Privacy Policy

1. Who we are and our role

The data controller for this website and our customer application is CARTIAMAI LLC, a New Mexico limited liability company, with business address 539 W Commerce St, Ste 7352, Dallas, TX 75208, United States. You can reach us about privacy at carlosvillafuerte@cartiamai.com.

When we provide services to a business client (for example, operating an AI voice agent, an inbound assistant, an automation workflow, or a research job on their behalf), that client is typically the controller of the end-user personal data involved, and we act as their processor or service provider under a separate written agreement. This Policy governs the data for which we are the controller; the client's own privacy notice governs data we process on their behalf.

2. Scope and the laws this Policy is built for

We design this Policy to align with the EU and UK General Data Protection Regulation (GDPR/UK GDPR), the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA) and other US state privacy laws, Canada's PIPEDA, Brazil's Lei Geral de Proteção de Dados (LGPD), and Mexico's Ley Federal de Protección de Datos Personales en Posesión de los Particulares (LFPDPPP).

A given law applies based on where you are and the nature of the processing. Sections 9 through 12 set out the specific rights and disclosures for California, the EU/UK, Brazil and other regions.

3. Information we collect

We collect the following categories of personal information, depending on how you interact with us:

• Identifiers and contact data you provide: name, business name, email address, phone number, and the contents of messages you send through our forms, email or chat.
• Account data: if you create an account, your email, a securely hashed password, or a Google sign-in identifier, plus your role and account activity.
• Customer-support and messaging data: the threads, messages and attachments you exchange with us or with an AI assistant through the customer application.
• Billing and transaction data: subscription status, plan, and payment records. Card payments are processed by Stripe; we do not store full card numbers on our servers.
• Service-delivery data: information you or your authorized users provide so we can deliver an engagement, including business records, target or research subjects you ask us to investigate, and configuration for automations and agents.
• Voice and call data (where you engage our voice products): call audio, recordings where lawfully made, transcripts, phone numbers, call metadata, and the disposition of each call.
• Technical and usage data collected automatically: IP address, approximate location derived from IP, device and browser type, pages viewed, referring URLs, and similar diagnostics.
• Cookies and similar technologies: see Section 8.

4. Sensitive information and children

We do not seek to collect special-category or sensitive personal information (such as government IDs, health, biometric, precise geolocation, or financial account credentials) through this website, and we ask that you not send it to us through public forms.

Our services and website are intended for businesses and adults. They are not directed to children, and we do not knowingly collect personal information from anyone under 18 (or under the age of majority where you live). If you believe a child has provided us information, contact us and we will delete it.

5. How we use information and our legal bases

We use personal information to operate our business and, where the GDPR/UK GDPR or LGPD applies, on the legal bases noted:

• To respond to inquiries, schedule discovery calls, prepare proposals and manage commercial follow-up (legal basis: steps taken at your request prior to a contract, and our legitimate interest in responding to you).
• To provide, operate, secure and improve our products, the customer application and the services you engage us for (legal basis: performance of a contract, and legitimate interest).
• To process payments, manage subscriptions and prevent payment fraud through Stripe (legal basis: performance of a contract, and compliance with legal obligations).
• To send you service, security and transactional communications (legal basis: performance of a contract and legitimate interest).
• To send marketing communications where permitted, from which you can opt out at any time (legal basis: consent where required, otherwise legitimate interest).
• To comply with law, enforce our agreements, and establish, exercise or defend legal claims (legal basis: legal obligation and legitimate interest).

6. AI processing, calls and automated interactions

Some of our products use artificial intelligence to generate text or synthetic voice, to qualify and route messages, and to conduct or assist conversations. Where you interact with one of our AI agents, we and our clients aim to disclose that you are communicating with an automated system as required by applicable law.

We do not use the content of your communications to train third-party foundation models, and our agreements with model and infrastructure providers are intended to prevent your data from being used to train their models. We may use aggregated or de-identified information to evaluate and improve our own systems.

We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing without a lawful basis and, where required, human review. You can ask us about the logic involved by contacting us.

7. How we share information

We do not sell your personal information for money. We share it only as described here:

• Service providers and processors that help us operate, under contracts that limit their use of the data, including: Stripe (payments), our database and hosting providers, email delivery providers (such as Resend), authentication providers (such as Google sign-in), and AI model and telephony providers used to deliver our products.
• Our business clients, where we process data on their behalf as part of an engagement.
• Professional advisers (lawyers, accountants, auditors) and, where applicable, insurers, bound by confidentiality.
• Authorities and other parties where we believe in good faith that disclosure is necessary to comply with law, legal process, or a lawful request, or to protect rights, safety or the integrity of our services.
• A successor entity in connection with a merger, acquisition, financing or sale of assets, subject to this Policy.

8. Cookies and analytics

We use strictly necessary cookies to run the site and keep you signed in, and we may use limited analytics to understand and improve usage. Where required by law, we request consent for non-essential cookies and honor recognized opt-out preference signals such as Global Privacy Control (GPC).

You can control cookies through your browser settings. Disabling some cookies may affect how the site works.

9. International data transfers

We operate from the United States and may process information in the US and other countries whose laws may differ from yours. Where we transfer personal data out of the EEA, the UK, Brazil or another protected region, we rely on a lawful transfer mechanism such as the European Commission's Standard Contractual Clauses, the UK Addendum, or an equivalent safeguard, and we apply additional protections where appropriate.

10. Data retention

We keep personal information only as long as necessary for the purposes described here: for the life of your account or engagement, plus the period needed to meet legal, tax, accounting and dispute-resolution obligations. Call recordings and transcripts are retained for the period agreed with the relevant client and then deleted or de-identified. When information is no longer needed, we delete or anonymize it.

11. How we protect information

We use technical and organizational measures appropriate to the risk, including encryption in transit (HTTPS) and at rest, hashed passwords, role-based access controls, least-privilege access and logging. No method of transmission or storage is completely secure, but we work to protect your information and to notify you and regulators of a breach where the law requires.

12. Your rights

Subject to your location and applicable law, you may have the right to access, correct, delete, or receive a portable copy of your personal information; to object to or restrict certain processing; to withdraw consent; and to lodge a complaint with a supervisory authority. To exercise any right, contact carlosvillafuerte@cartiamai.com. We will verify your request and respond within the timeframe required by the applicable law. We will not discriminate against you for exercising your rights.

13. California privacy rights (CCPA/CPRA)

If you are a California resident, you have the right to know the categories and specific pieces of personal information we collect, the right to delete and to correct it, and the right to opt out of any sale or sharing of personal information and of targeted advertising. We do not sell or share personal information as those terms are defined under the CPRA. You may exercise these rights, including through an authorized agent, by contacting carlosvillafuerte@cartiamai.com, and we honor Global Privacy Control signals.

14. EU/UK, Brazil, Canada and Mexico

For the EEA and UK, the legal bases are described in Section 5, and you may contact your local data protection authority. For Brazil (LGPD), you may exercise the rights granted by Articles 18-22 and contact the ANPD. For Canada (PIPEDA) and Mexico (LFPDPPP), you may exercise access, rectification, cancellation and objection (ARCO) rights, and in Mexico you may submit an ARCO request to carlosvillafuerte@cartiamai.com. Where a representative or data protection officer is legally required, we will designate one and update this Policy with their contact details.

15. Third-party links

Our site and deliverables may link to third-party websites and tools we do not control. Their privacy practices are governed by their own policies, and we are not responsible for them.

16. Changes to this Policy

We may update this Policy to reflect changes in our practices or the law. The 'last updated' date above reflects the latest revision, and material changes will be highlighted on this page. Your continued use of the site after an update means you accept the revised Policy.

17. Contact us

Questions, requests or complaints about privacy can be sent to CARTIAMAI LLC, 539 W Commerce St, Ste 7352, Dallas, TX 75208, United States, or by email to carlosvillafuerte@cartiamai.com. We aim to respond to every privacy request within the period required by applicable law.

Reach us

CARTIAMAI LLC · 539 W Commerce St, Ste 7352, Dallas, TX 75208, United States · carlosvillafuerte@cartiamai.com