What we collect, why, and how to control it

Squawker Inc. ("Squawker", "we", "our", or "us") is a Delaware corporation that builds the Squawker AI Sales Agent Platform, including our AI voice agent Polly. This Privacy Policy explains how we collect, use, disclose, retain, and protect personal information when:

• You visit our website at squawker.ai or any Squawker-operated subdomain
• You use the Squawker platform as a customer or as an authorized user of a customer
• You communicate with a Squawker customer by phone, SMS, WhatsApp, or web chat that is routed through Squawker (we refer to you as an "end-caller" in this policy)

We comply with applicable US federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act ("CCPA/CPRA"), the Illinois Biometric Information Privacy Act ("BIPA") where applicable, the Telephone Consumer Protection Act ("TCPA"), and other state privacy statutes. We also comply with the European Union General Data Protection Regulation ("GDPR") and the UK GDPR for personal data of individuals in the EU and UK.

This policy is incorporated into our Terms & Conditions by reference.

Squawker's role depends on whose data is being processed:

• For Squawker customer accounts (business contacts, payment details, account configuration): Squawker is a controller under GDPR / a business under CCPA. We decide how this data is used.
• For end-callers (people who phone, message, or chat with a Squawker customer's business): Squawker is a processor under GDPR / a service provider under CCPA. Our customer (the business the end-caller is contacting) is the controller / business. Squawker processes end-caller data on documented instructions from the customer and per the Data Processing Agreement executed with that customer.

If you are an end-caller and want to exercise rights regarding your data, you may contact us at legal@squawker.ai and we will route your request to the customer who controls your data, or assist them in responding directly.

We take data sovereignty and security seriously.

Data residency: Customer data is hosted in-region per the customer's account configuration. Our default options are EU (Netherlands), United Kingdom, and United States. Data residency may be adjusted for enterprise customers; contact legal@squawker.ai for region requests not on this list.

Encryption: We use TLS 1.3 for data in transit and AES-256 (or equivalent) for data at rest where supported by the underlying services.

Access controls: Multi-tenant data isolation is enforced at the database layer using Row-Level Security. Access by Squawker personnel is limited to those with a documented business need, logged, and subject to access reviews.

International transfers: When personal data of EU or UK individuals is transferred to the United States or other jurisdictions, we rely on Standard Contractual Clauses (2021 EU SCCs) and complete Transfer Impact Assessments where required. Where a subprocessor is certified under the EU-US Data Privacy Framework, we may rely on that framework.

To provide the website, the platform, and Polly, we may collect and process:

Account data (about Squawker customers and their authorized users)

• Name, business email, phone number, role, and company details
• Account credentials (encrypted)
• Configuration settings (Polly DNA, prompt rule overrides, knowledge base content)
• Billing and payment details (handled by Stripe; we do not store full card numbers)
• Account activity logs and audit trails

Lead intelligence data (about end-callers and conversation participants)

• Voice recordings of calls made to or received from a Squawker customer's number where Polly is active
• Voicemail recordings and transcripts
• Real-time and post-call transcripts of conversations
• SMS and WhatsApp message contents and metadata
• Web chat transcripts
• Caller name (where provided), phone number, and any other personal information shared during a conversation
• Intent classification, qualification scores, and outcome categorization
• CRM records generated from conversations (prospect, lead, task, handoff, follow-up history)

Technical data (website visitors and platform users)

• IP address
• Browser type and version
• Device information
• Pages visited, links clicked, and session duration
• Referring URL
• Contact form verification and challenge metadata used to prevent spam and abuse

Information from third parties

• Authentication providers (where you log in via SSO)
• Subprocessor metadata (e.g., call routing data from Twilio, transcription confidence scores from Deepgram)

We do not knowingly collect personal information from children under 13. If a Squawker customer's calls might involve minors and the customer is subject to COPPA, the customer must configure their use of the Service accordingly and is responsible for COPPA compliance. Contact legal@squawker.ai if you believe a child has provided us with personal information.

Because Polly records phone conversations, this section receives special treatment.

What we record: When a caller phones a number where Polly is active for a Squawker customer, Polly may record the audio of the call and generate a written transcript. The recording and transcript capture the caller's voice, the words spoken, and the conversation context (caller phone number, time, date, channel).

Consent disclosure: Squawker requires each customer using Polly to obtain all consents required by applicable law before calls are recorded. Squawker's default Polly configuration includes a recording disclosure at the start of each call (substantially similar to: "This call is being recorded and transcribed for training and monitoring purposes."). The customer is responsible for ensuring this disclosure is enabled and is appropriate for the states where they accept calls, including the 13 US jurisdictions that require all-party consent: California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, and Washington.

Use of recordings: Recordings and transcripts are used to:

• Provide the Service (qualification, escalation, follow-up, attribution)
• Create CRM records for the customer
• Allow the customer to review, coach, and audit their team's call handling
• Support customer compliance with regulated industries (where the customer requires retention)
• Investigate security incidents and abuse
• Defend Squawker or the customer in litigation when properly subpoenaed
• Train and improve Squawker's models, only as described in §06 below

Biometric information: Squawker does not intentionally extract voiceprints, faceprints, or other biometric identifiers from recordings for the purpose of identifying a specific individual. Where applicable law (including Illinois BIPA) treats voice recordings as biometric information regardless of intent, Squawker complies with applicable notice, consent, retention, and destruction requirements. Squawker does not sell biometric data.

Retention of recordings: Voice recordings are retained according to the customer's account configuration and applicable law. Transcripts are retained for the same period. After the retention period expires, recordings and transcripts are deleted from production storage; backups follow the retention policy in §08.

End-caller opt-out: An end-caller who does not consent to recording may decline the call after Polly's disclosure, request a transfer to a human, or hang up. If a Squawker customer offers a non-recorded path, Polly can be configured to route to that path.

The Service uses artificial intelligence to process conversation content. Our current subprocessors (full list and notice mechanism at /subprocessors):

• Twilio: telephony infrastructure (voice, SMS, WhatsApp routing)
• Deepgram: real-time speech-to-text during live calls
• OpenAI: voicemail and post-call transcription (Whisper API) and intent classification, qualification scoring, and summarization (GPT API)
• ElevenLabs: voice synthesis (Polly's spoken responses)
• Supabase: database, authentication, and Row-Level Security
• Vercel: frontend and serverless function hosting
• Railway: WebSocket server for live voice calls (polly-websocket)
• Cloudflare Turnstile: bot mitigation and contact form abuse prevention
• Google: website analytics, Google Ads conversion measurement, and enhanced conversion lead matching where marketing consent is granted
• Sentry: error tracking and observability
• Stripe: billing (when active)

We use Data Processing Agreements with all subprocessors and conduct due diligence on their security and privacy posture before engagement.

AI training: Squawker uses customer conversation data to improve Polly's qualification, knowledge handling, and call quality for the customer who generated the data. Squawker does not use one customer's conversation data to train models that benefit other customers without that customer's explicit consent. Squawker has confirmed with its subprocessors that customer-identifiable conversation data sent to OpenAI, Deepgram, and ElevenLabs is not used to train those subprocessors' general-purpose models under our current agreements.

Human review: Squawker personnel may review recordings or transcripts on a limited basis for: security investigations, abuse response, customer-requested support, debugging service errors, and improving the accuracy of automated systems. All such access is logged.

Our website uses cookies and similar technologies to operate the site, remember your preferences, and measure performance. We use the following categories:

You can manage your cookie preferences at any time via the "Cookie preferences" link in our footer. Strictly necessary cookies cannot be disabled because the site cannot function without them.

For users in the EU, UK, and other jurisdictions requiring opt-in consent for non-essential cookies, our consent banner asks you to opt in before any non-essential cookies are set.

We retain personal information only as long as needed for the purposes described in this policy or as required by law. Specific retention periods:

After the retention period expires, data is deleted from production systems within 30 days. Backups follow the rotation schedule above.

Depending on where you live and your relationship with Squawker, you may have the following rights. Squawker honors all rights granted by applicable law to you.

Under GDPR / UK GDPR

• Right of access (Art. 15): obtain a copy of the personal data we hold about you
• Right to rectification (Art. 16): ask us to correct inaccurate or incomplete data
• Right to erasure (Art. 17): ask us to delete personal data ("right to be forgotten")
• Right to restriction of processing (Art. 18)
• Right to data portability (Art. 20): receive your data in a structured, machine-readable format
• Right to object to processing (Art. 21), including processing based on legitimate interests
• Rights related to automated decision-making and profiling (Art. 22): you may request human review of any automated decision that significantly affects you
• Right to withdraw consent (where consent is the lawful basis for processing)
• Right to lodge a complaint with a supervisory authority

Under CCPA / CPRA (for California residents)

• Right to know what personal information we collect, use, share, or sell
• Right to delete personal information
• Right to correct inaccurate personal information
• Right to opt out of the sale or sharing of personal information (Squawker does not sell personal information; "share" includes cross-context behavioral advertising, and Squawker does not currently engage in this either)
• Right to limit use of sensitive personal information (voice recordings are sensitive personal information under CPRA)
• Right to non-discrimination for exercising your rights
• A "Do Not Sell or Share My Personal Information" link is available in the footer of every page

Under other US state privacy laws

• Squawker honors comparable rights granted by the privacy laws of Virginia, Connecticut, Colorado, Utah, Texas, Oregon, and other states with active privacy statutes, as applicable to residents of those states.

How to exercise your rights

Email legal@squawker.ai from the address associated with your account, or use the contact form and indicate the right you wish to exercise. We will verify your identity before fulfilling the request. We will respond within the time required by law (typically 30 days for GDPR; 45 days for CCPA, extendable to 90).

You may authorize an agent to make requests on your behalf. We require written authorization and may verify directly with you.

We do not charge for rights requests unless they are excessive or manifestly unfounded, in which case we may charge a reasonable fee or refuse the request per applicable law.

We do not sell your personal information. We share personal information only:

• With our subprocessors listed in §06 and at /subprocessors, under DPAs that restrict their use
• With the Squawker customer whose phone number you contacted (if you are an end-caller)
• With legal, tax, accounting, and consulting professionals who advise Squawker under confidentiality
• To comply with law, valid subpoenas, court orders, or government requests
• To enforce our Terms & Conditions or Acceptable Use Policy, prevent fraud, or address security threats
• In connection with a merger, acquisition, financing, or sale of substantially all assets (the acquiring party will be subject to this policy or a similar one)

We use industry-standard administrative, technical, and physical safeguards to protect personal information, including:

• TLS 1.3 in transit, AES-256 at rest (where supported)
• Role-based access control with least-privilege defaults
• Multi-factor authentication for Squawker personnel
• Tenant isolation via database Row-Level Security
• Automated monitoring and logging via Sentry
• Regular security reviews and dependency updates

We are pursuing SOC 2 Type II attestation; status is currently "in preparation."

If you discover a vulnerability, please report it to legal@squawker.ai. We commit to acknowledging reports within 5 business days and will not pursue legal action against good-faith security research that follows responsible disclosure practices.

Breach notification: In the event of a security incident affecting your personal information, we will notify you and any applicable supervisory authorities without undue delay and in any event within 72 hours of becoming aware, where required by law.

The Service is intended for business use and is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact legal@squawker.ai and we will delete it.

If a Squawker customer operates in a way that might result in calls or messages from minors (for example, a dealer-model business where a parent calls about a product, booking, or service need and a minor speaks during the call), the customer is responsible for COPPA compliance and for configuring the Service appropriately.

We may update this policy from time to time. When we make material changes, we will post the updated policy here, update the "Last updated" date, and where required by law, notify customers by email at least 30 days before the change takes effect.

Previous versions may be made available on request.

For privacy questions, requests, or complaints:

Squawker Inc. (a Delaware corporation) 8 The Green, STE R, Dover, DE 19901, USA legal@squawker.ai

For EU/UK data subjects, we encourage you to contact us first; you also have the right to lodge a complaint with your local supervisory authority.