Privacy Policy

1. Introduction and Commitment

NextWave Automation ("NextWave," "we," "us," or "our") is committed to protecting the privacy and security of personal information in all aspects of our operations. This Privacy Policy ("Policy") explains how we collect, use, disclose, retain, and safeguard personal information in compliance with the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 ("PIPEDA"), Canada's Anti-Spam Legislation, S.C. 2010, c. 23 ("CASL"), and all other applicable federal and provincial privacy and communications statutes.

By accessing our website at nextwaveautomation.ca or using any of our services (collectively, the "Services"), you acknowledge that you have read, understood, and agreed to the collection and handling of personal information as described in this Policy.

2. Definitions

For purposes of this Policy, the following terms have the meanings set out below:

• Client: Any business entity or individual that contracts with NextWave Automation for Services.
• End User: Any individual whose personal information is collected or processed through our automated systems on behalf of a Client.
• Personal Information: Has the meaning ascribed to it under PIPEDA, and includes any information about an identifiable individual, excluding business contact information used solely for business-to-business communications as permitted under applicable law.
• Privacy Officer: The individual designated by NextWave Automation to oversee compliance with this Policy and applicable privacy legislation.
• Services: The AI-powered automation tools, voice agents, chatbot systems, customer relationship management integrations, lead generation systems, and all related services provided by NextWave Automation.

3. Scope of This Policy

This Policy applies to:

• Personal information collected directly from visitors to our website and prospective Clients;
• Personal information provided by Clients in connection with their use of our Services; and
• Personal information of End Users collected or processed through our automated systems on behalf of Clients.

This Policy does not govern the employment or HR practices of NextWave Automation, which are subject to separate internal policies and applicable employment legislation.

4. Accountability and Privacy Officer

NextWave Automation has designated a Privacy Officer who is responsible for overseeing our compliance with PIPEDA, CASL, and this Policy. The Privacy Officer is the first point of contact for all privacy-related inquiries, access requests, correction requests, and complaints.

5. Information We Collect

We collect only the personal information that is necessary to fulfill the identified purposes set out in this Policy. We may collect the following categories of information:

• Client and Business Contact Information: Names, job titles, business names, mailing and email addresses, and telephone numbers.
• Billing and Financial Information: Payment details (processed by our third-party payment processor), invoicing information, and billing addresses. We do not store full payment card numbers on our systems.
• End User Data: Names, telephone numbers, email addresses, and other information voluntarily submitted by End Users through automated systems deployed on behalf of Clients.
• Communications Data: Records of interactions between End Users and our automated systems, including voice call recordings, call transcripts, and chat logs, to the extent required to deliver, support, and improve the Services. Where voice calls are processed through AI voice agents, such calls may be recorded and stored as personal information subject to this Policy.
• Technical and Usage Data: IP addresses, browser type and version, referring URLs, pages visited, session duration, and other analytics data collected through cookies and similar technologies.

We do not knowingly collect sensitive personal information — such as social insurance numbers, health information, or financial account credentials — unless expressly required for a specific purpose and specifically consented to by the individual.

6. How We Use Personal Information

We use personal information only for the purposes identified at or before the time of collection, which include:

• Providing, administering, and continuously improving our Services;
• Processing and fulfilling contractual obligations to Clients;
• Communicating with Clients and End Users regarding their inquiries, accounts, or service-related matters;
• Processing billing, invoicing, and payments;
• Detecting, investigating, and preventing fraudulent, unauthorized, or illegal activities;
• Complying with applicable legal, regulatory, and audit obligations; and
• Sending administrative, transactional, or commercial electronic messages, subject to consent requirements under CASL.

We do not sell, rent, trade, or otherwise disclose personal information to third parties for their own marketing purposes under any circumstances.

7. Consent

8. Electronic Communications and CASL Compliance

NextWave Automation fully complies with Canada's Anti-Spam Legislation (CASL). Commercial electronic messages — including promotional emails and SMS communications — are sent only to recipients from whom we have obtained express or implied consent as defined under CASL. Each commercial electronic message sent by NextWave Automation includes: (a) clear identification of NextWave Automation as the sender; (b) accurate contact information; and (c) a functioning unsubscribe mechanism.

9. Disclosure of Personal Information

We do not disclose personal information except in the following circumstances:

• Service Providers: We may engage third-party vendors to provide services on our behalf, such as cloud hosting, data storage, payment processing, and communications infrastructure. All service providers are contractually required to maintain privacy and security standards no less protective than those in this Policy and to use personal information only for the purposes for which it was disclosed.
• Clients: Personal information collected through our Services on behalf of a Client is made available to that Client in accordance with the applicable service agreement.
• Legal and Regulatory Requirements: We may disclose personal information where required by applicable law, regulation, court order, or lawful request from a government authority, or where we believe disclosure is reasonably necessary to protect our rights, the rights of individuals, or public safety.
• Business Transfers: In connection with a merger, acquisition, sale of assets, or corporate reorganization, personal information may be disclosed to prospective or actual successors, subject to confidentiality obligations. Affected individuals will be notified of any material change in the handling of their personal information.

We do not disclose personal information for any purpose other than those identified in this Policy without prior consent from the affected individual or as otherwise permitted by law.

10. Cross-Border Data Transfers

Personal information collected through our Services may be transferred to, stored in, and processed in jurisdictions outside of Canada, including the United States, where certain third-party service providers maintain their infrastructure. When personal information is transferred outside Canada, it becomes subject to the laws of the receiving jurisdiction, including lawful access by foreign governments or courts.

We take reasonable contractual steps to ensure that service providers in other jurisdictions maintain privacy and security safeguards comparable to those required under PIPEDA. By using our Services or providing personal information to us, you acknowledge and consent to the transfer of your information outside of Canada as described herein. Clients and End Users located in the United States should be aware that their personal information may be subject to applicable U.S. federal and state privacy laws, including the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.) where applicable. NextWave Automation will update this Policy as required to reflect obligations arising under applicable U.S. state privacy legislation as its operations expand into U.S. markets.

11. Security Safeguards

We implement administrative, technical, and physical safeguards appropriate to the sensitivity of the personal information we hold. These measures include, but are not limited to:

• Encryption of personal information in transit using TLS/SSL protocols and at rest using industry-standard encryption;
• Role-based access controls and least-privilege access policies to limit access to authorized personnel only;
• Multi-factor authentication for access to systems that store or process personal information;
• Regular security assessments, vulnerability testing, and system audits; and
• Privacy and security training for all personnel who handle personal information.

While we take reasonable and industry-standard steps to protect personal information against unauthorized access, disclosure, copying, use, or modification, no security system is completely impenetrable. We cannot guarantee the absolute security of information transmitted over the internet and are not liable for unauthorized access, disclosure, or misuse resulting from circumstances beyond our reasonable control.

12. Breach of Security Safeguards

In the event of a breach of security safeguards involving personal information that gives rise to a real risk of significant harm to one or more individuals, NextWave Automation will, as required by PIPEDA and the Breach of Security Safeguards Regulations, SOR/2018-64:

• Notify the Office of the Privacy Commissioner of Canada as soon as feasible following the determination that a reportable breach has occurred;
• Directly notify all affected individuals as soon as feasible; and
• Maintain a written record of every breach of security safeguards for a minimum of twenty-four (24) months from the date the breach was determined.

13. Data Retention

Personal information is retained only for as long as necessary to fulfill the purposes described in this Policy, to maintain business and financial records, or as required by applicable law or contractual obligation. Upon expiry of the applicable retention period, personal information is securely destroyed, deleted, or anonymized in a manner appropriate to the sensitivity of the information.

General retention guidelines are as follows:

• Client account and contractual records: Retained for the duration of the business relationship and for a minimum of seven (7) years thereafter, to satisfy applicable tax, corporate, and legal obligations.
• End User data: Retained in accordance with the applicable Client service agreement, or for a maximum of twelve (12) months following the date of collection, unless a longer period is required by law.
• Inquiry and communications records: Retained for a period of two (2) years following the last interaction.

Individuals may submit a written request for the earlier deletion or anonymization of their personal information to [email protected]. Such requests will be considered in accordance with PIPEDA, including any applicable legal exceptions.

14. Individual Rights: Access, Correction, and Portability

Subject to applicable legal exceptions, individuals have the following rights with respect to their personal information held by NextWave Automation:

• Right of Access: To request information about whether we hold personal information about you, and to receive a copy of that information, including a description of how it has been used and disclosed.
• Right of Correction: To request that inaccurate, incomplete, or out-of-date personal information be corrected or annotated.
• Right of Portability: To request, where technically feasible, a copy of your personal information in a structured, commonly used, machine-readable format. NextWave Automation provides this right on a voluntary basis in anticipation of applicable legislative developments, including Canada's proposed Consumer Privacy Protection Act. The scope and legal basis of this right will be updated as applicable legislation comes into force.

Requests must be submitted in writing to [email protected]. We will acknowledge receipt and respond substantively within thirty (30) days, as required by PIPEDA. Where an extension is required due to the volume or complexity of the request, we will provide written notice of the extension and the reason within the initial thirty-day period, in accordance with applicable law.

We reserve the right to decline access requests in whole or in part where permitted by law — for example, where compliance would reveal confidential commercial information, information about other identifiable individuals, or information subject to solicitor-client privilege. Where a request is declined, we will provide written reasons for the refusal and inform the requester of their right to seek a review by the Office of the Privacy Commissioner of Canada.

15. Accuracy of Personal Information

We take reasonable steps to ensure that personal information is accurate, complete, and current as required for the purposes for which it is used. Clients and individuals are encouraged to promptly notify us of any changes to their personal information to ensure that our records remain accurate. Correction requests will be handled in accordance with Section 14 above.

15A. Automated Processing and AI Systems

NextWave Automation provides AI-powered tools that process personal information through automated systems, including voice agents and chatbots, to respond to inquiries, capture lead information, and facilitate business communications on behalf of Clients. These systems do not make legally significant or consequential decisions about individuals without human review. The outputs of our automated systems — including call transcripts, chat responses, and captured lead data — are provided to Clients for their review and use. NextWave Automation does not independently use automated processing to evaluate, profile, or make decisions about End Users for any purpose beyond the delivery of the Services. Clients are solely responsible for ensuring that their use of automated outputs complies with all applicable laws and does not result in unlawful automated decision-making affecting their End Users.

16. Cookies and Tracking Technologies

Our website may use cookies, web beacons, pixel tags, and similar tracking technologies to enhance user experience, analyze site performance, and support service delivery. Cookies used on our website may include:

• Essential cookies: Strictly necessary for the operation of our website and cannot be disabled without affecting core functionality.
• Analytics cookies: Used to understand how visitors interact with our website, including pages viewed and session duration. This data is aggregated and anonymized where possible.
• Preference cookies: Used to remember user settings and preferences across visits.

We do not use cookies to build advertising profiles, track users across third-party websites, or sell data to advertisers or third parties.

Users may configure their browser settings to refuse or delete cookies at any time; however, disabling certain cookies may affect the functionality of portions of our website. Where consent is required for the use of non-essential cookies under applicable law, NextWave Automation will implement a cookie consent mechanism on its website to obtain such consent prior to deploying non-essential cookies.

17. Third-Party Links and Services

Our website may contain links to third-party websites or services that are not owned or controlled by NextWave Automation. This Policy does not govern the privacy practices of those third parties, and we are not responsible for their content, privacy policies, or practices. We encourage all users to review the privacy policies of any third-party websites they access before submitting personal information.

18. Children's Privacy

Our Services are designed exclusively for use by businesses and their authorized adult representatives. We do not knowingly collect personal information from individuals under the age of sixteen (16). If we become aware that personal information has been inadvertently collected from a minor, we will take prompt steps to delete such information from our records. If you have reason to believe that a minor has provided personal information to us, please contact us immediately at [email protected].

19. Our Role as Service Provider

When NextWave Automation processes personal information on behalf of a Client, we act in the capacity of a service provider or data processor — not as the principal collector or controller of that information. In such circumstances:

• Our processing activities are governed solely by the applicable service agreement with the Client;
• The Client is responsible for determining the purposes and means of collection and for obtaining all required consents from End Users; and
• NextWave Automation processes personal information only in accordance with Client instructions and applicable law, and does not use such information for its own independent purposes.

Clients are independently responsible for their compliance with PIPEDA, CASL, and all other applicable privacy and communications legislation in connection with their deployment and use of our Services.

20. Updates to This Policy

We reserve the right to update or amend this Policy from time to time to reflect changes in our business practices, the Services we offer, or applicable laws and regulations. Any updates will be posted on our website at nextwaveautomation.ca with a revised "Last Reviewed" date. Where changes are material, we will take reasonable steps to provide prior notice, which may include posting a prominent notice on our website or sending a direct communication to affected Clients. Continued use of our Services following the posting of any amendments constitutes your acceptance of the revised Policy.

21. Filing a Complaint

We are committed to resolving all privacy concerns promptly and fairly. If you have a complaint regarding our handling of your personal information, please contact our Privacy Officer in the first instance using the contact information in Section 4 above. We will acknowledge your complaint within five (5) business days and respond substantively within thirty (30) days.

If your complaint is not resolved to your satisfaction after engaging with our Privacy Officer, you have the right to escalate your complaint to the Office of the Privacy Commissioner of Canada:

22. Contact Us

For all privacy inquiries, access requests, correction requests, or to exercise any rights described in this Policy, please contact: