CleanBase.io — Privacy Policy
Effective Date: April 5, 2026 | Last Updated: May 13, 2026
CleanBase.io, a product of Stratos Digital, a service of KMB Solutions LLC
KMB Solutions LLC, a Delaware limited liability company, operates under the trade names Nexus Agent Systems and Stratos Digital. ScanPlate.io and CleanBase.io are products operated under the Stratos Digital trade name.
This Privacy Policy explains how KMB Solutions LLC (“Company,” “we,” “us,” or “our”), operating under the trade names Nexus Agent Systems and Stratos Digital (collectively, the “Brands”), collects, uses, discloses, and protects information when you use our AI voice and chat agent web application, websites, and services. ScanPlate.io and CleanBase.io are products operated under the Stratos Digital trade name, and this Privacy Policy applies equally to those products and to any other current or future products operated under the Stratos Digital or Nexus Agent Systems trade names. This Privacy Policy describes our privacy practices and the choices available to you. Your use of our websites, applications, and services is also subject to our applicable Terms of Service or other written agreement with you or your organization.
1. Information We Collect
1.1 Information You Provide Directly
- Contact details: name, email address, phone number, company name
- Payment and billing information processed through Stripe, Inc., which acts as an independent PCI-DSS compliant payment processor.
- The Company does not store raw payment card information.
- Service configuration and agent customization preferences
- Communications you send us via our web application, email, or support channels
- Information submitted through contact forms, demo requests, event registration forms, meeting-booking forms, and similar data-capture interfaces on Company or Brand websites, including free-form text fields, business information, scheduling information, and related communications. This information may be processed and stored in the Company’s customer relationship management, workspace, calendar, and internal operations systems, including HubSpot and Google Workspace.
1.2 Information Collected Automatically
- Call metadata: caller ID, call duration, timestamp, call direction
- Call recordings, where enabled and where permitted by applicable law with required consent
- Customers enabling call recording functionality must ensure that legally sufficient notice and consent are provided to call participants where required under applicable law.
- Where the Company configures or operates AI voice agents on behalf of Customers, the Company may configure such agents to provide verbal disclosures at or near the beginning of recorded interactions. Customers remain responsible for determining whether call recording, call monitoring, AI-agent disclosure, TCPA, consent, or industry-specific notices are required for their particular use case, jurisdiction, callers, and call flows, and for ensuring that their scripts and practices comply with applicable law.
- The Company does not create or store biometric voice identifiers or voiceprints.
- Voice data processed through the platform is used solely to facilitate voice communication and AI voice synthesis functionality.
- SMS message content and delivery metadata
- Voice interaction data processed through our AI voice agent platform
- Interaction context indicating that the user may be communicating with an automated AI voice agent rather than a human representative
- Web application usage: IP address, browser type, pages visited, session data, cookies
- API request logs, error logs, and system performance data
1.3 Information From Third Parties
- Caller identification data from Telnyx LLC as part of telephony services
- Network and traffic data from Cloudflare, Inc. edge infrastructure
1.4 Meeting Recordings and Transcripts
Meetings, calls, consultations, demonstrations, and sales or support sessions between Company personnel and prospective or current customers may be recorded, transcribed, or summarized for note-taking, follow-up accuracy, training, quality assurance, internal operations, and dispute-resolution purposes. Where required by law, the Company will seek consent before recording. Participants may decline to be recorded by notifying the Company before or at the start of the meeting. Meeting recordings and transcripts may be processed by service providers such as Plaud.AI and Google/Gemini, as identified in the sub-processor table below.
2. How We Use Your Information
We use collected information to:
- Deliver, operate, and improve our AI voice and chat agent services
- Process payments and manage billing through Stripe, Inc.
- Route and connect telephone calls and SMS messages via Telnyx LLC
- Generate AI voice responses through ElevenLabs, Inc. voice synthesis
- Automate service workflows through n8n GmbH orchestration
- Send account, service, and support communications
- Comply with legal obligations and enforce our Terms of Service
- Protect platform security and integrity
- Record, transcribe, summarize, and follow up on meetings, calls, demonstrations, and support sessions, where permitted by law and with required consent.
Depending on the context in which the Services are used, the Company may act as either a data controller or a data processor with respect to personal information processed through the platform. Where the Company processes data on behalf of a customer using the Services, the customer acts as the data controller and the Company acts as a service provider or processor.
3. Sub-Processors and Third-Party Disclosures
We use the service providers and sub-processors listed below to provide, operate, secure, support, and improve the Services. These providers may process personal information only for the purposes described in this Policy, the applicable customer agreement, and any applicable data processing terms. Where we process personal information on behalf of a customer, these providers act as sub-processors to the extent applicable.
| Sub-Processor | Purpose | Data Processed | Location | Privacy Policy |
|---|---|---|---|---|
| ElevenLabs, Inc. | AI voice synthesis, text-to-speech, speech generation, and related voice-agent functionality | Text prompts, conversation text, response-generation content, generated audio output, voice settings/configuration, API request metadata, usage logs, and related technical data | USA / EU / other locations where ElevenLabs and its subprocessors operate | elevenlabs.io/privacy |
| Telnyx LLC | VoIP telephony — call routing and SMS delivery | Caller numbers, call duration, call recordings (if enabled), SMS content | USA | telnyx.com/privacy |
| n8n GmbH | Workflow automation — agent logic orchestration | Event data, API payloads, form submissions | EU (Germany) | n8n.io/privacy |
| Stripe, Inc. | Payment processing — invoicing and subscriptions | Payment data (tokenized), billing address, transaction history | USA | stripe.com/privacy |
| Cloudflare, Inc. | Content delivery network (CDN), DNS infrastructure, and edge security including traffic filtering, bot detection, and DDoS mitigation | IP addresses, request metadata, cookies | USA / Global | cloudflare.com/privacypolicy |
| Google LLC (Workspace, Sheets, Calendar) | Workspace — internal email, calendar, Drive; registration form data storage (Sheets); calendar event management | Internal communications, registration form responses, calendar event metadata containing participant Personal Data | USA / Global | policies.google.com/privacy |
| Doppler Security, Inc. | Secrets management — API key storage | Encrypted credentials (no end-user PII) | USA | doppler.com/privacy |
| Anthropic, PBC | Large language model processing for AI voice agents (where configured) | Conversation prompts, voice agent system prompts, response generation context | USA | anthropic.com/legal/privacy |
| OpenAI, L.L.C. | Large language model processing for AI voice agents (where configured) | Conversation prompts, voice agent system prompts, response generation context | USA | openai.com/policies/privacy-policy |
| Google LLC (Google AI / Gemini) | Large language model processing for AI voice agents (where configured); meeting transcription and summarization | Conversation prompts, meeting audio recordings, meeting transcripts | USA / Global | policies.google.com/privacy |
| HubSpot, Inc. | Customer relationship management — contact, lead, opportunity, and communications data | Contact information, business names, deal data, communication metadata, free-form inputs from registration forms | USA | legal.hubspot.com/privacy-policy |
| Plaud.AI | Meeting audio recording and cloud sync for note-taking | Meeting audio recordings, transcripts, attendee names where mentioned | USA | plaud.ai/privacy |
| OpenStreetMap Foundation (Nominatim) | Address geocoding | Street addresses submitted for delivery routing | UK / EU | osmfoundation.org/wiki/Privacy_Policy |
We do not sell your personal information to third parties. We do not share your information with advertisers or data brokers.
3.1 ElevenLabs Voice Synthesis — Specific Disclosure
When end users interact with a Company AI voice agent, the text content of those interactions is transmitted to ElevenLabs, Inc. in real time for voice synthesis. ElevenLabs processes this data under its own Privacy Policy (elevenlabs.io/privacy) and under our data processing arrangement. Under the Company’s enterprise licensing arrangement with ElevenLabs, voice synthesis inputs transmitted for audio generation are not used by ElevenLabs to train or improve its machine learning models, except where necessary for abuse prevention or platform security as permitted under the applicable service agreement.
Where ElevenLabs functionality is incorporated into Company voice agents or customer-facing services, ElevenLabs may process end-user interaction content to generate or deliver AI voice functionality. Voice agent interactions may also be processed by additional large-language-model providers selected on a per-agent or per-workflow basis, including Anthropic, OpenAI, and Google/Gemini, where configured. Depending on the customer configuration, agent settings, workflow, or service feature, ElevenLabs and/or related AI providers may process prompts, conversation context, system prompts, transcripts, generated responses, generated audio, voice settings, response-generation context, API request metadata, usage logs, and related technical metadata solely to provide the configured service functionality, subject to applicable service terms, privacy policies, and contractual data-protection commitments. The Company does not authorize these providers to use Customer-specific Personal Data to train general-purpose AI models, except as permitted for abuse prevention, safety, security, or legal compliance under applicable service terms. Customers are responsible for providing any end-user notices and obtaining any consents required for their specific call flows, jurisdictions, and use cases.
3.2 Telnyx Telephony — Specific Disclosure
Telephone calls and SMS messages delivered through our services are routed via Telnyx LLC, a licensed telecommunications carrier. Telecommunications data processed through the Services may constitute Customer Proprietary Network Information (CPNI) under applicable U.S. telecommunications regulations. The Company and its telephony service providers process such information solely for the purpose of providing and maintaining the Services. Telnyx processes call metadata, phone numbers, call recordings (where applicable), and SMS content as a sub-processor. Telnyx is subject to CPNI regulations under federal telecommunications law. See telnyx.com/privacy. The Company does not use CPNI for marketing purposes and does not access or use CPNI except as reasonably necessary to provide, maintain, secure, support, or bill for the Services, or as otherwise permitted or required by applicable law.
Customers using the Services are responsible for complying with applicable telecommunications laws, including the Telephone Consumer Protection Act (TCPA) and state call recording consent laws where calls are recorded.
3.3 International Data Transfers
Personal information processed through the Services may be transferred to and processed in the United States, the European Union, the United Kingdom, and other jurisdictions where the Company or its authorized sub-processors operate. Where personal information is transferred from the European Economic Area, United Kingdom, Switzerland, or another jurisdiction with data-transfer restrictions to a country that has not been recognized as providing an adequate level of protection, the Company relies on appropriate safeguards, which may include Standard Contractual Clauses, data-processing agreements, supplementary safeguards, and other lawful transfer mechanisms recognized under applicable data-protection laws.
4. Data Retention
We retain personal information only for as long as reasonably necessary for the purposes described in this Policy, unless a longer period is required or permitted by law, contract, security needs, dispute resolution, tax/accounting requirements, or customer configuration. Current retention periods generally include:
| Data Category | General Retention Period |
|---|---|
| Call metadata and system logs | Up to 180 days, unless a longer period is required for security, legal compliance, dispute resolution, or customer configuration |
| Call recordings, where enabled | According to customer configuration; if no configuration applies, generally up to 90 days unless a longer period is required or permitted |
| Voice agent transcripts | Generally up to 90 days unless otherwise configured or required |
| Account and billing information | Duration of the service relationship plus up to 7 years for tax, accounting, and legal compliance |
| Voice synthesis data | Processed in real time by applicable providers; the Company does not store raw voice synthesis inputs beyond logs, transcripts, or records otherwise described in this Policy |
| Web analytics | Up to 12 months in aggregated or anonymized form |
| Contact forms, registration forms, and CRM records | Duration of the customer or prospect relationship plus a reasonable business-retention period unless deletion is requested and legally required |
| Meeting recordings | Generally up to 90 days unless a longer period is required for legal, contractual, training, or dispute-resolution purposes |
| Meeting transcripts and summaries | Generally up to 12 months unless a longer period is required for legal, contractual, training, or dispute-resolution purposes |
| Calendar and scheduling records | Duration of the business relationship plus a reasonable administrative-retention period |
We may retain de-identified, aggregated, or anonymized information for longer periods where it cannot reasonably be used to identify an individual.
5. Your Privacy Rights
Depending on your location and the nature of your relationship with us, you may have rights to request access to, correction of, deletion of, or portability of your personal information, to object to or restrict certain processing, to withdraw consent where processing is based on consent, or to appeal a privacy-rights decision.
To submit a request, contact us at [email protected] or any other privacy contact address listed in Section 13. We may need to verify your identity and authority before processing a request. Authorized agents may submit requests where permitted by law, but we may require proof of authorization. We will respond within the timeframe required by applicable law, generally within 45 days unless a different period applies or an extension is permitted.
6. Data Security
- API key and credential management via Doppler Security, Inc.
- TLS encryption for all data in transit
- Access controls limiting data access to authorized personnel
- Cloudflare edge security, DDoS protection, and WAF
The Company maintains an internal security and compliance program and is pursuing SOC 2 Type 1 and Type 2 readiness and attestation. Current security and compliance materials may be made available to customers upon request, subject to appropriate confidentiality restrictions. No security system is impenetrable. We will comply with applicable breach notification laws in the event of a data breach.
7. Children’s Privacy
Our Services are directed to businesses and individuals acting in a business or professional capacity, and are not directed to children. We do not knowingly collect personal information from children under 13 in accordance with COPPA, and we do not knowingly sell or share the personal information of consumers under 16 as those terms are used under the CCPA/CPRA. If you believe a child has provided personal information to us, please contact us so we can review and take appropriate action.
8. Changes to This Policy
We may update this Policy from time to time. Material changes will be posted with an updated effective date. Continued use of our services after the effective date of a revised Policy constitutes acceptance.
9. California Privacy Rights (CCPA / CPRA)
This section applies to residents of the State of California and supplements the rest of this Privacy Policy. It is provided pursuant to the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), and applies to the extent Company meets applicable CCPA/CPRA thresholds.
9.1 Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information as defined under the CCPA:
- Identifiers (name, email address, phone number, IP address)
- Commercial information (payment records, subscription history, billing data)
- Internet or other electronic network activity (web app usage, IP logs, session data, cookies)
- Audio and voice data (call recordings and AI voice interaction data, where enabled)
- Professional or employment-related information (company name, business type, job role, where provided)
9.2 Purposes of Collection
We collect the categories of personal information listed above for the business purposes described in Section 2 of this Privacy Policy, including service delivery, payment processing, platform security, and legal compliance. We do not collect personal information for purposes other than those disclosed in this Policy. We disclose personal information only to service providers and vendors that perform functions on our behalf, including telecommunications carriers, cloud infrastructure providers, payment processors, and workflow automation providers.
9.3 Sale or Sharing of Personal Information
We do not sell your personal information to third parties. We do not share your personal information for cross-context behavioral advertising purposes. Because we do not sell or share personal information as defined under the CCPA/CPRA, we do not offer a “Do Not Sell or Share” opt-out mechanism. If our practices change, we will update this Policy and provide required opt-out mechanisms before any such sharing begins.
9.4 Your California Rights
California residents have the following rights under the CCPA/CPRA, subject to applicable exceptions:
- Right to Know: The categories and specific pieces of personal information we have collected about you, the purposes of collection, and the categories of third parties with whom we share it.
- Right to Delete: Request deletion of personal information we have collected, subject to exceptions for data we are required to retain by law or for legitimate business purposes.
- Right to Correct: Request correction of inaccurate personal information we maintain about you.
- Right to Data Portability: Receive a copy of your personal information in a portable, readily usable format where technically feasible.
- Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes beyond those permitted by the CPRA without your consent. To the extent any information we process is considered sensitive personal information under applicable law, we use it only to provide, secure, improve, support, or administer the Services, comply with law, prevent fraud or abuse, or as otherwise permitted by applicable law. We do not use sensitive personal information to infer characteristics about consumers except as permitted by law.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
9.5 How to Submit a Request
California residents may submit privacy rights requests by emailing [email protected]with the subject line “California Privacy Request.” We will acknowledge your request within 10 business days and respond within 45 calendar days. If we require additional time, we will notify you of the extension in writing. We may need to verify your identity before processing your request. Authorized agents may submit requests on your behalf with written authorization.
10. Additional State Privacy Rights
Residents of certain states, including Delaware and Texas, may have additional privacy rights where the applicable state privacy law applies to the Company and the relevant processing activity. These rights may include the right to access, correct, delete, or obtain a copy of personal data, the right to opt out of certain targeted advertising, sale of personal data, or profiling, and the right to appeal a denied request.
We do not sell personal information or share personal information for cross-context behavioral advertising as described in this Policy. To submit a state privacy request, please contact us using the contact information below and include your state of residence and the nature of your request.
11. European Economic Area, United Kingdom, and Switzerland
Where the GDPR, UK GDPR, or similar law applies, the Company processes personal data based on one or more lawful bases, including performance of a contract, legitimate interests, consent, compliance with legal obligations, or processing on behalf of a customer as processor/service provider. Individuals may have rights to access, correct, delete, restrict, object to processing, request portability, or lodge a complaint with a supervisory authority. Where we process personal data on behalf of a customer, we may direct requests to that customer as the applicable controller.
12. Cookies and Tracking Technologies
We and our service providers may use cookies, pixels, tags, local storage, and similar technologies to operate our websites and web applications, secure sessions, remember preferences, understand usage, improve performance, detect abuse, and support analytics or customer relationship management. These technologies may include strictly necessary cookies, functional cookies, analytics cookies, and security-related cookies.
You can control cookies through your browser settings and, where available, through cookie-consent or preference tools on our websites. Disabling some cookies may affect website or application functionality. We do not use cookies to sell personal information or share personal information for cross-context behavioral advertising as described under the CCPA/CPRA.
13. Contact
KMB Solutions LLC
d/b/a Nexus Agent Systems · Stratos Digital (operator of ScanPlate.io and CleanBase.io)
Email: [email protected]
If the Company establishes brand-specific privacy addresses, those addresses may also be used and routed to the same privacy team.