Cloza Privacy Policy (California/CPRA & GDPR)

1) Information We Collect

We collect information in the following categories:

A. Account & Contact

• Name, business name, email (e.g., legal@usecloza.com / your login email), phone, password or passkey info, roles.

B. Service Use & Configuration

• AI crew templates, prompts/scripts, call flows, calendars you connect, routing rules, handoff settings.

C. Communications & Call Data

• Call/SMS/email metadata (time, duration, numbers/addresses, status) and, if you enable it, call recordings and transcripts (subject to consent—see §8).

D. Transaction & Billing

• Plan, invoices, payment method tokens (via our processor), and outcome events used for usage billing (e.g., `booking_confirmed`, `lead_verified`).

E. Technical & Usage

• Device/browser, IP address, identifiers, pages viewed, referral URLs, cookies, SDK logs, error and performance data.

F. Support & Feedback

• Messages you send to support, survey responses, beta feedback.

G. Integration Data (from third parties you connect)

• Examples: Google Calendar events/availability, Gmail headers/body (scoped), Slack channel/message metadata, Stripe Payment Links, telephony carrier events.

2) How We Use Information (Purposes)

We use personal information to:

1. Provide, maintain, and improve the Services, including AI crew operations.
2. Authenticate users; secure accounts; prevent abuse and fraud.
3. Power features such as answering, intake, scheduling, notifications, and human handoff.
4. Process payments and usage-based/outcome billing.
5. Provide support, troubleshoot, and analyze performance.
6. Send important notices (service changes, security, billing). You may opt out of non‑essential marketing messages.
7. Comply with law, enforce Terms, and protect our rights and users.

3) Our AI & Model Providers

• We use AI models to power voice, transcription, and reasoning. We may process your prompts, call audio, and outputs to operate features you enable.
• Model training: By default, Cloza does not use your Content to train Cloza models for others' benefit. If we offer an opt‑in program, we will clearly ask for your permission.
• Third‑party models: When we use third‑party models or speech providers, your data may be processed by them as our processors under contracts requiring confidentiality and security. Their privacy practices may also apply (e.g., for logs required to operate their service). Where available, we disable training on your data.

4) Legal Bases (EEA/UK only)

If you are in the EEA/UK, we process personal data on these legal bases: contract (to provide the Services), legitimate interests (safety, improvement, analytics), consent (where required, e.g., marketing cookies/recording notices), and legal obligation.

5) Sharing of Information

We share personal information with:

• Service Providers/Processors: cloud hosting, telephony carriers, payment processors, email/SMS gateways, analytics, logging, security, AI/speech providers, and customer support tools.
• Integrations You Connect: Google, Slack, Gmail, Stripe, etc., per your settings. You control these connections.
• Professional Advisors & Compliance: auditors, lawyers, regulators, or to comply with legal process.
• Business Transfers: in connection with a merger, acquisition, financing, or sale of assets, subject to this Policy.

We do not sell personal information for money. For California, see §7 regarding "sale or sharing" for cross‑context behavioral advertising.

6) Retention

We keep personal information only as long as necessary for the purposes above, to comply with law, resolve disputes, and enforce agreements. You can request deletion (subject to exceptions) via §11.

• Call recordings (if enabled) are retained per your settings; you can delete them in the product or by contacting support. Backups may persist for a limited time.
• Logs/telemetry are retained for a limited period for security and operations.

7) California Privacy (CPRA)

This section applies to California residents.

A. Notice at Collection — Categories

We collect identifiers, commercial information, internet activity, audio/electronic data (if enabled), inferences (limited, e.g., risk/abuse scores), and professional information, as described in §§1–2.

B. Sensitive Personal Information

We do not use or disclose sensitive personal information for purposes other than those permitted by Cal. Civ. Code §1798.121 (e.g., to provide the Services, ensure security, prevent fraud, or verify identity).

C. "Sale" or "Sharing"

We do not sell personal information for money. If we engage in cross‑context behavioral advertising that constitutes "sharing," you may opt out via cookie preferences or by contacting us at legal@usecloza.com.

D. Your CPRA Rights

• Right to Know/Access what we collect and how we use/share it.
• Right to Delete personal information (subject to exceptions).
• Right to Correct inaccurate data.
• Right to Opt Out of sale/sharing.
• Right to Limit use/disclosure of sensitive data.
• Non‑discrimination for exercising your rights.

To exercise rights, email privacy@usecloza.com or use in‑product tools. We may verify your request and, where applicable, respond within 45 days. Authorized agents may submit requests with proof of authority.

8) Call Recording, Transcription & Consent

• You control whether to record or transcribe calls. You are responsible for obtaining consent from all required parties (e.g., two‑party consent states like California). We provide tools to play a consent notice at call start and to disable recording when a caller declines.
• Do not collect payment card numbers or other sensitive data during recorded calls unless you have a lawful basis and appropriate safeguards.

9) Cookies & Analytics

We use cookies, local storage, and similar technologies for: authentication, settings, security, performance, and (with consent, where required) analytics and marketing.

• Manage preferences via the site's cookie banner or your browser settings. If you disable certain cookies, some features may not work.

10) Security

We use administrative, technical, and physical safeguards designed to protect personal information (e.g., encryption in transit, access controls, monitoring). No method is 100% secure. Report security issues to security@usecloza.com.

11) Your Choices & Rights

• Access, deletion, correction: Use in‑product tools or contact privacy@usecloza.com.
• Marketing communications: You can opt out using unsubscribe links or in settings.
• Recording: Toggle recording features; provide appropriate notices.
• Integrations: Connect only what you need; revoke access any time in your provider's console and in Cloza.

12) International Transfers

We are based in the United States and may process data in the U.S. and other countries. Where required, we use appropriate safeguards for cross‑border transfers (e.g., SCCs for EEA/UK).

13) Children

The Services are not directed to children under 13 (or 16 in the EEA/UK). We do not knowingly collect personal information from children.

14) Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will provide notice (e.g., via the Service or email) and update the Effective Date. Continued use after changes means you accept the updated Policy.

15) Contact Us

• Website: https://usecloza.com
• Email (general privacy): privacy@usecloza.com
• Email (legal): legal@usecloza.com
• Mail: Doppi, Inc., 447 Sutter Street Suite 506 #1154, San Francisco, CA 94108, USA

If you are in the EEA/UK and we appoint an EU/UK representative or DPO, we will update this section with their contact details.

16) Supplemental Terms

• Data Processing Addendum (DPA): Available for business customers on request; covers controller/processor roles, SCCs, and security.
• Telephony & Messaging Compliance: You must comply with applicable consent/notice rules (e.g., TCPA, Do‑Not‑Call, A2P 10DLC). See our Terms and Acceptable Use Policy.