Legal

Privacy Policy

Last updated: May 14, 2026

This Privacy Policy describes how Champ AI Systems, Inc. ("Champ", "we," "us," or "our") collects, uses, discloses, and protects personal information when you visit our websites, use our products and services (including our AI voice agents and operations automation platform), interact with us at events, or otherwise engage with us (collectively, the "Services").

Champ is a B2B platform. Most personal information we process is provided to us by our enterprise customers (such as healthcare providers, delivery companies, professional employer organizations, and other operations teams) acting as data controllers. In those cases, Champ acts as a data processor and our customer's own privacy policy governs the relationship with end users. This Privacy Policy primarily addresses (a) our direct collection from website visitors and our customers' authorized users, and (b) general transparency about how the platform processes data.

If you are an end user whose personal information has been provided to Champ by one of our customers (for example, a patient of a Champ customer, or a recipient of a call from a Champ-powered voice agent), please direct rights requests and inquiries to the customer that holds the relationship with you. We will assist that customer in responding to your request.

Categories of information we process

Depending on how you interact with Champ, we may process the following categories of personal information:

  • Identifiers and contact information — name, email, phone number, employer, job title, business address.
  • Account and authentication data — credentials, login timestamps, session identifiers, multi-factor authentication tokens.
  • Customer Content and connected-system data — tickets, conversation logs, CRM and helpdesk data, and other information you (or your employer) authorizes Champ to access through integrations (such as Zendesk, Intercom, Salesforce, Slack, and similar systems).
  • Voice and call data — when you use or interact with Champ's voice agents, we may process the audio of telephone calls, real-time call streams, voice recordings (where permitted by law and where recording is enabled by the customer), call transcripts, conversation transcripts, call metadata (caller and called numbers, timestamps, duration, SIP signaling data), and DTMF tones.
  • Sensitive personal information — voice prints and other audio characteristics derived from a call may constitute biometric information under certain laws (including the California Privacy Rights Act). Where customers configure Champ to handle protected health information (PHI), Champ processes PHI under a Business Associate Agreement (BAA). We process sensitive personal information only as needed to provide the Services, and we do not use it for purposes that would require an additional notice or right-to-limit under applicable law.
  • Usage and device information — IP address, browser type, operating system, device identifiers, referring URLs, pages visited, features used, and time-zone and language preferences.
  • Marketing and event information — information you submit through demo requests, contact forms, event registrations, or marketing campaigns.
  • Inferences — limited inferences drawn from the categories above (for example, your likely industry or role) used to deliver and improve the Services we have contracted to provide.

How we collect information

We collect information directly from you, automatically through your use of the Services, and from third-party sources you or your employer authorize us to access.

  • Directly from you — when you create an account, request a demo, contact us, attend an event, or otherwise communicate with Champ.
  • Automatically — through cookies and similar technologies on our websites, and through our platform's normal operation when you use it.
  • From integrated third-party systems — when you (or your employer) connects Champ to Zendesk, Intercom, Salesforce, Slack, telephony providers, or similar systems, Champ receives data from those systems as authorized.
  • From voice agent interactions — when our customers deploy Champ voice agents that place or receive calls on their behalf, we process the audio and metadata of those calls.

How we use information

We use personal information for the following purposes:

  • Providing, operating, securing, and supporting the Services for our customers.
  • Authenticating users, managing accounts, and preventing fraud and abuse.
  • Communicating with you about your account, the Services, security notices, and operational updates.
  • Providing customer support and responding to your inquiries.
  • Improving the reliability and quality of the Services for the customer providing the data (such as debugging, error analysis, and quality assurance) without using customer data to train general-purpose AI models.
  • Marketing our products to existing and prospective business customers, subject to applicable law and your preferences.
  • Complying with legal obligations, responding to lawful requests, and protecting our and others' rights, property, and safety.

Where required by law (including the GDPR), we rely on the following lawful bases: performance of a contract; our legitimate interests in operating, securing, and growing our business; your consent (for example, for certain marketing communications and cookies); and compliance with legal obligations.

How we use AI and machine learning

Champ's Services are built around artificial intelligence and machine learning. Our commitments regarding AI processing of customer data are:

  • No training on customer data. Champ does not use Customer Content (including call audio, transcripts, ticket content, or connected-system data) to train, fine-tune, or otherwise improve any general-purpose or shared AI/ML model. Customer Content is processed only to deliver the Services to the customer that provided it.
  • No analytics outside the Services. Champ does not use Customer Content for analytics, profiling, or product research outside of operating and supporting the Services contracted for. Aggregated, de-identified, or anonymized statistics may be used to monitor service reliability, capacity, and security.
  • No sale or commercialization of customer data. Champ does not sell or share Customer Content, and does not use it for advertising.
  • Subprocessor commitments. Where Champ uses third-party AI providers (such as foundation-model APIs), Champ configures those services so that customer data is not used by the provider to train their models. We require equivalent commitments contractually.
  • Automated decision-making and profiling. Champ's Services may produce outputs that influence operational decisions (such as routing a call, generating a response, or recommending an action). For decisions that produce legal or similarly significant effects on an individual, our customers (as controllers) are responsible for any required human review, disclosures, and opt-outs under applicable law. Champ provides tooling and configuration to support customer compliance with automated-decision-making rules under the GDPR, CPRA, and emerging US state AI laws.

Voice calls and recording consent

When Champ-powered voice agents place or receive calls on behalf of our customers, applicable telephone-consumer-protection and wiretap laws may require notice and/or consent from one or both parties to the call. Our customers are responsible for obtaining any consent required under the Telephone Consumer Protection Act (TCPA), the California Invasion of Privacy Act (CIPA), and other applicable state and federal laws before initiating or recording calls. Champ provides configurable disclosures, recording controls, and call-handling policies to assist customers in meeting these obligations, but Champ does not independently determine whether the necessary consents have been obtained.

If you have received a call from a Champ-powered voice agent, the Champ customer who initiated or received the call is the controller of your personal information. To exercise rights or raise concerns about a specific call, please contact that customer.

Disclosure of information

We disclose personal information in the following circumstances:

  • To our customers who control the relevant data, and to authorized users within the customer's organization.
  • To subprocessors that provide infrastructure, AI inference, voice transport, and operational tooling on our behalf (see Subprocessors below). Each subprocessor is bound by contractual data-protection obligations.
  • To professional advisors (such as auditors, attorneys, accountants, and insurers) under confidentiality obligations.
  • In connection with a corporate transaction such as a merger, financing, acquisition, or sale of assets, subject to standard confidentiality protections.
  • To comply with law or protect rights when required by lawful process, or where we believe disclosure is necessary to investigate or prevent fraud, security incidents, or harm.

Champ does not sell personal information for monetary consideration, and does not "share" personal information for cross-context behavioral advertising as those terms are defined under the California Privacy Rights Act.

Subprocessors

Champ uses the following categories of subprocessors to operate the Services. A current, detailed subprocessor list (including entity names, countries of operation, and the functions they perform) is available to customers upon request and via our Trust Center.

  • Cloud infrastructure and hosting — Amazon Web Services (AWS), Google Cloud Platform (GCP), Render, Vercel.
  • AI model providers — OpenAI, Anthropic, Google (Gemini).
  • Voice and telephony — Vapi (which orchestrates downstream providers including speech-to-text, text-to-speech, and real-time voice transport), and Champ's directly-contracted voice model providers (including Cartesia for text-to-speech).
  • Business and security operations — Google Workspace (email, productivity), Slack (internal communications), Vanta (compliance monitoring), and providers of observability, error tracking, and customer support tooling.

All subprocessors are bound by written agreements requiring them to protect personal information consistent with this Privacy Policy and our customer commitments, and to process personal information only on Champ's documented instructions. Customers on an active subscription will receive advance notice of material changes to the subprocessor list via our Trust Center.

International data transfers

Champ is headquartered in the United States and primarily processes personal information in the United States. Some of our subprocessors operate in other countries. Where we transfer personal information out of the European Economic Area, the United Kingdom, or Switzerland to a country that has not been recognized as providing an adequate level of protection, we rely on appropriate safeguards, including:

  • The European Commission's Standard Contractual Clauses (SCCs) and the UK Information Commissioner's Office Addendum.
  • The Swiss Federal Data Protection and Information Commissioner's contractual mechanism, where applicable.
  • Other lawful transfer mechanisms recognized under applicable law.

Copies of relevant transfer mechanisms are available to customers on request.

Data retention

We retain personal information only for as long as needed for the purposes described in this Policy or as required by applicable law. Specific retention periods include:

  • Customer Content — for the duration of the customer's subscription. Following termination, Customer Content is deleted from production systems in accordance with the applicable customer agreement (typically within 30 to 60 days), subject to residual data in routine backups, which is overwritten on standard rolling retention schedules of approximately 30 to 90 days.
  • Voice recordings and transcripts — retained per the customer's configuration (which may be as short as zero retention where the customer has enabled a no-storage mode), and otherwise retained for the duration of the subscription.
  • Account and authentication data — for the duration of the account, plus a reasonable period to address support, dispute, and security needs.
  • Billing and transactional records — for the period required by tax, accounting, and audit obligations (typically 7 years).
  • Marketing communications — until you opt out or otherwise object to processing.
  • Website logs and analytics — typically up to 13 months.

To request deletion of personal information that Champ holds about you directly (for example, your contact details on file with us as a prospect or website visitor), please contact [email protected]. For Customer Content provided by your employer or another Champ customer, requests should be directed to that customer.

Security

We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, and destruction. Our security program includes:

  • SOC 2 Type II certification, audited annually by an independent third-party auditor.
  • HIPAA compliance program and Business Associate Agreements with customers whose use cases involve PHI.
  • Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256).
  • Role-based access controls, principle of least privilege, and multi-factor authentication for administrative access.
  • Logging, monitoring, and intrusion-detection across our production environment.
  • Annual independent penetration testing and ongoing vulnerability management.
  • Security training and confidentiality obligations for all personnel with access to personal information.
  • An incident-response program with documented breach-notification procedures.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

Your privacy rights

Depending on where you live, you may have the following rights regarding your personal information:

  • Right to access — to request a copy of the personal information we hold about you.
  • Right to correct or rectify — to request that we correct inaccurate or incomplete personal information.
  • Right to delete or erase — to request deletion of personal information, subject to certain exceptions.
  • Right to restrict or object to processing — under certain circumstances.
  • Right to data portability — to receive a copy of certain personal information in a portable format.
  • Right to withdraw consent — where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint — with a supervisory authority in your jurisdiction.

To exercise these rights with respect to information Champ holds directly about you, contact us at [email protected]. We will respond within the time period required by applicable law (typically 30 to 45 days), and may need to verify your identity before fulfilling a request. We will not discriminate against you for exercising your privacy rights.

If your personal information was provided to Champ by one of our customers (for example, through a call placed by a customer's voice agent, or through a customer's connected ticketing system), please direct your request to that customer; we will assist them in responding.

California privacy rights

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), provides you with the following rights regarding your personal information:

  • Right to know the categories and specific pieces of personal information we collect, the sources, the purposes, and the categories of third parties with whom we share it.
  • Right to delete personal information, subject to certain exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing. Champ does not sell personal information and does not share personal information for cross-context behavioral advertising as those terms are defined under CCPA/CPRA.
  • Right to limit the use and disclosure of sensitive personal information. Champ uses sensitive personal information (such as voice recordings that may constitute biometric information) only as needed to provide the Services, and does not use it for purposes that would trigger the right to limit under California law. If our practices change in a way that would trigger this right, we will provide a mechanism to limit such use.
  • Right to non-discrimination for exercising your CCPA/CPRA rights.

The categories of personal information we collect, the purposes for collection, and the categories of recipients are described in the "Categories of information we process," "How we use information," and "Disclosure of information" sections above.

To exercise your California rights, contact [email protected]. An authorized agent may submit a request on your behalf with appropriate verification.

Other US state privacy rights

Residents of certain other US states (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Tennessee, Delaware, New Jersey, New Hampshire, Indiana, and others as their privacy laws take effect) have analogous rights regarding their personal information, including the right to access, correct, delete, obtain a portable copy, and opt out of targeted advertising, sale, and certain profiling. To exercise these rights, contact [email protected].

Cookies and similar technologies

We use cookies and similar technologies on our websites for the following purposes:

  • Strictly necessary cookies — required to operate the site and authenticate users.
  • Functional cookies — to remember preferences such as language and region.
  • Analytics cookies — to understand how visitors use the site so we can improve it.
  • Marketing cookies — limited use to measure the effectiveness of our marketing campaigns and reach prospective business customers.

You can control cookies through your browser settings and, where applicable, through our cookie consent banner. Disabling certain cookies may affect site functionality. Champ honors recognized Global Privacy Control (GPC) signals as opt-outs of sale/sharing where applicable.

Children's privacy

Champ's Services are not directed to, and we do not knowingly collect personal information from, children under the age of 16, and never from children under 13 in the United States as defined by the Children's Online Privacy Protection Act (COPPA). If we learn that we have inadvertently collected personal information from a child under these ages, we will delete it promptly. If you believe we have collected such information, please contact [email protected].

Third-party websites and services

Our websites and Services may contain links to, or integrate with, third-party websites and services. We are not responsible for the privacy practices of those third parties. We encourage you to read their privacy policies before providing them with personal information.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. The "Last updated" date at the top of this page reflects the most recent revision. For material changes, we will provide additional notice (for example, by email to account holders or via a notice on our website) where required by law.

How to contact us

For questions about this Privacy Policy, to exercise privacy rights, or to raise a concern about our handling of personal information, contact:

Champ AI Systems, Inc.
Attn: Privacy
Email: [email protected]

For security-related disclosures, please contact [email protected].