Privacy Notice & Global Compliance Framework
This Notice describes how eVamb Technologies Inc. ("eVamb", "we", "us") collects, uses, stores, shares, and protects personal information processed through evamb.com, neekos.evamb.com, connext.evamb.com, connextdoctors.evamb.com, connextrefer.evamb.com, and any product workspace operated under those domains (collectively, the "Service"). It also documents the operational safeguards we apply globally — encryption, access, audit, retention, residency, and voice-recording compliance — and the shared-responsibility model that governs customer obligations and AI limitations.
1 · Who we are
eVamb Technologies Inc. is the data controller for marketing-site visitors and the data processor for customer workspaces. Registered in Toronto, Canada.
- General privacy questions: privacy@evamb.com
- Data subject rights requests (access, deletion, portability, opt-out): privacy@evamb.com
- Security incident reporting: security@evamb.com
- Super-Admin escalation: niket@evamb.com
- EU/UK Representative: available on request via privacy@evamb.com
2 · What we collect
- Account data — name, email, password hash, phone (optional), profile photo if you sign in with a federated provider.
- Usage data — pages visited, features used, anonymised performance metrics. Loaded only after you accept analytics cookies.
- Product data per surface:
  - neekOS Business AI Suite — listing inputs and generated marketplace output; conversation transcripts you ask us to handle.
  - Connext — business profile, posts, follows, direct messages.
  - Connext Doctors — clinic + practitioner profile, referral records, patient consent flags. Patient personally-identifying data is end-to-end encrypted in transit (TLS 1.3) and at rest (AES-256).
  - Connext Refer — résumés you upload, run history, generated documents, job matches.
- Voice / call data — Aria voice agent records calls only with an explicit disclosure played at the start of each call; recordings retained 90 days then deleted.
- Communications — emails you send us, contact-form submissions.
3 · Lawful basis
- Contract — to provide the Service you signed up for.
- Legitimate interest — to keep the Service running, secure, and improving.
- Consent — for analytics cookies, marketing email, voice-call recording, and processing of any special-category data (e.g. Connext Doctors health information).
- Legal obligation — to comply with tax, accounting, anti-fraud, and lawful disclosure requests.
4 · Regulatory matrix (operational safeguards)
We map our controls to the following frameworks. Each regime has dedicated platform safeguards — they are not aspirational, they are how the product runs.
4.1 · TCPA — Telephone Consumer Protection Act (USA)
Applies wherever we or our customers place or receive outbound telephone or SMS traffic to/from the United States.
- Outbound controls. No outbound calls or texts unless the recipient has provided prior express written consent. Consent records are stored per-recipient with timestamp, source, and disclosure text shown.
- Consent workflows. Double opt-in for marketing channels; single opt-in only for transactional. Withdrawal is honoured in under 10 business days (we target 24 hours).
- Time-based restrictions. Outbound calling windows enforced per recipient time zone — no calls before 08:00 or after 21:00 local time, no calls on regulated holidays.
4.2 · GDPR / UK GDPR — General Data Protection Regulation (EU / EEA / UK)
- Privacy governance. Data Processing Agreement (DPA) available for every customer. ROPA (Record of Processing Activities) maintained internally. DPIAs run before any new high-risk processing.
- Retention controls. Per-category retention defaults (see § 6 below). User-initiated deletion honoured within 30 days; full purge from backups within 90.
- Audit logging. All access to personal data is logged with timestamp, actor, action, and reason. Retained 7 years.
- SCCs & supplementary measures. EU 2021/914 Standard Contractual Clauses with transfer-impact assessments for any out-of-EEA processing.
- UK addendum. ICO International Data Transfer Addendum executed for UK personal data.
4.3 · CASL — Canada's Anti-Spam Legislation
- Sender identification. Every commercial electronic message includes our legal name, Toronto address, and a working unsubscribe link.
- Unsubscribe handling. One-click unsubscribe honoured within 10 business days (we target same-day). Suppression list maintained and synced across product surfaces.
4.4 · Law 25 (Quebec) — An Act to modernize legislative provisions as regards the protection of personal information
- Tenant onboarding. Privacy-by-design checklist completed before any Quebec customer is provisioned. Privacy Impact Assessment template provided.
- Consent management. Granular per-purpose consent surfaces; consent must be clear, free, informed, and specific. Withdrawal as easy as granting.
- Right to portability and de-indexing honoured within 30 days.
4.5 · DNC — Do Not Call Registry (USA / Canada)
- Call screening. Every outbound dial is screened against the federal DNC registry (USA: National DNC Registry; Canada: National DNC List) and against any internal suppression list.
- Suppression workflows. Suppression entries propagate within 24 hours across all dialers. Verbal "do not call" requests captured on-call create suppression records automatically.
4.6 · CCPA / CPRA — California Consumer Privacy Act (as amended)
- Right to know, delete, correct, opt-out of "sale/sharing," and limit use of sensitive personal information honoured for California residents.
- Verifiable consumer requests answered within 45 days (90 with extension notice).
- Global Privacy Control (GPC) signal honoured as a valid opt-out automatically.
- "Do Not Sell or Share My Personal Information" link surfaced on every page footer.
4.7 · Other US state laws
Rights described above are extended in substantively similar form to residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Iowa (ICDPA), Montana (MCDPA), Tennessee (TIPA), Indiana (ICDPA), Florida (FDBR), Delaware (DPDPA), New Hampshire (NHPA), New Jersey (NJDPA), Maryland (MODPA), Minnesota (MCDPA), and Rhode Island (RIDTPPA).
4.8 · International equivalents
- Canada — PIPEDA (federal) and provincial private-sector laws.
- Brazil — LGPD (Lei Geral de Proteção de Dados).
- Singapore — PDPA.
- India — DPDP Act (Digital Personal Data Protection Act 2023).
- South Africa — POPIA.
- Japan — APPI.
- South Korea — PIPA.
- China — PIPL (with sectoral data-export approval where required).
- Australia / New Zealand — Privacy Act 1988 / Privacy Act 2020.
- Switzerland — FADP.
Subject rights — access, correction, deletion, portability, restriction, objection — are honoured globally regardless of jurisdiction.
5 · Platform controls
5.1 · Data security
- Encryption at rest. AES-256 on all customer data at the storage layer. Patient-identifying fields (Connext Doctors) are end-to-end encrypted with per-clinic keys.
- Role-based access. Least-privilege engineering access. Production reads/writes require hardware MFA + audit-logged session.
- Time-limited authentication. Session tokens expire after 12 hours of inactivity (8 hours for privileged roles). MFA tokens rotate every 24 hours. Magic-link auth expires in 15 minutes.
5.2 · Voice recording
- Disclosure messages. Every recorded call begins with a clear, language-appropriate disclosure ("This call may be recorded for quality and training. Press 9 at any time to opt out.")
- Opt-out functionality. Mid-call opt-out is captured by DTMF and immediately stops the recording pipeline. The opt-out is preserved as a metadata flag on the call record.
- Metadata maintenance. Call metadata (caller, callee, duration, agent ID, consent flag, language) retained per § 6.3. Audio content retained 90 days then deleted.
5.3 · Audit records
- Event sequencing. Every event in the agent loop — Signal, Ground, Act, Deliver — is timestamped, sequenced, and immutable. Replay-capable for post-incident review.
- Policy evaluations. Every output produced by an agent records which compliance gate(s) it passed and at what threshold.
- Operator activities. Customer-side operator actions (login, role change, data export, deletion) recorded with timestamp, actor, IP, and reason.
6 · Data governance
6.1 · Retention defaults
- Conversation transcripts — 365 days, then deleted.
- Voice audio — 90 days, then deleted (metadata kept per audit-record retention).
- Audit records — 7 years (regulatory minimum for health, financial, and provincial-college obligations).
- Operational records (billing, tax, accounting) — 3 years (extendable to 7 where local law requires).
- Account data — kept while account is active plus 30 days after deletion request.
- Backups — 30-day rolling.
Customer-configured retention overrides are available on Enterprise plans and documented in the workspace's Data Retention Policy artifact.
6.2 · Data residency
Personal data is processed and stored in the regional partition the customer selects at onboarding, with cross-region replication only for disaster recovery to a same-region pair.
- Americas — us-east, ca-central (Toronto), sa-east (São Paulo).
- Europe — eu-west (Dublin), eu-central (Frankfurt), uk-south (London).
- Asia Pacific — ap-south (Mumbai), ap-southeast (Singapore), ap-northeast (Tokyo), ap-southeast-2 (Sydney).
Where regulatory residency is required (Quebec Law 25, India DPDP critical categories, China PIPL, EU GDPR for special-category data), data is pinned to in-region partitions and never replicated outside.
7 · Shared responsibility
7.1 · Customer obligations
eVamb provides compliance-aware infrastructure; the customer remains responsible for:
- Legal advice. Configuration choices and content uploaded by the customer must comply with the customer's own legal obligations. eVamb does not provide legal advice; we provide tools and defaults.
- Platform configuration. The customer is responsible for choosing the correct retention, residency, role assignments, and consent mechanisms for their use case.
- Consent mechanisms. Where the customer is the data controller, the customer is responsible for obtaining and documenting end-user consent before invoking processing.
7.2 · AI limitations
- Output inaccuracies. AI-generated outputs are produced by language models and may contain errors. Customers are responsible for reviewing outputs before relying on them for any business or clinical decision.
- Human review required. Outputs that affect legal status, medical care, employment, or financial position require human review before being acted upon. eVamb's five compliance gates are a guardrail, not a substitute.
8 · Health data (Connext Doctors)
Connext Doctors is operated to PIPEDA · PHIPA · provincial-college standards in Canada and HIPAA-aware standards in the US. We are not a covered entity under HIPAA but operate as a Business Associate where required, with a Business Associate Agreement executed at customer onboarding. Patient records are end-to-end encrypted and accessible only to the originating clinic and the receiving specialist. Audit log retained 7 years.
9 · Children
The Service is not directed at children under 16. We do not knowingly collect data from minors. If you believe a minor has created an account, email privacy@evamb.com and we will delete the account and associated data within 7 days.
10 · Cookies
See the dedicated Cookie Policy. We use essential cookies (to keep you signed in) and, with your consent, functional, analytics, and marketing cookies. We do NOT use advertising cookies or cross-site tracking. The cookie preferences banner re-appears on every page refresh so you can change your choice at any time.
11 · Subject rights — how to exercise them
Email privacy@evamb.com from the email address on file. We respond within 30 days (45 days for CCPA verifiable consumer requests, with one 45-day extension where complexity warrants). For Quebec residents we honour the 30-day Law 25 timeline. Rights honoured globally:
- Access · Correction · Deletion · Portability · Restriction of processing · Objection
- Opt-out of "sale/sharing" (CCPA/CPRA) and behavioural advertising
- Withdrawal of consent (without affecting lawful pre-withdrawal processing)
- Right to lodge a complaint with your supervisory authority
12 · Changes
We notify you of material changes by email (for account holders) and by an in-app banner. The "Effective" date at the top reflects the most recent revision. Historical versions are archived and available on request.
13 · Contact & supervisory authorities
For any privacy, data, or account question: privacy@evamb.com. For Super-Admin escalation: niket@evamb.com. EU/UK Representative details available on request.
You have the right to lodge a complaint with your local supervisory authority — examples include the European Data Protection Board (EU), the Information Commissioner's Office (UK), the Office of the Privacy Commissioner of Canada, the Commission d'accès à l'information (Quebec), the California Privacy Protection Agency, the Information Regulator of South Africa, the Personal Information Protection Commission (Japan and Korea), and equivalents in your jurisdiction.