How KAITALK collects, uses, and protects personal data for clinical participant recruitment, eConsent, and retention — aligned with GDPR, LGPD, LFPDPPP, and CCPA.
KAITALK is a governed AI platform for clinical participant recruitment, eConsent, and retention, used by sponsors, CROs, and research sites across the United States, Mexico, and beyond. The service is provided by Chany Ventures, S. de R.L. de C.V., a company organized under the laws of Mexico, operating under the trade name KAITALK.
KAITALK is a Q Bridge product. For company information, see qbridge.ai.
This Privacy Notice describes how we collect, use, disclose, and safeguard personal information when you use our platform, website, or participant outreach services. It applies to account holders, participants who interact with our AI, and visitors to kaitalk.online.
If you have any questions about this policy, please contact us:
We collect only the personal data necessary to deliver and improve the KAITALK service. The table below describes each category, what is included, and the source from which we collect it.
| Category | Data Elements | Source |
|---|---|---|
| Identity | Name, company name | Account registration |
| Contact | Email address, phone number | Account registration; inbound calls |
| Call data | Caller phone number, call transcript, call duration, audio recording (when enabled by account holder) | Via Twilio — generated during call handling |
| Billing | Billing email address. Card data is processed exclusively by Stripe — KAITALK never stores card numbers, CVV, or full PAN. | Stripe payment processor |
| Analytics | IP address (hashed, never stored in plaintext), pages visited, browser language, UTM source/medium/campaign | Server logs; client-side UTM tracker (consent-gated) |
We do not collect sensitive personal data (special categories under GDPR Art. 9), government ID numbers, or financial account credentials.
The legal basis for processing your personal data depends on your jurisdiction:
We retain personal data only as long as necessary for the stated purpose or as required by law:
| Data Type | Retention Period | Notes |
|---|---|---|
| Call audio recordings | 30 days (default) | Account holders can configure this to 0 days for immediate auto-deletion after transcription |
| Call transcripts | 12 months | Encrypted at rest; used for quality scoring and AI improvement |
| Account data | Duration of subscription + 90 days | Exported within 30 days of written request after termination |
| Billing records | 7 years | Required by Mexican tax law (SAT) and US/international accounting standards |
| Analytics events (hashed IP) | 24 months | IP stored only as SHA-256 hash; never linked back to identity |
| Session tokens | 30 days | Invalidated on logout or password change |
| Audit logs | 7 years | Immutable INSERT-only log with SHA-256 hash chain for integrity |
We engage the following third-party service providers (sub-processors) who may process personal data on our behalf. Each is bound by a Data Processing Agreement or equivalent legal instrument.
| Sub-Processor | Purpose | Location | Privacy Policy |
|---|---|---|---|
| Twilio Inc. | Voice calls, SMS, WhatsApp Business API | USA | twilio.com/legal/privacy |
| Stripe Inc. | Payment processing (USD & MXN) | USA / Mexico | stripe.com/privacy |
| Neon Inc. | PostgreSQL database hosting | USA | neon.tech/privacy |
| Render Inc. | Application hosting & infrastructure | USA (Oregon) | render.com/privacy |
| Postmark (Wildbit) | Transactional email delivery | USA | postmarkapp.com/privacy-policy |
| Cloudflare Inc. | CDN, DDoS protection, edge routing | USA | cloudflare.com/privacypolicy/ |
AI inference note: AI model inference (LLM responses) is processed by Polsia AI, our parent platform provider, under its own Data Processing Agreement. Polsia AI does not use your call data to train foundation models.
A complete, up-to-date sub-processor list is maintained at /subprocessors.
Depending on your jurisdiction, you have the following rights regarding your personal data:
Access your data, Rectify inaccurate data, Cancel processing, and Oppose certain processing. We respond within 15 business days.
Access, Rectification, Erasure ("right to be forgotten"), Portability, Restriction of processing, Objection, and rights related to automated decision-making. We respond within 30 days.
Know what data is collected, Delete personal information, Opt-out of sale (we do not sell), and Non-discrimination for exercising rights.
Withdraw consent at any time (does not affect prior lawful processing). Lodge a complaint with your relevant supervisory authority (INAI for Mexico, relevant DPA for EU).
To exercise any of these rights, contact privacy@kaitalk.online or submit a request through your dashboard at /account/compliance.
You may submit a Data Subject Request (DSR) by either:
All requests are logged in our data_subject_requests table with jurisdiction-specific deadlines enforced. We may require identity verification before processing requests involving deletion or portability.
KAITALK is headquartered in Mexico and uses sub-processors primarily located in the United States. Personal data may be transferred outside Mexico when processed by these sub-processors.
KAITALK is a business-to-business service directed exclusively at small and medium businesses and their adult employees. We do not knowingly collect personal data from individuals under the age of 16.
If you believe we have inadvertently collected personal data from a minor, please contact privacy@kaitalk.online immediately and we will delete the data promptly.
In the event of a personal data breach that is likely to result in risk to individuals' rights and freedoms, we will:
security_incidents log.Our full incident response procedure is documented internally at docs/incident-response.md.
We use a minimal set of cookies and browser storage:
We do not use advertising cookies, third-party tracking pixels, or cross-site behavioral profiling. You can withdraw analytics consent at any time by clearing browser storage or using the consent banner preferences link in the page footer.
We may update this Privacy Policy from time to time. For material changes — changes that affect your rights, our data collection practices, or the legal bases for processing — we will provide at least 10 days advance notice by email to registered account holders before the changes take effect.
Non-material changes (such as clarifications or corrections) may be made without advance notice. The "Last updated" date at the top of this page will always reflect the most recent revision.
Continued use of KAITALK after the effective date of a material change constitutes acceptance of the revised policy.
Privacy / Data Protection Officer equivalent:
Email: privacy@kaitalk.online
DPO equivalent / General: vamsy@kaitalk.online
Mailing Address:
Chany Ventures, S. de R.L. de C.V. (KAITALK)
Monterrey, Nuevo León, México
For EU/EEA complaints, you also have the right to contact your local supervisory authority. For Mexico, the relevant authority is INAI (home.inai.org.mx).