Privacy Policy.

For purposes of the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"), and analogous statutes in other United States jurisdictions:

Laddr as Business (controller)

With respect to Personal Information of Customer personnel (including account administrators, billing contacts, and authorized users), and with respect to Personal Information collected directly by Laddr from visitors to the Sites, Laddr acts as a Business (controller) and determines the purposes and means of Processing.

Laddr as Service Provider (processor)

With respect to Personal Information of End Users that is submitted to, generated by, or Processed through the Service in the course of a Customer's communications with its End Users, including call audio, call transcripts, chat transcripts, voicemail recordings, SMS message bodies, email content, contact records, lead records, appointment data, and review submissions (collectively, "Customer Data"), Laddr acts as a Service Provider (processor) to the Customer, and the Customer is the Business (controller). Laddr Processes such Personal Information only on the documented instructions of the Customer, subject to the terms of the applicable order form, the Terms of Service, and any executed Data Processing Addendum.

End Users seeking to exercise rights with respect to Personal Information Processed by Laddr on behalf of a Customer should direct their requests to the Customer. Laddr will, on Customer's instruction and to the extent reasonably necessary, assist Customer in responding to verified consumer-rights requests as required by applicable law.

In the preceding twelve (12) months, Laddr has collected the following categories of Personal Information enumerated in California Civil Code Section 1798.140.

Identifiers

Name, postal address, business name, telephone number, email address, IP address, account identifier, device identifier, and online identifier. Collected from the Customer, from End Users, and automatically from the Sites and the Service. Used for account administration, Service delivery, security, and analytics.

Customer records (Cal. Civ. Code § 1798.80(e))

Billing address and payment-method tokenization references. Laddr does not collect full payment-card numbers. Collected from the Customer and from Stripe, Inc. acting as the Customer's payment processor. Used for billing, taxation, and fraud prevention.

Commercial information

Subscription tier, transaction history, and support tickets. Collected from the Customer. Used for Service delivery and billing.

Internet or other electronic network activity

Browsing history within the Service, interaction logs, error reports, telemetry, and cookie identifiers. Collected automatically. Used for product analytics, security, and debugging.

Geolocation data (coarse)

City-level and country-level inference from IP address. Collected automatically. Used for fraud prevention and analytics.

Audio, electronic, visual, or similar information

Call audio recordings of telephone calls handled by LARA on Customer's behalf; voicemail recordings; chat-session transcripts; and SMS message bodies. Collected from the Customer's End Users through the Service at Customer's direction. Used for Service delivery on behalf of Customer.

Professional or employment-related information

Job title and employer of Customer's authorized users. Collected from the Customer. Used for account administration.

Inferences

Lead-quality scoring, intent classification, and routing inferences generated by artificial-intelligence and machine-learning models from the foregoing categories. Derived by the Service and used for Service delivery.

Laddr does not knowingly collect Sensitive Personal Information as defined in California Civil Code Section 1798.140(ae) beyond such information as may be incidentally captured within a recorded call or chat transcript (for example, precise geolocation volunteered by an End User during a service call). Laddr does not use Sensitive Personal Information for purposes other than those permitted by California Civil Code Section 1798.121.

We collect Personal Information from the following sources:

• The Customer, during account creation, configuration, and ongoing administration of the Service.
• Customer's End Users, by way of inbound calls, inbound chats, opt-in forms, voicemail submissions, and replies to outbound SMS and email originated through the Service.
• Our service providers, including telecommunications carriers (call metadata), payment processors (transaction confirmations), and email and SMS deliverability vendors (engagement events).
• Integrated third-party platforms authorized by the Customer, including Google Calendar, Microsoft 365 Calendar, Jobber, Housecall Pro, ServiceTitan, Google Business Profile, Yelp, and Slack.
• Automatically, through cookies, server logs, and similar telemetry deployed on the Sites and within the Service.

We Process Personal Information for the following business and commercial purposes within the meaning of California Civil Code Section 1798.140(e):

• To provide, operate, maintain, and support the Service, including answering inbound calls and chats, transmitting outbound SMS and email at Customer's instruction, generating transcripts, persisting lead and contact records, and synchronizing data with Customer-authorized third-party integrations.
• To authenticate users and administer the security of the Service, including the detection of fraudulent, malicious, deceptive, or illegal activity, the prosecution of those responsible for such activity, and the protection of the Service against the same.
• To bill Customers and to collect payment for the Service, including by transmitting tokenized payment-method references to, and receiving transaction events from, our payment processor.
• To communicate with Customer personnel regarding the Service, including transactional notifications, security alerts, billing communications, support correspondence, product-update announcements, and, where the recipient has not opted out, commercial messages relating to the Service.
• To undertake internal research, analytics, debugging, error correction, performance monitoring, and quality assurance, and to develop, enhance, and improve the Service, provided that, with respect to Customer Data, such Processing is performed solely as a Service Provider to Customer and in accordance with the section titled "Customer Data; no training without opt-in" below.
• To comply with applicable legal obligations, including those relating to taxation, accounting, anti-money-laundering, telecommunications consumer protection, and civil process.
• To establish, exercise, and defend legal claims.
• For such other purposes as are described to the data subject at the time of collection or as the data subject has otherwise consented.

In the preceding twelve (12) months, Laddr has disclosed each category of Personal Information identified above to the following categories of recipients, for the business purposes identified above:

• Affiliates of Laddr, under contractual confidentiality and security obligations no less protective than this Policy.
• Service providers and processors engaged by Laddr to perform functions on its behalf, including the categories of subprocessors enumerated below.
• Third-party integrations authorized by the Customer, including those identified below.
• Professional advisors, including counsel, auditors, accountants, and insurers, under duties of confidentiality.
• Government authorities, courts, and other parties where Laddr in good faith believes that such disclosure is required by applicable law, legal process, or to protect the rights, property, or safety of Laddr, its Customers, End Users, or the public.
• Acquirers in connection with a merger, acquisition, reorganization, divestiture, or sale of all or substantially all of the assets of Laddr, subject to customary confidentiality undertakings and to the requirements of applicable law.

Laddr does not "sell" Personal Information as that term is defined in California Civil Code Section 1798.140(ad). Laddr does not "share" Personal Information for cross-context behavioral advertising as that term is defined in California Civil Code Section 1798.140(ah). Laddr has not engaged in such sale or sharing in the preceding twelve (12) months and has no actual knowledge of selling or sharing the Personal Information of consumers under sixteen (16) years of age.

Laddr engages the following categories of subprocessors to deliver the Service. Each subprocessor is bound by a written agreement that imposes confidentiality, security, and limited-purpose obligations consistent with applicable law. A current list, including the legal name, jurisdiction, and processing purpose of each subprocessor, is maintained on our website and is updated upon material change.

Infrastructure and platform

Vercel Inc. (United States) provides cloud hosting and application runtime, including all Service traffic and logs. Supabase Inc. (United States) provides database, authentication, and object-storage services for Account Data and Customer Data. Inngest Inc. (United States) provides background job execution and durable workflows, including job payloads. Functional Software, Inc. (operating as Sentry) (United States) provides error monitoring and performance telemetry, including stack traces, scrubbed user identifiers, and request metadata.

Voice and messaging

Vapi Inc. (United States) provides voice-AI orchestration and call handling, including call audio, transcripts, and metadata. Twilio Inc. (United States) provides telephony, SMS origination, and number provisioning, including call metadata, SMS content, and assigned phone numbers. Resend, Inc. (United States) provides transactional email delivery, including recipient address, subject, body, and delivery events.

Artificial intelligence

Anthropic, PBC (United States) provides large-language-model inference for reasoning components. Anthropic does not train models on Customer Data submitted through Laddr, and Laddr configures zero-data-retention controls where available. OpenAI, L.L.C. (United States) provides large-language-model inference for structured extraction and embeddings, with training opt-out enabled.

Payments

Stripe, Inc. (United States) provides payment processing, including payment-method tokens, billing address, and transaction history.

Laddr will provide Customers with not less than thirty (30) days' prior notice of the addition of, or replacement of, a subprocessor that materially Processes Customer Data, by updating the subprocessor list and, where Customer has subscribed to such notices, by email. Customer may object to such addition or replacement as set forth in the applicable Data Processing Addendum.

The Service may be configured by Customer to exchange data with third-party platforms, including: Google LLC (Calendar; Business Profile; Search Console; OAuth identity); Microsoft Corporation (Outlook Calendar; Microsoft 365); Jobber (GoFor Industries Inc.); Housecall Pro (Codefied Inc.); ServiceTitan, Inc.; Slack Technologies, LLC; and Yelp Inc. Such exchanges occur pursuant to OAuth credentials or API keys furnished by Customer, are governed by the terms of service and privacy policies of the applicable third party, and are made at Customer's direction. Laddr is not responsible for, and does not assume liability for, the data-handling practices of any such third party.

Notwithstanding any other provision of this Policy, Laddr will not:

• Sell, rent, or release Customer Data to any third party for monetary or other valuable consideration;
• Retain, use, or disclose Customer Data outside of the direct business relationship between Laddr and Customer;
• Retain, use, or disclose Customer Data for any purpose other than the specific purpose of performing the Service set forth in the Terms of Service, including for any "commercial purpose" as defined in CCPA other than performing the Service; or
• Use Customer Data to train, fine-tune, or otherwise improve any artificial-intelligence or machine-learning model owned by Laddr or any third party, except (i) where expressly authorized in writing by Customer through an opt-in mechanism provided in the Service, or (ii) for the limited and de-identified purpose of detecting, repairing, and improving the security, reliability, and quality of the Service in a manner that is consistent with Customer's instructions and applicable law.

Laddr hereby certifies that it understands the foregoing restrictions and will comply with them. (Service Provider Certification, CCPA § 1798.140(ag)(1).)

Where Customer enables LARA or any other call-handling feature of the Service, Customer instructs Laddr to record, transcribe, and persist the audio and transcribed content of telephone calls placed to or received from End Users at the Customer's telephone numbers.

Customer represents and warrants that it has obtained, or will obtain prior to the recording event, all consents required by applicable federal and state wiretap, eavesdropping, and call-recording statutes, including the Federal Wiretap Act, 18 U.S.C. § 2510 et seq., and applicable state laws including California Penal Code §§ 631 and 632, Florida Statutes § 934.03, 720 Illinois Compiled Statutes § 5/14-2, Massachusetts General Laws Chapter 272 § 99, Connecticut General Statutes § 52-570d, Maryland Courts and Judicial Proceedings § 10-402, Pennsylvania Wiretap Act 18 Pa.C.S. § 5701 et seq., Washington Privacy Act, RCW 9.73, and corresponding statutes in any other jurisdiction in which an End User is located.

The Service is configured by default to play a recorded disclosure at the commencement of each inbound call and to honor End User requests to discontinue recording. Customer is responsible for not disabling such disclosure where applicable law requires it.

The Boost outbound-messaging service, and any other feature of the Service that originates SMS or voice traffic to End Users, is provided as a transmission facility on Customer's behalf.

Customer represents and warrants that it has obtained, prior to each transmission, the consent required by the Telephone Consumer Protection Act, 47 U.S.C. § 227, the implementing regulations of the Federal Communications Commission, and the published standards of CTIA and applicable wireless carriers, including prior express written consent for marketing messages sent using an automatic telephone dialing system or an artificial or prerecorded voice.

The Service supports STOP, UNSUBSCRIBE, QUIT, CANCEL, END, and HELP keywords. Customer shall not interfere with or circumvent such functionality.

Outbound email originated through the Service on Customer's behalf shall comply with the CAN-SPAM Act, 15 U.S.C. § 7701 et seq., and the implementing regulations at 16 C.F.R. Part 316, including accurate sender identification, non-deceptive subject lines, a functioning unsubscribe mechanism, and a valid physical postal address. Customer is the "sender" within the meaning of 16 C.F.R. § 316.2(m) with respect to messages originated at its direction and is responsible for compliance.

The Sites and the authenticated Service set first-party cookies, local-storage entries, and similar identifiers strictly necessary for session management, authentication, security, fraud prevention, and load balancing. The Sites also set a limited number of analytics identifiers used to measure aggregate usage.

Laddr does not deploy third-party advertising cookies, cross-site tracking pixels, or cross-context behavioral-advertising identifiers on the Sites or within the authenticated Service. Browser-level "Do Not Track" and Global Privacy Control signals are honored as opt-outs of sale and sharing where applicable.

Personal Information is retained only for as long as is necessary to fulfill the purposes set forth in this Policy or as required or permitted by applicable law. Standard retention windows are as follows:

• Active-account Customer Data: duration of the subscription, plus ninety (90) days following termination, after which Customer Data is purged from production systems.
• Backups containing Customer Data: up to thirty-five (35) days, after which backups are cycled out and Customer Data is unrecoverable.
• Activity and event logs: 180 days.
• Audit-event records: 365 days.
• Widget-impression events: 90 days.
• Notifications: 60 days following read receipt.
• Finished background-job records: 90 days.
• Rate-limit slot records: 24 hours.
• Billing and tax records: seven (7) years from the close of the applicable tax year, in accordance with 26 U.S.C. § 6001 and corresponding state-law requirements.
• Aggregated and de-identified data: indefinite, in a form that does not reasonably permit re-identification.

Laddr maintains an information-security program that includes administrative, technical, and physical safeguards reasonably designed to protect Personal Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Such safeguards include encryption of Personal Information in transit (TLS 1.2 or higher) and at rest (AES-256), least-privilege access controls, multi-factor authentication for privileged access, audit logging, vulnerability scanning, dependency-supply-chain monitoring, network segmentation, and incident-response procedures.

No security control is perfect, and no method of electronic transmission or storage can be guaranteed to be one-hundred-percent secure; Laddr therefore does not warrant absolute security. In the event of a Security Incident (as defined in the applicable Data Processing Addendum) involving Customer Data, Laddr will notify Customer without undue delay and in any event within seventy-two (72) hours of confirmation, and will provide such information and cooperation as Customer reasonably requires to discharge its own notification obligations.

The Service is not directed to, and Laddr does not knowingly collect Personal Information from, children under the age of thirteen (13). If Laddr learns that it has collected Personal Information from a child under thirteen (13) without verifiable parental consent, Laddr will promptly delete such information.

Subject to verification of identity and to the exemptions and limitations set forth in applicable law, a consumer who is a resident of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Delaware, New Jersey, New Hampshire, Maryland, Minnesota, Tennessee, Indiana, Kentucky, or Rhode Island, or of any other United States jurisdiction that affords substantially similar rights, may exercise the following rights with respect to Personal Information for which Laddr acts as a Business or Controller:

• Right to Know and Right of Access. To confirm whether Laddr is Processing Personal Information about the consumer and to obtain a copy of the specific pieces of Personal Information Processed, the categories of sources, the business or commercial purposes of Processing, and the categories of third parties to which Personal Information has been disclosed.
• Right to Delete. To request the deletion of Personal Information about the consumer, subject to the exemptions set forth in California Civil Code Section 1798.105(d) (including completion of the transaction, security and integrity, legal compliance, and exercise or defense of legal claims).
• Right to Correct. To request the correction of inaccurate Personal Information.
• Right to Data Portability. To receive a copy of Personal Information in a portable and, to the extent technically feasible, readily usable format.
• Right to Opt Out of Sale, Sharing, and Targeted Advertising. Although Laddr does not sell or share Personal Information and does not engage in targeted advertising, the consumer may submit such an opt-out election and Laddr will record it.
• Right to Limit Use of Sensitive Personal Information. Pursuant to California Civil Code Section 1798.121, although Laddr does not use Sensitive Personal Information for purposes other than those permitted without such limitation.
• Right to Non-Discrimination. Laddr will not discriminate against a consumer for the exercise of any of the foregoing rights.
• Right to Appeal. In Virginia, Colorado, Connecticut, and other states that so provide, if Laddr declines a request, the consumer may appeal by replying to the determination email within sixty (60) days.

Submitting a request

A consumer may submit a verifiable consumer request by emailing privacy@useladdr.com or by writing to the postal address set forth below. An authorized agent may submit a request on a consumer's behalf upon presentation of (i) a written authorization signed by the consumer, or (ii) a power of attorney granted pursuant to California Probate Code Sections 4000-4465. Laddr will respond to verifiable requests within forty-five (45) days, subject to an additional forty-five-day extension where reasonably necessary and disclosed to the requester.

End Users

Where the Personal Information is Processed by Laddr as a Service Provider to a Customer, Laddr will, upon receipt of an End User request, direct the End User to the relevant Customer and will reasonably assist the Customer in responding.

A California resident may request information regarding Laddr's disclosure of Personal Information to third parties for those third parties' direct marketing purposes. Laddr does not disclose Personal Information to third parties for such purposes.

Laddr is established in the United States and the Service is operated from the United States. Laddr does not target the Service to residents of the European Economic Area, the United Kingdom, or Switzerland and does not undertake to comply with the General Data Protection Regulation. Personal Information submitted to the Service is processed and stored in the United States. Persons who do not consent to such processing should not use the Service.

Laddr may amend this Policy from time to time. Material changes will be announced not less than thirty (30) days in advance by email to Customer's notice address and by in-application banner. The "Last Updated" date at the head of this Policy reflects the date of the most recent revision. Continued use of the Service following the effective date of any amendment constitutes acceptance of the amended Policy.

Privacy inquiries and consumer-rights requests: privacy@useladdr.com

Legal notices: legal@useladdr.com

Postal address: LADDR, LLC, Attn: Privacy Officer, 14747 N Northsight Blvd., Suite 111-467, Scottsdale, AZ 85260, United States

Statutory agent (Arizona service of process): Mark D. Svejda, 14747 N Northsight Blvd., Suite 111-467, Scottsdale, AZ 85260