Privacy Policy

Spence Consulting Services, LLC

d/b/a ZYGON ARTIFICIAL INTELLIGENCE
Effective date: October 7, 2025

Who We Are (Controller / Processor)

Spence Consulting Services, LLC, doing business as ZYGON ARTIFICIAL INTELLIGENCE (“ZYGON,” “we,” “us,” or “our”), provides AI-powered solutions (voice and text

chatbots/agents, basic analytics, related services) primarily to B2B clients.

Controller: We act as a data controller for personal data we collect via our website, marketing, account creation, billing administration, and support.

Processor/Service Provider: We act as a processor (a “service provider” under some laws) when clients send us personal data for processing through our AI

products/services, strictly under their instructions and the applicable Data Processing Agreement (DPA).

SecurityContact:
3507 South Ivanhoe Street, Denver, Colorado, 80237, USA
Email: [email protected]
Website: https://www.zygon.io

Who This Policy Covers & Children’s Privacy

Our services are intended for business users and are not directed to children. We do not knowingly collect personal data from children:

- US: under 13

- EEA/UK: under 16 (or lower/upper local age as required by law)

If you believe a child’s data was provided to us, contact [email protected] and we will take appropriate steps to delete it.

Information We Collect

We collect only what’s necessary for the correct functioning, security, and improvement of our services.

Account & Contact Data: name, username, password, email, phone, business address.

Billing/Payments: processed by providers (e.g., Stripe, PayPal). We do not store full card numbers; we may receive limited details (e.g., last-4, expiry, tokens).

User-Generated Content: prompts, files, feedback submitted to our AI tools (controller for our own services; processor when provided by/for a client).

Usage & Device Data: IP address, device/browser data, timestamps, log data, telemetry. Geolocation is approximate (IP-based).

Cookies & Similar Tech: essential (e.g., session), analytics (e.g., Google Analytics), and advertising/retargeting pixels (e.g., Meta, Google Ads, LinkedIn).

Support Content: tickets, emails, and—where applicable—limited call/chat recordings for quality and support.

Sensitive Data: We do not seek sensitive data (e.g., health, biometrics, government IDs). Where a client instructs us to process such data, we do so only on their behalf and only with appropriate permissions/agreements. We are not a HIPAA covered entity; any health-related processing occurs only under a signed BAA or equivalent, if applicable.

Sources: directly from you or your organization, through our services (usage we generate), and from vendors processing on our behalf (e.g., Azure, OpenAI, Twilio, Go High Level (HighLevel)).

How We Use Your Data (Purposes & Legal Bases)

We use personal data for:

Provide & Secure Services (account set-up, authentication, service delivery, security, fraud/abuse prevention) — contract necessity / legitimate interests / legal obligation.

Customer Support — contract necessity / legitimate interests.

Service Analytics & Product Improvement — legitimate interests / consent where required.

AI Quality & Safety — legitimate interests / consent where required. See “AI & Model Operations.”

Marketing Communications (B2B newsletters, promotions) — consent (EU/UK/Canada) or legitimate interests (where permitted). You can opt out anytime.

Payments & Invoicing — contract necessity / legal obligation.

Legal Compliance, Recordkeeping, and Claims — legal obligation / legitimate interests.

Legitimate Interests (examples): maintaining and improving service functionality and security; scheduling and delivery of requested services; preventing misuse/fraud.

We do not rely on vital interests or public task except in rare, clearly applicable scenarios.

We do not use customer personal data for model training.

We may use anonymized/aggregated information to improve models and services.

We fine-tune models with customer-provided datasets only with explicit agreement.

We cache prompts/outputs for 30 days for trust & safety, abuse prevention, debugging, and quality.

Human review is limited and access-controlled, and may occur periodically for trust & safety, quality, and support purposes, in line with applicable compliance requirements.

We do not engage in automated decision-making that produces legal or similarly significant effects on individuals (e.g., credit, employment, housing decisions).

Cookies, Analytics AI & Model Operations& Ads

In the EU/UK, we display a cookie banner with granular controls. Consent is required for analytics/advertising cookies; strictly necessary cookies are used on legitimate

i interests.

We use Google Analytics (GA4) for usage analytics.

We may use Meta, Google Ads, and LinkedIn pixels for advertising/retargeting where consented (EU/UK) or permitted (elsewhere).

We honor Global Privacy Control (GPC) signals as an opt-out of targeted advertising/sale/share where applicable.

We generally do not respond to Do Not Track (DNT) signals (industry standard), but we do honor GPC.

You can manage preferences via our banner (EU/UK) and your browser settings.

When We Act as a Processor (B2B)

When clients use our platform and submit end-user data (e.g., contact info, issue statements) we process strictly under their instructions and the applicable DPA.

DPA availability: Available on request.

Deletion/Return on Termination: Within 30 days unless law requires longer retention.

Sub-processor Changes: We will give 15 days’ prior notice via our website and/or email where contractually required.

Public Sub-processor List: https://www.zygon.io/subprocessors (to be maintained).

Sharing & Disclosures

We share personal data only with:

Service Providers / Sub-processors, under contract, for hosting/infrastructure, AI, comms, analytics, payments, CRM/email, and support, including (as applicable):
Microsoft Azure, OpenAI, Google, Meta, Twilio, Stripe, PayPal, AWeber, HighLevel (Go High Level), and Google Analytics.

Professional advisors (legal, accounting), and authorities where required by law.

Business transfers (e.g., merger, acquisition) subject to appropriate safeguards.

We do not sell personal information. However, use of advertising/retargeting pixels may constitute “sharing” under the California CPRA and targeted advertising under other US state laws. See “Your Privacy Rights” and opt-out options below.

International Data Transfers

We mainly process data in the United States. If we transfer personal data internationally (including EU/UK → US), we use appropriate safeguards, which may include:

EU Standard Contractual Clauses (SCCs) and the UK Addendum/IDTA, and

The EU-US Data Privacy Framework (DPF) (where a vendor participates).
We perform transfer risk assessments where appropriate and apply additional measures as needed.

Retention

We retain data only as long as necessary for the purposes described or as required by law.

Account data: while the account is active + 24 months.

Prompts/outputs cache: 30 days.

Telemetry/logs: 12 months.

Support tickets/recordings: 24 months.

Payment records: 7 years (or statutory requirement).

Marketing data: until you opt out or after 24 months of inactivity.

Client training datasets: per contract; deleted or returned within 30 days of termination or on request unless law requires longer.

Security

We use technical and organizational measures aligned to industry standards to protect personal data, including:

Encryption in transit (TLS 1.2+) and at rest; KMS/HSM for key management.

Network segmentation, WAF, DDoS protection; secrets management/rotation.

Audit logging & monitoring; SSO/MFA, RBAC, and least-privilege access.

Vulnerability management: quarterly scanning and annual penetration testing (and after material changes).

Policies & Training, Vendor Risk Management & DPAs, incident response and breach notification processes, DPIAs when needed.

We align to SOC 2 and ISO/IEC 27001 practices (as applicable).

No security program can guarantee absolute security; if we learn of a breach that affects your personal data, we will notify you and regulators as required by law.

Security Your Privacy Rights

Your rights depend on where you live. You can exercise rights by emailing [email protected] or via our webform/portal (coming soon). We will verify your request (e.g.,

email verification, account login, and, if needed, additional proof) and respond within 30–45 days (or the period required by law). An appeal process is available—reply to our decision with “Appeal” in the subject, and we will review. If unresolved, you may contact your regulator.

EU/EEA & UK (GDPR/UK-GDPR): access, rectification, deletion, restriction, objection, portability, and the right to withdraw consent. You may complain to your Data

Protection Authority/ICO.

United States (including CA, CO, CT, VA, UT and similar laws):

Know/Access the categories and specific pieces of personal information we collected about you; Delete; Correct; Portability (copies).

Opt-out of “Sale” or “Sharing” (CPRA) and Targeted Advertising (state laws). We treat GPC signals as an opt-out preference signal where required.

Sensitive Personal Information: We do not use/disclose sensitive PI for purposes that require a “limit” right under CPRA.

Authorized agents may submit requests where allowed.

Canada (PIPEDA): access and correction, withdrawal of consent to marketing (CASL), and complaint to the OPC.

South Africa (POPIA): access, correction, deletion, and objection to processing; you may contact the Information Regulator.

Opt-Out of Sale/Sharing/Targeted Ads

Until our portal is live, you may opt out by:

Clicking the “Do Not Sell or Share My Personal Information” link in the site footer (when available), or

Emailing [email protected] with the subject: “Do Not Sell/Share” (please include your account email and relevant website(s)).

Please note:

No mobile information will be shared with third parties or affiliates for marketing/promotional purposes. IText messaging originator opt-in data and consent information will not be shared with any third parties, excluding aggregators and providers of the Text Message services.

Third-Party Links

Our website and services may link to third-party sites. We are not responsible for their privacy practices. Review their policies before providing personal data.

Your Choices

Marketing: You can unsubscribe via any marketing email or email [email protected].

Cookies/Tracking: Use our EU/UK banner controls, browser settings, and ad-platform controls.

Account: You may request account deletion by contacting [email protected].

Changes to This Policy

We may update this policy to reflect changes to our practices or the law. We will post updates here and notify you by site notice and, where required, by email. The “ Effective date” above shows when this policy last changed.

How to Contact Us

Spence Consulting Services, LLC d/b/a ZYGON ARTIFICIAL INTELLIGENCE
3507 South Ivanhoe Street, Denver, Colorado, 80237, USA
Email: [email protected]