Privacy Policy

Core Enterprise LLC, a Florida limited liability company doing business as NeuralDesk ("NeuralDesk," "we," "our," or "us"), operates the website at www.neuraldesk.usand provides AI-powered call automation, lead capture, appointment scheduling, CRM integration, and digital marketing services (the "Services"). This Privacy Policy describes how we collect, use, disclose, retain, and protect personal information in connection with our website and Services.

This Policy applies to: (a) business clients who contract with us for the Services; (b) End Users — the customers, patients, prospects, and other individuals who interact with AI Voice Agents operated on behalf of our clients; (c) visitors to our website; and (d) any other individual whose personal information we process in connection with our business operations.

By accessing our website or using our Services, you acknowledge that you have read and understood this Policy. If you do not agree, please discontinue use of our website and Services immediately. For clients, this Policy is incorporated by reference into the Terms of Service.

This Policy should be read alongside our companion compliance documents, each of which governs a specific aspect of our operations: (a) Terms of Service — governing the contractual relationship with clients; (b) TCPA Compliance Addendum — governing AI Voice Agent calling obligations; (c) Business Associate Agreement (BAA) — governing the handling of Protected Health Information; and (d) Data Processing Agreement (DPA) — governing data processing arrangements for international clients subject to GDPR or similar regimes. Where any companion document conflicts with this Policy on a specific subject matter, the companion document controls.

We reserve the right to modify this Policy at any time. For material changes, we will provide notice by: (a) posting the updated Policy at www.neuraldesk.us/privacy with a revised effective date; (b) sending email notice to clients' addresses on file; and/or (c) displaying a prominent banner on our website. Your continued use of our Services after the effective date constitutes acceptance of the revised Policy.

When you fill out our contact or demo request form, execute a service agreement, or otherwise communicate with us, we may collect: full name and job title; business name and industry; business and personal email addresses; phone numbers (business and mobile); estimated monthly call volume and business size; business challenges, goals, and pain points as described in intake forms; billing and payment information (processed exclusively by third-party payment processors — we do not store full card numbers); and any other information you voluntarily provide.

Our core service involves AI-powered Voice Agents that handle telephone calls on behalf of our clients. In the course of providing these Services, we collect and process on behalf of our clients: full audio recordings of telephone conversations; transcriptions generated by automated speech-to-text systems; AI-generated call summaries, lead qualification scores, and intent notes; caller name, telephone number, email, and other personal information provided verbally during calls; service interest, budget, timeline, and purchasing intent data captured during calls; caller's preferred language and geographic indicators; and call metadata including duration, timestamp, call outcome, transfer history, and opt-out signals.

Notice: Callers interacting with AI Voice Agents are informed via an opening disclosure that they are speaking with an automated system and that the call may be recorded. Call recording disclosures are governed by applicable federal and state law, including all-party consent requirements. Clients are solely responsible for ensuring legally compliant disclosures.

When you visit our website, we automatically collect through cookies, pixels, and similar technologies: IP address and approximate geolocation (city/region level); browser type, version, and operating system; device type, identifiers, and screen resolution; pages visited, time on page, click path, and exit pages; referring URL and traffic source; session duration and interaction data; and cookie identifiers and similar tracking tokens.

With client authorization, we receive or synchronize information from third-party platforms connected to our Services, including: CRM systems (HubSpot, Salesforce, Pipedrive, GoHighLevel, Close.io, ActiveCampaign, Monday.com); calendar platforms (Google Calendar, Calendly); telephony and communication platforms (Twilio, Aircall, Zendesk); and any other platforms authorized by the client during onboarding and integration.

We do not intentionally collect: Social Security Numbers or government-issued identification numbers; full payment card numbers (handled exclusively by PCI-DSS-compliant payment processors); biometric data (other than voice recordings where legally disclosed); or personal information from individuals we know to be under 18 years of age.

We use personal information to: configure, operate, and improve AI Voice Agents on behalf of clients; qualify leads, schedule appointments, and log call outcomes; route calls to human agents when required by client configuration; sync call recordings, transcripts, and lead data to client CRM and calendar systems; and send confirmation messages and follow-up communications as directed by clients.

We use personal information to: process client onboarding, contracting, invoicing, and account management; respond to inquiries, demo requests, and support tickets; communicate service updates, billing notices, and operational information; and conduct sales and marketing outreach to business prospects (B2B only).

We use aggregated, de-identified, and anonymized data to analyze call patterns and AI Voice Agent performance, monitor system uptime and security, generate performance benchmarks, and train and refine AI models. We do not train AI models using identifiable personal information of specific individuals without appropriate consent.

We use personal information to comply with applicable law, maintain records as required, enforce our Terms of Service, respond to lawful requests and government investigations, and protect the rights, property, and safety of our company, clients, and third parties.

Processing is necessary to perform our contractual obligations under the Terms of Service and applicable Order Forms.

Processing is necessary for legitimate business interests — improving our Services, preventing fraud, ensuring security, and conducting B2B sales — provided such interests are not overridden by individuals' privacy rights and fundamental freedoms.

Processing is necessary to comply with legal obligations, including responding to lawful governmental requests, retaining records, and fulfilling Breach Notification requirements.

Where required by law — including for certain marketing communications, call recording in all-party consent states, and international data transfers where no other basis applies — we obtain express prior consent. Consent may be withdrawn at any time at privacy@neuraldesk.us.

NeuralDesk operates AI Voice Agent calling systems subject to the Telephone Consumer Protection Act (47 U.S.C. § 227), FCC regulations (47 C.F.R. Part 64), and applicable state telemarketing laws. Comprehensive TCPA compliance obligations are set forth in our TCPA Compliance Addendum, which is a required companion document for all clients subscribing to AI Call Automation services.

In our own name (not on behalf of clients), NeuralDesk does not initiate marketing calls using automated dialing systems without prior express written consent. We honor all opt-out requests within ten (10) business days. We maintain an internal Do Not Call suppression list. Our AI agents disclose their automated nature when required by applicable law.

Clients who use our AI Call Automation services are solely responsible for obtaining and documenting all required consents, complying with applicable DNC registry requirements, and obtaining required state telemarketing registrations.

All calls handled by our AI Voice Agents may be recorded for quality assurance, transcription, and service delivery. Callers are notified through an opening disclosure. In states requiring all-party consent (including California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, and Washington), clients are responsible for ensuring legally adequate consent is obtained.

When our Services involve PHI as defined under HIPAA (45 C.F.R. Parts 160 and 164), we operate as a Business Associate of the Covered Entity client. Comprehensive HIPAA obligations are set forth in our BAA, which must be fully executed before any PHI is transmitted.

When processing PHI under an executed BAA, NeuralDesk: handles PHI solely for Permitted Purposes; limits access to personnel with legitimate need-to-know; implements administrative, physical, and technical safeguards required by the HIPAA Security Rule; and does not use or disclose PHI beyond those purposes authorized in the BAA.

NeuralDesk's Services are not intended to receive PHI in the absence of a fully executed BAA. Healthcare clients should contact info@neuraldesk.us to initiate the BAA process before commencing services.

Call recordings, transcripts, lead data, and caller information collected by AI Voice Agents are collected on behalf of, and shared with, the client for whose account the AI Voice Agent operates. Such data is owned by the client.

We engage vetted third-party vendors under written data processing agreements: cloud infrastructure and hosting providers; AI and speech-to-text processing vendors; telephony providers (including Twilio); CRM and calendar partners; payment processors (billing data only — no PHI or call content); and website analytics tools.

We may disclose personal information when required by law, regulation, subpoena, court order, search warrant, or other legal process, with notice to affected parties where legally permissible.

If NeuralDesk is involved in a merger, acquisition, asset sale, financing, reorganization, or change of control, personal information may be transferred as part of that transaction.

We may share personal information with third parties not described in this Policy if we obtain your express prior consent.

We may share aggregated or anonymized data — which cannot reasonably identify any individual — for research or in published benchmarks, without restriction.

Retained for a minimum of twelve (12) months from the date of the call. Recordings subject to legal hold are retained until the matter is resolved. Healthcare call recordings involving PHI are subject to BAA and HIPAA retention (minimum six (6) years).

Retained for the duration of the client relationship and for twenty-four (24) months following termination, unless deletion is requested earlier or required by law.

Retained on a rolling twenty-four (24) month basis. Aggregated, de-identified analytics data may be retained indefinitely.

Retained for a minimum of seven (7) years to comply with federal and state tax, accounting, and financial recordkeeping obligations.

Data subject to ongoing or anticipated litigation, regulatory investigation, or government inquiry is retained until the matter is fully resolved.

Upon expiration of applicable retention periods, personal information is securely deleted using industry-recognized methods, or anonymized so that it can no longer be linked to an identifiable individual.

We implement commercially reasonable technical safeguards: encryption in transit using TLS 1.2 or higher; encryption at rest using AES-256 or equivalent; role-based access controls; multi-factor authentication for administrative systems; and automated intrusion detection and anomaly monitoring.

We maintain written information security policies, conduct security awareness training, perform periodic risk assessments, and maintain an incident response plan.

We implement physical access controls for facilities housing systems that process personal information, including badge access, visitor logging, and secure workstation policies.

In the event of a confirmed data security breach, we will notify you as required by applicable law, including the Florida Information Protection Act (F.S. § 501.171), the CCPA, and other state breach notification statutes.

No method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security. Notify us at privacy@neuraldesk.us of any suspected unauthorized access.

Request that we disclose categories of personal information collected, sources, business or commercial purpose, categories of third parties with whom we share, and specific pieces of personal information collected about you.

Request deletion of personal information we have collected about you, subject to legal exceptions.

Request correction of inaccurate personal information we maintain about you.

NeuralDesk does not sell personal information as defined under the CCPA. NeuralDesk does not share personal information for cross-context behavioral advertising. Accordingly, no opt-out is required for these specific practices.

You may request that we limit our use and disclosure of sensitive personal information to purposes necessary to perform our Services or as otherwise permitted by law.

We will not discriminate against you for exercising your CCPA/CPRA rights.

Submit rights requests by email to privacy@neuraldesk.us or via our contact form. We will verify your identity and respond within forty-five (45) days, with one (1) forty-five day extension where reasonably necessary.

You may designate an authorized agent. We require written authorization signed by you, plus verification of your identity directly before processing through the agent.

Identifiers; commercial information; internet or other electronic network activity; audio, electronic, or visual information (call recordings, voice transcriptions); professional or employment-related information; and inferences drawn from the above.

Effective July 1, 2024 (F.S. § 501.701 et seq.). Florida consumers have the rights to access, correct, delete, obtain a portable copy, and opt out of sale, targeted advertising, and significant-effect profiling. Contact privacy@neuraldesk.us; we will respond within forty-five (45) days.

Virginia residents have rights under Va. Code § 59.1-575 et seq. — access, correct, delete, obtain a copy of, and opt out of certain processing. We will respond within forty-five (45) days.

Colorado (C.R.S. § 6-1-1301 et seq.) and Connecticut (Conn. Gen. Stat. § 42-515 et seq.) residents have rights to access, correct, delete, opt out, and data portability.

Texas residents have rights under Tex. Bus. & Com. Code § 541 et seq., effective July 1, 2024.

Residents of other states with comprehensive privacy laws (including Montana, Iowa, Indiana, Tennessee, and Oregon) may have similar rights. Contact privacy@neuraldesk.us.

(a) Strictly Necessary — required for the website to function (cannot be disabled). (b) Analytics — to understand how visitors interact with our website. (c) Marketing — to measure advertising effectiveness and deliver relevant B2B advertising. (d) Preference — to remember your settings.

You may control cookies through your browser settings. A cookie preference centre is available below for granular control of non-essential cookies.

We do not currently respond to Do Not Track (DNT) browser signals, as no uniform DNT standard has been adopted by regulatory bodies. For analytics opt-out, install the Google Analytics Opt-Out Browser Add-On at tools.google.com/dlpage/gaoptout.

Our website may include pixels, tags, or tracking scripts from third parties. We do not control third-party tracking technologies and encourage you to review each third party's privacy policy.

Our Services are directed exclusively to businesses and their adult representatives. We do not knowingly collect personal information from individuals under 18.

If we become aware that we have inadvertently collected personal information from a Minor without verifiable parental consent, we will promptly delete it. Contact privacy@neuraldesk.us with the subject line "Minor Data Removal Request."

Core Enterprise LLC d/b/a NeuralDesk is domiciled in Florida. Personal information collected through our Services is stored and processed in the United States.

If you access our Services from outside the United States, your personal information will be transferred to, stored, and processed in the United States. We implement appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA, the UK, or Switzerland.

For data processed in connection with individuals in the EEA, UK, or Switzerland, we process such data in accordance with GDPR or equivalent law. Clients requiring a DPA should contact privacy@neuraldesk.us.

Our website may contain hyperlinks to third-party websites. Our Services integrate with numerous third-party platforms. This Policy applies solely to personal information processed directly by NeuralDesk.

We encourage you to review the privacy policies of any third-party platform with which you interact in connection with our Services.

(a) Posting the updated Policy at www.neuraldesk.us/privacy with a new effective date; (b) email notice to client accounts on file; or (c) a prominent banner on our website homepage for at least thirty (30) days.

Your continued use of our website or Services after the effective date constitutes acceptance of the updated Policy.

Prior versions of this Policy are available upon written request to privacy@neuraldesk.us.

We acknowledge all privacy rights requests within five (5) business days and respond within the timeframe required by applicable law, and in no case later than forty-five (45) days.

You have the right to lodge a complaint with the applicable regulatory authority — the FTC at ftc.gov/complaint, the CPPA at cppa.ca.gov, the Florida AG at myfloridalegal.com, or your state's attorney general office. We encourage you to contact us first.

This Privacy Policy is governed by Florida law and applicable federal law.

Disputes not subject to arbitration under our Terms of Service shall be resolved exclusively in state and federal courts located in Pinellas County, Florida.

Nothing in this Section limits your right to file a complaint with any applicable data protection authority or regulatory body.