Privacy Policy

Information We Collect

When you create an account, we collect information about your business including your business name, contact person name, email address, phone number, billing address, and business website URL. We use this information to provision your account, communicate with you, and process payments.

When callers contact your business through Aria, we collect the caller's phone number, the date and time of the call, and the content of the conversation (voice recording and transcript). If a caller provides additional information during the call — such as their name, address, appointment preferences, or reason for calling — that information is also captured and stored in your account. You, as the business operator, are responsible for ensuring your callers are appropriately informed about the use of Aria on your business phone lines.

All calls handled by Aria are recorded and transcribed. Call recordings are processed by Retell AI (our voice AI provider) and stored in accordance with your account settings. Transcripts are stored in your Aria dashboard. See Section 3 for full details on how call recordings are handled.

We automatically collect information about how you use the Service, including pages viewed in the dashboard, features used, configuration changes made, call volume, and session data such as your IP address, browser type, and operating system. We use this data to improve the Service, diagnose technical issues, and understand aggregate usage patterns.

Payment card details are collected and processed by Stripe, our payment processor. We do not store full credit card numbers on our servers. We retain only a Stripe-generated customer token, the last four digits of the card on file, card type, and billing address for invoice and account management purposes.

If you contact us by email, chat, or support ticket, we retain records of those communications to assist you and improve our support quality.

How We Use Information

We use the information we collect for the following purposes:

• Providing the Service: Operating the Aria AI receptionist on your behalf, routing calls, generating transcripts, and making call data available in your dashboard.
• Account management: Creating and maintaining your account, processing subscription payments, sending invoices, and communicating billing matters.
• Improving AI performance: Aggregate, de-identified call data may be used to improve the quality of Aria's responses, voice naturalness, and intent classification. We do not use your customers' personally identifiable information to train AI models without your explicit opt-in.
• Customer support: Responding to your questions, troubleshooting technical issues, and providing onboarding assistance.
• Analytics and product development: Understanding usage trends, identifying popular features, and planning new capabilities.
• Security and fraud prevention: Monitoring for unauthorized access, detecting abuse, and enforcing our Terms of Service.
• Legal compliance: Fulfilling our legal obligations under applicable law, including PIPEDA, CASL, HIPAA, and PHIPA where applicable.
• Marketing (with consent): Sending product updates, newsletters, and promotional communications where you have provided consent as required by CASL. See Section 8.

Call Recording & AI Processing

Aria processes voice calls using Retell AI's voice conversation platform. When a caller contacts your business through Aria:

• The call audio is transmitted to Retell AI's servers in real time for speech recognition and AI response generation.
• A recording of the call and a text transcript are generated and stored in your Aria dashboard.
• Caller intent, key information provided during the call (name, appointment time, reason for call), and any action taken by Aria (booking, message, escalation) are extracted and logged.

For accounts where PII redaction is enabled (available on all plans, required for healthcare-configured accounts), Aria automatically identifies and redacts sensitive personal information — including government ID numbers, financial account numbers, and full dates of birth — from stored transcripts. This does not affect real-time call processing but reduces sensitive data in stored records.

Call recordings are retained for the duration of your account plus 30 days following account termination. You can delete individual call recordings from your dashboard at any time. If you have a contractual data retention obligation (for example, certain healthcare or legal requirements to retain records for a specified period), you should export and retain records accordingly before deleting them from Aria.

Data Sharing & Sub-Processors

We do not sell your personal information or your customers' personal information to third parties. We share data only with the sub-processors necessary to operate the Service, under contractual obligations that require them to protect data at least as rigorously as we do.

Our current sub-processors are:

We may also disclose personal information: (a) to comply with applicable law, legal process, or a lawful government request; (b) to enforce our Terms of Service; (c) to protect the rights, property, or safety of BMBT Studio, our customers, or the public; or (d) in connection with a merger, acquisition, or sale of all or substantially all of our assets, in which case we will notify you and your data will remain subject to this Privacy Policy.

Data Storage & Cross-Border Transfers

BMBT Studio is incorporated in Toronto, Ontario, Canada. However, our infrastructure — including Retell AI, Twilio, Supabase, and Stripe — is hosted in the United States. As a result, personal information collected through the Service is transferred to and stored in the United States.

We take contractual and technical steps to protect data in transit and at rest, including encryption using TLS 1.2 or higher for data in transit and AES-256 encryption for data at rest. We require all sub-processors to maintain data security practices consistent with or exceeding applicable legal standards.

PIPEDA Compliance

As a Canadian company, BMBT Studio complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, substantially similar provincial privacy legislation. PIPEDA's ten fair information principles guide our data practices:

• Access: You have the right to request access to the personal information we hold about you and your account. We will respond to access requests within 30 days.
• Correction: You may request that we correct inaccurate or incomplete personal information in your account. Updates to account information can be made directly in your dashboard settings.
• Withdrawal of Consent: Where we rely on your consent to process personal information, you may withdraw that consent at any time. Withdrawal of consent may prevent us from being able to provide the Service to you.
• Complaint: If you believe we have not handled your personal information in accordance with PIPEDA, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca.

We collect, use, and disclose personal information only with your knowledge and consent, except where the law permits otherwise. Consent may be express (such as checking a box) or implied (such as providing your information when signing up for the Service). You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.

BMBT Studio is responsible for the personal information under our custody and control. Our Privacy Officer can be reached at privacy@bmbtstudio.com. We have implemented policies and practices to give effect to the principles in PIPEDA and have designated an individual accountable for compliance.

We collect only the personal information that is necessary for the identified purposes. We do not collect information indiscriminately.

HIPAA & PHIPA (Healthcare Clients)

BMBT Studio is prepared to enter into a Business Associate Agreement (BAA) with covered entities and their business associates subject to the U.S. Health Insurance Portability and Accountability Act (HIPAA). A BAA must be executed before you deploy Aria in a HIPAA-covered context. To request a BAA, contact privacy@bmbtstudio.com.

We have executed a Business Associate Agreement with Retell AI, our voice processing provider, covering the handling of Protected Health Information (PHI) transmitted through voice calls. This BAA is in effect for all healthcare-configured Aria accounts.

For healthcare providers in Ontario subject to the Personal Health Information Protection Act (PHIPA), Aria constitutes a service provider relationship. We handle personal health information (PHI) only as directed by you, the health information custodian. We do not use PHI for purposes other than those specified by you. We maintain safeguards consistent with our obligations under your service provider agreement.

PII redaction is enabled by default on all healthcare-configured accounts. This means sensitive identifiers are automatically redacted from stored transcripts after processing. Additionally, Aria's healthcare agent configurations include an automatic call-recording disclosure at the beginning of each call, informing callers that the call is handled by an AI system and may be recorded.

We apply the HIPAA minimum necessary standard: we access, use, and disclose only the minimum PHI required to perform the contracted service. Our staff with access to PHI are trained on privacy obligations and bound by confidentiality obligations.

In the event of a breach of unsecured PHI, we will notify you without unreasonable delay and in any case within the timeframes required by applicable law, to allow you to meet your own breach notification obligations under HIPAA or PHIPA.

CASL Compliance

Canada's Anti-Spam Legislation (CASL) governs the sending of commercial electronic messages. We comply with CASL in our marketing communications practices.

We send marketing emails only to individuals who have provided express consent to receive such communications — for example, by checking an opt-in box when signing up for a trial or subscribing to our newsletter. We maintain records of all consents obtained.

We may send commercial electronic messages based on implied consent where permitted by CASL, such as to existing customers within two years of their last transaction, or to individuals who have made a business inquiry to us within six months.

Every marketing email we send includes a clear and functional unsubscribe mechanism. Unsubscribe requests are honored within 10 business days. To unsubscribe from marketing communications at any time, click the unsubscribe link in any of our emails or contact us at privacy@bmbtstudio.com.

Service emails such as account confirmation, invoices, password resets, and critical service notifications are not marketing messages and are sent regardless of marketing consent status. These are necessary for the operation of your account.

If you use Aria's SMS follow-up or email features to communicate with your own customers, you are responsible for ensuring those communications comply with CASL. You must have obtained appropriate consent from your customers before using Aria's automated SMS or email features to send commercial messages to them. BMBT Studio is not responsible for CASL violations arising from your use of the platform to contact your customers.

Data Retention

We retain personal information only as long as necessary for the purposes described in this policy, or as required by applicable law.

• Active accounts: We retain all account data, call records, transcripts, and recordings for the duration of your active subscription.
• After account termination: Your data is retained for 30 days following account closure, during which time you may export your data or request deletion. After 30 days, your data is permanently deleted from our production systems.
• Billing records: Transaction and billing records are retained for 7 years as required by Canadian tax law.
• Backup systems: Data may persist in encrypted backup systems for up to 90 days following deletion from production systems, after which it is permanently purged.
• Legal holds: If your data is subject to a legal hold, litigation, or regulatory investigation, we may retain it beyond the standard retention periods until the matter is resolved.
• Healthcare records: If you are a healthcare provider, you are responsible for your own record-keeping obligations. Export records from Aria before account termination if applicable regulations require you to retain them.

You may request deletion of specific call records from your dashboard at any time. To request deletion of all personal information associated with your account (including upon account cancellation), contact privacy@bmbtstudio.com. We will confirm deletion within 30 days, subject to any legal retention obligations.

Security Measures

We implement technical and organizational safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These measures include:

• Encryption in transit: All data transmitted between your browser, our servers, and our sub-processors is encrypted using TLS 1.2 or higher.
• Encryption at rest: Data stored in our databases is encrypted at rest using AES-256.
• Access controls: Access to personal data is restricted to authorized employees on a need-to-know basis. All staff with access to personal data are bound by confidentiality obligations.
• Authentication: Multi-factor authentication is required for all administrative access to production systems.
• Sub-processor security: Our sub-processors maintain independent security certifications. Supabase and Stripe maintain SOC 2 Type II certifications. Retell AI and Twilio maintain security programs aligned with industry standards.
• Vulnerability management: We conduct regular security reviews and promptly remediate identified vulnerabilities.
• Incident response: We maintain an incident response plan and will notify affected customers of security breaches as required by applicable law.

No security system is impenetrable. While we take reasonable steps to protect your information, we cannot guarantee absolute security. We encourage you to use a strong, unique password for your Aria account and to notify us immediately at privacy@bmbtstudio.com if you suspect unauthorized access.

Children's Privacy

The Aria Service is a business-to-business platform intended for use by businesses and their adult employees. It is not directed at individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have inadvertently collected personal information from an individual under 18, we will delete that information promptly. If you believe we have collected such information, please contact us at privacy@bmbtstudio.com.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, our Service, or applicable law. When we make material changes, we will:

• Update the "Last Updated" date at the top of this page.
• Send an email notification to the primary account email address on file.
• Where required by law, seek your renewed consent before applying material changes to how we process your data.

Your continued use of the Service after the effective date of any updated policy constitutes your acceptance of the changes. We encourage you to review this page periodically. The previous version of this policy is available upon request.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact our Privacy Officer:

If you are not satisfied with our response to a privacy concern, you may contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca or by phone at 1-800-282-1376.