1. Information We Collect
We collect information necessary to provide, maintain, and improve the Service. The types of information we collect depend on how you interact with VirtualPBX and which features you use.
1.1 Account Information
When you create an account or register for the Service, we collect the following information:
- Full name and professional title
- Email address
- Phone number
- Company or organization name
- Billing address and related billing information
- Login credentials (passwords are stored in hashed form only)
1.2 Communication Data
As a communications platform, VirtualPBX processes the following data to deliver the Service:
- Message content across all supported channels, including SMS, MMS, webchat, email, and voice transcripts
- Message metadata, including timestamps, delivery and read status, channel type, and message direction (inbound or outbound)
- Contact information of your customers and end users as stored within your account
- Attachments and media files transmitted through the Service
- Voice recordings and associated transcription data (where enabled)
1.3 AI and Analytics Data
When you use VirtualText's AI-powered features, we collect and process:
- Sentiment analysis results generated from conversation content
- Conversation observations, summaries, and intelligence outputs
- AI agent configurations, playbook rules, and brand-voice settings
- AI agent interaction data, including responses generated, escalation events, and performance metrics
- Conversation timeline and activity event data
1.4 Usage Data
We automatically collect certain information when you access or use the Service:
- Server log data, including request timestamps, response codes, and request paths
- Device information, such as operating system, hardware model, and unique device identifiers
- IP addresses and approximate geographic location derived from IP
- Browser type, version, and language preferences
- Pages visited, features used, and interactions within the platform
- Referral URLs and marketing attribution data
1.5 Payment Data
Payment processing is handled by our third-party payment processor, Stripe, Inc. When you subscribe to a paid plan or make a purchase, Stripe collects and processes your payment card information directly. We do not receive or store your full payment card number, CVV, or PIN. We do store your Stripe customer identifier, subscription status, plan details, and billing history for the purpose of managing your account and providing receipts.
1.6 Integration Data
When you connect third-party services to VirtualPBX, we may receive data from those integrations, including:
- Bandwidth: carrier-level message delivery data, status callbacks, phone number provisioning information, and toll-free verification data
- Shopify: order data, customer information, and e-commerce event data as configured in your integration settings
- Webhook payloads: data transmitted to and from your configured webhook endpoints
- Other integrations: data as described in the relevant integration documentation
2. How We Use Your Information
We use the information we collect for the following purposes:
- Provide and maintain the Service: To operate the VirtualText platform, authenticate users, manage accounts, and deliver core functionality including message routing, contact management, and conversation tracking.
- Process and deliver messages: To send and receive messages across all supported channels (SMS, MMS, webchat, email, and voice), including message queuing, delivery confirmation, and retry logic.
- Power AI features: To operate AI agents, execute playbook-based automated responses, generate brand-voice replies, and deliver real-time AI assistance to your team.
- Perform conversation intelligence: To conduct sentiment analysis, generate conversation observations and summaries, and provide actionable insights about customer interactions.
- Process payments: To manage subscriptions, process billing, issue invoices, and synchronize product catalog data with our payment processor.
- Send service communications: To deliver account notifications, system alerts, security warnings, onboarding materials, and other messages necessary for the operation of the Service.
- Improve the platform: To analyze usage patterns, diagnose technical issues, test new features, and optimize performance and reliability of the Service.
- Comply with legal obligations: To meet our obligations under applicable laws, regulations, and legal processes, including responding to lawful requests from public authorities.
- Detect and prevent abuse: To identify and prevent fraud, spam, security threats, and violations of our Terms of Service and Acceptable Use Policy, including rate limiting, opt-in verification, and 10DLC compliance enforcement.
3. Data Architecture and Isolation
VirtualPBX employs a single-tenant architecture, which means each customer's data is stored on dedicated, isolated infrastructure. This architectural decision is fundamental to how we protect your information and differentiates VirtualPBX from multi-tenant SaaS platforms.
Specifically, our single-tenant model provides the following guarantees:
- Complete data isolation: Your data is stored in a dedicated database instance. It is never co-mingled, shared, or accessible alongside another customer's data.
- Dedicated infrastructure: Each customer operates on their own server instance with independent compute, storage, and networking resources.
- Database-level separation: Isolation is enforced at the database level, eliminating the risk of cross-tenant data leakage that can occur in shared-database architectures.
- Geographic deployment flexibility: Single-tenant infrastructure can be deployed in specific geographic regions to meet data residency requirements mandated by applicable law or your organization's policies.
- Independent maintenance: Updates, backups, and maintenance operations are performed independently per tenant, reducing blast radius and enabling customer-specific scheduling.
This architecture is foundational to our HIPAA compliance posture and ensures that Protected Health Information (PHI) and other sensitive data remain fully contained within your dedicated environment.
4. Data Security
We implement industry-standard technical and organizational measures to protect your data against unauthorized access, alteration, disclosure, or destruction. While no system can guarantee absolute security, we maintain a defense-in-depth approach that includes the following safeguards:
4.1 Encryption
- End-to-end encryption across all communication channels, including SMS, MMS, webchat, and voice
- AES-256 encryption for all data at rest, including database contents, file storage, and backups
- TLS 1.3 enforced for all data in transit between clients, servers, and third-party integrations
- Encrypted credential storage for API keys, tokens, and other secrets using Rails encrypted credentials
4.2 Application Security
- Regular automated security scanning using Brakeman (static analysis) and bundler-audit (dependency vulnerability scanning)
- JavaScript dependency auditing via importmap audit
- Continuous error monitoring and anomaly detection through Sentry integration
- HMAC-SHA256 signature verification for all inbound webhooks to prevent tampering and replay attacks
- Rate limiting and abuse prevention mechanisms at both the application and infrastructure levels
4.3 Access Controls and Audit
- Role-based access controls to restrict platform functionality based on user roles and permissions
- Comprehensive audit trails that record all significant actions within the platform, including user logins, message events, configuration changes, and administrative actions
- Account-scoped data access to prevent cross-tenant data leakage at the application layer
- Session management with configurable timeout policies
4.4 Infrastructure Security
- Dedicated server instances with restricted network access
- Automated encrypted backups with tested restoration procedures
- Container-based deployment with minimal attack surface
- Infrastructure managed via Kamal with version-controlled configuration
5. Third-Party Service Providers
We share information with third-party service providers only as necessary to deliver the Service. Each provider is contractually obligated to use your data solely for the purposes of providing their services to us and to maintain appropriate technical and organizational security measures. Our key service providers include:
- Bandwidth, Inc. — Provides SMS and MMS carrier services, message delivery, phone number provisioning, and toll-free number verification. Bandwidth processes message content and metadata as required to route and deliver communications.
- Stripe, Inc. — Handles payment processing, subscription management, invoicing, and product catalog synchronization. Stripe processes billing and payment card information in accordance with PCI DSS Level 1 requirements.
- Google Cloud (Natural Language API) — Performs sentiment analysis and natural language processing on conversation content. Text data is transmitted to Google solely for analysis and is not used by Google to improve its own services when accessed via the API.
- Twilio, Telnyx, and Telgorithm — Available as alternative SMS/MMS carrier services under our Bring Your Own Carrier (BYOC) model. These providers process message content and metadata only when you configure them as your carrier of choice.
- Hetzner Online GmbH — Provides dedicated server infrastructure for single-tenant deployments. Hetzner provides physical hosting but does not have access to application data, which is encrypted at rest.
- Sentry (Functional Software, Inc.) — Provides error tracking and performance monitoring. Sentry may receive technical diagnostic data, including stack traces and request metadata, but not message content or personally identifiable information.
We do not sell your personal information to any third party. We do not share your data with third parties for their own marketing purposes.
6. Data Retention
We retain your data only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
- Account data: Retained for the duration of your active account. Upon account termination, account data is deleted within 30 days unless retention is required by applicable law.
- Communication data: Message content, transcripts, and associated metadata are retained for the duration of your subscription plus 30 days following account termination. This grace period allows for account reactivation or data export.
- Audit logs: Retained for a minimum of 12 months from the date of the recorded event to support compliance, security investigation, and dispute resolution needs.
- Payment records: Retained as required by applicable tax, financial reporting, and anti-fraud regulations, typically for a period of 7 years.
- Quarantined and spam messages: Automatically purged in accordance with your configured cleanup schedule.
- Backups: Encrypted backups are retained for up to 30 days and are automatically rotated. Backup data is subject to the same deletion timelines as primary data.
You may request deletion of your data at any time by contacting us at privacy@virtualpbx.com. See Section 9 (Your Rights) for details on exercising your data deletion rights.
7. HIPAA Compliance
VirtualPBX is designed to be HIPAA-ready for healthcare customers and other covered entities that handle Protected Health Information (PHI). Our HIPAA compliance posture is built into the platform's architecture, not bolted on as an afterthought.
- Business Associate Agreements (BAAs): We offer BAAs to customers who require them. A BAA formalizes our obligations regarding the handling of PHI and can be executed upon request.
- Single-tenant isolation: PHI is stored exclusively within your dedicated infrastructure and is never co-mingled with data from other customers. This exceeds the isolation requirements typically achievable in multi-tenant environments.
- Encryption of PHI: All PHI is encrypted both at rest (AES-256) and in transit (TLS 1.3) across every communication channel supported by the platform.
- Audit trail compliance: Our comprehensive audit logging satisfies HIPAA documentation requirements, recording access to and modifications of PHI with timestamps, user identifiers, and action descriptions.
- PII redaction: VirtualText provides configurable PII redaction capabilities that can automatically detect and mask sensitive data elements within conversations and records.
- Access controls: Role-based access and account-scoped data isolation ensure that PHI is accessible only to authorized personnel within your organization.
For detailed information about our HIPAA compliance measures, please visit our HIPAA Compliance page or contact compliance@virtualpbx.com.
8. Cookies and Tracking
We use a limited set of cookies and similar technologies on our marketing website at virtualtext.com to operate the site, measure performance, and support conversion reporting. We do not sell your personal information. Where required by law, we ask for your consent before setting non-essential cookies.
8.1 Essential Cookies
These cookies are strictly necessary for core site operation and cannot be disabled through our cookie banner. They include the vt_consent cookie, which stores your cookie preference choices for up to 12 months, and similar first-party storage required to remember those settings. Within the authenticated VirtualText application, essential cookies may also include session cookies for authentication, CSRF protection tokens, and preference cookies for account settings.
8.2 Analytics Cookies
On virtualtext.com, we use Google Tag Manager and Google Analytics to understand how visitors interact with our marketing pages, including page views, navigation paths, referral sources, and conversion events such as trial checkout clicks. These analytics cookies are controlled through our cookie banner and Google Consent Mode. Analytics cookies are not used within the authenticated application.
8.3 Marketing and Measurement Cookies
Where enabled in Google Tag Manager, marketing tags (such as Google Ads conversion measurement) may set cookies or use similar technologies to attribute visits and conversions to advertising campaigns. These tags are disabled unless you grant marketing consent, or unless applicable law permits a different default in your region.
8.4 Webchat, Calendly, and Local Storage
Our webchat widget is loaded directly on the site as a functional feature after our consent framework initializes. It uses browser local storage to persist conversation history and contact identification for returning visitors on virtualtext.com. Calendly scheduling widgets may set third-party cookies when you book a demo or onboarding session. Landing pages may also store campaign attribution parameters (such as UTM tags) in session storage to preserve referral context during your visit. Webchat and scheduling tools are not gated behind analytics or marketing consent choices.
8.5 Cookie Preferences
You can change your cookie choices at any time using the Cookie preferences link in the site footer. Visitors in the EU, EEA, and UK are asked to opt in before non-essential cookies are enabled. Visitors in the United States see a notice with an option to opt out of analytics and marketing cookies, including choices that may constitute a request to limit the “sale” or “sharing” of personal information under California law where applicable.
You can also control or delete cookies through your browser settings. Disabling essential cookies may prevent the site from remembering your consent choices. For browser-specific instructions, refer to your browser’s help documentation.
9. Your Rights
Depending on your jurisdiction, you may have certain rights regarding your personal data. We are committed to honoring these rights and have established processes to facilitate their exercise. You or your authorized agent may exercise any of the following rights by contacting us at privacy@virtualpbx.com.
- Right of Access: You may request a copy of the personal data we hold about you, including the categories of data collected, the purposes of processing, and any third parties with whom the data has been shared.
- Right to Correction: You may request that we correct or update any inaccurate or incomplete personal data we hold about you.
- Right to Deletion: You may request that we delete your personal data, subject to certain exceptions required by law (such as data retention for legal compliance, active dispute resolution, or fraud prevention).
- Right to Data Portability: You may request that we provide your personal data in a structured, commonly used, machine-readable format (such as JSON or CSV) to facilitate transfer to another service provider.
- Right to Restriction of Processing: You may request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to its processing.
- Right to Object: You may object to certain types of processing, including processing for direct marketing purposes or processing based on our legitimate interests.
We will respond to verified requests within 30 days. If we require additional time (up to an additional 60 days), we will notify you of the extension and the reasons for it. We will not charge a fee for processing your request unless the request is manifestly unfounded or excessive.
To protect your privacy, we will verify your identity before processing any rights request. Verification may include confirming your email address, account credentials, or other identifying information.
10. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). This section supplements the rest of this Privacy Policy and applies solely to California residents.
- Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business purpose for collecting it, and the categories of third parties with whom we share it.
- Right to Delete: You have the right to request that we delete personal information we have collected from you, subject to certain legal exceptions.
- Right to Opt-Out of Sale: You have the right to opt out of the "sale" of your personal information. VirtualPBX does not sell your personal information to any third party, and we have not sold personal information in the preceding 12 months.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. We will not deny you goods or services, charge you different prices, or provide a different level of quality based on your exercise of privacy rights.
- Right to Correct: You have the right to request correction of inaccurate personal information we maintain about you.
- Right to Limit Use of Sensitive Personal Information: Where applicable, you have the right to limit the use and disclosure of sensitive personal information to what is necessary to perform the services you request.
To exercise your California privacy rights, please contact us at privacy@virtualpbx.com or use the contact information in Section 14.
Categories of personal information collected: We collect the categories of personal information described in Section 1 of this Privacy Policy, including identifiers, commercial information, internet or electronic network activity, professional or employment-related information, and inferences drawn from the above.
11. International Data Transfers
VirtualPBX is headquartered in the United States, and your data is primarily processed and stored in the United States. If you access the Service from outside the United States, you understand and consent to the transfer of your data to the United States, where privacy laws may differ from those in your jurisdiction.
Our single-tenant architecture provides flexibility in deployment location. For customers who require data residency within a specific geographic region or jurisdiction (for example, to comply with the European Union's General Data Protection Regulation or other local data protection laws), we can deploy your dedicated instance in the region of your choice, subject to infrastructure availability. Please contact sales@virtualtext.com to discuss regional deployment options.
We are actively working toward full GDPR compliance and intend to offer Data Processing Agreements (DPAs) and Standard Contractual Clauses (SCCs) for international data transfers in 2026.
12. Children's Privacy
The Service is designed for use by businesses and their employees and is not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16 years of age. If you are a parent or guardian and believe that your child has provided personal information to us, please contact us at privacy@virtualpbx.com.
If we become aware that we have collected personal information from a child under 16 without verification of parental consent, we will take steps to delete that information promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the "Last Updated" date at the top of this page.
If we make material changes that affect how we handle your personal data, we will provide notice through one or more of the following means:
- Email notification to the address associated with your account
- Prominent in-app notification within the VirtualText platform
- A banner or notice on our website
Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the updated terms. If you do not agree with the revised policy, you should discontinue use of the Service and contact us to close your account.
Previous versions of this Privacy Policy are available upon request by contacting privacy@virtualpbx.com.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us using the information below:
VirtualPBX.com
- General Privacy Inquiries: privacy@virtualpbx.com
- HIPAA & Compliance: compliance@virtualpbx.com
- Mailing Address: P.O. Box 8351, San Jose, CA 95155
We aim to respond to all privacy-related inquiries within 5 business days. For urgent matters related to data security incidents, please include "URGENT" in the subject line.