Privacy Policy

Short version. We are a B2B platform. Our customers (businesses) use Atlas Agents to communicate with their own end users. For data submitted to us by a customer (call recordings, transcripts, contact records, marketing content, etc.), the customer is the controller and we are the processor / service provider. We do not sell or share personal information for cross-context behavioral advertising. We do not use identifiable customer data to train third-party AI models. This Policy explains the details.

1. Who we are

"Veluna" or "we" means Minas El Masri Inc., a corporation incorporated under the Business Corporations Act (Ontario), Ontario Corporation Number 002858701, doing business as "Veluna" and "Atlas Agents". Registered office: 1554 Portsmouth Place, Mississauga, Ontario, Canada L5M 7W1. Contact: dr.gmikhail@gmail.com.

2. Scope of this Policy

This Policy applies to (a) visitors to our marketing websites at velunasleep.com, agents.velunasleep.com, and related Veluna properties (the "Sites"), and (b) authorized users of business customers who use the Atlas Agents platform (the "Service"). It does not apply to the websites, products, or practices of our customers or other third parties, even if linked from the Service.

If you are an end user of one of our customers (for example, you called a phone number answered by an Atlas voice agent, or received an email or SMS from a business that uses Atlas), the business that contacted you is the data controller of your information. Please review that business's privacy notice and direct your privacy requests to that business. We will support our customer in responding to those requests.

3. Information we collect

3.1 Information you provide directly

When you visit the Sites or sign up for the Service, you may provide: name, business name, business email, business phone number, billing address, tax identification number, payment instrument (handled by Stripe, not stored by Veluna), website URL, industry, business size, goals, and any other information you submit through forms, qualification intakes, support tickets, or call recordings with us.

3.2 Customer Content processed on behalf of customers

While operating the Service for a customer, we process information the customer submits to us or directs us to collect, which may include: contact records (names, phone numbers, email addresses, postal addresses), call audio and transcripts, SMS and email content, chat transcripts, calendar and booking data, CRM records, marketing copy, product information, and analytics and engagement events. This is "Customer Content" and is processed in accordance with the customer's instructions and our Master Services Agreement.

3.3 Information collected automatically

When you interact with the Sites or the Service, we automatically collect: IP address, device and browser identifiers, operating system, referring URL, pages viewed, timestamps, session duration, approximate geolocation (city/region from IP), and similar telemetry. We use cookies and similar technologies for authentication, security, preference storage, and basic first-party analytics. We do not use third-party advertising cookies or cross-site tracking pixels on the authenticated Service.

3.4 Information from third parties

We may receive information from: Stripe (subscription, billing, and tax status), email and phone verification providers, lead-enrichment providers used at the customer's instruction, and integrations the customer connects (for example, CRM, calendar, telephony providers). We receive only what is necessary to operate the Service.

4. How we use information

We use information to: (a) provide, operate, secure, and improve the Service; (b) authenticate users and prevent fraud or abuse; (c) bill customers and remit applicable taxes; (d) provide support and respond to inquiries; (e) send service announcements, security notices, and other transactional communications; (f) send marketing communications to business contacts (where permitted, with an opt-out in every message); (g) measure usage and improve features in aggregated or de-identified form; (h) comply with law, enforce our agreements, and protect our rights, property, and safety, and that of our customers and others.

We do not use identifiable Customer Content to train third-party foundation models. We may use aggregated or de-identified data derived from the Service (with all direct and indirect identifiers removed) to improve Veluna's own models, benchmarks, and Service quality, including after termination of a customer's account.

5. Legal bases (where applicable)

Where Quebec Law 25, GDPR, UK GDPR, or similar laws apply, our legal bases include: performance of a contract with the customer; our legitimate interests in operating, securing, and improving the Service and in marketing to business contacts; consent (where required, for example for certain cookies or marketing); and compliance with legal obligations.

6. How we share information

We do not sell personal information. We do not "share" personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA). We disclose information only as follows:

• To subprocessors that help us run the Service, under written agreements requiring confidentiality and data-protection safeguards. Current categories and primary subprocessors: cloud hosting and storage (Google Cloud, Cloudflare); payments and tax (Stripe); email delivery and verification (Postmark, Hunter, ZeroBounce); telephony and SMS (Twilio); AI model providers (OpenAI, Anthropic, Google); productivity and meeting (Microsoft 365); analytics (first-party).
• To customer-connected integrations at the customer's direction (for example, the customer's CRM, calendar, or telephony provider).
• To professional advisors (accountants, lawyers, auditors, insurers) under confidentiality obligations.
• In connection with a corporate transaction (merger, acquisition, financing, reorganization, sale of assets, or bankruptcy), in which case any successor will be bound by this Policy or will give affected parties notice.
• To comply with law, including in response to lawful requests from public authorities, or to protect rights, property, or safety.
• With your consent or at your direction.

We maintain an up-to-date list of subprocessors and will give notice of material additions through the Service or the Sites.

7. International transfers; data residency

Veluna is based in Canada. The Service is operated primarily from data centers in the United States and Canada. By using the Service, you understand that information may be transferred to, stored in, and processed in the United States and Canada and other jurisdictions where our subprocessors operate. Where required, we rely on appropriate transfer mechanisms, including the Standard Contractual Clauses (EU and UK) and equivalent safeguards.

8. Retention

We retain information for as long as needed to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. Customer Content is retained while the customer's account is active and is deleted or returned within ninety (90) days of termination of the Master Services Agreement, except where we are required by law to retain it longer or where the data has been aggregated and de-identified. Billing and tax records are retained for the period required by Canadian and U.S. tax law (typically seven years).

9. Security

We use commercially reasonable administrative, technical, and physical safeguards to protect information, including encryption in transit, encryption at rest for sensitive data stores, access controls, least-privilege role-based access, audit logging, secrets management, and periodic vulnerability review. No method of transmission or storage is completely secure; we cannot guarantee absolute security. Customers are responsible for configuring user permissions, protecting their account credentials, and notifying us of any suspected unauthorized access.

10. Your choices and rights

10.1 Marketing communications

You can opt out of marketing emails by clicking the "unsubscribe" link in any marketing message or by emailing dr.gmikhail@gmail.com. We will continue to send transactional and service messages.

10.2 Cookies

You can configure your browser to refuse cookies or to alert you when cookies are being set. Disabling cookies may break authentication and other Service features.

10.3 California residents (CCPA/CPRA)

If you are a California resident, you may have the right to: know what personal information we collect about you and how we use and disclose it; request deletion of personal information; request correction of inaccurate personal information; opt out of the sale or sharing of personal information (we do not sell or share); and not be discriminated against for exercising these rights. To exercise these rights for personal information we hold as a business (for example, a business contact at one of our customers), email dr.gmikhail@gmail.com. For personal information that one of our customers has uploaded into the Service (you are an end user of a customer), please contact that customer directly; we will support the customer's response as a service provider.

10.4 Quebec residents (Law 25)

Quebec residents have rights to access, correction, and de-indexing in certain circumstances. To exercise these rights, contact dr.gmikhail@gmail.com.

10.5 EEA / UK residents (GDPR / UK GDPR)

You have rights to access, rectification, erasure, restriction, portability, and objection. Where we rely on consent, you can withdraw it at any time. You may lodge a complaint with a supervisory authority. Contact dr.gmikhail@gmail.com.

10.6 Verification

We may need to verify your identity before responding to a privacy request and may reject requests that we cannot verify or that are excessive or manifestly unfounded.

11. Children

The Service is not directed to, and we do not knowingly collect personal information from, children under sixteen (16). If you believe a child has provided us with information, please contact dr.gmikhail@gmail.com and we will delete it.

12. Sensitive information; restricted data

The Service is not designed for, and customers may not submit through the Service: protected health information ("PHI") under HIPAA (unless a separate Business Associate Agreement is in place, which Veluna does not currently offer); information subject to the Gramm-Leach-Bliley Act, Fair Credit Reporting Act, or Children's Online Privacy Protection Act; government-issued identification numbers (other than business tax IDs); biometric identifiers; or payment-card data outside of the Stripe-hosted payment flow. Customer is responsible for any breach of these restrictions and will indemnify Veluna against any resulting claims.

13. Automated decision-making and AI outputs

The Service uses artificial intelligence and machine learning models to generate text, audio, summaries, scoring, and other outputs ("AI Outputs"). AI Outputs may be incorrect, biased, or out of date. Customers and end users should not rely on AI Outputs without independent human review for any decision that has legal or similarly significant effects. We do not knowingly make solely automated decisions that produce legal or similarly significant effects about individuals; where required, customers must implement human review.

14. Do Not Track

We do not respond to Do Not Track signals because there is no industry consensus on how to interpret them.

15. Changes

We may update this Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, provide additional notice (for example, by email or in-product banner). Your continued use of the Service after the effective date of a revised Policy constitutes acceptance of the changes.

16. How to contact us

Privacy questions, requests, or complaints: dr.gmikhail@gmail.com.
Postal: Minas El Masri Inc., 1554 Portsmouth Place, Mississauga, Ontario, Canada L5M 7W1.

This Privacy Policy is incorporated by reference into the Veluna Atlas Agents Master Services Agreement.