Privacy Policy

Version 1.0 · Effective May 9, 2026 · Operated by IzzyOS LLC · Under legal review

IzzyOS LLC (“IzzyOS,” “we,” “us”) operates the IzzyOS platform at izzyos.com, funnels.izzyos.com, and connected subdomains (the “Service”). This policy explains what information we collect, how we use it, who we share it with, your rights, and how to exercise them. It covers the GDPR (EU), UK-GDPR, PIPEDA (Canada), CCPA/CPRA (California), LGPD (Brazil), and other privacy laws of the jurisdictions we serve.

1. Controller and processor roles

For your account data (name, email, billing, content you create), IzzyOS LLC is the data controller — we decide why and how it is processed.

For your contacts’ and leads’ data (people who opt in through funnels you operate on IzzyOS), you are the controller and we are the processor. We process that data only on your documented instructions, governed by our Data Processing Agreement, which is incorporated into our Terms of Service and accepted automatically when you create an account.

2. Information we collect

  • Account information. Name, email, phone number, business details, profile photo, brand assets, and credentials you provide when you create an IzzyOS account or apply to work with us.
  • Lead information (your contacts). When a visitor opts in through one of your IzzyOS funnels — typically a contact form on a sales page — we collect their name, email, phone number, IP address at consent, and any answers they provide. This data belongs to you; we process it on your behalf as your processor.
  • Communication content. Messages sent or received via our SMS, voice, email, and chat features. Voice calls may be recorded for quality and training; recordings are accessible to the account owner. Call transcripts are stored as long as the contact record exists.
  • Usage data. Pages viewed, actions taken, browser type, IP address, device identifiers, and similar technical data. We use cookies and similar technologies for session management, security, and analytics — see §9.
  • Payment information. Processed by Stripe; we do not store full card numbers. We retain billing records for the period required by tax and financial regulations (typically 7 years).
  • Sensitive personal information. We do not knowingly collect special-category data (health, biometric, racial origin, political opinion, sexual orientation, religious belief, trade-union membership, or government identifiers). Voice recordings are treated as biometric-adjacent — see §6.

3. Lawful basis for processing (GDPR Art. 6)

ActivityLawful basis
Account creation and billingContract (Art. 6(1)(b))
Operating the Service for you, including AI features (Kai)Contract (Art. 6(1)(b))
Processing contacts on your behalfYour instructions, under DPA
Marketing emails about the ServiceLegitimate interest (with opt-out) or consent
Product analyticsLegitimate interest
Non-essential cookiesConsent (Art. 6(1)(a) + PECR)
Fraud prevention and securityLegitimate interest, legal obligation

4. How we use information

  • Provide, operate, and improve the Service
  • Send the SMS, voice, email, and chat messages you (or visitors to your funnels) consent to receive
  • Respond to support requests and customer questions
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations

5. AI processing — and our no-training commitment

Kai, our AI assistant, processes your data and your contacts’ data to operate the Service. We use AI providers including Anthropic (Claude) and OpenAI.

Your data is never used to train AI models. We use the API endpoints of these providers under the standard terms that prohibit training on customer data. Anthropic does not train on API data by default. OpenAI has not used API data for training since March 2023. We do not and will not opt your data into any training program.

Kai assists; it does not autonomously decide. You set the trust level for AI actions in your account settings, and significant actions (sending campaigns, charging customers) require your approval. If our automation crosses into automated decision-making with legal or significant effects on individuals (GDPR Art. 22), you have the right to obtain human review by emailing privacy@izzyos.com.

6. SMS, voice, and email communications

When you (or a visitor opting in through a funnel) provide a phone number and consent to be contacted, we may send SMS messages and place voice calls related to the service requested. This includes:

  • Lead-confirmation texts after a contact opts in
  • Appointment reminders and reschedule notifications
  • Payment-link delivery and receipts
  • Follow-ups from Kai regarding scheduled calls or services purchased

Standard message and data rates may apply. Message frequency varies based on activity and the campaigns opted into. You can opt out at any time by replying STOP to any SMS message; reply HELP for support information. Opt-out of voice calls by request to privacy@izzyos.com. Voice recordings are retained for the lifetime of the contact record and are accessible to the account owner; data subjects can request a copy or deletion under §7.

7. Your rights

Depending on where you live, you have some or all of the following rights:

  • Access — request a copy of personal data we hold about you (GDPR Art. 15, CCPA §1798.100, PIPEDA Principle 9)
  • Rectification / correction — correct inaccurate data (GDPR Art. 16, CCPA §1798.106)
  • Erasure / deletion — delete your data, subject to legal retention obligations (GDPR Art. 17, CCPA §1798.105)
  • Restriction of processing — pause processing on request (GDPR Art. 18)
  • Portability — receive your data in a structured, machine-readable format (GDPR Art. 20)
  • Object — opt out of specific processing including direct marketing (GDPR Art. 21, CCPA §1798.120)
  • Not subject to solely automated decisions with legal effects (GDPR Art. 22)
  • Do Not Sell or Share My Personal Information — California residents have the right to opt out of sale or sharing of personal data. We do not sell your data, and we do not share it for cross-context behavioral advertising. To formally exercise this right, email privacy@izzyos.com. (CCPA/CPRA §1798.120)
  • Limit use of sensitive personal information (CPRA §1798.121) — we do not collect sensitive personal information; this right is preserved by default
  • Authorized agent — California residents may designate a third party to submit a request on their behalf with verifiable authorization (CCPA)
  • Withdraw consent at any time without affecting the lawfulness of prior processing
  • Lodge a complaint with your supervisory authority (see §14)

How to exercise. Email privacy@izzyos.com with your request type and jurisdiction. We respond within 30 days for GDPR/UK-GDPR/PIPEDA requests and 45 days (extendable to 90) for CCPA requests. Requests are free; we may charge a reasonable fee only for excessive or manifestly unfounded requests, as permitted by GDPR Art. 12(5). PIPEDA access requests are always free.

If you are a contact on someone else’s IzzyOS funnel, your data is controlled by that customer (the business running the funnel). You can ask us to forward your request to them, or contact them directly using the information they provided to you. We will assist them in honoring your request.

8. Sharing of information

We do not sell your information, and we do not share it with third parties for their own marketing purposes. We share information only with:

  • Sub-processors who help us operate the Service. The full list is published at /legal/sub-processors and is updated with at least 30 days’ advance notice of material changes. All sub-processors are bound by contractual confidentiality and are permitted to use data only to perform services for us.
  • Customers running funnels — when a visitor opts into your funnel, you (the customer) receive the lead information for the purpose of communicating with that lead.
  • Legal compliance — when required by law, court order, or to protect rights, property, or safety.
  • Business transfers — if IzzyOS is involved in a merger, acquisition, or asset sale, your data may be transferred, with notice and continued obligations under this policy.

9. Cookies and tracking

We use the following categories of cookies and similar technologies:

  • Strictly necessary — session, authentication, CSRF, security. Always on; cannot be disabled.
  • Functional — preferences (language, theme).
  • Analytics — product telemetry to improve the Service. Subject to consent in the EU, UK, Switzerland, Canada, and California.
  • Marketing — only if you (the IzzyOS customer) configure them on your funnels; subject to your visitors’ consent. We do not run marketing pixels for our own purposes.

A cookie consent banner with granular controls is being rolled out across our surfaces. Until then, you may disable cookies in your browser; some Service features will not work without strictly-necessary cookies. We honor Do Not Track (DNT) and Global Privacy Control (GPC) signals as opt-out signals where required by law.

10. International data transfers

IzzyOS is operated from the United States. Our infrastructure runs on Supabase (US region) and Vercel (US default), and our sub-processors are predominantly located in the US. If you access the Service from the EU, UK, Switzerland, Canada, Brazil, or any other jurisdiction with data-export restrictions, your data is transferred to the United States.

We rely on the following safeguards for these transfers:

  • Standard Contractual Clauses (SCCs) issued by the European Commission, incorporated into our Data Processing Agreement and our agreements with sub-processors
  • UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs, for UK transfers
  • Transfer Impact Assessments per the Schrems II decision, documenting why each transfer is trusted and what supplementary measures apply

You can request a copy of the relevant transfer safeguards by emailing privacy@izzyos.com.

11. Data retention

We retain account information for as long as your account is active, plus a reasonable period for legal, tax, and operational requirements:

  • Account profile data: until 30 days after deletion request
  • Communication content (emails, SMS, calls): for the lifetime of the related contact record, plus 30 days
  • Voice recordings: same as communication content
  • Billing records: 7 years (Stripe, US tax law) — even after account deletion
  • Consent records and audit logs: 2 years after account deletion (for legal defense)
  • Backups: rolling 30-day retention; deleted data is purged from backups within that window

12. Security

We use industry-standard practices to protect your information, including encryption in transit (TLS) and at rest, role-based access controls, audit logging, secret management, and regular dependency reviews. No system is perfectly secure; if you discover a vulnerability, please report it to privacy@izzyos.com. We will notify you and the relevant supervisory authorities of personal-data breaches in accordance with applicable law (within 72 hours under GDPR for high-risk breaches).

13. Children

The Service is intended for adults operating businesses. We do not knowingly collect personal information from children under 16 (EU/UK) or under 13 (US). If you believe we have collected such information, contact privacy@izzyos.com and we will delete it.

14. Jurisdiction-specific information

European Union (GDPR)

Our supervisory authority list is the consolidated list of EU data protection authorities maintained by the European Data Protection Board: edpb.europa.eu/about-edpb/about-edpb/members_en. You may lodge a complaint with the authority of your country of residence, place of work, or place of the alleged infringement.

EU Representative under Art. 27 GDPR: [EU Representative — Prighter signup in flight, contact details to be inserted by 2026-05-11]

United Kingdom (UK-GDPR)

Our UK supervisory authority is the Information Commissioner’s Office (ICO): ico.org.uk. You may lodge a complaint with the ICO.

UK Representative under Art. 27 UK-GDPR: [UK Representative — Prighter signup in flight, contact details to be inserted by 2026-05-11]

Canada (PIPEDA)

Our supervisory authority is the Office of the Privacy Commissioner of Canada (OPC): priv.gc.ca. Quebec residents are also covered by Quebec Law 25, and may complain to the Commission d’accès à l’information du Québec.

California (CCPA / CPRA)

California residents have the rights described in §7. We do not sell or share personal data for cross-context behavioral advertising. To exercise your rights, including the “Do Not Sell or Share” right, email privacy@izzyos.com. We do not discriminate against users who exercise their rights.

Other US states

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states with comprehensive privacy laws have rights similar to those listed in §7. The same intake email applies: privacy@izzyos.com.

Brazil (LGPD), India (DPDP), and other jurisdictions

We extend the rights in §7 to data subjects in all jurisdictions where applicable law applies. Local supervisory-authority sections will be added as we onboard customers in those regions.

15. Privacy contact

Our privacy point of contact is the founder of IzzyOS LLC. While we are below the threshold that requires a formal Data Protection Officer (DPA) appointment, we maintain a single accountable contact:

Privacy contact: privacy@izzyos.com
Postal: IzzyOS LLC, 1309 Coffeen Ave STE 1200, Sheridan, WY 82801, USA

16. Changes to this policy

We may update this Privacy Policy from time to time. The version number and effective date at the top reflect the latest version. We will give material changes at least 30 days’ advance notice by email or in-app notice where feasible.

17. Contact us

Privacy questions, rights requests, breach reports:

IzzyOS LLC
1309 Coffeen Ave STE 1200
Sheridan, WY 82801, United States
privacy@izzyos.com (privacy + DSAR)
support@izzyos.com (general support)
(307) 522-1176

IzzyOS is operated by IzzyOS LLC · 1309 Coffeen Ave STE 1200, Sheridan, WY 82801 · support@izzyos.com · (307) 522-1176

Privacy · Terms · DPA · Sub-processors · Do Not Sell or Share