Privacy Policy

1. Introduction

Zonitel Solutions LLC ("Zonitel," "we," "us," or "our") is a Texas-based provider of cloud-hosted, SIP-based business communications services, including Business VoIP phone systems, SMS/MMS messaging, digital fax, AI call analytics, live call panel, and smart calendar features. We are committed to protecting the privacy and security of your personal and business information.

This Privacy Policy describes how we collect, use, share, and protect information about you when you access our website at zonitel.com, use our products and services, or interact with us in any other way (collectively, the "Services"). It also describes your rights with respect to your information and how you can exercise those rights. This policy covers all customers, visitors to our website, and individuals whose information we process in connection with delivering the Services.

By using our Services or website, you acknowledge that you have read and understood this Privacy Policy. If you are using the Services on behalf of a business, you represent that you have the authority to bind that entity to this policy. Please read this policy carefully. If you have questions, contact us at info@zonitel.com.

2. Information We Collect

We collect information in several categories depending on how you interact with our Services:

Account Information

When you register for an account or subscribe to a plan, we collect information such as your full name, business name, email address, phone number(s), job title, billing address, and service address(es) for E911 registration. We may also collect information about your business size, industry, and communication needs to help us tailor the Services to you.

Communications Data

In providing our Services, we collect metadata associated with your communications. This includes call logs (date, time, duration, calling and called numbers), SMS/MMS message metadata (sender, recipient, timestamp, message status), and fax transmission records (sender, recipient, page count, status). Unless you or your account administrator explicitly enables call recording, we do not record or store the content of your voice calls. Where recording features are enabled, recordings are stored in accordance with your account settings and this Privacy Policy.

Technical Data

We automatically collect certain technical information when you access our Services, including your IP address, device type and model, operating system version, browser type and version, referring URLs, pages visited, time spent on pages, and other usage and interaction logs. We may also collect SIP device information, network configuration data, and diagnostic logs to help us maintain service quality and troubleshoot technical issues.

Payment Information

Payment transactions are processed through PCI-DSS Level 1 compliant third-party payment processors. We do not store your full credit card number, CVV, or other sensitive cardholder data on our systems. We retain limited payment identifiers (such as the last four digits of your card and card type) for billing reference and fraud prevention purposes. By providing payment information, you authorize our payment processor to charge your designated payment method as described in our Terms of Use.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Providing and Improving Services: To provision, operate, maintain, and enhance the features and functionality of the Services you have subscribed to, including routing calls, delivering messages, processing faxes, generating analytics, and operating AI-powered features.
• Billing and Account Management: To process payments, manage your subscription, send invoices, notify you of billing issues, and maintain accurate financial records.
• Customer Support: To respond to your inquiries, troubleshoot technical issues, and provide onboarding and training assistance.
• Service Communications: To send you important service-related notices, including maintenance alerts, security notifications, feature updates, and changes to our Terms or this Privacy Policy.
• Fraud Prevention and Security: To detect, investigate, and prevent fraudulent transactions, unauthorized access, abuse of the Services, and other security threats.
• Legal Compliance: To comply with applicable laws, regulations, legal processes, and governmental requests, including FCC regulations, TCPA requirements, subpoenas, and court orders.
• Analytics and Product Development: To analyze usage patterns and performance metrics to better understand how our Services are used and to develop new features and improvements.
• Marketing (with consent): To send you promotional communications about Zonitel's products and services where you have provided consent or where we have a legitimate interest in marketing our services to existing customers. You may opt out of marketing communications at any time.

4. Call Recording, AI Analytics & Generative AI

Zonitel offers optional call recording and AI analytics features as part of its advanced service tiers. These features are disabled by default and must be explicitly enabled by an authorized account administrator. When enabled, calls may be recorded, transcribed, and analyzed using AI models to generate insights such as sentiment analysis, keyword detection, call summaries, agent performance scoring, and customer interaction trends.

Call recording and AI transcription data is stored for the duration specified in your account settings (the customer-configurable retention period). Customers are solely responsible for complying with all applicable laws regarding call recording and notification requirements, including federal and state wiretapping and eavesdropping laws, many of which require the consent of all parties to a recorded call. Zonitel strongly advises customers to consult with legal counsel before enabling call recording features.

Generative AI Features

Some of Zonitel's AI features use large language models (LLMs) or other generative AI technologies to produce outputs such as call summaries, suggested responses, and automated transcripts. These features operate on your communications data solely to deliver the requested output to you. Zonitel does not use your call recordings, transcriptions, messages, or any other customer content to train, fine-tune, or improve AI or machine learning models — whether Zonitel's own or those of any third-party AI provider — without your express written consent.

AI-generated outputs are not guaranteed to be accurate and should not be relied upon as a substitute for human review in compliance-sensitive, medical, legal, or financial contexts. You may opt out of AI-powered features at any time by disabling them in your account settings or contacting us at info@zonitel.com. Data generated by AI analytics features is subject to the data retention and security practices described in this Privacy Policy.

5. SMS & Messaging Compliance

Zonitel provides SMS/MMS messaging capabilities subject to the requirements of the Telephone Consumer Protection Act (TCPA), the CAN-SPAM Act, and applicable carrier policies. As a business customer using Zonitel's messaging services, you are responsible for obtaining and maintaining proper opt-in consent from all message recipients before sending them any commercial or marketing messages.

Zonitel maintains records of messaging activity including opt-in timestamps, opt-out requests, and message delivery status to support your compliance obligations. Recipients of your business messages can opt out at any time by replying STOP to any message. Upon receipt of a STOP request, Zonitel's platform automatically processes the opt-out and logs it to your account's compliance records. You may also view and manage opt-out records through your account portal.

Additional opt-out keywords recognized by Zonitel's platform include UNSUBSCRIBE, CANCEL, END, and QUIT. You must not send messages to any number that has opted out. Zonitel reserves the right to suspend or terminate messaging capabilities for accounts that violate messaging compliance requirements or that generate excessive spam complaints or carrier blocks.

6. Information Sharing

We do not sell your personal information to third parties for advertising or marketing purposes. We share your information only in the following circumstances:

• Service Providers and Subprocessors: We engage trusted third-party service providers to assist us in delivering the Services. These include cloud infrastructure providers, payment processors, telephony carriers, email delivery services, analytics platforms, and customer support tools. All subprocessors are contractually required to handle your data in accordance with this Privacy Policy and applicable data protection laws. A list of our current subprocessors is available upon request.
• Legal Requirements: We may disclose your information when required to do so by law, including in response to valid subpoenas, court orders, warrants, or other legal process. We may also disclose information to comply with regulatory obligations (such as FCC requirements), respond to governmental inquiries, or cooperate with law enforcement. Where legally permissible, we will notify you of such disclosures.
• Business Transfers: In the event of a merger, acquisition, sale of assets, reorganization, or other business transfer involving Zonitel, your information may be transferred to the acquiring entity as part of that transaction. We will notify you of any such transfer and the resulting changes to this Privacy Policy via email or prominent notice on our website.
• Safety and Security: We may share information when we have a good-faith belief that doing so is necessary to protect the rights, property, or safety of Zonitel, our customers, or the public, or to prevent fraud, abuse, or illegal activity.
• With Your Consent: We may share your information with other third parties when you have given us explicit consent to do so.

7. CPNI (Customer Proprietary Network Information)

As a provider of telecommunications services, Zonitel is subject to Section 222 of the Communications Act (47 U.S.C. § 222) and FCC regulations governing the protection of Customer Proprietary Network Information (CPNI). CPNI is information that relates to the quantity, technical configuration, type, destination, location, and amount of use of telecommunications services you subscribe to, as well as information contained in bills relating to those services. CPNI does not include the content of your communications.

Zonitel uses CPNI to provision, maintain, and improve the telecommunications services you have subscribed to, to bill you accurately, and to protect you from fraudulent use of your account. We may also use CPNI, with your approval, to market additional Zonitel services that are related to the types of services you already receive. We will not use, disclose, or provide access to your CPNI for any other purpose without your prior express approval or as required by law.

You have the right to restrict Zonitel's use of your CPNI for marketing purposes. To exercise your opt-out right, or to approve use of your CPNI for marketing, please contact us at info@zonitel.com or call 833-966-4835. Your CPNI election will remain in effect until you change it. Restricting use of your CPNI will not affect Zonitel's ability to provide you with the services you have subscribed to, and you will not face any penalties for restricting our use of your CPNI.

8. Data Retention

We retain your information for as long as necessary to fulfill the purposes for which it was collected and to comply with our legal, regulatory, and business obligations. Our general data retention practices are as follows:

• Account Data: Retained for the duration of your active account plus 90 days following account termination, during which time you may request a copy of your data. After 90 days, account data is permanently deleted unless we are required by law to retain it longer.
• Call Logs and Metadata: Retained for a default period of 12 months from the date of the call. Customers may configure shorter retention periods in their account settings. Extended retention may be available for compliance or archiving purposes on applicable plans.
• Call Recordings and Transcriptions: Retained per customer-configured settings (when recording features are enabled). Default retention is 90 days unless the customer selects a longer period.
• SMS/MMS Logs: Retained for 12 months from the date of the message.
• Billing and Financial Records: Retained for a minimum of 7 years from the date of the transaction to comply with applicable tax and financial recordkeeping laws.
• Support Communications: Retained for 3 years from the date of the last interaction.

We may retain certain information longer than the periods listed above where required by law, regulation, or governmental order, or where necessary to resolve disputes or enforce our agreements.

9. Data Security

Zonitel employs a defense-in-depth approach to data security, implementing multiple layers of technical and organizational safeguards to protect your information against unauthorized access, disclosure, alteration, or destruction. Our security measures include:

• Encryption in Transit: All data transmitted between your devices and our platform is encrypted using TLS 1.2 or higher. Voice communications are encrypted using SRTP (Secure Real-time Transport Protocol).
• Encryption at Rest: Stored data, including account information, call logs, recordings, and backups, is encrypted using AES-256 encryption.
• Access Controls: Access to customer data is restricted to authorized Zonitel personnel on a need-to-know basis. Role-based access controls (RBAC) and the principle of least privilege are applied throughout our systems.
• Employee Training: All Zonitel employees undergo regular security awareness training and are required to sign confidentiality agreements covering customer data.
• Incident Response: We maintain a documented incident response plan and are committed to notifying affected customers promptly in the event of a confirmed data breach affecting their information.

Despite these measures, no security system is impenetrable. We cannot guarantee absolute security of your information. If you believe your account has been compromised, please contact us immediately at info@zonitel.com. For our full security practices, please see our Security page.

10. Your Rights (CCPA / GDPR)

Depending on your location and applicable law, you may have the following rights with respect to your personal information:

• Right to Know / Access: You have the right to request information about the categories and specific pieces of personal information we have collected about you, the purposes for which we use it, and the categories of third parties with whom we share it.
• Right to Deletion: You have the right to request that we delete personal information we have collected about you, subject to certain exceptions (such as data we are required to retain for legal compliance).
• Right to Correction: You have the right to request that we correct inaccurate personal information we hold about you.
• Right to Data Portability: You have the right to receive a copy of your personal information in a structured, machine-readable format, where technically feasible.
• Right to Opt Out of Sale: We do not sell your personal information. There is nothing to opt out of in this regard.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights. Exercising these rights will not result in denial of services, different prices, or a lower quality of service.
• Right to Restrict Processing (GDPR): Under certain circumstances, you may have the right to restrict how we process your personal data.
• Right to Object (GDPR): You have the right to object to our processing of your personal data for direct marketing purposes at any time.

To exercise any of these rights, please submit a written request to info@zonitel.com. We will respond to verifiable requests within 45 days (or as required by applicable law). We may need to verify your identity before processing your request.

11. Cookies & Global Privacy Control

Our website uses cookies and similar tracking technologies to enhance your browsing experience, analyze site traffic, and support marketing efforts. Cookies are small text files stored on your device that allow us to recognize you on return visits and provide a more personalized experience. We use strictly necessary cookies (required for basic site functionality), functional cookies (for preferences and settings), analytics cookies (for understanding site usage), and marketing cookies (for advertising and retargeting).

Global Privacy Control (GPC): We honor the Global Privacy Control signal. If your browser or browser extension has GPC enabled, we will treat that signal as a valid opt-out of the sale and sharing of your personal information for cross-context behavioral advertising purposes, as required by the California Privacy Rights Act (CPRA). You may enable GPC through your browser settings or a compatible browser extension.

For a full description of the cookies we use, their purposes, duration, and how to control them, please see our Cookie Policy.

12. Children's Privacy

Zonitel's Services are designed for business use and are not directed to individuals under the age of 13. We do not knowingly collect, use, or disclose personal information from children under 13. If we become aware that we have inadvertently collected personal information from a child under 13, we will take prompt steps to delete that information from our systems. If you believe we may have collected information from a child under 13, please contact us immediately at info@zonitel.com.

13. International Transfers

Zonitel is based in the United States, and our primary data processing activities occur within the United States. If you are located outside the United States, please be aware that information you provide to us will be transferred to and processed in the United States, where data protection laws may differ from those in your country.

EU-US Data Privacy Framework (DPF): For transfers of personal data from the European Union, European Economic Area, or United Kingdom to the United States, Zonitel complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce. Zonitel has certified its compliance with the EU-U.S. DPF Principles with respect to the processing of personal data received from the EU, UK, and Switzerland. If there is any conflict between the terms of this Privacy Policy and the DPF Principles, the Principles shall govern. To learn more about the DPF program, please visit dataprivacyframework.gov.

In addition to DPF compliance, Zonitel relies on Standard Contractual Clauses (SCCs) as approved by the European Commission as a supplementary transfer mechanism where applicable. If you have questions about international data transfers or would like a copy of applicable SCCs, please contact us at info@zonitel.com.

14. California Residents (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights regarding your personal information. These rights include the right to know what personal information we collect, use, and disclose; the right to delete your personal information (subject to certain exceptions); the right to correct inaccurate personal information; and the right to opt out of the sale or sharing of your personal information.

As stated above, Zonitel does not sell personal information within the meaning of the CCPA. We also do not share personal information for cross-context behavioral advertising purposes. California residents may submit privacy rights requests by emailing info@zonitel.com with the subject line "California Privacy Rights Request" or by calling 833-966-4835. We will respond within 45 calendar days. You may designate an authorized agent to submit a request on your behalf; the agent must provide proof of authorization. We will not discriminate against you for exercising your CCPA rights.

For the 12-month period prior to the effective date of this policy, Zonitel collected the categories of personal information described in Section 2 above. This information was used for the purposes described in Section 3 and disclosed to service providers as described in Section 6.

15. Zonitel Click to Call — Chrome Extension

Zonitel offers a browser extension called Zonitel Click to Call (available on the Chrome Web Store, extension ID: eokhioagmhabpagiooklkkmmaedpompc). This section specifically and comprehensively describes all user data the extension collects, how it is used, where it is stored, and with whom it is shared.

The extension provides two primary functions: (1) phone number detection and click-to-call on any web page, and (2) a full WebRTC-based softphone embedded in Chrome's Side Panel, enabling users to make and receive voice calls directly from the browser using the Zonitel phone system.

1. Microphone Access & Real-Time Voice Audio

The extension requests access to your device's microphone. Microphone access is required to make and receive voice calls through the built-in softphone. When you initiate or accept a call, the extension captures real-time audio from your microphone and transmits it to the remote call party via WebRTC (Web Real-Time Communication) using the Secure Real-time Transport Protocol (SRTP).

Audio processing applied to your microphone stream includes echo cancellation, noise suppression, and auto gain control. These are applied locally within your browser before transmission to improve call quality. Zonitel does not record, store, or retain the content of voice calls unless call recording is separately enabled by your account administrator in the Zonitel platform (see Section 4 of this Privacy Policy). The microphone is only active during an active call session.

Before the microphone is first accessed, the extension displays a dedicated permission request screen that explains the purpose of microphone access and asks the user to explicitly grant the permission through the browser's standard consent dialog. Microphone access will not occur without affirmative user consent.

2. WebRTC Network Data & TURN Server

The extension uses WebRTC for voice communication. As part of the WebRTC connection establishment process (ICE — Interactive Connectivity Establishment), the extension contacts Zonitel's TURN (Traversal Using Relays around NAT). During this process, your device's IP address (including local network IP) may be transmitted to the TURN server to establish the media path for your call. This is a standard and necessary part of WebRTC communication. Zonitel's TURN server is operated solely to route your call traffic and does not use IP data for any other purpose.

3. SIP Registration & Incoming Calls

When the softphone panel is open, the extension establishes a persistent, encrypted WebSocket connection (WSS) to Zonitel's SIP (Session Initiation Protocol) infrastructure. This connection registers your Zonitel extension number and enables the reception of incoming calls. Signaling data (call setup, hold, transfer, hang-up instructions) is exchanged over this connection. The connection is maintained only while the softphone Side Panel is open and does not persist after you close it. No audio is transmitted over the SIP signaling channel; audio travels via a separate WebRTC media path.

When an incoming call is received, the extension triggers a browser notification to alert you. These notifications use Chrome's standard notifications API and display the caller's number or name. You may disable these notifications at any time through Chrome's notification settings.

4. Phone Number Detection on Web Pages

The extension's content script runs on all web pages (http:// and https://) to identify phone number patterns in the visible text of each page. This processing occurs entirely within your browser. No page content is transmitted to Zonitel's servers. Detected phone numbers are highlighted and made clickable; when clicked, only the phone number itself is sent to Zonitel's API to initiate a call. Pages on your configured ignore list are excluded from phone number scanning.

5. Account Credentials & Authentication Data

To authenticate with Zonitel's platform, the extension stores the following data locally in chrome.storage.local (This locally stored data is used only to authenticate you, maintain your Zonitel session, and support the extension’s user-facing features. Zonitel does not sell this data or share it with third parties for advertising or marketing. Data from the extension is transferred only to Zonitel-operated infrastructure as necessary to provide the click-to-call and softphone features, for security and abuse prevention, or to comply with applicable law. Users can clear locally stored credentials at any time by signing out of the extension):

• Email address / username
• Authentication token and refresh token
• Token expiration
• ID (your Zonitel account identifier)
• Extension number and display name
• User preferences related to the extension experience

This locally stored data is used only to authenticate the user, maintain the user's Zonitel session, and support the extension's user-facing click-to-call and softphone features. Zonitel does not sell this data or share it with third parties for advertising or marketing. This data is stored locally on the user's device and is transmitted only to Zonitel-operated infrastructure as necessary to authenticate the user, maintain the session, provide the extension's features, support security and abuse prevention, or comply with applicable law. It is not transmitted to unrelated third parties. Users can clear locally stored session data at any time by signing out of the extension.

6. Call History & Contacts

The extension maintains a local call history of calls made and received during your session. This history is held in the extension's runtime memory and is cleared when the softphone panel is closed or the browser is restarted. The extension also retrieves your Zonitel contact list from Zonitel's servers (Api) to display caller names during calls. Contacts are fetched on demand and are not permanently cached locally by the extension.

7. Extension Settings & Preferences

User preferences — including your preferred dial format, ignored domains, ignored URLs, and custom number formats — are stored in chrome.storage.local. These settings do not contain call content or browsing history and are not transmitted to Zonitel's servers.

8. Data NOT Collected by the Extension

• The extension does not collect, transmit, or store your full browsing history or the URLs of pages you visit (only the domain is checked against your ignore list, locally).
• The extension does not read or transmit any page content other than detected phone number strings.
• The extension does not record voice calls unless call recording is explicitly enabled at the account level in the Zonitel platform.
• The extension does not use any third-party advertising, analytics SDKs, or tracking scripts.
• The extension does not access your camera.

9. Data Transmission & Third-Party Servers

The extension communicates exclusively with Zonitel-operated infrastructure:

• API Server — REST API for authentication, call initiation, and contact retrieval. All traffic is encrypted via HTTPS (TLS 1.2+).
• Zonitel SIP servers — SIP signaling via WebSocket Secure (WSS) for call setup and incoming call reception.
• www.zonitel.com — Zonitel's TURN server for WebRTC media relay, accessed via TURNS (TURN over TLS).

No extension data is transmitted to any third-party advertising platforms, data brokers, or analytics services.

10. Data Retention for Extension-Generated Data

Local credentials and settings persist in chrome.storage.local until you sign out. Session-based call history is cleared when the softphone panel is closed. Call log metadata generated by calls placed through the extension is stored on Zonitel's servers and follows the retention schedule in Section 8 (default: 12 months). Zonitel does not retain real-time audio beyond the duration of the call, unless recording is separately enabled.

11. Permissions Used

• storage: Stores authentication credentials, settings, and preferences locally.
• notifications: Displays incoming call alerts via Chrome notifications.
• activeTab: Detects phone numbers on the web page you are currently viewing.
• contextMenus: Adds a "Zonitel Click to Call" option to the browser right-click context menu for selected text.
• sidePanel: Hosts the softphone UI in Chrome's Side Panel.
• host_permissions (https://*/*): Allows the content script to detect phone numbers on any web page you visit.
• host_permissions (wss://*/*): Allows the extension to establish the WebSocket connection to Zonitel's SIP servers.
• Microphone (requested at runtime): Required to capture your voice for making and receiving calls. Requested explicitly before first use with a dedicated permission screen. Not used unless you actively use the softphone.

If you have questions about the extension's data practices, please contact us at info@zonitel.com.

12. Limited Use

Limited Use Disclosure for Zonitel Click to Call: The extension uses visible page text solely to detect phone number strings and uses microphone access, authentication data, signaling data, IP/WebRTC relay data, and contact data solely to provide its click-to-call and browser softphone features. Zonitel does not sell this data, use it for advertising, or transfer it except as necessary to provide these features, for security or abuse prevention, or to comply with applicable law. Zonitel personnel do not read page content, communications content, or other extension-derived user data except when you explicitly request support, when necessary for security investigation, or when required by law.

16. Biometric & Voice Data

Zonitel's platform may process voice data in connection with optional call recording and AI transcription features. Under the Texas Capture or Use of Biometric Identifier Act (CUBI, Tex. Bus. & Com. Code § 503.001 et seq.) and other applicable state biometric privacy laws, a voice recording used to identify an individual may constitute a biometric identifier.

What We Collect

When call recording and AI transcription features are enabled by an account administrator, Zonitel may process voice audio and derived transcriptions. Zonitel does not currently use voice data to generate standalone voiceprint profiles for identity verification purposes. If we introduce voiceprint-based authentication or identification features in the future, we will provide separate notice and obtain required consent before collecting such biometric identifiers.

Consent & Notice

Call recording features require explicit activation by an account administrator. Customers enabling these features are responsible for providing required consent notices to all call participants in accordance with applicable federal and state wiretapping laws and any applicable biometric privacy statutes. Zonitel provides configurable call recording announcement features to assist with this obligation.

Retention & Destruction

Voice recordings and transcriptions are retained per customer-configured settings (default: 90 days) as described in Section 8. We do not sell, lease, trade, or profit from any biometric data. Upon expiration of the applicable retention period or upon account termination, voice recordings are permanently and irreversibly deleted from Zonitel's systems.

Applicable Laws

Our biometric data practices are designed to comply with the Texas CUBI Act, as well as Illinois BIPA (740 ILCS 14/1 et seq.) and other state biometric privacy laws applicable to our customers' jurisdictions. Customers who are subject to stricter state biometric laws should ensure their Zonitel configuration and consent practices align with those requirements.

17. Sensitive Personal Information

Certain categories of personal information are classified as "sensitive" under the California Privacy Rights Act (CPRA), the Texas Data Privacy and Security Act (TDPSA), and other applicable state privacy laws. Zonitel may collect or process the following categories of sensitive personal information in the course of providing its Services:

• Precise geolocation data: Service address(es) and E911 location information collected during account setup.
• Communications content: The content of voice calls (when recording is enabled), SMS/MMS messages, and faxes transmitted through the platform.
• Account login credentials: Usernames, passwords, and authentication credentials used to access the Zonitel platform.
• Financial account information: Payment identifiers retained for billing reference purposes (processed through PCI-DSS Level 1 compliant processors — see Section 2).
• Health information: Only if a customer transmits protected health information (PHI) through the platform in connection with a signed Business Associate Agreement (see Section 20).

How We Use Sensitive Personal Information

Zonitel uses sensitive personal information only to provide and improve the Services you have requested, to ensure security and prevent fraud, to comply with legal obligations, and for other purposes disclosed at the time of collection. We do not use sensitive personal information to infer characteristics about you, and we do not sell or share sensitive personal information for cross-context behavioral advertising.

Right to Limit Use

California residents have the right to direct Zonitel to limit our use and disclosure of sensitive personal information to purposes necessary to perform the Services or as otherwise permitted by the CPRA. To exercise this right, please contact us at info@zonitel.com with the subject line "Limit Use of Sensitive Personal Information."

18. Do Not Sell or Share My Personal Information

Zonitel does not sell your personal information to third parties for monetary or other valuable consideration, and does not share your personal information for cross-context behavioral advertising purposes, within the meaning of the California Privacy Rights Act (CPRA), the Texas Data Privacy and Security Act (TDPSA), and other applicable state privacy laws.

Because we do not sell or share personal information in these ways, there is no opt-out required. However, we provide the following opt-out mechanisms in the interest of transparency:

• Targeted advertising opt-out: We do not use your personal information to serve you targeted advertising based on your activity across third-party websites or applications. If any analytics or marketing tools we use create a profile for advertising purposes, you may opt out by contacting us at info@zonitel.com.
• Global Privacy Control (GPC): We honor GPC signals as described in Section 11.
• CPNI marketing opt-out: You may restrict our use of your Customer Proprietary Network Information (CPNI) for marketing purposes as described in Section 7.

If you have questions about our data sharing practices, please contact us at info@zonitel.com.

19. Texas & Other US State Privacy Rights

Texas Residents — Texas Data Privacy and Security Act (TDPSA)

The Texas Data Privacy and Security Act (TDPSA), effective July 1, 2024, grants Texas residents the following rights with respect to their personal data processed by Zonitel:

• Right to Access: You may confirm whether Zonitel processes your personal data and request access to the specific personal data we hold about you.
• Right to Correction: You may request that we correct inaccuracies in your personal data.
• Right to Deletion: You may request that we delete personal data we have collected from or about you, subject to applicable exceptions.
• Right to Data Portability: You may request a copy of your personal data in a portable and, to the extent technically feasible, readily usable format.
• Right to Opt Out of Sale: You may opt out of the sale of your personal data. Zonitel does not sell personal data.
• Right to Opt Out of Targeted Advertising: You may opt out of the processing of your personal data for targeted advertising. Zonitel does not engage in such processing.
• Right to Opt Out of Profiling: You may opt out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning you. Zonitel does not engage in such profiling.
• Right to Appeal: If we decline to take action on your privacy rights request, you may appeal that decision by submitting a written appeal to info@zonitel.com. We will respond to your appeal within 60 days. If your appeal is denied, you may submit a complaint to the Texas Attorney General.

To exercise your TDPSA rights, please submit a verifiable request to info@zonitel.com with the subject line "Texas Privacy Rights Request." We will respond within 45 days, with a possible 45-day extension where reasonably necessary.

Residents of Other US States

Residents of the following states have privacy rights that Zonitel honors to the extent applicable: Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Oregon (OCPA), Montana (MCDPA), Delaware (DPDPA), Iowa (CDPA), Indiana (CDPA), Tennessee (TIPA), New Hampshire (NHPA), New Jersey (NJDPA), Nebraska (NDPA), Minnesota (MCDPA), Maryland (MODPA), Rhode Island (DPPCA), and Kentucky (KCDPA).

While the specific rights and thresholds vary by state, these laws generally grant residents similar rights to access, correct, delete, and obtain a portable copy of their personal data, as well as the right to opt out of the sale of personal data, targeted advertising, and certain profiling. Zonitel does not sell personal data, share it for cross-context behavioral advertising, or use it for significant profiling, so most opt-out rights are moot in our context. However, you may exercise any applicable access, correction, deletion, or portability right by contacting us at info@zonitel.com. We will respond as required by the law applicable to your state of residence.

20. HIPAA & Healthcare Customers

Zonitel offers HIPAA-compliant service configurations for healthcare organizations and other entities subject to the Health Insurance Portability and Accountability Act (HIPAA). Customers operating in regulated healthcare environments — including covered entities and their business associates — may require a signed Business Associate Agreement (BAA) with Zonitel before transmitting or storing Protected Health Information (PHI) through the platform.

Business Associate Agreement (BAA)

Zonitel will enter into a BAA with qualified customers upon request. A BAA governs the handling, use, and safeguarding of PHI processed through Zonitel's Services and is required under HIPAA before any PHI may be transmitted through our platform. To request a BAA, please contact us at info@zonitel.com with the subject line "BAA Request."

PHI Handling

Under a signed BAA, Zonitel agrees to: use and disclose PHI only as permitted by HIPAA and the BAA; implement appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of PHI; report any discovered breach of unsecured PHI to the covered entity in accordance with HIPAA's Breach Notification Rule; and ensure that any subcontractors that create, receive, maintain, or transmit PHI on Zonitel's behalf agree to the same restrictions and conditions.

Important: Zonitel's standard service plans are not configured for HIPAA compliance by default. Customers with HIPAA obligations must contact Zonitel to activate HIPAA-compliant settings and execute a BAA before transmitting any PHI. Transmitting PHI through the standard service without a BAA is a violation of our Terms of Use.

21. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Services we offer. When we make material changes, we will provide notice by sending an email to the address associated with your account and/or by posting a prominent notice on our website. Minor or clarifying changes may be made without direct notification.

The "Last Updated" date at the top of this policy will always reflect the date of the most recent revision. We encourage you to review this policy periodically to stay informed about how we protect your information. Your continued use of the Services after any changes to this Privacy Policy become effective constitutes your acceptance of the updated policy.

22. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data handling practices, please contact our Privacy team: