This Privacy Policy describes how Legacy Universal Solutions LLC ("LUS," "we," "us," or "our") collects, uses, and discloses information in connection with our provision of an AI-powered voice assistant and related services (collectively, the "Service").
This policy applies to the information we collect from our business clients who subscribe to our Service and to the information we automatically collect through the operation of our Service. It is a public-facing document intended to provide transparency to our clients, their end-users, and regulators.
It is essential to understand our role. LUS provides the Service to our business clients (e.g., dental offices, service companies). These clients are the "Data Controllers" (under laws like the VCDPA) or "Businesses" (under laws like the CCPA/CPRA). They determine the purposes and means of processing personal data through our Service.
LUS acts as a "Data Processor" or "Service Provider," processing personal data on behalf of and at the instruction of our clients. Our clients are responsible for their own privacy practices, including providing appropriate notice to their end-users ("Consumers") and obtaining all necessary consents required by law for us to process the Consumers' personal information through the Service.
If you are a Consumer whose information has been processed by our Service, you should direct any inquiries or requests to exercise your privacy rights to the business that is our client.
We collect and process several categories of information.
Information About Our Clients (Controllers): When a business subscribes to our Service, we collect information necessary to create and manage their account, such as contact name, company name, email address, phone number, account credentials, and billing information.
Information We Process on Behalf of Our Clients (Consumer Data): We process personal information of Consumers only upon the instruction of our clients. The specific information processed depends on what our client provides to us and the nature of the interaction. This may include:
Contact Information: Name, phone number, email address.
Appointment Information: Date, time, purpose, and status of appointments.
Communication Data: Audio recordings of calls made by the Service, transcripts of those calls, and the content of text messages sent and received.
Information Collected Automatically: When anyone interacts with our Service, we automatically collect certain technical information to ensure its security and functionality. This includes device and usage information, IP addresses, browser and device characteristics, operating system, language preferences, and log data.
In accordance with the VCDPA and CCPA/CPRA, this section provides a detailed summary of our practices for processing Consumer data on behalf of our Clients.
Identifiers: We process identifiers such as names, email addresses, phone numbers, and IP addresses. These are collected and used for the business purpose of providing and managing the Service, initiating communications on our Clients' behalf as they instruct, and for securing and monitoring our platform against fraud and abuse. We may disclose this category of information to our Clients (who are the Data Controllers), as well as to our essential service providers like Cloud Hosting Providers and Communication Platform as a Service (CPaaS) Providers.
Audio, Electronic, or Similar Information: We process audio, electronic, or similar information, which includes call recordings, the voiceprints contained within them, and the content of text messages. The business purpose for processing this information is to execute the core functions of the AI Voice Assistant, provide call transcripts and summaries to our Clients, and for internal service improvement and quality assurance, which we perform on a de-identified or aggregated basis where possible. This information may be disclosed to our Clients (the Data Controllers) and to our infrastructure partners, including Cloud Hosting Providers and Speech-to-Text Service Providers.
Sensitive Personal Information: We process certain sensitive personal information as defined under applicable privacy laws. This includes biometric information derived from voice data and information that may implicitly reveal health conditions through appointment details. This data is processed solely on behalf of our Clients to provide the Service as instructed by them, and we do not use this data for any independent purpose. Disclosure of this information is limited to our Clients (the Data Controllers) and the necessary service providers who support the Service's functionality, such as Cloud Hosting and Speech-to-Text providers, under strict confidentiality and security obligations.
Commercial Information: We process commercial information, which includes records of services or appointments that a Consumer has requested from our Client. The business purpose is to facilitate appointment booking, confirmation, and follow-up communications as directed by our Clients. This information is disclosed to our Clients (the Data Controllers).
Internet or Other Electronic Network Activity: We process internet or other electronic network activity information, such as browser and device data, usage logs, and data about interactions with our Service. We collect this for the business purposes of maintaining, securing, and debugging the Service, analyzing and improving its performance, and preventing fraudulent activity. This information may be disclosed to specialized third-party providers, such as Data Analytics and Security Monitoring Service Providers.
Our primary use of personal information is to provide, operate, maintain, and improve the Service for our clients. We state explicitly that we do not use the content of our clients' end-user communications (such as the substance of call recordings or text messages) to train our general AI models that serve other customers. We may use anonymized or aggregated metadata (e.g., call duration, success rates) for system performance analytics and reporting, a standard practice for maintaining service quality.
We do not sell or share Consumer personal information as those terms are defined by the VCDPA and CCPA/CPRA. We may disclose information in the following limited circumstances:
With Our Clients (Data Controllers): We share the information we process on their behalf directly back to them. This includes call recordings, transcripts, and appointment outcomes.
With Our Service Providers (Sub-processors): We engage third-party service providers to support our Service, such as cloud hosting (e.g., AWS, Google Cloud) and communications infrastructure providers. These providers are contractually bound to process data only on our instructions and to implement robust security measures.
For Legal Reasons: We may disclose information if required by law, subpoena, or other legal process, or to protect our rights, property, or safety, or that of our clients or others.
In Connection with a Business Transfer: If LUS is involved in a merger, acquisition, or sale of assets, information may be transferred as part of that transaction.
We have implemented and maintain reasonable administrative, technical, and physical security measures designed to protect the information we process from unauthorized access, destruction, use, modification, or disclosure. These measures include AES-256 encryption for data at rest, TLS 1.2+ encryption for data in transit, strict access controls, and regular security assessments.
We retain Consumer personal information for as long as directed by our client in our contractual agreement, or as long as necessary to comply with our legal obligations. When our client's account is terminated, we will delete or return the Consumer data according to the terms of our agreement.
As we are a Data Processor, Consumers should direct any requests to exercise their privacy rights (such as the right to access, correct, or delete their data) to the business on whose behalf we processed the information (the Data Controller). If you submit a request to us, we will make a reasonable effort to identify the relevant client and forward your request to them. You may contact us for assistance at
stefano@xleadpro.com
If you are a California resident, you have specific rights regarding your personal information, including:
Right to Know: The right to request information about the categories and specific pieces of personal information we have processed.
Right to Delete: The right to request the deletion of your personal information, subject to certain exceptions.
Right to Correct: The right to request the correction of inaccurate personal information.
Right to Opt-Out of Sale/Sharing: We do not sell or share personal information.
Right to Limit Use of Sensitive Personal Information (SPI): The right to limit the use and disclosure of your SPI. As we only process SPI on behalf of our clients, this right should be exercised directly with them.
Right to Non-Discrimination: You have the right not to be discriminated against for exercising your privacy rights.
To exercise these rights, please contact the business (our client) who is the Data Controller of your information.
If you are a Virginia resident, you have specific rights regarding your personal data, including:
Right to Access: The right to confirm if we are processing your personal data and to access it.
Right to Correct: The right to correct inaccuracies in your personal data.
Right to Delete: The right to delete your personal data.
Right to Data Portability: The right to obtain a copy of your data in a portable format.
Right to Opt-Out: The right to opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects. We do not sell personal data or use it for targeted advertising.
Right to Appeal: If you make a request to a Data Controller and they deny it, you have the right to appeal their decision.
To exercise these rights, please contact the business (our client) who is the Data Controller of your information.
Our Service is not directed to children under the age of 16. We do not knowingly collect personal information from children. Our clients are contractually obligated to ensure they have obtained verifiable parental consent as required by the Children's Online Privacy Protection Act (COPPA), VCDPA, and CCPA/CPRA before providing us with any personal information of a known child. If we become aware that we have inadvertently processed a child's information without such consent, we will take steps to delete it promptly.
Our Service is operated and hosted in the United States. All information we process is stored and processed in the United States. By using our Service, our clients understand and consent to this transfer and processing.
We may update this Privacy Policy from time to time. The "Last Updated" date at the top of this policy indicates when it was last revised. We encourage you to review it periodically.
For any questions about this Privacy Policy, please contact us at:
Legacy Universal Solutions LLC
Contact: Stefano Devigili
stefano@xleadpro.com