Last Updated: June 2nd, 2026
Your privacy is fundamental to our mission. This Privacy Policy explains how Pandacat Inc. ("Pandacat," "we," "us," or "our") collects, uses, discloses, retains, and protects your personal information when you access or use the Talki Talki communications platform (the "Service"). Please read this policy carefully alongside our Terms of Service.
Pandacat Inc. is a Canadian corporation and the data controller for personal information collected through the Service. For privacy-related inquiries, requests, or complaints, contact our Privacy Officer at:
We are subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), S.C. 2000, c. 5, and applicable provincial privacy legislation in Canada, including Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25). Where we collect personal information from individuals located in the European Economic Area or United Kingdom, we act as a data controller under the General Data Protection Regulation (GDPR) and UK GDPR. For California residents, additional rights are described in Section 10.
We collect only the information reasonably necessary to provide a stable, lawful, and professional cloud communications service. This includes:
We do not knowingly collect personal information from individuals under the age of 18. See Section 11.
Before you may purchase or activate a phone number, we require you to complete an identity verification process. This process involves capturing an image of your face alongside a government-issued photo identification document.
3.1 What We Collect. We collect the photograph you submit, the secure cloud storage URL at which it is stored, and structured data extracted from the image by AI, including your full name, identification document type, expiry date, and issuing jurisdiction. We also record the submission timestamp and verification outcome.
3.2 How It Is Processed. Submitted photographs are transmitted to our AI processing service provider for automated analysis. The provider processes this data as a sub-processor under our data processing agreement. The AI assesses whether the image is sufficiently clear, whether the document appears genuine and unexpired, and extracts the relevant fields listed above. Pandacat's administrative staff may also manually review submissions where automated verification is unsuccessful.
3.2a Biometric Notice. To the extent that your submitted photograph constitutes biometric data under applicable law (including but not limited to the Illinois Biometric Information Privacy Act (BIPA) or similar statutes), by submitting the photograph you expressly and knowingly consent to the collection, processing, storage, and use of such data for identity verification purposes as described herein. We do not sell, lease, trade, or profit from biometric identifiers or biometric information.
3.3 Purpose Limitation. Identity verification data is used exclusively for: verifying your identity before granting access to phone number provisioning; fraud prevention and compliance; and fulfilling our legal obligations under applicable telecommunications and anti-money laundering regulations.
3.4 Storage and Retention. Verification photographs are stored in secure cloud storage, secured to your account. Extracted metadata is stored in our cloud database infrastructure. We retain this data for the duration of your account and for a minimum of five (5) years thereafter, or such longer period as required by applicable law, carrier agreements, or regulatory obligations.
3.5 Access. Verification data is accessible to authorized Pandacat administrative personnel only. It is not shared with third parties except as required by law or described in Section 6.
We use your personal information only for the following purposes:
Talki Talki offers an optional Auto-Email Voicemail feature. When you choose to enable it, your incoming voicemail recordings are automatically delivered to the email address associated with your account as MP3 file attachments, along with call metadata (sender number, recipient number, duration, and timestamp). If you additionally enable the transcription option, an AI-generated text transcript of the recording is also included in the email body.
4b.1 Security Disclosure. Standard email is not end-to-end encrypted. When you enable this feature:
We do not recommend enabling this feature if your voicemails may contain sensitive, confidential, legally privileged, or regulated information. Other providers offer this feature without disclosing these risks. We believe you deserve full transparency.
4b.2 Third-Party Email Processor. Outbound email delivery is powered by our email delivery service provider. Your voicemail audio, metadata, and any transcription text pass through the provider's servers in the course of delivery. The provider processes this data as a contractually bound sub-processor.
4b.3 Consent. This feature is disabled by default. It may only be activated after you are presented with a plain-language security warning and click a confirmation button explicitly marked "I Understand and Will Proceed." Your consent, the timestamp of that consent, and the destination email address are recorded in our systems.
4b.4 No Liability. By enabling this feature, you expressly accept all risks associated with transmitting your voicemail recordings via email. Pandacat Inc. is not responsible or liable for any exposure, interception, unauthorized access, breach of confidentiality, or damages of any kind resulting from your choice to enable email voicemail delivery. You may disable this feature at any time from your Voicemail settings, which will immediately stop future email deliveries.
The Call Recording feature is available exclusively to users subscribed to the Pro Plan. This section describes how we collect, process, store, and protect call recording data and AI-generated transcriptions.
4c.1 What We Collect. When call recording is enabled on a dial plan node, we collect: the audio recording of the telephone call in MP3 format; associated metadata (caller number, recipient number, call direction, call duration, date and timestamp); and, if AI transcription is enabled, a text transcription of the audio generated by our AI processing service provider.
4c.2 How It Is Processed. Call audio is recorded by our telecommunications infrastructure provider and transmitted to our servers for storage. If AI transcription is enabled, the audio is transmitted to our AI processing service provider. The provider processes the audio solely to generate the transcription and does not retain input audio after processing. Transcriptions are stored in our cloud database infrastructure associated with your account.
4c.3 Your Obligations — Inbound Recording. When inbound call recording is enabled via a dial plan node, an automated disclosure is played to the incoming caller before the call connects. You remain solely responsible for ensuring this meets all applicable legal requirements. The automated message is provided as a convenience only and does not constitute legal advice.
4c.3a Your Obligations — Outbound Call Recording. When you enable outbound call recording, the Service plays an automated disclosure to you (the caller) before dialing, and to the called party upon answer before bridging the call. Recording telephone calls you initiate carries heightened legal obligations. In many jurisdictions — including Canada, the United States, the European Union, and others — recording an outbound call without the knowing consent of the called party may constitute a criminal offence regardless of the automated disclosure played. By enabling outbound call recording, you represent that you have independently verified your legal obligations and accept full responsibility for compliance in all applicable jurisdictions. Do not enable outbound recording for calls that may contain protected health information (PHI), attorney-client privileged communications, or other regulated sensitive data.
4c.4 Storage. Call recordings (audio files) are stored on our telecommunications infrastructure provider's servers and referenced in your Talki Talki account. Transcription text is stored in our cloud database infrastructure. Recordings and transcriptions are accessible only to you (the account holder) and authorized Pandacat administrative personnel.
4c.5 Retention. Call recordings and transcriptions are retained until you delete them from the Call Recordings section of your dashboard, or until your account is terminated, at which point they may be permanently and irreversibly deleted. We strongly recommend downloading recordings you wish to retain before closing your account.
4c.6 AI Training Disclosure. By enabling AI transcription, you acknowledge that:
4c.8 Third-Party Processors. Processing of call recordings and transcriptions involves our telecommunications infrastructure provider (recording infrastructure) and our cloud and AI processing service provider (storage and AI transcription), both contractually bound sub-processors. See Section 6 for details.
4c.9 No Liability. Pandacat Inc. is not responsible or liable for: inaccuracies in AI-generated transcriptions; your failure to obtain required call recording consents; unauthorized access resulting from your own security failures; or any regulatory penalties arising from your use of the call recording feature. By enabling call recording or AI transcription, you expressly accept these risks.
4c.10 AI Receptionist — Quality and Liability (VIP Plan). The AI Receptionist feature is provided "AS IS." The accuracy, quality, and appropriateness of AI-generated responses to callers depends entirely on the quality and completeness of the knowledge base and behavioral instructions you provide. Pandacat Inc. collects and processes the content you submit to your knowledge base and the transcripts of AI Receptionist sessions solely to operate and improve the feature. Pandacat Inc. is not responsible for incorrect, incomplete, misleading, or inappropriate AI responses. You are solely responsible for maintaining an accurate knowledge base, reviewing session transcripts, correcting errors, and continuously improving the AI's instructions. We encourage you to use the call transcript feedback loop built into the Service to make the AI Receptionist smarter over time — performance improves in direct proportion to the quality of data you provide. By using this feature, you accept full responsibility for all AI responses made on your behalf.
Where the GDPR or UK GDPR applies, we process your personal data on the following legal bases:
Under PIPEDA and Quebec's Law 25, we collect, use, and disclose personal information with your knowledge and consent, except where permitted by law.
We do not sell, rent, or trade your personal information to any third party. We share information only with the following trusted service providers who are contractually bound to use it solely to provide services on our behalf:
Other Disclosures. We may also disclose your personal information: (a) to comply with applicable laws, regulations, court orders, or lawful requests from government authorities; (b) to enforce our Terms of Service or protect our rights, property, and safety; (c) in connection with a merger, acquisition, corporate restructuring, or sale of all or substantially all of our assets, provided the acquiring party agrees to protect your information under terms no less protective than this policy; or (d) with your explicit prior consent.
Pandacat Inc. is headquartered in Canada. By using the Service, you acknowledge that your personal information may be transferred to, stored in, and processed in the United States and other jurisdictions where our service providers operate. These jurisdictions may have data protection laws that differ from those of your country of residence.
Where we transfer personal data from the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, or other legally recognized transfer mechanisms. Where we transfer personal data from Canada to service providers in the United States, we do so in accordance with PIPEDA's transborder flow provisions and ensure contractual data protection obligations are in place.
We retain personal information for as long as your account is active and for a reasonable period thereafter, or as required by applicable law. Specific retention periods include:
Upon account termination, we reserve the right to immediately and permanently delete your communication data (call logs, messages, voicemails, and configurations). This deletion is irreversible. We strongly recommend exporting or archiving any data you wish to retain before closing your account.
Depending on your jurisdiction, you may have some or all of the following rights regarding your personal information:
9.1 Rights Under PIPEDA (All Canadian Users)
You have the right to: access personal information we hold about you; request correction of inaccurate information; withdraw consent to certain processing (subject to legal or contractual restrictions); file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca.
9.2 Rights Under Quebec's Law 25 (Quebec Residents)
In addition to PIPEDA rights, Quebec residents have the right to: data portability (receive your data in a structured, commonly used format); request that automated decisions made about you be reviewed by a human; be informed of any privacy incident affecting your data; and file a complaint with the Commission d'accès à l'information (CAI).
9.3 Rights Under the GDPR (EEA, UK, and Switzerland Residents)
You have the right to: access (Article 15); rectification (Article 16); erasure / "right to be forgotten" (Article 17); restriction of processing (Article 18); data portability (Article 20); object to processing (Article 21); and withdraw consent at any time without affecting prior processing. You also have the right to lodge a complaint with your local supervisory authority.
9.4 Rights Under the CCPA/CPRA (California Residents)
California residents have the right to: know what personal information is collected, used, shared, or sold; request deletion of personal information; opt out of the sale or sharing of personal information (we do not sell your data); non-discrimination for exercising your privacy rights; and correct inaccurate personal information. To exercise these rights, contact privacy@pandacat.ca with the subject line "California Privacy Request." We will respond within 45 days. We do not knowingly sell the personal information of California residents.
9.5 Other U.S. State Privacy Rights
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and other U.S. states with comprehensive privacy laws may have rights similar to those listed above. To submit a request, contact privacy@pandacat.ca. We will assess each request under the applicable law for your state of residence.
To exercise any privacy right, please contact us at privacy@pandacat.ca. We may need to verify your identity before processing your request. We will respond within the timeframe required by applicable law (30 days under PIPEDA; 30 days under GDPR; 45 days under CCPA). We reserve the right to deny requests that are manifestly unfounded, repetitive, or that conflict with our legal obligations.
Talki Talki is a web application that uses cookies and similar technologies (local storage, session tokens) to operate the Service, maintain your authenticated session, and ensure security. We do not use third-party advertising cookies or tracking pixels for behavioral advertising.
You may configure your browser to refuse cookies, but doing so may prevent you from logging in or using core features of the Service.
The Service is not directed to or intended for use by individuals under the age of eighteen (18). We do not knowingly collect personal information from anyone under 18. If you are a parent or guardian and believe your child has provided personal information to us without your consent, please contact privacy@pandacat.ca immediately. Upon verification, we will take prompt steps to delete that information and, if applicable, terminate the associated account. If we learn we have inadvertently collected data from a minor, we will delete it as quickly as practicable.
For users located in the United States, we comply with the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506.
Service Notices. We may send you transactional and service-related communications (billing notices, account alerts, policy updates, security notifications). These are necessary for operating the Service and cannot be opted out of while you hold an active account.
Marketing. We do not send marketing or promotional emails without your explicit, freely given, prior consent. If you have opted in to marketing communications, you may withdraw consent at any time by clicking "unsubscribe" in any marketing email or by emailing privacy@pandacat.ca. Withdrawal of consent will be processed within 10 business days.
We implement commercially reasonable technical, administrative, and physical safeguards designed to protect your personal information against unauthorized access, disclosure, alteration, destruction, and loss. These measures include:
No Absolute Security. Despite these measures, no system is completely secure. We cannot guarantee the absolute security of your information and are not responsible for unauthorized access resulting from circumstances beyond our reasonable control, including your own failure to protect your account credentials. You are responsible for maintaining the confidentiality of your login credentials and for all activity occurring under your account.
Data Breach Notification. In the event of a data breach that poses a real risk of significant harm to you, we will notify you and applicable regulatory authorities as required by PIPEDA, Quebec's Law 25, the GDPR, and applicable U.S. state notification laws, within the timeframes prescribed by those laws.
Pandacat Inc. does not sell, rent, trade, or share your personal information with third parties for their own marketing or advertising purposes. We do not engage in the "sale" or "sharing" of personal information as defined under the California Consumer Privacy Act (CCPA/CPRA) or any equivalent state law.
If this practice changes in the future, we will provide prominent notice and, where required, an opt-out mechanism before any such sharing begins.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will update the "Last Updated" date at the top of this page whenever changes are made. While we will try to let you know about meaningful changes when we reasonably can, we are not obligated to provide advance notice — updates may take effect as soon as they are posted. We encourage you to review this page from time to time. Your continued use of the Service after any changes are posted constitutes your acceptance of the updated Privacy Policy.
We encourage you to review this Privacy Policy periodically. Previous versions are available upon request at privacy@pandacat.ca.
Privacy concerns or data subject requests? Contact our Privacy Officer at privacy@pandacat.ca
Canadian users may also contact the Office of the Privacy Commissioner of Canada with complaints.