A
AVADesk

Privacy Policy

Last updated: March 28, 2026

AVADesk is operated by FACC IT CONSULTING INC. (“we”, “us”, or “our”), a corporation registered in Ontario, Canada. This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with the AVADesk platform — a multi-tenant AI-powered phone receptionist service for businesses.

We are committed to full compliance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Ontario privacy regulations. This policy applies to all personal information we collect, whether from businesses that use our platform (“Tenants”) or from the callers and end-users those businesses serve (“End-Users”).

By using AVADesk, you acknowledge that you have read and understood this Privacy Policy. Tenants who deploy AVADesk to interact with their own customers accept responsibility for those interactions as described in Section 3 below.

Privacy Officer

In accordance with PIPEDA Principle 1 (Accountability), FACC IT CONSULTING INC. has designated a Privacy Officer responsible for our organization's compliance with privacy legislation and this Privacy Policy.

Privacy Officer — FACC IT CONSULTING INC.

Email: privacy@avadesk.ca

Mailing Address: Ontario, Canada

Our Privacy Officer handles inquiries, complaints, access requests, and correction requests. We will respond to all privacy-related requests within 30 days, as required by PIPEDA.

1. Who This Policy Covers

This Privacy Policy applies to two distinct categories of individuals:

  • Tenants — businesses and their authorized staff who register for and use the AVADesk platform (the portal at avadesk.ca). Tenants are primarily responsible for the configuration of the AI receptionist and for their own compliance obligations toward their customers.
  • End-Users — members of the public who call a business that has deployed an AVADesk AI receptionist. End-Users interact with the service indirectly; their personal information is processed on behalf of the Tenant whose phone number they called.

Tenants as Data Controllers: For End-User data, the Tenant is the primary data controller under PIPEDA. FACC IT CONSULTING INC. acts as a data processor on the Tenant's behalf. End-Users who wish to exercise their rights regarding data collected through a specific business's AI receptionist should contact that business directly. We will also assist where we are able — see Section 11.

2. Information We Collect

2.1 Tenant Account Data

When a business registers for AVADesk, we collect:

  • Business name, industry type, and business address
  • Account holder name and email address
  • Hashed account password (we do not store plaintext passwords)
  • Google account information if you use Google OAuth to sign in (name, email address, profile photo — no access to Gmail or other Google services beyond what you explicitly authorize)
  • Staff names and roles configured for receptionist routing
  • Business services, service descriptions, pricing, and operating hours
  • FAQs and other business knowledge configured for the AI
  • Google Calendar OAuth access tokens (encrypted at rest) — only if the Tenant enables Google Calendar integration
  • Billing metadata (subscription plan, billing cycle) — payment card data is handled exclusively by our payment processor and is never stored by AVADesk
  • Support communications and correspondence with our team

2.2 End-User (Caller) Data

When a caller interacts with an AVADesk-powered AI receptionist, we may collect and store on behalf of the Tenant:

  • Caller phone number (transmitted by Twilio via caller ID)
  • Caller name (if provided verbally or in a form during the call)
  • Appointment booking details: requested service, preferred date/time, any special instructions provided
  • Lead capture information: reason for calling, contact preferences, follow-up needs
  • Intake form responses: any structured information collected by the AI during the call (e.g., medical intake questions, client intake forms — per the Tenant's configuration)
  • A text transcript of the conversation, generated from the real-time speech-to-text process
  • The timestamp and duration of the call

2.3 Voice Data — What We Do NOT Store

Important: Voice Audio Is Not Retained by AVADesk

Caller voice audio is processed entirely in real-time through Twilio's ConversationRelay infrastructure. Speech-to-text conversion and text-to-speech synthesis are performed by third-party voice providers integrated through Twilio. AVADesk does not store any caller voice audio. Call recordings may be retained by Twilio subject to their own data retention policies. Tenants who wish to understand Twilio's call recording practices should review Twilio's Privacy Policy.

2.4 AI Processing Data

To generate AI receptionist responses during a call, conversation context (including the transcript of the ongoing conversation and the Tenant's configured business knowledge) is sent to one or more AI language model providers, depending on the Tenant's configuration. This context includes the current conversation and relevant business information but does not include unrelated Tenant account data. We do not instruct these providers to use this data to train their general models; data is processed solely to generate a response for the current call.

2.5 Technical and Usage Data

  • IP addresses, browser type, and device information when you access the portal
  • Access logs and timestamps for security monitoring and debugging
  • Session authentication tokens (see Section 9 — Cookies)
  • API call logs (internal, for service reliability and error tracking)

3. How We Use Your Information

We use the personal information we collect for the following purposes, as permitted under PIPEDA:

3.1 Service Delivery

  • Operating the AI receptionist: answering inbound calls, understanding caller intent, providing business information, booking appointments, capturing leads, and completing intake forms on behalf of Tenants
  • Generating and storing call transcripts in the Tenant's AVADesk portal
  • Syncing appointment bookings with Google Calendar where the Tenant has authorized this integration
  • Sending email notifications to Tenants and their staff (via our email delivery service) regarding new bookings, missed calls, lead captures, and call activity
  • Sending SMS notifications (via Twilio) where configured by the Tenant
  • Authenticating Tenant accounts and maintaining secure sessions

3.2 Account Management and Billing

  • Creating and managing Tenant accounts
  • Processing subscription payments through our payment processor
  • Communicating with Tenants about billing, subscription changes, and account status

3.3 Service Improvement and Safety

  • Monitoring system performance, diagnosing errors, and improving service reliability
  • Detecting and preventing fraud, abuse, and violations of our Terms of Service
  • Aggregated and anonymized analytics to understand how the platform is used and where it can be improved (no individual re-identification)

3.4 Legal and Compliance

  • Complying with applicable Canadian laws and regulations
  • Responding to lawful requests from government authorities
  • Enforcing our Terms of Service and protecting our legal rights

What we do NOT do:

  • We do not sell personal information to any third party
  • We do not use caller or End-User data for advertising or marketing
  • We do not use personal information for any purpose not described in this policy without obtaining fresh consent

4. Google API Data and Limited Use

AVADesk offers an optional integration with Google Calendar. Tenants who enable this feature authorize AVADesk to access their Google Calendar through OAuth 2.0. Our use of Google user data is strictly limited to:

  • Reading calendar events to check availability for appointment booking
  • Creating new calendar events when a caller books an appointment through the AI receptionist
  • Updating or cancelling calendar events as directed by the Tenant or a caller within the platform

We do not use Google Calendar data for any purpose other than the scheduling functionality described above. We do not share Google user data with any third party for advertising, profiling, or any other purpose. Google OAuth access tokens are encrypted at rest in our database and are never shared with parties other than Google's own APIs.

Tenants may revoke Google Calendar access at any time from within the AVADesk settings or directly through their Google Account security settings. Upon revocation, we will cease all access to Google Calendar and delete the stored OAuth tokens.

Our use and transfer of information received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements.

5. Third-Party Service Providers and Data Processors

We engage the following third-party processors to deliver the AVADesk service. Each processor receives only the data necessary for their specific function. We maintain data processing agreements or equivalent contractual safeguards with each processor.

Amazon Web Services (AWS) — ca-central-1, Montreal, Canada

Our primary infrastructure provider. All AVADesk application servers run on AWS in the ca-central-1 (Canada — Central) region. All primary Tenant and End-User data is stored in Amazon RDS PostgreSQL databases located in Canadian data centres. Data at rest is encrypted using AES-256. Data in transit is protected by TLS. AWS Privacy Policy

Twilio Inc. — United States

Provides the telephony infrastructure for inbound calls, including call routing, phone number provisioning, and real-time audio streaming via Twilio ConversationRelay. Caller phone numbers and call audio streams are processed through Twilio's infrastructure. Twilio may retain call metadata and potentially call recordings subject to their own policies. Twilio processes data in the United States. Twilio Privacy Policy

Speech-to-Text Provider(s) — United States

We use one or more third-party speech-to-text (STT) providers integrated through Twilio ConversationRelay to convert caller voice audio into text in real-time. Audio is streamed to the provider's API during the call; we do not instruct the provider to store voice audio beyond what is required for the immediate transcription. Data is processed in the United States.

Text-to-Speech Provider(s) — United States

We use one or more third-party text-to-speech (TTS) providers integrated through Twilio ConversationRelay to convert AI-generated text responses into natural-sounding speech streamed back to the caller. Data is processed in the United States.

AI Language Model Provider(s) — United States

We use one or more third-party AI language model providers to generate receptionist responses during calls. Conversation context — the transcript of the current call and the Tenant's configured business knowledge — is sent to the provider's API to generate an appropriate response. We operate under API usage policies that restrict the use of submitted data for model training. The specific provider(s) used may be configurable per Tenant. Data is processed in the United States.

Calendar Integration and Authentication Service — United States / Global

We integrate with a third-party calendar service for optional appointment synchronization when authorized by the Tenant (see Section 4 for our full Limited Use commitments). The same provider may also be used for OAuth-based Tenant sign-in where you choose that option — in which case we receive only your name, email address, and profile photo, with no access to other data in your account. Data may be processed globally.

Email Delivery Service — United States

We use a third-party transactional email delivery service to send Tenants and their staff notifications about new bookings, missed calls, lead captures, and account-related communications. Recipient email addresses and notification content are transmitted through this service. Data is processed in the United States.

Payment Processor — United States

We use a third-party payment processor to handle subscription payments on behalf of FACC IT CONSULTING INC. The payment processor handles all payment card data directly and is PCI-DSS Level 1 certified. We do not receive or store raw card numbers, CVV codes, or full payment card details — only billing metadata (subscription plan, billing cycle, and last four digits of card for display purposes). Data is processed in the United States.

All third-party processors are contractually restricted from using personal information for any purpose other than providing the specific services described above. A current list of sub-processors is available upon request by contacting privacy@avadesk.ca. We review our processor relationships periodically to ensure ongoing compliance.

6. Cross-Border Data Transfers

While our primary data storage infrastructure is located in Canada (AWS ca-central-1), several of our third-party processors — including Twilio and our speech-to-text, text-to-speech, AI language model, calendar integration, email delivery, and payment processing providers — are based in and process data in the United States. As a result, certain personal information is transferred to and processed in the United States as part of service delivery.

Under PIPEDA, organizations transferring personal information across borders must use contractual or other means to provide a comparable level of protection. We ensure the following safeguards are in place:

  • Data processing agreements with each US-based processor restricting use to specified service purposes
  • Selecting processors that maintain appropriate security certifications (SOC 2, ISO 27001, PCI-DSS where applicable)
  • Ensuring minimal data is sent to each processor — only what is necessary for their function

By using AVADesk, you acknowledge and consent to this cross-border transfer of personal information as necessary for the delivery of the service. If you have concerns about cross-border transfers, please contact our Privacy Officer at privacy@avadesk.ca.

7. Data Retention

We retain personal information only as long as necessary for the purposes for which it was collected, subject to the following schedules:

Data TypeRetention Period
Call transcripts90 days from date of call (Tenant may request earlier deletion)
Booking records and lead captures1 year from date of creation, or until deleted by Tenant
Intake form submissions1 year from date of submission, or until deleted by Tenant
Tenant account dataDuration of active account, plus 90 days after account closure (for recovery), then permanently deleted
Google Calendar OAuth tokensDeleted immediately upon disconnection or account closure
Billing and payment records7 years, as required by Canadian accounting and tax law
Server and access logs90 days, for security and debugging purposes
Support and correspondence records3 years from last interaction

Upon expiry of the applicable retention period, personal information is securely deleted or anonymized. Tenants may request earlier deletion of End-User data through the AVADesk portal or by contacting privacy@avadesk.ca.

8. Data Security

We implement the following technical and organizational security measures to protect personal information:

  • Encryption in transit: All communications between users, our servers, and third-party processors use TLS 1.2 or higher
  • Encryption at rest: All data stored in our AWS RDS PostgreSQL databases is encrypted using AES-256
  • OAuth token security: Google Calendar OAuth tokens are encrypted at rest and stored separately from other account data
  • Password hashing: Tenant passwords are hashed using a strong, salted algorithm — we do not store plaintext passwords
  • Access controls: Access to production systems and personal data is restricted to authorized personnel on a need-to-know basis
  • Multi-tenant isolation: Each Tenant's data is logically isolated so that one Tenant cannot access another's data
  • Security monitoring: We monitor for unusual access patterns and potential security incidents

No system is 100% secure. While we take reasonable measures to protect personal information, we cannot guarantee absolute security against all possible threats. In the event of a security breach affecting your personal information, we will notify you as described in Section 12.

9. Cookies and Tracking

AVADesk uses cookies minimally and only for essential platform functionality. We do not use advertising trackers, behavioural analytics cookies, or third-party tracking pixels within the portal application.

Essential Cookies (Required)

  • Session authentication cookie: A secure, HTTP-only cookie that keeps you logged in to the AVADesk portal. This cookie does not track you across other websites, contains no personally identifiable information beyond a session token, and is cleared when you log out or the session expires.

Analytics

If analytics tools are used on the AVADesk marketing website (avadesk.ca), they will be disclosed separately with a cookie consent mechanism. No analytics cookies are set within the authenticated portal application.

You may configure your browser to refuse cookies, but note that disabling the session cookie will prevent you from logging into the AVADesk portal.

10. Children's Privacy

AVADesk is a business-to-business service intended for use by organizations and adults aged 18 or older. We do not knowingly collect personal information from individuals under the age of 13, and the platform is not directed at children.

If a Tenant deploys AVADesk in a context where minors may interact with the AI receptionist, the Tenant is responsible for obtaining any required parental or guardian consent under applicable law and for ensuring compliance with laws protecting children's privacy, including Canada's PIPEDA and any applicable provincial requirements.

If you believe we have inadvertently collected personal information from a minor, please contact us immediately at privacy@avadesk.ca and we will promptly delete it.

11. Your Rights Under PIPEDA

Canada's PIPEDA grants individuals the following rights with respect to their personal information held by organizations subject to the Act:

Right of Access

You may request a copy of the personal information we hold about you, including how it was collected, how it has been used, and to whom it has been disclosed. We will respond within 30 days. A reasonable fee may be charged for extensive requests.

Right to Correction

If personal information we hold about you is inaccurate, incomplete, or out of date, you may request that we correct it. Where we disagree about the accuracy, we will note your correction request alongside the information.

Right to Withdraw Consent

You may withdraw consent to the collection, use, or disclosure of your personal information at any time, subject to legal and contractual restrictions. Withdrawal of consent for core service functions may mean we are unable to continue providing the service.

Right to Deletion

You may request deletion of your personal information, subject to our legal obligation to retain certain records (such as billing records required by tax law). We will fulfill deletion requests within a reasonable time and confirm when deletion is complete.

Right to Challenge Compliance

You have the right to challenge our compliance with PIPEDA. If you are not satisfied with our response to a privacy concern, you may escalate your complaint to the Office of the Privacy Commissioner of Canada.

To exercise any of these rights: Contact our Privacy Officer at privacy@avadesk.ca. We will acknowledge your request promptly and respond within 30 days, as required by PIPEDA.

Note for Callers (End-Users)

If you called a business that uses AVADesk and wish to access, correct, or delete data collected during that interaction (such as a booking record or lead capture), we recommend contacting that business directly — they are the primary data controller for your information. You are also welcome to contact us at privacy@avadesk.ca and we will assist in coordinating your request with the relevant Tenant.

12. Breach Notification

In the event of a breach of security safeguards involving personal information that creates a real risk of significant harm to individuals, FACC IT CONSULTING INC. will comply with the mandatory breach notification requirements under PIPEDA, which include:

  • Notifying affected individuals as soon as feasible after it is determined that a breach creating a real risk of significant harm has occurred
  • Reporting to the Office of the Privacy Commissioner of Canada as soon as feasible
  • Notifying affected Tenants so they can fulfill their own notification obligations to their End-Users if applicable
  • Maintaining breach records for a minimum of 24 months, as required by the Breach of Security Safeguards Regulations

Breach notifications to affected individuals will include: a description of the breach, the type of personal information involved, steps we have taken to mitigate harm, and recommended steps affected individuals can take to protect themselves.

If you believe your personal information held by AVADesk may have been compromised, please contact our Privacy Officer immediately at privacy@avadesk.ca.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other legitimate business reasons. When we make material changes, we will:

  • Update the “Last updated” date at the top of this page
  • Notify active Tenants by email or through a notice in the AVADesk portal
  • For significant changes affecting your rights, request renewed consent where required by PIPEDA

Continued use of AVADesk after the effective date of a revised Privacy Policy constitutes acceptance of the updated terms. We encourage you to review this policy periodically.

14. Contact Our Privacy Officer

For any questions, concerns, access requests, or complaints regarding this Privacy Policy or our handling of personal information, please contact:

Privacy Officer

FACC IT CONSULTING INC.

Operating as AVADesk

Ontario, Canada

Email: privacy@avadesk.ca

If you are not satisfied with our response, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada:

Office of the Privacy Commissioner of Canada

30 Victoria Street, Gatineau, Quebec K1A 1H3

www.priv.gc.ca · Toll-free: 1-800-282-1376