EngageCloud

Privacy Policy

Effective Date: April 2026 | Last Updated: May 2026

1. Overview

ENGAGECLOUD AI INC (“we,” “our,” or “us”) provides AI-enabled communication and customer engagement services. This Privacy Policy explains what personal data we collect, how we use and share it, the choices available to individuals, and how we protect personal data. This Policy applies globally; where relevant we call out practices and rights specific to the United States.

2. Scope and Roles

Scope

This Policy describes ENGAGECLOUD AI INC’s data practices for users worldwide and includes dedicated sections for U.S.-specific rights and obligations. Where we process or transfer personal data outside the United States, we do so under appropriate safeguards described in the DPA and the “International Transfers” section below.

Controller / Processor Roles

  • Controller: ENGAGECLOUD AI INC is the controller for account, billing, marketing, and employment data.
  • Processor: ENGAGECLOUD AI INC acts as a processor/service provider for Customer Data processed on behalf of customers. Processing of Customer Data is governed by the DPA available at ENGAGECLOUD AI INC DPA.

3. Categories of Personal Data Collected

  • Account and Billing: name, email, phone, company, billing details, and payment method information.
  • Customer Content: SMS, voice, chat, email content; call recordings; transcripts; contact and lead records (processed on behalf of customers).
  • End-User Information: phone numbers, message content, interaction metadata for individuals contacted by customers.
  • Usage and Technical Data: IP address, device identifiers, logs, cookies, analytics, error reports.
  • Marketing Data: preferences, communications history, event attendance.
  • Payment and Billing Data: payment card information processed by our third party payment processor (we do not store raw card numbers on our systems), billing address, invoicing history, and subscription details. See Section 3d for details.

3a. Facebook / Meta Platform Data

engagecloud.ai integrates with the Meta (Facebook) Marketing API to provide campaign management and analytics features. When you connect your Facebook Ad account to engagecloud.ai:

  • We collect and store your Facebook access token to authenticate API requests on your behalf.
  • We retrieve ad campaign data including campaign names, impressions, reach, and call-action metrics from your Facebook Ad account.
  • This data is used solely to display campaign performance within your engagecloud.ai dashboard.
  • We do not sell, share, or transfer your Facebook data to any third parties.
  • Facebook data is retained only for as long as your account remains active on engagecloud.ai.
  • You may disconnect your Facebook account at any time from your engagecloud.ai settings, which will revoke our access and delete your stored access token.
  • To request deletion of all Facebook data we have collected, contact us at privacy@engagecloud.ai.

We request only the following Meta API permissions: ads_read and ads_management. We do not use Meta data for any purpose other than providing the service features you have requested.

3b. Google Platform Data

engagecloud.ai integrates with Google Ads and related Google APIs to provide lead capture and campaign analytics features. When you connect your Google account to engagecloud.ai:

  • We access your Google Ads account data, including campaign names, lead form submissions, and performance metrics, solely to display this data within your engagecloud.ai dashboard.
  • We do not sell, share, or transfer your Google data to any third parties.
  • Any data accessed via Google APIs is used in compliance with the Google API Services User Data Policy, including the Limited Use requirements.
  • Google data is retained only for as long as your account remains active on engagecloud.ai.
  • You may disconnect your Google account at any time from your engagecloud.ai settings.
  • To request deletion of all Google data we have collected, contact us at privacy@engagecloud.ai.

Google API Services — Limited Use Disclosure

engagecloud.ai’s use and transfer to any other application of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We only access Google API data to provide or improve user-facing features of the Service — never for advertising, data brokering, or any purpose unrelated to the user’s explicit request.
  • We do not allow humans to read your Google data unless you give us affirmative agreement, doing so is necessary for security purposes (e.g., investigating abuse), or we are required by law.
  • We do not use Google data to train machine learning models.

The above applies to all scopes accessed through the Google OAuth flow. Full details of Google’s policy are available at: https://developers.google.com/terms/api-services-user-data-policy

3c. End-User / Contact Data

When customers use engagecloud.ai to communicate with their own customers or prospects (“End Users”), we process End-User Data (phone numbers, message content, interaction metadata) as a data processor on behalf of our customer. End Users seeking to exercise data rights should contact the engagecloud.ai customer that collected their data. engagecloud.ai will assist customers in responding to such requests as required by the DPA.

3d. Payment and Billing Data

engagecloud.ai uses a third-party payment processor to handle all payment transactions. When you provide payment information:

  • Payment card details are transmitted directly to our payment processor via their secure checkout system and are not stored on engagecloud.ai’s servers.
  • engagecloud.ai stores only tokenized references, the last four digits of your card, card type, and billing address for display and rebilling purposes.
  • Our payment processor is certified as a PCI DSS Level 1 Service Provider. Processing of your payment data is governed by the payment processor’s own privacy policy and PCI DSS compliance program.
  • Billing and invoice records are retained for seven years as required for tax and accounting purposes, even after account deletion.

Subscription fees, billing cycles, and applicable taxes are clearly outlined at the time of purchase or in the applicable Order Form.

4. How We Use Personal Data

We use personal data to:

  • Provide and operate the Service, including processing communications on behalf of customers.
  • Authenticate accounts, manage subscriptions, and bill customers.
  • Fulfill product orders, provide hosting services, offer technical support, and assess service quality.
  • Detect and prevent fraud, abuse, spam, and unauthorized access.
  • Improve product performance, reliability, and user experience through aggregated analytics.
  • Send transactional communications (receipts, account alerts, support responses).
  • Send marketing communications where you have consented or where we have a legitimate interest (with opt-out available at all times).
  • Comply with legal obligations, court orders, and regulatory requirements.

We do not sell personal data for cross-context behavioral advertising. We do not use Customer Content to train our general foundation models or third-party base models without explicit, opt-in consent from the Customer.

5. AI Automated Processing and Model Training

  • Service use: Conversational AI powers automated initial replies, intent detection, routing, and analytics.
  • Model training stance: We do NOT use Customer Content to train our general foundation models or third-party base models without explicit, opt-in consent from the Customer. Aggregated and de-identified usage metrics may be used to improve product performance.
  • Limitations and human review: AI outputs may be inaccurate and should be validated by humans where accuracy is required. Customers can configure handoff thresholds that route warm leads to agents.
  • Third-party AI providers: Third-party AI providers are engaged as subprocessors under contractual data protection obligations; details are on the Subprocessors page.

6. Subprocessors and Hosting Providers

We publish and maintain a current subprocessors page at [Subprocessors Page URL]. That page lists provider name, role, country, and a link to the provider’s privacy/security page.

We remain responsible for our subprocessors’ compliance with contractual obligations and will notify customers of material changes to our subprocessor list.

7. How to Access, Manage, and Delete Your Data

You may request access, correction, or deletion of your engagecloud.ai data by:

Processing timeline: Requests are processed within 30 days. You will receive written confirmation once deletion is complete.

Meta data deletion: To remove Meta-connected data, revoke access via Facebook Settings: https://www.facebook.com/settings?tab=applications

Google data deletion: To remove Google-connected data, revoke access via Google Account Permissions: https://myaccount.google.com/permissions

Default retention (unless Customer configures otherwise):

  • Call recordings — 90 days
  • Transcripts — 180 days
  • Interaction logs — 365 days
  • Account and billing data — retained while account is active plus 90 days backup
  • Billing and invoicing records — 7 years (regulatory requirement)
  • Backups — 90 days

Customer control: Customers may request custom retention settings or export their data in common machine-readable formats. Export timelines and procedures are described in the DPA.

Deletion: Upon termination or per Customer instructions, we will delete or return Customer Content as set out in the DPA and applicable agreements, subject to legal hold obligations.

8. Security Measures and Trust Center Summary

We maintain administrative, technical, and physical safeguards including:

  • TLS 1.2+ for data in transit and AES-256 for data at rest.
  • Role-based access controls and least-privilege principles.
  • Multi-factor authentication for administrative access.
  • Centralized logging and SIEM monitoring.
  • Quarterly vulnerability scans and annual third-party penetration testing.
  • A formal incident response program.
  • SOC 2 Type II roadmap; reports available under NDA upon request.

9. Security Incident Notification

We will notify affected customers of a qualifying security incident within 72 hours of becoming aware, and provide updates until resolution. Notifications will include the nature of the incident, affected data categories, and remediation steps taken.

10. Cookies and Tracking

We use the following categories of cookies and tracking technologies:

  • Strictly Necessary: Required for the platform to function. Cannot be disabled.
  • Functional: Remember your preferences and settings.
  • Analytics: Understand how you use the platform (g., Google Analytics, Mixpanel).
  • Advertising: Used for retargeting and measuring ad performance (can be opted out).

Consent: Non-essential cookies require consent via a cookie banner; users can manage preferences in the cookie settings panel at any time.

Cookie Inventory: We maintain a cookie inventory mapping cookie name, provider, purpose, and retention on our Cookie Policy page at [Cookie Policy URL].

Do Not Track: Our website responds to Do Not Track (DNT) signals by not tracking users for advertising purposes when DNT is enabled.

11. Messaging, Telecom Compliance, and E911

Customer Responsibility

Customers are responsible for obtaining valid opt-in consent, honoring opt-out requests, accurate E911 provisioning for numbers they provision, and complying with TCPA, CAN-SPAM, 10DLC/A2P registration, and other applicable laws.

Company Support

We provide tools, templates, and onboarding guidance for compliance and log opt-out events. We are not responsible for Customer’s failure to comply.

Opt-In Template

By providing your phone number you agree to receive messages from [Company Name] at this number for account and marketing purposes. Msg & data rates may apply. Reply STOP to opt out.

Opt-Out Handling

All STOP requests will be honored immediately and logged; opt-out exports are available to customers.

12. U.S. Privacy Rights — CCPA, CPRA, and Other State Rights

California residents and residents of other U.S. states with applicable privacy laws may have the following rights:

  • Right to Know: Request disclosure of the categories and specific pieces of personal data we have collected about you.
  • Right to Delete: Request deletion of your personal data (subject to certain exceptions).
  • Right to Correct: Request correction of inaccurate personal data.
  • Right to Opt Out: Opt out of the sale or sharing of your personal data for cross-context behavioral advertising. (We do not sell personal data.)
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
  • Right to Limit Use of Sensitive Personal Information (CPRA): Limit the use or disclosure of sensitive personal information to what is necessary to provide the services.

 

To exercise these rights, contact privacy@engagecloud.ai. We will acknowledge requests within 5 business days and respond per applicable law. We honor applicable local rights in other jurisdictions as required by law.

13. Children’s Data

Our services are not directed to children under 13 (or under 16 in certain jurisdictions). We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child, we will take steps to delete it promptly. Parents or guardians who believe their child’s data has been collected may contact us at privacy@engagecloud.ai.

14. International Transfers

We are headquartered in the United States and may transfer personal data to countries that may not provide the same level of data protection as your home country. Where we transfer personal data outside the United States or European Economic Area, we do so under appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Adequacy decisions where applicable.
  • Binding Corporate Rules or other legally recognized transfer mechanisms.

Full details of our transfer mechanisms are described in the DPA available at ENGAGECLOUD AI INC DPA.

15. Data Subject Request Process

How to submit a request: Email privacy@engagecloud.ai with subject line “Data Subject Request” and include: full name, email address, description of your request, and proof of identity if required.

Acknowledgement and timing: We will acknowledge receipt within 5 business days and respond in accordance with applicable law. Complex requests may require additional verification and time; we will notify you of any extension.

 

Escalation: If you are unsatisfied with our response, contact legal@engagecloud.ai for escalation, or file a complaint with your applicable data protection authority.

16. Changes to This Policy

ENGAGECLOUD AI INC reserves the right to modify, update, or replace this Privacy Policy at any time to reflect changes in our data practices, legal requirements, or business operations.

When material changes are made, we will make reasonable efforts to notify you, which may include:

  • Posting the updated Policy on our website with a revised Effective Date.
  • Providing notice via email to registered account holders.
  • Displaying a notice within the platform.

Continued use of the platform after any updates constitutes your acceptance of the revised Policy. If you do not agree with the revised Policy, you must discontinue use of the platform and may cancel your subscription in accordance with the cancellation policy.

17. Contact