Last updated: July 13, 2026
This Data Processing Agreement ("DPA") forms part of, and supplements, the Terms of Service between Open Lines Technologies Inc. ("Open Lines", "we", "our", "us") and the business that subscribes to the Service ("Customer", "you"). It governs how we process personal information on your behalf when providing the Open Lines AI-powered voice receptionist platform (the "Service").
This DPA applies only to personal information we process on your behalf. It does not apply to information we process for our own business purposes — such as account administration, billing, security monitoring, and fraud prevention — which is governed by our Privacy Policy.
"Personal Information" means information about an identifiable individual, as defined under applicable privacy laws.
"Customer Data" means information submitted through the Service by you or your users, including caller information, call recordings, transcripts, appointment details, lead information, and knowledge-base content.
"Processing" means any operation performed on personal information, including collection, storage, use, disclosure, retrieval, analysis, or deletion.
"Applicable Privacy Laws" means the privacy and data-protection laws that apply to the processing, including Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws, and — where applicable to you — the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
You are the controller. You determine why and what personal information is collected through your AI agent, how it is used, and the notices and consents required from your callers. You are responsible for ensuring your instructions to us comply with Applicable Privacy Laws.
We are the processor. We process personal information only to provide the Service, according to your instructions, as needed to maintain security, and as required by law. We do not sell Customer Data, and we do not use it for our own unrelated purposes.
You instruct us to process personal information for the purpose of providing the Service, which includes: answering and managing inbound calls; generating transcripts and summaries; scheduling appointments through connected calendars; sending notifications; storing and retrieving records; providing analytics; troubleshooting; and maintaining the security and reliability of the Service. We process personal information only as necessary for these purposes.
Depending on how you configure the Service, we may process names, telephone numbers, email addresses, appointment details, caller enquiries, call recordings and voice data, transcripts, preferences, and AI-generated summaries. Data subjects may include your callers, customers, prospects, employees, and representatives. You determine whether any sensitive or regulated information is submitted through the Service.
You are responsible for providing lawful instructions; giving your callers appropriate privacy notices; obtaining any required consent (including for call recording); complying with telecommunications and anti-spam laws; configuring your AI agent appropriately; and responding to requests from individuals about their information. We are not responsible for your failure to meet these obligations.
Personnel authorised to process Customer Data are bound by confidentiality obligations. We will not disclose Customer Data except to provide the Service, to authorised sub-processors, as you direct, as required by law, or to protect rights, security, or property.
We implement administrative, technical, and organisational safeguards appropriate to the personal information we process, including encryption in transit and at rest, access controls, authentication requirements, monitoring, backups, and incident-response processes. Further detail is in our Privacy Policy. No security system can guarantee absolute protection.
You authorise us to engage third-party service providers ("sub-processors") to help deliver the Service — for example, cloud hosting, telephony, AI, messaging, and payment providers. We require sub-processors to maintain appropriate confidentiality and security obligations, and we remain responsible for their performance under this DPA. A current list of our sub-processors is available at openlines.ai/subprocessors.
The Service uses AI to perform speech recognition, conversation handling, transcription, summarisation, and appointment assistance. You acknowledge that AI output may contain errors and requires appropriate oversight, and that you remain responsible for decisions made using it. We do not use Customer Data to train publicly available AI models without your written authorisation.
Where required by Applicable Privacy Laws, we will provide reasonable assistance to help you respond to requests from individuals to access, correct, delete, or port their information, or to restrict its processing. You remain responsible for verifying the identity of requestors and determining whether a disclosure is legally required.
We will notify you without undue delay after confirming a security incident involving unauthorised access to Customer Data that requires notification under Applicable Privacy Laws. Our notice will describe, to the extent known, the nature of the incident, the information affected, the likely impact, and the steps we are taking. We will cooperate reasonably with your investigation and response.
Your primary database — the main store of tenant and caller records — is hosted in Canada (Supabase, ca-central-1 / Montreal). Some processing (for example, live call transcription, language, voice, telephony, and email) is performed by sub-processors located in the United States and other countries, so some personal information may be processed outside Canada and may be subject to the laws of those countries. We use these providers under contractual safeguards intended to provide a comparable level of protection to that required under Canadian law.
We retain Customer Data for as long as needed to provide the Service and as described in our Privacy Policy. You may request deletion of Customer Data at any time by contacting us. Following termination of the Service, we may delete Customer Data after thirty (30) days unless we are required by law to retain it.
On reasonable written request, we will provide information reasonably necessary to demonstrate compliance with this DPA. Such requests must not be disruptive, must not seek access to other customers' information or confidential security details, and may be subject to reasonable notice and fees.
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. This DPA does not create additional liability beyond those Terms except where required by Applicable Privacy Laws.
This DPA remains in effect for as long as we process Customer Data on your behalf. It is governed by the laws of Ontario, Canada, and the parties submit to the exclusive jurisdiction of the courts of Ontario. If there is a conflict between this DPA and the Terms of Service regarding the processing of Customer Data, this DPA controls.
For questions about this DPA or our data-processing practices, contact our Privacy Officer:
© 2026 Open Lines Technologies Inc. All rights reserved.