Privacy Policy

Last Updated: April 23, 2026

Your privacy is fundamental to our mission. This Privacy Policy explains how Pandacat Inc. ("Pandacat," "we," "us," or "our") collects, uses, discloses, retains, and protects your personal information when you access or use the Talki Talki communications platform (the "Service"). Please read this policy carefully alongside our Terms of Service.

1. Who We Are and How to Reach Us

Pandacat Inc. is a Canadian corporation and the data controller for personal information collected through the Service. For privacy-related inquiries, requests, or complaints, contact our Privacy Officer at:

Privacy Officer — Pandacat Inc.

Email: privacy@pandacat.ca

Website: talkitalki.ca

We are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c. 5, and applicable provincial privacy legislation in Canada, including Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25). Where we collect personal information from individuals located in the European Economic Area or United Kingdom, we act as a data controller under the General Data Protection Regulation (GDPR) and UK GDPR. For California residents, additional rights are described in Section 10.

2. Information We Collect

We collect only the information reasonably necessary to provide a stable, lawful, and professional cloud communications service. This includes:

  • Account Information: Your name, business name, email address, physical business address (required for E911 regulatory compliance), legal business structure, tax identification number (if provided for A2P carrier compliance), and business website.
  • Identity Verification Data: Photographs you submit during our Know Your Customer (KYC) process, including selfie images in which you hold a government-issued photo identification document. Data extracted or inferred from these images (such as full name, identification type, expiry date, and issuing jurisdiction) is also retained. See Section 3 for important details.
  • Communications Data: Call logs including timestamps, duration, direction, and participating numbers; SMS and MMS message content (inbound and outbound); voicemail audio recordings; and call routing configurations you create.
  • AI-Generated Data: Text transcriptions of voicemail audio generated by our AI processing systems.
  • Payment Information: Billing name, billing address, and payment method details. We do not directly store full payment card numbers; all payment data is handled by Stripe, Inc. under their Privacy Policy.
  • Technical and Device Data: IP addresses, browser type and version, operating system, device identifiers, referring URLs, pages visited, session duration, and diagnostic and error logs. We maintain a rolling security log of your recent login attempts (IP address and timestamp) to detect and prevent unauthorized access.
  • Communications You Send to Us: Support requests, emails, and any other communications you voluntarily provide to our team.

We do not knowingly collect personal information from individuals under the age of 18. See Section 11.

3. Identity Verification and Biometric Information

Before you may purchase or activate a phone number, we require you to complete an identity verification process. This process involves capturing an image of your face alongside a government-issued photo identification document.

3.1 What We Collect. We collect the photograph you submit, the Firebase Storage URL at which it is stored, and structured data extracted from the image by AI, including your full name, identification document type, expiry date, and issuing jurisdiction. We also record the submission timestamp and verification outcome.

3.2 How It Is Processed. Submitted photographs are transmitted to Google LLC's Gemini AI API for automated analysis. Google processes this data as a sub-processor under our data processing agreement. The AI assesses whether the image is sufficiently clear, whether the document appears genuine and unexpired, and extracts the relevant fields listed above. Pandacat's administrative staff may also manually review submissions where automated verification is unsuccessful.

3.3 Biometric Notice. To the extent that your submitted photograph constitutes biometric data under applicable law (including but not limited to the Illinois Biometric Information Privacy Act (BIPA) or similar statutes), by submitting the photograph you expressly and knowingly consent to the collection, processing, storage, and use of such data for identity verification purposes as described herein. We do not sell, lease, trade, or profit from biometric identifiers or biometric information.

3.4 Purpose Limitation. Identity verification data is used exclusively for: verifying your identity before granting access to phone number provisioning; fraud prevention and compliance; and fulfilling our legal obligations under applicable telecommunications and anti-money laundering regulations.

3.5 Storage and Retention. Verification photographs are stored in Google Firebase Storage, secured to your account. Extracted metadata is stored in Google Firestore. We retain this data for the duration of your account and for a minimum of five (5) years thereafter, or such longer period as required by applicable law, carrier agreements, or regulatory obligations.

3.6 Access. Verification data is accessible to authorized Pandacat administrative personnel only. It is not shared with third parties except as required by law or described in Section 6.

4. How We Use Your Information

We use your personal information only for the following purposes:

  • To create, maintain, and authenticate your account.
  • To provide the Service, including routing calls, delivering messages, storing voicemails, and enabling all features of the platform.
  • To verify your identity in compliance with our Know Your Customer (KYC) obligations and carrier requirements.
  • To process payments and manage your Subscription through Stripe.
  • To generate AI-powered features such as voicemail-to-text transcriptions using Google Gemini.
  • To comply with legal obligations, including telecommunications regulations (TCPA, CASL), anti-fraud requirements, and law enforcement requests.
  • To detect, investigate, and prevent fraudulent, abusive, or unlawful activity.
  • To provide customer support, respond to your inquiries, and resolve disputes.
  • To improve the Service, troubleshoot technical issues, and ensure platform reliability.
  • To send you service-related notifications (account alerts, billing, policy updates). We do not send marketing communications without your explicit opt-in consent.
  • To enforce our Terms of Service and protect the rights, property, and safety of Pandacat, our users, and the public.

5. Legal Bases for Processing

Where the GDPR or UK GDPR applies, we process your personal data on the following legal bases:

  • Contract Performance (Article 6(1)(b)): Processing necessary to provide the Service to you under our Terms of Service — including account management, call routing, billing, and identity verification.
  • Legal Obligation (Article 6(1)(c)): Processing required to comply with telecommunications regulations, anti-money laundering rules, law enforcement requests, and carrier compliance mandates.
  • Legitimate Interests (Article 6(1)(f)): Processing for fraud prevention, security monitoring, service improvement, and protecting the integrity of our platform, where these interests are not overridden by your rights.
  • Consent (Article 6(1)(a) / Article 9(2)(a)): For biometric or special category data processing (such as identity verification photographs), and for any optional marketing communications. You may withdraw consent at any time without affecting the lawfulness of prior processing.

Under PIPEDA and Quebec's Law 25, we collect, use, and disclose personal information with your knowledge and consent, except where permitted by law.

6. Data Sharing and Third-Party Processors

We do not sell, rent, or trade your personal information to any third party. We share information only with the following trusted service providers who are contractually bound to use it solely to provide services on our behalf:

  • Twilio, Inc. (San Francisco, California, USA): Provides global telephony infrastructure, SMS/MMS delivery, phone number provisioning, call recording, and related services. Your phone numbers, call data, and message content are processed by Twilio to deliver the Service. Twilio is subject to U.S. data protection law and the EU-U.S. Data Privacy Framework.
  • Google LLC (Mountain View, California, USA): Provides Firebase (database, authentication, storage, and hosting) and Gemini AI (voicemail transcription and identity verification analysis). Google processes data under its data processing terms and is subject to the EU-U.S. Data Privacy Framework and Standard Contractual Clauses.
  • Stripe, Inc. (San Francisco, California, USA): Processes all payment transactions and subscription billing. Stripe handles your payment card data under its own Privacy Policy and PCI-DSS compliance program. We do not store full payment card numbers.

Other Disclosures. We may also disclose your personal information: (a) to comply with applicable laws, regulations, court orders, or lawful requests from government authorities; (b) to enforce our Terms of Service or protect our rights, property, or safety; (c) in connection with a merger, acquisition, corporate restructuring, or sale of all or substantially all of our assets, provided the acquiring party agrees to protect your information under terms no less protective than this policy; or (d) with your explicit prior consent.

7. International Data Transfers

Pandacat Inc. is headquartered in Canada. By using the Service, you acknowledge that your personal information may be transferred to, stored in, and processed in the United States and other jurisdictions where our service providers operate. These jurisdictions may have data protection laws that differ from those of your country of residence.

Where we transfer personal data from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other legally recognized transfer mechanisms. Where we transfer personal data from Canada to service providers in the United States, we do so in accordance with PIPEDA's transborder flow provisions and ensure contractual data protection obligations are in place.

8. Data Retention

We retain personal information for as long as your account is active and for a reasonable period thereafter, or as required by applicable law. Specific retention periods include:

  • Account and profile information: Duration of account plus up to 7 years after termination for compliance purposes.
  • Identity verification photographs and extracted data: Duration of account plus minimum 5 years, or longer if required by applicable law or carrier agreements.
  • Call logs and SMS records: Duration of account; may be permanently deleted upon account termination at our discretion.
  • Voicemail recordings: Until deleted by you or upon account termination.
  • Payment records: Retained as required by tax and accounting law (typically 7 years).
  • Security logs (IP/login history): Rolling 90-day window for security monitoring purposes.

Upon account termination, we reserve the right to immediately and permanently delete your communication data (call logs, messages, voicemails, and configurations). This deletion is irreversible. We strongly recommend exporting or archiving any data you wish to retain before closing your account.

9. Your Privacy Rights

Depending on your jurisdiction, you may have some or all of the following rights regarding your personal information:

9.1 Rights Under PIPEDA (All Canadian Users)

You have the right to: access personal information we hold about you; request correction of inaccurate information; withdraw consent to certain processing (subject to legal or contractual restrictions); file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.

9.2 Rights Under Quebec's Law 25 (Quebec Residents)

In addition to PIPEDA rights, Quebec residents have the right to: data portability (receive your data in a structured, commonly used format); request that automated decisions made about you be reviewed by a human; be informed of any privacy incident affecting your data; and file a complaint with the Commission d'accès à l'information (CAI).

9.3 Rights Under the GDPR (EEA, UK, and Switzerland Residents)

You have the right to: access (Article 15); rectification (Article 16); erasure / "right to be forgotten" (Article 17); restriction of processing (Article 18); data portability (Article 20); object to processing (Article 21); and withdraw consent at any time without affecting prior processing. You also have the right to lodge a complaint with your local supervisory authority.

9.4 Rights Under the CCPA/CPRA (California Residents)

California residents have the right to: know what personal information is collected, used, shared, or sold; request deletion of personal information; opt out of the sale or sharing of personal information (we do not sell your data); non-discrimination for exercising your privacy rights; and correct inaccurate personal information. To exercise these rights, contact privacy@pandacat.ca with the subject line "California Privacy Request." We will respond within 45 days. We do not knowingly sell the personal information of California residents.

9.5 Other U.S. State Privacy Rights

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and other U.S. states with comprehensive privacy laws may have rights similar to those listed above. To submit a request, contact privacy@pandacat.ca. We will assess each request under the applicable law for your state of residence.

To exercise any privacy right, please contact us at privacy@pandacat.ca. We may need to verify your identity before processing your request. We will respond within the timeframe required by applicable law (30 days under PIPEDA; 30 days under GDPR; 45 days under CCPA). We reserve the right to deny requests that are manifestly unfounded, repetitive, or that conflict with our legal obligations.

10. Cookies and Tracking Technologies

Talki Talki is a web application that uses cookies and similar technologies (local storage, session tokens) to operate the Service, maintain your authenticated session, and ensure security. We do not use third-party advertising cookies or tracking pixels for behavioral advertising.

  • Essential/Functional Cookies: Required for authentication, session management, and core Service functionality. These cannot be disabled without breaking the Service.
  • Security Cookies: Used for fraud detection, CSRF protection, and reCAPTCHA verification (Google).
  • Analytics: We may use aggregated, anonymized analytics to understand Service usage patterns. Individual users are not identified in analytics reports.

You may configure your browser to refuse cookies, but doing so may prevent you from logging in or using core features of the Service.

11. Children's Privacy

The Service is not directed to or intended for use by individuals under the age of eighteen (18). We do not knowingly collect personal information from anyone under 18. If you are a parent or guardian and believe your child has provided personal information to us without your consent, please contact privacy@pandacat.ca immediately. Upon verification, we will take prompt steps to delete that information and, if applicable, terminate the associated account. If we learn we have inadvertently collected data from a minor, we will delete it as quickly as practicable.

For users located in the United States, we comply with the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506.

12. Communications and Marketing

Service Notices. We may send you transactional and service-related communications (billing notices, account alerts, policy updates, security notifications). These are necessary for operating the Service and cannot be opted out of while you hold an active account.

Marketing. We do not send marketing or promotional emails without your explicit, freely given, prior consent. If you have opted in to marketing communications, you may withdraw consent at any time by clicking "unsubscribe" in any marketing email or by emailing privacy@pandacat.ca. Withdrawal of consent will be processed within 10 business days.

13. Data Security

We implement commercially reasonable technical, administrative, and physical safeguards designed to protect your personal information against unauthorized access, disclosure, alteration, destruction, and loss. These measures include:

  • Encryption of data in transit using TLS/HTTPS.
  • Encryption of data at rest via Google Cloud infrastructure.
  • Firebase App Check and reCAPTCHA Enterprise to prevent unauthorized API access.
  • Granular Firestore security rules restricting data access to authorized users only.
  • Role-based access control limiting internal access to personal data on a need-to-know basis.
  • Stripe PCI-DSS compliance for all payment card data.

No Absolute Security. Despite these measures, no system is completely secure. We cannot guarantee the absolute security of your information and are not responsible for unauthorized access resulting from circumstances beyond our reasonable control, including your own failure to protect your account credentials. You are responsible for maintaining the confidentiality of your login credentials and for all activity occurring under your account.

Data Breach Notification. In the event of a data breach that poses a real risk of significant harm to you, we will notify you and applicable regulatory authorities as required by PIPEDA, Quebec's Law 25, the GDPR, and applicable U.S. state notification laws, within the timeframes prescribed by those laws.

14. Do Not Sell or Share My Personal Information

Pandacat Inc. does not sell, rent, trade, or share your personal information with third parties for their own marketing or advertising purposes. We do not engage in the "sale" or "sharing" of personal information as defined under the California Consumer Privacy Act (CCPA/CPRA) or any equivalent state law.

If this practice changes in the future, we will provide prominent notice and, where required, an opt-out mechanism before any such sharing begins.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will update the "Last Updated" date at the top of this page whenever changes are made. While we will try to let you know about meaningful changes when we reasonably can, we are not obligated to provide advance notice — updates may take effect as soon as they are posted. We encourage you to review this page from time to time. Your continued use of the Service after any changes are posted constitutes your acceptance of the updated Privacy Policy.

We encourage you to review this Privacy Policy periodically. Previous versions are available upon request at privacy@pandacat.ca.

Privacy concerns or data subject requests? Contact our Privacy Officer at privacy@pandacat.ca

Canadian users may also contact the Office of the Privacy Commissioner of Canada with complaints.