PRIVACY POLICY
Effective: February 23, 2026 · Questions: legal@repen.co
Repen, Inc. ("Repen", "we", "us", "our") operates an AI-powered voice automation platform and is committed to responsible data stewardship. This Privacy Policy explains how we collect, use, disclose, retain, and protect personal information in connection with the Platform at repen.co and our related services. By using the Platform, you acknowledge this Policy.
2.1 Scope
This Policy applies to: (a) business representatives who create and manage Repen accounts ("Account Holders"); (b) Authorized Users of the Platform; and (c) individuals whose personal data is processed through the Platform by Account Holders ("Lead Contacts"). This Policy does not apply to third-party websites linked from the Platform, which have their own privacy policies.
2.2 Information We Collect
A. Information You Provide Directly
• Account registration: full name, company name, business email address, phone number, billing address
• Payment information: collected and processed by Stripe, Inc.; Repen stores only a tokenized payment reference
• Agent configuration: AI call scripts, qualification questions, knowledge base content, meeting details
• Lead data you upload: prospect names, phone numbers, email addresses, and any custom fields you provide
• Support interactions: emails, chat messages, attachments, and troubleshooting information
B. Information Collected Automatically
• Usage and activity data: pages visited, features used, button clicks, session timestamps, and navigation paths
• Device and technical data: IP address, browser type and version, operating system, device identifiers, screen resolution
• Log data: server logs, API request records, error logs, and performance metrics
• Cookies and similar technologies: as described in the Cookie Policy (Section 5)
C. Call and Conversation Data
• Full call recordings and AI-generated transcripts
• Call disposition: appointment booked, disqualified, voicemail, no answer, opt-out, and similar outcomes
• Lead responses, sentiment signals, and qualification answers captured during voice interactions
• Call metadata: originating phone number, destination number, duration, timestamp, and call status
D. Data from Third-Party Integrations
• Lead data from connected sources: Facebook Lead Ads, Typeform, GoHighLevel, or custom webhooks
• Calendar data from Google Calendar or other calendar integrations you authorize
• CRM data from HubSpot, Pipedrive, Zoho, or other systems you connect
• We access only the data necessary for the specific integration you enable
2.3 How We Use Personal Information
We use personal information for the following purposes, limited to what is necessary for each purpose:
• Provision of the Platform: authenticate accounts, route and initiate calls, sync integrations, generate transcripts
• Billing and account management: process payments, manage subscriptions, send receipts and usage reports
• Customer support: respond to support tickets, diagnose technical issues, and resolve billing disputes
• Security and fraud prevention: detect and investigate unauthorized access, abuse, and security incidents
• Legal compliance: retain records as required by law, respond to lawful government and court requests
• Product improvement: analyze aggregate, de-identified usage patterns to improve Platform performance and features
• Communications: send transactional emails (call summaries, system alerts, billing notices); marketing communications only with explicit opt-in consent
We do not use Customer Data or Lead Contact data for Repen's own advertising, marketing to third parties, or sale to data brokers.
2.4 Legal Bases for Processing (GDPR / UK GDPR)
For individuals in the EEA, UK, or Switzerland, our legal bases for processing personal data are:
• Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide the Platform services you have subscribed to
• Legitimate interests (Art. 6(1)(f) GDPR): Fraud prevention, security monitoring, aggregate analytics, and product improvement — subject to balancing against data subjects' interests
• Legal obligation (Art. 6(1)(c) GDPR): Compliance with applicable laws including tax, financial, and data protection regulations
• Consent (Art. 6(1)(a) GDPR): Where required, such as for optional marketing communications or specific cookie categories
2.5 Disclosure and Sharing
We do not sell personal information. We may share personal information in the following limited circumstances:
Sub-processors
We share data with vendors who process data on our behalf under written agreements with data protection terms no less protective than this Policy. Key sub-processors include: Vapi AI (voice infrastructure), Convex (database hosting), Vercel (application hosting), Stripe (payment processing), and LLM providers (conversational AI inference). A current list of sub-processors is available upon request at privacy@repen.co.
Customer-Authorized Integrations
When you connect a CRM, calendar, or lead source, data flows between Repen and that service per your configuration and the third party's own privacy policy. You are responsible for reviewing third-party policies before enabling integrations.
Legal Requirements
We may disclose personal information if required by applicable law, regulation, legal process, or enforceable governmental request. Where permitted, we will notify affected parties prior to disclosure.
Business Transfers
If Repen undergoes a merger, acquisition, bankruptcy, or sale of substantially all assets, Customer Data may be transferred to the successor entity. We will provide notice prior to any such transfer and require the recipient to comply with this Policy or provide equivalent protections.
2.6 Data Retention
Account data and associated Customer Data: retained for the duration of the Subscription Term plus ninety (90) days following termination, after which it will be securely deleted or anonymized.
Call recordings and transcripts: retained for twelve (12) months by default; Customer may delete earlier through the dashboard or by written request to privacy@repen.co.
Billing and transaction records: retained for seven (7) years to satisfy tax and accounting obligations.
Backup copies: may be retained for up to ninety (90) additional days beyond the applicable retention period as part of routine disaster recovery procedures.
2.7 Security
We implement and maintain the following security measures: (a) TLS 1.2+ encryption for all data in transit; (b) AES-256 encryption for data at rest; (c) role-based access controls and principle of least privilege for employee access; (d) regular security assessments and vulnerability scans; (e) incident response procedures including breach notification processes. Despite these measures, no electronic transmission or storage system is completely secure. We cannot guarantee absolute security and encourage Customers to implement strong internal access controls.
2.8 Your Rights
Depending on your jurisdiction, you may have the following rights with respect to your personal data. To exercise any right, contact us at privacy@repen.co. We will respond within thirty (30) days or within the shorter period required by applicable law.
• Access: Request a copy of the personal data we hold about you
• Rectification / Correction: Request correction of inaccurate or incomplete data
• Erasure / Deletion: Request deletion of your data, subject to legal retention requirements
• Data Portability: Receive your data in a structured, machine-readable format (EEA/UK)
• Restriction of Processing: Request that we limit how we process your data pending resolution of a dispute
• Objection: Object to processing based on legitimate interests
• Withdrawal of Consent: Where processing is consent-based, withdraw consent at any time without affecting prior lawful processing
• Non-Discrimination: We will not discriminate against you for exercising your privacy rights
2.9 California Privacy Rights (CCPA / CPRA)
California residents have the following additional rights under the California Consumer Privacy Act and California Privacy Rights Act:
• Right to know the categories and specific pieces of personal information collected, disclosed, or sold
• Right to delete personal information (subject to exceptions)
• Right to correct inaccurate personal information
• Right to opt out of the sale or sharing of personal information — Repen does not sell or share personal information for cross-context behavioral advertising
• Right to limit use of sensitive personal information
• Right to non-discrimination for exercising CCPA rights
To submit a California privacy request, email privacy@repen.co with subject line "California Privacy Request." We may need to verify your identity before processing the request.
2.10 International Data Transfers
Repen is based in the United States. If you access the Platform from outside the United States, your personal data may be transferred to and processed in the U.S. For transfers of personal data from the EEA, UK, or Switzerland, we rely on: (a) the European Commission's Standard Contractual Clauses (SCCs) for transfers to third countries; (b) UK International Data Transfer Agreements (IDTAs) for transfers from the UK; and (c) the Swiss-U.S. framework as applicable. A copy of our applicable transfer mechanism is available upon request at privacy@repen.co.
2.11 Children's Privacy
The Platform is not directed to, and we do not knowingly collect personal information from, individuals under the age of 18. If we learn that we have inadvertently collected personal information from a person under 18, we will promptly delete it. If you believe we have collected information from a minor, contact us at privacy@repen.co.
2.12 Changes to This Policy
We may update this Privacy Policy from time to time. We will notify Account Holders of material changes at least fourteen (14) days before the effective date via email or in-platform notice. The "Effective Date" at the top of this Policy reflects the date of the most recent revision. Continued use of the Platform after the effective date constitutes acceptance of the revised Policy.
3. ACCEPTABLE USE POLICY
Effective: February 23, 2026 · Questions: legal@repen.co
This Acceptable Use Policy ("AUP") establishes the rules governing use of the Repen Platform. Violation of this AUP may result in immediate suspension or termination of your account without refund and may be reported to regulatory authorities. This AUP is incorporated into the Terms of Service by reference.
⚠ Repen is a technology platform. You — the Customer — are the "caller," "seller," and responsible party under all applicable telemarketing and consumer protection laws. Nothing in this AUP or the Terms of Service shifts that legal responsibility to Repen.
3.1 Permitted Use
You may use the Platform exclusively for lawful, legitimate business purposes — specifically, to automate AI-powered outbound voice calls to individuals who have provided Prior Express Written Consent (as defined under the TCPA and FCC regulations) directly to your business. Calls must relate to the product or service the lead originally expressed interest in, and must comply with all applicable laws.
3.2 Call Compliance — Prohibited Conduct
Consent Violations
• Calling any individual without obtaining, documenting, and retaining Prior Express Written Consent (PEWC) that satisfies all TCPA and FCC requirements effective as of the date of the call
• Calling individuals whose numbers appear on the National Do Not Call Registry, your internal suppression list, or any applicable state DNC list, without a valid, documented exemption
• Failing to honor any opt-out, revocation, or do-not-call request within the period required by applicable law (currently ten (10) business days under April 2025 FCC rules for any reasonable revocation method)
• Using leads obtained through scraping, purchasing lists, data aggregators, or any means other than direct, individual opt-in to your specific offer
• Placing calls outside the legally permitted time window of 8:00 AM to 9:00 PM in the called party's local time zone
• Calling phone numbers without first checking them against the FCC Reassigned Numbers Database (RND) where required
Fraudulent, Deceptive, or Abusive Conduct
• Misrepresenting your identity, company name, phone number (including caller ID spoofing), product, or offer
• Configuring agents to deny being AI or claim to be a human when the lead sincerely inquires — this is a violation of FCC rules, FTC guidance, and applicable state law
• Impersonating any named individual, brand, or organization without documented authorization
• Using false urgency, fabricated scarcity, misleading pricing, or other deceptive sales tactics
• Engaging in any act constituting wire fraud, mail fraud, or telemarketing fraud under 18 U.S.C. §§ 1341, 1343
Harassment and Discrimination
• Placing repeated or continuous calls designed to harass, threaten, intimidate, or abuse any person
• Configuring agents to use language that demeans, discriminates against, or harasses individuals on the basis of race, ethnicity, national origin, religion, sex, gender identity, sexual orientation, disability, or any other protected characteristic
Platform Abuse
• Circumventing or attempting to circumvent usage metering, billing mechanisms, or plan restrictions
• Probing, scanning, or testing Platform vulnerability without prior written authorization from Repen
• Uploading malware, viruses, or any malicious code to the Platform
• Placing unreasonable load on Platform infrastructure or engaging in denial-of-service attacks
• Reselling, sublicensing, or white-labeling access to the Platform without Repen's express written consent
3.3 Restricted Industries
Use of the Platform in the following industries requires prior written approval from Repen and submission of additional compliance documentation demonstrating adequate legal safeguards:
• Debt collection and financial recovery (subject to FDCPA requirements)
• Healthcare and medical services (subject to HIPAA, state licensure, and enhanced consent requirements)
• Political campaigns, candidate solicitation, and issue advocacy
• Financial services and investment products subject to FINRA, SEC, or state securities regulation
• Sweepstakes, prize promotions, and any campaign with mandatory purchase requirements
• Any industry currently subject to a consent decree, regulatory order, or enforcement action related to outbound calling
3.4 Content Requirements
All agent scripts and call content deployed through the Platform must:
1. Identify the calling organization by name at or before the start of the substantive portion of the call
2. Disclose that the caller is an AI or automated voice system (see Section 8 for applicable timing requirements)
3. Provide an opt-out mechanism during each call, including recognition of natural language opt-out phrases such as 'stop calling,' 'remove me,' or 'I'm not interested'
4. Provide a callback number and the name of the business upon request
5. Comply with all FTC truth-in-advertising standards and applicable consumer protection laws
6. Not solicit or collect sensitive personal information — including Social Security numbers, financial account numbers, full payment card numbers, or health information — without appropriate safeguards, disclosures, and legal authorization
3.5 Record-Keeping Obligations
You must maintain records sufficient to demonstrate compliance with applicable law, including at minimum:
• Consent records for each called party: timestamp, IP address, consent source URL, and the specific language of consent
• Evidence that the consent specifically identifies your company as an authorized caller (post-FCC one-to-one consent guidance)
• Opt-out and suppression list records with timestamps
• DNC scrub records and Reassigned Numbers Database query results
• Call scripts and any material changes, with effective dates
Records must be retained for a minimum of five (5) years, or longer if required by applicable law.
3.6 Enforcement
Repen may investigate any suspected violation of this AUP. Upon confirming or reasonably suspecting a violation, Repen may take any or all of the following actions, at its sole discretion: issue a formal written warning; require immediate removal or correction of non-compliant agent scripts; suspend account access pending investigation; permanently terminate the account; and report the violation to relevant regulatory authorities (FCC, FTC, state attorneys general). Termination for AUP violation does not entitle Customer to any refund.
4. DATA PROCESSING AGREEMENT (DPA)
Effective: February 23, 2026 · Incorporated into the Terms of Service · Questions: privacy@repen.co
This Data Processing Agreement ("DPA") forms part of and supplements the Repen Terms of Service. It governs the processing of personal data by Repen, Inc. ("Repen", "Processor", "Service Provider") on behalf of Customer ("Controller", "Business") in connection with the Platform. In the event of conflict between this DPA and the Terms of Service, this DPA governs with respect to data processing matters.
4.1 Definitions
• "Controller" (GDPR) / "Business" (CCPA) means Customer, who determines the purposes and means of processing personal data.
• "Processor" (GDPR) / "Service Provider" (CCPA) means Repen, which processes personal data on behalf of the Controller.
• "Data Subject" means the identified or identifiable natural person to whom personal data relates.
• "Personal Data" has the meaning given under the applicable data protection law (e.g., GDPR Art. 4(1); Cal. Civ. Code § 1798.140).
• "Processing" means any operation performed on personal data, whether automated or manual.
• "Special Categories of Data" means personal data revealing racial or ethnic origin, political opinions, religious beliefs, health, sex life or sexual orientation, or biometric data used for identification.
• "Sub-processor" means a third party engaged by Repen to process personal data in connection with the Platform.
• "Security Incident" means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.
4.2 Scope of Processing
Repen will process personal data solely: (a) to provide the Platform services described in the Terms of Service; (b) as instructed by Customer in writing from time to time; and (c) as required by applicable law, in which case Repen will inform Customer unless legally prohibited from doing so.
Repen will notify Customer promptly if, in Repen's opinion, an instruction from Customer violates applicable data protection law. Repen is not required to follow any instruction that would require Repen to violate applicable law.
4.3 Customer's Obligations as Controller
Customer represents, warrants, and covenants that:
1. Customer has a lawful basis for processing each Data Subject's personal data and for sharing it with Repen as Processor;
2. Customer has provided all required notices to, and obtained all required consents from, Data Subjects prior to uploading their personal data to the Platform;
3. Customer's instructions to Repen comply with all applicable data protection laws;
4. Customer will not submit Special Categories of Data to the Platform without prior written agreement specifying appropriate safeguards;
5. Customer will comply with all applicable data protection laws governing Customer's activities as a Controller.
4.4 Processor Obligations
Repen agrees to:
1. Process personal data only on Customer's documented instructions and as described in this DPA, unless required by applicable law;
2. Ensure that all personnel authorized to process personal data are bound by appropriate confidentiality obligations;
3. Implement and maintain the technical and organizational security measures described in Section 4.6;
4. Assist Customer, taking into account the nature of processing and information available to Repen, in fulfilling Customer's obligations to respond to Data Subject rights requests;
5. Assist Customer with its obligations under Articles 32–36 of the GDPR (security, breach notification, DPIA, prior consultation), to the extent reasonably practicable;
6. Upon termination of the Terms of Service, at Customer's election and within ninety (90) days, delete or return all personal data processed on Customer's behalf, except as required to retain by applicable law;
7. Make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, and permit audits as provided in Section 4.8.
4.5 Sub-processors
Customer grants Repen general written authorization to engage sub-processors listed below. Repen will enter into written data processing agreements with each sub-processor imposing data protection obligations no less stringent than this DPA. Repen remains liable for sub-processor compliance.
• Vapi AI, Inc. — Real-time voice call infrastructure, speech-to-text, text-to-speech
• Convex, Inc. — Database hosting, serverless functions
• Vercel, Inc. — Application hosting, CDN, serverless compute
• FanBasis, Inc. — Payment processing (processes payment data under its own privacy policy)
• Anthropic, PBC / OpenAI, L.L.C. / Google LLC — Large language model inference for conversational AI
• Amazon Web Services, Inc. / Google Cloud — Cloud infrastructure (sub-contracted by the above)
Repen will provide Customer with at least fourteen (14) days' written notice before adding or replacing any sub-processor. Customer may object to a new sub-processor by providing written notice within ten (10) days of Repen's notification; if Repen cannot accommodate the objection without materially impairing the Service, Customer may terminate the affected portion of the Service on thirty (30) days' notice.
4.6 Technical and Organizational Security Measures
Repen implements the following measures appropriate to the risk of the processing:
• Pseudonymization and encryption of personal data (TLS 1.2+ in transit; AES-256 at rest)
• Ongoing confidentiality, integrity, availability, and resilience of processing systems
• Ability to restore availability and access to personal data in a timely manner following a physical or technical incident
• Process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures
• Role-based access controls, multi-factor authentication for administrative access, and least-privilege principles
• Logging and monitoring of access to personal data
4.7 Security Incident Notification
Repen will notify Customer without undue delay, and in any event within seventy-two (72) hours of becoming aware of a Security Incident affecting Customer Data. Notification will include, to the extent known: (a) nature and scope of the Security Incident; (b) categories and approximate number of Data Subjects and records affected; (c) likely consequences; (d) measures taken or proposed to address the incident. Repen's notification does not constitute an admission of fault or liability. Customer is responsible for any notification obligations it has to Data Subjects and regulatory authorities.
4.8 Audit Rights
Upon thirty (30) days' prior written notice, no more than once per calendar year absent a reasonable basis for additional review, Customer may audit Repen's processing activities as they relate to Customer Data. Audits may be conducted by Customer or a qualified third-party auditor bound by confidentiality obligations, at Customer's expense. Repen may require execution of a mutually agreed confidentiality agreement prior to the audit. Repen may satisfy audit obligations by providing relevant certifications (e.g., SOC 2 Type II report) in lieu of on-site audit.
4.9 International Data Transfers
For transfers of personal data from the EEA, UK, or Switzerland to the United States or other non-adequate countries, the parties agree to comply with applicable transfer mechanisms, including: (a) the EU Standard Contractual Clauses (Module Two: Controller to Processor) as adopted by the European Commission; (b) UK International Data Transfer Agreements for UK-origin data; and (c) Swiss adequacy mechanisms as applicable. The relevant SCCs are incorporated by reference into this DPA and are available upon request at privacy@repen.co.
4.10 CCPA Service Provider Provisions
To the extent Repen processes "personal information" of California residents as a "service provider" within the meaning of the CCPA/CPRA: (a) Repen will not sell or share such personal information; (b) Repen will not retain, use, or disclose such personal information for any purpose other than the business purpose of providing the Platform; (c) Repen certifies that it understands its obligations under this Section and will comply with them.
4.11 Term
This DPA is effective for the duration of the Terms of Service and survives termination to the extent necessary to ensure the secure return or deletion of personal data.
