Privacy Policy

Last Updated: January 13, 2025

1. Introduction

Calla Technologies Inc. ("Calla," "we," "us," or "our") is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our Agency Management System ("Service" or "Platform").

This Privacy Policy applies to all users of the Service, including agencies, carriers, principals, and end-users accessing the Service through embedded widgets or APIs.

BY USING THE SERVICE, YOU CONSENT TO THE DATA PRACTICES DESCRIBED IN THIS POLICY.

2. Information We Collect

2.1 Information You Provide Directly

Account Information:

  • Name, email address, phone number
  • Business name, address, Tax ID (EIN/SSN)
  • Role and job title
  • Password and authentication credentials
  • Payment information (credit card, ACH details)

Bond Application Data:

  • Principal information (business name, financial data, owner information)
  • Obligee information (entity name, contact information)
  • Bond details (penalty amount, bond type, effective dates)
  • Financial statements and supporting documents
  • Credit reports and underwriting data
  • Contract documents, specifications, bid information

Financial Transaction Data:

  • Premium amounts, commissions, fees
  • Payment processor transaction IDs
  • Ledger entries and accounting records
  • Invoice and receipt information

2.2 Information Collected Automatically

Device and Usage Information:

  • IP address, browser type, operating system
  • Device identifiers and model
  • Pages viewed, features used, time spent
  • Search queries and filter selections
  • Click stream data and navigation patterns
  • Error logs and crash reports

Cookies and Tracking Technologies:

  • Session cookies for authentication
  • Persistent cookies for preferences
  • Analytics cookies (Google Analytics, Mixpanel)
  • Marketing cookies (Facebook Pixel, LinkedIn Insight Tag)

2.3 Information from Third Parties

  • Credit reports from Experian, Equifax, TransUnion
  • Identity verification from LexisNexis, Socure
  • Payment data from Stripe, Authorize.net, PayPal
  • Carrier data from insurance partners
  • Comhar Consulting underwriting recommendations

3. How We Use Your Information

We use collected information for the following purposes:

3.1 Service Delivery

  • Process bond applications and issuances
  • Perform underwriting analysis and risk assessment
  • Generate quotes and calculate premiums
  • Manage financial accounting and commissions
  • Facilitate payment processing
  • Send transaction confirmations and receipts

3.2 Platform Improvement

  • Analyze usage patterns to improve features
  • Train AI/ML models for document processing
  • Debug errors and optimize performance
  • Conduct A/B testing on new features
  • Develop new products and services

3.3 Communications

  • Send account notifications and security alerts
  • Provide customer support
  • Deliver product updates and announcements
  • Send marketing emails (with opt-out option)
  • Conduct surveys and feedback requests

3.4 Legal and Compliance

  • Comply with legal obligations (subpoenas, court orders)
  • Enforce Terms of Service
  • Detect and prevent fraud, abuse, and security threats
  • Maintain audit trails for financial transactions
  • Respond to data subject rights requests (GDPR, CCPA)

4. Information Sharing and Disclosure

We may share your information in the following circumstances:

4.1 Service Providers

We share data with third-party vendors who perform services on our behalf:

  • Cloud Hosting: Microsoft Azure (data storage and processing)
  • Payment Processors: Stripe, Authorize.net, PayPal
  • Credit Bureaus: Experian, Equifax, TransUnion
  • Email Services: SendGrid, Mailgun
  • Analytics: Google Analytics, Mixpanel, Amplitude
  • Customer Support: Zendesk, Intercom
  • Document Management: Azure Blob Storage, DocuSign

All service providers are bound by confidentiality agreements and may only use data as instructed.

4.2 Business Partners

  • Carriers: Insurance carriers receive bond application data for underwriting
  • Comhar Consulting: Underwriting partner receives limited data for risk analysis
  • Obligees: Bond details shared as required for bond issuance

4.3 Multi-Tenant Data Isolation

Important: Calla is a multi-tenant platform. Your data is isolated in a dedicated schema and is NOT accessible to other tenants. We maintain strict data segregation to prevent cross-tenant access.

4.4 Legal Requirements

We may disclose information if required by law:

  • In response to subpoenas, court orders, or legal process
  • To comply with government or regulatory investigations
  • To protect our rights, property, or safety
  • To prevent fraud, illegal activity, or security threats
  • In connection with a merger, acquisition, or asset sale

4.5 Consent-Based Sharing

We will not share your personal information with third parties for their marketing purposes without your explicit consent.

5. Data Security

We implement comprehensive security measures to protect your data:

5.1 Technical Safeguards

  • Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
  • Access Controls: Role-based access control (RBAC), least privilege principle
  • Authentication: Multi-factor authentication (MFA) for all accounts
  • Network Security: Firewalls, intrusion detection, DDoS protection
  • Database Security: Encrypted backups, schema-level isolation
  • API Security: JWT tokens, rate limiting, API key rotation

5.2 Organizational Safeguards

  • Employee background checks and security training
  • Confidentiality agreements for all personnel
  • Incident response plan and breach notification procedures
  • Regular security audits and penetration testing
  • SOC 2 Type II certification

5.3 Data Breach Notification

In the event of a data breach affecting your personal information, we will notify you within 72 hours of discovery via email and provide information about the breach, impacted data, and remediation steps.

6. Data Retention

We retain your information for as long as necessary to fulfill the purposes described in this Privacy Policy:

6.1 Active Accounts

  • Account data: Retained while account is active
  • Bond data: Retained for 7 years after bond expiration (regulatory requirement)
  • Financial records: Retained for 7 years (IRS and GAAP requirements)
  • Underwriting data: Retained for 5 years

6.2 Terminated Accounts

  • 30-day grace period for data export
  • Anonymization of personal identifiers after export window
  • Retention of aggregated, anonymized data for business analytics
  • Legal hold overrides deletion if litigation is pending

6.3 Log Data

  • Access logs: 90 days
  • Audit logs: 1 year
  • Security logs: 2 years

7. Your Rights and Choices

You have the following rights regarding your personal information:

7.1 Access and Portability

You may request a copy of your personal data in a structured, machine-readable format. Email privacy@calla.io to request data export.

7.2 Correction and Updates

You may update account information directly through the Service settings or by contacting support.

7.3 Deletion (Right to be Forgotten)

You may request deletion of your personal data, subject to legal retention requirements. Note that deletion may prevent access to the Service and historical records.

7.4 Opt-Out of Marketing

You may opt out of marketing emails by clicking "Unsubscribe" in any marketing email or by updating your communication preferences in account settings.

7.5 Do Not Track

Our Service does not currently respond to "Do Not Track" signals from browsers.

7.6 California Privacy Rights (CCPA)

California residents have additional rights under CCPA:

  • Right to know what personal information is collected
  • Right to know if personal information is sold or disclosed
  • Right to opt out of sale of personal information (we do not sell data)
  • Right to deletion
  • Right to non-discrimination for exercising rights

7.7 European Privacy Rights (GDPR)

EU/EEA residents have rights under GDPR including:

  • Right of access, rectification, and erasure
  • Right to restrict or object to processing
  • Right to data portability
  • Right to withdraw consent
  • Right to lodge a complaint with a supervisory authority

8. International Data Transfers

The Service is hosted in the United States. If you access the Service from outside the U.S., your information will be transferred to, stored, and processed in the United States.

For EU/EEA users, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate protection for data transfers.

9. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we discover that a child under 18 has provided personal information, we will delete it immediately.

10. Third-Party Links and Services

The Service may contain links to third-party websites and integrate with third-party services. We are not responsible for the privacy practices of these external sites. We encourage you to read their privacy policies.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email and/or prominent notice on the Service 30 days before the effective date. Your continued use after changes constitutes acceptance.

We will maintain historical versions at: /privacy/archive

12. Contact Us

For questions, concerns, or to exercise your privacy rights, please contact:

Calla Technologies Inc.

Privacy Officer

Email: privacy@calla.io

Address: [To Be Determined]

Response Time: We will respond to privacy inquiries within 30 days.

BY USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY POLICY AND CONSENT TO THE COLLECTION, USE, AND DISCLOSURE OF YOUR INFORMATION AS DESCRIBED HEREIN.