Privacy Policy

Last updated: March 31, 2026

This Privacy Policy explains how Ringlet ("we," "our," or "us") collects, uses, shares, and protects your personal information when you use our virtual phone number service (the "Service").

We are a sole proprietorship operated from British Columbia, Canada, serving users in Canada and the United States. We are committed to protecting your privacy and complying with applicable privacy laws, including:

• The Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada
• Quebec's Law 25 (An Act to modernize legislative provisions as regards the protection of personal information)
• Alberta's Personal Information Protection Act (PIPA)
• British Columbia's Personal Information Protection Act (PIPA)
• The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) for California residents

We understand that your communication content is sensitive. This policy explains your rights and how we safeguard your information.

1. What Information We Collect

We collect the following types of information to provide and improve the Service:

Account Information

• Contact details: Your name, email address, and phone number (if provided)
• Authentication credentials: Password (stored securely using cryptographic hashing — we never see your actual password)
• Account settings: Your preferences and configuration choices

Communication Content

• Provisioned phone numbers: The virtual phone number(s) assigned to your account
• SMS messages: The full content of text messages received at your virtual numbers, including sender phone numbers and timestamps
• Voicemail recordings: Audio files of voicemails left at your virtual numbers
• Voicemail transcriptions: Machine-generated text versions of voicemail audio
• Message metadata: Delivery status, timestamps, and carrier routing information

Billing and Payment Information

• Transaction records: Subscription tier, billing amounts, payment dates, and invoice history
• Payment details: Processed through our payment processor (Paddle). We receive confirmation of payment but do not store your full credit card numbers

Technical and Usage Information

• Device and browser data: IP address, browser type, operating system, device identifiers
• Usage logs: Features you use, pages you visit, actions you take within the Service
• Cookies and similar technologies: Small data files that help us recognize your browser and maintain your session. You can control cookies through your browser settings

2. How We Use Your Information

We use your information only for the purposes described below. We will not use it for other purposes without your consent.

To Provide the Service

• Provisioning and managing your virtual phone numbers
• Receiving, storing, and displaying SMS messages and voicemails
• Transcribing voicemail audio into text
• Sending you notifications about new messages (including push notifications to your mobile device)
• Maintaining your account and processing your requests

For Billing and Payment

• Processing subscription payments
• Generating invoices and receipts
• Managing subscription renewals and cancellations

To Prevent Abuse and Ensure Security

• Detecting and preventing fraud, spam, or misuse of the Service
• Investigating violations of our Terms of Service
• Protecting the security and integrity of our systems

For Legal Compliance

• Complying with valid legal requests from law enforcement or regulators
• Retaining records required by tax and financial regulations
• Investigating and responding to data breaches as required by law

To Improve the Service

• Analyzing usage patterns to identify bugs and improve features (using aggregated, anonymized data whenever possible)
• Understanding how users interact with the Service to make it more useful

We do not sell your personal information. We do not use your communication content for advertising. Your messages are yours.

3. Who We Share Your Information With

We share your information only with trusted service providers who help us operate the Service. These providers are contractually obligated to protect your information and use it only for the purposes we specify.

Telnyx (Telephony Provider)

Telnyx provides the underlying phone number provisioning, SMS routing, and voicemail recording capabilities. When you receive an SMS or voicemail, it is first processed by Telnyx before being delivered to our systems. Telnyx processes this data on our behalf under a data processing agreement.

Cloudflare (Infrastructure and Storage)

Ringlet is built on Cloudflare's edge platform. Cloudflare provides:

• Cloudflare Workers: Serverless compute that runs our application code
• Cloudflare D1: Database storage for your account data and message metadata
• Cloudflare R2: Object storage for voicemail audio files
• Cloudflare KV: Cache and session storage

Cloudflare processes this data on our behalf under their standard data processing terms. Cloudflare is certified under the EU-US Data Privacy Framework and provides appropriate safeguards for international data transfers.

Paddle (Payment Processor)

Paddle is our merchant of record and handles all payment processing. When you subscribe, your payment information goes directly to Paddle. We receive only confirmation that payment was successful, along with a transaction ID. Paddle is PCI-DSS compliant and maintains appropriate security measures for payment data.

Law Enforcement and Legal Obligations

We may disclose your information if required by law or in response to valid legal process, such as:

• Subpoenas or court orders
• National security or law enforcement requests
• Regulatory investigations

When legally permitted, we will notify you of such requests and provide you with a copy of the demand. We carefully review all legal requests to ensure they are valid and narrow in scope.

4. Where Your Information Is Stored

We operate on Cloudflare's global network, and Telnyx operates infrastructure primarily in the United States. This means your information may be stored or processed outside of Canada, including in the United States.

When your data is transferred outside Canada, we ensure appropriate safeguards are in place:

• Contractual protections: Our service providers are bound by data processing agreements that require them to protect your information according to standards comparable to Canadian privacy law
• Certifications: Cloudflare participates in recognized privacy frameworks such as the EU-US Data Privacy Framework
• Encryption: All data is encrypted in transit and at rest, regardless of where it is stored

Under PIPEDA and provincial privacy laws, you have the right to know where your data is processed. If you have questions or concerns about international data transfers, please contact us at privacy@ringlet.tel.

5. How Long We Keep Your Information

We retain your information only as long as necessary to provide the Service, comply with legal obligations, or resolve disputes.

Communication Content (SMS and Voicemails)

We retain your messages and voicemail recordings until you delete them, or until your account is closed. After account closure, we delete this content within 30 days, giving you a grace period to export your data if needed.

Account Information

We retain your account details (name, email, account settings) while your account is active. After you delete your account, this information is deleted within 30 days, except where retention is legally required (see below).

Billing Records

Under Canadian tax law, we are required to retain billing and payment records for 7 years. This includes invoices, transaction records, and payment confirmations. These records are kept in secure, access-controlled storage.

Security Incident Records

PIPEDA requires us to retain records of data breaches for 2 years after the date we become aware of the breach. These records include incident reports, notifications sent, and remediation steps taken.

Usage Logs and Technical Data

We retain usage logs and IP addresses for up to 90 days for security monitoring and abuse prevention. After that, this data is either deleted or anonymized.

6. Your Rights and Choices

You have significant control over your personal information. The rights available to you depend on where you live.

For All Users

Access Your Data

You can view your account information, messages, and voicemails at any time by logging into your account. You also have the right to request a complete copy of all personal information we hold about you.

Correct Inaccurate Data

If any of your account information is incorrect, you can update it directly in your account settings. For other corrections, please contact us.

Delete Your Data

You can delete individual messages and voicemails through the Service interface. You can also delete your entire account, which will remove all your personal information within 30 days (except for data we are legally required to retain, such as billing records).

Export Your Data

You can request a full export of your data in a portable format (JSON or CSV). This includes your messages, voicemails, transcriptions, and account metadata. To request an export, email privacy@ringlet.tel.

Additional Rights for Canadian Users (PIPEDA)

Under PIPEDA and provincial privacy laws (Quebec Law 25, Alberta PIPA, BC PIPA), you have the right to:

• Withdraw consent: You can withdraw your consent for us to use your information for non-essential purposes (such as service improvement analytics). Note that withdrawing consent may limit your ability to use certain features
• Challenge compliance: If you believe we are not complying with privacy laws, you have the right to challenge our practices and file a complaint with the Office of the Privacy Commissioner of Canada (OPC) or your provincial privacy commissioner
• Understand automated decisions: If we use automated decision-making that significantly affects you (such as account suspension for suspected abuse), you have the right to an explanation and human review

Additional Rights for California Users (CCPA/CPRA)

If you are a California resident, you have the following rights under the CCPA and CPRA:

• Right to know: You can request details about the categories and specific pieces of personal information we have collected about you in the past 12 months, including the sources of that information, our business purposes for collecting it, and the categories of third parties with whom we share it
• Right to delete: You can request that we delete your personal information, subject to certain exceptions (such as legal obligations)
• Right to opt out of sale: We do not sell your personal information. If our practices change in the future, we will provide a clear way to opt out
• Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. You will not receive different pricing, service quality, or features as a result of making a privacy request
• Right to correct: You can request correction of inaccurate personal information
• Right to limit use of sensitive information: To the extent we collect sensitive personal information (such as message content), we use it only for the purposes of providing the Service, as permitted by CPRA

How to Exercise Your Rights

To make a privacy request or exercise any of the rights described above, please email us at privacy@ringlet.tel with the subject line "Privacy Request."

Please include:

• Your full name and the email address associated with your account
• A description of your request (e.g., "I want to export all my data" or "I want to delete my account")
• Any relevant details that will help us process your request

We will verify your identity before processing your request (typically by confirming your email address). We will respond within 30 days for most requests, or 45 days for complex requests under CCPA. If we need more time, we will let you know.

There is no fee for making a privacy request. If requests become excessive or repetitive, we may charge a reasonable administrative fee or decline the request, as permitted by law.

7. How We Protect Your Information

We take security seriously. Communication content is sensitive, and we implement multiple layers of protection.

Encryption

• In transit: All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security). This includes your messages, voicemails, and account credentials
• At rest: Your messages, voicemails, and account data are encrypted when stored in Cloudflare D1 and R2. Encryption keys are managed by Cloudflare's infrastructure

Access Controls

• Only authorized personnel have access to production systems, and access is logged and monitored
• We use multi-factor authentication for all administrative access
• Access to personal information is granted on a least-privilege basis (people see only what they need to do their job)

Secure Development Practices

• We follow secure coding practices and regularly review code for security vulnerabilities
• We keep dependencies up to date and apply security patches promptly
• We conduct security testing before deploying changes to production

Vendor Security

• We carefully select service providers based on their security practices and certifications
• Telnyx, Cloudflare, and Paddle all maintain SOC 2 Type II certifications and undergo regular third-party security audits

No system is perfectly secure. While we implement strong safeguards, we cannot guarantee absolute security. If you believe your account has been compromised, please change your password immediately and contact us at privacy@ringlet.tel.

8. Data Breach Notification

Despite our best efforts, security incidents can occur. If we experience a data breach that poses a real risk of significant harm to you, we will:

1. Investigate promptly: We will determine the scope and impact of the breach as quickly as possible
2. Notify affected users: We will email you at the address on file, describing what happened, what information was affected, and what steps we are taking to address the breach
3. Report to regulators: We will notify the Office of the Privacy Commissioner of Canada (OPC) and any applicable provincial privacy commissioners as required by PIPEDA and provincial laws
4. Take corrective action: We will implement measures to prevent similar breaches in the future

"Real risk of significant harm" means there is a reasonable likelihood that the breach could result in identity theft, fraud, damage to reputation, or other serious consequences. This is the threshold set by PIPEDA.

We will send breach notifications as soon as reasonably possible after confirming the breach, typically within 72 hours of discovery.

9. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children.

If you are under 18, please do not use the Service or provide any personal information to us. If we learn that we have collected information from someone under 18, we will delete that information promptly.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@ringlet.tel so we can take appropriate action.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the features we offer.

If we make material changes — meaning changes that significantly affect your rights or how we handle your information — we will:

• Email you at the address on file at least 30 days before the changes take effect
• Post a notice on our website and in the Service
• Update the "Last updated" date at the top of this policy

By continuing to use the Service after the changes take effect, you agree to the updated policy. If you do not agree with the changes, you may delete your account before the effective date.

For minor changes (such as fixing typos or clarifying existing practices), we will update the policy without prior notice, though the "Last updated" date will always reflect the most recent revision.

11. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Email: privacy@ringlet.tel

We will respond to your inquiry within 30 days, or sooner if required by law.

If you are not satisfied with our response, Canadian residents have the right to file a complaint with:

• Office of the Privacy Commissioner of Canada: www.priv.gc.ca
• British Columbia Office of the Information and Privacy Commissioner: www.oipc.bc.ca (for BC PIPA matters)
• Alberta Office of the Information and Privacy Commissioner: www.oipc.ab.ca (for Alberta PIPA matters)
• Commission d'accès à l'information du Québec: www.cai.gouv.qc.ca (for Quebec Law 25 matters)

In Plain English

Here's what you need to know about how we handle your information:

• What we collect: Your account details, the content of messages and voicemails sent to your virtual numbers, billing information, and basic technical data (like your IP address and device type).
• Why we collect it: To provide the Service (receive messages, store voicemails, send you notifications), process payments, prevent abuse, and comply with the law. We don't sell your data or use it for advertising.
• Who sees it: Only our essential service providers — Telnyx (telephony), Cloudflare (infrastructure), and Paddle (payments). They're contractually required to protect your information. We may also disclose data if legally required by a valid court order or subpoena.
• Where it's stored: Primarily on Cloudflare's global network and Telnyx's US-based systems. Your data may be processed outside Canada, but we use encryption and contractual safeguards to protect it.
• How long we keep it: Messages and voicemails are kept until you delete them or close your account (then deleted within 30 days). Billing records are kept for 7 years per Canadian tax law. Logs are kept for 90 days.
• Your rights: You can access, correct, export, and delete your information at any time. Canadian users have additional rights under PIPEDA. California users have rights under CCPA. Email privacy@ringlet.tel to exercise these rights.
• Security: We encrypt everything (in transit and at rest), use strong access controls, and choose vendors with rigorous security practices. If a breach occurs, we'll notify you and regulators as required by law.
• Changes: If we make significant changes to this policy, we'll email you at least 30 days in advance. Continuing to use the Service means you accept the new terms.

This "In Plain English" summary is provided for your convenience and is not a substitute for the full Privacy Policy above. In case of any conflict, the full policy governs.