Privacy Policy
1. Introduction
Strike Force Agency LLC ("we," "us," "Strike Force") respects your privacy. This Privacy Policy explains what information we collect, who we share it with, how long we keep it, and your rights under federal law, the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA), and the EU General Data Protection Regulation (GDPR).
We wrote this in plain English on purpose. If anything is unclear, email us at privacy@strikeforce.agency and we'll explain.
If you don't agree with this policy, don't use our services.
2. Categories of Personal Information We Collect
This section follows the categories defined in CCPA § 1798.140(v) and § 1798.110(c). For each category we list the types of data, where it came from, why we collect it, and who we share it with. The full sub-processor list is in Section 10.
| CCPA category | Examples | Source | Purpose | Shared with |
|---|---|---|---|---|
| Identifiers | Name, email, phone, business name, IP address, account ID | You; your website; public business records | Account setup, support, billing, fraud prevention | Hosting, email, payment, voice/SMS sub-processors (Section 10) |
| Commercial information | Services purchased, package selected, billing history | You; payment processor | Billing, accounting, customer support | Payment processor, email service provider |
| Internet / network activity | Pages viewed on our site, features used in portal, login times, browser type | Collected automatically via cookies and server logs | Security, debugging, product analytics (aggregated) | Hosting, CAPTCHA sub-processor |
| Audio / electronic information | Voice call recordings, call transcripts, SMS message contents, chat transcripts | You and your callers (with disclosed consent) | Operate the voice agent, deliver the conversation to the right human, quality assurance, training | Voice AI platform, LLM provider, voice/SMS carrier (Section 10) |
| Professional / employment information | Business industry, revenue range, employee count, role at the company | You during discovery; public business records | System design, pricing, qualification | Strike Force team only (not shared with sub-processors except as needed to operate the platform) |
| Inferences | Lead quality scores, fit signals, recommended package | Derived by our system from the data above | Sales qualification, recommend the right Module mix | Strike Force team only |
| Sensitive personal information (CPRA) | Account login credentials (hashed); contents of voice calls and emails you send to us | You | Authenticate you; deliver your messages to the right recipient | Limited to sub-processors strictly required to deliver the service |
| Payment data | Cardholder name and last 4; transaction amount and date | Payment processor (we never see your full card number) | Billing and chargeback handling | Payment processor only — card numbers never touch Strike Force servers |
We do NOT collect
- Government-issued IDs, Social Security numbers, or driver's licenses.
- Precise geolocation (we only see approximate IP-based region).
- Race, religion, sexual orientation, union membership, or political views.
- Health or medical records.
- Biometric identifiers (voiceprints, faceprints).
Sources we collect from
- Directly from you: contact forms, discovery calls, account signup, support emails.
- Automatically: server logs, cookies, the portal application.
- From third parties: our payment processor (transaction confirmations); tools you connect (your CRM, Google Workspace, etc., only the data you authorize); public sources (your website, LinkedIn, Google Business Profile — used for system design only).
3. How We Use Your Information
To provide services
- Design, install, and operate your custom AI system.
- Integrate with your tools.
- Deliver support and optimization.
- Investigate and resolve issues.
To improve services
- Understand how your system performs (aggregated, deidentified).
- Improve our own infrastructure (we do not train third-party AI models on your data).
For communication
- System updates, support responses, billing receipts, policy changes.
For legal compliance
- Responding to lawful requests, enforcing our agreements, preventing fraud.
NOT for marketing
We do not sell your data. We do not share your data with ad networks, data brokers, or competitors.
4. How We Share Your Information
We share with
- Our team: Strike Force employees and contractors who support your system, under written confidentiality agreements.
- Sub-processors: the vendors listed in Section 10 below. Each one operates under a data processing agreement that limits how they can use your data.
- Tools you connect: when you authorize an integration (your CRM, Google Workspace, etc.), the connected platform receives the data it needs to function.
We do not share with
- Ad networks or data brokers.
- Competitors or other businesses.
- Marketing agencies (other than vendors we use to support our own outbound — and those vendors do not get your customer data).
We do not sell or "share" for cross-context behavioral advertising
Under CCPA / CPRA, "sale" and "share" have specific legal meanings. We do not sell your personal information. We do not share your personal information with third parties for cross-context behavioral advertising. We have never done so in the past 12 months.
Exceptions (legal requirements)
We may disclose information if required by court order, subpoena, law enforcement request, or other binding legal obligation. Where lawful, we will give you prompt notice and a reasonable opportunity to seek a protective order.
5. Data Security
- Encrypt data in transit (HTTPS / TLS).
- Encrypt data at rest where supported by our infrastructure providers.
- OAuth 2.0 authentication where applicable.
- Access controls (least-privilege).
- Routine backups.
- Telecom-fraud monitoring + hard daily spend caps on every provisioned phone number (see §9.5 of our Master Service Agreement).
Your responsibilities
- Use strong, unique passwords.
- Don't share your login.
- Maintain your own backups of business-critical data.
Incident response
If we discover a security breach that affects your personal information, we will notify you and any applicable regulator within 72 hours of becoming aware of the breach. This matches the GDPR Article 33 standard and meets or exceeds the breach-notice rules in every U.S. state where we operate. The notice will explain what happened, what data was involved, and what steps we are taking.
6. Data Retention
| Type | Retention | Reason |
|---|---|---|
| System performance data | 90 days | Debugging and optimization |
| Access logs | 90 days | Security monitoring |
| Voice recordings | 12 months default (configurable) | Quality assurance, training, Client review |
| Audit trails | 7 years (deidentified) | Compliance and legal holds |
| Business information | 3 years after last engagement | Legal and operational needs |
| Payment records | 7 years | Tax and accounting compliance |
You can request deletion at any time, subject to legal holds and compliance requirements.
7. Your Rights: Know, Delete, Correct, Opt-Out
You have rights over the information we hold about you. This section explains each right and exactly how to use it. We honor every right listed here regardless of where you live.
Right to Know (CCPA § 1798.110 / GDPR Art. 15)
You can ask us for a copy of the personal information we have about you, the categories we collected, where we got it, why we collected it, and who we shared it with. We will respond within the timeframes required by applicable law.
Right to Delete (CCPA § 1798.105 / GDPR Art. 17)
You can ask us to delete your personal information, and we will honor the request within the timeframes required by applicable law. Some data may need to be kept longer when the law requires it (for example, tax records or fraud-prevention logs). If we can't delete something, we'll tell you why.
Right to Correct (CCPA § 1798.106 / GDPR Art. 16)
If something we have about you is wrong, tell us and we'll correct it within the timeframes required by applicable law.
Right to Data Portability (CCPA § 1798.130 / GDPR Art. 20)
You can ask for your data in a portable, machine-readable format (CSV or JSON), and we will deliver it within the timeframes required by applicable law.
Right to Opt-Out of Sale or Sharing (CCPA § 1798.120)
We do not sell or share your personal information for cross-context behavioral advertising. The "Do Not Sell or Share My Personal Information" link in our footer is provided for your convenience and as a record of our position.
Right to Limit Use of Sensitive Personal Information (CPRA § 1798.121)
You can ask us to limit how we use your sensitive personal information (login credentials, call/email contents) to only what is strictly necessary to provide the service you asked for.
Right to Non-Discrimination (CCPA § 1798.125)
We will not deny service, charge more, give worse service, or retaliate against you for exercising any privacy right.
Right to Designate an Authorized Agent (CCPA § 1798.135)
You can have someone submit a request on your behalf. The agent must give us written proof of authority signed by you, and we may ask you to confirm the request directly.
How to submit a request
- Email privacy@strikeforce.agency with one of these subject lines: "DATA REQUEST — KNOW", "DATA REQUEST — DELETE", "DATA REQUEST — CORRECT", "DATA REQUEST — PORTABILITY", or "DATA REQUEST — LIMIT SPI".
- Include the email address or phone number you used with us, so we can find your records.
- We will confirm receipt promptly and may ask you to verify your identity (for example, by replying from the email on file).
- You can also call our compliance line at +1 (302) 726-6754 or mail a request to the address in Section 16.
There is no fee for these requests. If we can't honor part of a request (for example, we can't delete records we are required by law to keep), we'll tell you in writing why and what we can do instead.
8. Your Business Data Belongs to You
The customer data, calls, messages, and records your AI systems collect on your behalf belong to you. Strike Force is the custodian during the engagement. On termination, we export your data to you within 30 days in standard formats per §3.5 of the Master Service Agreement.
9. How Your Data Moves Through Our Systems
To make our sub-processor disclosure meaningful, here is what actually happens with the most sensitive data flows. Read this with the sub-processor table in Section 10.
Voice agent calls (Jade / Nova / Leyla)
- Your caller dials a Strike Force number. The call connects through SignalWire (our voice/SMS carrier).
- Audio is streamed to Vapi (our voice AI platform), which turns speech into text.
- The transcript is sent to Anthropic (our LLM provider — Claude family models) to generate the agent's response. Anthropic processes this data under a Zero-Retention agreement: prompts and completions are not used to train models and are not retained beyond the inference request.
- The response audio is played back to your caller through Vapi and SignalWire.
- The full call recording and transcript are stored on Strike Force servers (hosted by Render), encrypted at rest. You can request deletion at any time (Section 7).
- A nightly encrypted backup snapshot is sent to Backblaze B2 for disaster recovery.
Cold email outreach
- We pull a list of business contacts from public business records or licensed data sources.
- We send outreach through Instantly (cold email platform). Replies route back to Strike Force.
- Transactional follow-ups (receipts, contract delivery) are sent through SendGrid (Twilio brand).
Payments
- You enter card details on a hosted Easy Pay Direct (EPD) page. Your card number never touches Strike Force servers.
- EPD returns a transaction confirmation (cardholder name, last 4, amount, date). We store that confirmation for billing and tax records.
Web forms and CAPTCHA
- When you fill in a form on our site, Cloudflare Turnstile runs a privacy-respecting bot check. Cloudflare does not receive form contents.
- Form data is sent to Strike Force servers (hosted by Render).
10. Sub-Processors
A sub-processor is a third-party service that processes personal information on our behalf so we can deliver our services to you. Below is the complete list of sub-processors we currently use. Each one is bound by a written data processing agreement and is required to keep your data secure.
| Sub-processor | Purpose | Data shared | Jurisdiction |
|---|---|---|---|
| Anthropic, PBC | Large language model (Claude family — Sonnet / Haiku / Opus) used to power voice agent responses, drafting, and summarization | Call transcripts, prompt context, prospect business info as needed for the conversation | United States. Operates under Zero-Retention terms; no model training on Strike Force data. |
| Vapi, Inc. | Voice AI orchestration — speech-to-text, text-to-speech, real-time call handling | Call audio, transcripts, caller phone number, agent configuration | United States |
| SignalWire, Inc. | Voice and SMS carrier — phone numbers, SMS delivery, call routing | Caller and recipient phone numbers, SMS message contents, call metadata, audio | United States |
| Twilio SendGrid | Transactional email — receipts, contracts, password resets, system notifications | Recipient email, subject, body, delivery metadata | United States |
| Instantly.ai | Cold email outreach platform | Prospect email, name, business name, sequence step, reply contents | United States |
| Easy Pay Direct (EPD) | Payment processor — collects card details on a hosted page | Cardholder name, billing address, card number (PCI-compliant — Strike Force does not see or store the card number) | United States |
| Google LLC (Google Workspace) | Email, calendar, Google Meet video conferencing | Email contents, calendar events, meeting attendee info, Meet call audio/video (when used for meetings) | United States (with EU-US Data Privacy Framework certification) |
| Render Services, Inc. | Application hosting and database hosting for the Strike Force platform | All Strike Force application data — call records, transcripts, account data, prospect dossiers (encrypted at rest) | United States |
| Backblaze, Inc. (B2) | Nightly encrypted backup storage for disaster recovery | Encrypted snapshots of the Strike Force database | United States |
| Cloudflare, Inc. | Bot protection (Turnstile CAPTCHA) on public web forms | IP address, browser fingerprint signals; not the contents of the form | United States |
| Porkbun, LLC | Domain name registration and DNS | Domain configuration only — no personal data | United States |
| iPostal, Inc. | Commercial mail receiving agency (CMRA) — our legal-of-record postal address | Sender information on inbound mail; nothing else | United States |
Notice of new sub-processors
Before we add a new sub-processor that will process customer personal information, we will notify customers by email at least 30 days in advance. The email will name the new sub-processor, the purpose, and the data it will receive. If you object, contact us within 30 days and we will work with you to find a path that does not require the new sub-processor, or we will let you terminate the affected service without penalty.
International transfers
All sub-processors above operate in the United States. If you are in the EU/EEA, the UK, or Switzerland, your personal information is transferred to the U.S. under one of the GDPR-approved transfer mechanisms (typically Standard Contractual Clauses, or the EU-US Data Privacy Framework where the vendor is certified, e.g. Google).
11. Children's Privacy
Strike Force services are not directed at children under 13. We do not knowingly collect data from children. If we discover we have, we will delete it.
12. California Privacy Rights (CCPA / CPRA)
California residents have all the rights listed in Section 7. We do not sell personal information, and we do not "share" personal information for cross-context behavioral advertising. We have not done either in the past 12 months. The categories of personal information we collect are listed in Section 2. The categories of sub-processors we share with are listed in Section 10.
Submit any CCPA request using the instructions in Section 7.
13. EU Privacy Rights (GDPR)
If you are in the EU/EEA, we process your personal data only with your consent or another lawful basis under GDPR Article 6 (typically: performance of a contract, legitimate interests, or your consent). We comply with Articles 32 (security) and 33 (breach notification to the lead supervisory authority and, where required, to affected individuals, within the timeframes required by GDPR). Standard Contractual Clauses are used for any international transfers (see Section 10).
You have the right to lodge a complaint with your local data protection authority. We will cooperate fully with any such investigation.
14. Updates to This Policy
We may update this Privacy Policy from time to time. We will provide notice of material changes — including the addition of new sub-processors — by email or in-product notice at least 30 days before the change takes effect. The "Last updated" date at the top of this page always reflects the current version. Continued use after the effective date constitutes acceptance.
15. Do Not Sell or Share My Personal Information
Strike Force does not sell or share personal information for cross-context behavioral advertising. You can confirm this position at any time by emailing privacy@strikeforce.agency with the subject line "DO NOT SELL OR SHARE". We will acknowledge promptly. We do not require you to create an account to make this request.
16. Contact Us
Questions about privacy?
Strike Force Agency LLC — Privacy Team
Email: privacy@strikeforce.agency
General contact: services@strikeforce.agency
Mail: Strike Force Agency LLC, 3575 Arden Way #1048, Sacramento, CA 95864
Compliance / DNC removal: +1 (302) 726-6754
DNC Organization ID: 10335777-58890
For California-specific requests, see Section 7. For EU/EEA requests, you can also contact your local data protection authority.