirm whether we process your personal data and access that data

Right to Delete: Request deletion of personal data we have collected from you

Right to Correct: Request correction of inaccurate personal data

Right to Opt-Out: Opt-out of:

Sale of personal data

Sharing of personal data for targeted advertising

Profiling in furtherance of decisions that produce legal or similarly significant effects

Right to Data Portability: Receive a copy of your personal data in a portable format (some states)

Right to Non-Discrimination: Not be discriminated against for exercising your privacy rights

California-Specific Rights (CCPA/CPRA):

Right to limit use and disclosure of sensitive personal information

Right to opt-out of automated decision-making technology

Right to request information about financial incentives offered

Private right of action for certain data breaches

Additional State-Specific Rights: Some states provide additional rights such as:

Oregon: Right to obtain a list of specific third parties to whom data was disclosed

Florida: Right to opt-out of collection via voice or facial recognition

Indiana: Right to obtain a representative summary of personal data

How to Exercise Your State Privacy Rights: To exercise any of these rights, contact us at [privacy email] or call [toll-free number]. We will respond to verifiable requests within 45 days (or as required by your state law). We may need to verify your identity before processing your request.

Authorized Agents: You may designate an authorized agent to make requests on your behalf. We will require verification of the agent's authority.

Appeals Process: If we deny your request, you have the right to appeal that decision. Appeals should be submitted to [appeals email] within [timeframe per state law].

11. Data Security

We implement industry-standard security measures to protect personal data:

Encryption of data in transit (TLS/SSL) and at rest (AES-256)

Access controls and authentication mechanisms

Regular security audits and vulnerability assessments

Employee training on data protection practices

Incident response and breach notification procedures

Secure data centers with physical and logical safeguards

11.1 API Security and Data Protection

Our secure API infrastructure ensures client data is protected through:

Authenticated Access: All API connections require secure authentication tokens with role-based access controls

Encrypted Transmission: End-to-end encryption for all data transmitted via API (TLS 1.3)

Rate Limiting: Protection against unauthorized access attempts and DDoS attacks

API Activity Logging: Comprehensive audit trails of all data access and processing activities

Data Isolation: Strict segregation of client data with multi-tenant security architecture

Secure Key Management: Encryption keys stored in hardware security modules (HSMs) or secure key management services

Zero-Knowledge Architecture: Where possible, data is processed without persistent storage

Minimal Data Access: Employees have access only to data necessary for their specific roles

11.2 Client Data Processing Safeguards

When processing data on behalf of our clients:

Contractual Protections: Data Processing Agreements (DPAs) with all clients outlining security obligations

Purpose Limitation: Client data used only for explicitly authorized purposes

No Secondary Use: We do not use client data for our own marketing or sell it to third parties

Confidentiality Obligations: All personnel sign confidentiality and non-disclosure agreements

Data Minimization: We collect and process only the minimum data necessary for service delivery

Automated Deletion: Client data automatically purged after retention periods or upon contract termination

Client Control: Clients can request deletion of their data at any time

Breach Notification: Immediate notification to affected clients in case of any security incident (within 24-72 hours)

11.3 Compliance Certifications and Standards

We maintain rigorous security standards through:

SOC 2 Type II compliance (if applicable - add actual certifications)

ISO 27001 Information Security Management (if applicable)

Annual third-party security audits and penetration testing

Regular vulnerability scanning and patch management

Compliance with OWASP Top 10 security standards

Industry-specific security frameworks for telecommunications and messaging

11.4 Business Continuity and Disaster Recovery

Redundant data backups across geographically distributed locations

Regular backup testing and recovery drills

Business continuity plan with defined recovery time objectives (RTO)

Failover systems to ensure service availability

12. Children's Privacy

Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly.

13. Voice AI and Recording

When you interact with our voice AI systems:

Calls may be recorded for quality assurance, training, and compliance purposes

You will be notified at the beginning of the call if recording is occurring

Voice recordings are stored securely and retained according to our retention policy

Transcripts may be generated and stored for analysis purposes

14. Automated Decision-Making

Our AI systems may make automated decisions, such as:

Routing conversations to appropriate agents

Qualifying leads based on responses

Scheduling appointments based on availability

Providing automated responses to common inquiries

You have the right to request human review of automated decisions that significantly affect you.

15. Cookie Policy

Our web interfaces may use cookies and similar technologies. You can control cookie preferences through your browser settings. Essential cookies necessary for service functionality cannot be disabled.

16. Third-Party Links

Our services may contain links to third-party websites or platforms. We are not responsible for the privacy practices of these third parties. Please review their privacy policies separately.

17. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will notify you of material changes by:

Posting the updated policy on our website

Sending notification via email or SMS (for significant changes)

Updating the "Last Updated" date at the top of this policy

Continued use of our services after changes constitutes acceptance of the updated policy.

18. Contact Us

To exercise your privacy rights, ask questions, or raise concerns:

Instinct Growth Solutions
Email: [email protected]

19. Supervisory Authorities

EU/UK Residents:
You have the right to lodge a complaint with your local data protection authority. A list of EU authorities is available at: https://edpb.europa.eu/about-edpb/board/members_en

Canadian Residents:
Office of the Privacy Commissioner of Canada
Website: https://www.priv.gc.ca
Phone: 1-800-282-1376

US Residents:
While there is no federal data protection authority, you may file complaints with:

Federal Trade Commission (FTC): For unfair or deceptive practices - https://www.ftc.gov

Federal Communications Commission (FCC): For TCPA violations - https://www.fcc.gov

State Attorneys General: Your state's Attorney General enforces state privacy laws

California Privacy Protection Agency (CPPA): For California residents - https://cppa.ca.gov

19A. US State-Specific Disclosures

19A.1 California Residents (CCPA/CPRA)

Categories of Personal Information We Collect:

Identifiers (name, phone number, email address)

Commercial information (interaction history, lead status)

Internet activity (device information, IP addresses)

Audio, electronic, or similar information (voice recordings, message content)

Inferences drawn from the above to create consumer profiles

Business or Commercial Purposes for Collection:

Providing AI-powered communication services

Lead qualification and appointment scheduling

Service improvement and analytics

Fraud prevention and security

Categories of Third Parties We Share With:

Business clients who engage our services

Service providers (cloud hosting, messaging platforms, analytics)

Legal authorities when required by law

Sale and Sharing of Personal Information: We do not "sell" personal information in the traditional sense. However, under California law, sharing data for targeted advertising may be considered a "sale" or "sharing." If applicable, you have the right to opt-out.

Retention Period: We retain personal information for as long as necessary to fulfill purposes outlined in this policy, typically no longer than [specify retention period].

Do Not Sell or Share My Personal Information: California residents can opt-out by [describe opt-out method - link, email, phone].

Shine the Light Law: California residents may request information about disclosure of personal information to third parties for direct marketing purposes once per year.

19A.2 Nevada Residents

Nevada residents have the right to opt-out of the "sale" of certain covered information. We do not currently sell covered information as defined by Nevada law. If you wish to exercise this right, contact us at [privacy email].

19A.3 Additional State Notices

For residents of Virginia, Colorado, Connecticut, Utah, Montana, Oregon, and other states with comprehensive privacy laws:

We process personal data for the business purposes described in this policy. You have rights to access, delete, correct, and obtain a copy of your data, as well as opt-out of targeted advertising and sales. Exercise these rights by contacting [privacy contact].

State-Specific Applicability Thresholds: Our services may be subject to state privacy laws based on various thresholds, including number of consumers whose data we process and our revenue. We comply with applicable state laws where we meet the threshold requirements.

20. Data Processing Agreements

For our business clients, we enter into comprehensive Data Processing Agreements (DPAs) that include:

Detailed description of processing activities and purposes

Duration of processing and data retention terms

Security measures and technical safeguards

Sub-processor disclosure and approval requirements

Data breach notification procedures

Client audit rights and inspection provisions

Terms for data deletion or return upon contract termination

Liability and indemnification provisions

Cross-border data transfer mechanisms

Clients may request our standard DPA template or propose their own for review.

21. Transparency and Trust

21.1 Our Commitments to Clients

No Data Selling: We never sell, rent, or trade client or end-user data to third parties

Purpose-Specific Processing: Data is used only for the specific services requested by clients

Transparent Sub-Processors: We maintain an up-to-date list of all sub-processors and service providers

Client Data Ownership: Clients retain full ownership of their data and end-user information

Portability Support: We assist clients in exporting their data in standard formats upon request

Security First Culture: Continuous investment in security training, tools, and infrastructure

21.2 Regular Security Reporting

We provide clients with:

Quarterly security posture reports

Incident reports (if any) with remediation actions

Updated sub-processor lists

Compliance certification renewals

Annual security assessment summaries

21.3 Transparency Requests

We publish an annual transparency report detailing:

Number of government data requests received

Number of requests complied with or challenged

Types of data requested

Jurisdictions of the requesting authorities

Acknowledgment: By using our services or providing consent to receive communications, you acknowledge that you have read and understood this Privacy Policy.