Privacy Policy
How WOCOM Limited collects, uses, protects, and transfers your personal data — in accordance with the Jamaica Data Protection Act, 2020.
Overview
This Privacy Policy describes how WOCOM Limited ("WOCOM", "We", "Us" or "Our") collects, uses, discloses, transfers, and protects personal data when You use Our websites, portals, telecommunications services, Cloud PBX, Flexi-SIP Trunk, WOCOM AI, Contact Center, AI Sentiment Call Analysis, and any related products or services (together, the "Service").
WOCOM is committed to processing personal data lawfully, fairly, and transparently in accordance with the Data Protection Act, 2020 of Jamaica (the "DPA") and any regulations made under it. By using the Service, You acknowledge that You have read and understood this Policy.
Our Data Protection Act Commitment
WOCOM Limited acts as a Data Controller in respect of personal data We collect about Our clients, callers, website visitors, and authorised users. Where We process personal data on behalf of Our business clients (for example, call recordings and transcripts of calls placed to a client's AI receptionist), We act as a Data Processor and Our client is the Data Controller.
WOCOM is in the process of registering with the Office of the Information Commissioner (OIC) of Jamaica as required under the DPA. Our registration number will be published on this page once issued.
Regulator: Office of the Information Commissioner, Jamaica — oic.gov.jm. The OIC is the independent authority responsible for overseeing compliance with the DPA.
Interpretation & Definitions
- Account: A unique account created for You to access Our Service or parts of Our Service.
- Affiliate: An entity that controls, is controlled by, or is under common control with a party, where "control" means ownership of 50% or more of the shares.
- Company: WOCOM Limited, 30-32 Red Hills Road, Kingston 10, Jamaica (referred to as "We", "Us" or "Our").
- Cookies: Small files placed on Your device by a website, containing details of Your browsing history among other uses.
- Country: Jamaica.
- Data Controller: The natural or legal person who determines the purposes and means of processing personal data.
- Data Processor: A natural or legal person who processes personal data on behalf of a Data Controller.
- Data Subject: The identified or identifiable individual to whom personal data relates.
- Device: Any device that can access the Service such as a computer, cellphone, or digital tablet.
- DPA: The Data Protection Act, 2020 of Jamaica, together with any regulations made under it.
- OIC: The Office of the Information Commissioner of Jamaica, the regulator established under the DPA.
- Personal Data: Any information relating to an identified or identifiable individual (as defined in the DPA), including names, contact details, voice recordings, transcripts, and online identifiers.
- Processing: Any operation performed on personal data including collection, recording, storage, retrieval, use, disclosure, transmission, or erasure.
- Sensitive Personal Data: Personal Data revealing racial or ethnic origin, political opinions, religious beliefs, physical or mental health, sexual life, criminal convictions, or financial information, as defined in Section 2 of the DPA.
- Service: The Website and all WOCOM products including Cloud PBX, Flexi-SIP Trunk, WOCOM AI, AI Sentiment Call Analysis, Contact Center, and associated portals.
- Service Provider: Any natural or legal person who processes data on behalf of the Company, including hosting, telephony, AI/transcription, payment, and analytics providers.
- Usage Data: Data collected automatically from the use of the Service or its infrastructure (for example, IP address, browser type, pages visited).
- Website: www.wocomja.com
- You: The Data Subject — the individual accessing or using the Service, or any individual whose personal data We process.
Personal Data We Collect
Information You provide
- Identity & contact data — name, email, phone number, business name, billing address.
- Account credentials — username and securely hashed password.
- Payment information — processed by Our authorised payment service providers; We do not store full card numbers.
- Communications — emails, support tickets, chat messages, and call notes sent to Us.
Information collected automatically
- Usage data — IP address, browser type, device identifiers, pages visited, dates and times of access, referring URLs.
- Telephony metadata — caller and called numbers, call duration, time of call, route, and disposition (for Cloud PBX, SIP Trunk, and AI services).
- Cookies and similar technologies — see Cookies section below.
Information generated by Our AI services
- Call audio recordings of calls placed to or from numbers using WOCOM AI or Contact Center.
- Transcripts produced from those recordings.
- Sentiment, keyword, and analytics scores produced by AI Sentiment Call Analysis.
- Form data and appointment details captured by Your AI receptionist.
Cookies & Tracking
We use Cookies and similar tracking technologies to track activity on Our Service and store certain information. Cookies can be "Persistent" (remain on Your device after You go offline) or "Session" (deleted as soon as You close Your browser).
We use both types of Cookies for: essential service delivery, policy acceptance tracking, security, and functionality preferences such as login state and language settings. You can instruct Your browser to refuse Cookies or to indicate when a Cookie is being sent; however, if You do not accept Cookies, You may not be able to use some parts of the Service.
Lawful Basis for Processing (DPA Section 23)
We only process personal data where We have a lawful basis to do so. Depending on the activity, We rely on one or more of the following:
| Lawful basis | Example of where We rely on it |
|---|---|
| Consent | Marketing emails, optional cookies, connecting third-party services such as Google Calendar. |
| Contract performance | Providing the Service You have subscribed to, billing, account management, technical support. |
| Legal obligation | Telecommunications record-keeping, tax records, responding to lawful requests from authorities. |
| Legitimate interests | Security monitoring, fraud prevention, service improvement, internal analytics — balanced against Your rights. |
| Vital interests | In rare circumstances where processing is necessary to protect a person's life or safety. |
How We Use Your Personal Data
- Service delivery — to provide, operate, maintain, and support the Service.
- Account management — to create and manage Your account, authenticate users, and process payments.
- AI receptionist functions — to answer calls on Your behalf, capture messages, transcribe conversations, and book appointments where authorised.
- Quality assurance and training — to review and improve the quality, accuracy, and safety of Our AI models and human-handled calls.
- Communications — to send service notices, billing notices, security alerts, and (with consent) marketing messages.
- Compliance and legal — to comply with the DPA, the Telecommunications Act, tax laws, and other legal obligations.
- Security & fraud prevention — to detect, investigate, and prevent fraudulent, abusive, or unlawful activity.
The Eight Data Protection Standards
In accordance with Section 22 of the DPA, We commit to processing personal data in line with the following standards:
1. Fair & lawful — We process personal data fairly, lawfully, and transparently.
2. Purpose limitation — We collect data only for specified, explicit, and legitimate purposes.
3. Data minimisation — We collect only what is adequate, relevant, and not excessive for the stated purpose.
4. Accuracy — We take reasonable steps to keep personal data accurate and up to date.
5. Storage limitation — We retain personal data only for as long as necessary.
6. Rights of Data Subjects — We process data in a way that respects Your rights under the DPA.
7. Security — We apply appropriate technical and organisational measures to protect personal data.
8. Cross-border safeguards — We do not transfer data outside Jamaica unless adequate protection is in place.
Who We Share Your Data With
We share personal data only where necessary and only with parties bound by appropriate confidentiality and data protection obligations:
- Service providers & processors — hosting, cloud infrastructure, telephony carriers, AI/transcription providers, payment processors, email and SMS delivery, and analytics.
- Our business clients — where We act as Processor, personal data collected through their AI receptionist or Contact Center is shared with that client account holder.
- Affiliates — companies within the WOCOM group, bound by this Policy.
- Regulatory and law enforcement bodies — when required by law, court order, or valid request from a competent authority.
- Business transfers — in connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality.
- With Your consent — for any other purpose disclosed to You at the time of collection.
We do not sell personal data to third parties.
Cross-Border Data Transfers
WOCOM operates infrastructure and engages service providers in multiple jurisdictions. Personal data may be stored or processed on servers located in:
| Jurisdiction | Type of data typically held |
|---|---|
| Jamaica | Primary account, billing, telephony records, call detail records, and core call handling. |
| United States | AI model processing (speech-to-text, sentiment analysis, large-language-model inference), select cloud hosting, third-party integrations. |
| Canada | Backup storage and disaster-recovery copies of selected datasets. |
In accordance with Section 24 of the DPA, where personal data is transferred outside Jamaica, WOCOM ensures an adequate level of protection through one or more of the following:
- Written data-processing agreements with each provider, including obligations equivalent to those imposed by the DPA.
- Encryption of personal data both in transit (TLS 1.2 or higher) and at rest.
- Selection of providers that comply with recognised international standards such as SOC 2 Type II, ISO 27001, and (where applicable) HIPAA.
- Reliance on Canada's status as a jurisdiction with comparable data protection laws (PIPEDA).
- For US transfers, additional contractual safeguards including data-processing addenda, sub-processor controls, and audit rights.
You may contact Our DPO at any time for further information on the safeguards in place for a specific transfer.
How Long We Keep Your Data
We retain personal data only for as long as necessary to fulfil the purpose for which it was collected, to comply with legal obligations, to resolve disputes, and to enforce Our agreements. Indicative retention periods:
| Category | Retention period |
|---|---|
| Account & contact records | Duration of the relationship + 7 years (for tax / contractual records) |
| Billing & financial records | 7 years from the date of the transaction |
| Call detail records (CDRs) | 12 months (or longer where required by telecommunications regulation) |
| Call recordings & AI transcripts | 90 days by default; configurable per client account |
| Sentiment analysis outputs | 12 months |
| Marketing preferences & consent records | Until withdrawn + 3 years (to evidence consent) |
| Website / system logs | Typically 90 days |
When the applicable retention period expires, personal data is securely deleted, anonymised, or archived in line with Our retention schedule.
Your Rights Under the DPA
As a Data Subject, You have the following rights in respect of personal data We hold about You:
- Right to be informed — to know what data is collected, why, and who has access.
- Right of access — to request a copy of the personal data We hold about You (a "Subject Access Request").
- Right to rectification — to have inaccurate or incomplete data corrected.
- Right to erasure / blocking — to request deletion or blocking of data where permitted by law.
- Right to object — to processing for direct marketing or other specified purposes.
- Right to prevent automated decision-making — to require that significant decisions affecting You are not made solely by automated means, including AI.
- Right to compensation — for damage suffered as a result of a contravention of the DPA.
- Right to lodge a complaint — with the Office of the Information Commissioner (see Complaints section).
To exercise any of these rights, contact Our Data Protection Officer at dpo@wocomja.com. We will respond within the timeframe required by the DPA (generally within 40 days). We may need to verify Your identity before fulfilling Your request.
Other Disclosures
Business Transactions: If WOCOM is involved in a merger, acquisition, financing, restructuring, or sale of assets, Your Personal Data may be transferred as part of that transaction. We will provide reasonable notice on the Website (and where appropriate, by email) before any such transfer becomes subject to a different privacy policy.
Law Enforcement & Legal Obligations: WOCOM may be required to disclose Your Personal Data where required to do so by law, court order, or a valid request from a public authority — for example, a request from law enforcement, the courts, or a regulator. Where lawful, We will notify You before disclosing Your data.
Call Recording & AI Services
WOCOM provides AI-powered telephony services including WOCOM AI (AI receptionist), Contact Center, and AI Sentiment Call Analysis. The following terms apply specifically to those services:
Notice to callers
Inbound and outbound calls handled by these services may be recorded, transcribed, and analysed by automated systems. Callers will be given an audible notice at the start of the call advising that the call is being recorded and may be processed by AI. By remaining on the line, the caller is deemed to have been notified.
What is processed
- Audio recordings of the call.
- Machine-generated transcripts of the conversation.
- Sentiment scores, keyword extracts, and analytics derived from the transcript.
- Data entered by the caller (names, phone numbers, appointment requests, free-text messages).
Where processing happens
Speech-to-text, transcription, sentiment, and large-language-model inference are performed by AI providers located in the United States. See Cross-Border Transfers above. All transmission is encrypted.
Automated decision-making
Our AI services support call handling — they do not make legally significant decisions about callers. Where a caller would prefer to speak with a human, the AI is configured to escalate or take a message. You may request human review of any AI-handled call at any time.
Client responsibilities
Where You are a WOCOM business client using these services, You are the Data Controller for the personal data of Your callers. You are responsible for ensuring Your own privacy notice discloses Your use of WOCOM AI and for honouring data subject requests You receive from Your callers. WOCOM will reasonably assist You as Processor.
Deletion of recordings
You may request deletion of specific call recordings or transcripts at any time via Your client portal or by contacting Our DPO.
Third-Party Integrations & Google API Services
WOCOM AI allows You to connect third-party services such as Google Calendar to enable appointment scheduling and availability checking through Your AI receptionist. This section describes how We handle data obtained through these integrations.
Google Calendar Data
When You connect Your Google Calendar account, WOCOM AI accesses the following data through the Google Calendar API:
- Calendar events — event titles, start/end times, descriptions, locations, and attendee information, used to check Your availability and prevent double-booking.
- Event creation — new calendar events are created when callers book appointments through Your AI receptionist.
How We Use Google Calendar Data
Your Google Calendar data is used solely to:
- Check Your real-time availability when callers request an appointment.
- Create new events on Your calendar when appointments are confirmed.
- Display Your upcoming appointments within Your WOCOM AI portal.
Storage & Protection of Google Data
OAuth access tokens and refresh tokens are stored in encrypted form in Our database. Calendar event data is accessed in real time and is not permanently stored or cached beyond what is necessary to complete the booking transaction. All communication with Google APIs is conducted over encrypted HTTPS connections.
Google API Services — Limited Use Disclosure
WOCOM AI's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- We only use Google data for the purposes described in this Privacy Policy and as displayed to You in the OAuth consent screen.
- We do not transfer Google data to third parties except as necessary to provide or improve the Service, for security purposes, or as required by law.
- We do not use Google data for advertising or to serve ads.
- Human employees do not read Your Google data unless You have given explicit consent, it is necessary for security purposes, it is required by law, or the data has been aggregated and anonymised for internal operations.
Revoking Access
You may disconnect Your Google Calendar at any time from the Integrations page in Your WOCOM AI portal. Upon disconnection, We immediately delete Your stored OAuth tokens and cease all access to Your Google Calendar data. You may also revoke access directly from Your Google Account permissions page.
Security Measures
WOCOM applies a range of technical and organisational measures appropriate to the risk, including:
- TLS encryption (1.2 or higher) for all data in transit, including SIP/SRTP for voice traffic where supported.
- Encryption at rest for sensitive data stores and backups.
- Role-based access controls, least-privilege provisioning, and audit logging.
- Multi-factor authentication for administrative access.
- Regular vulnerability scanning, patching, and security testing.
- Strict Content Security Policy and HTTP security headers on Our websites and portals.
- Confidentiality undertakings binding all employees and contractors.
No method of transmission or storage is 100% secure, but We continuously work to maintain a level of security commensurate with the risk.
Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of Data Subjects, WOCOM will:
- Notify the Office of the Information Commissioner without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Section 27 of the DPA.
- Notify affected Data Subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
- Maintain an internal record of every breach, including its facts, effects, and remedial action taken.
- Where We act as Processor for a business client, notify that client promptly so they can fulfil their own notification obligations.
Children's Privacy
The Service is intended for business users and is not directed to children under 18 years of age. We do not knowingly collect personal data from children under 18 without the consent of a parent or legal guardian. If You believe We have inadvertently collected such data, please contact Us so We can promptly delete it.
Complaints & the Information Commissioner
If You have a concern about how We have handled Your personal data, please contact Our Data Protection Officer first at dpo@wocomja.com. We take all complaints seriously and will respond promptly.
If You are not satisfied with Our response, You have the right to lodge a complaint with the regulator:
Office of the Information Commissioner (OIC), Jamaica
Website: www.oic.gov.jm
The OIC is the independent body that supervises compliance with the Data Protection Act, 2020.
Changes to This Policy
We may update this Policy from time to time to reflect changes in Our practices, technologies, legal requirements, or for other operational reasons. Where changes are material, We will provide reasonable notice (for example, by email or a prominent notice on the Website). The "Last updated" date at the top of this Policy will always show when it was most recently revised.
Contact Us & Data Protection Officer
For privacy questions, to exercise Your rights, or to contact Our Data Protection Officer:
Note: this Policy is provided for transparency. It does not constitute legal advice. WOCOM recommends that business clients also obtain their own legal advice on their obligations under the DPA.