# Privacy Policy
**Last Updated: May 13, 2026**
iMash, Inc. (“iMash,” “we,” “us,” or “our”) is a Florida-headquartered company (Miami) providing AI-powered voice, SIP (Session Initiation Protocol), CRM, and workflow-automation services on a multi-tenant Software-as-a-Service (“SaaS”) platform (collectively, the “Services”).
This Privacy Policy describes how we collect, use, share, retain, and protect personal information when you visit our websites (including `imash.io` and tenant white-label domains operating on our platform), use the Services, or otherwise interact with us. It also describes the rights and choices available to individuals whose personal information we process.
This Privacy Policy is incorporated into and forms part of our [Terms of Service](./terms-of-service.md). Our security practices, certifications, and current sub-processor list are published at our trust center: `https://dashboard.imash.io/security`.
By accessing our websites or using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please do not use the Services.
—
## 1. Scope and Roles (Controller vs. Processor)
iMash plays different privacy roles depending on the data involved:
– **iMash as Controller.** With respect to information collected directly from website visitors, prospects, customer account contacts (such as administrators, agents, and billing contacts), and our own marketing, support, and operational data, iMash is the **controller** (or “business” under U.S. state laws) and this Privacy Policy governs.
– **iMash as Processor / Service Provider.** With respect to content and metadata that our customers ingest, store, transmit, or generate through the Services on behalf of their own end users (for example: call audio, transcripts, CRM records, contact lists, messages, AI prompts and outputs, and similar “Customer Data”), iMash acts as a **processor** (or “service provider” under U.S. state laws). The customer is the controller. End users with questions or requests about Customer Data should first contact the customer (the controller) directly. iMash will assist customers in responding to data subject requests as required by applicable law and the parties’ data processing agreement (“DPA”).
When you are an end user of a customer’s white-label or branded deployment, the customer’s own privacy notice (not this one) generally governs the processing of your personal data carried out through that customer’s instance.
—
## 2. Information We Collect
### 2.1 Information You Provide
– **Contact and account information** (name, business email, phone number, company, role, login credentials, profile photo).
– **Billing information** (billing contact, billing address, last four digits of payment card and card brand, tax ID; full payment card data is collected and stored by our payment processor, not by iMash).
– **Communications** (messages you send us through web forms, support tickets, email, chat, or telephone, including transcripts and recordings of those communications).
– **Service configuration data** (AI assistant prompts, smart-flow nodes, dispatch rules, telephony configuration, integrations and credentials, custom variables, and similar settings).
– **Customer Data** uploaded or otherwise submitted to the Services by you or your organization.
### 2.2 Information Collected Automatically
– **Usage data** (pages and features used, clicks, session duration, referrer, search terms, error logs).
– **Device and log data** (IP address, browser type and version, operating system, device identifiers, time zone, language, crash reports).
– **Mobile data** if you use our mobile applications (including the technician application), such as device model, OS version, and crash diagnostics.
– **Approximate location** (derived from IP address). Precise device-level location is collected only where the technician application is used and only with the user’s operating-system-level location permission.
– **Cookies and similar technologies.** We use first- and third-party cookies, local storage, pixels, and SDKs for authentication, session management, security, preferences, analytics, and limited marketing. You can manage cookies through your browser and, where required, through our cookie consent banner / preference center.
### 2.3 Information from Third Parties
We may receive information from identity providers (e.g., Supabase Auth, single sign-on), payment processors (Stripe), enrichment vendors, CRM importers, telecom carriers, and integration partners (such as messaging platforms and calendar providers) where you authorize the connection.
### 2.4 AI Inputs and Outputs
When the Services generate or process AI-driven content (e.g., voice agent conversations, transcriptions, summaries, lead extraction, or workflow outputs), the underlying inputs and outputs are treated as Customer Data and routed to the AI sub-processors selected and configured by the customer. See Section 7 (AI-Specific Disclosures).
—
## 3. How We Use Information
We use personal information to:
– Provide, operate, maintain, secure, and improve the Services.
– Authenticate users, provision accounts, and enforce tenant isolation.
– Process payments, manage subscriptions, calculate usage-based fees, and prevent billing fraud.
– Provide customer support and respond to inquiries.
– Send service-related communications (security alerts, billing notices, policy changes, and similar transactional messages, which are not subject to opt-out).
– Send marketing communications about iMash products and features, where permitted, with the ability to opt out at any time.
– Monitor performance, debug, conduct analytics, and develop new features.
– Detect, investigate, and prevent fraud, abuse, security incidents, and violations of our [Terms of Service](./terms-of-service.md).
– Comply with legal obligations and enforce our agreements.
– Carry out other purposes disclosed at the time of collection or with your consent.
We will not use Customer Data for purposes outside the scope of providing the Services to our customer, except as required by law or as instructed by the customer.
—
## 4. How We Share Information
We do **not** sell personal information for monetary consideration. We may share information as follows:
– **Sub-processors.** We engage vetted vendors to host, store, transmit, analyze, and process data on our behalf — including cloud infrastructure, telephony, AI model providers, speech-to-text, text-to-speech, messaging platforms, payment processing, and developer tooling. Our **current sub-processor list is maintained on our trust center** at `https://dashboard.imash.io/security`. We sign data processing agreements (and, where applicable, business associate agreements) with sub-processors that handle personal data on our behalf. Customers may request a copy of the current list at `privacy@imash.io`.
– **Customers and their authorized users.** Data within a customer tenant is accessible to that customer’s administrators and users in accordance with the customer’s configured roles and permissions.
– **Affiliates.** We may share information with iMash subsidiaries and corporate affiliates under terms consistent with this Privacy Policy.
– **Business transfers.** In connection with a merger, acquisition, financing, reorganization, bankruptcy, sale, or similar transaction, information may be transferred, subject to standard confidentiality protections and continued application of this Privacy Policy or successor terms.
– **Legal and safety.** We may disclose information when we reasonably believe disclosure is required to comply with applicable law, legal process, or governmental request; to enforce our agreements; to protect the rights, property, safety, or security of iMash, our users, or the public; or to investigate fraud or abuse.
– **With your consent.** We may share information for other purposes with your consent or at your direction.
– **Aggregated or de-identified data.** We may share information that has been aggregated or de-identified such that it cannot reasonably be used to identify an individual.
### 4.1 Targeted Advertising / “Sharing”
We do not engage in cross-context behavioral advertising in a way that would constitute a “sale” or “sharing” of personal information for targeted advertising under most U.S. state laws. If our practices change, we will update this Privacy Policy and provide an opt-out mechanism, available via `privacy@imash.io` or a dedicated path on our website (e.g., `/privacy/do-not-sell`).
—
## 5. Cookies and Similar Technologies
We use cookies and similar technologies for:
– **Strictly necessary** functions (authentication, session security, load balancing, tenant routing).
– **Preferences** (language, theme, time zone, regional settings).
– **Analytics** (understanding feature usage and improving the platform).
– **Limited marketing** (measuring the effectiveness of our own marketing campaigns).
Where required by law, we present a cookie consent banner / preference center on first visit and on request. You can also manage cookies through your browser settings. Because there is no industry-standard interpretation of browser “Do Not Track” signals, we do not currently respond to DNT signals. We do honor Global Privacy Control (“GPC”) signals where required by applicable U.S. state law.
—
## 6. Data Security
We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. Safeguards include:
– Encryption in transit (TLS 1.2+) and at rest (AES-256 or equivalent) for data stored in supported sub-processors.
– Role-based access control, least-privilege access, and audit logging for production systems.
– Multi-factor authentication (“MFA”) available to customer administrators and required for iMash personnel with privileged access.
– Network segmentation, secrets management, and key rotation.
– Secure software development practices, vulnerability management, and dependency monitoring.
– Background screening for personnel with production access, and confidentiality obligations.
Additional detail about our security program, certifications, and shared-responsibility model is published at the trust center: `https://dashboard.imash.io/security`.
No system can be guaranteed 100% secure, and we cannot guarantee absolute security. You are responsible for safeguarding your account credentials and enabling MFA where available.
### 6.1 Security Incident Notification
In the event of a confirmed personal data breach affecting Customer Data, we will notify the affected customer without undue delay after becoming aware of the breach, and in any event within the timeframes required by applicable law and our DPA. Notice will describe, to the extent then known, the nature of the incident, the categories of data affected, the likely consequences, and the measures taken or proposed to address it. Our incident response program is summarized on the trust center.
—
## 7. AI-Specific Disclosures
The Services include AI-powered features (voice agents, transcription, summarization, lead extraction, workflow automation, RAG-based question answering, and similar). The following disclosures apply:
– **Sub-processed AI providers.** Customer prompts, audio, transcripts, and related metadata may be transmitted to third-party AI providers (large language model providers, speech-to-text, text-to-speech, embedding providers, and similar) listed on the trust center. Each customer is responsible for selecting and configuring which AI providers to use for its tenant.
– **No training on Customer Data by iMash.** iMash does **not** train its own foundation models on Customer Data and does not authorize sub-processors to do so, except where the customer affirmatively opts in. Sub-processors’ default policies on training, retention, and abuse monitoring vary; customers are responsible for reviewing their selected sub-processors’ policies and configuring opt-outs where appropriate.
– **Probabilistic outputs.** AI outputs are probabilistic and may be incomplete, inaccurate, or fabricated (“hallucinations”). Customers and end users must independently verify AI outputs before relying on them for medical, legal, financial, safety, employment, housing, credit, or other high-stakes decisions.
– **Voice cloning and synthetic media.** Where the Services produce synthetic or cloned voices, customers must obtain all required consents from the individuals whose voices are used, including consents required under Florida’s statute prohibiting unauthorized use of a person’s likeness and similar laws in other jurisdictions, the general right of publicity, and applicable consumer-protection law.
– **AI in telemarketing.** Customers using AI-generated voices for outbound calls are responsible for complying with the FCC’s 2024 declaratory ruling treating AI-generated voices as “artificial or prerecorded” under the TCPA, requiring prior express written consent for marketing calls, and with applicable state mini-TCPA statutes (including the Florida Telephone Solicitation Act).
—
## 8. Data Retention
We retain personal information for as long as needed to fulfill the purposes for which it was collected, to comply with legal, tax, accounting, audit, and reporting obligations, to resolve disputes, and to enforce our agreements. When information is no longer needed, we delete, de-identify, or aggregate it.
Indicative retention periods (subject to customer configuration, legal hold, and applicable law):
| Data Category | Retention |
|---|---|
| Account and tenant configuration | Life of the account |
| Billing, invoicing, tax records | 7 years from creation (or longer if required by tax law) |
| Customer Data (calls, transcripts, CRM records) | Per customer configuration; default per the Order Form / Services configuration |
| Usage and access logs | Up to 24 months, then aggregated or deleted |
| Security and audit logs | Up to 24 months (longer where required for investigations) |
| Support tickets and correspondence | 3 years from closure |
| Marketing prospect data | Until opt-out plus 30 days, or longer where required for suppression lists |
| Cookies | As described in our cookie banner / preference center |
Customers may delete Customer Data at any time through the platform; deleted data is purged from primary stores promptly and from backups in the ordinary course of backup rotation.
—
## 9. International Data Transfers
iMash is headquartered in the United States, and personal information we process may be transferred to, stored in, or processed in the United States and other countries where we or our sub-processors operate. Laws in those countries may differ from those in your country.
Where we transfer personal data out of the European Economic Area (“EEA”), the United Kingdom, or Switzerland, we rely on lawful transfer mechanisms, which may include:
– The European Commission’s **Standard Contractual Clauses (“SCCs”)**.
– The UK Information Commissioner’s **International Data Transfer Agreement (“IDTA”)** or the UK Addendum to the SCCs.
– The **Swiss Federal Act on Data Protection (“FADP”)** approved transfer mechanisms.
– Our participation, where applicable, in the **EU-U.S. Data Privacy Framework**, the **UK Extension to the EU-U.S. DPF**, and the **Swiss-U.S. DPF**. <!-- TODO: confirm whether iMash will self-certify under the DPF; remove if not pursuing certification. -->
– Other valid mechanisms such as your explicit consent or transfers necessary for the performance of a contract.
A copy of the SCCs / IDTA / our DPA is available on request at `privacy@imash.io`.
—
## 10. Your Privacy Rights
Subject to applicable law and verification, you may have the right to:
– Access personal information we hold about you.
– Correct or update inaccurate or incomplete personal information.
– Delete personal information.
– Restrict or object to certain processing.
– Receive a portable copy of certain personal information.
– Opt out of “sale” or “sharing” of personal information, targeted advertising, and certain profiling.
– Limit use and disclosure of sensitive personal information.
– Withdraw consent where processing is based on consent.
– Appeal a denial of a privacy request.
– Lodge a complaint with a supervisory authority.
– Be free from unlawful discrimination for exercising these rights.
### 10.1 European Economic Area, United Kingdom, and Switzerland (GDPR, UK GDPR, FADP)
If you are located in the EEA, UK, or Switzerland, you have the rights listed above under the GDPR, UK GDPR, and FADP, and the right to lodge a complaint with your local data protection authority. Our lawful bases for processing typically include performance of a contract, legitimate interests (such as operating, securing, and improving the Services), compliance with legal obligations, and your consent where required.
### 10.2 California (CCPA / CPRA)
If you are a California resident, you have the rights to know, access, correct, delete, opt out of sale or sharing, and limit the use of sensitive personal information, and to be free from discrimination for exercising those rights. We do not “sell” personal information for monetary consideration. Where a request would interfere with our legal obligations, security operations, fraud prevention, or similar exceptions enumerated under the CCPA/CPRA, we may decline or partially fulfill the request and will explain why.
### 10.3 Other U.S. State Privacy Laws
Residents of states that have enacted comprehensive consumer privacy laws — including **Virginia (VCDPA)**, **Colorado (CPA)**, **Connecticut (CTDPA)**, **Utah (UCPA)**, **Texas (TDPSA)**, **Oregon (OCPA)**, **Montana (MCDPA)**, **Florida (FDBR)**, **Iowa**, **Tennessee (TIPA)**, and **Delaware (DPDPA)** — have, subject to law-specific eligibility and exceptions:
– the right to confirm processing and access personal data,
– the right to correct inaccurate personal data,
– the right to delete personal data,
– the right to a portable copy,
– the right to opt out of the sale of personal data, targeted advertising, and certain profiling that produces legal or similarly significant effects, and
– the right to appeal a denial of a request.
To exercise these rights, contact `privacy@imash.io`. Where iMash acts as a processor or service provider with respect to your personal data, we will direct you to the controller (typically our customer) or forward your request to them.
### 10.4 Submitting a Request and Verification
To submit a request, email `privacy@imash.io` with the words “Privacy Request” in the subject and a description of your request. We will:
– Acknowledge receipt within the timeframe required by applicable law (typically within 10 business days).
– Verify your identity using a risk-based approach. For account holders, we may rely on existing authentication; for non-account holders, we may request additional information (such as matching email, phone number, or recent service-related data) sufficient to verify your identity. We will not use verification information for any other purpose.
– Honor authorized agent requests where the agent provides valid written authorization (or, in California, a valid power of attorney) and the consumer can be verified.
– Respond within the timeframe required by applicable law.
We may deny or limit requests where: identity cannot be verified; the request is manifestly unfounded, excessive, or repetitive; honoring the request would violate law or compromise the rights of others; the data is subject to legal hold; or an exception applies.
—
## 11. Children’s Privacy
The Services are not directed to children. We do not knowingly collect personal information from children under 13 (or under 16 in the EEA/UK, or such higher age as required by local law) without verifiable parental consent. We comply with COPPA in the United States and equivalent GDPR-K provisions in the EEA/UK. Where the Florida Digital Bill of Rights and similar U.S. state laws impose heightened obligations on the processing of minors’ data, we apply those obligations to U.S. residents in the applicable states. If we learn that we have collected personal information from a child in violation of this policy, we will delete it promptly. Parents or guardians who believe a child has provided us with personal information may contact `privacy@imash.io`.
—
## 12. Third-Party Websites and Services
The Services may link to, or interoperate with, third-party websites, applications, integrations, and AI providers. Their privacy practices are governed by their own policies. We are not responsible for the privacy practices of any third party, and we encourage you to review their notices.
—
## 13. White-Label, Affiliate, and Reseller Deployments
The Services may be deployed under a customer’s own brand (“white-label”), or by a reseller, affiliate, or partner (“Operator”). When you interact with a white-label or Operator-branded deployment:
– The Operator is generally the **controller** of personal data processed through its tenant, and the Operator’s own privacy notice governs.
– iMash typically acts as a **processor / service provider** to the Operator.
– The Operator is independently responsible for: conducting and maintaining its own security audits and penetration tests; performing its own regulatory compliance assessments (including under HIPAA/HITECH, GDPR/UK GDPR, CCPA/CPRA and other U.S. state privacy laws, PCI DSS, GLBA, SOX, TCPA and state mini-TCPAs, CAN-SPAM, and the FTC Act); configuring tenant-level access controls and retention; obtaining all end-user consents (including for call recording, marketing communications, AI voice usage, and the use of personal data for training or analytics); and the lawful collection, handling, and disposal of all data ingested via the platform.
Use of the Services under a non-iMash brand constitutes the Operator’s and its end users’ acceptance of this responsibility allocation.
—
## 14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last Updated” date at the top and, where appropriate, provide additional notice (such as via email, in-product notification, or a banner on our website). Your continued use of the Services after the updated policy takes effect constitutes acceptance, to the extent permitted by applicable law.
—
## 15. Contact Us
Questions, requests, or complaints concerning this Privacy Policy can be directed to:
– **Privacy:** `privacy@imash.io`
– **Legal / disputes:** `legal@imash.io`
– **DMCA agent:** `dmca@imash.io`
– **General support:** `support@imash.io`
– **Security disclosure / catch-all:** `contact@imash.io`
– **Trust center (security, sub-processors, certifications):** `https://dashboard.imash.io/security`
**Mailing address:**
iMash, Inc.
Attn: Privacy Officer
<!-- TODO: fill in street address -->
Miami, FL [ZIP — TBD]
United States
—
© 2026 iMash, Inc. All rights reserved.
*This is the canonical version of the iMash Privacy Policy and supersedes all prior versions, including the version dated March 14, 2024.*