# Data and privacy

Here is what we know about you, how we use it, how we protect it, and what choices you have.

## What we collect

From the business that placed your account:

* Your name (business name and/or personal name if you're a sole proprietor).
* Your contact information (phone, email, mailing address).
* The invoice details — what's owed, when, what for.
* Any notes the business shared.

From skip-tracing / enrichment:

* Updated phone numbers and email addresses.
* Confirmation of business entity type.
* Address verification.

From your interactions with us:

* Call recordings and transcripts.
* Email replies.
* Portal logins and activity.
* Payments you make.
* Documents you upload.
* Messages you send.

## How we use it

* To collect the debt (calling, emailing, the portal).
* To verify the debt when disputed.
* To process payments.
* To meet legal and regulatory requirements (audit trail, recording obligations).
* To improve our service (analytics on call outcomes, dispute patterns).

## What we don't do with it

* We do **not** sell your information to anyone.
* We do **not** share it with third parties beyond what's needed to do the collection (e.g., the business that placed the account, our payment processor for payments, our voice and email providers for calling and emailing).
* We do **not** publish your information.
* We do **not** use your data for advertising or marketing outside of communications about this debt.

## Who can see your data

| Who                                   | What they see                                    |
| ------------------------------------- | ------------------------------------------------ |
| You (via portal + DSAR access bundle) | Everything we have about you                     |
| The business that placed your account | Everything about your account                    |
| Our internal compliance team          | Everything when handling a complaint or dispute  |
| Our internal ops team                 | Account information needed to help with an issue |
| Payment processor (Stripe)            | Payment details only                             |
| Voice provider                        | Call audio during the call                       |
| Email provider (Postmark)             | Email contents for delivery                      |
| Anyone named in a court order         | Whatever the order requires                      |

The database enforces tenant isolation via Postgres Row-Level Security. Every query on tenant tables filters on `creditor_id`.

## Security

* Data is encrypted in transit (TLS). DSAR access bundles are Fernet-encrypted at rest when `dsar_encryption_key` is set.
* Internal access in admin-posture sessions runs under a separate session helper so cross-tenant access is auditable.
* Stripe holds full payment card numbers; we don't.

## Retention

* **Audit events:** permanent, append-only.
* **Call transcripts:** permanent, append-only.
* Concrete bucket-level retention windows for call recordings and account records are governed by operational policy rather than encoded in the application config.

## Your data choices

All data-subject requests are handled through the platform's DSAR workflow (CPRA-aligned). Submit a request via `POST /portal/dsar` with one of the supported `kind` values:

* `access` — get a copy of everything we have about you.
* `delete` — request deletion (subject to legal retention requirements).
* `correct` — request a correction.
* `opt_out_sale` — opt out of sale (we don't sell, so this is honored as a confirmation).
* `opt_out_share` — opt out of sharing.

The response SLA is **45 days** (`dsar_response_sla_days`). Within that window the request moves through `received` → `verifying` → `in_progress` → `completed` (or `denied` with a reason).

When `kind=access`, the platform compiles an access bundle of your data and stores it encrypted at rest. You get a tracking token by email to check status at `GET /portal/dsar/{id}?token=…`.
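The request lifecycle described above, sketched as an added example (not the platform's own code): it validates `kind`, derives the due date from the 45-day SLA, and rejects out-of-order status changes. The class and method names are hypothetical, and it assumes statuses advance one step at a time and that `denied` can be reached from any open status.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Values taken from the page; everything else is an illustrative assumption.
KINDS = {"access", "delete", "correct", "opt_out_sale", "opt_out_share"}
FLOW = ["received", "verifying", "in_progress", "completed"]
CLOSED = {"completed", "denied"}
SLA_DAYS = 45  # dsar_response_sla_days

@dataclass
class DsarRequest:  # hypothetical model, not the platform's schema
    kind: str
    received_at: datetime
    status: str = "received"
    denial_reason: Optional[str] = None
    history: list = field(default_factory=list)

    def __post_init__(self):
        if self.kind not in KINDS:
            raise ValueError(f"unsupported kind: {self.kind!r}")
        self.history.append(("received", self.received_at))

    @property
    def due_at(self) -> datetime:
        return self.received_at + timedelta(days=SLA_DAYS)

    def advance(self, new_status: str, at: datetime, reason: Optional[str] = None):
        if self.status in CLOSED:
            raise ValueError("request is already closed")
        if new_status == "denied":
            if not reason:
                raise ValueError("a denial must carry a reason")
            self.denial_reason = reason
        elif new_status not in FLOW or FLOW.index(new_status) != FLOW.index(self.status) + 1:
            raise ValueError(f"illegal transition {self.status} -> {new_status}")
        self.status = new_status
        self.history.append((new_status, at))

    def is_overdue(self, now: datetime) -> bool:
        # Only open requests can breach the SLA.
        return self.status not in CLOSED and now > self.due_at

if __name__ == "__main__":
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)  # constructed sample date
    req = DsarRequest("access", t0)
    req.advance("verifying", t0 + timedelta(days=1))
    print(req.status, req.due_at.date(), req.is_overdue(t0 + timedelta(days=46)))
```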

A standalone "request correction" or "request deletion" button in the portal UI is planned but not yet available — for now use the DSAR endpoint.

### Stop processing for new outreach

See [How to stop contact](/for-debtors/compliance-and-rights/how-to-stop-contact.md). Cease requests are honored via the email reply classifier's `cease_all_contact` intent or the voice agent's `capture_cease` tool.

## State-specific privacy rights

The compliance config tracks consumer-privacy-law applicability per state. Today only California is flagged (`consumer_privacy_law: "ccpa_cpra"`, `b2b_personal_info_covered: true`). Other state privacy laws (Colorado CPA, Connecticut, Virginia, Utah, etc.) are recognized in spirit but not yet flagged per-state in the engine.

To exercise a state-specific right, use the DSAR endpoint above. The notice-at-collection text is served at `GET /portal/notice-at-collection`.

***

Last reviewed: 2026-05-12 by Compliance Lead. **TODO: external counsel review.**

