Privacy Policy

Last updated: March 3, 2026

TelecomsXChange ("TelecomsXChange," "we," "us," or "our") operates the website at telecomsxchange.com and the TelecomsXChange wholesale telecommunications platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our platform and services.

TelecomsXChange is a business-to-business (B2B) wholesale telecommunications platform that enables communications service providers to discover, interconnect, and transact voice, SMS, DID, and eSIM services. This policy applies to all website visitors, registered platform members, and API users.

By accessing or using our website and platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our website or services.

SECTION 1 — INFORMATION WE COLLECT

A. Information You Provide Directly

  • Contact Form: First name, last name, business email address, phone number, company name, job role, service interest, and project/message details.
  • Sign-Up / Registration: Company name, company website, company logo (file upload), company registration certificate (file upload), first name, last name, email, NOC email, rates email, phone number, membership type (Buyer/Seller/Both), U.S.-based status, switching equipment type, SIP signaling IP address, street address, country, and business description.
  • Newsletter Subscription: Email address only.
  • AI Chatbot Conversations: Text messages you type into the TeleAnalytix AI chatbot widget, which are transmitted to OpenAI's API for processing (see Section 7 for details).
  • SMS Length Calculator: Message text submitted for SMS encoding analysis, which is transmitted to an external analysis API.
  • HLR Lookup Tool: Phone numbers submitted for carrier and validity lookup, processed via the TelecomsXChange production API.

B. Information Collected Automatically

  • Google Analytics 4 (GA4): We use GA4 (measurement ID: G-58P6REHXNQ) to collect IP address, browser type and version, operating system, referring URL, pages visited, time spent on pages, and click interactions. GA4 is configured with Google Signals and ad personalization signals enabled, allowing Google to use this data for demographic insights and ad personalization features. Custom event tracking includes contact form submissions, sign-up activity, demo requests, API documentation views, case study views, calculator usage, and eSIM interactions.
  • Web Vitals Performance Metrics: We collect Cumulative Layout Shift (CLS), First Input Delay (FID), First Contentful Paint (FCP), Largest Contentful Paint (LCP), and Time to First Byte (TTFB) for website performance monitoring.
  • Server Logs: Our hosting provider (Netlify) automatically logs IP addresses, request timestamps, HTTP methods, URLs, status codes, and user agents.

C. Information from Third-Party Sources

We do not purchase or receive personal information from third-party data brokers. When you interact with our integrated third-party services (listed in Section 5), those services may share certain information back to us in accordance with their own privacy policies.

SECTION 2 — HOW WE USE YOUR INFORMATION

We use the information we collect for the following purposes:

  • Platform Operations: Processing registrations, enabling interconnections between telecom carriers, and facilitating wholesale voice, SMS, DID, and eSIM transactions.
  • Communication: Responding to contact form inquiries, sending service-related communications, newsletters (if opted in), and platform updates.
  • Payment Processing: Facilitating payments through Stripe for platform subscriptions and wholesale telecom services.
  • Analytics and Improvement: Analyzing usage patterns via GA4 analytics, monitoring Web Vitals performance metrics, and understanding which features are most used to improve the platform.
  • AI-Powered Assistance: Processing chatbot conversations through OpenAI to answer questions about our platform, services, and telecom data analysis.
  • Telecom Analysis Tools: Processing SMS content for encoding analysis and performing HLR lookups for phone number validation and carrier identification.
  • Security: Enforcing input sanitization, XSS prevention, rate limiting on form submissions, and security headers (CSP, HSTS, X-Frame-Options) to protect against threats.
  • Legal Compliance: Responding to lawful requests from regulatory bodies and law enforcement, and complying with applicable telecommunications regulations.

SECTION 3 — LEGAL BASIS FOR PROCESSING (GDPR)

For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we process personal data under the following legal bases as defined by the General Data Protection Regulation (GDPR):

  • Contractual Necessity (Art. 6(1)(b)): Processing registration data, transaction data, and platform usage data necessary to provide our wholesale telecom services under our subscriber agreement.
  • Legitimate Interests (Art. 6(1)(f)): Analytics and performance monitoring, security measures, improving our platform, and marketing to existing business contacts. Our legitimate interests are balanced against data subjects' rights and freedoms.
  • Consent (Art. 6(1)(a)): Newsletter subscriptions, cookie-based tracking (GA4 with ad personalization signals), and AI chatbot interactions. You may withdraw consent at any time (see Section 4).
  • Legal Obligation (Art. 6(1)(c)): Where we are required to retain or disclose data under applicable telecommunications regulations, tax laws, or other legal requirements.

SECTION 4 — CONSENT AND YOUR CHOICES

How we obtain consent: When you voluntarily submit personal information through our forms, subscribe to our newsletter, use our AI chatbot, or use our analysis tools, you consent to our collecting and using that information for the stated purpose.

Withdrawing consent: You may withdraw consent at any time by contacting us at support@telecomsxchange.com or writing to TelecomsXChange, 4145 N Service Rd, Burlington, Ontario, L7L 6A3, Canada. Withdrawal does not affect the lawfulness of processing performed before withdrawal.

Opting out of marketing: Every marketing email includes an unsubscribe mechanism. You may also contact us directly to be removed from mailing lists.

Opting out of analytics: You may install the Google Analytics Opt-out Browser Add-on to prevent GA4 data collection. You may also disable cookies in your browser settings (see Section 6).

SECTION 5 — THIRD-PARTY SERVICE PROVIDERS

We use the following third-party service providers to operate our platform. Each provider collects, uses, and discloses your information only to the extent necessary to perform the services it provides to us:

  • Netlify — Website hosting, content delivery network, and security header enforcement (HSTS, CSP, X-Frame-Options). Netlify processes server logs including IP addresses and request data.
  • Google Analytics 4 (GA4) — Website analytics, traffic analysis, user behavior tracking, and demographic insights. Configured with Google Signals and ad personalization enabled.
  • Google Fonts — Typography delivery (Poppins and Inter fonts). Google may log IP addresses and request metadata when fonts are loaded.
  • Stripe — Payment processing for platform subscriptions and wholesale telecom services. Stripe collects payment card information and billing addresses, and sets its own cookies for fraud prevention. TelecomsXChange does not store credit card numbers on its own servers.
  • Zapier — Webhook-based form processing and workflow automation for contact, newsletter, and sign-up form submissions. Form data is transmitted to Zapier for secure routing to our business systems.
  • OpenAI — AI chatbot powered by OpenAI's language models. User chat messages and conversation history are sent to OpenAI's API for generating responses. See Section 7 for full details.
  • SMS Analysis API — Processes SMS message text for encoding analysis, segment counting, and character set detection.
  • TelecomsXChange API — HLR (Home Location Register) lookups for phone number validation and carrier identification.
  • Cloudflare CDN — Delivers certain front-end assets. Cloudflare may set performance cookies and log IP addresses.

We recommend that you review these providers' privacy policies to understand how your personal information is handled by each. Once you leave our website or interact with a third-party service, that service's privacy policy governs the handling of your data.

SECTION 6 — COOKIES AND TRACKING TECHNOLOGIES

We use cookies and similar tracking technologies on our website. Cookies are small data files placed on your device that help us improve your experience and understand how our website is used.

Cookies we use:

  • _ga (Google Analytics 4) — Distinguishes unique users. Persistent, expires after 2 years.
  • _ga_[ID] (Google Analytics 4) — Maintains session state and tracks interactions. Persistent, expires after 2 years.
  • __stripe_mid (Stripe) — Fraud prevention and payment security. Persistent, expires after 1 year.
  • __stripe_sid (Stripe) — Fraud prevention session tracking. Session-based, expires after 30 minutes.

Google Signals: When enabled in GA4, Google Signals allows Google to associate browsing activity with Google account information for cross-device reporting and ad personalization. This is currently active on our website.

Managing cookies: Most web browsers allow you to refuse or delete cookies through browser settings. Please note that disabling cookies may affect website functionality. To opt out of Google Analytics specifically, install the Google Analytics Opt-out Browser Add-on.

SECTION 7 — ARTIFICIAL INTELLIGENCE AND CHATBOT DISCLOSURE

Our website includes an AI-powered chatbot ("TeleAnalytix AI") that uses OpenAI's language models to assist with platform inquiries and telecom data analysis.

What data is sent to OpenAI: Your chat messages, the full conversation history within a session, and a system prompt that defines the chatbot's role and context.

What data is NOT sent: Your name, email, account information, or any other personal information from forms or your platform account — unless you voluntarily type such information into the chatbot.

How OpenAI processes the data: Messages are sent via API to OpenAI's servers for response generation. OpenAI's data usage and retention practices are governed by its own API data usage policy. Per OpenAI's current API terms, data submitted through the API is not used to train OpenAI's models.

Recommendation: Do not share sensitive personal information, account credentials, payment details, or confidential business data through the chatbot. The chatbot is designed for general platform inquiries and telecom analysis support.

Automated decision-making: The chatbot does not make automated decisions that produce legal effects or similarly significantly affect you. It provides informational assistance only.

SECTION 8 — DATA RETENTION

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law:

  • Contact form submissions: Retained for up to 3 years from last interaction, unless a longer period is required by applicable law.
  • Registration and account data: Retained for the duration of your active platform membership and for a reasonable period thereafter as required by telecommunications record-keeping regulations.
  • Newsletter subscriptions: Retained until you unsubscribe or request deletion.
  • AI chatbot conversations: Session-based only. Conversation history is maintained in your browser memory during the active session and is not stored on our servers. Data sent to OpenAI is subject to OpenAI's retention policies.
  • Analytics data (GA4): Retained per Google's default retention settings (14 months for user-level data, or as configured in our GA4 property).
  • Server logs (Netlify): Retained per Netlify's standard log retention period, typically 30 days.
  • Payment data (Stripe): Retained by Stripe per its own data retention policy and applicable financial regulations. TelecomsXChange does not store payment card details.

SECTION 9 — DATA SECURITY

We take the security of your personal information seriously and implement the following measures:

  • All data transmitted to and from our website is encrypted using HTTPS with TLS encryption.
  • HTTP Strict Transport Security (HSTS) is enforced with a max-age of one year, including subdomains, with HSTS preload enabled.
  • Content Security Policy (CSP) headers restrict script, style, font, image, connection, and frame sources to specific trusted domains.
  • Additional security headers include X-Frame-Options (DENY), X-XSS-Protection, X-Content-Type-Options (nosniff), Referrer-Policy (strict-origin-when-cross-origin), and Permissions-Policy (restricting camera, microphone, and geolocation access).
  • Form submissions include input sanitization (HTML entity escaping, XSS pattern detection), rate limiting (30-second cooldown between submissions), and field length validation.
  • File uploads are restricted to accepted file types.

Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to implementing and maintaining industry-standard protections.

SECTION 10 — DISCLOSURE AND SHARING OF INFORMATION

We do not sell your personal information. We may share your data in the following circumstances:

  • Service Providers: With the third-party service providers listed in Section 5, solely to the extent necessary for them to perform services on our behalf.
  • Legal Requirements: When required to comply with applicable law, regulation, legal process, or enforceable governmental request.
  • Protection of Rights: To enforce our Terms of Service and to protect our rights, privacy, safety, or property, and those of our users or the public.
  • Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will provide notice of any such change.
  • With Your Consent: When you have given us explicit consent to share your information for a specific purpose.
  • Aggregated Data: We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you.

SECTION 11 — INTERNATIONAL DATA TRANSFERS

TelecomsXChange is headquartered in Canada. Our third-party service providers (including Google, OpenAI, Stripe, and Zapier) operate servers in the United States and other jurisdictions. If you access our platform from outside Canada or the United States — including from the European Economic Area (EEA), United Kingdom, or other jurisdictions — your information may be transferred to, stored, and processed in countries with different data protection laws than your own.

For EEA and UK users, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and the UK Information Commissioner's Office as the legal mechanism for cross-border data transfers, where applicable. We encourage you to review our third-party providers' privacy policies for details on their specific transfer mechanisms and safeguards.

SECTION 12 — YOUR RIGHTS UNDER GDPR (EEA/UK USERS)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation:

  • Right of Access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
  • Right to Restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
  • Right to Data Portability (Art. 20): Request a copy of your data in a structured, commonly used, machine-readable format.
  • Right to Object (Art. 21): Object to processing based on legitimate interests, including profiling and direct marketing.
  • Right to Withdraw Consent (Art. 7(3)): Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
  • Right to Lodge a Complaint: You may file a complaint with your local data protection supervisory authority.

To exercise any of these rights, contact us at support@telecomsxchange.com with the subject line "GDPR Request." We will respond within 30 days or within the timeframe required by applicable law.

SECTION 13 — YOUR RIGHTS UNDER CCPA/CPRA AND PIPEDA

California Residents (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
  • Right to Delete: You may request that we delete personal information we have collected from you, subject to certain exceptions (e.g., completing a transaction, legal obligations, security).
  • Right to Correct: You may request that we correct inaccurate personal information.
  • Right to Opt-Out of Sale/Sharing: We do not sell personal information. However, our use of Google Analytics 4 with ad personalization signals enabled may constitute "sharing" under CCPA/CPRA. You may opt out by installing the Google Analytics Opt-out Add-on or by contacting us.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

Categories of personal information collected (per CCPA categories): Identifiers (name, email, phone, IP address); Commercial information (service interests, membership type); Internet/electronic network activity (browsing history, interaction data); Professional/employment information (job title, company name); Geolocation data (derived from IP address).

Canadian Residents (PIPEDA)

As a Canadian organization, TelecomsXChange is subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). Under PIPEDA, you have the following rights:

  • Right to Access: You may request access to the personal information we hold about you.
  • Right to Challenge Accuracy: You may challenge the accuracy and completeness of your personal information and have it amended as appropriate.
  • Right to Withdraw Consent: You may withdraw consent to the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions and reasonable notice.
  • Right to Complain: You may file a complaint with the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated.

To exercise any of these rights, contact us at support@telecomsxchange.com. For CCPA/CPRA requests, use the subject line "CCPA Request." We will verify your identity before processing your request. You may designate an authorized agent to make requests on your behalf.

SECTION 14 — CHILDREN'S PRIVACY

TelecomsXChange is a B2B wholesale telecommunications platform intended exclusively for business professionals and corporate users. Our platform is not directed at individuals under the age of 13 (or 16 in certain jurisdictions).

We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal information from a child under 13, we will take steps to delete that information promptly.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@telecomsxchange.com.

SECTION 15 — DATA BREACH NOTIFICATION

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals:

  • We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
  • Where the breach is likely to result in a high risk to affected individuals, we will notify those individuals without undue delay, as required by GDPR Article 34.
  • For California residents, we will provide notice in accordance with California Civil Code Section 1798.82.
  • For Canadian residents, we will report breaches to the Office of the Privacy Commissioner of Canada and notify affected individuals as required under PIPEDA's breach notification provisions.

Notification will be provided via email to affected users and, where appropriate, through a prominent notice on our website.

SECTION 16 — LINKS TO OTHER WEBSITES

Our website may contain links to third-party websites, including our blog, partner websites, and external resources. We are not responsible for the privacy practices of third-party websites. We encourage you to read their privacy statements before providing any personal information.

SECTION 17 — CHANGES TO THIS PRIVACY POLICY

We reserve the right to update this Privacy Policy at any time. Changes take effect immediately upon posting on this page. Material changes will be communicated by updating the "Last updated" date at the top of this page and, where appropriate, by email notification to registered platform members.

Your continued use of our website and platform after changes to this Privacy Policy constitutes your acceptance of the updated policy. We encourage you to review this page periodically.

SECTION 18 — CONTACT INFORMATION

If you have questions about this Privacy Policy, wish to exercise your data rights, or need to report a privacy concern, contact our Privacy Compliance Officer:

  • Email: support@telecomsxchange.com
  • Mail: TelecomsXChange [Attn: Privacy Compliance Officer], 4145 N Service Rd, Burlington, Ontario, L7L 6A3, Canada

For GDPR-related inquiries, please use the subject line "GDPR Request." For CCPA/CPRA-related requests, please use the subject line "CCPA Request." For PIPEDA-related requests, please use the subject line "PIPEDA Request."

This Privacy Policy should be reviewed by qualified legal counsel before being relied upon for legal compliance decisions. It is provided as a comprehensive disclosure of TelecomsXChange's data practices and is not a substitute for professional legal advice.