SmartAlex AI Usage Policy

Version 1.1 · Effective June 1, 2026 · THERCSGROUP PTE. LTD. (trading as SmartAlex, Singapore Reg. No. 202543608D)

1. Purpose and scope

This AI Usage Policy ("Policy") explains how THERCSGROUP PTE. LTD. (UEN 202543608D), trading as SmartAlex ("SmartAlex", "we", "us" or "our"), uses artificial intelligence in the Services, and what a Customer must do when it configures and operates AI workflows on the Platform. Our registered office is 160 Robinson Road, #14-04 Singapore Business Federation Center, Singapore 068914.

This Policy supplements, and forms part of, our Terms of Service, Acceptable Use Policy, Privacy Policy, Telephony and Call Recording Notice, Data Processing Addendum and Subprocessor List. To the extent of any conflict between this Policy and the Terms of Service, the Terms of Service prevail, except that this Policy prevails over the Terms of Service on any matter specific to the use of artificial intelligence that this Policy expressly addresses.

This Policy applies to every Customer, to every End User who interacts with an AI feature of the Services, and to all use of the AI capabilities described below, irrespective of the jurisdiction in which the Customer or its End Users are located. It is drafted to meet the requirements of the data-protection and AI laws of Singapore, the European Economic Area, the United Kingdom, the United States and South Africa, and is governed by the laws of Singapore.

2. Definitions

Capitalised terms used but not defined in this Policy have the meaning given to them in the Terms of Service and the Data Processing Addendum. In this Policy:

• AI Feature means any capability of the Services that relies on machine-learning models, including voice agents, chat agents, transcription, summarisation, contact enrichment, content generation, and analytics.
• AI Output means any text, audio, transcript, summary, classification, score, or other content produced by an AI Feature.
• Customer means the business that contracts for the Services and configures the AI Features.
• Customer Data means data the Customer or its End Users provide or that is generated through the Customer's use of the Services, including call audio, transcripts, contacts, messages, prompts, and knowledge bases.
• End User means an individual whom the Customer interacts with through the Services, such as a call recipient or a person who speaks with a voice agent.
• Foundation Model means a general-purpose, third-party machine-learning model that we access through our speech and language AI providers and do not ourselves train.
• Hallucination means an AI Output that is factually wrong, internally inconsistent, fabricated, or unsupported by the inputs provided to the model.
• Special-category Personal Data means the categories of personal data treated as sensitive under Article 9 of the GDPR and equivalent laws, including biometric data used to identify a person, data revealing health, and data revealing racial or ethnic origin.
• Voice Print means a set of measurable characteristics of a person's voice that can be used to recognise or authenticate that person, and which constitutes biometric data.

3. How the AI in the Services works

The Services offer, among other features, the following AI-driven capabilities:

1. AI voice agents that place and receive telephone calls on behalf of a Customer, using a combination of speech-to-text transcription, large language model reasoning, and text-to-speech synthesis.
2. Conversational chatbot agents embedded on websites or in messaging surfaces.
3. AI-assisted analysis tools for call transcripts, contact enrichment, sentiment and outcome classification, and operational reporting.
4. AI-assisted content generation for prompts, scripts, summaries, and templates used by Customer administrators.

A live voice call follows a real-time pipeline. The End User's speech is captured by our real-time voice infrastructure provider and transcribed to text by a speech-to-text model. The transcript, together with the agent's instructions and the Customer's knowledge base, is processed by a large language model, which decides what the agent should say next and whether to call a tool (such as booking an appointment or transferring the call). The model's response is converted back into audio by a text-to-speech model and played to the End User. The same Foundation Models are also used, outside live calls, to summarise transcripts, enrich contact records, and generate draft content for Customer administrators.

These capabilities are delivered through our speech and language AI providers (speech-to-text, text-to-speech, and large language model inference) and our real-time voice infrastructure provider. The AI and voice-infrastructure providers underlying these capabilities, the personal-data categories each receives, and the transfer safeguards that apply are set out in full in our Subprocessor List, which is the authoritative source. We will give a Customer prior notice of any change to those providers in the manner set out in the Data Processing Addendum, and the Customer may object to a new subprocessor as provided there.

We do not train our own Foundation Models. The general-purpose models that power the AI Features are operated by our speech and language AI providers under contractual terms that we have negotiated to protect Customer Data, including, where offered, zero data-retention and no-training configurations.

4. Roles and responsibilities

SmartAlex provides the AI infrastructure; the Customer decides how to use it. The allocation of responsibility for the AI Features is as follows.

5. Use of Customer Data with AI

5.1 No training on general-purpose models

Customer Data passed to our AI providers in the course of operating the Services is not used to train, retrain, fine-tune, or otherwise improve any provider's public or general-purpose models. Where a provider offers contractual terms preventing such use (for example, a zero data-retention configuration, or enterprise business terms that exclude training on submitted data), we contract on those terms. The specific safeguards for each provider are recorded in our Subprocessor List and Data Processing Addendum. We do not sell Customer Data, and we do not use the content of a Customer's calls, transcripts or contacts to train models that benefit other Customers.

5.2 Use of Customer Data to operate and improve the Services

We process Customer Data through the AI Features only to deliver the Services the Customer has configured. Separately, as an independent controller of service-operations data, we may use aggregated and de-identified information about how the AI Features perform (for example, latency, error rates, transfer rates, and the frequency of fallback behaviours) to monitor, secure and improve the Platform. Such operational analytics do not reconstruct the content of a particular End User's call and are not used to train Foundation Models.

5.3 Customer-elected fine-tuning and custom voices

A Customer may choose to fine-tune a Customer-specific model on its own data, for example by training a custom synthetic voice from samples the Customer provides. Any such fine-tuning is performed only on the Customer's instructions, using Customer-controlled data, and the resulting model artefacts are scoped to that Customer's tenant and are not made available to other Customers. Fine-tuning is not enabled by default and must be configured by the Customer. Where a Customer trains a synthetic voice on, or otherwise clones, the voice of an identifiable natural person, the requirements in the Voice cloning and synthetic voice section below apply in full.

5.4 Logging, retention and deletion

AI request and response payloads are retained only for as long as necessary to deliver the Services, troubleshoot specific issues, and meet the Customer's configured retention policy for the underlying call or conversation. After that period, payloads are deleted on the schedule set out in our Data Processing Addendum. The retention of the source records that feed the AI Features is summarised below; the authoritative periods and criteria are in the Data Processing Addendum and the Privacy Policy.

6. Transparency to data subjects

Where an AI agent (voice or chat) interacts with a natural person, the AI nature of the agent is disclosed to that person as follows:

1. where required by applicable law, including the EU AI Act Article 50 transparency obligation for AI systems that interact directly with natural persons, the California "BOT" disclosure law (California Business and Professions Code section 17941), and similar transparency statutes in other jurisdictions;
2. by default in the standard agent configuration we provide; and
3. whenever the data subject asks whether they are speaking with a human or an AI, in which case the agent will answer truthfully and without qualification.

The synthetic voice produced by a voice agent is artificially generated. Where Article 50(2) of the EU AI Act applies to that output, the artificial nature of the audio is disclosed in line with the transparency described above. The AI disclosure is enabled and configured by the Customer in its tenant settings, and the Customer must permit it; we provide default disclosure language designed to meet the strictest applicable transparency standard. A Customer must not disable, suppress, or weaken the disclosure below that standard, and a Customer that does so acts in breach of this Policy and of the applicable law for which it, as deployer, is responsible.

Transparency about call recording is addressed separately. Where the Services record or transcribe a call, the consents and notices required for that recording are the Customer's responsibility and are described in our Telephony and Call Recording Notice.

7. Voice cloning and synthetic voice

Several capabilities of the Services involve synthetic and cloned voices. The following requirements apply whenever a Customer clones, replicates, or imitates the voice of an identifiable natural person:

1. the Customer must obtain and retain documented, informed, and explicit consent from that person before the voice is cloned or used, and must be able to produce evidence of that consent on request;
2. a Voice Print used to identify or authenticate a person is biometric data and, under Article 9 of the GDPR and equivalent laws (including sections 26 and 27 of South Africa's POPIA), is Special-category Personal Data that requires an Article 9(2) lawful basis, which will ordinarily be the data subject's explicit consent;
3. the Customer, as controller of the underlying personal data, is responsible for establishing that lawful basis, for giving the required notices, and for honouring any withdrawal of consent, including by ceasing use of the cloned voice and instructing us to delete the related artefacts; and
4. the Customer must not clone or imitate the voice of a public figure, a celebrity, or any other person for the purpose of deception, fraud, or misrepresentation of identity.

We process voice and biometric data only on the Customer's documented instructions and as described in our Data Processing Addendum. We do not create Voice Prints for our own purposes, we do not use a Customer's cloned voice for any other Customer, and we apply technical controls to keep custom-voice artefacts scoped to the Customer's tenant.

8. Prohibited use cases

A Customer must not use the AI capabilities of the Services for any of the following:

1. practices prohibited by Article 5 of the EU AI Act, including subliminal or purposefully manipulative techniques, exploitation of the vulnerabilities of a person or group, social scoring by public authorities, real-time remote biometric identification in publicly accessible spaces save where lawfully permitted, and untargeted scraping of facial images to build facial-recognition databases;
2. imitation or impersonation of a specific identifiable natural person without that person's documented consent, including any voice clone created without consent;
3. creation of Voice Prints without a lawful basis, as set out in the Voice cloning and synthetic voice section above;
4. unsolicited automated calls or messages that breach the United States Telephone Consumer Protection Act (including the requirement for prior express written consent for AI or prerecorded marketing calls), the United Kingdom Privacy and Electronic Communications Regulations, the EU ePrivacy rules, or any equivalent law, or that ignore do-not-call registries or internal opt-outs (see also our Telephony and Call Recording Notice);
5. decisions producing legal or similarly significant effects for a data subject (for example, automated denial of credit, employment, housing, or insurance) without meaningful human oversight, unless the lawful basis required by GDPR Article 22 or its local equivalent is in place;
6. generation, with the help of an AI Feature, of content that is unlawful, defamatory, harassing, hateful, sexually exploitative of minors, or that infringes the intellectual-property or other rights of a third party; and
7. any use that would cause us to breach the contractual terms or acceptable-use policies of our AI providers, the relevant terms of which we will make available to the Customer on request.

Using the AI capabilities for any of these purposes is a material breach of our Terms of Service and Acceptable Use Policy, and may result in suspension of the affected AI Feature or of the account.

9. High-risk use cases under the EU AI Act

The Platform is general-purpose voice and conversational AI infrastructure and is not, by default, a "high-risk AI system" under Annex III of the EU AI Act. However, a Customer's use case may bring the Customer's deployment within Annex III scope, for example in recruitment screening, credit assessment, education access, essential public and private services, law enforcement, migration and border control, or the administration of justice.

A Customer deploying the Services in any high-risk use case under Annex III must, before deployment:

1. consult its own legal counsel and satisfy itself that the deployment is lawful;
2. implement the obligations that the EU AI Act imposes on the deployer of a high-risk system, including human oversight, monitoring of operation, retention of logs, a fundamental-rights impact assessment where required of public bodies and certain private deployers, and registration in the EU database where required; and
3. inform us through its account contact so that we can support reasonable compliance-evidence requirements and provide the information about the AI Features that the deployer needs to meet its own obligations.

We will, on reasonable request and subject to confidentiality, provide a Customer with the technical information about the AI Features that the Customer reasonably needs to complete a data-protection impact assessment or a fundamental-rights impact assessment. Our own assessment of the Platform's AI processing is summarised in our published data-protection impact assessment.

10. Human oversight

AI agents operate under Customer-configured human oversight defaults:

1. a live human transfer is available on voice agent calls where the Customer has enabled it. A data subject may at any time ask to be transferred to a human, and the request will be honoured where the Customer has staffed live transfer;
2. where a decision could produce legal or similarly significant effects, the Customer is responsible for configuring human review; SmartAlex does not make such decisions on a solely automated basis, and the Customer may not override this default for an in-scope decision. A data subject affected by such a decision may, through the Customer (who acts as controller), request human intervention, express their point of view, and contest the outcome; and
3. the Customer's tenant administrator can audit AI decisions through the SmartAlex Audit Log, which records the agent configuration in force, the tools the agent invoked, and the outcome of each interaction, to support after-the-fact review.

SmartAlex does not make solely automated decisions producing legal or similarly significant effects on End Users. AI is used for call handling, routing, transcription, qualification, and analytics under Customer control, and the Customer is responsible for any decision it takes on the basis of those outputs. The Customer must ensure that any person exercising human oversight has the authority, competence, and information needed to override or disregard an AI Output where appropriate.

11. Hallucination, accuracy, and limitations

Foundation Models can produce Hallucinations. We provide agents grounded in Customer-supplied knowledge, prompts, and tools to reduce Hallucinations, and we apply default guardrails, but we do not warrant that AI Outputs are free of error, complete, or fit for any particular purpose. Speech-to-text transcription may also contain errors, particularly with strong accents, background noise, overlapping speakers, or specialised terminology, and synthesised speech may mispronounce names or numbers. A Customer must:

1. test agent flows before deployment and on any material configuration change;
2. provide accurate, up-to-date knowledge sources to the agent and keep them current;
3. not rely on a transcript or summary as a verbatim or legally authoritative record without human verification; and
4. not use AI agents to provide regulated professional advice (medical, legal, financial, or similar) unless the Customer has the appropriate professional standing and human review in place.

AI Outputs from the Services are not professional advice. Where a data subject is using an AI agent and an answer would matter (medically, legally, or financially), the data subject should verify the answer with a qualified human professional. The Services are not designed or intended for use in circumstances where the failure or inaccuracy of an AI Output could lead to death, personal injury, or severe environmental or property damage, and must not be relied on to contact emergency services. Our Telephony and Call Recording Notice explains that the Services are not a substitute for, and cannot reliably reach, emergency services such as 911 or 112.

12. Bias, fairness, and safety testing

We take reasonable steps to reduce the risk that the AI Features produce biased or unfair outcomes. In particular, we:

1. monitor the published model evaluations and safety documentation of our AI providers, and take account of known fairness limitations when selecting and configuring Foundation Models;
2. incorporate safety guardrails into our default agent configuration; and
3. act on known model-level fairness issues affecting the Platform, including by adjusting defaults or switching providers where a platform-level bias issue is identified and a reasonable remediation is available.

A Customer configuring custom agents is responsible for testing those agents for bias and fairness in its specific deployment context, because the prompts, knowledge bases, and decision logic that the Customer supplies materially affect outcomes. We provide tooling to support that testing and will, on request, share aggregate evaluation data, subject to the contractual constraints of our providers. If a Customer identifies a fairness concern that appears to arise at the Platform level rather than from its own configuration, it should report it to us so that we can investigate and remediate.

13. Security of the AI Features

We protect Customer Data processed by the AI Features with the technical and organisational measures described in our Trust and Security page and our Data Processing Addendum. Measures specific to the AI Features include:

• encryption of Customer Data in transit to and from our AI providers and at rest in our systems;
• tenant isolation, so that prompts, knowledge bases, custom voices, and AI Outputs of one Customer are not accessible to another;
• contractual no-training and, where available, zero data-retention configurations with our AI providers, so that Customer Data is not retained or learned from beyond what is needed to return a response;
• access controls and logging on the systems that orchestrate the AI Features; and
• controls designed to mitigate prompt-injection and tool-abuse risks, recognising that no such control is perfect and that the Customer should not place secrets or instructions in agent-readable content that it would not want an End User to be able to surface.

We do not hold our own SOC 2 or ISO 27001 attestation; we are working towards SOC 2 readiness, and our infrastructure subprocessors maintain SOC 2 or ISO 27001 attestations. If we become aware of a security incident affecting Customer Data processed by an AI Feature, we will notify the affected Customer in accordance with the Data Processing Addendum.

14. International transfers

The AI Features are operated by providers located principally in the United States, and operating a live voice call necessarily involves processing audio and transcript content in real time wherever the relevant model is hosted. Where this involves a transfer of personal data out of the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards, principally the European Commission's standard contractual clauses (Module Two for controller-to-processor transfers, and Module Three for onward transfers to our subprocessors), the UK International Data Transfer Agreement or Addendum, and the Swiss addendum, together with supplementary measures such as encryption in transit and at rest and access controls. A copy of the relevant safeguards is available from privacy@getsmartalex.com. The location of each AI provider and the safeguard that applies to it are set out in the Subprocessor List.

15. Intellectual property in AI Outputs

As between SmartAlex and the Customer, and subject to the rights of the AI providers and of any third party in the underlying models, the Customer owns the AI Outputs generated through its use of the AI Features, on the same basis as the rest of its Customer Data, and we claim no licence to those AI Outputs other than the licence we need to provide and secure the Services. The Customer is responsible for ensuring that its use of an AI Output does not infringe the rights of any third party. Foundation Models may generate outputs that are similar or identical for different users, and an AI Output is not warranted to be original or protectable.

16. Customer obligations summary

In addition to the obligations stated elsewhere in this Policy, a Customer using the AI Features must:

1. enable and maintain AI disclosure to End Users to the standard required by the strictest applicable law;
2. establish a lawful basis, give required notices, and obtain any consent required for the processing of personal data (including Special-category Personal Data and Voice Prints) carried out through the AI Features;
3. obtain all consents required for the recording and transcription of calls, as described in the Telephony and Call Recording Notice;
4. test and supervise its agents, provide accurate knowledge sources, and not deploy the AI Features for a prohibited use case; and
5. comply with the EU AI Act deployer obligations, and any equivalent law, that apply to its use case.

The Customer indemnifies SmartAlex against claims arising from its breach of these obligations to the extent set out in the Terms of Service.

17. Updates and contact

This Policy is reviewed periodically and updated to reflect changes in the law (notably the phased application of the EU AI Act through 2026 and 2027), our subprocessors, or our agent capabilities. The effective date below reflects the most recent revision. Where a change materially reduces the protections in this Policy, we will give the Customer reasonable prior notice through the account contact or the Platform. For questions about this Policy, or to exercise a right described in it, contact privacy@getsmartalex.com, or write to us at the registered office given in the Purpose and scope section above.

This AI Usage Policy is version 1.1 and is effective from 1 June 2026.