PRIVACY POLICY

BridgeDesk AI Privacy Policy

Effective date: May 21, 2026

Last updated: May 21, 2026

This Privacy Policy explains how BridgeDesk AI ("BridgeDesk AI," "we," "us," "our") collects, uses, discloses, and protects personal information when you use our website, request a demo, or use our AI receptionist services for chat, qualification, and booking workflows.

This policy is intended to comply with applicable U.S. privacy laws including, without limitation, the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Texas Data Privacy and Security Act (TDPSA), and other applicable U.S. state privacy laws. It is provided as a business disclosure and does not constitute legal advice.

1. Scope and Roles

This policy applies to information processed through bridgedeskai.com and all related service touchpoints, including our APIs, mobile applications, and integrations.

  • Business / Controller: For website visitors, marketing, and lead forms, BridgeDesk AI is the "business" (under CCPA/CPRA) or "controller" (under applicable U.S. state privacy laws).
  • Service Provider / Processor: For customer workspace data processed on behalf of a business client, BridgeDesk AI acts as a "service provider" (under CCPA/CPRA) or "processor" (under applicable U.S. state laws). We process such data only under documented instructions from the customer and pursuant to our Data Processing Agreement (DPA).
  • Our customers are independently responsible for providing appropriate notices to their end users, establishing valid legal bases for processing, and configuring the platform in compliance with applicable law.
  • A copy of our standard DPA is available upon request at privacy@bridgedeskai.com. Enterprise customers may request a countersigned DPA as part of their subscription agreement.

2. Information We Collect

Depending on how you engage with us, we may collect the following categories of personal information:

A. Information You Provide Directly

  • Identity and contact data: name, work email address, phone number, company name, job title, and role.
  • Service inquiry data: selected inquiry type, project context, and other information you voluntarily share in forms, demos, or onboarding flows.
  • Account credentials: username, hashed password, and multi-factor authentication data for registered users.
  • Billing information: payment card details, billing address, and transaction history (processed by our PCI-compliant payment processor; we do not store raw card data).
  • Support and communications data: emails, chat messages, and other correspondence sent to our team.

B. Information Collected Automatically

  • Usage and operational data: event logs, feature interactions, session duration, diagnostics, and error reports.
  • Device and browser data: IP address, browser type and version, operating system, device identifiers, and time zone.
  • Cookies and tracking data: see Section 7 (Cookies and Similar Technologies) for details.

C. Customer-Provided Workflow Data

  • Conversation transcripts, scheduling requests, qualification responses, routing metadata, and any other content submitted to the platform by customers or their end users.

D. Sensitive Personal Information

We do not intentionally collect sensitive personal information (as defined under CPRA and similar laws, including Social Security numbers, financial account credentials, health data, biometric data, precise geolocation, racial or ethnic origin, religious beliefs, or contents of private communications) unless strictly required for a specific contracted workflow. Where such processing is necessary, we will maintain appropriate safeguards and, where required by law, provide a separate disclosure and opt-in mechanism. Customers must not submit sensitive data beyond what is expressly authorized by the applicable DPA.

3. How We Use Information

We use personal information for the following purposes:

  • Service delivery: Provide, maintain, monitor, and improve our AI receptionist platform, including qualification, booking, and escalation workflows.
  • Account and customer management: Create and manage accounts, process payments, and respond to demo, onboarding, or support inquiries.
  • Communications: Send transactional messages (e.g., booking confirmations, password resets) and, where you have opted in or we have a lawful basis, product updates and marketing communications.
  • Security and integrity: Detect, investigate, and prevent fraud, abuse, unauthorized access, and other security incidents.
  • Analytics and improvement: Analyze usage patterns, conduct research, and improve service reliability and performance using de-identified or aggregated data where possible.
  • AI model operation: Power AI-driven response generation, lead scoring, and workflow recommendations as described in Section 6.
  • Legal compliance: Comply with applicable laws and regulations, respond to lawful requests, and enforce our Terms of Service and other agreements.
  • Business transactions: Evaluate or execute mergers, acquisitions, restructurings, or asset sales as described in Section 9.

We will not use personal information for purposes materially different from those described here without providing prior notice and, where required, obtaining consent.

4. Legal Bases for Processing (GDPR / UK GDPR)

Where the GDPR or UK GDPR applies, we rely on one or more of the following lawful bases:

  • Contract (Art. 6(1)(b)): Processing necessary to perform our contract with you or to take steps at your request before entering a contract (e.g., account creation, service delivery, billing).
  • Legitimate interests (Art. 6(1)(f)): Processing necessary for our legitimate interests, including operating and securing our platform, preventing fraud, analyzing usage, and sending direct marketing to existing customers, provided those interests are not overridden by your rights and freedoms.
  • Consent (Art. 6(1)(a)): Where we rely on your freely given, specific, informed, and unambiguous consent, including for certain marketing communications, non-essential cookies, and any sensitive data processing. You may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Legal obligation (Art. 6(1)(c)): Processing required to comply with applicable law (e.g., tax, fraud prevention, regulatory requirements).
  • Vital interests (Art. 6(1)(d)): In rare circumstances where processing is necessary to protect someone's life.

For special category data (Art. 9 GDPR), we rely on explicit consent or another applicable exception under Art. 9(2). You may request details of the specific legal basis applicable to any processing activity by contacting us.

5. California Privacy Rights (CCPA / CPRA)

This section applies to California residents. In the preceding 12 months, we have collected the categories of personal information described in Section 2 for the business and commercial purposes described in Section 3.

Sale and Sharing of Personal Information

We do not sell personal information for monetary consideration. We may "share" (as defined under CPRA) certain identifiers and usage data with advertising partners for cross-context behavioral advertising purposes. California residents may opt out of such sharing by clicking "Do Not Share My Personal Information" in our cookie preference center or by submitting a request using the contact details in Section 15.

We do not have actual knowledge that we sell or share the personal information of consumers under 16 years of age.

Sensitive Personal Information

Where we collect sensitive personal information as defined by CPRA, we use and disclose it only as necessary to provide the requested service, as authorized by CPRA Section 1798.121. We do not use sensitive personal information for inferring characteristics about you. You have the right to limit our use of sensitive personal information.

Your California Rights

California residents have the right to:

  • Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, and the categories of sources, business/commercial purposes, and third parties involved.
  • Delete: Request deletion of your personal information, subject to certain exceptions.
  • Correct: Request correction of inaccurate personal information we hold about you.
  • Opt out of sale/sharing: Opt out of the sale or sharing of your personal information.
  • Limit use of sensitive PI: Limit our use and disclosure of sensitive personal information.
  • Non-discrimination: Not be discriminated against for exercising any of these rights.

To submit a verifiable consumer request, contact us at privacy@bridgedeskai.com. We will respond within 45 days (extendable by an additional 45 days with notice). You may designate an authorized agent to submit requests on your behalf.

6. AI and Automated Processing

  • We use AI models and automation to support response generation, lead qualification, scheduling, and workflow recommendations.
  • Automated decision-making (GDPR Art. 22): Where our platform makes automated decisions that produce legal or similarly significant effects on individuals, we will provide a specific disclosure and, where required, obtain explicit consent or rely on another Art. 22(2) exception. Individuals have the right to request human review, contest the decision, and obtain an explanation of the logic involved. Contact us to exercise these rights.
  • Automated outputs may contain errors or incomplete information and should be reviewed by a qualified human where accuracy is critical (e.g., healthcare, legal, or financial contexts).
  • Customers are responsible for configuring appropriate escalation, human-in-the-loop approval, and policy controls for their industry and applicable regulatory requirements.
  • Model training: We do not use customer personal data to train our core AI models without explicit contractual authorization. We may use de-identified or aggregated operational data to improve service reliability and performance, subject to applicable agreements and law.
  • Third-party AI providers: We may utilize third-party AI model providers (e.g., large language model APIs) as subprocessors. These are listed in our subprocessor register, available upon request. We require all AI subprocessors to maintain appropriate confidentiality and data protection obligations.
  • EU AI Act: We are committed to compliance with the EU AI Act as applicable to our services and will update our disclosures accordingly as requirements take effect.

7. Cookies and Similar Technologies

We use cookies, pixel tags, local storage, and similar technologies on our website and platform. We categorize these as follows:

  • Strictly necessary: Required for core site functionality, security, and authentication. These cannot be disabled.
  • Functional / preference: Remember your settings and preferences to improve your experience.
  • Analytics / performance: Help us understand how visitors interact with the site (e.g., pages visited, error rates). Data is typically aggregated or pseudonymized.
  • Marketing / advertising: Used to deliver relevant advertising and measure campaign performance across sites. These may involve sharing data with advertising partners.

Where required by law (e.g., under the EU ePrivacy Directive / Cookie Law), we will obtain your consent before placing non-essential cookies via our cookie consent banner. You can manage or withdraw consent at any time through our cookie preference center (accessible via the "Cookie Settings" link in the site footer) or through your browser settings. Note that disabling certain cookies may affect site functionality.

We honor Global Privacy Control (GPC) signals as an opt-out of sale/sharing for California residents.

8. Sharing and Disclosure

We may disclose personal information to the following categories of recipients:

  • Service providers and subprocessors: Vendors providing hosting, cloud infrastructure, analytics, communications, CRM, security, payment processing, and support services, acting under written data processing agreements.
  • AI model providers: Third-party AI API providers used to power our automated features, bound by appropriate confidentiality and data protection obligations. A current subprocessor list is available upon request.
  • Professional advisors: Auditors, insurers, legal counsel, and financial advisors as needed for business operations, under confidentiality obligations.
  • Law enforcement and regulators: Where required by applicable law, legal process, court order, or governmental authority, or to protect the rights, property, or safety of BridgeDesk AI, our customers, or the public.
  • Business transfers: A successor entity in connection with a merger, financing, acquisition, restructuring, bankruptcy, or sale of all or a portion of our assets, subject to standard confidentiality protections.
  • With your consent: To any other party with your prior consent.

No sale for monetary consideration. We do not sell personal information in exchange for money. As noted in Section 5, we may share data for cross-context behavioral advertising purposes; California residents may opt out of this sharing.

9. Data Retention

We retain personal information for as long as necessary to fulfill the purposes described in this policy, including to provide our services, comply with legal obligations (e.g., tax, accounting, and regulatory requirements), resolve disputes, enforce agreements, and maintain business records.

Typical retention periods by data type:

  • Account and billing data: Duration of the customer relationship plus 7 years (for tax and accounting purposes).
  • Conversation and workflow data: As specified in the applicable customer DPA or, in the absence of agreement, up to 24 months following contract termination, after which data is deleted or anonymized.
  • Usage and log data: Generally up to 12 months, subject to security and compliance needs.
  • Marketing contact data: Until you opt out or withdraw consent, or as required by applicable law.
  • Support records: Up to 3 years after ticket closure.

Upon termination of a customer account, we will delete or return customer data in accordance with our DPA and applicable contractual terms.

10. Security

We implement reasonable and appropriate administrative, technical, and organizational safeguards designed to protect personal information against unauthorized access, disclosure, alteration, loss, or destruction. These include (but are not limited to) encryption of data in transit and at rest, access controls and least-privilege principles, security monitoring and logging, regular vulnerability assessments, and vendor security reviews.

No method of transmission or storage is completely secure. We cannot guarantee absolute security, but we are committed to promptly addressing vulnerabilities and incidents.

Data breach notification: In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will notify affected customers and, where required by law, relevant supervisory authorities, within the timeframes required by applicable law (e.g., 72 hours under GDPR). We will provide affected individuals with notice as required by applicable state and international breach notification laws.

To report a security vulnerability, please contact security@bridgedeskai.com.

11. International Data Transfers

BridgeDesk AI is based in the United States. We and our service providers may process personal information in countries other than the country in which you are located. These countries may have data protection laws that differ from those in your jurisdiction.

Where we transfer personal information from the European Economic Area (EEA), the United Kingdom, or Switzerland to countries that have not received an adequacy decision from the European Commission or relevant authority, we use appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs): The European Commission-approved SCCs (2021) and, where applicable, the UK International Data Transfer Addendum (IDTA).
  • Adequacy decisions: Where the European Commission or UK ICO has determined that the destination country provides adequate protection.
  • Other appropriate safeguards as permitted under applicable law (e.g., Binding Corporate Rules, derogations under Art. 49 GDPR).

You may request a copy of the applicable transfer mechanism by contacting us at privacy@bridgedeskai.com.

12. Your Privacy Rights

Depending on your location, you may have some or all of the following rights regarding your personal information:

  • Access / Know: Obtain confirmation of whether we process your personal information and receive a copy of it, along with information about how it is used.
  • Correction / Rectification: Request correction of inaccurate or incomplete personal information.
  • Deletion / Erasure ("right to be forgotten"): Request deletion of your personal information, subject to exceptions (e.g., where retention is required by law or for legitimate business purposes).
  • Restriction of processing: Request that we limit how we use your personal information in certain circumstances.
  • Data portability: Receive a copy of your personal information in a structured, commonly used, machine-readable format, and transmit it to another controller, where technically feasible (GDPR Art. 20).
  • Object to processing: Object to processing based on legitimate interests or for direct marketing purposes at any time.
  • Withdraw consent: Where processing is based on consent, withdraw consent at any time without affecting the lawfulness of prior processing.
  • Opt out of sale / sharing / targeted advertising: Opt out of the sale or sharing of your personal information or its use for targeted advertising (applicable in California, Virginia, and other states with similar laws).
  • Limit use of sensitive personal information: Request that we restrict the use of sensitive personal information to what is necessary to provide the requested service (CPRA).
  • Not be subject to solely automated decisions: Request human review of automated decisions that produce legal or similarly significant effects (GDPR Art. 22).
  • Non-discrimination: Not receive discriminatory treatment for exercising your privacy rights.
  • Lodge a complaint: Lodge a complaint with your local data protection supervisory authority. EU/EEA residents may contact the relevant national authority (a list is available at edpb.europa.eu). UK residents may contact the ICO at ico.org.uk.

How to exercise your rights: Submit a request to privacy@bridgedeskai.com or use our contact form (select "Privacy Rights Request"). We will respond within the timeframes required by applicable law — generally within 30 days under GDPR (extendable by 2 months for complex requests) and 45 days under CCPA/CPRA (extendable by an additional 45 days with notice).

We may need to verify your identity before processing certain requests. We will not charge a fee for reasonable requests but may charge a reasonable fee for repetitive or manifestly unfounded requests. California residents may designate an authorized agent to submit requests on their behalf.

Note for customer end users: If you interacted with an AI receptionist operated by one of our business customers (not BridgeDesk AI directly), please direct your privacy request to that business. We will assist our customers in responding to end-user requests as required by our DPA.

13. Children's Privacy

Our services are directed to businesses and professionals and are not intended for use by children. We do not knowingly collect personal information from children under 13 (or under 16 where required by applicable law, such as in most EU member states under GDPR Art. 8 and the UK Age Appropriate Design Code).

If we become aware that we have collected personal information from a child without verified parental consent where required, we will take steps to delete that information. If you believe we have inadvertently collected information from a child, please contact us at privacy@bridgedeskai.com.

14. Marketing Communications

We may send you marketing emails about our products and services where we have a lawful basis to do so (e.g., your consent or our legitimate interest as an existing customer, in accordance with applicable law including CAN-SPAM and CASL).

Every marketing email includes an unsubscribe link. You may opt out of marketing communications at any time by:

  • Clicking the "unsubscribe" or "manage preferences" link in any marketing email.
  • Emailing privacy@bridgedeskai.com with "Unsubscribe" in the subject line.

Opting out of marketing emails will not affect transactional communications necessary to provide our services (e.g., booking confirmations, password resets, service notices).

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the updated version on this page and update the "last updated" date at the top.

For material changes, we will provide additional notice as appropriate — for example, by sending an email to registered account holders or displaying a prominent notice on our website prior to the change taking effect. Your continued use of our services after an update constitutes acceptance of the revised policy, to the extent permitted by law.

16. Contact Us

For privacy questions, rights requests, or concerns about our data practices, please contact us:

BridgeDesk AI

[Company legal name]

[Street Address, City, State, ZIP]

Email: privacy@bridgedeskai.com

Data Protection Officer (DPO): If you are located in the EEA or UK and wish to contact our Data Protection Officer directly, please email dpo@bridgedeskai.com. [If a DPO is not formally appointed under GDPR Art. 37, replace with: "We have designated a privacy point of contact reachable at the above email address."]

EU Representative (GDPR Art. 27): [If BridgeDesk AI does not have an EU establishment but offers services to EU residents, insert EU representative name and contact here. This is legally required under GDPR Art. 27 for controllers/processors not established in the EU.]

UK Representative: [If applicable, insert UK representative contact here per UK GDPR Art. 27.]

View Security and Consent