LEGAL
Privacy Policy
Last updated: May 20, 2026
1. Introduction & Who We Are
KenaVox LLC ("KenaVox," "we," "us," "our") operates kenavox.com and provides the KenaVox AI voice receptionist and AI SMS assistant. We are based in the Commonwealth of Virginia, United States. This Privacy Policy explains what personal information we collect from website visitors, leads, and signed-up clients; how we use it; who we share it with; how long we keep it; and what choices you have.
2. Scope of This Policy
This Policy covers personal information about: (a) visitors to kenavox.com; (b) people who fill out our contact form, request a demo, or test our AI through the marketing site; and (c) signed-up clients who use our dashboard, billing, and integrations.
This Policy does NOT cover personal information of "Callers" — the third parties who phone or text the AI agents operated by our clients. That data is governed by the client's own privacy policy. As described in §25 of our Terms of Service, KenaVox processes Caller data on behalf of the client; the client is the controller and we are the processor. If you are a Caller looking for information about how a specific business handles your data, please contact that business directly.
3. Personal Information We Collect
We collect the following categories of personal information:
- Identification & contact: name, business name, email address, phone number, industry, and the message content you submit through our contact form, signup flow, or demo flow.
- Account & billing: Stripe customer ID, plan, billing email and address. Your full card number, CVV, and expiration date are collected and stored by Stripe — not by us.
- Demo AI interactions: when you use a "Try the AI" voice or SMS feature on our marketing site, we collect and store the call audio recording, the transcript, the AI's responses, the phone number you used, and timestamps.
- Dashboard usage: when you sign up as a client, we collect login records, agent configurations you set, business information you place in the AI knowledge base, and your interactions with the dashboard.
- Calendar integration credentials & data: when you connect Google Calendar (OAuth), Microsoft Outlook / Microsoft 365 Calendar (OAuth), or Apple Calendar (CalDAV via an app-specific password you generate at appleid.apple.com), we store OAuth refresh tokens or encrypted CalDAV credentials and the calendar event data needed to schedule, reschedule, and notify on appointments. You can disconnect at any time from your dashboard.
- Device & technical: IP address, user-agent string, browser type, referrer URL, requested URLs, and timestamps. These are written to our server access logs.
- Cookies & SDKs: pseudonymous identifiers and event data from Google Analytics 4 (analytics) and Meta Pixel (advertising). See §6.
- Communications: emails you send us at hello@kenavox.com, support correspondence, and A2P / 10DLC registration content you submit through onboarding.
4. Sensitive Information We Do Not Want
Please do not submit through our contact form, demo flows, dashboard, or AI agents: payment card numbers, government-issued IDs, Social Security numbers, protected health information (PHI), financial-account credentials, or other sensitive personal information.
KenaVox is not a HIPAA-covered entity and the Service is not designed to receive PHI. If you accidentally send us sensitive information, email hello@kenavox.com and we will delete it.
5. Why We Collect — Purposes & EU Lawful Bases
We use personal information for the following purposes. For EU/UK residents, the lawful basis under the GDPR is noted in parentheses.
- Operate and deliver the Service (contract performance).
- Respond to inquiries and demo requests (legitimate interest; pre-contractual steps).
- Send transactional and billing emails (contract performance).
- Send marketing emails (consent at signup, or legitimate interest where permitted; you may opt out at any time).
- Analytics and advertising via Google Analytics 4 and Meta Pixel (consent where required by state or EU law; legitimate interest elsewhere).
- Improve the Service and the AI, including by reviewing demo call recordings and transcripts (legitimate interest; speakers are notified at the start of each demo call).
- Comply with legal obligations and defend legal claims (legal obligation; legitimate interest).
6. Cookies & Tracking Technologies
- Essential cookies: session cookies, security cookies, and load-balancing cookies. These cannot be turned off because the site will not function without them.
- Analytics cookies: we use Google Analytics 4 to understand how visitors move through the site. GA stores pseudonymous identifiers and event data, with a 14-month default retention.
- Advertising cookies: we use Meta Pixel to measure the effectiveness of advertising and to support retargeting. Meta Pixel fires browser-side events on page views, button clicks, and form submits. Under California law (CCPA/CPRA) and several similar state laws, sending Meta Pixel events is considered "sharing" personal information for cross-context behavioral advertising. You can opt out — see §13.
- Global Privacy Control (GPC): if your browser sends the GPC signal, we treat it as a valid request to opt out of sale and sharing on that browser. You do not need to take any other action.
- Do Not Track (DNT): we do not currently respond to legacy DNT headers, which is the industry standard given that DNT has no agreed-upon legal meaning. GPC is the supported signal.
7. Demo AI Calls & SMS — Recording, Transcripts, and Voice Data
If you are not comfortable with your voice or message being recorded and stored, do not use the "Try the AI" demo features on this site.
When you use a "Try the AI" voice feature on our marketing site, the AI's greeting discloses that the call is recorded before the call proceeds. Continuing the call after that disclosure constitutes your consent to be recorded.
We store the audio recording, the transcript, the AI's responses, the phone number you used, and timestamps for the purpose of product improvement and abuse prevention. There is no fixed deletion date — these records may be retained until you ask us to delete them.
Voice recordings include vocal characteristics that may constitute biometric information under certain state laws, including the Illinois Biometric Information Privacy Act (BIPA). We do not use this data to identify, authenticate, or distinguish individuals, and we do not generate a "voiceprint" or speaker model.
If you want your demo call deleted, email hello@kenavox.com with the phone number you used and the approximate time of the call. We will delete the recording, transcript, and associated phone number within 45 days.
8. How We Share Your Information — Sub-Processors
We share personal information with the following sub-processors, which provide infrastructure and services that the Service depends on. Each sub-processor is contractually required to handle personal information only on our instructions and to apply reasonable security safeguards.
- We do not sell personal information for money.
- Some advertising-related "sharing" with Meta (via Meta Pixel) is treated as a "sale" or "share" under California and similar state laws. See §13 to opt out.
- We may disclose personal information when required by law (subpoena, court order, valid legal process), to defend our legal rights, or in connection with a merger, acquisition, or sale of assets.
- We may add or change sub-processors at our discretion; material changes will be reflected in this table and the "Last updated" date above will be updated.
| # | Provider | Category | What we send | Privacy policy |
|---|---|---|---|---|
| 1 | Vercel, Inc. | Hosting, serverless functions, edge | Page requests, request metadata, server logs | vercel.com/legal/privacy-policy |
| 2 | Supabase, Inc. | Database, auth, storage | Account data, contact-form submissions, dashboard data, demo-call records, transcripts | supabase.com/privacy |
| 3 | Stripe, Inc. | Payments, billing | Name, billing email, billing address, payment method (PCI scope is Stripe's, not ours) | stripe.com/privacy |
| 4 | Twilio Inc. | Voice telephony, SMS infrastructure | Phone numbers, call audio routing, message bodies | twilio.com/legal/privacy |
| 5 | SimpleTexting (Sinch) | SMS campaigns and outbound messages | Phone numbers, message bodies, opt-out status | simpletexting.com/privacy-policy |
| 6 | ElevenLabs Inc. | Voice AI (text-to-speech, speech-to-text, voice agents) | Call audio, transcripts, voice prompts | elevenlabs.io/privacy |
| 7 | Retell AI, Inc. | Voice AI orchestration | Call audio, transcripts, voice prompts | retellai.com/legal/privacy-policy |
| 8 | OpenAI, L.L.C. (via Vercel AI Gateway) | Large-language-model inference | Conversation messages and system prompts (OpenAI does not train on API data by default) | openai.com/policies/privacy-policy |
| 9 | Cal.com, Inc. | Scheduling | Appointment data, attendee names, emails, times | cal.com/privacy |
| 10 | Resend | Transactional email delivery | Recipient email address, message content, delivery telemetry | resend.com/legal/privacy-policy |
| 11 | Google LLC | Google Calendar OAuth, Gmail OAuth, Google Analytics 4, Google sign-in | OAuth tokens, calendar events, pseudonymous analytics events | policies.google.com/privacy |
| 12 | Microsoft Corporation | Microsoft 365 / Outlook Calendar OAuth (Microsoft Graph) | OAuth tokens, calendar events | privacy.microsoft.com/en-us/privacystatement |
| 13 | Apple Inc. | Apple Calendar via iCloud CalDAV | Calendar events using an app-specific password you generate, and the iCloud account email associated with that password | apple.com/legal/privacy |
| 14 | Meta Platforms, Inc. | Meta Pixel (advertising and analytics) | Pseudonymous browser-side events: page views, button clicks, form submits | facebook.com/privacy/policy |
| 15 | Cloudflare, Inc. | DNS, DDoS protection, web application firewall | Network metadata, IP addresses, requested URLs | cloudflare.com/privacypolicy |
9. How Long We Keep Your Information
We retain personal information only as long as needed for the purposes described above and as required by law. Specific windows:
| Data category | Retention window |
|---|---|
| Contact-form leads (not converted to clients) | 24 months after last activity, then deleted or anonymized |
| Demo call recordings + transcripts | No fixed deletion date; retained for product improvement until you ask us to delete |
| Active client account data (profile, agent config, dashboard) | Lifetime of the account, plus 90 days after termination |
| Billing & invoice records | 7 years (United States tax-record retention) |
| Calendar OAuth refresh tokens / CalDAV credentials | Until you disconnect from the dashboard; we revoke the token at the provider on disconnect |
| Analytics (Google Analytics 4) | 14 months (GA default) |
| Server access logs | 30 days |
| Backups | Rolling 30-day retention; deletion requests propagate via natural rotation |
10. Your Privacy Rights
Regardless of which US state you live in, we grant you the following rights with respect to the personal information we hold about you:
- Access — request a copy of the personal information we have about you.
- Correct — ask us to fix inaccurate personal information.
- Delete — ask us to delete your personal information. Some information may be retained where required by law (for example, tax records) or to defend legal claims.
- Portability — receive a copy of your data in a structured, commonly used, machine-readable format.
- Opt out of sale or sharing for cross-context behavioral advertising — see §13.
- Opt out of profiling that produces legal or similarly significant effects about you. We do not currently engage in such profiling.
- Non-discrimination — we will not deny services, charge different prices, or provide a different quality of service for exercising any of these rights.
- Appeal — if we refuse to act on a request, you may appeal by replying to our refusal email; we will respond within 60 days.
11. How to Exercise Your Rights
- Email hello@kenavox.com with the request, the right you are exercising, and the email of record we should associate with the request.
- We verify identity by sending a confirmation to the email of record. For sensitive requests (such as deletion), we may ask for additional confirmation.
- We respond within 45 days. If we need more time, we will tell you and may extend by an additional 45 days, as permitted by law.
- Exercising a right is free. We may charge a reasonable fee or refuse a request that is manifestly unfounded, repetitive, or excessive, as permitted by law.
- Authorized agents may submit requests on your behalf with your written permission and proof of identity.
12. Global Privacy Control (GPC)
If your browser sends the Global Privacy Control signal, we treat it as a valid request to opt out of sale and sharing for that browser. You do not need to send a separate email. If you use a different browser or device, you will need to set GPC there as well.
13. Do Not Sell or Share My Personal Information
You can opt out of the only "sharing" we engage in — Meta Pixel advertising signals — by sending Global Privacy Control from your browser (§12) or by emailing hello@kenavox.com with the subject "Do Not Sell or Share."
We do not sell personal information for money. We do use Meta Pixel, which under California and several similar state laws counts as "sharing" for cross-context behavioral advertising.
To opt out, either: (1) enable Global Privacy Control in your browser — we honor it automatically; or (2) email hello@kenavox.com with the subject "Do Not Sell or Share" and the email of record. We will suppress advertising signals associated with your address within 15 days.
14. Security
No system is perfectly secure. If you believe your account has been compromised, email hello@kenavox.com immediately.
- Encryption in transit using TLS for all browser-to-server and server-to-sub-processor traffic.
- Encryption at rest for sensitive fields, including OAuth refresh tokens and Apple CalDAV app-specific passwords.
- Role-based access control inside our dashboard and admin tools, with least-privilege access for staff.
- Audit logging of administrative actions on client data.
- Annual review of access permissions and removal of dormant accounts.
15. International Data Transfers
KenaVox is a United States business and our Service is operated primarily from the United States. If you access the Service from outside the United States, your personal information will be transferred to and processed in the United States, where data-protection law may differ from the law of your jurisdiction.
For transfers of personal information from the European Economic Area, United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) and on supplementary measures with our sub-processors where required. Many of our sub-processors operate global infrastructure that may also process data outside the United States.
16. EU/UK Residents
If you are in the European Economic Area or the United Kingdom, the controller of your personal information is KenaVox LLC, the entity identified in §21. We do not currently have a designated representative in the EU under Article 27 GDPR.
In addition to the universal rights in §10, you have GDPR-specific rights: access, rectification, erasure ("right to be forgotten"), restriction of processing, portability, objection to processing based on legitimate interest, and the right to withdraw consent at any time (without affecting the lawfulness of processing before withdrawal).
You have the right to lodge a complaint with the data-protection authority in your country if you believe we have not handled your personal information lawfully.
17. Children
Our Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us personal information, email hello@kenavox.com and we will delete it.
Separately, our Terms of Service require all account holders to be at least 18 years old (or the age of majority where you live, if higher).
18. California "Shine the Light" (Civil Code §1798.83)
California residents may request information about disclosures of personal information to third parties for those parties' own direct marketing purposes in the preceding calendar year. We do not disclose personal information to third parties for those parties' own direct marketing purposes.
19. Data Breach Notification
If we determine that your personal information was acquired by, or accessed by, an unauthorized person, we will notify you and the applicable regulators in accordance with state and federal breach-notification laws, including any timing, content, and substitute-notice requirements that apply.
20. Changes to This Policy
We may update this Policy from time to time. If we make material changes — such as adding a new category of personal information we collect, changing a sub-processor that materially affects how data is processed, or expanding how we share data for advertising — we will post a notice on the site for at least 30 days and email active clients at the address on file.
Non-material changes will be reflected by an updated "Last updated" date at the top of this page. Your continued use of the Service after the effective date of the change constitutes acceptance of the updated Policy.
21. Contact Us
KenaVox LLC
[Mailing address — placeholder, replace before publish]
Email: hello@kenavox.com
Privacy requests, rights requests, and "Do Not Sell or Share" opt-outs: hello@kenavox.com
22. Effective Date
This Privacy Policy is effective as of May 20, 2026.