Legal · 02

Privacy Policy.

What we collect, why, who processes it on our behalf, how long we keep it, and how to exercise your rights — including specific disclosures for our AI voice and SMS systems.

Last updated · May 29, 2026

Document Control

  • Version: 1.0.1
  • Effective Date: May 29, 2026
  • Last Reviewed: May 29, 2026
  • Classification: Public Document
  • Owner: Privacy Officer, J&M Solutions
  • Revision notes: v1.0.1 (May 29, 2026, extended self-audit) added CASL compliance disclosure (Section 5.6), pediatric / healthcare-context children’s privacy provisions (Section 13.2), and refined breach-notification timelines (Section 11). v1.0.1 is an internal self-audit extension and is not a lawyer-reviewed revision; v1.1 is reserved for the next post-counsel review cycle.

Summary

  • We collect only what we need to operate the website, respond to inquiries, and deliver the AI voice, SMS, and automation systems our clients buy from us.
  • Our voice AI agents record calls and transcripts. Audio is deleted after each call by default. Transcripts are retained for up to seven (7) years per Canadian medical-records standards when the deployment serves a healthcare client.
  • Personal information may be processed by sub-processors located in the United States and subject to U.S. law, including the CLOUD Act. See Section 7.
  • Analytics and marketing cookies are off by default. You opt in via the cookie banner.
  • We never sell personal information. We never share it for cross-context behavioural advertising.
  • You have access, correction, deletion, and portability rights under PIPA BC, PIPEDA, and other applicable laws. We honour them within thirty (30) days.

1. Definitions

For the purposes of this Policy, capitalised terms have the following meanings:

  • “J&M”, “we”, “us”— J&M Solutions, the Canadian business identified in Section 2.
  • “Site”— the website at jmsolutionsapp.com and its subdomains.
  • “Services”— the AI agents, automations, dashboards, and integrations we build and operate for clients under written engagement.
  • “Personal Information”— information about an identifiable individual, as defined under PIPA BC and PIPEDA. Includes names, contact information, voice recordings, transcripts, IP addresses, and any other information that can be used to identify a person.
  • “Personal Health Information”(PHI) — a subset of Personal Information relating to physical or mental health, healthcare services received, or appointment details with a healthcare provider. Subject to additional protections.
  • “Client”— an organisation that has engaged J&M to deliver Services, including healthcare clinics that operate Services with their patients.
  • “Sub-processor”— a third-party service provider that processes Personal Information on our behalf to deliver the Services. See Section 6.
  • “Processing”— any operation performed on Personal Information, including collection, storage, access, transmission, or deletion.

2. Who We Are

J&M Solutions is a Canadian business operated by José María Morales Galván, based in British Columbia, Canada.

Note: J&M Solutions is presently structured as a sole proprietorship registered in British Columbia. Incorporation in British Columbia is in progress; this Policy will be updated on completion to reflect the corporate entity.

For Personal Information collected through the Site, we act as the data controller. For Personal Information processed through Services we operate on behalf of Clients, we act as a data processorunder the Client’s instructions and under a written Data Processing Agreement.

3. Privacy Officer

Pursuant to PIPEDA Principle 1 (Accountability) and PIPA BC s. 4, our designated Privacy Officer is:

  • Name: José María Morales Galván
  • Title: Privacy Officer & Owner, J&M Solutions
  • Email: privacy@getjmsolutions.com
  • Postal address: British Columbia, Canada (full address available on written request)

For Québec residents, this designation also identifies the “person in charge of the protection of personal information” under Loi 25.

4. Information We Collect

4.1 Information You Provide Directly

  • Contact-form, chat, and quote-builder submissions: name, email, phone (optional), business name, business type, languages, and what you would like us to build.
  • Voice conversationswhen you call a phone number provisioned for a J&M-built voice AI agent. We capture audio recordings and transcripts generated by the voice AI platform. See Section 5 for AI-specific processing details and Section 8 for retention periods.
  • SMS / chat conversationswhen you text a number or chat through a J&M-built SMS or chat AI agent. We capture message content and metadata (timestamps, phone numbers, session identifiers).
  • Appointment and booking datawhen you schedule through a J&M-operated voice, SMS, or web booking flow: your name, contact details, requested service, date, time, and any notes you provide.
  • Discovery-call bookings via our Cal.com link: name, email, time zone, optional notes.
  • Email correspondence you send to any of our published email addresses.

4.2 Information Collected Automatically

  • Standard server and network logs: IP address, user agent, requested URL, timestamp, HTTP status. Used for security, rate-limiting, and debugging. Retained 30 days unless required longer for security investigation.
  • Vercel Analytics, only with analytics consent granted via the cookie banner: aggregate page views, referrers, performance metrics. No cross-site identifiers.
  • Browser session storage for the on-site chat assistant, so refreshing the page does not erase your message thread. Local to your browser; not transmitted unless you submit a message.

4.3 Information from Clients

When we operate Services on behalf of a Client, that Client may upload or transmit Personal Information about their own customers or patients into the Services (for example, a patient roster for appointment reminders). We process that information solely under the Client’s instructions and the applicable Data Processing Agreement; the Client is the data controller for that information.

5. How Our AI Systems Process Personal Information

This Section discloses, in plain language, what happens when you interact with a J&M-built AI voice or SMS agent. It applies to any deployment where we are operator or co-operator of the Service.

5.1 Voice AI Agent (Inbound and Outbound Calls)

  1. Your call arrives via Twilio Inc. (telephony provider, United States) and is routed to a voice AI agent operated on ElevenLabs Inc. (conversational voice AI, United States).
  2. The agent generates a real-time audio recording and transcript of the conversation. The audio is processed by a large language model (LLM) operated by ElevenLabs or, where applicable, by OpenAI or Google (Gemini), depending on the agent configuration.
  3. The agent may call internal tools (workflow webhooks) hosted on our self-managed n8n instance to look up availability, create appointments, or send confirmations. These workflows run on a virtual server hosted by Hetzner Online GmbH in the United States (Oregon).
  4. Resulting appointment or contact data is written to Supabase Inc. (managed PostgreSQL database). Our database currently resides in the United States; migration to a Canadian region is planned. See Section 7 for transfer safeguards.
  5. At the end of the call, audio is automatically deleted by the voice AI platform (per our agent configurationdelete_audio = true). The transcript is retained per Section 8.

5.2 SMS / Chat AI Agent

  1. SMS messages arrive via Twilio Inc. (United States) and are routed to an SMS AI agent operated on Vapi Inc.(conversational AI for messaging, United States).
  2. Message content, timestamps, and session identifiers are processed by the agent. The agent invokes the same n8n workflow layer as the voice agent to read and write Client data in Supabase.
  3. Where configured for healthcare deployments, additional compliance settings (such as ElevenLabs retention_days and VapicompliancePlan) are applied to limit data retention and audio persistence.

5.3 Workflow Automation Layer

Our n8n instance executes the orchestration logic that connects voice, SMS, calendars, databases, and notification channels. Each workflow execution is logged for debugging. Execution logs are automatically pruned after seven (7) days (EXECUTIONS_DATA_MAX_AGE = 168 hours).

5.4 Automated Decision-Making

Our voice and SMS AI agents make conversational and operational decisions automatically (e.g., proposing appointment times, confirming a booking, transferring to a human, sending a reminder). These decisions are not legally significant. A human is available on request: callers and texters can ask to speak to a person, and the agent will offer escalation paths.

We do not use Personal Information for profiling, automated credit decisions, employment decisions, or any decision producing legal effects within the meaning of GDPR Art. 22 or PIPEDA equivalents.

5.5 Use of AI Models for Improvement

We do not train third-party AI models on identifiable Personal Information. Where a sub-processor offers a “zero data retention” or “do not train” setting compatible with our tier, we enable it. Aggregate, anonymised quality signals (e.g., average call duration, escalation rate) may be used to tune our own prompts and workflows.

5.6 Compliance with Canadian Anti-Spam Law (CASL)

Where J&M sends commercial electronic messages (CEMs) — such as marketing emails or promotional SMS — to recipients in Canada, we comply with An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities(S.C. 2010, c. 23), commonly known as Canada’s Anti-Spam Legislation (CASL). Specifically:

  • Consent: We send CEMs only with express consent (per CASL s. 6) or, where applicable, with implied consent under the existing business relationship exception (CASL s. 10(9)(a)), valid for up to two (2) years from the last commercial transaction or six (6) months from an inquiry.
  • Identification: Every CEM identifies us by name and provides contact information including a mailing address and either a phone number, email, or website URL, as required by CASL s. 6(2).
  • Unsubscribe mechanism: Every CEM contains a functional unsubscribe mechanism that is conspicuous, easy to perform, valid for at least sixty (60) days, and that we honour within ten (10) business days of receipt (CASL s. 11).
  • Transactional and service messages: SMS or email messages that are purely transactional in nature — appointment confirmations, reminders, cancellations, rescheduling requests, and similar operational communications between a healthcare Client and its patients — are not CEMs within the meaning of CASL s. 6(6) and are governed by the underlying healthcare relationship, not by CASL consent.
  • Client-operated messaging: When a Client operates a J&M-built SMS or voice agent to communicate with the Client’s own customers or patients, the Client is the sender under CASL and is responsible for ensuring CASL-compliant consent, unsubscribe, and identification practices for any CEMs sent through the Service. We provide configuration tooling to support these obligations.

Complaints regarding CEMs we send may be directed to the Canadian Radio-television and Telecommunications Commission (CRTC) at crtc.gc.ca, to the Spam Reporting Centre at fightspam.gc.ca, or directly to our Privacy Officer.

6. Sub-Processors

The following sub-processors may process Personal Information on our behalf. Each is bound by terms requiring confidentiality, security, and use limited to the purpose for which we engage them. Locations reflect the country of the data centre where Personal Information is processed, not the company’s incorporation.

Sub-processorRoleProcessing location
ElevenLabs Inc.Voice AI agent platform; LLM, TTS, ASR; transcript storageUnited States
Vapi Inc.SMS / chat AI agent platformUnited States
OpenAI, L.L.C.Large language model API used inside certain agents and workflowsUnited States
Google LLC (Gemini)Large language model API used inside certain agents (where configured)United States
Twilio Inc.Telephony (inbound/outbound calls), SMS routingUnited States
SendGrid (Twilio)Transactional email deliveryUnited States
Hetzner Online GmbHVirtual server hosting our self-managed n8n workflow engineUnited States (Oregon)
Supabase Inc.Managed PostgreSQL database; authentication; storageUnited States (migration to Canada planned)
Vercel Inc.Website hosting, edge logs, analytics (when consented)Global edge; primary region United States
Cloudflare Inc.CDN, DDoS mitigation, DNS where applicableGlobal edge
Sentry, Inc. (Functional Software, Inc.)Error monitoring across the Site and operated ServicesUnited States
Cal.com, Inc.Discovery-call schedulingUnited States
GitHub Inc.Source-code hosting; no end-user Personal InformationUnited States
UptimeRobotAvailability monitoring; no Personal InformationUnited States
Google WorkspaceCalendar / Drive integrations per individual Client engagementUnited States; multi-region

This list is reviewed periodically. We add or remove sub-processors as the stack evolves. Material additions affecting Personal Information will update this page and, where applicable, trigger notice to Clients under their Data Processing Agreement.

7. International Transfers and U.S. Law Exposure

As shown in Section 6, most sub-processors are based in or operate primarily from the United States. When Personal Information is transferred outside Canada, the following safeguards apply:

  1. A written Data Processing Agreement or equivalent contractual terms requiring a comparable level of protection.
  2. Encryption in transit (TLS 1.2+) for all transfers between ourselves and sub-processors.
  3. Use of provider-side privacy controls where available and accessible on our service tier (e.g., ElevenLabsretention_days and delete_audio; VapicompliancePlan flags).

Important disclosure: Sub-processors based in the United States are subject to U.S. laws including the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) and Foreign Intelligence Surveillance Act (FISA) §702. These laws may, in specified circumstances, compel disclosure of data to U.S. government authorities without notice to data subjects or to us.

Where the deployment serves a healthcare Client or processes Personal Health Information, the Client is responsible for obtaining appropriate patient consent under PIPA BC s. 17 and providing notice of the cross-border processing described above. We supply a template patient-consent disclosure for Client use.

8. Retention

We retain Personal Information only as long as necessary for the purposes for which it was collected, then delete or anonymise it. Default retention periods:

CategoryDefault retention
Voice AI agent audio recordingsDeleted immediately after each call (delete_audio enabled)
Voice and SMS AI transcripts (healthcare deployments)Seven (7) years (2,555 days), aligned with BC College of Physicians and Surgeons standard for medical records
Voice and SMS AI transcripts (non-healthcare deployments)Twelve (12) months, unless the Client requests a different period under their Data Processing Agreement
Appointment and booking dataPer Client retention policy; in absence of specific direction, seven (7) years post-last-interaction for healthcare deployments
Workflow execution logs (n8n)Seven (7) days, then automatically pruned
Inquiries, quote leads, sales correspondenceUp to 24 months from last contact, then deleted or anonymised
Active-client commercial recordsDuration of engagement plus seven (7) years (Canadian tax)
Server / network logs30 days, longer only for security investigation

Historical data note: Some retention controls (such as transcript retention windows on the voice AI platform) apply forward from the date the control was enabled. Calls that occurred before the control was enabled remain subject to the platform’s configured retention from each call’s individual timestamp.

9. Your Rights

Subject to the applicable law in your jurisdiction, you have the following rights:

  1. Access — request a copy of the Personal Information we hold about you.
  2. Correction — ask us to fix inaccurate or incomplete data.
  3. Deletion / erasure — request deletion, subject to legal retention requirements.
  4. Portability — receive a machine-readable copy.
  5. Objection / restriction — tell us to stop or limit certain uses.
  6. Withdraw consent — at any time, without affecting prior lawful processing.
  7. Lodge a complaint — with the privacy regulator in your jurisdiction. In Canada, the federal regulator is the Office of the Privacy Commissioner of Canada (OPC); in British Columbia, the Office of the Information and Privacy Commissioner for British Columbia (OIPC BC); in Québec, the Commission d’accès à l’information (CAI).

How to make a request: email privacy@getjmsolutions.com. We respond within thirty (30) days (PIPEDA), and in the timelines prescribed by other applicable laws. We may need to verify your identity before fulfilling a request. If we cannot fulfil a request in whole or in part, we will explain why.

10. Region-Specific Notices

10.1 British Columbia (PIPA BC)

We process Personal Information about residents of British Columbia in accordance with the Personal Information Protection Act(SBC 2003, c. 63). Specifically, our reliance on sub-processors outside Canada is disclosed in Section 7 in compliance with PIPA s. 17. You may direct complaints or access requests to the OIPC BC: oipc.bc.ca.

10.2 Canada (PIPEDA)

Where PIPEDA applies, our processing is grounded in the ten Fair Information Principles, including Accountability (Section 3, Privacy Officer designation), Identifying Purposes, Consent, Limiting Collection, Limiting Use/Disclosure/Retention, Accuracy, Safeguards (Section 11), Openness, Individual Access (Section 9), and Challenging Compliance.

10.3 Québec (Loi 25 / Law 25)

For Québec residents, the senior person responsible for the protection of personal information is identified in Section 3. We provide notice of cross-border transfers (Section 7) and conduct privacy impact assessments for new processing activities involving Personal Information at meaningful risk. You may direct complaints to the CAI: cai.gouv.qc.ca.

10.4 EU / UK (GDPR)

Our legal bases for processing include consent, contract, legitimate interest, and legal obligation, as appropriate. You may contact your supervisory authority at any time.

10.5 California (CCPA / CPRA)

We do not sell Personal Information and do not share it for cross-context behavioural advertising. California residents may request access, deletion, correction, and an opt-out of any future sharing by contacting our Privacy Officer.

10.6 Mexico (LFPDPPP)

The ARCO rights — Acceso, Rectificación, Cancelación, Oposición— apply and may be exercised through the Privacy Officer.

11. Security

We apply reasonable technical and organisational measures to protect Personal Information, including:

  • HTTPS / TLS 1.2+ across all public endpoints.
  • Encryption at rest in the managed-database and storage layers we use.
  • Scoped API tokens; least-privilege access; secret rotation when material changes occur.
  • Server hardening on our n8n virtual server (firewall, fail2ban, automatic intrusion-attempt banning).
  • Centralised error monitoring and on-call response procedures.
  • Routine dependency security audits and prompt patching of known vulnerabilities.
  • Periodic Privacy Impact Assessments for new or changed processing activities.

No system is perfectly secure. If a breach affecting your Personal Information is reasonably likely to result in a real risk of significant harm, we will notify affected individuals without unreasonable delay, and the applicable regulators within the timelines required by law:

  • PIPEDA (federal, private sector) — s. 10.1: report to the Office of the Privacy Commissioner of Canada (OPC) “as soon as feasible” after determining the breach has occurred.
  • Québec — Loi 25, art. 3.5: report to the Commission d’accès à l’information (CAI) “promptly” (with reasonable diligence).
  • British Columbia — PIPA: no statutory deadline, but Office of the Information and Privacy Commissioner for British Columbia (OIPC BC) guidance directs reporting “as soon as feasible”.
  • Affected-individual notification: without unreasonable delay, with sufficient detail to allow the individual to mitigate harm (nature of the breach, types of Personal Information involved, steps taken, steps the individual can take, and a contact point for follow-up).

We maintain a documented breach-response procedure and a designated incident-response point of contact, and we keep a record of every breach of security safeguards as required by PIPEDA s. 10.3.

12. Cookies

Detailed cookie information lives in our Cookie Policy. In short: essential cookies only by default; analytics and marketing categories require explicit opt-in via the banner.

13. Children

13.1 Through this Site

The Site is not directed to children under 16. We do not knowingly collect Personal Information from children under that age through the Site. If you believe we have, please contact the Privacy Officer so we can delete it.

13.2 Through healthcare deployments

Where a Client operates a J&M-built voice or SMS agent in a healthcare context that may involve pediatric patients (for example, a pediatric optometry or family medicine practice), pediatric patient data — including names, contact details, and appointment information — is typically managed by the patient’s parent or legal guardian on the patient’s behalf.

In such deployments, the Client acts as data controller for pediatric patient information and is responsible for:

  • Obtaining appropriate consent from the parent or legal guardian under PIPA BC and PIPEDA prior to collection.
  • Determining when a minor may consent independently to the collection of their Personal Information, applying the principles articulated by the Office of the Privacy Commissioner of Canada in its guidance on the privacy of young people. PIPEDA does not set a single fixed age threshold; capacity to consent depends on the minor’s understanding of the nature, purposes, and consequences of the proposed processing.
  • Communicating clearly with parents and guardians, in language they can understand, about what information is collected through the Service and how it is used.

J&M’s role as data processor in these deployments is to operate the technical Service in accordance with the Client’s instructions and the Data Processing Agreement. We provide configuration tooling — including ElevenLabs retention_days, Vapi compliancePlan, and J&M dashboard role-based access control — to support the Client’s parental-consent and minor-privacy obligations.

14. Changes

We will post material updates on this page and adjust the Document-Control block at the top. Where required by law, we will request renewed consent. Historical versions are available on request from the Privacy Officer.

15. Contact

Privacy questions, access requests, or complaints: