1. Introduction
Headland Communications ("HCVOIP," "we," "our," or "us") provides Voice over Internet Protocol (VoIP) telephony, SMS/MMS messaging, call recording, and related communications services (collectively, the "Services"). We are a telecommunications carrier subject to oversight by the Federal Communications Commission (FCC) and applicable state public utility commissions.
This Privacy Policy describes how we collect, use, disclose, retain, and protect information about:
- Our Customers — the individuals and entities who subscribe to our Services
- End Users — individuals who use the Services through a Customer's account (e.g., a Customer's employees)
- Callers and Recipients — third parties who place calls or send messages to, or receive them from, our Customers and End Users
- Website Visitors — individuals who visit hcvoip.com or our other web properties
By using the Services or our website, you acknowledge the practices described in this policy. Where required by law, we will obtain your separate consent before engaging in specific processing activities.
If you do not agree with this policy, do not use the Services.
2. Scope and Definitions
Personal Information (or "Personal Data") means information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, to an identified or identifiable individual.
Customer Proprietary Network Information (CPNI) has the meaning given in 47 U.S.C. § 222 and FCC rules at 47 C.F.R. Part 64, Subpart U. CPNI includes information about the quantity, technical configuration, type, destination, location, and amount of use of telecommunications services subscribed to by a customer, and information contained in bills.
Customer Communications Content means the substantive content of calls, voicemails, SMS/MMS messages, and recordings.
Customer Communications Metadata means information about communications other than content, including originating and terminating numbers, timestamps, duration, routing, and call disposition. This is a subset of CPNI.
3. Information We Collect
3.1 Information You Provide Directly
When you sign up for, configure, or use the Services, we collect:
- Identifiers: name, business name, billing and service address, email address, telephone number(s)
- Account credentials: username, password (stored hashed), security questions, multi-factor authentication tokens
- Payment information: credit card number, ACH/bank account details, billing history. Payment card data is processed by our PCI-DSS compliant payment processor; we do not retain full card numbers on our systems.
- Identity verification information: for porting numbers, fraud prevention, or regulatory compliance, we may collect tax IDs, EINs, or government-issued identifiers
- Communications with us: support tickets, chat logs, recordings of support calls, survey responses
3.2 Communications Content
Depending on which Services you use, we may have access to or transmit:
- Voice call audio during the time the call is in transit through our network
- Voicemail recordings stored in your voicemail box
- Call recordings that are created either (a) when a Customer's authorized user elects to record a call through our applications, or (b) when a Customer's systems instruct our API to record an outbound call placed by the Customer (see Section 6)
- SMS and MMS message content that you send or receive through our Services (see Section 7)
- Fax content transmitted through our fax-over-IP service, if used
3.3 Communications Metadata (Including CPNI)
We collect and generate Call Detail Records (CDRs) and messaging metadata, including:
- Originating and terminating phone numbers
- Date, time, and duration of calls and messages
- Call disposition (answered, missed, busy, voicemail)
- Routing and signaling information
- Geographic and network information about the calling and called parties
- Service tier, features used, and call quality metrics
3.4 Location Data
- Service address / Registered Location: the physical address you provide for E911 purposes (see Section 8)
- Network-derived location: approximate location from IP address and network topology, used for routing, fraud detection, and emergency services
- Device location (if enabled): if you use our softphone or mobile application and grant location permissions, we may collect device GPS or network-based location to support nomadic E911 dispatch
3.5 Device and Technical Data
When you use our applications, web portal, or website, we automatically collect:
- IP address and ISP
- Device type, operating system, browser type and version
- Application version and configuration
- Session identifiers and authentication logs
- Performance, diagnostic, and error data
- For desk phones and ATAs: MAC address, firmware version, configuration data
3.6 Cookies and Similar Technologies
Our website and customer portal use cookies, local storage, pixels, and similar technologies. See Section 10 for details.
3.7 Information from Third Parties
We may receive information about you from:
- Resellers and channel partners who sell our Services
- Carriers and number administrators during number porting, CNAM lookups, and call routing
- Credit bureaus and fraud prevention services for new account underwriting and fraud screening
- Public sources such as business directories, social media, and government databases
- Marketing partners who provide lead information (only where you have consented to receive such marketing)
3.8 Information We Do Not Knowingly Collect
We do not knowingly collect sensitive personal information categories (such as health, biometric, or precise geolocation data) beyond what is described above. We do not knowingly collect personal information from children under 13 (see Section 13).
4. How We Use Your Information
We use the information described above for the following purposes:
| Purpose | Examples |
|---|---|
| Service delivery | Routing calls and messages, provisioning numbers, transmitting media, storing voicemails |
| Account management | Authentication, account configuration, customer portal access |
| Billing | Rating CDRs, generating invoices, processing payments, collections |
| Customer support | Troubleshooting, technical assistance, training |
| Security and fraud prevention | Detecting toll fraud, traffic pumping, robocalling, unauthorized access; investigating abuse complaints |
| Network operations | Capacity planning, quality monitoring, interoperability testing |
| Regulatory compliance | CALEA assistance, FCC reporting, USF/E911 fee collection, STIR/SHAKEN call authentication, lawful intercept |
| Service improvement | Aggregated analytics, feature development, A/B testing |
| Marketing | Sending information about our products and services (subject to CPNI rules and your preferences) |
| Legal claims | Establishing, exercising, or defending legal claims |
Legal Bases (where required)
Where applicable law requires us to identify a legal basis for processing, our bases are: (a) performance of our contract with you, (b) compliance with legal obligations, (c) our legitimate interests in operating and improving the Services and preventing fraud, and (d) your consent (where we ask for it).
5. Customer Proprietary Network Information (CPNI)
As a telecommunications carrier, our use and disclosure of CPNI are governed by Section 222 of the Communications Act and 47 C.F.R. §§ 64.2001–64.2011.
5.1 How We Use CPNI
We use CPNI without additional customer approval to:
- Provide the telecommunications services from which the CPNI is derived
- Initiate, render, bill, and collect for those services
- Protect our rights or property, or protect users and other carriers from fraudulent, abusive, or unlawful use of the services
- Provide inbound telemarketing, referral, or administrative services in response to your call
- Provide call location information for emergency services or to your designated emergency contacts
5.2 Marketing Use of CPNI
We will not use, disclose, or permit access to your CPNI to market services outside the categories of service to which you already subscribe without first obtaining your opt-in consent. For marketing of services within the categories to which you subscribe, we may use CPNI on an opt-out basis, and you have the right to opt out at any time.
To opt out of CPNI use for marketing, contact us at compliance@hcvoip.com or 415-200-0400. Your opt-out will remain in effect until you revoke it.
5.3 Disclosure of CPNI
We disclose CPNI only:
- To you or to persons you authorize in writing
- To our agents and contractors who need it to provide the Services (under confidentiality obligations)
- As required by law or court order
- For emergency services as described in Section 8
5.4 CPNI Security and Authentication
We authenticate customers before disclosing CPNI by telephone, online, or in person, in accordance with FCC rules. We will not release call detail information over the phone except (a) to a customer who provides a pre-established password, (b) by sending the information to the customer's address of record, or (c) by calling the customer at the telephone number of record.
We notify customers of account changes (password, address of record, online account) as required by 47 C.F.R. § 64.2010(f). We notify customers and law enforcement of CPNI breaches as required by 47 C.F.R. § 64.2011.
6. Call Recording
6.1 Recording Modes
Our Services support two recording modes, both initiated by the Customer:
- User-initiated recording: A Customer's authorized user starts and stops recording during a call through our applications or controls.
- API-initiated automated recording: The Customer's systems instruct our API to place outbound calls to specified numbers and to record those calls automatically. The Customer's systems determine when calls are placed, which numbers are dialed, when recording starts and stops, and what is done with the resulting recording.
In both modes, HCVOIP operates the recording infrastructure on the Customer's instruction. The Customer determines the purpose of the call, the identity of the called party, and the consent obtained from that party. HCVOIP does not select call recipients, originate calls on its own initiative, or use the content of Customer recordings for its own purposes.
6.2 Use Cases
Customers use our recording features for purposes including, but not limited to, language proficiency testing and assessment, quality assurance, training, dispute resolution, and regulatory recordkeeping. Some Customers operate scheduled-appointment models in which the called party has enrolled with the Customer, scheduled a call in advance, and received written disclosure of recording before the call takes place.
6.3 Consent and Disclosure — Customer Responsibility
Recording laws vary by jurisdiction. Federal law (18 U.S.C. § 2511) permits recording with the consent of at least one party. The following states generally require the consent of all parties to a call: California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan (case law varies), Montana, Nevada (case law varies), New Hampshire, Oregon (for in-person communications; one-party for electronic), Pennsylvania, and Washington. Some states require disclosure of the purpose of recording in addition to the fact of recording. Sector-specific rules (financial services, healthcare, education) may impose additional requirements.
Consent does not need to be obtained on the call itself. In most jurisdictions, prior written or electronic disclosure — for example, in an enrollment form, terms of service, appointment confirmation, or candidate handbook — is sufficient to establish consent if the called party proceeded with the call after receiving that disclosure. A small number of jurisdictions (notably Massachusetts) impose stricter contemporaneous-knowledge requirements that may warrant additional confirmation at the start of the call.
The Customer is solely responsible for:
- Determining which laws apply to each call
- Obtaining the consent required under those laws, whether through written pre-disclosure, audible announcement, or another lawful method
- Verifying the identity of the called party where required (e.g., that the person who answered is the enrolled or expected participant)
- Maintaining documentation of consent
- Honoring requests to stop recording or to delete recordings
- Complying with TCPA, Do Not Call rules, and any other restrictions on outbound calling
By using our API or other recording features to initiate a call, the Customer represents and warrants that all required consents have been obtained. HCVOIP does not independently verify, on a per-call basis, that consent has been obtained, that the called number is correct, or that the person answering is the intended participant. Customers acknowledging these terms agree to indemnify HCVOIP for claims arising from recordings they cause to be made.
6.4 Recording Announcements
Our API does not, by default, play an automated "this call may be recorded" announcement before recording begins. Customers who require such an announcement must either (a) configure their own pre-recorded message to play at the start of the call, or (b) deliver the disclosure through other means (e.g., a live agent introduction, prior written notice). Customers operating in all-party-consent jurisdictions should carefully consider whether their disclosure method is sufficient.
6.5 Notice to Called and Calling Parties
If you have been called or scheduled for a call by a Customer using our Services and you have questions about whether and how that call is recorded, contact the Customer directly. The Customer — not HCVOIP — controls the call, holds the recording, and determines how it is used. HCVOIP processes such recordings as a service provider on the Customer's behalf.
6.6 How We Handle Recordings
Recordings made through our Services are:
- Transmitted using encrypted media protocols where supported by the endpoints
- Encrypted at rest using industry-standard algorithms
- Stored in our cloud infrastructure in the United States
- Accessible only to authorized users on the Customer's account, to HCVOIP personnel as needed for support, security, or legal compliance, and to subprocessors bound by confidentiality
- Retained according to the Customer's configured retention period (default: 30 days), subject to legal hold requirements
We do not access the content of recordings except: (a) as authorized by the Customer, (b) for technical troubleshooting at the Customer's request, (c) to investigate suspected abuse, fraud, or violations of our Acceptable Use Policy, or (d) as required by law. We do not use the content of recordings to train artificial intelligence or machine learning models.
6.7 Suspension for Abuse
HCVOIP may suspend a Customer's access to recording features or to the Services generally if we receive credible reports of unconsented recording, regulator inquiries, abnormally high opt-out or complaint rates, or other indicators that the Customer may not be obtaining required consents. We are not obligated to do so, and our right to suspend does not reduce the Customer's responsibility for compliance.
7. SMS and MMS Messaging
7.1 Message Handling
When you send or receive SMS/MMS messages through our Services, we transmit, route, and may temporarily store message content and metadata to deliver the message. Message content and delivery metadata are part of the Services and are handled with the same protections as voice communications.
7.2 A2P 10DLC Registration
Application-to-Person (A2P) messaging through 10-digit long codes is subject to The Campaign Registry (TCR) requirements. To send A2P messages, Customers must register their brand and campaigns and may be required to provide business information, use-case descriptions, and sample messages. This information is shared with TCR, mobile carriers, and connectivity partners to enable message delivery.
7.3 TCPA Compliance — Customer Responsibility
The Telephone Consumer Protection Act (47 U.S.C. § 227) and FCC implementing rules restrict marketing and informational messages sent to wireless numbers. Customers are solely responsible for obtaining the prior express written consent (for marketing messages) or prior express consent (for informational messages) required by the TCPA before sending messages through our Services. Customers must also honor opt-out requests (typically "STOP") within the timeframes required by law and CTIA guidelines.
7.4 Carrier Filtering
Mobile carriers and intermediary providers may filter, block, or rate-limit messages based on content, sender reputation, or compliance signals. We share aggregated and message-level data with these parties as necessary to deliver messages and to combat spam and fraud.
8. 911 and E911 Service
8.1 How VoIP 911 Differs
VoIP 911 service operates differently from traditional landline 911. You must register a Service Address (Registered Location) for each line and keep it current. When you dial 911, your call is routed to the Public Safety Answering Point (PSAP) responsible for the Registered Location you have provided. If the Registered Location is incorrect or outdated, emergency responders may be sent to the wrong location.
8.2 Limitations
911 service may be unavailable or impaired:
- During power outages affecting your equipment or internet connection
- During internet service disruptions
- If you have not paid your bill and service has been suspended
- If you use the Service from a location other than your Registered Location and have not updated it
- If you are using a mobile or softphone client outside coverage areas
We strongly recommend that you maintain an alternative means of contacting emergency services (such as a wireless phone).
8.3 Location Disclosure for Emergency Services
When you place a 911 call, we will disclose your Registered Location, callback number, and other available location information to the PSAP, emergency dispatchers, and emergency responders. This disclosure is mandatory under FCC rules and is not subject to your opt-out.
8.4 RAY BAUM'S Act / Kari's Law Compliance
Where applicable, our Services support:
- Kari's Law: direct dialing of 911 without an access code from multi-line telephone systems
- RAY BAUM'S Act: provision of dispatchable location information to PSAPs
- Notification: simultaneous notification to a designated on-site contact when 911 is dialed (where configured)
9. How We Share Your Information
We do not sell your personal information for monetary consideration. We share information only as described below.
9.1 Service Providers and Subprocessors
We engage third parties to perform services on our behalf under written contracts that require them to protect your information and use it only for the purposes we specify. Categories of service providers include:
- Underlying carriers and interconnection partners (for call origination, termination, and porting)
- Cloud infrastructure providers (for hosting our platform)
- Payment processors (for billing and payment)
- Email and customer messaging providers
- Analytics and product monitoring providers
- Customer support tooling and ticketing systems
- Fraud detection and security providers
- Identity verification and KYC providers
- Tax calculation and regulatory fee remittance providers
- The Campaign Registry and messaging aggregators (for SMS/MMS)
- STIR/SHAKEN certificate authorities and signing services
- Professional advisors (legal, accounting, audit)
A current list of material subprocessors is available in Section 16 of our Trust page or upon request.
9.2 Law Enforcement, Government, and Legal Process
We disclose information when we have a good-faith belief that disclosure is required by:
- A subpoena, court order, search warrant, or other valid legal process
- The Communications Assistance for Law Enforcement Act (CALEA) and lawful intercept obligations
- Mandatory reporting requirements (e.g., child exploitation, terrorism)
- Federal, state, or local regulators (FCC, FTC, state PUCs, state attorneys general)
- National Security Letters and FISA process
We attempt, where lawful and consistent with the request, to notify customers of legal process directed at their account before producing information. Aggregated information about the volume of legal demands we receive may be made available upon written request.
9.3 Protection of Rights and Safety
We may share information when we believe it is necessary to:
- Investigate, prevent, or take action regarding suspected fraud, security incidents, or violations of our policies
- Protect the rights, property, or safety of HCVOIP, our Customers, or others
- Enforce our Terms of Service or other agreements
9.4 Business Transfers
If HCVOIP is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of our assets, personal information may be transferred to the successor entity, subject to the same protections described in this policy or, where required by law, with notice and an opportunity to object.
9.5 With Your Consent or at Your Direction
We share information with third parties when you direct us to do so (for example, when you enable a third-party integration or authorize an agent to manage your account).
9.6 Aggregated and De-Identified Information
We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you. We commit to maintaining and using such information only in de-identified form and not to attempt to re-identify it, except to test our de-identification methods.
10. Cookies and Tracking Technologies
10.1 What We Use
| Category | Purpose | Examples |
|---|---|---|
| Strictly necessary | Authentication, security, load balancing, fraud prevention | Session cookies, CSRF tokens |
| Functional | Remember preferences, language, region | Preference cookies |
We do not currently use third-party analytics, advertising, or behavioral tracking cookies on hcvoip.com. If we add such technologies in the future, we will update this policy and obtain consent where required by law.
10.2 Your Choices
You can control cookies through your browser settings. You can opt out of analytics and marketing cookies through our cookie banner. We honor the Global Privacy Control (GPC) signal as a request to opt out of sale or sharing of personal information for cross-context behavioral advertising under applicable state laws.
10.3 Do Not Track
Because there is no industry consensus on how to respond to "Do Not Track" browser signals, we do not currently respond to them. We do honor GPC as described above.
11. Data Retention
We retain personal information for as long as needed to provide the Services, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention practices include:
| Category | Retention Period |
|---|---|
| Toll records / CDRs | At least 18 months (47 C.F.R. § 42.6); typically 18 months |
| Call recordings | Per Customer configuration; default 30 days |
| Voicemails | Until deleted by the user, or upon account closure, whichever occurs first |
| SMS/MMS message content | Not retained beyond what is necessary for delivery and delivery failure handling (typically less than 72 hours) |
| SMS/MMS metadata | 18 months |
| Account and billing records | For the duration of the account and 10 years thereafter, or as required by tax and accounting laws |
| Customer support records | 10 years |
| Security and authentication logs | 2 years |
| Marketing preferences and opt-outs | Indefinitely, to honor your choices |
When information is no longer needed, we delete or de-identify it. Information subject to legal hold is retained until the hold is released.
12. Data Security
We maintain a written information security program that includes administrative, technical, and physical safeguards designed to protect personal information. Measures include:
- Encryption: TLS 1.2+ for data in transit; SRTP for media where supported; AES-256 for sensitive data at rest
- Access controls: role-based access, least-privilege principles, multi-factor authentication for administrative access
- Network security: firewalls, intrusion detection, segmentation of production environments
- Vulnerability management: regular patching, vulnerability scanning, and remediation processes
- Personnel: background checks where lawful, security training, written confidentiality obligations
- Incident response: documented procedures and breach notification protocols
No system is perfectly secure. We cannot guarantee that unauthorized access, hardware or software failure, or other factors will never compromise the security of your information.
Breach Notification
If we determine that a security incident has resulted in unauthorized access to or acquisition of personal information, we will notify affected individuals, regulators, and law enforcement as required by applicable law (including state breach notification statutes, FCC CPNI breach rules under 47 C.F.R. § 64.2011, and any other applicable requirements).
13. Children's Privacy
The Services are not directed to children under 13, and we do not knowingly collect personal information from children under 13 in violation of the Children's Online Privacy Protection Act (COPPA). For users in jurisdictions where the age threshold is higher, we do not knowingly collect personal information from children under the applicable age without the consent required by law.
If you believe we have collected information from a child in violation of this policy, contact us at compliance@hcvoip.com and we will investigate and delete the information as appropriate.
14. Your Privacy Rights
Your rights depend on where you reside and how you use the Services. End Users whose information is processed because their employer or another entity is a Customer of HCVOIP should generally direct privacy requests to that Customer. HCVOIP processes such information as a service provider / processor and will assist the Customer in responding to your request.
14.1 Rights Available to All Customers
Regardless of location, all Customers may:
- Access and obtain a copy of personal information in their account
- Correct inaccurate information
- Close their account and request deletion of personal information not subject to legal retention
- Opt out of marketing communications
- Submit a CPNI opt-out (Section 5.2)
To exercise these rights, log in to your account or contact compliance@hcvoip.com.
14.2 California Residents (CCPA / CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (Cal. Civ. Code §§ 1798.100 et seq.):
- Right to know the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collecting it, and the categories of third parties with whom we share it
- Right to delete personal information we have collected from you, subject to exceptions
- Right to correct inaccurate personal information
- Right to opt out of sale or sharing. We do not sell personal information for monetary consideration and we do not "share" personal information for cross-context behavioral advertising as those terms are defined under the CCPA.
- Right to limit the use and disclosure of sensitive personal information. We use sensitive personal information (such as account credentials and precise geolocation) only for purposes permitted under CCPA § 7027(m) and do not use it for inferring characteristics about you
- Right to non-discrimination for exercising your rights
- Right to designate an authorized agent to make requests on your behalf
CCPA Disclosures — Information Collected in the Last 12 Months
| Category (Cal. Civ. Code § 1798.140) | Collected? | Sources | Business Purpose | Disclosed To |
|---|---|---|---|---|
| A. Identifiers | Yes | You, third parties, automatic collection | Service delivery, billing, security | Service providers, legal authorities |
| B. Cal. Civ. Code § 1798.80(e) categories | Yes | You | Billing, account management | Service providers, legal authorities |
| C. Protected classifications | No | — | — | — |
| D. Commercial information | Yes | You, automatic collection | Service delivery, billing | Service providers |
| E. Biometric information | No | — | — | — |
| F. Internet/network activity | Yes | Automatic collection | Service delivery, security, analytics | Service providers |
| G. Geolocation data | Yes | You, automatic collection | E911, fraud prevention, routing | Service providers, PSAPs |
| H. Sensory data (audio) | Yes | You (call content, recordings) | Service delivery | Service providers, legal authorities |
| I. Professional/employment | Yes (for business accounts) | You | Account management | Service providers |
| J. Education information | No | — | — | — |
| K. Inferences | Limited | Automatic collection | Service improvement, fraud prevention | Service providers |
| L. Sensitive personal information | Yes (credentials, geolocation, content of communications) | You, automatic | Service delivery, security | Service providers, legal authorities |
How to Submit a Request
- Email: compliance@hcvoip.com
- Toll-free: 415-200-0400
- Mail: Headland Communications, PO Box 7775 #23630, San Francisco, CA 94120-7775
We will verify your identity before processing requests. We respond within 45 days, with one 45-day extension where reasonably necessary.
Shine the Light
California Civil Code § 1798.83 permits California residents to request information about disclosures of personal information to third parties for direct marketing. We do not disclose personal information to third parties for their direct marketing purposes.
14.3 Other State Privacy Laws
If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Indiana, Kentucky, or Rhode Island, and a comprehensive state privacy law applies to you, you may have the following rights (the specific rights, thresholds, and exceptions vary by state):
- Right to access / know what personal data we process about you
- Right to correct inaccuracies
- Right to delete personal data
- Right to data portability in a usable format
- Right to opt out of: sale of personal data; targeted advertising; certain profiling decisions that produce legal or similarly significant effects
- Right to appeal a denial of a privacy request
Sensitive data: Where required (e.g., Virginia, Colorado, Connecticut, Maryland), we obtain opt-in consent before processing sensitive personal data; in Utah, we provide an opt-out where required.
Universal opt-out mechanisms: Where required by state law (e.g., Colorado, Connecticut, Texas), we honor Global Privacy Control as an opt-out of sale and targeted advertising.
To submit a request: use the same channels listed in Section 14.2. We will verify your identity and respond within the timeframe required by your state's law (typically 45 days, extendable).
To appeal a denial: reply to our response with "Appeal" in the subject line, or email compliance@hcvoip.com. We will respond to appeals within 60 days. If we deny your appeal, we will provide instructions for contacting your state attorney general.
14.4 Nevada Residents
Nevada law (NRS 603A.340) gives Nevada residents the right to opt out of the sale of certain "covered information" for monetary consideration. We do not sell personal information as defined under Nevada law. To submit a verified Nevada opt-out request, email compliance@hcvoip.com.
14.5 Individuals Outside the United States
The Services are operated from and intended for use in the United States. If you access the Services from outside the United States, your information will be transferred to and processed in the United States, which has different data protection laws than your country. By using the Services, you consent to this transfer.
15. Marketing Communications
We send service-related communications (such as outage notices, billing notices, and security alerts) that are not subject to opt-out. You may opt out of promotional emails using the unsubscribe link in any such email or by contacting us. You may opt out of CPNI-based marketing as described in Section 5.2.
We do not send marketing SMS messages to our Customers without their prior express written consent. We do not initiate telemarketing calls to numbers on the federal Do Not Call Registry except where permitted by law.
16. Third-Party Services and Links
Our website and Services may contain links to or integrations with third-party websites and services. We are not responsible for the privacy practices of those third parties. Review their privacy policies before providing them with your information.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Effective Date" and "Last Updated" dates above
- Post the updated policy at hcvoip.com/privacy
- For material changes, provide notice through the customer portal, by email to your account email address, or by other reasonable means at least 30 days before the changes take effect (or such longer period as required by law)
Your continued use of the Services after the effective date of an updated policy constitutes acceptance of the updated terms, subject to your right to object as described above and any rights you have under applicable law.
18. Contact Us
For all privacy-related inquiries — including CCPA and other state privacy rights requests, CPNI opt-outs, appeals of privacy request denials, and law enforcement requests — please contact us at:
- Email: compliance@hcvoip.com
- Phone: 415-200-0400
- Mail: Headland Communications, PO Box 7775 #23630, San Francisco, CA 94120-7775
When contacting us, please indicate the nature of your request (e.g., "CCPA Access Request," "CPNI Opt-Out," "Privacy Appeal," "Law Enforcement Request") so we can route it appropriately. Law enforcement and legal process should be directed to compliance@hcvoip.com or the mailing address above, marked "Attn: Legal/Compliance."
HCVOIP has not designated an individual Privacy Officer. Privacy inquiries are handled by our compliance team through the channels listed above.
19. Version History
| Version | Effective Date | Summary of Changes |
|---|---|---|
| 1.0 | 2023-01-15 | Initial publication |
| 2.0 | 2026-05-19 | Expanded CPNI, 911, call recording, SMS, state privacy rights, retention specifics, security details, breach notification, and contact channels. Added disclosures for API-initiated automated recording, Customer consent representations, and recording-related suspension rights. |
