SmartAlex Telephony & Call Recording Notice

Version 1.1 · Effective June 1, 2026 · THERCSGROUP PTE. LTD. (trading as SmartAlex, Singapore Reg. No. 202543608D)

1. Purpose and scope

This Telephony and Call Recording Notice (the "Notice") explains how THERCSGROUP PTE. LTD., trading as SmartAlex ("SmartAlex", "we", "us", or "our"), and the business customers who use the SmartAlex platform ("Customers", and individually "you" where the context is the Customer) make, receive, record, transcribe, and otherwise process telephone calls through the SmartAlex platform, websites, applications, and APIs (the "Services").

It supplements our Privacy Policy, our Data Processing Addendum, and our Acceptable Use Policy. Where there is a conflict between this Notice and any of those documents on a telephony or recording question, the more specific provision in this Notice applies. Where there is a conflict between this Notice and the negotiated agreement between SmartAlex and a Customer, that agreement prevails as between SmartAlex and the Customer.

This Notice is addressed primarily to the individuals who speak with a SmartAlex-powered voice service, so that it is clear what happens on the call, and secondarily to Customers, to set out their obligations when using the Services. It covers calls in any direction (calls placed by the Services and calls received by the Services), calls handled by a human agent, calls handled by an AI voice agent, and calls handled by a combination of the two, as well as the recordings, transcripts, and call metadata generated from those calls.

This Notice does not itself create a lawful basis for any call, recording, or processing. The lawful basis for each call rests with the Customer, as set out below.

2. Definitions

The following defined terms are used in this Notice. Terms defined in our Privacy Policy or Data Processing Addendum and used here have the same meaning unless stated otherwise.

• AI voice agent means an automated, software-driven caller operated through the Services that converses using synthesized or artificial speech rather than a live human voice.
• Call audio means the recorded or streamed sound of a telephone call, including the voices of all participants.
• Call metadata means information generated about a call rather than the spoken content, including the calling and called numbers, the date, time, and duration of the call, call direction, carrier and routing information, disposition (for example answered, voicemail, or no answer), and the identifier of the Customer campaign or agent that handled the call.
• Controller and Processor have the meanings given in the General Data Protection Regulation (Regulation (EU) 2016/679) (the "GDPR"), and equivalent terms ("responsible party" and "operator" under the South African Protection of Personal Information Act 4 of 2013 ("POPIA"); "business" and "service provider" under the California Consumer Privacy Act as amended ("CCPA")) are construed accordingly.
• Customer Data means data the Customer or its End Users provide, or that is generated through the Customer's use of the Services, including call audio, transcripts, contacts, messages, and call metadata.
• End User means an individual the Customer interacts with through the Services, such as the person at the other end of a call. In data-protection terms the End User is the data subject.
• Personal Data means information relating to an identified or identifiable individual.
• Recording means the capture of call audio to durable storage. Transcription means the conversion of call audio to text.
• Special-category data means the categories of data described in Article 9(1) of the GDPR and the corresponding special personal information under section 26 of POPIA.
• Subprocessor means a third party engaged by SmartAlex to process Personal Data, as listed in the SmartAlex Subprocessor List.

3. Roles in a SmartAlex call

For each telephone call processed through the Services, the parties have the following roles:

1. The Customer is the Controller in respect of the call. The Customer decides why and how the call happens, what is said, what data is collected during it, and how that data is used after the call ends. The Customer also decides whether the call is recorded, whether it is transcribed, and how long the resulting records are kept.
2. SmartAlex is the Processor. We operate the Services that place, receive, record, transcribe, and route the call on the Customer's documented instructions. We are an independent Controller only for account, billing, security, fraud-prevention, and product-analytics data, as described in our Privacy Policy. We do not decide the content or purpose of a Customer's calls.
3. Each Subprocessor that processes call audio, transcripts, or call metadata does so as a sub-processor on SmartAlex's instructions, under terms required by our Data Processing Addendum. The Subprocessors engaged for telephony connectivity and for speech and language processing are identified in the SmartAlex Subprocessor List.
4. The called or calling individual at the other end of the call (the End User) is the data subject.

This allocation of roles is the same allocation used in our Privacy Policy, our Data Processing Addendum, and our regional notices. Because the Customer is the Controller, the Customer is responsible for the lawfulness of each call and for the notices and consents the law requires. SmartAlex acts on the Customer's instructions and provides the tooling described in this Notice to help the Customer meet those obligations, but does not assume them.

Call audio and transcripts can contain special-category data, and a voice may constitute biometric data where it is used to identify a person. SmartAlex processes this data only on the Customer's instructions. The Customer is responsible for establishing a lawful condition for that processing (under the GDPR this is typically explicit consent under Article 9(2); under POPIA an authorisation under section 27) and for giving any notices the law requires to End Users.

4. What happens on a call

4.1 Voice agents

A call handled through the Services may be conducted by a human agent, by an AI voice agent, or by a combination of the two, for example where an AI voice agent answers and then transfers to a human, or where a human agent uses AI assistance during the call. Where a call is conducted by an AI voice agent, the agent identifies itself as such at the start of the call where required by applicable law, as described in the section on AI disclosure, below.

4.2 Recording and transcription

A call handled through the Services may be recorded and transcribed. Recording and transcription are configured by the Customer at the level of the tenant, the campaign, or the individual agent, and not every call is recorded or transcribed. Where a call is recorded, the End User is informed at or before the start of the call as required by applicable law, as described in the section on notice and consent before recording, below. Where only a transcript is produced and no audio is retained, the same notice requirements apply because a transcript is itself a record of the conversation.

4.3 AI processing

Call audio and transcripts may be processed by our speech and language AI providers, for purposes that include speech-to-text transcription, natural-language understanding, response generation, text-to-speech synthesis, summarisation, and contact enrichment. The specific providers engaged for these purposes are named in the SmartAlex Subprocessor List, which is available on that page or on request from privacy@getsmartalex.com. Customer Data sent to these providers is not used to train any provider's public or foundation models. We contract for "no training on Customer Data" terms wherever the provider offers them, and we record the outcome in our Subprocessor List. Our broader position on how the Services use artificial intelligence is set out in our AI Usage Policy.

SmartAlex does not create biometric voiceprints from call audio for the purpose of identifying individuals, and does not perform voice-based identity verification as a standard feature of the Services. If a Customer enables any voice-biometric feature, the Customer is responsible for the separate notice and consent required by laws such as the Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14), the Texas Capture or Use of Biometric Identifier Act, the Washington biometric-privacy statute, and comparable voiceprint laws, and for establishing the Article 9 or section 27 condition required where biometric processing engages special-category rules.

4.4 Call metadata and signalling

Independently of whether a call is recorded, the Services generate call metadata in order to connect, route, bill, and report on the call. Call metadata is processed by our telephony provider and our cloud infrastructure providers, and is retained as described in the schedule of retention periods, below. Call metadata is Customer Data and is subject to the same role allocation and the same End User rights as call audio and transcripts.

5. Calls placed and received through the Services

5.1 Calls you receive from a SmartAlex-powered service

If you receive a call from a SmartAlex-powered service, the following applies.

1. You are told who is calling and on whose behalf at the start of the call. The voice agent identifies the Customer (the business that initiated the call) and, where it is an AI voice agent, identifies itself as such.
2. You are informed if the call is being recorded. You may decline recording. If you decline and the Customer's configuration permits, the call continues without being recorded. If recording is contractually required (for example, in a regulated financial-services context), the call may be ended rather than continued unrecorded.
3. You may at any time ask to be transferred to a human, ask for the call to end, or ask to be removed from the Customer's contact list. These requests are honoured as described in the section on opting out, below.

5.2 Calls you place to a SmartAlex-powered service

If you call a telephone number that a Customer has connected to the Services, the same recording-notice and AI-disclosure rules apply to the inbound leg of the call. You are informed at or before the start of the call if it is recorded and, where the call is answered by an AI voice agent, that you are speaking with an automated system. Inbound callers retain the same rights set out in this Notice, including the right to ask to speak with a human and the right to ask that a recording or transcript be deleted.

5.3 Caller identification and anti-spoofing

Outbound calls placed through the Services use authenticated caller identification, including STIR/SHAKEN attestation where it is supported by the originating carrier, in line with the framework established by the U.S. TRACED Act and the Federal Communications Commission's caller-identification rules (47 CFR Part 64). SmartAlex does not permit Customers to spoof, falsify, or misrepresent the calling number, and Customers must use only telephone numbers they own or are otherwise authorised to use, and which they have, where required, verified with the relevant carrier or numbering authority. Misrepresenting caller identification with intent to defraud, cause harm, or wrongfully obtain anything of value may breach laws such as the U.S. Truth in Caller ID Act and equivalent rules in other jurisdictions, and is a breach of our Acceptable Use Policy.

5.4 Outbound automated calls and consent (United States)

Outbound calls that use an AI or prerecorded voice are treated as "artificial or prerecorded voice" calls under the U.S. Telephone Consumer Protection Act, 47 U.S.C. § 227 (the "TCPA"), in line with the Federal Communications Commission's declaratory ruling of February 2024 confirming that calls using AI-generated or cloned voices fall within the existing prohibitions on artificial or prerecorded voice calls. For any such call placed to a U.S. recipient, the Customer warrants that, before the call:

1. it has obtained the recipient's prior express written consent where the call is for marketing or telemarketing, meeting the signed-writing, clear-and-conspicuous-disclosure, and no-condition-of-purchase requirements of the TCPA and the Federal Trade Commission's Telemarketing Sales Rule (16 CFR Part 310);
2. it has obtained the recipient's prior express consent where the call is informational and non-marketing; or
3. another lawful exception under the TCPA applies, such as the limited exemptions for certain informational calls.

The Customer is responsible for retaining evidence of consent and for honouring any revocation of consent, as described in the section on opting out, below. Calls to wireless numbers, calls outside permitted calling hours, and calls to numbers on a Do Not Call register attract additional restrictions for which the Customer is responsible.

5.5 Do-Not-Call and contact-list screening

The Customer is responsible for screening its outbound contact lists against every Do-Not-Call register that applies to the call, and for honouring any internal opt-out, contact-frequency, and time-of-day restrictions. Applicable registers include, without limitation:

• the Singapore Do Not Call Registry maintained under Part 9 of the Personal Data Protection Act 2012 ("PDPA");
• the U.S. National Do Not Call Registry and any applicable state do-not-call lists;
• the U.K. Telephone Preference Service and Corporate Telephone Preference Service operated under the Privacy and Electronic Communications Regulations; and
• national equivalents in the EU and elsewhere.

SmartAlex provides screening and suppression tooling, but the Customer remains the Controller of its contact list and is responsible for its lawful use, including maintaining its own internal do-not-call and suppression records.

6. Notice and consent before recording

Where a call is recorded, the legal basis for recording depends on the jurisdiction or jurisdictions involved. The summary below is illustrative and is not legal advice. Recording-consent rules change and vary by call type, and the Customer is responsible for determining the standard that applies to each call and configuring disclosure accordingly. Where a call involves participants in more than one jurisdiction, the Customer should apply the most protective applicable standard.

6.1 Single-party-consent jurisdictions

In jurisdictions where one party's consent is sufficient to record a call (for example, most U.S. federal contexts, many U.S. states, and Singapore), the Customer's consent to record is sufficient at law. SmartAlex nonetheless requires the End User to be notified at or before the start of the call, because notification is good practice, reduces dispute, and is often required by sector rules even where the underlying recording-consent standard is single-party.

6.2 Two-party and all-party-consent jurisdictions

In jurisdictions that require every party to a call to consent to recording, all parties must consent. In the United States, these are commonly understood to include California (Cal. Penal Code § 632), Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Pennsylvania, and Washington, among others. The exact status of some states is contested or limited to certain call types: for example, Connecticut's all-party rule under Conn. Gen. Stat. § 52-570d is a civil statute with carve-outs, and Nevada is treated as a single-party-consent jurisdiction for a participant to the conversation under Nevada case law. This list is illustrative and not exhaustive, all-party-consent rules also apply outside the United States (including in much of the EEA and the United Kingdom, in Australian state surveillance-devices laws, and in parts of Canada), and the position changes over time. The Customer is responsible for determining the recording-consent standard for each call.

SmartAlex provides Customer-configurable disclosure language, such as "This call may be recorded and transcribed for quality and compliance purposes. Please confirm to continue.", which is played at the start of a recorded call where the called or calling number is associated with an all-party-consent jurisdiction. If you are in such a jurisdiction and do not consent to recording, you may decline at the disclosure prompt. The call then continues without being recorded, or, if recording is contractually required, the call is ended.

6.3 EU/EEA, United Kingdom, and Switzerland

Calls placed to or received from individuals in the European Economic Area, the United Kingdom, or Switzerland are processed under our Data Processing Addendum and applicable law (the GDPR, the UK GDPR, the Swiss Federal Act on Data Protection, and the ePrivacy rules). These jurisdictions do not use a single-party or two-party-consent model, and recording must not be characterised in those terms. Instead, recording must rest on a lawful basis under data-protection law, which is one of:

1. the individual's freely given, specific, informed, and unambiguous consent, obtained at or before the start of the call;
2. performance of a contract to which the individual is party, or steps taken at the individual's request before entering a contract; or
3. a legitimate interest of the Customer that is not overridden by the individual's interests, rights, or freedoms, supported by a documented balancing test.

Where call content includes special-category data, an additional condition under Article 9 of the GDPR (or the corresponding UK GDPR provision) is required. The Customer determines which basis and condition apply and is responsible for documenting them and for providing the transparency information required by Articles 13 and 14 of the GDPR.

6.4 South Africa, the UAE, and other jurisdictions

For South Africa, recording and processing of call content must meet the conditions for lawful processing under POPIA, including the consent, justification, and notification requirements in sections 9 to 18 and, for special personal information, sections 26 and 27. For the United Arab Emirates (Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data), and for other jurisdictions where the Services are used, SmartAlex provides pre-recording notice designed to meet the local notification standard. The Customer is responsible for confirming that its use case meets the local lawful-processing standard. Our specific South African disclosures are set out in our POPIA Notice.

7. Purpose and lawful basis for telephony processing

The table below sets out the principal purposes for which call data is processed and the lawful basis on which SmartAlex relies, in its capacity as Controller, for its own processing of telephony-related data. For call content processed on a Customer's instructions, the lawful basis is established by the Customer as Controller, as described above.

SmartAlex does not use call content for its own marketing and does not sell call content, transcripts, or call metadata.

8. AI disclosure

Where a call is conducted by an AI voice agent rather than a human, the AI nature of the agent is disclosed as follows:

1. Always, where applicable law requires it. This includes the California "bot" disclosure law (Cal. Bus. and Prof. Code § 17941), the EU AI Act transparency obligation in Article 50(1) requiring that natural persons be informed when they are interacting with an AI system (which applies to AI voice agents), and similar U.S. state and other statutes that require disclosure of automated callers.
2. By default in our recommended agent configuration. The Customer is responsible for enabling and verifying AI disclosure for each campaign or deployment, and must not configure the Services to conceal that an End User is interacting with an AI system.

An End User may at any time ask whether they are speaking with a human or an AI, and the agent answers truthfully. SmartAlex does not make solely automated decisions that produce legal or similarly significant effects on End Users; the Services use AI for call handling, routing, transcription, qualification, and analytics under the Customer's control, and the Customer is responsible for any decision it takes on the basis of that processing.

9. Emergency calls

The Services are not a telephone service for emergencies and must not be relied on to contact emergency services, such as 911 in the United States or 112 in the European Union and the United Kingdom. The Services do not support emergency calling, do not transmit location information to emergency call-takers, and may not function during a power or network outage. If you have an emergency, dial your local emergency number directly from a device capable of reaching emergency services. AI voice agents do not recognise or route emergency requests and may end or transfer the call. Customers must not deploy the Services as a means of reaching emergency services and must not represent to End Users that the Services can do so. Customers that operate the Services in environments where End Users might reasonably expect emergency-calling capability are responsible for making the limitation in this section clear to those End Users.

10. Opting out of calls

If you receive calls placed through the Services, you may opt out of further calls at any time. You can do this by telling the agent "stop", "do not call", or "remove me", or by any other reasonable method, including asking to be transferred to a human and making the request there. Opt-out and consent-revocation requests are honoured within a reasonable time, and in any event no later than ten (10) business days, in line with Federal Communications Commission rules on the revocation of consent. The Customer is responsible for suppressing your number across its campaigns once you opt out, and for ensuring that an opt-out given on one channel is respected across the channels for which you have opted out.

An opt-out from calls does not by itself delete a recording or transcript of an earlier call. If you also want an earlier recording or transcript deleted, you may exercise the rights set out in the section on your rights, below.

11. International calls and transfers

Call audio, transcripts, and call metadata may be processed by Subprocessors located outside the country where the call took place, including our cloud infrastructure providers, our telephony provider, and our speech and language AI providers. Where this involves a transfer of personal data out of the European Economic Area, the United Kingdom, or Switzerland, the transfer is made under an approved safeguard:

1. the EU Standard Contractual Clauses (Module Two for controller-to-processor transfers and Module Three for onward processor-to-processor transfers);
2. the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses;
3. the Swiss addendum to the EU Standard Contractual Clauses; or
4. an applicable adequacy decision,

together with supplementary measures such as encryption in transit and at rest and access controls. These safeguards are set out in our Data Processing Addendum and SmartAlex Subprocessor List, and a copy of the relevant safeguards is available from privacy@getsmartalex.com. For transfers of personal information out of South Africa, SmartAlex relies on the conditions in section 72 of POPIA, as described in our POPIA Notice.

12. Retention of call data

We retain call audio, transcripts, and call metadata for no longer than is necessary for the purposes for which they were collected, and in line with the Customer's configuration and contract. Because the Customer is the Controller of call content, the Customer sets the retention period for recordings and transcripts within the limits the Services allow. Where the Customer has not set a period, the default in the Customer's tenant configuration applies. An End User can ask the Customer for the specific retention period that applies to their call, or contact privacy@getsmartalex.com and we will route the request to the responsible Customer. The following table sets out the retention approach for each category of call data.

On termination of a Customer's account, call data is deleted or returned in accordance with our Data Processing Addendum, subject to any retention required by law.

13. Security of call data

SmartAlex maintains technical and organisational measures designed to protect call audio, transcripts, and call metadata against unauthorised access, alteration, disclosure, loss, or destruction. These measures include:

• encryption of call data in transit using current transport-layer security and encryption of recordings and transcripts at rest;
• role-based access controls and the principle of least privilege, so that access to call audio and transcripts is limited to personnel and Subprocessors that require it to operate the Services;
• tenant isolation, so that one Customer's call data is logically separated from another's;
• authentication controls, including multi-factor authentication for administrative access to systems that store call data;
• logging and monitoring of access to call data and of call traffic for fraud and toll-fraud detection; and
• contractual security obligations on every Subprocessor that processes call data, as set out in our Data Processing Addendum.

SmartAlex does not currently hold its own SOC 2 or ISO 27001 attestation and is working towards SOC 2 readiness. Our infrastructure subprocessors maintain SOC 2 and ISO 27001 attestations. Further detail on our security programme is set out in our Trust and Security page. If we become aware of a personal-data breach affecting call data, we will notify the affected Customer without undue delay so that the Customer, as Controller, can meet its own breach-notification obligations.

14. Your rights

If you have spoken with a SmartAlex-powered service and want to exercise your rights, including access to a recording or transcript of your call, deletion of the recording or transcript, correction of inaccurate data, restriction of processing, objection to processing, or portability, please refer to our Data Subject Access Request Procedure. Because the Customer is the Controller for the call, SmartAlex routes your request to that Customer and assists them in fulfilling it to the extent we are able. Where SmartAlex is the Controller (for example, for call metadata used for our own billing and security purposes), we respond to your request directly.

Depending on your location, your rights may include the rights of access, correction, deletion, restriction, objection, and data portability under the GDPR and UK GDPR; the rights to know, delete, correct, and opt out under the CCPA; the rights of access and correction and the right to object under POPIA; and the rights of access and correction under the Singapore PDPA. The exercise of these statutory rights is free in most cases and is handled through the procedure linked above.

If you have a complaint about how a Customer has used the Services to call you, you may contact the relevant supervisory authority. These include the Singapore Personal Data Protection Commission, the South Africa Information Regulator (POPIA complaints to complaints.ir@inforegulator.org.za, JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001, South Africa), the U.K. Information Commissioner's Office, and the data-protection authority for your country in the EU/EEA. These statutory complaint routes are separate from any commercial dispute-resolution process in our agreements with Customers, and an End User is never required to use commercial arbitration to pursue a statutory data-protection right.

15. Customer obligations

A Customer that uses the Services to make or receive calls warrants and represents that:

1. it has a lawful basis for placing or receiving each call;
2. it has obtained any consent required for recording the call, for conducting the call by AI, and for any later processing of the recording or transcript, including any condition required where call content is special-category or biometric data;
3. it has obtained any TCPA consent required for outbound AI or prerecorded-voice calls to U.S. recipients, as described in the section on outbound automated calls, above, and retains evidence of that consent;
4. it has screened its outbound contact lists against every applicable Do-Not-Call register and respects all internal opt-outs, contact-frequency, time-of-day, and jurisdictional restrictions;
5. it uses only telephone numbers it is authorised to use and does not spoof, falsify, or misrepresent caller identification;
6. it configures the pre-recording disclosure prompt and the AI-disclosure setting to reflect its lawful basis and the End User's jurisdiction;
7. it does not deploy the Services as a means of reaching emergency services and does not represent that the Services can do so; and
8. it responds to data-subject requests within the time limits required by applicable law (for example, one month under the GDPR and UK GDPR, forty-five (45) days under the CCPA, and as soon as reasonably possible under the Singapore PDPA, where the PDPC expects organisations to respond within 30 days or to notify the requester if more time is needed).

Failure to comply with these obligations is a material breach of our Terms of Service and our Acceptable Use Policy, and may result in suspension or termination of the Services.

16. Updates and contact

This Notice is reviewed periodically and updated to reflect changes in law, the Services, or our Subprocessors. The effective date below reflects the most recent revision. Where a change is material, we will take reasonable steps to inform Customers in advance through the platform or by email. For questions about this Notice, contact privacy@getsmartalex.com.

This Notice is issued by THERCSGROUP PTE. LTD. (UEN 202543608D), 160 Robinson Road, #14-04 Singapore Business Federation Center, Singapore 068914, and is governed by the laws of the Republic of Singapore.

This Telephony and Call Recording Notice is version 1.1 and is effective from 1 June 2026.