Privacy Policy

• Full name and business name
• Email address (personal and business)
• Business telephone number and mobile number
• Business address and service area
• Business category and industry type
• Account username and password (stored in hashed, encrypted form — never in plain text)
• Profile photograph or business logo (if uploaded)

• Subscription plan selection and billing history
• Invoice records and payment receipts
• Billing address and country of residence
• Note: ProFox does not collect or store credit card numbers, bank account details, or other payment instrument data. All payment card data is handled exclusively by Stripe, Inc. under their PCI DSS-compliant infrastructure.

• Login timestamps and session durations
• Features accessed and actions performed within the Platform
• Messages sent and received through the unified inbox (SMS, email, Facebook Messenger, Instagram DMs, Google Business Profile messages, and web chat)
• Campaign messages created, sent, and engagement data (opens, clicks, replies)
• CRM records created, modified, or deleted, including customer contact information entered by the Client
• Review request records, review receipt confirmations, and private feedback submissions
• Device type, operating system, browser type, and IP address used to access the Platform

• Inbound and outbound call records including caller number, date, time, call duration, and call outcome
• Call source attribution data (the marketing channel that generated each call)
• Call recordings for all calls to and from the Client's dedicated business number (subject to applicable call recording laws)
• Voicemail recordings and transcriptions where applicable
• Missed call records and automated text-back delivery confirmations
• AI Voice Agent conversation transcripts and call summaries (Plan 3 only)

• Pages visited on the ProFox website, time spent on each page, and navigation paths
• Referring websites and search terms used to find the ProFox website
• IP address, approximate geographic location derived from IP address (country and city level only), and browser language settings
• Cookie data as described in Section 13 of this Policy
• Web chat conversations initiated via the website chat widget

When a Client uses the ProFox CRM, inbox, messaging tools, or phone system, they may upload or generate data relating to their own customers. This may include their customers' names, phone numbers, email addresses, postal addresses, job history, conversation records, review submissions, and any other information the Client enters into the CRM. ProFox processes this data solely on the Client's instructions as a Data Processor and does not use it for any independent purpose.

• Emails and messages sent to ProFox support, legal, or sales teams
• Support ticket records and resolution history
• Feedback and survey responses submitted by Clients or Users
• Social media interactions with ProFox's official accounts

• Account registration and onboarding: Data provided when creating a ProFox account, completing the onboarding form, or subscribing to a plan
• Free trial activation: Data provided when starting a free trial
• Payment processing: Billing data provided when setting up a payment method
• Support communications: Data provided when contacting ProFox support, raising a complaint, or sending an enquiry
• Marketing communications: Data provided when subscribing to ProFox's newsletter, downloading resources, or registering for webinars

• Platform activity logging: Actions performed within the Platform are automatically logged to provide security, analytics, and support capabilities
• Call system: Call records, call recordings, and call source attribution are captured automatically by the telephony infrastructure when calls are made to or from the Client's business number
• Website analytics: Cookies and analytics tools collect browsing data from visitors to the ProFox website as described in Section 13
• AI agent interactions: Conversations handled by AI Live Chat or AI Voice Agents are automatically transcribed and logged

• Meta (Facebook and Instagram): Message content and sender identifiers for messages received through Facebook Messenger and Instagram DMs
• Google: Message data from Google Business Profile messages, analytics data from Google Analytics integrations, and call data from Google Ads call tracking
• Twilio: Caller identification data, call metadata, and SMS delivery status data from the telephony infrastructure
• Stripe: Payment confirmation data, subscription status updates, and billing event notifications

Under the Digital Personal Data Protection Act 2023 and DPDP Rules 2025, consent is the primary and general lawful basis for processing personal data of Indian data principals. ProFox obtains specific, informed, and freely given consent from Indian data principals before processing their personal data, as required by the DPDP Act. Consent notices are provided in clear and plain language as mandated by Rule 3 of the DPDP Rules 2025. You may withdraw your consent at any time without detriment, as described in Section 12 of this Policy.

Processing that is necessary to deliver the Services under the ProFox subscription agreement is carried out on the basis of contract performance. This includes account creation, platform operation, billing, onboarding, and all core feature delivery.

ProFox processes personal data where required by applicable law, including tax and accounting obligations, data breach notification requirements, responses to lawful requests by courts or regulatory authorities, and anti-money laundering or fraud prevention obligations.

For UK and Australian data subjects, ProFox may process personal data on the basis of legitimate interests where such processing is necessary for ProFox's reasonable operational purposes and those interests are not overridden by the data subject's rights and freedoms. Legitimate interest processing activities are limited to platform security, fraud detection, service improvement using anonymised analytics, and direct marketing to existing Clients where a soft opt-in applies.

• The full audio content of both sides of every telephone call to and from the Client's business number
• Call metadata including caller number, date, time, call duration, and call outcome
• AI Voice Agent call transcripts and structured call summaries (Plan 3 only)
• Voicemail messages left on the Client's business number

The ProFox system plays a configurable notification message or tone at the commencement of each recorded call to inform all parties that the call is being recorded. The Client is responsible for configuring an appropriate notification for their jurisdiction. In all-party consent jurisdictions (certain US states including California, Florida, and Illinois), the Client is responsible for ensuring that callers are adequately notified and that any required consent is obtained before the recording commences.

Call recordings are stored securely on ProFox's managed infrastructure with encryption at rest. Access to recordings is restricted to the Client (through their authenticated Platform account) and ProFox support staff where access is necessary to resolve a technical issue. ProFox does not listen to or review Client call recordings except where: (a) a support ticket specifically requests investigation of a recording; (b) a legal obligation or regulatory requirement mandates review; or (c) ProFox has reasonable grounds to investigate a suspected breach of the Terms and Conditions or applicable law.

Call recordings are retained for the standard data retention period applicable to the Client's account, as described in Section 11. Clients may download individual recordings at any time during their active subscription. Recordings are permanently deleted following account termination and the applicable 30-day post-termination retention window.

• The AI Live Chat Agent processes the content of conversations initiated by website visitors in real time to generate contextually relevant responses
• Conversation transcripts are stored against the CRM record of any identified or subsequently identified contact
• The AI processes only the data explicitly provided by the visitor during the conversation — it does not access any external data sources or make inferences about the visitor beyond the conversation context
• Conversations escalated for human response are flagged in the Client's unified inbox with the full conversation transcript attached

• The AI Voice Agent processes audio from inbound telephone calls in real time to generate speech responses. The audio is transcribed and the transcript is processed to determine the appropriate response
• Call transcripts and AI-generated call summaries are stored against the caller's CRM record
• The AI Voice Agent does not make automated decisions with legal or similarly significant effects on individuals

ProFox does not use Client Data, call recordings, conversation transcripts, or any other data generated through a Client's use of the Platform to train, fine-tune, or improve any AI model used by ProFox or any third party. Client data processed by AI features is used solely to generate responses within the context of the specific interaction for which it was submitted.

ProFox does not use automated decision-making systems to make decisions about individuals that produce legal effects or similarly significant effects without human review. All decisions affecting the Client's business relationships remain with the human Client. If you believe you have been subject to a fully automated decision that significantly affects you, contact our Data Protection Officer using the details in Section 19.

For transfers of personal data of UK data subjects to countries not covered by a UK adequacy regulation, ProFox implements appropriate transfer safeguards, including UK International Data Transfer Agreements (IDTAs) or UK Addendum to EU Standard Contractual Clauses with relevant processors.

The DPDP Act 2023 permits cross-border data transfers to all countries except those specifically restricted by the Government of India via notification. ProFox monitors the Government of India's published restricted country list and will not transfer personal data of Indian data principals to any country on that list.

For transfers of personal data of Australian individuals, ProFox complies with Australian Privacy Principle 8 (APP 8) regarding cross-border disclosure. Before transferring personal data of Australian individuals to overseas processors, ProFox takes reasonable steps to ensure that the receiving party will handle the information consistently with the Australian Privacy Principles.

• Data processing agreements with all sub-processors incorporating applicable international transfer clauses
• Technical security measures including end-to-end encryption in transit and AES-256 encryption at rest for all stored personal data
• Contractual obligations requiring sub-processors to implement security measures equivalent to those required by the most stringent applicable data protection law
• Ongoing due diligence reviews of sub-processor security and compliance certifications

To exercise any of the rights described above, submit a written request to our Data Protection Officer at contact@profoxwebdesigner.com. Please include your full name, the email address associated with your ProFox account, the specific right you wish to exercise, and sufficient information to enable us to identify you and locate your data.

ProFox will acknowledge your request within 48 hours and respond substantively within the timeframe required by applicable law — within 30 days under the DPDP Act 2023 and UK GDPR, and within 45 days under CCPA/CPRA. We will not charge a fee for processing your request unless it is manifestly unfounded, excessive, or repetitive.

Cookies are small text files placed on your device by a website when you visit it. They allow the website to remember information about your visit — such as your login status, language preference, or how you navigated the site — and to provide a consistent experience across pages and sessions.

• Essential cookies cannot be disabled as they are required for the Platform to function.
• Functional and analytics cookies require your consent before being placed on your device. A cookie consent banner is displayed on your first visit.
• You can manage or withdraw your cookie consent at any time by clicking the "Cookie Preferences" link in the footer of any ProFox web page, or by clearing cookies in your browser settings.
• You can also control cookies through your browser settings. Instructions for managing cookies are available at aboutcookies.org.

• Encryption in transit: All data transmitted between your device and the ProFox Platform is encrypted using TLS 1.2 or higher. All API communications between ProFox and its third-party processors use encrypted HTTPS connections.
• Encryption at rest: All personal data stored on ProFox's servers is encrypted at rest using AES-256 encryption.
• Multi-factor authentication (MFA): MFA is available and strongly recommended for all Platform accounts. ProFox's administrative infrastructure requires mandatory MFA for all ProFox team members.
• Role-based access controls: Access to personal data within ProFox's internal systems is restricted to employees and contractors who have a legitimate operational need to access it.
• Infrastructure security: The ProFox Platform is hosted on enterprise-grade cloud infrastructure (AWS) with dedicated security groups, network firewall rules, and regular automated vulnerability scanning.
• Password security: All account passwords are stored as salted hashes using bcrypt or equivalent one-way hashing algorithms. Plain-text passwords are never stored or transmitted.
• Automated threat detection: ProFox employs automated systems for detecting suspicious login activity, abnormal data access patterns, and potential credential compromise events.

• All ProFox team members and contractors with access to personal data are subject to binding confidentiality agreements
• Access to production systems and client data is reviewed and audited on a regular basis, with access removed promptly when no longer required
• ProFox conducts periodic security training for all team members handling personal data
• Third-party sub-processors are subject to security due diligence review before engagement and are required to maintain appropriate security certifications

Upon detection or notification of a suspected data breach, ProFox's response protocol is activated immediately. This includes: (a) containment of the breach to prevent further unauthorised access; (b) forensic assessment to determine the scope, nature, and severity of the breach; (c) engagement of relevant technical resources to remediate the vulnerability; and (d) escalation to ProFox's Data Protection Officer for regulatory assessment and notification decisions.

• India (DPDP Act 2023 / CERT-In Rules): ProFox will report significant personal data breaches to the Data Protection Board of India and/or CERT-In within the prescribed timeframe (currently within 6 hours of discovery for certain categories under CERT-In rules)
• United Kingdom (UK GDPR): Where a breach is likely to result in a risk to the rights and freedoms of UK data subjects, ProFox will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach
• United States: ProFox will comply with applicable state data breach notification laws, which vary by state. Most US state breach notification laws require notification within 30 to 90 days of discovery
• Australia: Where a breach is likely to result in serious harm, ProFox will report to the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme, as required by Part IIIC of the Privacy Act 1988

Where a data breach involves Client Data, ProFox will notify affected Clients without undue delay and in any event within the timeframes required by applicable law. The notification will include: (a) a description of the nature of the breach; (b) the categories and approximate volume of personal data affected; (c) the likely consequences of the breach; and (d) the measures taken or proposed to address the breach and mitigate its effects.

If you discover or suspect a security vulnerability in the ProFox Platform, or if you believe your account has been compromised, please report it immediately to support@profoxwebdesigner.com. ProFox operates a responsible disclosure policy and will acknowledge all valid security reports within 24 hours.

• Data Fiduciary designation: ProFox acts as a Data Fiduciary under the DPDP Act 2023 in respect of personal data of Indian data principals collected for the purposes of providing the Services. ProFox has appointed a Data Protection Officer as the point of contact for Indian data principals to exercise their rights and raise grievances.
• Consent notices under DPDP Rules 2025: Pursuant to Rule 3 of the DPDP Rules 2025 (notified 13 November 2025), ProFox issues consent notices to Indian data principals before collecting their personal data. These notices describe: (a) the personal data to be collected; (b) the purpose of processing; (c) how to withdraw consent; and (d) how to contact the Data Protection Officer.
• Rights of Indian data principals: Indian data principals have the following rights under the DPDP Act 2023: (a) the right to access information about their personal data (Section 11); (b) the right to correction and erasure of personal data (Section 12); (c) the right to nominate a nominee to exercise data rights on their behalf in case of death or incapacity (Section 14); and (d) the right to grievance redressal through ProFox's grievance mechanism (Section 13) and escalation to the Data Protection Board of India (Section 20).
• Grievance redressal: ProFox's Data Protection Officer will acknowledge grievances submitted by Indian data principals within 48 hours and resolve them within 30 days as required by the DPDP Rules 2025. If you are not satisfied with ProFox's response, you may escalate your grievance to the Data Protection Board of India through the Board's digital portal.
• Children's personal data under DPDP Act: ProFox does not process personal data of children (persons under 18) and does not process personal data in a manner that is likely to cause harm to children. ProFox will implement verifiable parental consent mechanisms as required under Section 9 of the DPDP Act and Rule 10 of the DPDP Rules 2025 if the scope of Services is expanded to include platforms accessible to children.

• UK Representative: ProFox is an Indian company processing personal data of UK data subjects. Where required under Article 27 of the UK GDPR, ProFox maintains or will appoint a UK-based representative. Contact details for ProFox's UK representative are available on request from the Data Protection Officer.
• UK data subject rights: UK data subjects have all rights described in Section 12, including rights under Articles 15 to 22 of the UK GDPR. Requests will be responded to within one calendar month, extendable by two further months where the request is complex or numerous.
• Right to lodge a complaint with the ICO: UK data subjects have the right to lodge a complaint with the Information Commissioner's Office (ICO) at any time. The ICO's contact details are: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Telephone: 0303 123 1113. Website: ico.org.uk.
• UK International Data Transfer Agreements (IDTAs): Where personal data of UK data subjects is transferred to countries outside the UK, ProFox uses UK IDTAs or equivalent UK-approved transfer mechanisms to ensure that data subjects' rights and protections travel with the data.

• California Consumer Privacy Act (CCPA) and CPRA rights: California residents have the following rights: (a) the right to know what personal information is collected about them and how it is used; (b) the right to delete personal information; (c) the right to correct inaccurate personal information; (d) the right to opt-out of the sale or sharing of personal information; (e) the right to limit the use and disclosure of sensitive personal information; and (f) the right to non-discrimination for exercising their privacy rights.
• ProFox does not sell personal data: ProFox does not sell, rent, or trade personal data to any third party for monetary or other valuable consideration. ProFox does not share personal data with third parties for cross-context behavioural advertising.
• Categories of personal information collected: Under CCPA disclosure requirements, ProFox collects the following categories of personal information from California residents: identifiers (name, email, phone, IP address); commercial information (subscription and billing records); internet or other electronic network activity information; geolocation data (country and city-level IP-derived data only); audio and electronic data (call recordings); and professional or employment-related information (business name and category).
• Submitting CCPA requests: California residents may submit verified consumer requests by emailing contact@profoxwebdesigner.com with the subject line "CCPA Data Request". ProFox will respond within 45 days, extendable by a further 45 days where reasonably necessary.
• Other US state privacy laws: ProFox monitors the evolving landscape of US state privacy legislation, including the VCDPA, CPA, CTDPA, TDPSA, and other enacted state laws, and will extend equivalent rights to residents of states with enacted comprehensive privacy legislation.

• Australian Privacy Principles (APPs): ProFox handles personal information of Australian individuals in accordance with the 13 Australian Privacy Principles set out in Schedule 1 of the Privacy Act 1988 (Cth). These include obligations around open and transparent management of personal information, anonymity options, collection of solicited personal information, dealing with unsolicited personal information, notification of collection, use or disclosure, direct marketing, cross-border disclosure, quality, security, access, and correction.
• Direct marketing to Australian individuals: ProFox will not use personal information of Australian individuals for direct marketing purposes unless the individual has provided express consent or a soft opt-in applies. All marketing communications to Australian individuals include a functional opt-out mechanism. Opt-out requests will be honoured within 5 business days of receipt.
• Right to access and correction under APPs 12 and 13: Australian individuals may request access to or correction of their personal information by contacting our Data Protection Officer. ProFox will respond to access requests within 30 days.
• Notifiable Data Breaches (NDB) scheme: Where a data breach involving personal information of Australian individuals is likely to result in serious harm, ProFox will notify the OAIC and affected individuals as required under the NDB scheme (Part IIIC, Privacy Act 1988).
• Lodging a complaint with the OAIC: Australian individuals who are not satisfied with ProFox's handling of a privacy complaint may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.