Privacy Policy

This Policy applies to:

• Customers — businesses or organizations subscribing to the Services
• End-Users — individuals who interact with Customers through the Services (e.g., callers, SMS recipients, booking users)
• Website Visitors

This Policy describes:

• When Bitbrains determines the purposes and means of processing Personal Information; and
• When Bitbrains processes Personal Information solely on behalf of a Customer under documented instructions.

• Legal Entity: Bitbrains Inc. (Ontario corporation)
• Head Office: Ottawa, Ontario, Canada
• Privacy Officer: Privacy Officer, Bitbrains Inc.
• Contact Email: studio@bitbrains.ca

Bitbrains acts strictly as a Data Controller for Account Data (e.g., Customer billing and administrative information). Customer is the sole Data Controller of all End-User Data. Bitbrains acts exclusively as a Data Processor (or Service Provider) for End-User Data, processing such data strictly on the documented instructions of the Customer. We limit collection, use, and disclosure of Personal Information to what is reasonably necessary for identified purposes or as otherwise permitted or required by law.

Canadian privacy law does not formally use "controller" and "processor" terminology. For clarity under this Policy and applicable agreements:

Bitbrains is the Data Controller for Account Data. For End-User Personal Data processed through the Services, Customer is the Data Controller and Bitbrains is the Data Processor acting only on documented Customer instructions.

Bitbrains acts exclusively as a Service Provider (Processor) when Customers use the Services to communicate with End-Users (including missed-call recovery SMS, messaging, booking, call routing, and automation workflows). In these cases, Customers determine lawful purposes, obtain required consents (including CASL compliance), define retention periods, and respond to End-User rights requests.

3.1 Bitbrains Acts as Controller When:

This information is defined as Account Data in our MSA. We process Personal Information for our own business purposes, including:

• Customer account registration information
• Business contact details
• Billing and subscription records
• Payment transaction metadata (payment processing handled by PCI-compliant providers; raw card numbers are not stored)
• Support communications
• Vendor and partner records
• Website analytics and system monitoring

Purposes include:

• Providing and managing subscriptions
• Delivering support
• Maintaining billing and accounting records
• Fraud prevention and security
• Service reliability and improvement
• Legal compliance

We do not sell Personal Information.

3.2 Bitbrains Acts as Processor When:

This information is defined as End-User Data in our MSA. Customers use the Services to communicate with End-Users (including missed-call recovery SMS, messaging, booking, call routing, automation workflows).

In these cases:

• Customers determine lawful purposes and legal bases.
• Customers obtain and maintain required consents (including CASL compliance).
• Customers define retention periods.
• Customers respond to End-User rights requests.

Bitbrains processes Customer Data solely under documented Customer instructions and the DPA.

Bitbrains does not independently determine message recipients, communication content, or Customer engagement strategies.

Certain platform features generate automated service insights, maintenance suggestions, follow-up reminders, or feedback prompts that appear within the interfaces used by Customers and their End-Users. These features operate as part of the Services provided to Customers and process Customer Data solely on behalf of Customers to assist them in managing their services, appointments, and communications.

4.1 Controller Data (Business Information)

• Business name
• Contact name
• Email address
• Telephone number
• Billing address
• Subscription details
• Payment transaction metadata
• Support communications
• Website usage analytics

4.2 Customer Data (Processed on Behalf of Customers)

• Telephone numbers and caller ID
• Call metadata (timestamps, duration, status)
• SMS/MMS message content and metadata
• Delivery receipts and carrier response codes
• Opt-out and unsubscribe records
• Booking submissions
• Consent logs
• Audit and system logs
• IP addresses and device metadata associated with interactions
• Voice recordings and audio transcripts (processed via AI voice synthesis features)

Note on Biometric & AI Data: Bitbrains processes voice recordings solely on the documented instructions of the Customer. Bitbrains will not use identifiable End-User Personal Information or voice recordings to train third-party or internal foundational AI models without the Customer's express written consent.

4.3 Automatically Collected Data

• IP address
• Device and browser type
• Operating system
• Referring URLs
• Session identifiers

Cookies are used for session management, security, analytics, and fraud prevention.

4.4 Platform Analytics and De-Identified Information

Bitbrains may generate statistical and analytical information derived from interactions with the Services. Such information is aggregated and de-identified so that it does not identify any individual End-User or Customer.

This information may be used to:

• understand how the Services are used;
• improve platform functionality and reliability;
• develop new features and capabilities;
• analyze industry usage patterns; and
• develop artificial intelligence or machine learning systems used to improve the Services.

4.5 Promotional Materials and Screen Recordings

Bitbrains may occasionally use screenshots or screen recordings of the Services for marketing, instructional, or promotional purposes. In accordance with our commitment to privacy, Bitbrains will strictly de-identify, blur, or populate with dummy data any End-User Data or Personal Information before such visual materials are published. Bitbrains will never expose identifiable End-User Personal Information in public marketing materials.

Certain features of the Services involve automated processing or rule-based workflows configured by Customers.

The platform may generate automated service insights, maintenance suggestions, service recommendations, or feedback prompts displayed within interfaces provided through the Services.

These insights may analyze Customer Data, service requests, vehicle information, booking activity, and aggregated platform usage patterns to improve service delivery and assist Customers in managing their operations.

5.1 Aggregated & De-Identified Data

Bitbrains may generate aggregated or de-identified operational data derived from Customer Data for purposes including platform analytics, system reliability, service improvement, and training machine learning systems used to enhance the Services.

For the purposes of this Policy, "de-identified data" means data from which all direct and indirect identifiers have been removed, and which has been subject to a technical risk assessment (e.g., achieving a k-anonymity threshold or differential privacy standard) demonstrating it cannot reasonably be re-identified. Bitbrains will not use identifiable End-User Personal Information to train foundational AI models. De-identified data may be used by Bitbrains for product improvement subject to this technical test. Bitbrains does not independently contact End-Users or market products or services to End-Users without the authorization of the relevant Customer.

5.2 Aggregated and De-Identified Analytics

Bitbrains may generate aggregated or de-identified statistical information derived from operational use of the Services.

Aggregated data does not identify individual End-Users or Customers and cannot reasonably be used to identify any person or organization.

Bitbrains may use such aggregated information to:

• Analyze platform usage patterns
• Improve the functionality of the Services
• Develop analytics and benchmarking tools
• Publish industry reports or market insights
• Support research or commercial analytics offerings

Aggregated insights may be shared with partners, customers, or third parties provided that no individual Customer, End-User, or personal information can be identified.

5.3 Automated Insights and Recommendations

The Services may generate automated insights, reminders, or recommendations intended to assist Customers and End-Users in managing service interactions.

These automated outputs may be based on operational data, aggregated usage patterns, or information provided through Customer service requests (for example, vehicle type, service history, or booking information).

Automated insights generated by the Services:

• Are informational in nature;
• Are designed to assist Customers and End-Users in managing services; and
• Do not constitute professional advice, safety guarantees, or mandatory service requirements.

The Services do not make automated decisions that produce legal or similarly significant effects for individuals without human oversight by the Customer. Customers remain responsible for determining how such recommendations are used in connection with their services.

Customers are generally the legal "Sender" of Commercial Electronic Messages transmitted through the Services.

Customers are responsible for:

• Obtaining required consent
• Maintaining sender identification
• Honouring unsubscribe requests
• Ensuring compliance with CASL and related laws

Bitbrains provides:

• Automated unsubscribe mechanisms
• Consent and opt-out logging
• Secure audit logs
• Delivery metadata logging

6.1 Carrier Disclosures

Message content is disclosed only where technically necessary for delivery, or for troubleshooting (e.g., investigating carrier block-codes, resolving delivery failures, or identifying fraudulent traffic patterns) as part of the standard provision of the Services, or where required by legal obligation.

Carriers may independently retain logs.

6.2 Metadata Retention

Consent and opt-out logs: retained for up to three (3) years to assist with Customer compliance and legal defense.

Delivery metadata and carrier response codes: retained for up to three (3) years for compliance, audit, and troubleshooting purposes.

Delivery cannot be guaranteed due to carrier filtering policies.

Certain service insights, feedback prompts, or service recommendations may be displayed within the platform interfaces used by Customers and End-Users. These notifications are part of the functionality of the Services and are not independent electronic messages sent by Bitbrains.

Bitbrains engages subprocessors for hosting, infrastructure, telecommunications services, analytics, and payment processing.

A current list of subprocessors, including processing locations and processing purposes, is publicly available at: https://measy.ca/subprocessors

7.1 Subprocessor Governance

Bitbrains will update the subprocessor registry at least fifteen (15) days prior to authorizing any new material subprocessor to process Customer Data. In emergency circumstances where a subprocessor must be immediately replaced to maintain platform security or Service availability, Bitbrains will update the registry and provide notice to Customers as soon as commercially practicable following the change. It is the Customer's responsibility to periodically review the registry for updates.

Personal Information may be processed, hosted, or stored outside of the province of Québec and outside of Canada, primarily in Canada and the United States.

When transferring Personal Information, Bitbrains:

• Remains accountable for Personal Information under its control
• Conducts transfer impact assessments where required by applicable law
• Implements contractual safeguards with subprocessors
• Uses encryption in transit
• Applies encryption at rest for all Personal Information
• Enforces least-privilege access controls

Personal Information is retained only as long as necessary to:

• Provide Services
• Fulfill contractual obligations
• Comply with legal requirements
• Resolve disputes

9.1 Standard Examples (Controller Data)

• Billing records: 7 years
• Account data: duration of subscription

9.2 Data Deletion (Customer Data)

Customer Data is accessible exclusively via the Measy dashboard while a customer maintains an active subscription. Upon termination or expiration of Services, Customer access is revoked. Bitbrains will securely delete End-User Data from production systems within thirty (30) days, except for delivery metadata, consent logs, and audit records, which are retained for up to three (3) years to support Customer compliance and legal defense as described in Section 6.2. Archival backups containing End-User Data will be securely overwritten or destroyed in accordance with our standard backup rotation schedule, not to exceed ninety (90) days from termination, except where retention is required by applicable law, legal hold, or regulatory preservation order.

Data retrieval is strictly self-service via the Measy dashboard. Customer must utilize their access to the self-serve dashboard to view and manually retrieve their records independently. Bitbrains does not provide automated export tools, CSV downloads, specific structured file formats, or human-facilitated data extracts. In accordance with our self-serve operational model and the MSA, Bitbrains will not fulfill requests for discretionary assistance or manual data extraction for regulatory audits under any circumstances.

Bitbrains maintains a comprehensive security program that includes:

• Encryption in transit
• Encryption at rest for all Personal Information and Customer Data
• Role-based access controls
• Multi-factor authentication for administrative access
• Logging and continuous monitoring
• Vendor risk management
• Vulnerability management processes
• Periodic independent security assessments

Where applicable, Bitbrains maintains or is progressing toward industry-recognized security certifications.

Audit rights and security review mechanisms are governed by the DPA.

No system can be guaranteed to be completely secure.

If Bitbrains becomes aware of a confirmed Security Incident involving Customer Data, Bitbrains will:

• Notify the affected Customer in accordance with the timelines and procedures set out in the DPA;
• Provide technical information reasonably necessary for the Customer to assess whether a "real risk of significant harm" exists under applicable law;
• Provide commercially reasonable assistance in investigation and remediation.

Regulatory and individual notification responsibilities are allocated in the DPA.

Bitbrains will not notify regulators or affected individuals regarding Customer Data without Customer authorization, except where required by law.

Bitbrains maintains an incident register as required under applicable law, including Québec Law 25.

12.1 Controller Data

Customers may access, update, or request correction of account information by contacting us.

12.2 Customer Data (Processor Role)

End-Users should direct rights requests to the relevant Customer. Bitbrains does not provide support to End-Users. If Bitbrains receives an inquiry or rights request from an End-User, Bitbrains may, but is not obligated to, provide an automated response directing the End-User to contact the Customer. Bitbrains has no obligation to manually forward, track, or manage End-User communications.

Where Personal Information of Québec residents are processed:

• Transfer impact assessments are conducted where required;
• Confidentiality incidents are recorded in an incident register;
• Cooperation is provided to Customers to support their compliance obligations.

Customers remain responsible for consumer-facing disclosures and French language requirements.

The Services are intended for business use and are not directed to individuals under 18. We do not knowingly collect Personal Information from minors.

This Policy does not apply to third-party websites not operated by Bitbrains.

Bitbrains may modify this Privacy Policy from time to time. If we make material changes to how we process Personal Information, we will provide at least fifteen (15) days' prior notice by emailing the contact on file or posting a prominent notice within the platform. Non-material changes will be effective immediately upon posting.

Continued use of the Services after the effective date of any updates constitutes acknowledgment of the updated Policy, where permitted by law. Customers' rights regarding material changes are governed by the MSA.