Compliance

01TCPA: Telephone Consumer Protection Act

Customers placing calls to contacts in all-party consent states must configure their AI Voice Agent scripts to include a legally sufficient recording consent disclosure at the beginning of each call, such as: "This call may be recorded for quality assurance purposes." Callengo makes no warranty that any particular disclosure language satisfies the recording consent requirements of any specific jurisdiction.

• ▸Contact Cooldown. A minimum interval is enforced between successive calls to the same contact number. Any attempt to call the same contact within this window is automatically blocked.
• ▸Concurrent Call Limits. Each account is limited to a maximum number of simultaneous calls based on its Subscription Plan, preventing bulk mass-calling of an individual contact list.
• ▸Daily and Hourly Rate Limits. Platform-level daily and hourly call volume limits are applied per account to prevent sustained high-frequency calling.

These technical controls do not substitute for customer compliance obligations and are not a guarantee of legal compliance.

02FTC Telemarketing Sales Rule (TSR)

The Federal Trade Commission's Telemarketing Sales Rule (16 C.F.R. Part 310) applies to telemarketing calls and imposes the following requirements on customers who use Callengo for telemarketing purposes:

• ▸Required Disclosures. For any outbound call that constitutes telemarketing, the TSR requires prompt disclosure at the beginning of the call of: the identity of the seller; the fact that the purpose of the call is to sell a product or service; and the nature of the product or service being offered.
• ▸Call Abandonment Rate. The TSR prohibits abandoning outbound telemarketing calls at a rate exceeding 3% of all calls answered by a live person per campaign, measured over a 30-day period.
• ▸Caller ID Transmission. Callers must transmit accurate caller ID information, including a callback telephone number. Blocking or falsifying caller ID is prohibited.
• ▸Do Not Call Compliance. Telemarketers must honor both the National DNC Registry and customer-specific do-not-call requests as described in Section 1.4.
• ▸Prohibited Practices. The TSR prohibits misrepresenting any material aspect of a product or service, the nature of the sales offer, or the identity of the caller.

Whether a particular Callengo campaign constitutes telemarketing under the TSR depends on the purpose and content of the calls. Customers are responsible for determining whether the TSR applies to their campaigns and for configuring campaigns to comply.

03GDPR Compliance: General Data Protection Regulation

We respond to data subject rights requests within 30 days of receipt. Where requests are complex or numerous, we may extend this period by an additional 60 days with prior notice.

04CCPA / CPRA Compliance: California Consumer Privacy Act

• ▸Right to Know. Request disclosure of the categories and specific pieces of personal information we collect, the sources, business purposes, and categories of third parties with whom we share it.
• ▸Right to Delete. Request deletion of personal information we have collected, subject to certain exceptions.
• ▸Right to Correct. Request correction of inaccurate personal information.
• ▸Right to Opt-Out of Sale or Sharing. Callengo does not sell personal information. Callengo does not share personal information for cross-context behavioral advertising.
• ▸Right to Limit Use of Sensitive Personal Information. We limit our use of sensitive personal information (including IP addresses) to purposes necessary to provide the Service.
• ▸Right to Non-Discrimination. You will not be denied services, charged different prices, or treated differently for exercising your CCPA rights.

To submit a CCPA request, contact us at privacy@callengo.com. We will respond within 45 calendar days.

05Data Security Posture

• ▸Assess the nature and scope of the breach and take immediate containment steps;
• ▸Notify affected EU/EEA residents and the relevant supervisory authority (AEPD) within 72 hours of becoming aware of the breach where required by GDPR Articles 33 and 34;
• ▸Notify affected Wyoming residents and, where applicable, the Wyoming Attorney General in accordance with the Wyoming Data Security Act (Wyo. Stat. §§ 40-12-501 et seq.);
• ▸Notify affected customers where their Customer Data has been accessed or disclosed; and
• ▸Maintain records of all security incidents, including those that do not require formal notification.

To report a security vulnerability or suspected breach, contact us immediately at legal@callengo.com.

06Data Retention Policy

• ▸Necessity. We retain data only where there is an active business need or legal obligation.
• ▸Proportionality. Retention periods are proportionate to the sensitivity of the data and the purpose of processing.
• ▸Customer Control. Customers control the retention of their Contact data and Call Data within their account and may delete records at any time through the Application.

07Acceptable Use Policy

Callengo is a legitimate business-to-business technology platform. The following uses of the platform are strictly prohibited:

7.1 Prohibited Calling Practices

• ▸Placing calls to any individual who has not provided legally required consent for the type of call being placed;
• ▸Placing calls to numbers registered on the National DNC Registry, any state DNC registry, or an internal DNC list, without a legal exemption or documented consent;
• ▸Using AI Voice Agents to deceive or impersonate any person, business, or government entity;
• ▸Using the platform for calls that constitute harassment, threats, or intimidation;
• ▸Using the platform to place spam calls, scam calls, or any calls with a fraudulent purpose;
• ▸Using the platform for debt collection in violation of the Fair Debt Collection Practices Act;
• ▸Using the platform to target individuals under the age of 18;
• ▸Using the platform for political robocalling in violation of applicable law; and
• ▸Configuring calling hours that violate federal or state time-of-day restrictions.

7.2 Prohibited Data Practices

• ▸Uploading contact lists obtained through deceptive means, purchased without adequate consent verification, or obtained in violation of any privacy or data protection law;
• ▸Processing protected health information (PHI) as defined under HIPAA — Callengo does not currently offer Business Associate Agreements and the platform must not be used for HIPAA-regulated workflows;
• ▸Processing payment card data subject to PCI DSS requirements through the platform;
• ▸Uploading data that infringes any third-party intellectual property right; and
• ▸Using the platform to build or contribute to a database of personal data for sale to third parties.

7.3 Prohibited Technical Practices

• ▸Attempting to circumvent rate limits, concurrent call limits, or other technical controls;
• ▸Reverse engineering, decompiling, or attempting to extract source code from the platform;
• ▸Using automated tools to scrape data from the platform;
• ▸Attempting to access another customer's data or system resources;
• ▸Uploading or transmitting malicious code, viruses, or other harmful software; and
• ▸Building a competing product using data or outputs from the platform.

Violations of this Acceptable Use Policy may result in immediate account suspension or termination without refund, and may be reported to applicable law enforcement or regulatory authorities. Callengo reserves the right to determine, in its sole discretion, whether a use constitutes a violation of this policy.

08HIPAA and Regulated Industry Notice

Healthcare providers, health plans, healthcare clearinghouses, and their business associates are prohibited from using the Callengo platform to place calls to patients, process patient data, or handle any information that constitutes Protected Health Information (PHI) as defined under 45 C.F.R. § 160.103. Callengo does not currently offer Business Associate Agreements (BAAs) and cannot be used for HIPAA-regulated workflows.

For questions about healthcare use cases and future HIPAA support, contact legal@callengo.com.

Similarly, customers in other regulated industries (including financial services, subject to GLBA; legal, subject to attorney-client privilege and state bar rules; and education, subject to FERPA) are responsible for ensuring that their use of the Callengo platform complies with all industry-specific regulatory requirements. Law firm customers using the Clio integration should be aware that legal client data may be subject to heightened confidentiality obligations and should obtain ethics guidance before deploying AI calling to clients.

09CAN-SPAM Act

Callengo sends transactional emails to account holders (account verification, password reset, billing notifications, team invitations) from noreply@callengo.com. These emails are operational communications required to manage your account and are not commercial solicitations subject to CAN-SPAM's opt-out requirements. Any marketing or promotional emails Callengo sends include a clear unsubscribe mechanism and comply with applicable CAN-SPAM requirements.

Customers using the Callengo platform to send follow-up emails in connection with calling campaigns must independently ensure that such emails comply with the CAN-SPAM Act (15 U.S.C. §§ 7701 et seq.) and applicable state email marketing laws.

10Marketing Website Compliance

In addition to the platform-level compliance measures described above, Callengo implements the following compliance measures on its public marketing website (callengo.com) to protect visitor privacy and comply with applicable cookie consent and data protection regulations.

• ▸Functional. Cookies strictly necessary for the website to operate (always active; no consent required).
• ▸Analytics. Cookies used to measure website traffic and visitor behavior (e.g., Google Analytics 4). Requires explicit consent.
• ▸Marketing. Cookies used for advertising attribution and retargeting (e.g., LinkedIn Insight Tag, HubSpot tracking). Requires explicit consent.

Usercentrics integrates with Google Tag Manager (GTM) to gate all tracking tags behind consent signals. Tags for GA4, HubSpot, and LinkedIn fire only after the visitor has granted the corresponding consent category. The Usercentrics CMP is compliant with the GDPR, the ePrivacy Directive, CCPA, and IAB Transparency and Consent Framework (TCF) v2.2.

• ▸Page loads and Google Consent Mode v2 sets all storage types to denied by default;
• ▸Usercentrics CMP loads and displays the cookie consent banner to the visitor;
• ▸If the visitor consents: Usercentrics updates consent via gtag('consent', 'update', ...), and GTM processes the retained tags, enabling GA4, HubSpot, and LinkedIn tracking;
• ▸If the visitor rejects: all non-essential cookies remain blocked, and only functional cookies are active;
• ▸Visitors can change their cookie preferences at any time by clicking the "Cookie settings" button in the website footer, which opens the Usercentrics preference panel.

• ▸Displaying a cookie consent banner before any non-essential cookies are set;
• ▸Providing granular consent categories so visitors can choose which types of cookies to accept;
• ▸Allowing easy withdrawal of consent at any time via the "Cookie settings" button in the website footer;
• ▸Defaulting all non-essential storage types to denied until explicit consent is obtained; and
• ▸Maintaining a record of consent decisions through the Usercentrics platform.

• ▸HubSpot CRM. Contact form submissions and newsletter signups are processed by HubSpot, which is hosted in the EU1 region (eu1.hubspot.com). This ensures that personal data submitted through the website is stored and processed within the European Union.
• ▸Newsletter Subscriptions. The newsletter signup flow uses the HubSpot Contacts API v3 with the hs_marketable_status: true property, which represents explicit GDPR-compliant opt-in for marketing communications.
• ▸Analytics Data. Google Analytics 4 and HubSpot tracking are gated behind consent mode, ensuring no personal data is collected for analytics purposes without the visitor's explicit consent.

11Email Marketing Compliance

• ▸Including a clear and conspicuous unsubscribe link in every marketing email;
• ▸Honoring unsubscribe requests within the required timeframe;
• ▸Accurately identifying the sender and including valid physical postal address information;
• ▸Using truthful and non-deceptive subject lines; and
• ▸Not using harvested or purchased email addresses without adequate consent verification.

• ▸Explicit Opt-In. Newsletter subscriptions require explicit opt-in. The HubSpot marketable status property is set to true only upon affirmative consent by the subscriber.
• ▸Marketable Status Management. HubSpot manages the marketable status of all contacts. Contacts who unsubscribe are immediately marked as non-marketable and excluded from future campaigns.
• ▸EU Data Processing. All newsletter and marketing contact data is processed through HubSpot's EU1 data center, ensuring personal data remains within the European Union.
• ▸Right to Withdraw. Recipients can withdraw consent at any time by clicking the unsubscribe link or by contacting privacy@callengo.com.

12Compliance Contact and Reporting

For compliance-related inquiries, to report suspected violations, or to exercise data subject rights, please contact:

This page was last updated on March 27, 2026. Nothing on this page constitutes legal advice. Customers are solely responsible for ensuring that their use of the Callengo platform complies with all applicable laws and regulations.