Privacy Policy

1. Who We Are

AYBIZA LLC is a Wyoming limited liability company. We provide the AYBIZA platform — an AI-native business platform with three integrated capabilities: Agents (AI Business Agents), Parties (Business Platform for CRM, sales, support, projects, HR, and finance), and Bridges (internal team workspace for agent chat and MCP tool connections) — to businesses worldwide. References to "AYBIZA," "we," "us," or "our" in this policy refer to AYBIZA LLC.

Privacy inquiries: [email protected]

2. Controller and Processor Roles

AYBIZA acts in two legally distinct roles:

• Data Controller: AYBIZA is the controller for data we collect about our business customers — account registration data, business verification (KYB) data, billing records, and platform usage analytics. We determine the purpose and means of processing this data.
• Data Processor: When you deploy AI agents through Agents to interact with your end-customers, or when you store contact and business records in Parties, AYBIZA processes conversation data, contact records, CRM data, and related personal data exclusively on your documented instructions. You are the controller of your end-customers' data. Our Data Processing Agreement (DPA), available at aybiza.com/dpa and incorporated into our Terms of Service, governs this processing relationship.

3. Information AYBIZA Collects

3.1 Account and Registration Data

When you create an account, AYBIZA collects your name, work email address, job title, company name, and authentication credentials. If you register via a third-party identity provider (Google, GitHub, or Microsoft), we receive the profile information you authorize that provider to share. A work email address from a verified business domain is required. Consumer email addresses (Gmail, Yahoo, Outlook personal, and similar) are not accepted.

3.2 Business Verification Data (KYB)

To activate production access, we collect your legal business name, EIN or equivalent tax identification number, registered business address, authorized representative details (full name, title, direct phone number), declared use cases, estimated usage volumes, and geographic markets served. This data is required for telecommunications carrier registration (STIR/SHAKEN, A2P 10DLC), fraud prevention, and regulatory compliance.

3.3 Legal Acceptance Records

When you accept our Terms of Service, this Privacy Policy, the DPA, or any other legal agreement, we record the agreement version accepted, timestamp, and IP address of the accepting device. These records are retained to demonstrate regulatory compliance.

3.4 Platform Usage Data

We automatically collect information about your use of the AYBIZA platform (Agents, Parties, and Bridges), including feature usage, API call volumes, credit consumption, session activity, IP addresses, browser type, device information, and system performance metrics. On the marketing website, we collect only the request metadata and abuse-prevention signals needed to keep the site secure and available. This data is used to deliver, secure, and operate the relevant service.

3.5 Customer Interaction Data (Processed on Your Behalf)

When your AI agents conduct conversations through Agents, AYBIZA stores conversation transcripts, voice recordings (when enabled by you), contact metadata, and interaction outcomes. When you use Parties, AYBIZA stores CRM records, deal data, support tickets, project information, and other business records you enter. When you use Bridges, AYBIZA stores internal chat messages and workspace activity. This data belongs to you. AYBIZA processes it only to deliver the contracted service. AYBIZA does not use your customer interaction data or business records to train AI models or for any secondary purpose without your explicit written consent.

3.6 Voice and Speech Data

When you enable voice capabilities through Agents, audio data is processed by our speech-to-text (STT) and text-to-speech (TTS) sub-processors to enable real-time agent conversations. Audio may be temporarily buffered in memory during processing and is not retained by sub-processors beyond the duration of the request unless you have enabled call recording, in which case recordings are stored in accordance with your configured retention settings.

3.7 Support and Communications

If you contact our support team or submit a public website contact or demo request, we retain records of those communications to respond to you, prevent abuse, and improve our service operations. We do not use those submissions for model training or model improvement by default.

3.8 Cookies and Tracking Technologies

AYBIZA uses cookies and similar technologies as follows:

• Essential cookies (always active): The AYBIZA marketing website (aybiza.com) uses only the cookies and browser storage required for core site functionality, CSRF protection, LiveView operation, and security controls.
• No analytics or advertising cookies: AYBIZA does not use analytics cookies, advertising cookies, cross-site tracking pixels, or third-party behavioral advertising technologies on the marketing website.
• Human verification: Public forms may use Cloudflare Turnstile or similar abuse-prevention services. Those services may process browser and device signals to distinguish human traffic from automated abuse. They are used for security, not advertising.

You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent the platform from functioning correctly.

4. How We Use Information

• To create and manage your account and organization workspace
• To verify your business identity and activate production platform access
• To deliver AYBIZA platform services (Agents, Parties, and Bridges) under our agreement
• To process billing, credit allocation, and subscription management
• To send service communications: account alerts, usage notifications, security updates, and material policy changes
• To provide customer and technical support
• To respond to public website contact and demo requests
• To detect and prevent fraud, abuse, and unauthorized access
• To comply with legal obligations, including telecommunications regulations (TCPA, FCC rules, STIR/SHAKEN), carrier registration requirements, and sanctions screening (OFAC)
• To improve platform performance and develop new features, using aggregated and non-identifying analytics only

AYBIZA does not use personal data for automated decision-making or profiling that produces legal effects concerning you.

5. Legal Basis for Processing (GDPR)

For customers and data subjects whose data is subject to the EU General Data Protection Regulation or UK GDPR, AYBIZA relies on the following lawful bases:

• Contract performance (Article 6(1)(b)): Processing account data, KYB data, and billing information is necessary to provide the services you have contracted for.
• Legal obligation (Article 6(1)(c)): Processing required for compliance with telecommunications law, carrier registration, sanctions screening, and applicable financial regulations.
• Legitimate interests (Article 6(1)(f)): Platform security monitoring, fraud prevention, and aggregated product analytics, where these interests are not overridden by your fundamental rights. You may object to processing based on legitimate interests at any time (see Section 9).
• Processor relationship: Customer interaction data processed on your behalf is governed by the DPA. You as controller are responsible for establishing the lawful basis for processing your end-customers' personal data.

AYBIZA does not rely on consent as a legal basis for processing business customer data. Where consent is required (for example, for optional analytics cookies), it is obtained separately and can be withdrawn at any time.

6. Sub-Processors and Data Sharing

AYBIZA does not sell personal data. AYBIZA does not share personal data for cross-context behavioral advertising. We engage the following categories of sub-processors to deliver our services:

6.1 Infrastructure

• Amazon Web Services, Inc. (AWS) — Cloud infrastructure, relational databases (PostgreSQL), object storage, caching (Redis), and transactional email (SES). Primary region: us-east-1 (Northern Virginia, USA).
• Fly.io, Inc. — Marketing website hosting (aybiza.com only). Public website traffic, public contact submissions, and demo qualification forms may be processed on Fly.io infrastructure. Production platform workloads do not run on Fly.io.

6.2 Payments

• Payment Processors — Payment processing and subscription billing are handled by PCI DSS certified third-party processors. AYBIZA does not store raw payment card data. Current processor: Stripe, Inc.

6.3 Communications

• Twilio Inc. — Voice call routing, SMS delivery, and telephony infrastructure for agent communications.
• Additional licensed telephony providers — Voice routing and PSTN connectivity. A full list of current telephony sub-processors is available on request at [email protected].

6.4 AI and Language Models

• OpenAI, L.L.C. — Large language model processing for agent conversations and text generation.
• Anthropic, PBC — Large language model processing for agent conversations and text generation.
• Google LLC (Gemini) — Large language model processing for agent conversations and text generation.
• Groq, Inc. — Large language model inference for agent conversations.
• Amazon Web Services, Inc. (AWS Bedrock) — Large language model processing via managed model hosting.

All platform-managed LLM providers process data under data processing agreements with AYBIZA. AYBIZA's agreements with these providers prohibit the use of customer data for model training.

BYOK (Bring Your Own Keys): When you supply your own API keys for third-party LLM providers, data flows directly to your chosen provider under your separate agreement with them. Those providers are not AYBIZA sub-processors in that configuration. You are the controller of that processing relationship and are responsible for ensuring your provider's data practices comply with applicable law.

6.5 Speech and Voice Processing

• Deepgram, Inc. — Speech-to-text (STT) and text-to-speech (TTS) processing for voice agent conversations.
• AssemblyAI, Inc. — Speech-to-text (STT) processing for voice agent conversations.
• ElevenLabs, Inc. — Text-to-speech (TTS) voice synthesis for agent conversations.
• Cartesia AI, Inc. — Text-to-speech (TTS) voice synthesis for agent conversations.
• Fixie AI, Inc. (Ultravox) — Speech-to-speech (S2S) real-time voice processing for agent conversations.

6.6 Browser and Meeting Processing

• Steel Inc. — Browser automation infrastructure for web-based agent tasks. Processes web page content accessed by agents on behalf of customers.
• Recall.ai, Inc. — Meeting transcription and analysis processing. Processes meeting audio and video content for agent-assisted meeting workflows.

6.7 Creative and Video Processing

• Black Forest Labs (Flux) — Image generation for creative agent workflows.
• HeyGen, Inc. — AI avatar and video generation for agent-created video content.
• Tavus, Inc. — Personalized AI video generation for agent-created video content.
• Runway ML, Inc. — Video generation for creative agent workflows.
• Ideogram, Inc. — Image generation for creative agent workflows.

6.8 Legal and Regulatory Disclosure

AYBIZA may disclose information where required by applicable law, valid court order, or regulatory authority demand, or where necessary to protect the rights, property, or safety of AYBIZA, its customers, or the public. Where legally permitted, AYBIZA will notify you before disclosing your data in response to legal process.

6.9 Business Transfers

If AYBIZA is involved in a merger, acquisition, or sale of all or a portion of its assets, personal data may be transferred as part of the transaction. We will notify you via email and a prominent notice on our website of any change in ownership or uses of your personal data, as well as any choices you may have regarding your data.

7. International Data Transfers

AYBIZA's primary infrastructure is located in the United States (AWS us-east-1, Northern Virginia). If you are based in the European Economic Area (EEA), United Kingdom, or another jurisdiction with restrictions on international data transfers, your data is transferred to the US under the following safeguards:

• EEA transfers: Governed by Standard Contractual Clauses (SCCs), Module 2 (Controller to Processor), as adopted by the European Commission (Commission Implementing Decision 2021/914), incorporated into our DPA at aybiza.com/dpa.
• UK transfers: Governed by the UK International Data Transfer Addendum (UK IDTA) to the EU SCCs, as issued by the UK Information Commissioner's Office, also incorporated into our DPA.
• Supplementary measures: In addition to the SCCs and UK IDTA, AYBIZA implements supplementary technical measures including encryption in transit (TLS 1.3) and at rest (AES-256), pseudonymization where feasible, and access controls limiting data access to authorized personnel only.

AYBIZA conducts transfer impact assessments for international data transfers and will suspend transfers if the safeguards described above can no longer be maintained.

8. Data Retention

AYBIZA retains personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law:

• Account data: Retained for the duration of your active subscription plus 30 days after account closure to allow data export, then permanently deleted.
• KYB and compliance records: Retained for 7 years from account closure to satisfy telecommunications regulatory retention obligations.
• Legal acceptance records: Retained for 7 years as evidence of contractual agreement and regulatory compliance.
• Customer interaction data (conversation transcripts, CRM records): Retention period is configurable by you within your account settings. Default: duration of service. You may reduce retention periods at any time.
• Call recordings: Retention period is configurable by you within your account settings. You control whether recordings are enabled and for how long they are stored.
• Billing records: Retained for 7 years as required by applicable tax and financial regulations.
• Platform logs and audit trails: Retained for 90 days (operational logs) to 12 months (security audit logs).
• Support communications: Retained for 3 years from last contact.
• Support-access audit records: When you request erasure, AYBIZA deletes the content of your account including support-channel messages. For security and regulatory reasons, AYBIZA retains an immutable record of who inside AYBIZA accessed your data, what they accessed, and when, for 7 years. The record contains access metadata only — never the content that was accessed.

When retention periods expire, data is permanently deleted or irreversibly anonymized. Deletion is performed using secure methods appropriate to the storage medium.

9. Your Rights

To exercise any of the rights below, contact [email protected]. We will verify your identity before processing your request. We respond within 30 days (extendable by 60 days for complex requests, with notification) and will not charge a fee for reasonable requests.

9.1 Rights Under GDPR (EEA and UK Residents)

• Access (Article 15): Request a copy of the personal data AYBIZA holds about you as controller, including information about the purposes of processing, categories of data, recipients, and retention periods.
• Rectification (Article 16): Request correction of inaccurate or incomplete personal data.
• Erasure (Article 17): Request deletion of your personal data, subject to our legal retention obligations.
• Portability (Article 20): Request your data in a structured, commonly used, machine-readable format (JSON or CSV).
• Restriction (Article 18): Request that we restrict processing of your data in certain circumstances.
• Objection (Article 21): Object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
• Withdraw consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing performed before withdrawal.
• Complaint: You have the right to lodge a complaint with your national data protection authority. EEA residents may also contact our EU Representative (Section 12). UK residents may contact the Information Commissioner's Office (ICO) at ico.org.uk or our UK Representative (Section 13).

9.2 Rights Under CCPA/CPRA (California Residents)

If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) provides you with the following rights:

• Right to know: You have the right to know what personal information AYBIZA collects, the sources of that information, the business purposes for collection, the categories of third parties with whom we share information, and the specific pieces of personal information we hold about you.
• Right to delete: You have the right to request deletion of your personal information, subject to certain exceptions (legal obligations, completing transactions, security, etc.).
• Right to correct: You have the right to request correction of inaccurate personal information.
• Right to opt out of sale/sharing: AYBIZA does not sell personal information and does not share personal information for cross-context behavioral advertising. There is no need to opt out, but you may submit such a request for the record.
• Right to non-discrimination: AYBIZA will not discriminate against you for exercising any of your CCPA/CPRA rights.
• Right to limit use of sensitive personal information: AYBIZA does not use sensitive personal information for purposes beyond those permitted under CCPA/CPRA.

To submit a California privacy request, contact [email protected] with the subject line "California Privacy Request." You may also designate an authorized agent to submit requests on your behalf, provided the agent presents written authorization and we can verify your identity.

9.3 Categories of Personal Information (CCPA Disclosure)

In the preceding 12 months, AYBIZA has collected the following categories of personal information as defined by the CCPA:

• Identifiers: Name, email address, phone number, IP address, account ID.
• Commercial information: Subscription plans, billing history, credit usage, purchase records.
• Internet/electronic activity: Platform usage data, session activity, feature usage, API call volumes.
• Professional/employment information: Job title, company name, business address.
• Geolocation: IP-derived approximate location (country/region level only).

AYBIZA has not sold personal information in the preceding 12 months and does not have actual knowledge that it sells the personal information of consumers under 16 years of age.

9.4 End-Customer Data

These rights apply to data for which AYBIZA is the controller. For requests from your end-customers about data that AYBIZA processes on your behalf as processor, those requests should be directed to you as their data controller. AYBIZA will assist you in fulfilling valid data subject requests as required by our DPA.

10. Do Not Track

AYBIZA does not track users across third-party websites or services. The AYBIZA platform does not respond to Do Not Track (DNT) browser signals because we do not engage in the type of cross-site tracking that DNT is designed to prevent.

11. Security

AYBIZA implements technical and organizational security measures appropriate to the nature and risk of processing, including:

• TLS 1.3 encryption for all data in transit
• AES-256 encryption for all data at rest
• Organization-level data isolation enforced at the database layer
• Role-based access controls with least-privilege principles
• Mandatory multi-factor authentication for administrative access
• Immutable audit logging of all administrative actions and data access events
• VPC isolation with private subnets for databases
• Regular dependency auditing and static code security analysis
• Periodic security assessments
• Documented incident response procedures

AYBIZA's infrastructure is designed to support SOC 2 and HIPAA requirements on qualifying configurations. Full security details are available at aybiza.com/security. To report a security vulnerability, contact [email protected].

12. EU and UK Data Protection Contact

EU Representative (Article 27 GDPR): Pursuant to Article 27 of the GDPR, AYBIZA LLC has designated Ian Pablo Britto as its representative in the European Union. EU data subjects and supervisory authorities may contact the EU Representative directly at [email protected] regarding AYBIZA's data processing activities.

UK Contact: For data protection inquiries from the United Kingdom, contact us at [email protected].

13. Children

AYBIZA services are designed exclusively for businesses and professionals. Account registration requires verified business information. AYBIZA does not knowingly collect personal data from individuals under the age of 18. If we become aware that we have inadvertently collected personal data from a person under 18, we will promptly delete such data.

14. Changes to This Policy

AYBIZA may update this Privacy Policy periodically. We will notify you of material changes by email to your registered work address at least 30 days before the change takes effect. Non-material changes (formatting, clarifications) may be made without advance notice. The current version is always available at aybiza.com/privacy. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of AYBIZA services after the effective date of a material change constitutes acceptance of the updated policy. If you do not agree to the updated policy, you may terminate your account before the effective date.

15. Contact

Privacy inquiries: [email protected]
Security inquiries: [email protected]
General inquiries: [email protected]
AYBIZA LLC
32222 Tamina Rd Ste A5-11, The Woodlands, TX 77354
Registered Agent: Registered Agents Inc, 30 N Gould St Ste R, Sheridan, WY 82801