SmartAlex California Privacy Notice

Version 1.1 · Effective June 1, 2026 · THERCSGROUP PTE. LTD. (trading as SmartAlex, Singapore Reg. No. 202543608D)

1. About this Notice and notice at or before collection (section 1798.100)

This California Privacy Notice (this "Notice") supplements our Privacy Policy and applies to personal information we process about residents of California ("you") under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 and its implementing regulations (together, the "CCPA"). Terms defined in the CCPA have the meanings given to them by the CCPA when used in this Notice, and section 2 below defines the further terms we use.

The business responsible for the personal information described here is THERCSGROUP PTE. LTD. (UEN 202543608D), a company incorporated in the Republic of Singapore, trading as SmartAlex ("SmartAlex", "we", "us", or "our"). At or before the point at which we collect personal information from you, we inform you, through this Notice and the notices that appear at the point of collection, of the categories of personal information we collect, the purposes for which the information is used, whether each category is sold or shared, and the length of time we intend to retain each category. The detail is in sections 3 to 13 below.

This Notice describes how we handle personal information that we collect and process for our own business purposes, where SmartAlex acts as the "business" within the meaning of the CCPA. Where you interact with the Services because a business customer ("Customer") operates a SmartAlex account, that Customer is the business responsible for the personal information processed through its deployment, including the contents of calls it places or receives and the contacts it loads. In that situation SmartAlex acts as the Customer's "service provider" and processes the personal information only on the Customer's documented instructions and for the limited purposes set out in our service-provider agreement. If you are an End User of a Customer's deployment and you wish to exercise rights over the personal information that Customer controls, you should contact that Customer; we will assist the Customer in responding, and we explain the routing of such requests in section 11.

2. Definitions used in this Notice

The following defined terms are used throughout this Notice. Capitalised terms not defined here have the meaning given to them in the CCPA or in our Privacy Policy.

Services or Platform means the SmartAlex platform, websites, applications, and APIs through which Customers configure and operate AI voice agents that place and receive telephone calls, run outbound campaigns, manage contacts, and view analytics.
Customer means the business that contracts for the Services and operates a SmartAlex account.
End User means an individual whom a Customer interacts with through the Services, including a person who places or receives a call handled by an AI voice agent.
Personal information has the meaning given by Cal. Civ. Code section 1798.140(v): information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California resident or household.
Sensitive personal information has the meaning given by Cal. Civ. Code section 1798.140(ae).
Service provider and contractor have the meanings given by Cal. Civ. Code sections 1798.140(ag) and 1798.140(j).
Sell and share have the meanings given by Cal. Civ. Code sections 1798.140(ad) and 1798.140(ah). "Share" refers specifically to disclosure for cross-context behavioural advertising.
De-identified means information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer, and that we maintain and use in accordance with section 1798.140(m).

3. Categories of personal information we collect (section 1798.110)

In the twelve months preceding the effective date of this Notice, we have collected the following statutory categories of personal information about California residents. The illustrative examples are not exhaustive, and not every example is collected about every individual.

Identifiers: name, postal address, unique personal identifier, online identifier, internet protocol (IP) address, email address, telephone number, and account name.
Customer records covered by California Civil Code section 1798.80(e): billing address and payment card information processed by our payment processor on our behalf. We do not store full payment card numbers; these are handled by our payment processor, Stripe.
Commercial information: records of products or services purchased, obtained, or considered, and subscription and usage history.
Internet or other electronic network activity information: browsing history on our websites, information regarding interaction with our Services, and advertisement interaction data.
Geolocation data: approximate location derived from IP address. We do not collect precise geolocation.
Audio, electronic, visual, or similar information: voice recordings and call transcripts where you, or a Customer that operates the SmartAlex account, capture them through the Services, together with related call metadata such as call duration and timestamps.
Professional or employment information: job title and business affiliation where you provide them.
Inferences drawn from the foregoing: preferences and characteristics drawn from your interactions with the Services, including call-qualification outcomes generated by our speech and language AI providers.

We do not knowingly collect the following statutory categories about California residents in the ordinary course of providing the Services: biometric information processed for the purpose of uniquely identifying a consumer (see section 5 for how voice data is treated), education information governed by the Family Educational Rights and Privacy Act, or genetic data. Where any such information reaches us, it does so only as part of the contents of a communication that a Customer has configured the Services to record or transcribe, and we process it solely as that Customer's service provider.

4. Sources of personal information

We collect personal information from the following categories of sources:

you directly, when you create an account, configure or use the Services, make a payment, or contact us for support;
the Customer that operates the SmartAlex account under which your information is processed, where you are an End User of that Customer's deployment, including contact records the Customer uploads and calls the Customer directs;
your device and browser when you interact with our websites and Services, including cookies and similar technologies described in our Cookie Policy;
our service providers and contractors, including our cloud infrastructure providers, our telephony provider, and our speech and language AI providers, who help us deliver, secure, and improve the Services;
third parties from whom we obtain fraud-prevention and security signals, such as device and abuse indicators used to protect the signup process.

5. Sensitive personal information and voice data (section 1798.121)

The CCPA defines sensitive personal information narrowly. The categories of sensitive personal information we may process, with the purpose for each, are:

Account log-in in combination with a password or credential allowing access to an account, collected to authenticate you and to secure your account.
Contents of communications sent or received through the Services, including the contents of mail, email, and text messages, where you, or the Customer that operates the account, configure the Services to record or transcribe them. We collect this content solely to deliver the requested service.

We use sensitive personal information only for the purposes set out in section 1798.121(a) and 11 CCR section 7027(m): performing the services reasonably expected by an average consumer, providing the Services requested, helping to ensure security and integrity, preventing, detecting, and investigating fraud, and the other purposes permitted without the right to limit. We do not use or disclose sensitive personal information to infer characteristics about you, and we do not use it for advertising.

Voice recordings and call transcripts can contain sensitive personal information, and a recording of a voice may constitute biometric information where it is used to uniquely identify an individual. The Services do not use voice for unique identification. Where SmartAlex processes call audio and transcripts, it does so on behalf of a Customer and on that Customer's documented instructions; the Customer is responsible for establishing a lawful basis for the recording and processing of that content and for giving any notices its End Users require, including any notice required before a call is recorded. Our handling of call recording is described further in our Telephony and Call Recording Notice.

You have the right to direct us to limit our use of any sensitive personal information that we process as a business to the permitted purposes above. We describe how to exercise that right in section 9 and how to submit a request in section 10.

6. Purposes for which we use personal information (section 1798.140(e))

We collect, use, and disclose personal information for the business and commercial purposes set out below. The following table maps each purpose to the relevant CCPA business-purpose category and to the categories of personal information used for it.

Purpose	CCPA business purpose	Categories of personal information used
Providing, operating, and maintaining the Services, including processing calls, transcripts, and contacts on behalf of Customers	Performing services on behalf of the business or a Customer (section 1798.140(e)(2))	Identifiers, audio or visual information, commercial information, inferences
Creating and administering accounts and authenticating users	Performing services; verifying account information	Identifiers, sensitive personal information (log-in credentials)
Billing, invoicing, and collecting payment	Performing services; auditing related to financial transactions (section 1798.140(e)(1))	Customer records, commercial information, identifiers
Detecting, preventing, and investigating security incidents, fraud, and abuse	Helping to ensure security and integrity (section 1798.140(e)(2)); detecting and protecting against malicious or fraudulent activity (section 1798.140(e)(3))	Identifiers, internet activity, geolocation, device and abuse signals
Debugging and repairing errors that impair intended functionality	Debugging (section 1798.140(e)(4))	Internet activity, identifiers, application data
Internal research, analytics, and product development	Internal research for technological development (section 1798.140(e)(7))	Internet activity, inferences, commercial information
Quality and safety verification and improvement of the Services	Undertaking activities to verify or maintain quality or safety (section 1798.140(e)(8))	Audio or visual information, internet activity, inferences
Communicating with you about the Services and responding to requests	Performing services; short-term, transient use (section 1798.140(e)(5))	Identifiers, customer records
Complying with legal obligations and establishing, exercising, or defending legal claims	Compliance with applicable law	All categories as necessary

We do not use AI within the Services to make decisions producing legal or similarly significant effects on you without human involvement. AI is used for call handling, routing, transcription, qualification, and analytics under Customer control, and the Customer remains responsible for any decisions it takes using the outputs of the Services. We will not collect additional categories of personal information, or use the personal information we collected for materially different, unrelated, or incompatible purposes, without first providing you notice.

7. Disclosure to service providers, contractors, and third parties (section 1798.115)

We disclose personal information to our service providers and contractors, each of whom is bound by a written contract that limits the use of that information to the business purposes we specify, prohibits its sale or sharing, prohibits its retention, use, or disclosure outside the direct business relationship, and otherwise complies with sections 1798.140(ag) and 1798.140(j) of the CCPA.

In the twelve months preceding the effective date of this Notice, we disclosed the categories of personal information listed below for a business purpose to the categories of recipients shown, for the business purposes set out in section 6.

Category of personal information	Disclosed for a business purpose to
Identifiers	Cloud infrastructure providers; telephony provider; email delivery provider; payment processor; fraud-prevention provider
Customer records (section 1798.80(e))	Payment processor; cloud infrastructure providers
Commercial information	Cloud infrastructure providers; payment processor
Internet or network activity information	Cloud infrastructure providers; analytics and fraud-prevention providers
Geolocation data	Cloud infrastructure providers; fraud-prevention provider
Audio, electronic, visual, or similar information	Cloud infrastructure providers; real-time voice infrastructure provider; speech and language AI providers
Professional or employment information	Cloud infrastructure providers
Inferences	Cloud infrastructure providers; speech and language AI providers

The full list of the third parties we engage, the legal name of each, and the categories of personal information we disclose to each, is published in our Subprocessor List. We also disclose personal information where required to comply with law, to respond to lawful requests from public authorities, to enforce our agreements, or to protect the rights, property, or safety of SmartAlex, our Customers, or others, and in connection with a merger, acquisition, financing, or sale of assets, in which case the recipient will be bound to honour this Notice.

We do not sell personal information for monetary or other valuable consideration. We do not share personal information for cross-context behavioural advertising. We have not sold or shared any category of personal information about California residents, including any sensitive personal information, in the twelve months preceding the effective date of this Notice. If this ever changes, we will update this Notice before doing so, provide a "Do Not Sell or Share My Personal Information" link in our website footer, and treat Global Privacy Control browser signals as a valid opt-out request.

8. De-identified and aggregated information

Where we derive de-identified or aggregated information from personal information, we maintain and use that information only in de-identified or aggregated form, take reasonable measures to ensure it cannot be associated with a consumer or household, publicly commit to maintaining and using it only in that form, and contractually oblige any recipient to comply with the same requirements. De-identified and aggregated information is not personal information and is not subject to the rights described in this Notice.

9. Your California privacy rights (sections 1798.105 to 1798.125)

As a California resident you have the following rights, subject to the exceptions and verification requirements in the CCPA:

The right to know the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose for collecting it, the categories of third parties to whom we disclose it, and the categories of personal information we have disclosed for a business purpose.
The right to delete personal information that we have collected from you, subject to the exceptions in section 1798.105(d), such as where retention is necessary to complete a transaction, detect security incidents, comply with a legal obligation, or exercise or defend legal claims.
The right to correct inaccurate personal information that we maintain about you, taking into account the nature of the information and the purposes of processing it.
The right to opt out of the sale or sharing of personal information. We do not currently sell or share, so there is nothing to opt out of. Should that change, the opt-out link will appear in our website footer and we will honour Global Privacy Control signals.
The right to limit the use and disclosure of sensitive personal information to the purposes permitted by section 1798.121(a). Because we already limit our use of sensitive personal information to those permitted purposes, exercising this right does not change how we process it, but you may still submit a limit request through the channels in section 10.
The right to non-discrimination for exercising your CCPA rights. We do not deny goods or services, charge different prices or rates, or provide a different level or quality of goods or services because you have exercised a right. We do not offer financial incentives, or price or service differences, in exchange for the retention, sale, or sharing of personal information, so no notice of financial incentive under section 1798.125(b) applies.

These rights are not absolute, and we may decline a request, in whole or in part, where the CCPA permits or requires us to do so. Where we decline a request, we will tell you the reason and, where applicable, how you may complain.

10. How to submit a verifiable consumer request (section 1798.130)

To submit a request to know, delete, correct, opt out, or limit, use either of the following methods. We provide at least two designated methods so that you can choose the one that suits you.

Email: write to privacy@getsmartalex.com and include "CCPA Request" in the subject line.
Data Subject Access Request Procedure: follow the steps in our Data Subject Access Request Procedure, which sets out the information to provide and how we handle your request.

Because SmartAlex operates AI voice agents that may call California residents who do not have a direct online relationship with us, we do not rely on the exemption that lets an exclusively online business with a direct relationship offer only an email address. You may make a request by either method above. If a toll-free telephone option becomes required for the personal information we handle as a business, we will provide one and update this Notice.

10.1 How we verify your request

We verify the requestor's identity by matching information you provide in the request against information we already hold about you. We may ask for additional information sufficient to verify your identity, proportional to the sensitivity of the personal information and the risk of harm from unauthorised disclosure. We will not disclose specific pieces of personal information, or act on a deletion or correction request, until we have verified you to the standard the CCPA requires. For a request to know specific pieces of personal information, we apply a higher level of verification. We use any personal information you provide for verification only to verify you, and we delete it promptly afterwards unless we are required to retain it.

10.2 Our timing

We confirm receipt of your request within 10 business days and, in that confirmation, describe how we will verify and process it. We respond to a verified request within 45 calendar days of receipt and may extend by a further 45 days where reasonably necessary, after notifying you of the extension and the reason for it. A request to know covers the twelve-month period preceding the request unless you ask, and we are able, to cover a longer period. There is no charge for a verifiable request unless it is manifestly unfounded or excessive, in which case we may charge a reasonable fee or decline to act, and we will tell you why.

10.3 Requests we cannot fully satisfy

Where we cannot verify you, or where an exception applies, we will tell you and, for a request to know, we will provide the categories of personal information we hold even if we cannot disclose specific pieces. If we deny a deletion or correction request in reliance on an exception, we will explain the basis and, where you remain dissatisfied, you may complain to the California Privacy Protection Agency as described in section 17.

11. End Users of a Customer deployment

If your personal information was collected because a Customer operates a SmartAlex account, that Customer is the business responsible for it, and SmartAlex acts as the Customer's service provider. We will not respond directly to a rights request over that personal information; instead, we will, without undue delay, notify the Customer and assist the Customer in responding, as our service-provider agreement requires. To exercise your rights over personal information a Customer controls, please contact that Customer. Where you are unsure which Customer controls your personal information, you may contact us at privacy@getsmartalex.com and we will help direct your request to the right business.

12. Authorised agents (section 1798.135(c))

You may use an authorised agent to submit a request on your behalf. We will require:

signed permission from you authorising the agent to act on your behalf, or a valid power of attorney under the California Probate Code;
verification of your own identity directly with us; and
confirmation from you that the agent is authorised to act for you.

We may deny a request from an agent who does not submit proof of authorisation. These verification steps do not apply where the agent acts under a valid power of attorney.

13. Retention (section 1798.100(a)(3))

We retain each category of personal information for the period necessary to fulfil the purpose for which it was collected, plus any further period required for: (a) compliance with a legal obligation; (b) establishing, exercising, or defending legal claims; and (c) protecting against fraud and abuse. We do not retain personal information for longer than is reasonably necessary for each disclosed purpose. The retention period or criteria that apply to each category are set out below.

Category	Retention period or criteria
Account identifiers and profile data	For the active life of your account, then deleted or anonymised within a reasonable period after closure.
Account log-in and credentials	For the active life of your account; credentials are stored in hashed form and removed on account closure.
Voice recordings and call transcripts	Per the Customer's configuration for the deployment in which they were captured. Where SmartAlex sets a default, that default applies until the Customer changes it or the account closes.
Commercial information and inferences	For the active life of your account, then deleted or anonymised within a reasonable period after closure.
Billing and payment records	For the period required by applicable tax, accounting, and audit law after the relevant transaction, typically up to seven years.
Internet activity and geolocation data	For the period the underlying logs or analytics are retained, as described in our Cookie Policy.
Support and request records	For as long as needed to handle your request and to evidence our handling of it, and thereafter as required to defend legal claims.
Backups	Held on a rolling basis and overwritten in the ordinary backup cycle; personal information deleted from live systems is removed from backups as those backups expire.

Further detail on default retention periods is set out in our Privacy Policy.

14. Children under 16 (section 1798.120(c))

The Services are intended for use by businesses and are not directed to children. We do not knowingly sell or share the personal information of consumers under the age of 16, and we have not done so. If we learn that we have collected the personal information of a child without the appropriate authorisation, we will delete it. A consumer aged 13 to 16, or the parent or guardian of a consumer under 13, may contact us at privacy@getsmartalex.com.

15. California Shine the Light (Civil Code section 1798.83)

California's Shine the Light law permits California residents to request information about a business's disclosure of personal information to third parties for those third parties' own direct marketing purposes. We do not disclose personal information to third parties for those third parties' own direct marketing purposes. Because of this, no Shine the Light request is necessary.

16. Accessibility and changes to this Notice

We aim to make this Notice accessible to consumers with disabilities. If you use assistive technology and have difficulty accessing this Notice, contact us at privacy@getsmartalex.com and we will provide the information in an alternative format. We review this Notice at least every twelve months, as the CCPA requires, and we may update it from time to time. When we make a material change, we will revise the version and effective date below and, where appropriate, give additional notice. Your continued use of the Services after an update takes effect indicates that you have read the updated Notice.

17. Contact and complaints

For questions about this Notice or to exercise a right, write to privacy@getsmartalex.com or to THERCSGROUP PTE. LTD. (UEN 202543608D), Attn: Privacy, 160 Robinson Road, #14-04 Singapore Business Federation Center, Singapore 068914. You may also file a complaint with the California Privacy Protection Agency at https://cppa.ca.gov.

This California Privacy Notice is version 1.1 and is effective from 1 June 2026.