Privacy Policy
Effective Date: 2025
HARD CALL LLC PRIVACY POLICY
1. INTRODUCTION
1.1 This Privacy Policy ("Policy") describes how HARD CALL LLC, organized and operating from the Commonwealth of Massachusetts ("Hard Call LLC," "we," "us," or "our"), collects, uses, discloses, protects, and retains information, including Personal Data, in connection with our websites, applications, communication-processing tools, and related services (collectively, the "Services").
1.2 This Policy is drafted for an online communication-processing and message-moderation platform designed to handle sensitive, emotionally charged communications between individuals ("Clients" and "Recipients"). It is intended to withstand regulatory scrutiny under U.S. federal, state, and international privacy, data protection, accessibility, and platform-liability regimes, including but not limited to GDPR, CCPA/CPRA, COPPA, ADA, DSA, PCI DSS, CAN-SPAM, DMCA, ECPA, CFAA, FOSTA-SESTA, state data breach laws, and Section 5 of the FTC Act.
1.3 By accessing or using the Services, or by otherwise providing us with Personal Data, you acknowledge that you have read and understood this Policy and agree to the practices described herein, to the extent permitted by Applicable Law. If you do not agree with this Policy, you shall not use the Services.
1.4 This Policy is incorporated by reference into and forms part of the Hard Call LLC Terms of Service ("Terms"). Capitalized terms not defined in this Policy have the meaning given in the Terms.
2. DEFINITIONS
2.1 "Applicable Law" means all applicable federal, state, local, and international laws, regulations, and rules governing privacy, data protection, consumer protection, accessibility, electronic communications, and platform liability, including without limitation GDPR, UK GDPR, CCPA/CPRA, COPPA, ADA, WCAG 2.1 or later, DSA, PCI DSS, CAN-SPAM, DMCA, ECPA, CFAA, FOSTA-SESTA, Section 230 of the Communications Decency Act, INFORM Consumers Act, state data breach notification laws, and Section 5 of the FTC Act.
2.2 "Client" means the individual or entity that initiates a communication or message for review, refinement, and optional delivery through the Services.
2.3 "Recipient" means the individual or entity identified by the Client as the intended recipient of a message that may be sent via the Services.
2.4 "Editor" means a qualified human professional engaged by or on behalf of Hard Call to review, refine, or block message content and replies, supported by Hard Call Automation, in accordance with Hard Call’s internal policies and safety protocols.
2.5 "User" or "you" means any individual or entity that accesses or uses the Services, including Clients, Recipients who respond through the system, and visitors to our websites.
2.6 "Personal Data" means any information relating to an identified or identifiable natural person, including as defined under GDPR, UK GDPR, CCPA/CPRA, and other Applicable Laws. This may include identifiers (such as name, email address, IP address), online identifiers, and information relating to communications processed by the Services.
2.7 "Sensitive Personal Data" means categories of Personal Data that are afforded heightened protection under Applicable Law, such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, data concerning a natural person’s sex life or sexual orientation, or precise geolocation data, where defined as sensitive.
2.8 "User Content" means any content, data, text, communications, messages, information, or materials submitted, transmitted, uploaded, or otherwise made available through the Services by a User, including the substance of proposed or actual messages, replies, context descriptions, and any attachments or metadata.
2.9 "Processing," "Controller," and "Processor" have the meanings given under GDPR and analogous concepts under other Applicable Laws. Unless otherwise stated, Hard Call acts as an independent Controller with respect to Personal Data it collects and processes through the Services.
2.10 "Hard Call Automation" means automated systems, tooling, or software logic used by Hard Call to support Editors and the operation of the Services, including risk detection, pattern recognition, and workflow routing, but not a replacement for human editorial review.
3. SCOPE OF THIS POLICY AND HARD CALL’S ROLE
3.1 This Policy applies to Personal Data that we collect and process through the Services, including when you: (a) visit our websites or dashboards; (b) create an account; (c) submit messages or replies; (d) participate in testing, feedback, or research; or (e) otherwise interact with us online or offline in relation to the Services.
3.2 Hard Call LLC generally acts as an independent Controller when determining the purposes and means of processing Personal Data submitted via the Services. Where Hard Call LLC processes Personal Data strictly on behalf of a business customer under a separate written agreement, Hard Call LLC may act as a Processor with respect to such processing and will comply with the controller-processor allocation of responsibilities required under GDPR, CCPA/CPRA, and analogous laws.
3.3 This Policy does not apply to information processed solely by third parties in their own capacity and for their own purposes, such as independent therapists, attorneys, or other professionals you may separately engage, or third-party platforms that integrate with Hard Call LLC under their own terms and policies.
3.4 If you provide Personal Data about any other individual (including Recipients) to us through the Services, you are responsible for ensuring that such disclosure is lawful under Applicable Law, including providing any required notice and obtaining any necessary consent before you submit that Personal Data to Hard Call.
4. CATEGORIES OF PERSONAL DATA WE COLLECT
4.1 Identification and Account Data. We may collect identifiers and account-related information such as your name, username, password, email address, phone number, billing and shipping address, and similar identifiers, as well as records of your account status and settings.
4.2 Communication and Message Data. We collect the content of messages, drafts, prompts, replies, and contextual information that Clients and Recipients submit through the Services, including any embedded Personal Data about you or third parties, for example relationship context, complaints, apologies, or boundaries. This may include highly sensitive interpersonal information.
4.3 Technical and Usage Data. We may collect information about your interactions with the Services, such as IP address, device and browser type, operating system, access times, pages viewed, referring URLs, approximate location (based on IP address), diagnostic logs, and telemetry related to feature use, in accordance with Applicable Law.
4.4 Payment and Transaction Data. If you purchase paid Services, our payment processors collect and process payment card details and related transaction information. Hard Call itself endeavors to limit direct handling of card numbers and instead rely on PCI DSS-compliant payment processors.
4.5 Preference and Profile Data. We may collect information about your preferences, such as language, communication preferences, message handling options, and risk tolerance settings, as well as feedback, ratings, or survey responses you provide.
4.6 Support, Correspondence, and Compliance Data. We may collect information contained in support requests, emails, recordings or transcripts of calls (where permitted by law and with appropriate notice), regulatory inquiries, or documentation provided for identity verification or complaint handling.
4.7 Inferred Data. Where permitted by law, we may derive inferences about your likely interests, communication patterns, or risk indicators based on your use of the Services, subject to appropriate safeguards and proportionality requirements under GDPR, CCPA/CPRA, and similar laws.
4.8 Sensitive Personal Data. We do not actively require you to submit Sensitive Personal Data, but the nature of communications processed through Hard Call means Users may voluntarily include such data within message content (for example, information about health, sexual behavior, or alleged criminal conduct). Where we process Sensitive Personal Data, we do so only where there is a lawful basis under Applicable Law (such as explicit consent or substantial public interest) and with heightened safeguards.
5. SOURCES OF PERSONAL DATA
5.1 Directly from You. We collect Personal Data that you provide directly to us when you register for an account, configure settings, submit messages or replies, contact support, or otherwise interact with the Services.
5.2 From Clients about Recipients. Clients may submit Personal Data about Recipients or other third parties within message content or contextual descriptions. Hard Call LLC processes such data as described in this Policy and the Terms, and Clients are responsible for ensuring they have a lawful basis for such disclosure.
5.3 Automatically from Your Use of the Services. We automatically collect certain technical and usage data through cookies, pixels, SDKs, server logs, and similar technologies in accordance with Section 9 and Applicable Law.
5.4 From Third Parties. We may receive Personal Data from third-party service providers, identity verification services, payment processors, marketing partners, analytics providers, or professional referrers (such as therapists or attorneys) who introduce Clients to Hard Call LLC, as permitted by law and our agreements with such parties.
6. PURPOSES AND LEGAL BASES FOR PROCESSING
6.1 We process Personal Data for the following purposes and under the legal bases recognized by Applicable Law:
6.1.1 Service Provision and Operation. To provide, operate, maintain, and secure the Services, including message drafting, review, routing, and delivery; Editor workflows; risk scoring; and feature development. Legal bases include contract performance (where you have agreed to the Terms), legitimate interests in operating a secure and effective platform, and, where required, consent.
6.1.2 Safety, Risk Management, and Abuse Prevention. To detect, prevent, and respond to misuse of the Services, including harassment, threats, sex trafficking, exploitation, and other conduct prohibited by FOSTA-SESTA, CFAA, and other laws; to enforce message cooling-off periods and communication limits; and to protect Clients from harmful replies. Legal bases include legitimate interests, compliance with legal obligations, and protection of vital interests.
6.1.3 Legal and Regulatory Compliance. To comply with Applicable Law, regulatory inquiries, law enforcement requests, data subject or consumer rights requests, PCI DSS requirements, taxation, bookkeeping, and other legal obligations. Legal bases include compliance with legal obligations and legitimate interests.
6.1.4 Payment Processing and Fraud Prevention. To process payments, manage billing, and detect and prevent fraud or unauthorized transactions, often in cooperation with PCI DSS-compliant processors. Legal bases include contract performance and legitimate interests.
6.1.5 Communications and Support. To respond to inquiries, provide support, send service-related notices, and handle complaints or dispute resolution. Legal bases include contract performance and legitimate interests.
6.1.6 Product Improvement and Research. To analyze how the Services are used, improve performance and safety, develop new features, and conduct internal research and quality assurance, including limited use of de-identified or aggregated data. Legal bases include legitimate interests and, where required, consent.
6.1.7 Marketing and Outreach. To send permitted marketing communications about Hard Call, comply with CAN-SPAM and equivalent laws, measure campaign effectiveness, and tailor messaging. Legal bases include consent (where required) and legitimate interests, with opt-out options described in Section 11.
6.1.8 Enforcement of Terms and Protection of Rights. To enforce the Terms and other policies, defend legal claims, prevent fraud and security incidents, protect our rights, property, Users, and the public, and support Section 230 and similar safe-harbor frameworks. Legal bases include legitimate interests and legal obligations.
6.2 Where Applicable Law requires consent for certain processing activities (for example, use of non-essential cookies, some types of targeted advertising, or processing of Sensitive Personal Data), we will obtain such consent and allow you to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
7. CHILDREN’S PRIVACY AND MINOR SAFEGUARDS
7.1 The Services are intended for individuals 18 years of age or older. Hard Call LLC does not knowingly permit the initiation of messages to, or the targeting of communications at, individuals known or reasonably believed to be under the age of 18.
7.2 We do not knowingly collect Personal Data from children under 13 in a manner that would trigger COPPA without verifiable parental consent. If we discover that a child under 13 has provided Personal Data in violation of this Policy, we will take reasonable steps to delete such information and terminate associated access, consistent with COPPA and other Applicable Laws.
7.3 If you believe that a child under 13, or a minor under 18 in violation of our Terms, has provided Personal Data to Hard Call, you should contact us using the information in Section 17 so that we can take appropriate action.
8. COOKIES, TRACKING TECHNOLOGIES, AND ANALYTICS
8.1 We use cookies and similar technologies (such as pixels, tags, and local storage) to operate and secure the Services, understand usage patterns, and, where permitted, support analytics and marketing. Some cookies are strictly necessary for the Services to function, while others are optional and may require your consent under Applicable Law (for example, GDPR and ePrivacy rules in the EU).
8.2 Depending on your jurisdiction, we may provide cookie banners, consent management tools, and preference centers that allow you to manage your choices regarding non-essential cookies. Your choices may not apply across all browsers or devices unless we provide and you use a login-based preference mechanism.
8.3 We may use analytics providers to help us understand how Users interact with the Services. These providers may set cookies or use device identifiers to collect information such as IP address, browser type, and pages visited. We will ensure that such processing occurs under appropriate data protection safeguards, including data processing agreements, pseudonymization, and, where required, consent.
8.4 You may configure your browser to refuse or delete cookies; however, some features of the Services may not function properly if cookies are disabled. We do not currently respond to browser "Do Not Track" signals unless required by Applicable Law.
9. DISCLOSURE OF PERSONAL DATA
9.1 We may disclose Personal Data to the following categories of recipients for the purposes described in this Policy:
9.1.1 Editors and Operational Personnel. Human Editors and authorized operational staff who require access to Personal Data to perform their duties, including message review, risk assessment, and safety enforcement, under confidentiality commitments and strict access controls.
9.1.2 Service Providers and Processors. Third-party vendors that provide hosting, cloud infrastructure, analytics, payment processing, customer support tools, security services, and other operational support. We contractually require such providers to protect Personal Data and to only process it as instructed by Hard Call, consistent with GDPR, CCPA/CPRA, and other Applicable Laws.
9.1.3 Professional Referrers. Where you are referred to Hard Call by a therapist, attorney, or other professional under a structured program, we may share limited information back with that referrer (for example, status of engagement or aggregated feedback) only as permitted by Applicable Law and any applicable consent or authorization.
9.1.4 Corporate Transactions. In connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our assets, Personal Data may be transferred to a successor or affiliate as part of the transaction, subject to appropriate safeguards and continuity of this Policy or a substantively similar policy.
9.1.5 Legal, Regulatory, and Safety Disclosures. We may disclose Personal Data to law enforcement, regulators, courts, or other governmental authorities when required to do so by law or legal process, or when we believe in good faith that such disclosure is reasonably necessary to comply with Applicable Law (including FOSTA-SESTA, DSA, data protection laws), respond to valid requests, protect our rights or safety, prevent fraud or abuse, or address imminent threats to life or physical safety.
9.1.6 With Your Consent or at Your Direction. We may disclose Personal Data to third parties when you explicitly consent or direct us to do so, for example when integrating with another service or professional that you instruct us to communicate with.
9.2 We do not sell Personal Data in the traditional sense of exchanging data for money. To the extent "sale" or "sharing" of Personal Data for cross-context behavioral advertising is defined broadly under CCPA/CPRA, we will provide required notices and opt-out mechanisms if our practices fall within such definitions.
10. INTERNATIONAL DATA TRANSFERS
10.1 Hard Call LLC is based in the United States and processes Personal Data in the U.S. and potentially other jurisdictions. If you access the Services from outside the U.S., your Personal Data may be transferred to and processed in the U.S. or other countries that may not provide the same level of data protection as your home jurisdiction.
10.2 Where GDPR, UK GDPR, or similar laws apply to such transfers, we will implement appropriate safeguards, such as standard contractual clauses approved by the European Commission or UK authorities, supplemented by transfer impact assessments and additional safeguards where required.
10.3 By using the Services and providing Personal Data, you acknowledge that your Personal Data may be transferred to, stored, and processed in jurisdictions other than your country of residence, subject to Applicable Law and the safeguards described in this Policy.
11. MARKETING COMMUNICATIONS AND CAN-SPAM COMPLIANCE
11.1 We may send you marketing communications about Hard Call’s services, events, or initiatives where permitted by Applicable Law, such as when you have opted in or where we rely on legitimate interests and you have not opted out.
11.2 All marketing emails will include an option to unsubscribe or manage preferences, consistent with the CAN-SPAM Act and equivalent laws. You may also contact us using the information in Section 17 to request removal from marketing lists.
11.3 Even if you opt out of marketing communications, we may still send you non-promotional emails related to your account, transactions, safety notices, or changes to our Terms or this Policy.
12. DATA SECURITY, PCI DSS, AND ECPA
12.1 We implement appropriate administrative, technical, and physical safeguards designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, having regard to the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as required by GDPR, CCPA/CPRA, ECPA, and other Applicable Laws.
12.2 We strive to limit direct handling of payment card data and instead rely on PCI DSS-compliant payment processors. Where we do handle cardholder information, we will implement controls consistent with PCI DSS requirements applicable to our role.
12.3 While we take reasonable steps to protect Personal Data, no system is completely secure. We cannot guarantee the absolute security of Personal Data transmitted to or stored by us, and you acknowledge that transmission of data over the internet is at your own risk, subject to non-waivable rights under Applicable Law.
12.4 Our access to and handling of communication content and metadata is governed by ECPA and other Applicable Laws. We access such data only as necessary to provide the Services, enforce our Terms, fulfill legal obligations, and protect Users and the public, including through Editor review and Hard Call Automation.
13. DATA RETENTION
13.1 We retain Personal Data for as long as reasonably necessary to fulfill the purposes described in this Policy, including providing the Services, complying with legal obligations, resolving disputes, enforcing agreements, and maintaining appropriate backups and logs, in each case consistent with Applicable Law.
13.2 We may retain certain message content for defined periods to support safety audits, training and quality assurance for Editors (subject to de-identification where feasible), and evidence preservation in the event of complaints, disputes, or regulatory inquiries.
13.3 When Personal Data is no longer needed for the purposes for which it was collected, we will delete, anonymize, or aggregate it, unless we are required by law to retain it for a longer period (for example, under record-keeping obligations or limitation periods).
14. DATA SUBJECT AND CONSUMER RIGHTS
14.1 Depending on your jurisdiction and subject to Applicable Law, you may have certain rights with respect to your Personal Data, which may include: (a) the right to access your Personal Data; (b) the right to correct or update inaccurate data; (c) the right to delete or erase Personal Data; (d) the right to restrict or object to processing; (e) the right to data portability; (f) the right to withdraw consent; and (g) the right to lodge a complaint with a supervisory authority or regulator.
14.2 Under GDPR and UK GDPR, you may have the rights described in Articles 15–21. Under CCPA/CPRA, California residents may have rights to know, access, correct, delete, and opt out of certain "sales" or "sharing" of Personal Data, and to be free from discriminatory treatment for exercising such rights.
14.3 To exercise your rights, you may contact us as set out in Section 17, specifying your relationship with Hard Call and the nature of your request. We may need to verify your identity and jurisdiction before responding. Where permitted, you may also designate an authorized agent to submit a request on your behalf under CCPA/CPRA, subject to verification requirements.
14.4 We will respond to rights requests within timelines required by Applicable Law. Certain requests may be denied where we are unable to verify your identity, where legal exceptions apply (for example, to protect the rights of others, preserve legal privilege, or comply with record-keeping obligations), or where the request is manifestly unfounded or excessive.
14.5 We will not retaliate against you for exercising your rights under Applicable Law. Any alleged retaliation may be reported to us and, where applicable, to relevant regulators.
15. HARD CALL LLC AUTOMATION AND PROFILING
15.1 Hard Call LLC uses Hard Call Automation to support Editors and the operation of the Services, including to surface patterns, flag potential risks, prioritize cases, and help ensure that harmful or high-risk communications are identified for additional review.
15.2 Hard Call Automation may involve forms of profiling as defined under GDPR, UK GDPR, and analogous laws, but Hard Call does not rely solely on automated decision-making that produces legal or similarly significant effects on individuals without meaningful human involvement, except where permitted by law with appropriate safeguards.
15.3 Where Applicable Law grants specific rights regarding automated decision-making or profiling (for example, the right to obtain human intervention, express your point of view, or contest a decision), we will honor those rights and provide additional information about the logic involved, subject to trade secret and security considerations.
15.4 Automated systems are safety aids, not autonomous decision-makers. Final determinations about message transmission, blocking, or escalation remain under human editorial control, consistent with Hard Call’s mission to prevent escalation and protect Clients from harmful replies.
16. DATA BREACH NOTIFICATION
16.1 In the event of a data breach or security incident that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, we will investigate the incident and take appropriate mitigation steps.
16.2 Where required by Applicable Law, including GDPR, UK GDPR, and state data breach notification statutes, we will notify affected individuals and/or relevant authorities without undue delay and within applicable statutory timeframes, providing information required by law about the nature of the breach, likely consequences, and measures taken or proposed to address it.
16.3 Our obligations under this Section do not apply to incidents that are attributable to your actions or omissions, such as failure to secure your devices or account credentials, except to the extent required by non-waivable law.
17. CONTACT INFORMATION AND DATA PROTECTION INQUIRIES
17.1 If you have questions or concerns about this Policy, our privacy practices, or your rights, or if you wish to exercise your rights under Applicable Law, you may contact us at: HARD CALL LLC, TWO LOWELL AVENUE, WINCHESTER, MA 01890, Attn: Privacy, and info@hardcall.com.
17.2 If GDPR or UK GDPR applies to our processing of your Personal Data, you may also have the right to lodge a complaint with your local supervisory authority or with the authority where you work or reside. A list of EU supervisory authorities is available from the European Data Protection Board, and information about the UK Information Commissioner’s Office is available on its website.
17.3 We will review and respond to your inquiries in good faith and in accordance with Applicable Law.
18. CHANGES TO THIS PRIVACY POLICY
18.1 We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or the Services. When we make material changes, we will provide notice as required by Applicable Law, such as by updating the "Last Updated" date, posting a notice in the Services, or sending you an email.
18.2 Unless otherwise stated, the updated Policy will be effective when posted. Your continued use of the Services after the effective date of the updated Policy constitutes your acknowledgment of the changes, to the extent permitted by law. If you do not agree with the updated Policy, you shall stop using the Services.
18.3 To the extent required by DSA, GDPR, CCPA/CPRA, or other Applicable Laws, we will provide additional information about material changes to this Policy and respect any statutory rights you may have to object or terminate use of the Services.
19. MISCELLANEOUS AND RELATIONSHIP TO OTHER TERMS
19.1 This Policy complements, and does not limit, the Hard Call Terms of Service. In the event of a conflict between this Policy and the Terms concerning privacy or data protection, this Policy will control to the extent of the conflict, unless Applicable Law requires otherwise.
19.2 Any disputes arising out of or relating to this Policy shall be governed by the dispute resolution, arbitration, and governing law provisions of the Terms, subject to any non-waivable rights under Applicable Law.
19.3 If any provision of this Policy is held invalid or unenforceable by a court or other competent authority, that provision shall be enforced to the maximum extent permissible, and the remaining provisions shall remain in full force and effect.
19.4 Nothing in this Policy is intended to reduce protections that you are entitled to under Applicable Law. To the fullest extent permitted by law, this Policy shall be interpreted to maximize compliance with Applicable Law and maintain the enforceability of Hard Call’s privacy and security commitments.