Privacy Policy

Last updated: May 4, 2026

AVADesk is operated by FACC IT CONSULTING INC. (“we”, “us”, or “our”), a corporation registered in Ontario, Canada. This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with the AVADesk platform, which includes an AI-powered phone receptionist service and the AVA Engage outbound marketing module.

We are committed to full compliance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Ontario privacy regulations. This policy applies to all personal information we collect, whether from businesses that use our platform (“Tenants”) or from the callers, contacts, and end-users those businesses serve (“End-Users”).

By using AVADesk, you acknowledge that you have read and understood this Privacy Policy. Tenants who deploy AVADesk to interact with their own customers accept responsibility for those interactions as described in Section 3 below.

Privacy Officer

In accordance with PIPEDA Principle 1 (Accountability), we have designated a Privacy Officer responsible for our organization's compliance with privacy legislation and this Privacy Policy.

Privacy Officer - AVADesk

Email: privacy@avadesk.ca

Mailing Address: Ontario, Canada

Our Privacy Officer handles inquiries, complaints, access requests, and correction requests. We will respond to all privacy-related requests within 30 days, as required by PIPEDA.

1. Who This Policy Covers

This Privacy Policy applies to two distinct categories of individuals:

  • Tenants - businesses and their authorized staff who register for and use the AVADesk platform (the portal at avadesk.ca). Tenants are primarily responsible for the configuration of the AI receptionist and AVA Engage, and for their own compliance obligations toward their customers.
  • End-Users - members of the public who interact with a business that has deployed AVADesk. This includes callers who reach a Tenant's AI receptionist, contacts who receive outbound email, SMS, or voice campaigns through AVA Engage, website visitors who use a Tenant's web chat widget, and recipients of messages through connected Instagram or Facebook accounts. End-Users interact with the service on behalf of the Tenant whose platform they are engaging with.

Tenants as Data Controllers: For End-User data, the Tenant is the primary data controller under PIPEDA. AVADesk acts as a data processor on the Tenant's behalf. End-Users who wish to exercise their rights regarding data collected through a specific business's AVADesk deployment should contact that business directly. We will also assist where we are able - see Section 11.

2. Information We Collect

2.1 Tenant Account Data

When a business registers for AVADesk, we collect:

  • Business name, industry type, and business address
  • Account holder name and email address
  • Hashed account password (we do not store plaintext passwords)
  • Google account information if you use Google OAuth to sign in (name, email address, profile photo - no access to Gmail or other Google services beyond what you explicitly authorize)
  • Staff names and roles configured for receptionist routing
  • Business services, service descriptions, pricing, and operating hours
  • FAQs and other business knowledge configured for the AI
  • Google Calendar OAuth access tokens (encrypted at rest) - only if the Tenant enables Google Calendar integration
  • Billing metadata (subscription plan, billing cycle) - payment card data is handled exclusively by our payment processor and is never stored by AVADesk
  • Support communications and correspondence with our team

2.2 End-User (Caller) Data

When a caller interacts with an AVADesk-powered AI receptionist, we may collect and store on behalf of the Tenant:

  • Caller phone number (transmitted by Twilio via caller ID)
  • Caller name (if provided verbally or in a form during the call)
  • Appointment booking details: requested service, preferred date/time, any special instructions provided
  • Lead capture information: reason for calling, contact preferences, follow-up needs
  • Intake form responses: any structured information collected by the AI during the call (e.g., medical intake questions, client intake forms - per the Tenant's configuration)
  • A text transcript of the conversation, generated from the real-time speech-to-text process
  • The timestamp and duration of the call

2.3 Voice Data - What We Do NOT Store

Important: Voice Audio Is Not Retained by AVADesk

Caller voice audio is processed entirely in real-time through Twilio's ConversationRelay infrastructure. Speech-to-text conversion and text-to-speech synthesis are performed by third-party voice providers integrated through Twilio. AVADesk does not store any caller voice audio. Call recordings may be retained by Twilio subject to their own data retention policies. Tenants who wish to understand Twilio's call recording practices should review Twilio's Privacy Policy.

2.4 AI Processing Data

To generate AI receptionist responses during a call, conversation context (including the transcript of the ongoing conversation and the Tenant's configured business knowledge) is sent to one or more AI language model providers, depending on the Tenant's configuration. This context includes the current conversation and relevant business information but does not include unrelated Tenant account data. We do not instruct these providers to use this data to train their general models; data is processed solely to generate a response for the current call.

2.5 Technical and Usage Data

  • IP addresses, browser type, and device information when you access the portal
  • Access logs and timestamps for security monitoring and debugging
  • Session authentication tokens (see Section 9 - Cookies)
  • API call logs (internal, for service reliability and error tracking)

2.6 Marketing Campaign Data (AVA Engage)

When a Tenant uses AVA Engage to contact their leads or customers, we collect and process on behalf of the Tenant:

  • Recipient contact information (email addresses, phone numbers) as provided by the Tenant or collected through the platform
  • Campaign metadata: message content, send timestamps, delivery status, open events, click events, bounce events
  • Opt-out and unsubscribe records: the date, channel, and method by which a contact opted out of communications
  • Lead scores: engagement-based scores calculated from opens, clicks, call outcomes, form submissions, and other signals
  • Segment membership: which audience segments a contact belongs to, based on Tenant-defined criteria

2.7 CSV-Imported Contact Data

Tenants may upload contact lists via CSV file. Imported contacts are processed as Tenant Data under the Tenant's instruction. By importing a contact list, the Tenant warrants that all contacts were lawfully obtained and that required consents for the intended communications are in place. AVADesk does not independently verify consent for imported contacts.

2.8 Web Chat Data

If a Tenant enables the AVA Engage web chat widget on their website, we collect:

  • Chat message content from website visitors
  • Session identifiers used to maintain persistent chat history
  • Metadata: page URL where chat was initiated, browser type, timestamps
  • Email address or name if voluntarily provided by the visitor during chat

2.9 Instagram and Facebook Direct Messages

If a Tenant connects their Instagram or Facebook account to AVA Engage for AI-powered auto-reply, message content, sender identifiers, and timestamps are processed through Meta's API and stored in AVADesk on behalf of the Tenant. Message data is subject to Meta's Platform Terms in addition to this Privacy Policy.

2.10 Event Attendance Data (RSVP and Check-in)

For Tenants using RSVP and event check-in features, we collect:

  • Contact name and identifier for RSVP records
  • Check-in timestamp and event identifier
  • Attendance status (registered, attended, no-show)

3. How We Use Your Information

We use the personal information we collect for the following purposes, as permitted under PIPEDA:

3.1 Service Delivery

  • Operating the AI receptionist: answering inbound calls, understanding caller intent, providing business information, booking appointments, capturing leads, and completing intake forms on behalf of Tenants
  • Generating and storing call transcripts in the Tenant's AVADesk portal
  • Syncing appointment bookings with Google Calendar where the Tenant has authorized this integration
  • Sending email notifications to Tenants and their staff (via our email delivery service) regarding new bookings, missed calls, lead captures, and call activity
  • Sending SMS notifications (via Twilio) where configured by the Tenant
  • Authenticating Tenant accounts and maintaining secure sessions

3.2 Account Management and Billing

  • Creating and managing Tenant accounts
  • Processing subscription payments through our payment processor
  • Communicating with Tenants about billing, subscription changes, and account status

3.3 Service Improvement and Safety

  • Monitoring system performance, diagnosing errors, and improving service reliability
  • Detecting and preventing fraud, abuse, and violations of our Terms of Service
  • Aggregated and anonymized analytics to understand how the platform is used and where it can be improved (no individual re-identification)

3.4 Legal and Compliance

  • Complying with applicable Canadian laws and regulations
  • Responding to lawful requests from government authorities
  • Enforcing our Terms of Service and protecting our legal rights

3.5 AVA Engage - Marketing Campaign Processing

Tenants who use the AVA Engage module may send commercial electronic messages (email, SMS, and outbound voice calls) to their contacts. When a Tenant uses AVA Engage, we process the following data on the Tenant's behalf:

  • Email campaigns: Recipient email addresses, campaign content, send timestamps, open events, click events, and unsubscribe actions are processed on behalf of the Tenant. Open tracking uses a 1x1 tracking pixel embedded in HTML emails; click tracking uses redirected URLs. Recipients who load images or click links in campaign emails acknowledge this tracking. Recipients can reduce email tracking by blocking images in their email client.
  • SMS campaigns: Recipient phone numbers, message content, delivery status, and opt-out responses (STOP keywords) are processed via Twilio. Opt-outs are recorded in a per-Tenant suppression list and are automatically honoured for all future campaigns.
  • Outbound voice campaigns: Recipient phone numbers and call outcomes (answered, no answer, opted out) are logged. Call transcripts are stored subject to the retention schedule in Section 7. Calls are initiated via Twilio and subject to Twilio's data practices.
  • Web chat: Website visitor messages are processed in real time by our AI and stored for the Tenant to review. See Section 2.8 for the data types collected.
  • Instagram and Facebook DMs: Messages are received through Meta's API, processed by our AI, and stored in the Tenant's account. See Section 2.9 for details.

Our role as data processor: AVADesk processes campaign data only on the Tenant's instruction and as their data processor. The Tenant is the data controller. The Tenant is solely responsible for holding valid, lawfully obtained consent (under CASL, CAN-SPAM, TCPA, CRTC DNCL, and any other applicable law) for every recipient before using AVA Engage to contact them. AVADesk does not validate the provenance of Tenant contact lists and cannot substitute for the Tenant's legal obligations.

Opt-outs and suppression: AVADesk automatically processes unsubscribe requests (email) and STOP keyword responses (SMS). Opted-out contacts are added to a per-channel suppression list and will not receive future campaigns in that channel unless the recipient provides fresh consent directly to the Tenant. Tenants must not attempt to circumvent suppression lists.

Lead scoring: AVADesk may compute engagement scores for contacts based on signals such as email opens, link clicks, call history, and form responses. These scores are used by Tenants to prioritize outreach. Contacts have the right to request access to or deletion of their lead score data by contacting the Tenant, or by reaching us at privacy@avadesk.ca.

What we do NOT do:

  • We do not sell personal information to any third party
  • We do not use caller or End-User data for AVADesk's own advertising or marketing. We do process contact data on behalf of Tenants who use AVA Engage to conduct their own marketing campaigns, as described in Section 3.5 above
  • We do not use personal information for any purpose not described in this policy without obtaining fresh consent

4. Google API Data and Limited Use

AVADesk offers an optional integration with Google Calendar. Tenants who enable this feature authorize AVADesk to access their Google Calendar through OAuth 2.0. Our use of Google user data is strictly limited to:

  • Reading calendar events to check availability for appointment booking
  • Creating new calendar events when a caller books an appointment through the AI receptionist
  • Updating or cancelling calendar events as directed by the Tenant or a caller within the platform

We do not use Google Calendar data for any purpose other than the scheduling functionality described above. We do not share Google user data with any third party for advertising, profiling, or any other purpose. Google OAuth access tokens are encrypted at rest in our database and are never shared with parties other than Google's own APIs.

Tenants may revoke Google Calendar access at any time from within the AVADesk settings or directly through their Google Account security settings. Upon revocation, we will cease all access to Google Calendar and delete the stored OAuth tokens.

Our use and transfer of information received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements.

5. Third-Party Service Providers and Data Processors

We engage the following third-party processors to deliver the AVADesk service. Each processor receives only the data necessary for their specific function. We maintain data processing agreements or equivalent contractual safeguards with each processor.

Amazon Web Services (Canada)

Our primary infrastructure provider. All AVADesk application servers and primary Tenant and End-User data are hosted in Canadian data centres. Data at rest is encrypted using AES-256. Data in transit is protected by TLS. AWS Privacy Policy

Twilio Inc.

Provides the telephony infrastructure for inbound and outbound calls, including call routing, phone number provisioning, real-time audio streaming via Twilio ConversationRelay, and SMS delivery for both transactional notifications and AVA Engage campaigns. Caller and recipient phone numbers and call audio streams are processed through Twilio's infrastructure. Twilio may retain call metadata and potentially call recordings subject to their own policies. Twilio Privacy Policy

Resend, Inc.

We use Resend as our email delivery service for both transactional notifications (booking confirmations, account alerts) and AVA Engage bulk email campaigns. Resend processes recipient email addresses, message content, and campaign engagement data (opens, clicks, bounces) on our behalf. Data is processed in the United States. Resend Privacy Policy

Meta Platforms, Inc.

For Tenants who connect Instagram or Facebook accounts to AVA Engage for DM automation, message content is transmitted through Meta's API. Meta acts as a data processor (and in some contexts a joint controller) for DM data. Meta's own data retention and processing practices apply to messages transiting their infrastructure, and AVADesk has limited visibility into what Meta retains independently. Meta Privacy Policy

Speech-to-Text Provider(s)

We use one or more third-party speech-to-text (STT) providers integrated through Twilio ConversationRelay to convert caller voice audio into text in real-time. Audio is streamed to the provider's API during the call; we do not instruct the provider to store voice audio beyond what is required for the immediate transcription.

Text-to-Speech Provider(s)

We use one or more third-party text-to-speech (TTS) providers integrated through Twilio ConversationRelay to convert AI-generated text responses into natural-sounding speech streamed back to the caller.

AI Language Model Provider(s)

We use one or more third-party AI language model providers to generate receptionist responses during calls and to power AVA Engage features such as web chat auto-reply, DM automation, and personalized campaign content. Conversation context - the transcript of the current call and the Tenant's configured business knowledge - is sent to the provider's API to generate an appropriate response. We operate under API usage policies that restrict the use of submitted data for model training. The specific provider(s) used may be configurable per Tenant.

Calendar Integration and Authentication Service

We integrate with a third-party calendar service for optional appointment synchronization when authorized by the Tenant (see Section 4 for our full Limited Use commitments). The same provider may also be used for OAuth-based Tenant sign-in where you choose that option - in which case we receive only your name, email address, and profile photo, with no access to other data in your account. Data may be processed globally.

Payment Processor

We use a third-party payment processor to handle subscription payments on our behalf. The payment processor handles all payment card data directly and is PCI-DSS Level 1 certified. We do not receive or store raw card numbers, CVV codes, or full payment card details - only billing metadata (subscription plan, billing cycle, and last four digits of card for display purposes).

All third-party processors are contractually restricted from using personal information for any purpose other than providing the specific services described above. A current list of sub-processors is available upon request by contacting privacy@avadesk.ca. We review our processor relationships periodically to ensure ongoing compliance.

6. Cross-Border Data Transfers

While our primary data storage infrastructure is located in Canada (AWS ca-central-1), several of our third-party processors - including Twilio, Resend, Meta, and our speech-to-text, text-to-speech, AI language model, calendar integration, and payment processing providers - are based in and process data in the United States. As a result, certain personal information is transferred to and processed in the United States as part of service delivery.

Under PIPEDA, organizations transferring personal information across borders must use contractual or other means to provide a comparable level of protection. We ensure the following safeguards are in place:

  • Data processing agreements with each US-based processor restricting use to specified service purposes
  • Selecting processors that maintain appropriate security certifications (SOC 2, ISO 27001, PCI-DSS where applicable)
  • Ensuring minimal data is sent to each processor - only what is necessary for their function

By using AVADesk, you acknowledge and consent to this cross-border transfer of personal information as necessary for the delivery of the service. If you have concerns about cross-border transfers, please contact our Privacy Officer at privacy@avadesk.ca.

7. Data Retention

We retain personal information only as long as necessary for the purposes for which it was collected, subject to the following schedules:

Data TypeRetention Period
Call transcripts (inbound)90 days from date of call (Tenant may request earlier deletion)
Booking records and lead captures1 year from date of creation, or until deleted by Tenant
Intake form submissions1 year from date of submission, or until deleted by Tenant
Tenant account dataDuration of active account, plus 90 days after account closure (for recovery), then permanently deleted
Google Calendar OAuth tokensDeleted immediately upon disconnection or account closure
Billing and payment records7 years, as required by Canadian accounting and tax law
Server and access logs90 days, for security and debugging purposes
Support and correspondence records3 years from last interaction
Campaign send records (email/SMS/voice)2 years from send date, or until deleted by Tenant
Email open and click tracking events2 years from event date
Opt-out and unsubscribe recordsIndefinitely (or 3 years post-account closure) - required to enforce suppression across future campaigns
Web chat transcripts90 days from session date, or until deleted by Tenant
Instagram and Facebook DM history90 days from message date, or until deleted by Tenant
CSV-imported contact listsDuration of active account, plus 30 days after account closure
Lead score history1 year from last update, or until contact deleted by Tenant
Event attendance records (RSVP/check-in)2 years from event date, or until deleted by Tenant

Upon expiry of the applicable retention period, personal information is securely deleted or anonymized. Tenants may request earlier deletion of End-User data through the AVADesk portal or by contacting privacy@avadesk.ca.

8. Data Security

We implement the following technical and organizational security measures to protect personal information:

  • Encryption in transit: All communications between users, our servers, and third-party processors use TLS 1.2 or higher
  • Encryption at rest: All data stored in our databases is encrypted using AES-256
  • OAuth token security: Google Calendar OAuth tokens are encrypted at rest and stored separately from other account data
  • Password hashing: Tenant passwords are hashed using a strong, salted algorithm - we do not store plaintext passwords
  • Access controls: Access to production systems and personal data is restricted to authorized personnel on a need-to-know basis
  • Multi-tenant isolation: Each Tenant's data is logically isolated so that one Tenant cannot access another's data
  • Security monitoring: We monitor for unusual access patterns and potential security incidents

No system is 100% secure. While we take reasonable measures to protect personal information, we cannot guarantee absolute security against all possible threats. In the event of a security breach affecting your personal information, we will notify you as described in Section 12.

9. Cookies and Tracking

AVADesk uses cookies minimally and only for essential platform functionality. Within the authenticated portal application, we do not use advertising trackers or behavioural analytics cookies.

Essential Cookies (Required)

  • Session authentication cookie: A secure, HTTP-only cookie that keeps you logged in to the AVADesk portal. This cookie does not track you across other websites, contains no personally identifiable information beyond a session token, and is cleared when you log out or the session expires.

Analytics

If analytics tools are used on the AVADesk marketing website (avadesk.ca), they will be disclosed separately with a cookie consent mechanism. No analytics cookies are set within the authenticated portal application.

Email Tracking Technologies (AVA Engage)

AVA Engage marketing emails sent on behalf of Tenants may contain the following tracking technologies:

  • Open tracking pixels: A 1x1 transparent image that records when an email is opened, if images are loaded by the recipient's email client. This is used to provide Tenants with campaign open-rate analytics.
  • Click-tracking redirects: Links in marketing emails may be routed through a tracking redirect URL before reaching the destination. This records that a link was clicked and contributes to engagement analytics and lead scoring.

These tracking mechanisms operate on behalf of Tenants. Recipients who do not wish to be tracked via open pixels may disable automatic image loading in their email client. Click tracking is embedded in links and cannot be disabled while receiving HTML email campaigns. Recipients may opt out of all future campaign emails by using the unsubscribe link included in every marketing email.

You may configure your browser to refuse cookies, but note that disabling the session cookie will prevent you from logging into the AVADesk portal.

10. Children's Privacy

AVADesk is a business-to-business service intended for use by organizations and adults aged 18 or older. We do not knowingly collect personal information from individuals under the age of 13, and the platform is not directed at children.

If a Tenant deploys AVADesk in a context where minors may interact with the AI receptionist or receive AVA Engage communications, the Tenant is responsible for obtaining any required parental or guardian consent under applicable law and for ensuring compliance with laws protecting children's privacy, including Canada's PIPEDA and any applicable provincial requirements.

If you believe we have inadvertently collected personal information from a minor, please contact us immediately at privacy@avadesk.ca and we will promptly delete it.

11. Your Rights Under PIPEDA

Canada's PIPEDA grants individuals the following rights with respect to their personal information held by organizations subject to the Act:

Right of Access

You may request a copy of the personal information we hold about you, including how it was collected, how it has been used, and to whom it has been disclosed. We will respond within 30 days. A reasonable fee may be charged for extensive requests.

Right to Correction

If personal information we hold about you is inaccurate, incomplete, or out of date, you may request that we correct it. Where we disagree about the accuracy, we will note your correction request alongside the information.

Right to Withdraw Consent

You may withdraw consent to the collection, use, or disclosure of your personal information at any time, subject to legal and contractual restrictions. If you receive marketing communications from a business using AVA Engage, you may withdraw consent by using the unsubscribe or opt-out mechanism included in those communications. Withdrawal of consent for core service functions may mean we are unable to continue providing the service.

Right to Deletion

You may request deletion of your personal information, subject to our legal obligation to retain certain records (such as billing records required by tax law, and opt-out records required for suppression enforcement). We will fulfill deletion requests within a reasonable time and confirm when deletion is complete.

Right to Challenge Compliance

You have the right to challenge our compliance with PIPEDA. If you are not satisfied with our response to a privacy concern, you may escalate your complaint to the Office of the Privacy Commissioner of Canada.

To exercise any of these rights: Contact our Privacy Officer at privacy@avadesk.ca. We will acknowledge your request promptly and respond within 30 days, as required by PIPEDA.

Note for Callers and Campaign Recipients (End-Users)

If you called a business that uses AVADesk, or if you received an email, SMS, or outbound call through AVA Engage and wish to access, correct, or delete data collected during that interaction, we recommend contacting that business directly - they are the primary data controller for your information. You are also welcome to contact us at privacy@avadesk.ca and we will assist in coordinating your request with the relevant Tenant.

12. Breach Notification

In the event of a breach of security safeguards involving personal information that creates a real risk of significant harm to individuals, we will comply with the mandatory breach notification requirements under PIPEDA (Division 1.1 of Part 1 and the Breach of Security Safeguards Regulations), including the following commitments:

Notification to Affected Individuals

We will notify affected individuals as soon as feasible after determining that a breach creating a real risk of significant harm has occurred. Notifications will be sent directly to affected individuals by email to the address associated with their account. If email is unavailable or unreliable, we may supplement notification via conspicuous notice within the AVADesk portal, telephone, or other direct means reasonably likely to reach the affected individual.

Content of Notifications

Breach notifications to affected individuals will include:

  • A description of the breach and the date or estimated date it occurred
  • A description of the type of personal information involved
  • A description of the steps AVADesk has taken or intends to take to reduce the risk of harm
  • Steps the affected individual can take to reduce the risk of harm or mitigate potential consequences
  • A toll-free number or email address through which the individual can obtain further information about the breach
  • Information about the individual’s right to file a complaint with the Office of the Privacy Commissioner of Canada

Notification to Tenants

Where a breach involves End-User data processed on behalf of a Tenant, we will notify the affected Tenant(s) as soon as feasible so they can fulfill their own notification obligations to their End-Users under applicable law.

Report to the Privacy Commissioner

We will report any qualifying breach to the Office of the Privacy Commissioner of Canada as soon as feasible, in accordance with the prescribed form and content requirements.

Breach Record-Keeping

We maintain a record of every breach of security safeguards involving personal information under our control, regardless of whether the breach meets the “real risk of significant harm” threshold. These records are maintained for a minimum of 24 months from the date we determine the breach occurred, as required by the Breach of Security Safeguards Regulations (SOR/2018-64), and are available to the Privacy Commissioner upon request.

If you believe your personal information held by AVADesk may have been compromised, please contact our Privacy Officer immediately at privacy@avadesk.ca.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other legitimate business reasons. When we make material changes, we will:

  • Update the “Last updated” date at the top of this page
  • Notify active Tenants by email. We may also provide notice through the AVADesk portal (such as a banner or dashboard notification) where available.
  • For significant changes affecting your rights, request renewed consent where required by PIPEDA

Continued use of AVADesk after the effective date of a revised Privacy Policy constitutes acceptance of the updated terms. We encourage you to review this policy periodically.

14. Contact Our Privacy Officer

For any questions, concerns, access requests, or complaints regarding this Privacy Policy or our handling of personal information, please contact:

Privacy Officer

AVADesk (FACC IT CONSULTING INC.)

Ontario, Canada

Email: privacy@avadesk.ca

If you are not satisfied with our response, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada:

Office of the Privacy Commissioner of Canada

30 Victoria Street, Gatineau, Quebec K1A 1H3

www.priv.gc.ca · Toll-free: 1-800-282-1376