Privacy Policy

1 Introduction

This Privacy Policy explains how Bamboo Metrix LLC ("Bamboo," "we," "us") collects, uses, and shares personal information in connection with the Bamboo platform at mybamboo.ai and related services (the "Services").

Bamboo provides software-as-a-service for designing and operating AI voice agents. This Policy describes our practices both as a controller of personal data (for example, information about our account holders) and as a processor of personal data on behalf of our customers (for example, end-user call recordings and transcripts).

2 Information We Collect

2.1 Information You Provide to Us

• Account information: name, email address, company name, role, billing address
• Authentication information: password (hashed), single-sign-on identifiers
• Payment information: processed by our payment provider; we do not store full payment card numbers
• Communications: information you provide in support tickets, sales conversations, and feedback

2.2 Information Generated Through Use of the Services

• Configuration data: agent prompts, knowledge base content, integration credentials (encrypted at rest), test cases, override rules, objectives, and other artifacts you create in the platform
• Operational data: workspace, organization, department, and user assignments; activity logs; feature usage metrics

2.3 Information About Calls Handled by Customer Voice Agents

When a customer's voice agent handles a call, we process the following on behalf of the customer:

• Audio recordings of the call between the AI agent and the caller, and where applicable, of the post-transfer call between the caller and a human agent (the "conference recording")
• Transcripts generated from audio via speech-to-text
• Caller telephone numbers and other metadata communicated by the telephony provider
• Information disclosed by the caller during the call, such as name, contact details, order numbers, location, and any other information the caller chooses to share
• AI-generated summaries, evaluations, and reasoning derived from the call

2.4 Information Collected Automatically

• Device and connection information: IP address, browser type, operating system, device identifiers
• Usage information: pages visited, features used, time stamps, referring URLs
• Cookies and similar technologies: see Section 11

2.5 Information From Third Parties

• Integration data: when you connect a third-party service (e.g., Dutchie, Metrc, Alpine IQ, Springbig, HubSpot, Salesforce, Twilio, Google Calendar), we receive data from that service as necessary to provide the Services
• Marketing and analytics partners: information from advertising and analytics providers about your interaction with our website

3 How We Use Information

We use information for the following purposes:

• (a) To provide and operate the Services, including running voice agents, recording and transcribing calls, generating summaries and evaluations, routing transfers, sending notifications, and producing analytics.
• (b) To bill, invoice, and collect payment.
• (c) To improve the Services, including debugging, monitoring performance, training and tuning internal evaluation systems, and developing new features. We use aggregated and de-identified data for these purposes. We do not use customer-specific Customer Content to train third-party AI foundation models without express opt-in.
• (d) To communicate with you about your account, support requests, security alerts, and product updates.
• (e) To send marketing communications, where permitted by law and subject to opt-out.
• (f) To detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms.
• (g) To comply with legal obligations, including responding to lawful requests by public authorities.
• (h) To exercise or defend legal claims.

4 Legal Basis for Processing (EEA, UK, Switzerland)

If you are in the European Economic Area, United Kingdom, or Switzerland, we process personal data on one or more of the following legal bases:

• Performance of a contract — to deliver the Services you have requested
• Legitimate interests — to operate, improve, and secure the Services; to communicate with customers; to detect fraud. Where we rely on legitimate interests, we have assessed that those interests are not overridden by your data-protection rights
• Consent — for certain marketing communications and for any processing for which consent is required by law. You can withdraw consent at any time
• Compliance with a legal obligation

5 How We Share Information

5.1 Service Providers (Subprocessors)

We share information with third-party providers who help us operate the Services. Categories include:

A current list of subprocessors is available upon request at privacy@mybamboo.ai. We require subprocessors to maintain appropriate technical and organizational safeguards and to process personal data only as instructed.

5.2 Customer-Selected Integrations

When you (or our customer, if you are an end user) connect a third-party integration, data is transmitted to and from that integration according to your instructions. We are not responsible for the privacy practices of those third parties.

5.3 Within the Bamboo Group

We may share information with affiliated entities (including our Romanian operating entity) for the purposes described in this Policy.

5.4 Business Transfers

In connection with a merger, acquisition, financing, or sale of assets, we may transfer information to the relevant counterparty, subject to confidentiality protections.

5.5 Legal Requirements

We may disclose information when required by law, regulation, legal process, or governmental request, or to protect our rights, the safety of users or the public, or the integrity of the Services.

5.6 With Your Consent

We may share information for other purposes with your consent.

5.7 We Do Not Sell Personal Information

We do not sell personal information for monetary consideration. To the extent any sharing constitutes a "sale" or "sharing" under the California Consumer Privacy Act (as amended by the CPRA), California residents may opt out as described in Section 9.

5.8 Mobile Information and SMS Privacy

We value your privacy and are committed to protecting your personal information. No mobile information or phone numbers will be shared with third parties, affiliates, or partners for marketing or promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties under any circumstances. Your mobile number is strictly used internally within the Bamboo Metrix platform to provide authentication, security verification, and transactional notifications.

6 International Data Transfers

Bamboo is a US-headquartered company with engineering and operational activities in Romania. Personal data may be transferred to and processed in countries that may have different data-protection laws than your country.

Where required by law (including GDPR), we implement appropriate safeguards for international transfers, including the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or equivalent mechanisms.

7 Data Retention

We retain personal data for as long as necessary to provide the Services and for the purposes described in this Policy, including to satisfy legal, accounting, and reporting obligations.

Customers may configure retention periods within the platform for data processed on their behalf. After the retention period, data is deleted or de-identified.

8 Security

We use commercially reasonable administrative, technical, and physical safeguards designed to protect personal data, including encryption in transit (TLS) and at rest, access controls, audit logging, secret management, and regular security reviews. No system is fully secure, and we cannot guarantee absolute security.

If a security incident affects your personal data, we will notify you as required by applicable law.

9 Your Rights

Depending on where you live, you may have the following rights regarding your personal information:

• Access — request a copy of the personal data we hold about you
• Correction — request that we correct inaccurate or incomplete data
• Deletion — request that we delete your personal data, subject to legal exceptions
• Restriction — request that we restrict processing in certain circumstances
• Objection — object to processing based on legitimate interests or direct marketing
• Portability — request a copy of certain data in a portable format
• Withdraw consent — where processing is based on consent
• Opt-out of "sale" or "sharing" of personal information (California residents)
• Opt-out of automated decision-making that produces legal or similarly significant effects

To exercise any of these rights, please contact us at privacy@mybamboo.ai. We will respond within the time required by applicable law (typically 30 days under GDPR; 45 days under CCPA, extendable once).

You also have the right to lodge a complaint with a data-protection authority. In the EU, this is the authority in your country of residence. In Romania, this is the ANSPDCP.

10 Voice Recordings — Special Notice

Calls handled through the Bamboo platform are typically recorded for service delivery, quality, and compliance purposes. Our customers (the operators of the voice agents) are responsible for providing any disclosure or obtaining any consent required by applicable law before recording occurs, including:

• US state two-party-consent laws (California, Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Pennsylvania, Washington, and others)
• Illinois Biometric Information Privacy Act (BIPA), Texas Capture or Use of Biometric Identifier Act (CUBI), and similar laws if voice characteristics may be considered biometric identifiers
• Disclosure requirements that the caller is interacting with an AI system (California SB 1001, EU AI Act, Utah AI Policy Act, and others as applicable)

11 Cookies and Similar Technologies

Our website uses cookies and similar technologies for essential operation, analytics, and (with consent) marketing. You can manage cookie preferences through the cookie banner on our website or your browser settings.

• Strictly necessary — required for the platform to function (authentication, security)
• Analytics — to understand how users interact with the site (e.g., Google Analytics)
• Functional — to remember preferences
• Marketing — to measure marketing effectiveness; only with your consent in jurisdictions where required

12 Children's Privacy

The Services are not directed to individuals under 18, and we do not knowingly collect personal information from individuals under 18. Customers operating in regulated industries (including cannabis) are responsible for implementing age-verification controls.

13 Third-Party Links and Services

The Services and our website may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies.

14 Changes to This Policy

We may update this Policy from time to time. The "Last Updated" date at the top reflects the latest revision. Material changes will be communicated by email or in-app notice. Continued use of the Services after the effective date of the revised Policy constitutes acceptance.

15 Contact

For questions, requests, or complaints about this Policy or our data practices, contact us at:

If you are in the EEA, UK, or Switzerland, you may also contact our EU representative (if applicable) at: Ionut Dumitru (dpo@mybamboo.ai).

Our Data Protection Officer is Ionut Dumitru and can be reached at dpo@mybamboo.ai.