Privacy Policy

01Introduction and Controller Identity

Fuentes Digital Ventures LLC, a Wyoming limited liability company operating under the commercial brand Callengo ("Callengo," "we," "us," or "our"), is committed to protecting the privacy of individuals who interact with our platform, our website, and our services. This Privacy Policy explains who we are, what personal data we collect, why we collect it, how we use and share it, and what rights you have with respect to your personal data.

This Privacy Policy applies to:

• ▸The Callengo Application available at app.callengo.com, the AI-powered outbound voice automation platform used by business customers and their authorized team members;
• ▸The Callengo marketing website available at callengo.com, including all pages, blog content, and web forms; and
• ▸All related services, integrations, APIs, and communications associated with the Callengo platform.

This Privacy Policy governs data about Callengo's business customers and their authorized team members (the people who create and use Callengo accounts). For information about how Callengo processes personal data of individuals contacted through customer campaigns (call recipients), please refer to Section 6.

02Definitions

For purposes of this Privacy Policy, the following definitions apply:

03Information We Collect

We collect personal data in the following categories, depending on how you interact with our Service:

3.1 Information You Provide to Us (Application)

3.2 Information We Collect Automatically (Application)

3.3 Information We Collect Through Integrations (Application)

When you connect a third-party service to your Callengo account, we receive and store data from that service as necessary to operate the integration. All OAuth access tokens and refresh tokens are encrypted at rest using AES-256-GCM before storage. Integration credentials are deleted from our database when you disconnect the integration.

3.4 Customer Contact Data (Information About Third Parties)

When you use the Application to run calling campaigns, you upload or import personal data about your contacts (the individuals to be called). This data may include names, phone numbers, email addresses, postal addresses, company names, job titles, and any custom fields you configure. This data belongs to you as the data controller; Callengo processes it on your behalf as a data processor. See Section 6 for important information about Contact data.

3.5 Information We Collect (Website: callengo.com)

The Callengo marketing website at callengo.com uses a consent-based tracking architecture. All tracking technologies on the Website are managed through Google Tag Manager (container GTM-MXFGV52S) and are subject to Google Consent Mode v2, which defaults all cookie storage to "denied" until you provide explicit consent through our cookie consent management platform. No non-essential tracking occurs until you affirmatively consent.

• ▸Audio demo interactions (play, pause, scenario change)
• ▸Call-to-action button clicks (free trial, talk to sales)
• ▸Pricing page interactions (plan selection, billing cycle toggle)
• ▸Contact form and HubSpot form submissions
• ▸Newsletter subscriptions
• ▸Feature and integration page interactions (learn more clicks, integration card clicks)

All GA4 data collection is consent-gated via Google Consent Mode v2 and will not activate unless you have granted consent through Usercentrics.

04How We Use Your Information

05Legal Basis for Processing (GDPR)

For users in the European Union, European Economic Area, or United Kingdom, we process personal data under the following legal bases as required by the General Data Protection Regulation (Regulation (EU) 2016/679) and the UK GDPR:

Where we rely on legitimate interests as our legal basis, we have conducted a balancing assessment and concluded that our legitimate interests are not overridden by your rights and interests, given the nature of the data processed and the safeguards we apply. You have the right to object to processing based on legitimate interests; see Section 13.

Where we rely on consent, you have the right to withdraw your consent at any time without affecting the lawfulness of processing prior to withdrawal; see Section 13.

06Contact Data: Third-Party Data Subject Information

• ▸You are the data controller. You determine the purpose for which Contacts are called, the data fields collected, and how call outcomes are used in your business.
• ▸Callengo is the data processor. We process Contact data exclusively as instructed by you, in accordance with your campaign configuration, and subject to our Data Processing Addendum (available at callengo.com/legal/dpa).

Callengo does not use Contact data for any purpose other than executing your campaigns and providing the Service to you. We do not sell, share, or commercially exploit Contact data.

07How We Share Your Information

A current list of Callengo's Sub-processors, including entity names and processing locations, is available at callengo.com/legal/sub-processors. We will provide at least 30 days' advance notice of any addition of a new Sub-processor through our Sub-processor list page and by email notification.

Additionally, data flows exist between the following platforms in connection with our business operations: Stripe payment data is synced to HubSpot CRM for contact, invoice, and product lifecycle management; PostHog application analytics data is synced to HubSpot for product-led growth insights; and Smartlead cold email engagement data is synced to HubSpot for contact and deal management via webhook and native integration.

08Google API Services and User Data

Google Sheets file selection. Because Callengo uses the non-sensitive drive.file scope rather than broader Drive scopes, Callengo cannot list, search, or read any file in your Drive unless you explicitly share it with the application through the Google Picker. When you click “Pick a spreadsheet from Google Drive” inside Callengo, Google's own file picker opens and you select which spreadsheet(s) to grant access to. Callengo only ever sees the files you pick (or files Callengo itself creates). If you want Callengo to stop accessing a spreadsheet, you can unlink it from Callengo's integration settings or remove Callengo's permissions in your Google Account.

Google Calendar data is used to check availability for appointment scheduling, create new calendar events for confirmed appointments, update existing events when appointments are rescheduled or cancelled, and display synced calendar events within the Application interface.

Google Sheets data is used exclusively for one-way inbound contact import. When you pick a spreadsheet via the Google Picker, Callengo reads the spreadsheet's file name, sheet tab names, and the cell values in the tab you choose, mapping columns (such as phone number, name, email, company, and notes) into contact records in your Callengo account. Callengo does not write to, modify, or create Google Sheets files. The sync is strictly read-only and inbound-only.

Google account identity data (email, display name, profile picture) is used solely to identify which Google account is connected and associate the OAuth credentials with your Callengo user account.

We do not use Google user data for any of the following purposes: serving or personalizing advertising; building user profiles for purposes unrelated to the authorized integration feature; selling, renting, or transferring Google user data to any third party for their own purposes; training general-purpose AI or machine learning models; or any purpose not directly related to providing the calendar synchronization or spreadsheet import feature to you.

09Other Integration-Specific Data Disclosures

The following disclosures apply to customers who connect specific integrations. These integrations are optional and only activated when you explicitly connect them. In each case, OAuth tokens are stored encrypted at rest, and integration data is used exclusively for the stated purpose.

10Data Security

We implement reasonable and appropriate technical and organizational security measures designed to protect personal data against unauthorized access, disclosure, alteration, loss, or destruction. These measures include:

While we implement these measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security of personal data. In the event of a data breach, we will respond in accordance with our breach notification obligations described in Section 17.

11Data Retention

We retain personal data for as long as necessary to fulfill the purposes for which it was collected, to comply with our legal obligations, and to resolve disputes and enforce agreements. The following retention periods apply as general guidelines:

When you close your Callengo account, operational data (contacts, call records, campaign data, integration credentials, AI conversations) is permanently deleted within 90 days of account closure, following a period during which you may export your data. Billing history, transaction records, and other financial data required by applicable law are retained regardless of account closure.

12International Data Transfers

Callengo is incorporated in the United States and our primary infrastructure is located in the United States. Personal data that we collect may be transferred to, stored, and processed in the United States or other countries where our Sub-processors operate.

If you are located in the European Union, European Economic Area, United Kingdom, or Switzerland, we ensure that transfers of your personal data to countries that do not provide an adequate level of protection are made using appropriate safeguards, including:

• ▸Standard Contractual Clauses (SCCs). For transfers to the United States and other third countries, we rely on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as an appropriate transfer mechanism. Our Data Processing Addendum (available at callengo.com/legal/dpa) incorporates the applicable SCCs.
• ▸EU-US Data Privacy Framework. Where applicable, we rely on the EU-US Data Privacy Framework and its UK and Swiss equivalents as an additional adequacy mechanism for transfers to Sub-processors certified under the Framework.

By using the Service from outside the United States, you acknowledge that your personal data will be transferred to and processed in the United States and other countries. We take steps to ensure that such transfers are made in compliance with applicable data protection law.

13Your Rights and Choices

13.1 All Users

• ▸Account Information. You may access, review, and update most of your account profile information at any time through your Account Settings within the Application.
• ▸Communication Preferences. You may opt out of marketing and promotional emails by clicking the "unsubscribe" link in any such email. You cannot opt out of transactional emails necessary to operate your account.
• ▸Data Export. You may export your contact data from the Application in CSV, JSON, or XLSX format at any time through the Contacts section of the Application.
• ▸Account Deletion. To request deletion of your Callengo account, please contact us at privacy@callengo.com. We will process your request in accordance with our data retention obligations.
• ▸Analytics Opt-Out. You may opt out of behavioral analytics tracking by enabling the "Do Not Track" setting in your browser. The Application respects the Do Not Track browser signal for product analytics. You may also manage cookie preferences through the Cookie Settings tool on the Website.

13.2 European Union and EEA Residents: GDPR Rights

If you are located in the EU or EEA, you have the following rights under the General Data Protection Regulation:

We respond to data subject rights requests within 30 days of receipt. Where requests are complex or numerous, we may extend this period by an additional 60 days with prior notice.

13.3 California Residents: CCPA / CPRA Rights

If you are a California resident, you have the following rights under the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100–1798.199.100) and the California Privacy Rights Act:

• ▸Right to Know. Request disclosure of the categories and specific pieces of personal information we collect about you, the purposes for which we use it, and the categories of third parties with whom we share it.
• ▸Right to Delete. Request deletion of personal information we have collected about you, subject to certain exceptions.
• ▸Right to Correct. Request correction of inaccurate personal information.
• ▸Right to Opt-Out of Sale or Sharing. Callengo does not sell personal information. Callengo does not share personal information for cross-context behavioral advertising.
• ▸Right to Limit Use of Sensitive Personal Information. We limit our use of sensitive personal information (including IP addresses) to purposes necessary to provide the Service.
• ▸Right to Non-Discrimination. You will not be denied services, charged different prices, or treated differently for exercising your CCPA rights.

To submit a CCPA request, contact us at privacy@callengo.com. We will respond within 45 calendar days.

13.4 Service Provider Relationship for Contact Data

When Callengo processes the personal information of individuals on behalf of its business customers (Contact data), Callengo acts as a "service provider" under the CCPA. As a service provider, Callengo is prohibited from retaining, using, or disclosing Contact data for any purpose other than performing the services specified in the agreement with the customer, combining Contact data from different customers, or using Contact data for Callengo's own commercial purposes.

14Cookies and Tracking Technologies

For detailed information about the cookies and similar tracking technologies used on the Callengo Website and Application, including the specific cookies set, their purpose, duration, and how to manage your preferences, please refer to our Cookie Policy available at callengo.com/cookies.

14.1 Website (callengo.com): Consent-Based Tracking Architecture

The Website implements a privacy-by-default tracking architecture using the following components:

• ▸Google Consent Mode v2. All tracking tags on the Website are governed by Google Consent Mode v2, which is configured to default all storage types (analytics_storage, ad_storage, ad_user_data, ad_personalization, functionality_storage, personalization_storage, security_storage) to "denied" until you provide explicit consent. A 500ms wait period is configured to ensure your consent preferences are loaded before any tags fire.
• ▸Usercentrics Consent Management Platform (CMP). The Website uses Usercentrics, an EU-based Consent Management Platform, to present you with a cookie consent banner upon your first visit. Usercentrics manages consent state for all non-essential tracking technologies, stores your consent preferences, and communicates your choices to Google Consent Mode v2 and all downstream tags. You can update your preferences at any time via the cookie settings link in the Website footer.
• ▸Google Tag Manager (GTM). All tracking tags are deployed and managed centrally through Google Tag Manager (container GTM-MXFGV52S). GTM itself does not set cookies but serves as the orchestration layer that loads tags only when the appropriate consent has been granted.

The following tracking technologies are loaded via GTM on the Website, subject to consent:

No non-essential cookies are set until you grant consent. If you decline non-essential cookies or do not interact with the consent banner, only strictly necessary cookies (such as Usercentrics consent state storage) are set. Google Consent Mode v2 ensures that even Google's own tags respect your consent preferences by blocking cookie writes and data collection when consent has not been granted.

14.2 Application (app.callengo.com)

The Application uses product analytics tools (PostHog) to track how authenticated users interact with Application features. These tools use pseudonymized identifiers (your account UUID, not your email address) to track usage. Session recordings are captured with sensitive field masking. Strictly necessary cookies (authentication session cookies) are always active in the Application as they are required for the Application to function.

14.3 Managing Your Preferences

• ▸Website cookie consent. Click the cookie settings link in the Website footer to open the Usercentrics consent dialog and update your preferences at any time. You may grant or revoke consent for each category of cookies independently.
• ▸Browser controls. Most web browsers allow you to block or delete cookies through browser settings. Note that blocking all cookies may impair Website functionality.
• ▸Do Not Track. The Website and Application respect the Do Not Track (DNT) browser signal. When DNT is enabled, non-essential tracking is suppressed.
• ▸Google Ads opt-out. You may opt out of personalized advertising from Google at ads.google.com/settings.
• ▸LinkedIn opt-out. You may opt out of LinkedIn advertising at linkedin.com/psettings/advertising.

15Children's Privacy

The Service is not directed to individuals under the age of eighteen (18). We do not knowingly collect personal data from children under 18. If you believe that we have inadvertently collected personal data from a child under 18, please contact us immediately at privacy@callengo.com and we will take steps to delete such information as promptly as possible.

16Call Recording and Transcript Disclosure

All calls initiated through the Callengo platform are recorded by default. Call recordings and transcripts are stored in your Callengo account and are accessible to authorized members of your company account. You are solely responsible for ensuring that you have obtained all legally required consents to record calls in every jurisdiction where your campaign calls are placed or received.

In the following U.S. states, among others, all parties to a telephone call must consent to the call being recorded before recording may lawfully begin: California, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, New Hampshire, Oregon, Pennsylvania, and Washington. Please refer to our Compliance page for detailed information about call recording consent obligations by jurisdiction.

17Data Breach Notification

In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will:

• ▸Notify affected EU/EEA residents and the relevant supervisory authority (AEPD) within 72 hours of becoming aware of the breach where required by GDPR Articles 33 and 34;
• ▸Notify affected Wyoming residents and, where applicable, the Wyoming Attorney General in accordance with the Wyoming Data Security Act (Wyo. Stat. §§ 40-12-501 et seq.);
• ▸Notify affected customers where their Customer Data has been accessed or disclosed;
• ▸Take prompt steps to contain, remediate, and investigate the breach; and
• ▸Maintain records of all security incidents, including those that do not require formal notification.

To report a security concern or potential breach, please contact us immediately at legal@callengo.com.

18Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational, legal, or regulatory reasons. When we make material changes, we will:

• ▸Post the updated Privacy Policy on this page with a revised "Last Updated" date;
• ▸Send an email notification to the primary email address associated with your account; and
• ▸Display a notice in the Application.

Your continued use of the Service after the effective date of any change constitutes your acceptance of the updated Privacy Policy. If you do not agree to the updated Privacy Policy, you must cease using the Service.

19Contact Us

For questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

This Privacy Policy was last updated on March 27, 2026. By using the Callengo Service, you acknowledge that you have read and understood this Privacy Policy.