Privacy Policy

This Privacy Policy explains how KMB Solutions LLC (“Company,” “we,” “us,” or “our”), operating under the trade names Nexus Agent Systems and Stratos Digital (collectively, the “Brands”), collects, uses, discloses, and protects information when you use our AI voice and chat agent web application, websites, and services. ScanPlate.io and CleanBase.io are products operated under the Stratos Digital trade name, and this Privacy Policy applies equally to those products and to any other current or future products operated under the Stratos Digital or Nexus Agent Systems trade names. This Privacy Policy describes our privacy practices and the choices available to you. Your use of our websites, applications, and services is also subject to our applicable Terms of Service or other written agreement with you or your organization.

1. Information We Collect

1.1 Information You Provide Directly

• Contact details: name, email address, phone number, company name
• Payment and billing information processed through Stripe, Inc., which acts as an independent PCI-DSS compliant payment processor.
• The Company does not store raw payment card information.
• Service configuration and agent customization preferences
• Communications you send us via our web application, email, or support channels
• Information submitted through contact forms, demo requests, event registration forms, meeting-booking forms, and similar data-capture interfaces on Company or Brand websites, including free-form text fields, business information, scheduling information, and related communications. This information may be processed and stored in the Company’s customer relationship management, workspace, calendar, and internal operations systems, including HubSpot and Google Workspace.

1.2 Information Collected Automatically

• Call metadata: caller ID, call duration, timestamp, call direction
• Call recordings, where enabled and where permitted by applicable law with required consent
• Customers enabling call recording functionality must ensure that legally sufficient notice and consent are provided to call participants where required under applicable law.
• Where the Company configures or operates AI voice agents on behalf of Customers, the Company may configure such agents to provide verbal disclosures at or near the beginning of recorded interactions. Customers remain responsible for determining whether call recording, call monitoring, AI-agent disclosure, TCPA, consent, or industry-specific notices are required for their particular use case, jurisdiction, callers, and call flows, and for ensuring that their scripts and practices comply with applicable law.
• The Company does not create or store biometric voice identifiers or voiceprints.
• Voice data processed through the platform is used solely to facilitate voice communication and AI voice synthesis functionality.
• SMS message content and delivery metadata
• Voice interaction data processed through our AI voice agent platform
• Interaction context indicating that the user may be communicating with an automated AI voice agent rather than a human representative
• Web application usage: IP address, browser type, pages visited, session data, cookies
• API request logs, error logs, and system performance data

1.3 Information From Third Parties

• Caller identification data from Telnyx LLC as part of telephony services
• Network and traffic data from Cloudflare, Inc. edge infrastructure

1.4 Meeting Recordings and Transcripts

Meetings, calls, consultations, demonstrations, and sales or support sessions between Company personnel and prospective or current customers may be recorded, transcribed, or summarized for note-taking, follow-up accuracy, training, quality assurance, internal operations, and dispute-resolution purposes. Where required by law, the Company will seek consent before recording. Participants may decline to be recorded by notifying the Company before or at the start of the meeting. Meeting recordings and transcripts may be processed by service providers such as Plaud.AI and Google/Gemini, as identified in the sub-processor table below.

2. How We Use Your Information

We use collected information to:

• Deliver, operate, and improve our AI voice and chat agent services
• Process payments and manage billing through Stripe, Inc.
• Route and connect telephone calls and SMS messages via Telnyx LLC
• Generate AI voice responses through ElevenLabs, Inc. voice synthesis
• Automate service workflows through n8n GmbH orchestration
• Send account, service, and support communications
• Comply with legal obligations and enforce our Terms of Service
• Protect platform security and integrity
• Record, transcribe, summarize, and follow up on meetings, calls, demonstrations, and support sessions, where permitted by law and with required consent.

Depending on the context in which the Services are used, the Company may act as either a data controller or a data processor with respect to personal information processed through the platform. Where the Company processes data on behalf of a customer using the Services, the customer acts as the data controller and the Company acts as a service provider or processor.

3. Sub-Processors and Third-Party Disclosures

We use the service providers and sub-processors listed below to provide, operate, secure, support, and improve the Services. These providers may process personal information only for the purposes described in this Policy, the applicable customer agreement, and any applicable data processing terms. Where we process personal information on behalf of a customer, these providers act as sub-processors to the extent applicable.

We do not sell your personal information to third parties. We do not share your information with advertisers or data brokers.

3.1 ElevenLabs Voice Synthesis — Specific Disclosure

When end users interact with a Company AI voice agent, the text content of those interactions is transmitted to ElevenLabs, Inc. in real time for voice synthesis. ElevenLabs processes this data under its own Privacy Policy (elevenlabs.io/privacy) and under our data processing arrangement. Under the Company’s enterprise licensing arrangement with ElevenLabs, voice synthesis inputs transmitted for audio generation are not used by ElevenLabs to train or improve its machine learning models, except where necessary for abuse prevention or platform security as permitted under the applicable service agreement.

Where ElevenLabs functionality is incorporated into Company voice agents or customer-facing services, ElevenLabs may process end-user interaction content to generate or deliver AI voice functionality. Voice agent interactions may also be processed by additional large-language-model providers selected on a per-agent or per-workflow basis, including Anthropic, OpenAI, and Google/Gemini, where configured. Depending on the customer configuration, agent settings, workflow, or service feature, ElevenLabs and/or related AI providers may process prompts, conversation context, system prompts, transcripts, generated responses, generated audio, voice settings, response-generation context, API request metadata, usage logs, and related technical metadata solely to provide the configured service functionality, subject to applicable service terms, privacy policies, and contractual data-protection commitments. The Company does not authorize these providers to use Customer-specific Personal Data to train general-purpose AI models, except as permitted for abuse prevention, safety, security, or legal compliance under applicable service terms. Customers are responsible for providing any end-user notices and obtaining any consents required for their specific call flows, jurisdictions, and use cases.

3.2 Telnyx Telephony — Specific Disclosure

Telephone calls and SMS messages delivered through our services are routed via Telnyx LLC, a licensed telecommunications carrier. Telecommunications data processed through the Services may constitute Customer Proprietary Network Information (CPNI) under applicable U.S. telecommunications regulations. The Company and its telephony service providers process such information solely for the purpose of providing and maintaining the Services. Telnyx processes call metadata, phone numbers, call recordings (where applicable), and SMS content as a sub-processor. Telnyx is subject to CPNI regulations under federal telecommunications law. See telnyx.com/privacy. The Company does not use CPNI for marketing purposes and does not access or use CPNI except as reasonably necessary to provide, maintain, secure, support, or bill for the Services, or as otherwise permitted or required by applicable law.

Customers using the Services are responsible for complying with applicable telecommunications laws, including the Telephone Consumer Protection Act (TCPA) and state call recording consent laws where calls are recorded.

3.3 International Data Transfers

Personal information processed through the Services may be transferred to and processed in the United States, the European Union, the United Kingdom, and other jurisdictions where the Company or its authorized sub-processors operate. Where personal information is transferred from the European Economic Area, United Kingdom, Switzerland, or another jurisdiction with data-transfer restrictions to a country that has not been recognized as providing an adequate level of protection, the Company relies on appropriate safeguards, which may include Standard Contractual Clauses, data-processing agreements, supplementary safeguards, and other lawful transfer mechanisms recognized under applicable data-protection laws.

4. Data Retention

We retain personal information only for as long as reasonably necessary for the purposes described in this Policy, unless a longer period is required or permitted by law, contract, security needs, dispute resolution, tax/accounting requirements, or customer configuration. Current retention periods generally include:

We may retain de-identified, aggregated, or anonymized information for longer periods where it cannot reasonably be used to identify an individual.

5. Your Privacy Rights

Depending on your location and the nature of your relationship with us, you may have rights to request access to, correction of, deletion of, or portability of your personal information, to object to or restrict certain processing, to withdraw consent where processing is based on consent, or to appeal a privacy-rights decision.

To submit a request, contact us at legal@stratosdigital.ai or any other privacy contact address listed in Section 13. We may need to verify your identity and authority before processing a request. Authorized agents may submit requests where permitted by law, but we may require proof of authorization. We will respond within the timeframe required by applicable law, generally within 45 days unless a different period applies or an extension is permitted.

6. Data Security

• API key and credential management via Doppler Security, Inc.
• TLS encryption for all data in transit
• Access controls limiting data access to authorized personnel
• Cloudflare edge security, DDoS protection, and WAF

The Company maintains an internal security and compliance program and is pursuing SOC 2 Type 1 and Type 2 readiness and attestation. Current security and compliance materials may be made available to customers upon request, subject to appropriate confidentiality restrictions. No security system is impenetrable. We will comply with applicable breach notification laws in the event of a data breach.

7. Children’s Privacy

Our Services are directed to businesses and individuals acting in a business or professional capacity, and are not directed to children. We do not knowingly collect personal information from children under 13 in accordance with COPPA, and we do not knowingly sell or share the personal information of consumers under 16 as those terms are used under the CCPA/CPRA. If you believe a child has provided personal information to us, please contact us so we can review and take appropriate action.

8. Changes to This Policy

We may update this Policy from time to time. Material changes will be posted with an updated effective date. Continued use of our services after the effective date of a revised Policy constitutes acceptance.

9. California Privacy Rights (CCPA / CPRA)

This section applies to residents of the State of California and supplements the rest of this Privacy Policy. It is provided pursuant to the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), and applies to the extent Company meets applicable CCPA/CPRA thresholds.

9.1 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information as defined under the CCPA:

• Identifiers (name, email address, phone number, IP address)
• Commercial information (payment records, subscription history, billing data)
• Internet or other electronic network activity (web app usage, IP logs, session data, cookies)
• Audio and voice data (call recordings and AI voice interaction data, where enabled)
• Professional or employment-related information (company name, business type, job role, where provided)

9.2 Purposes of Collection

We collect the categories of personal information listed above for the business purposes described in Section 2 of this Privacy Policy, including service delivery, payment processing, platform security, and legal compliance. We do not collect personal information for purposes other than those disclosed in this Policy. We disclose personal information only to service providers and vendors that perform functions on our behalf, including telecommunications carriers, cloud infrastructure providers, payment processors, and workflow automation providers.

9.3 Sale or Sharing of Personal Information

We do not sell your personal information to third parties. We do not share your personal information for cross-context behavioral advertising purposes. Because we do not sell or share personal information as defined under the CCPA/CPRA, we do not offer a “Do Not Sell or Share” opt-out mechanism. If our practices change, we will update this Policy and provide required opt-out mechanisms before any such sharing begins.

9.4 Your California Rights

California residents have the following rights under the CCPA/CPRA, subject to applicable exceptions:

9.5 How to Submit a Request

California residents may submit privacy rights requests by emailing legal@stratosdigital.ai with the subject line “California Privacy Request.” We will acknowledge your request within 10 business days and respond within 45 calendar days. If we require additional time, we will notify you of the extension in writing. We may need to verify your identity before processing your request. Authorized agents may submit requests on your behalf with written authorization.

10. Additional State Privacy Rights

Residents of certain states, including Delaware and Texas, may have additional privacy rights where the applicable state privacy law applies to the Company and the relevant processing activity. These rights may include the right to access, correct, delete, or obtain a copy of personal data, the right to opt out of certain targeted advertising, sale of personal data, or profiling, and the right to appeal a denied request.

We do not sell personal information or share personal information for cross-context behavioral advertising as described in this Policy. To submit a state privacy request, please contact us using the contact information below and include your state of residence and the nature of your request.

11. European Economic Area, United Kingdom, and Switzerland

Where the GDPR, UK GDPR, or similar law applies, the Company processes personal data based on one or more lawful bases, including performance of a contract, legitimate interests, consent, compliance with legal obligations, or processing on behalf of a customer as processor/service provider. Individuals may have rights to access, correct, delete, restrict, object to processing, request portability, or lodge a complaint with a supervisory authority. Where we process personal data on behalf of a customer, we may direct requests to that customer as the applicable controller.

12. Cookies and Tracking Technologies

We and our service providers may use cookies, pixels, tags, local storage, and similar technologies to operate our websites and web applications, secure sessions, remember preferences, understand usage, improve performance, detect abuse, and support analytics or customer relationship management. These technologies may include strictly necessary cookies, functional cookies, analytics cookies, and security-related cookies.

You can control cookies through your browser settings and, where available, through cookie-consent or preference tools on our websites. Disabling some cookies may affect website or application functionality. We do not use cookies to sell personal information or share personal information for cross-context behavioral advertising as described under the CCPA/CPRA.

13. Contact

If the Company establishes brand-specific privacy addresses, those addresses may also be used and routed to the same privacy team.