Privacy Policy

Last Updated: March 11, 2026

This Privacy Policy ("Policy") explains how AmberNexus and our affiliates (together, "AmberNexus", "we", "our", or "us") process Personal Data (defined below) of individuals who access or use our Services or otherwise engage with AmberNexus.

This Policy also explains your rights and choices about how we use your Personal Data, including how you may be able to access or update certain information about you. Where processing is based on consent, and to the extent permitted by law, by using the Services or otherwise engaging with AmberNexus, you consent to the use of your Personal Data as described in this Policy.

1. Scope & Definitions

1.1 Definitions

Personal Data means any information relating to an identified or identifiable individual, such as name, address, telephone number, or email address. In certain jurisdictions, this may also be referred to as "Personal Information." Other capitalised terms not defined herein shall have the meanings ascribed to them in our Terms of Service.

Voice Data means audio recordings and derived data generated in connection with your use of the Services, including call recordings, voice inputs, synthesised audio outputs, and call transcripts. Depending on where you reside and how we use your Voice Data, applicable law may define Voice Data as biometric data. We do not use Voice Data to infer characteristics about an individual beyond what is necessary to provide the Services.

Input means text, audio, or other content you or an End Customer provides to the Services. Output means content generated by the Services in response to an Input, including synthesised voice responses. End Customer means an individual who interacts with a voice agent deployed by a business using the Services via a telephone number provisioned through the Services and browser-based services.

1.2 Scope

This Policy applies only for instances in which AmberNexus acts as a responsible party (i.e., data controller or data fiduciary) under applicable laws, including where AmberNexus provides Services to individual users or businesses. This Policy does not apply when we process Personal Data strictly on behalf of enterprise or business customers. We act as a service provider or data processor for those relationships, and our use of Personal Data in connection therewith is governed by the applicable Data Processing Addendum set forth in such customer's agreement.

2. Categories of Personal Data We Collect

2.1 Personal Data You Provide to Us

Account & Contact Details

When you request access to our Services, or when an Administrator creates an account on your behalf, we may collect certain contact and account-related information. This may include your full name, email address, country or region, and an optional message describing your intended use of the Services. Once your request is approved, we will send a secure, time-limited link that allows you to create your account password. For security purposes, users are required to update their password upon first login before accessing the Services. Access to the Services is restricted to the permissions assigned by an authorized Administrator.

Outbound Call Numbers

Where you or your organisation use our Services to make outbound calls, we process the destination telephone number(s) provided for the purpose of initiating and routing those calls. This information is stored in connection with the relevant call request and is used solely to deliver the outbound calling functionality. Such numbers may constitute Personal Data and are processed in accordance with this Policy.

Services Input & Output

We process your Input (which may include voice/audio, text, or other content) and Output (which may include synthesised voice audio, text responses, or other content), and any other information you provide in connection with your use of the Services, including any Personal Data contained therein. The modalities available (voice, text, or both) depend on the configuration of the Services and the features enabled for your account.

Audio Recordings and Voice Data

We collect and process audio recordings of conversations conducted through the Services ("Voice Data") in order to provide our Services to you. This includes voice inputs received via telephone numbers provisioned through the Services and synthesised audio outputs generated by the Services. Voice Data may also include derived data such as speech transcripts. Where call recording is enabled by an Administrator, call audio is stored securely in our cloud storage infrastructure (Amazon S3). AmberNexus does not enable call recording at the telecommunications service provider level. Accordingly, our telecommunications service providers (Twilio and Plivo) do not retain call recordings on AmberNexus's behalf. Administrators are responsible for ensuring that End Customers are informed of and, where required by law, have consented to the recording of calls prior to or at the commencement of each call.

Feedback and Communications

If you contact us directly, express interest in using our Services, or otherwise provide us with feedback, we collect Personal Data including your name, email address, the contents of any message or attachments you send to us, and other information you choose to provide. When we send you emails, we may track whether you open them to learn how to deliver a better customer experience and improve our Services.

Other Information You Provide

We may collect other information you provide to us, such as when you participate in a beta programme, interact with us at events, or otherwise engage with AmberNexus online or offline. Some of these engagements may have additional terms.

2.2 Personal Data We May Otherwise Collect From You and/or Your Device

Information from Cookies and Similar Technologies

We and our third-party partners may collect information about you using cookies, pixel tags, SDKs, or similar technologies ("Cookies"). See the "Your Cookie Choices" section of this Policy and our Cookie Policy for further detail. Categories of information we may collect using cookies include:

Location Information. When you use our Services, we infer your general location information, for example by using your internet protocol (IP) address. In some jurisdictions, we will ask for your permission before doing so.
Device Information. We receive information about the device and software you use to access our Services, including IP address, web browser type, operating system version, device identifiers, and related technical attributes.
Usage Information. We receive information about your interactions with our Services, the content you view, the actions you take, the features with which you interact, and the dates and times of your visits.

2.3 Personal Data We Collect from Third Parties

Information from Service Providers

We may receive information about you from third-party service providers that are authorised to share your Personal Data with us, including in connection with verification, data enrichment, or Know Your Customer and Anti-Money Laundering checks where applicable.

Telephony and Communications Data

When you interact with our Services through a telephone number provisioned via the Services, we may receive call metadata and related communications data from our telecommunications service providers. This includes call timestamps, duration, caller identifiers, and geographic indicators. In some cases, we need to collect your Personal Data to provide you with our Services. In these cases, if you choose not to provide the requested Personal Data, you may not be able to use our Services. We will tell you if providing Personal Data is required by law or under a contract and the consequences of failing to provide it, if applicable.

2.4 Personal Data and AmberNexus Voice Services

AmberNexus uses Voice Data to provide its voice agent services, including speech processing, voice synthesis, and conversational AI services. When a call is placed to or from a number provisioned through the Services, we process voice inputs and generate synthesised audio outputs as necessary to operate the voice agent. This may include real-time transcription of speech and the generation of responses using our AI systems.

Where call recording is enabled by the Administrator, call audio is stored securely in our cloud storage infrastructure (Amazon S3). Call recording at the telecommunications service provider level is not enabled by AmberNexus — accordingly, our telecommunications service providers do not independently retain call recordings. AmberNexus does not use Voice Data to infer characteristics about an individual beyond what is necessary to provide the Services.

2.5 Content Moderation and Account Suspension

AmberNexus does not undertake to review all Input and Output and expressly disclaims any duty or obligation to monitor or review content. However, to maintain the integrity and security of the Services, and for fraud prevention purposes, AmberNexus reserves the right to review Input and Output. In certain circumstances, AmberNexus may share Input or Output, which may include Personal Data, with third parties to support content moderation and safety initiatives. Users found to have engaged in activity that violates our Acceptable Use Policy may be subject to termination or suspension under the applicable Terms of Service.

3.Purposes of Processing Personal Data and Legal Basis

3.1 Purpose and Legal Basis

The table below describes the purposes for which we process your Personal Data when acting as a data controller or data fiduciary, and the legal bases for such processing. When we rely on legitimate interest as the legal grounds to process your Personal Data, you have the right to object to that processing as set out in Section 8 ("Your Rights"). Please note that where the legal bases specified are not applicable in your country, we will rely on consent or other available grounds to process your Personal Data.

Purpose	Description of Processing Activity	Legal Ground for Processing
Providing the Services	To operate, maintain, and provide the features and functionality of the AmberNexus platform as requested by you and outlined in our Terms of Service.	Necessary to enter into or perform our contract with you.
Ingesting & Processing Voice Data	To collect audio streams and process voice inputs via our sub-processors (e.g., speech-to-text transcription) necessary to enable the AI voice agent functionality.	Necessary to fulfill the service requested by the Administrator.
Generating Synthesized Audio	To generate and output synthesized audio responses (text-to-speech) necessary to operate the voice agent and facilitate dynamic conversations.	Necessary to fulfill the service requested by the Administrator.
Storing Call Recordings & Transcripts	To securely store call audio and transcripts in our cloud infrastructure (e.g., Amazon S3) strictly when enabled by the Administrator. AmberNexus disables carrier-level recording. Processing is subject to applicable notice and consent requirements managed by the Administrator.	Processed on behalf of the Administrator's legitimate interest (quality assurance, compliance). Where required by law, this relies on the End Customer’s explicit consent, obtained by the Administrator.
Personalizing the Experience	To tailor your experience on the platform, including saving preferences and suggesting content, configurations, or features relevant to your usage.	Necessary for our legitimate interest in optimizing user experience. (Or Consent, where explicitly requested).
Platform Communications & Support	To communicate operational updates, respond to inquiries, provide technical support, diagnose system errors, and deliver customer service.	Necessary to fulfill support obligations and for our legitimate interest in maintaining customer relationships.
Marketing Communications	To send prospective and current users promotional materials, newsletters, and information about new products or features that may be of interest.	Provided explicitly by you. (Or Legitimate Interest for existing customers, subject to applicable anti-spam laws allowing soft opt-ins).
Billing and Accounting	To process payments, manage subscriptions, and maintain financial records associated with your use of the Services.	Necessary to fulfill billing terms and comply with standard accounting laws.
Security and Fraud Prevention	To monitor for, detect, and prevent unauthorized access, malicious activity, deceptive practices, or abuse of the AmberNexus platform and its associated APIs.	Necessary to safeguard our infrastructure, protect users, and maintain the integrity of our Services.
Analytics and Usage Tracking	To analyze trends, monitor platform performance, understand how the Services are utilized, and inform the development of new features and products.	Necessary for our legitimate interest in conducting business intelligence and improving our technology.
Data Aggregation & Anonymization	To generate de-identified, anonymized, or aggregated datasets for research, product improvement, and statistical analysis. We will not attempt to re-identify this data unless required by law.	Necessary for our legitimate interest in enhancing AI models and platform capabilities without compromising individual privacy.
Legal and Administrative Compliance	To enforce our Terms of Service, defend our legal rights, address administrative disputes, and respond to lawful requests from law enforcement or regulatory bodies.	Necessary to comply with statutory requirements and protect our legal rights.

We only rely on our legitimate interests to process your Personal Data when we determine that these interests are not overridden by your rights and interests. When we use your information because we have a legitimate interest to do so, you may have the right to object to that use.

Data Recipients

Your Personal Data may be shared with:

Affiliates. We may share any Personal Data we receive with our current or future affiliates for any of the purposes described in this Privacy Policy.
Vendors and Service Providers. We may share your Personal Data with third-party vendors and service providers who provide services such as website hosting, cloud infrastructure, data storage, voice and telephony services, speech processing, AI and language model services, customer support, email delivery, auditing, and payment processing. A current list of our service providers and sub-processors is maintained at ambernexus.ai/subprocessors.
Telecommunications Service Providers. Where you interact with the Services via a provisioned telephone number, call metadata (such as timestamps, duration, and caller identifiers) is processed by our telecommunications service providers, which may include Twilio, Plivo, and/or SIP-based telephony providers, depending on the configuration requested by your organisation. These providers are used to route and deliver calls. AmberNexus does not enable call recording at the telecommunications service provider level; call recordings are stored solely within AmberNexus's own cloud storage infrastructure (Amazon S3). The list of active telecommunications providers may vary and will be reflected in our sub-processors list at ambernexus.ai/subprocessors.
Business Administrators. Platform Administrators of your organisation may access call logs, transcripts, recordings (where recording is enabled), and user account data within the scope of their assigned permissions. Administrators are responsible for ensuring that their own use of such data complies with applicable law.
As Required by Law and Similar Disclosures. We may access, preserve, and disclose your Personal Data to law enforcement agencies, regulatory bodies, and public authorities or pursuant to legal proceedings if we believe doing so is required or appropriate to: (a) comply with law enforcement requests and legal process, such as a court order or subpoena; or (b) protect your, our, or others' rights, property, or safety.
Merger, Sale, or Other Asset Transfers. We may disclose your Personal Data to service providers, advisors, potential transactional partners, or other third parties in connection with the consideration, negotiation, or completion of a corporate transaction or reorganisation, such as a merger, acquisition, or sale of assets.
Other Data Recipients. We may also disclose your information to other third parties where we have received your consent to do so.

International Data Transfers

We maintain hosting and server locations primarily in the United States. This means we may transfer your Personal Data outside your country, state, or province of residence, depending on your location at that time. Regardless of your location, Personal Data may be transferred to the United States for storage and processing.

The data will be transferred for the time required to fulfil the purpose for which it is processed. It may be shared with our service providers and affiliates for the purposes listed in Section 3. In such cases, AmberNexus is the controller of the data, and the service providers are processors or sub-processors, as the case may be.

Depending on where you reside, we apply appropriate protections when we transfer your Personal Data outside of your country of residence. These protections may include:

Transferring Personal Data to countries which have been found to provide adequate protection by the competent authorities;
Using contractual protections, such as Standard Contractual Clauses approved by the European Commission, for the transfer of Personal Data;
For residents of India, complying with the requirements of the Digital Personal Data Protection Act, 2023 and rules made thereunder regarding cross-border data transfers;
For residents of Jamaica, complying with the requirements of the Data Protection Act, 2020 regarding international transfers; or
Obtaining your express consent.

For more information about how we transfer Personal Data, or to obtain a copy of the contractual safeguards we use for such transfers to the extent applicable laws afford such right, please contact us using the details in the "Contact Us" section below.

Please note that the data protection laws in the locations where we transfer or process data may differ from those in your area. While the data is in another jurisdiction, it may be accessed by the courts, law enforcement, and national security authorities of that jurisdiction.

Data Retention

We take measures to delete your Personal Data or keep it in a form that does not permit identifying you when this information is no longer necessary for the purposes for which we process it, unless we are required or permitted by law to keep this information for a longer period. When determining the specific retention period, we consider various factors, such as the type of service provided to you, the nature and length of our relationship with you, and mandatory retention periods provided by law and any relevant statute of limitations.

The following table summarises the principal retention periods that apply to Personal Data processed in connection with our Services, including the periods applied by our key sub-processors:

Data Category	Retained By	Retention Period
Call Recordings & Transcripts (Audio and text logs of conversations)	AmberNexus (via Amazon S3)	Up to 3 years from the date of the call. Administrators may configure shorter retention periods via the Platform settings. Transcripts are generated and stored strictly when the transcript feature is enabled; if disabled, no transcript content is generated or retained.
Call Audio Processing (Speech-to-text inference)	Deepgram, Inc.	Zero retention for audio. Audio streams are processed ephemerally and are not stored post-transcription. API usage logs (containing request metadata only; no audio or transcript content) are retained for up to 90 days for operational and diagnostic purposes.
Synthesized Voice Outputs (Text-to-speech inference)	ElevenLabs Inc.	Up to 2 years for conversation transcripts and audio, and up to 3 years following the last interaction for general account history, in accordance with the provider's standard privacy and retention policies.
Telecommunications Metadata (Timestamps, duration, phone numbers, status)	Twilio Inc.	Up to 13 months (400 days). Call Detail Records (CDRs) are retained for billing, analytical, and operational purposes. Note: AmberNexus strictly prohibits and explicitly disables all audio recording functionality on this provider's infrastructure.
Telecommunications Metadata (Timestamps, duration, phone numbers, status)	Plivo Inc.	Up to 90 days (Unredacted) / Up to 7 years (Anonymized). Unredacted CDRs are retained for operational purposes for 90 days. Subsequently, data is anonymized/redacted and retained for up to 7 years strictly to fulfill legal, regulatory, and taxation obligations. Note: AmberNexus strictly prohibits and explicitly disables all audio recording functionality on this provider's infrastructure.
Transactional Emails & OTPs (Email addresses, delivery metadata, routing)	Mailgun Technologies, Inc.	Up to 3 days (Message Bodies) / Up to 30 days (Event Logs). Message bodies are securely purged after 3 days. Email event logs and delivery metadata are retained for up to 30 days for deliverability tracking and diagnostics.
LLM Inference Data (Conversation context passed to AI model)	Google LLC (Gemini / Vertex AI)	Zero retention. Customer context and prompts are processed ephemerally for API fulfillment and are not retained beyond the duration of the API request, subject to AmberNexus's enterprise opt-outs for caching and logging. Google explicitly does not use submitted Customer Content to train its foundation models.
Account & Administrative Data (Name, email, region, access logs)	AmberNexus (via Amazon S3 / AWS)	Duration of the active agreement + up to 3 years. Retained for the lifetime of the account relationship. Following account closure or termination, data is securely retained for up to 3 years for legal, auditing, and compliance purposes, unless a shorter deletion period is legally mandated or specifically requested by the customer.

Call recording on the telecommunications service provider platforms (Twilio and Plivo) is not enabled by AmberNexus. All call recordings generated through the Services are stored solely within AmberNexus's cloud storage infrastructure (Amazon S3) and are subject to AmberNexus's retention policy as described above. Where the Platform supports it, Administrators may configure shorter retention periods for recordings and transcripts. This feature may not be available across all plan types or configurations. Please refer to the Platform documentation or contact your account manager for details on available retention controls.

When you submit a deletion request under Section 8, we will delete or anonymise your Personal Data held within AmberNexus's own systems within a commercially reasonable period, subject to any legal obligations to retain certain records. When you submit a deletion request, we will use commercially reasonable efforts to delete or anonymise your Personal Data held within our own systems, subject to any legal obligations to retain certain records. With respect to Personal Data held by our sub-processors, we will forward your deletion request to the relevant provider in accordance with the applicable Data Processing Agreement. Please note that the ability to action deletion requests may be subject to the sub-processor's own data retention obligations, technical limitations, and contractual terms. We cannot guarantee the deletion of data held across all third-party sub-processors within a specific timeframe.

Your Rights

Depending on where you are located or reside, you may have certain rights regarding the Personal Data we maintain about you and certain choices about what Personal Data we collect from you, how we use it, and how we communicate with you. Such rights may include the rights to:

Access Your Personal Data – Receive confirmation of processing and request access to the Personal Data we maintain about you. Where provided by applicable law, you may request that we include a description of the purpose of the processing of your Personal Data, third parties with which your data has been shared, and information regarding the safeguards for international data transfer.
Correct Your Personal Data – Request to update and correct inaccuracies in your Personal Data.
Delete Your Personal Data – Request that AmberNexus delete the Personal Data we maintain about you, including your account and the Voice Data associated with your account. Where provided by applicable law, you may request that your Personal Data be anonymised rather than deleted.
Restrict or Object to Processing of Your Personal Data – Restrict or object to the processing of your Personal Data, where applicable.
Request Portability of Your Personal Data – Request to transfer your Personal Data to another authorised organisation.
Withdraw Consent – You may withdraw any consent you previously provided to us regarding the processing of your Personal Data at any time. We will apply your preferences going forward, and this will not affect the lawfulness of processing that occurred before you withdrew your consent.
Unsubscribe from Marketing Communications – You may unsubscribe from receiving marketing communications at any time by following the unsubscribe instructions in the relevant communication or by contacting us as described in Section 13. Please be aware that, if you opt out, you will continue to receive administrative messages from us regarding our Services.
Anonymisation – To the extent provided by law, you may ask to have your Personal Data anonymised rather than deleted. Where anonymisation is not feasible, we will inform you of the reasons.
Right to Information About Shared Entities – To the extent provided by law, you may have the right to be informed about the entities with which we share your Personal Data.

You may exercise these rights, as applicable, by contacting us using the details set out in Section 13 ("Contact Us"). Before fulfilling your request, we may ask you to provide reasonable information to verify your identity and/or residence. Please note that applicable law may provide for exceptions and limitations to each of these rights.

In addition to the rights listed above, you may also have the right to lodge a complaint with a supervisory authority, including in your country of residence, place of work, or where an incident took place.

Residents of India

If you are a Data Principal residing in India, in addition to the rights in Section 8.1, you have the following additional rights under the Digital Personal Data Protection Act, 2023 ("DPDPA"):

Right to Nominate – You have the right to nominate any individual who will exercise the rights available to you in case of your death or incapacity. Nominations may be submitted to us at the contact address in Section 11.
Right to Know – You have the right to know what Personal Data is being processed about you, the identity of all Data Fiduciaries and Data Processors who have processed it, and the grounds for each processing activity.
Right to Grievance Redressal – You have the right to contact us about how we process your Personal Data, our obligations in relation to such Personal Data, and your rights regarding such data. You may exercise this right by contacting us as described in Section 13. If your grievance is not resolved to your satisfaction, you may approach the Data Protection Board of India once constituted.

AmberNexus acknowledges its obligations as a Data Fiduciary under the DPDPA 2023 and will comply with all rules and regulations issued thereunder, including those relating to the Consent Manager framework upon its operationalisation.

Residents of Jamaica

If you are a data subject residing in Jamaica, in addition to the rights in Section 8.1, you have the following additional rights under the Data Protection Act, 2020:

Right of Subject Access – Receive confirmation that Personal Data about you is being processed, and obtain a description of the data held, the purposes of processing, and information about third parties to whom it has been or may be disclosed.
Right to Prevent Processing Likely to Cause Damage or Distress – Submit a written notice requiring AmberNexus to cease, or not to begin, processing your Personal Data for specified reasons where that processing is likely to cause you substantial unwarranted damage or distress.
Right to Prevent Automated Decision-Making – Request human review of decisions made solely by automated means where those decisions significantly affect you.
Right to Rectification, Blocking, Erasure, or Destruction – Request that inaccurate Personal Data be corrected, blocked, erased, or destroyed, and that third parties to whom the data was disclosed be notified accordingly.

AmberNexus is committed to compliance with the Data Protection Act, 2020 of Jamaica and the oversight of the Office of the Information Commissioner (OIC).

Residents of the EEA, Switzerland, and the United Kingdom

If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the full suite of rights under the General Data Protection Regulation (GDPR) and UK GDPR respectively, including all rights described in Section 8.1. You also have the right to lodge a complaint with your local data protection supervisory authority. In the United Kingdom, the relevant authority is the Information Commissioner's Office (ICO).

Third Parties

Our Services may contain links to other websites, products, or services that we do not own or operate. We are not responsible for the privacy practices of these third parties. Please be aware that this Privacy Policy does not apply to your activities on these third-party services or any information you disclose to these third parties. We encourage you to read their privacy policies before providing any information to them.

Where our Services interact with third-party platforms or service providers (including our telecommunications and cloud service providers), such providers operate under their own Terms of Service and privacy policies. AmberNexus is not responsible for the independent data practices of those providers. For details on the sub-processors we engage and their applicable data retention periods, please refer to our Sub-Processor List available at subprocessors.

Security

We implement reasonable and appropriate technical and organisational measures to secure and protect your Personal Data against unauthorised access, disclosure, alteration, or destruction. These measures include encryption of data in transit and at rest, access controls, audit logging, and regular security assessments. An up-to-date description of our security controls is available at Security Controls.

As no electronic transmission or storage of information can be entirely secure, we cannot make absolute guarantees as to the security or privacy of your information, to the extent permitted by applicable law. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and, where required, affected individuals, within the timeframes prescribed by applicable law.

Children's Privacy

Our Services are not intended for or directed at children under the age of 18, and AmberNexus does not knowingly collect, store, or process Personal Data from children under the age of 18. However, as our Services involve voice communications, there may be instances where a person under the age of 18 participates in a call incidentally (for example, by answering a telephone). In such cases, any Personal Data incidentally captured will be processed solely to the extent necessary to deliver the Service and will be deleted upon becoming aware of such collection, in accordance with applicable law. If you believe that Personal Data of a minor has been incidentally processed through our Services, please contact us at the address in Section 13.

Updates to this Policy

We may periodically update this Policy to reflect changes in our data processing practices, legal obligations, or the Services. If there are significant changes, we will notify you as required by law, for example, by sending an email to the address associated with your account, or by displaying a notice on our Platform, at least fourteen (14) days before the change takes effect. Continued use of the Services following such notice constitutes acceptance of the revised Policy, to the extent permitted by applicable law.

Contact Us

For any questions regarding this Policy or our processing of your Personal Data, please contact our Data Protection Officer or Privacy Team at:

Email (General / DPO): privacy@myambergroup.com

You may exercise your rights by emailing us at the applicable address above. Please include the right you would like to exercise in the subject line (e.g., "Right of Access Request") and note the country or region in which you reside. Before fulfilling your request, we may ask you to provide reasonable information to verify your identity and/or residence.

Sub-Processors

Effective Date: March 11, 2026

Overview

AmberNexus engages third-party sub-processors to assist in providing our Services. This page lists all sub-processors that may process personal data on our behalf.

All sub-processors are bound by Data Processing Agreements that require them to:

Process data only according to our instructions.
Implement and maintain appropriate technical and organisational security measures.
Notify us promptly of any personal data breaches.
Delete or return personal data upon termination of services.
Engage further sub-processors only with our prior written consent.

AmberNexus undertakes to use a commercially reasonable selection process by which it evaluates the security, privacy, and confidentiality practices of proposed sub-processors that will or may have access to or otherwise process personal data.

Current Sub-Processors

Infrastructure & Hosting

Sub-Processor	Service	Data Processed	Location
Amazon Web Services (AWS)	Cloud infrastructure, application hosting, object storage (S3), and compute services	All service data including voice recordings, transcripts, account data, user configurations, system configurations, call metadata, and conversation metadata	United States

AI & Voice Services

Sub-Processor	Service	Data Processed	Location
Deepgram, Inc.	Real-time speech-to-text (STT) transcription of call audio for voice agent processing	Call audio streams (processed transiently); API usage logs (request metadata only)	United States
ElevenLabs Inc.	AI-powered voice synthesis (text-to-speech) for voice agent audio responses	Text inputs, synthesised audio outputs, voice configuration data	United States, Netherlands, Singapore
Google LLC (Gemini LLM)	Large language model (LLM) inference for natural language understanding and response generation	Transcribed speech text, conversation context, session metadata	United States / Global

Communication Services

Sub-Processor	Service	Data Processed	Location
Google LLC (Gmail / Workspace)	Internal business email and workspace communications for AmberNexus personnel	Email addresses, names, internal communication content	United States
Mailgun Technologies, Inc. (Sinch Group)	Transactional notification and OTP email delivery to users and administrators; user registration requests and voice clone requests	Email addresses, names, notification and OTP message content, delivery metadata	United States

Telephony & Voice Channel Services

Sub-Processor	Service	Data Processed	Location
Twilio Inc.	SIP telephony routing and phone number provisioning for call delivery	Call audio (routing only), phone numbers, call timestamps, duration, call status metadata	United States
Plivo Inc.	PSTN telephony routing and phone number provisioning for call delivery	Call audio (routing only), phone numbers, call timestamps, duration, call status metadata	Global

Sub-Processor Details

Amazon Web Services (AWS)

Entity: Amazon Web Services, Inc.
Parent Company: Amazon.com, Inc.
Category: Infrastructure & Hosting
Purpose: Primary cloud infrastructure provider for application hosting, data storage (including voice recordings stored in Amazon S3), compute services, and network delivery. Call transcripts are stored in PostgreSQL. All AmberNexus platform data resides on AWS infrastructure.
Data Types: All customer data, including personal data, voice recordings, call transcripts, call metadata, account data, and usage logs.
Location: United States (primary), data may be stored in other AWS regions as configured.
Certifications: SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1, CSA STAR.
Privacy Policy: Privacy Policy
DPA: AWS Global Data Processing Addendum (incorporated into AWS Service Terms)
Sub-processor List: Subprocessor
Data Retention: AWS S3 does not impose a fixed vendor-side retention period. Retention is entirely controlled by AmberNexus via S3 Lifecycle Policies. AmberNexus retains call recordings in Amazon S3 for up to 3 years from the date of the call or last interaction. Call transcripts are retained in PostgreSQL for up to 3 years. Account and service data is retained for the duration of the account relationship and up to 3 years following account closure.

Deepgram, Inc.

Entity: Deepgram, Inc.
Category: AI & Voice Services
Purpose: Provides real-time automatic speech recognition (ASR / speech-to-text) for transcribing call audio into text as part of the AmberNexus voice agent pipeline. Deepgram processes audio streams in real time during each call and returns transcript data; it does not store audio or transcripts after processing is complete.
Data Types: Call audio streams (processed transiently during the call); API usage logs containing request metadata (e.g. timestamps, duration, request IDs), not audio content or transcript text.
Location: United States (primary). EU endpoint is available for data residency requirements but is not currently used by AmberNexus.
Certifications: SOC 2 Type I & Type II, HIPAA (BAA available), GDPR, CCPA, PCI DSS.
Privacy Policy: Privacy Policy
Security & Compliance: Trust Center
Data Retention: Audio streams are processed ephemerally and are not stored post-transcription, ensuring zero retention for call audio and transcripts. API usage logs (containing request metadata only, no audio or transcript content) are retained for up to 90 days. Customer Data retention is otherwise governed by the applicable Data Processing Agreement between AmberNexus and Deepgram.
Note: Deepgram does not use Customer Content submitted via the API to train its models unless a customer explicitly opts into the Model Improvement Partnership Program. AmberNexus has not opted into this programme.

ElevenLabs Inc.

Entity: ElevenLabs Inc.
Category: AI & Voice Services
Purpose: Provides AI-powered voice synthesis (text-to-speech) technology for generating natural audio responses delivered by AmberNexus voice agents.
Data Types: Text inputs submitted for synthesis, synthesised audio outputs, voice configuration and model data.
Location: United States (primary), processing may also occur in the Netherlands and Singapore.
Privacy Policy: Privacy Policy
DPA: ElevenLabs Data Processing Addendum
Trust Center: Compliance Center
Data Retention: Voice data (audio recordings and derived data) retained for up to 3 years after last interaction, per ElevenLabs Privacy Policy. Conversation transcripts and audio stored via the Agents Platform are retained for 2 years by default; this period is configurable by AmberNexus. ElevenLabs Zero Retention Mode (enterprise) is available for use cases requiring immediate deletion upon request completion.
Note: Voice data may be used by ElevenLabs for AI model improvement. An opt-out is available via ElevenLabs account settings or upon request to ElevenLabs directly.

Google LLC (Gemini LLM)

Entity: Google LLC
Parent Company: Alphabet Inc.
Category: AI & Voice Services
Purpose: Provides large language model (LLM) inference for natural language understanding, intent recognition, and generation of conversational responses within AmberNexus voice agents.
Data Types: Transcribed speech text, conversation context and history, session metadata passed to the model for inference.
Location: United States and other Google Cloud regions globally.
Certifications: ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3, PCI DSS.
Privacy Policy: Privacy Policy
DPA: Google Cloud Data Processing Addendum
Sub-processor List: Subprocessor
Data Retention: Customer context and prompts are processed ephemerally for API fulfillment and are not retained beyond the duration of the API request, subject to AmberNexus's enterprise opt-outs for data caching and abuse monitoring logs. Google explicitly does not use submitted Customer Content via the Google Cloud API to train its foundation models. Refer to the Google Cloud Data Processing Addendum for full details.

Google LLC (Gmail / Google Workspace)

Entity: Google LLC
Parent Company: Alphabet Inc.
Category: Communication Services
Purpose: Internal business email and collaboration tooling used by AmberNexus personnel for operational and administrative communications.
Data Types: Email addresses, names, internal communication content.
Location: United States
Certifications: ISO 27001, SOC 1/2/3, FedRAMP.
Privacy Policy: Privacy Policy
DPA: Google Workspace Data Processing Amendment
Data Retention: Retention of internal email and workspace data is entirely controlled by AmberNexus as the Google Workspace administrator. Google does not impose a fixed vendor-side retention period on Workspace customer data. AmberNexus retains internal communications in line with its internal data governance policy.

Mailgun Technologies, Inc.

Entity: Mailgun Technologies, Inc.
Parent Company: Sinch Group
Category: Communication Services
Purpose: Transactional email delivery for customer-facing notifications and one-time passwords (OTPs) only. Mailgun is not used for marketing communications. Use is limited to service notifications (account access, alerts) and OTP delivery to End Customers and Administrators, as well as processing user registration requests and voice clone requests submitted to AmberNexus.
Data Types: Recipient email addresses, names, email subject lines and OTP/notification message content, email delivery metadata.
Location: United States
Privacy Policy: mailgun.com/legal/privacy-policy
DPA: Mailgun Data Processing Addendum
Data Retention: Email message bodies (including notification and OTP content) are securely purged after 3 days. Email event logs (delivery status, timestamps, metadata) are retained for up to 30 days for deliverability tracking and diagnostics. OTP content is short-lived and typically expires within minutes of delivery.

Twilio Inc.

Entity: Twilio Inc.
Category: Telephony & Voice Channel Services
Purpose: Provision and management of SIP telephone numbers and PSTN call routing services. Twilio enables End Customers to reach AmberNexus-powered voice agents via standard telephone calls.
Data Types: Call audio streams (for routing only), caller and called phone numbers (retained in call detail records), call timestamps and duration, call status metadata. Call recordings are not retained by Twilio on AmberNexus’s behalf.
Location: United States
Certifications: ISO 27001, SOC 2 Type II, PCI DSS Level 1.
Privacy Policy: twilio.com/en-us/legal/privacy
DPA: Twilio Data Protection Addendum
Sub-processor List: SubProcessors
Data Retention: Call detail records (metadata) retained for up to 13 months (400 days) by default, per Twilio's data access policy. TwiML and request inspector logs retained for 30 days. Full data retention overview available at Twilio Data Retention & Deletion. Call recordings are not enabled on the Twilio platform by AmberNexus and are therefore not retained by Twilio.
Note: Call recording at the Twilio platform level is disabled by AmberNexus. All recordings are stored exclusively in AmberNexus's Amazon S3 infrastructure and governed by AmberNexus's own retention policy.

Plivo Inc.

Entity: Plivo Inc.
Category: Telephony & Voice Channel Services
Purpose: Provision and management of PSTN telephone numbers and call routing services as an alternative or supplementary telephony provider.
Data Types: Call audio streams (for routing only), caller and called phone numbers, call timestamps and duration, call status metadata. Call recordings are not retained by Plivo on AmberNexus's behalf.
Location: Global (United States, India, and other regions).
Certifications: ISO 27001, SOC 2 Type II.
Privacy Policy: Privacy Policy
Data Retention: Call detail records (CDRs) retained in Plivo's transactional databases for 90 days from the date of creation. Call recordings are not enabled on the Plivo platform by AmberNexus and are therefore not retained by Plivo.
Note: Call recording at the Plivo platform level is disabled by AmberNexus. All recordings are stored exclusively within AmberNexus's Amazon S3 infrastructure and governed by AmberNexus's own retention policy.

Data Transfer Safeguards

For sub-processors located outside your jurisdiction, we implement appropriate safeguards for the international transfer of personal data:

Safeguard	Applicable To
Standard Contractual Clauses (SCCs)	All non-EEA sub-processors processing personal data of EEA residents
UK International Data Transfer Agreement (IDTA)	Sub-processors processing personal data of UK residents
EU-U.S. Data Privacy Framework	Certified US-based sub-processors where applicable
Data Processing Agreements (DPAs)	All sub-processors, across all jurisdictions
DPDPA Cross-Border Transfer Compliance	Sub-processors processing personal data of residents of India, pursuant to the Digital Personal Data Protection Act, 2023
Jamaica Data Protection Act Compliance	Sub-processors processing personal data of residents of Jamaica, pursuant to the Data Protection Act, 2020

Changes to Sub-Processors

Notification Process

We may update our sub-processors from time to time. When we add or replace a sub-processor that processes personal data:

We will update this page with the new sub-processor details and the effective date of the change.
Enterprise customers with Data Processing Agreements in place will receive email notification at least 30 days prior to the change becoming effective.
Changes become effective 30 days after the date of posting, unless otherwise agreed in writing.

Objection Process

If you have legitimate concerns about a new or replacement sub-processor on grounds related to data protection or data security:

Contact us at privacy@myambergroup.com within 30 days of the date of notification.
We will work with you in good faith to address any legitimate data protection or security concerns.
If concerns cannot be resolved, you may within 30 days of concluded negotiations terminate the affected Services upon written notice.

Contact

For questions about our sub-processors or to request copies of Data Processing Agreements:

Email: privacy@myambergroup.com

Address: Data Protection Officer, Amber Connect Limited, 5th Floor, 13, Haining Road, Kingston 5, Jamaica.

Terms of Service

Effective Date: March 19, 2026

Amber Nexus ("AMBER NEXUS"), a division of Amber Innovations Limited

AMBER NEXUS Terms of Service

These AMBER NEXUS Terms of Service ("Terms") are between ("you" or "your") and Amber Innovations Limited. ("AMBER NEXUS", "we", "us", or "our"). By accessing or using our Services (defined below) in any way, or by completing the account registration process you agree to be bound by these Terms. These Terms apply to your access to and use of Amber Nexus:

Services (including mobile applications) and products accessible via our application programming interfaces (APIs), or otherwise made available to you by us (the "Services").

We may indicate that different or additional terms, conditions, guidelines, policies, or rules apply in relation to your access to and use of some or all of our Services ("Supplemental Terms"), including:

Conversational AI Terms, which apply to your use of certain Services ("Annexure A");
The Voice Library Terms, which applies your use of our Voice Library Service ("Annexure B");
Any other terms and conditions disclosed within the Services, such as restrictions relating to use of a User Voice Model (defined below).

Any Supplemental Terms become part of your agreement with us if you use the applicable Services, and if there is a conflict between these Terms and the Supplemental Terms, the Supplemental Terms will control for that conflict.

1. Eligibility and Use Restrictions

(a) Age.

(b) Authorization.

If you register, access or use our Services on behalf of another person or entity, (i) all references to "you" throughout these Terms (other than in this Section 1(a)) will include that person or entity, (ii) you represent that you are authorized to enter into these Terms on that person's or entity's behalf, and (iii) in the event you or that person or entity violates these Terms, that person or entity also agrees to be responsible to us. If you are an entity using any Services pursuant to these Terms, you are responsible for your employees' and representatives' use of the Services, including ensuring they comply with these Terms.

(c) Use Restrictions.

Your access to and use of the Services and your use of any Output (defined below) must comply with these Terms. Without limiting the forgoing: (i) if you access or use our Services free of charge (such a user, a "Free User"), you may only use the Services for non-commercial purpose; (ii) if you access or use our Services through a paid subscription plan (such a user, a "Paid User"), you may use the Services for commercial purposes, but in either case, your access and use of the Services and any Output must still comply with the Prohibited Use Policy.

2. Personal Data

You may provide certain information to AMBER NEXUS in connection with your access to or use of our Services, or we may otherwise collect certain information about you when you access or use our Services. You represent and warrant that any information that you provide to AMBER NEXUS in connection with the Services is accurate.

You acknowledge that AMBER NEXUS may process personal data relating to the operation, support, or use of our Services for our own business purposes, including:

billing, account management, technical support, and compliance with law – processed as necessary to perform our contract with you or to comply with legal obligations;
analytics, usage tracking, data aggregation, and anonymisation – processed on the basis of our legitimate interest in improving our Services and AI models. You have the right to object to this processing at any time by contacting us at privacy@myambergroup.com; and
research and improvement of our AI models using your Input or Voice Data processed only to the extent you have provided written consent under Section 4(d) of these Terms. You may withdraw that consent at any time in accordance with Section 4(g).

"Voice Data" means audio recordings and derived data generated in connection with your use of the Services, including call recordings, voice inputs, synthesised audio outputs, and call transcripts, as further defined in the Privacy Policy. "Input" means text, audio, or other content you provide to the Services. "Output" means content generated by the Services in response to an Input, including synthesised voice responses.

All terms relating to Data Protection are governed by our Privacy Policy, available at ambernexus.ai/legal.html, which is incorporated into these Terms by reference. The Privacy Policy sets out in full the categories of Personal Data collected, the legal bases for each processing activity, your rights, and the data retention periods that apply, including those applied by our key sub-processors.

3. Accounts

We may require that you create an account in order to use some or all of our Services. You may not share or permit others to use your individual account credentials. You will promptly update any information contained in your account if it changes. You must maintain the security of your account, as applicable, and promptly notify us if you discover or suspect that someone has accessed your account without your permission.

4. Content and User Voice Models; AMBER NEXUS Models

(a) Inputs and Outputs.

You may transmit or otherwise provide data and information as input to our Services ("Input"). When you provide Input to the Services, you may receive audio output generated and returned by one or more AMBER NEXUS Voice Models (defined below), or text output generated and returned by one or more AMBER NEXUS LLMs (defined below), based on Input ("Output") (Input and Output, collectively, the "Content"). Input may include, without limitation, recordings of your voice, text descriptions, or any other content that you may provide to us through the Services. We may enable you to download Output from some (but not all) of the Services; in such cases, you are permitted to use such Output outside of the Services but always subject to these Terms. If you choose to make any of your information publicly available through the Services or otherwise, you do so at your own risk.

(b) User Voice Models (Voice Clones).

Some of our Services allow you to create a digital replication or synthetic version of a human voice (commonly referred to as a "Voice Clone") that can be used to generate Output in the form of synthetic audio sounding like your own voice or the voice of an individual for whom you have obtained all necessary rights, permissions, and consents (each, a "User Voice Model"). To create a User Voice Model, you may be required to upload audio recordings of your own voice or the voice of an individual you are authorized to represent as Input to the Services. You represent and warrant that you have obtained explicit, informed, and legally valid consent from the individual whose voice is used, including consent for synthetic voice generation. Subject to subsection 4(d) below, AMBER NEXUS is permitted to use such audio recordings solely to create, operate, and maintain the User Voice Model and to provide the Services. You may request deletion of your User Voice Models through your account, subject to applicable law and AMBER NEXUS's data retention obligations.

(c) Rights to your Content.

(i) Except as expressly set forth herein, as between you and AMBER NEXUS, you retain all rights in and to your Input.

(ii) For the avoidance of doubt, Output may be generated by, but does not include, AMBER NEXUS' foundational and other artificial intelligence voice models (the "AMBER NEXUS Voice Models") or AMBER NEXUS' foundational and other artificial intelligence or language learning models ("AMBER NEXUS LLMs") (AMBER NEXUS Voice Models and AMBER NEXUS LLMs, collectively, the "AMBER NEXUS Models"). Except as expressly set forth herein, as between you and AMBER NEXUS, you retain all rights in and to your Output.

(d) License to Your Content.

To the extent that You provide AMBER NEXUS with written consent, you hereby grant to AMBER NEXUS a revocable license to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, publicly or otherwise perform and display, and use your Input to provide the Services (including the trust and safety features therein), to improve the Services, and to develop new services and products. For avoidance of doubt, to the extent that your Input includes your voice, the foregoing license allows AMBER NEXUS to reproduce, modify, publish, create derivative works from, distribute, publicly or otherwise perform, and use your voice, and other indicia of your persona that may be contained therein, to provide and improve the Services, and to develop new services and products. Notwithstanding the foregoing, we will not commercialize your voice on a standalone basis without your permission to do so. This non-commercialisation restriction applies equally to all affiliates, vendors, sub-processors, and third-party service providers to whom your Voice Data may be disclosed pursuant to the Privacy Policy, and AMBER NEXUS shall contractually impose equivalent restrictions on such parties. Such license shall be:

Revocable,
nonexclusive (which means you can license your Input to others),
subject to royalties, unless otherwise agreed between the Parties,
worldwide (which means it's valid anywhere in the world), and
non-sub-licensable except that AMBER NEXUS may share your Input with its affiliates, sub-processors, and service providers as listed in the Privacy Policy sub-processor list (ambernexus.ai/subprocessors), solely as necessary to deliver the Services, provided such parties are contractually bound by confidentiality and data protection obligations no less restrictive than those set out in these Terms (which means we cannot otherwise make it available to others unless expressly agreed to in writing by you).

Please note: revoking this license does not automatically result in the immediate deletion of your Personal Data. AMBER NEXUS and its sub-processors may retain your Personal Data for the periods set out in the Privacy Policy data retention schedule (which may be up to 3 years from account closure or call date, and up to 2–3 years for synthesised voice outputs retained by ElevenLabs Inc., as applicable), to the extent required by law or legitimate operational need. Revocation of consent prevents future use of your data for model improvement but does not require deletion of data retained under other lawful bases.

(e) License to User Voice Models.

To the extent you own or acquire any intellectual property rights in or to any User Voice Models, you hereby grant to AMBER NEXUS a limited, revocable, non-exclusive, worldwide license to use, reproduce, modify, adapt, and create derivative works from such User Voice Models solely as necessary to:

provide, operate, and maintain the Services for you;
enable trust, safety, security, and abuse-prevention features; and
improve the performance and functionality of the Services in an aggregated and non-identifiable manner.

Such license is granted subject to the following conditions:

revocable, meaning you may withdraw this license by deleting the applicable User Voice Model or closing your account, subject to applicable law;
non-exclusive, meaning you may license your User Voice Models to others;
royalty-bearing only where expressly agreed in writing between the Parties;
worldwide; and
non-sub-licensable, except to AMBER NEXUS's affiliates, contractors, and subprocessors solely as necessary to provide the Services.

For the avoidance of doubt, AMBER NEXUS shall not commercialize, license, or make available any User Voice Model to third parties without your express permission, including through the Voice Library Service.

Please note: revoking this license or deleting your User Voice Model does not override AMBER NEXUS's data retention obligations under the Privacy Policy. Synthesised voice outputs processed by ElevenLabs Inc. may be retained for up to 2 years (audio/transcripts) and up to 3 years (account history) in accordance with that provider's retention schedule, which operates independently of requests submitted to AMBER NEXUS.

(f) Necessary Rights.

You may not provide Input or create Output for which you do not have all the rights necessary to grant us the license described above. You represent and warrant that the Content and User Voice Models, and our use of the Content and User Voice Models, will not violate any rights of any person or entity, or cause injury to any person or entity.

(g) Data Deletion and Opt Out.

You may request for us to delete your personal data as required under applicable law. Please see our Privacy Policy for more information. In addition, you may request to opt out of your Content and User Voice Models being used by us to improve the Services (including Amber Nexus Models). AMBER NEXUS will action deletion and opt-out requests within 30 business days of receipt. Your Content and User Voice Models will no longer be used to improve our Services (including Amber Nexus Models) once the request has been processed by our team, but does not affect any uses of (or materials resulting from uses of) your Content or User Voice Models prior to that date. Please be aware that certain sub-processors operate independent data retention schedules that may survive a deletion request submitted to AMBER NEXUS. In particular, ElevenLabs Inc. retains synthesised voice outputs for up to 2 years (audio and transcripts) and up to 3 years (account history) from the date of last interaction. AMBER NEXUS will use commercially reasonable efforts to coordinate deletion requests with sub-processors but cannot guarantee deletion within a specific timeframe on third-party systems. Full sub-processor retention periods are published in the Privacy Policy.

5. Our Intellectual Property

(a) Ownership.

The Services, including the text, graphics, images, photographs, videos, illustrations, and other content contained therein, and all intellectual property rights therein and thereto, are owned by AMBER NEXUS or our licensors. Except as explicitly stated in these Terms, all rights in and to the Services, including all intellectual property rights therein and thereto, are reserved by us or our licensors.

(b) Limited License.

Subject to your compliance with these Terms, AMBER NEXUS hereby grants to you a limited, non-exclusive, non-transferable, sublicensable, irrevocable license to access and use our Services. For clarity, any use of the Services other than as specifically authorized herein, without our prior written permission, is strictly prohibited and will terminate the license granted herein.

(c) Trademarks.

The name "AMBER NEXUS" and our logos, product or service names, slogans, and the look and feel of the Services are trademarks of AMBER NEXUS and may not be copied, imitated or used, in whole or in part, without our prior written permission. All other trademarks, registered trademarks, product names, and company names or logos mentioned or in connection with the Services are the property of their respective owners. Reference to any products, services, processes, or other information by trade name, trademark, manufacturer, supplier, or otherwise does not constitute or imply endorsement, sponsorship, or recommendation by us. All white labelled products/Services shall bear the name of the product followed by the wording "Powered by Amber".

6. Subscription Services; Payment

(a) Subscriptions.

Subscription/Service Fees shall be attached as Annexure C. To access and use certain Services, you may be required to enroll in a subscription payment plan (a "Recurring Subscription"). Your Recurring Subscription will automatically renew until you cancel it or your Recurring Subscription is otherwise terminated. AMBER NEXUS will submit an invoice to you every month which shall be settled by you within 30 days of invoice. You may cancel your subscription through your account. You may cancel a Recurring Subscription at any time. Following any cancellation, however, you will continue to have access to the applicable Services through the end of your current subscription period. Subject to mutual agreement between the Parties, AMBER NEXUS may change the prices charged for Recurring Subscriptions at any time by posting updated pricing through the Services; provided, however, that the prices for your Recurring Subscription will remain in force for the duration of the subscription period for which you have paid. After that period ends, your use of the applicable Services will be charged at the then-current subscription price.

(b) Other Usage Charges.

In the event your usage exceeds the volume provided under your Recurring Subscription, you will be charged usage overage fees for your Recurring Subscription, as indicated to you upon subscribing. In such event, we shall invoice you for these additional charges as per the agreed rate.

(c) Payment.

AMBER NEXUS will submit an invoice to you every month which shall be settled by you within 30 days of invoice.

7. Copyright Complaints

(a) Reporting Claims of Copyright Infringement.

If you believe that any content on our Services infringe any copyright that you own or control, you may notify AMBER NEXUS' designated agent (your notification, a "Notice") as follows:

By Email: privacy@myambergroup.com

8. Third-Party Services and Content

(a) Our Services may rely on or interoperate with third-party products and services, including data storage services, communications technologies, third-party LLM providers, and internet and mobile operators (collectively, "Third-Party Services"). These Third-Party Services are beyond our control, but their operation may impact, or be impacted by, the use and reliability of our Services. A current list of our third-party sub-processors, including their data processing roles and applicable retention periods, is maintained at ambernexus.ai/subprocessors in accordance with the Privacy Policy.

9. Indemnification

To the fullest extent permitted by applicable law, both parties will indemnify each other, defend, and hold harmless the other Party and their officers, directors, partners, licensors, employees and agents from and against any losses, liabilities, claims, demands, damages, expenses or costs ("Claims") arising out of or related to: (a) the violation of these Terms; (b) the violation, misappropriation, or infringement of any rights of another (including intellectual property rights or privacy rights); or (c) conduct in connection with the Services or the Content. The breaching party will cooperate with the other party in defending such Claims, and pay all fees, costs, and expenses associated with defending such Claims (including attorneys' fees). The non breaching party will have control of the defense or settlement, at the non breaching parties sole option, of any third-party Claims. This indemnity is in addition to, and not in lieu of, any other indemnities set forth in a written agreement between you and AMBER NEXUS.

10. Disclaimers

AMBER NEXUS does not represent or warrant that our Services or any content provided therein or therewith are error-free or that access to our Services or any content provided therein or therewith will be uninterrupted. While AMBER NEXUS attempts to make your use of our Services and any content provided therein or therewith safe using industry best practices, we cannot and do not represent or warrant that our Services or any content provided therein or therewith are free of viruses or other harmful components or content or materials. All disclaimers of any kind (including in this Section 10 and elsewhere in these Terms) are made for the benefit of all AMBER NEXUS and AMBER NEXUS' respective shareholders, agents, representatives, licensors, suppliers, and service providers, as well as our and their respective successors and assigns.

11. Limitation of Liability

(a)

To the fullest extent permitted by applicable law, either party will not be liable to the other under any theory of liability (whether based in contract, tort, negligence, warranty, or otherwise) for any indirect, consequential, exemplary, incidental, punitive, or special damages or lost profits.

(b)

The total liability of AMBER NEXUS for any claim arising out of or relating to these Terms or our Services, regardless of the form of the action, is limited to the amount paid by you to use our Services in the 12 months preceding the claim.

12. Dispute Resolution; Arbitration

Please read this Section 12 carefully because it requires you and AMBER NEXUS to arbitrate certain disputes and claims and limits the manner in which we can seek relief from each other.

(a) Informal Dispute Resolution Prior to Arbitration.

For any dispute or claim between you and AMBER NEXUS arising out of or relating in any way to your access to or use of the Services, any communications you receive, any products sold or distributed through the Services or these Terms and prior versions of these Terms, including claims and disputes that arose between you and us before the effective date of these Terms, or any privacy or data security claims, (collectively, "Disputes", and each a "Dispute"), you and AMBER NEXUS agree to attempt to first resolve the Claim informally via the following process:

If you assert a Dispute against AMBER NEXUS, you will first contact AMBER NEXUS by sending a written notice of your Dispute to AMBER NEXUS by email to privacy@myambergroup.com. If AMBER NEXUS asserts a Dispute against you, AMBER NEXUS will contact you by sending a written notice of AMBER NEXUS' Dispute to you via email to the primary email address associated with your account.

If you and AMBER NEXUS cannot reach an agreement to resolve the Dispute within 30 days after you or AMBER NEXUS receives the applicable notice, then either party may submit the Dispute to binding arbitration as set forth below. The statute of limitations and any filing fee deadlines shall be tolled for thirty (30) days from the date that either you or AMBER NEXUS first send the applicable notice so that the parties can engage in this informal dispute-resolution process.

(b) Disputes Subject to Arbitration; Exceptions.

Except for individual disputes that qualify for small claims court and any disputes exclusively related to the intellectual property or intellectual property rights of you or AMBER NEXUS, including any disputes in which you or AMBER NEXUS seek injunctive or other equitable relief for the alleged unlawful use of your or AMBER NEXUS' intellectual property or other infringement of your or AMBER NEXUS' intellectual property rights ("IP Disputes"), all Disputes, whether based in contract, tort, statute, fraud, misrepresentation, or any other legal theory, that are not resolved in accordance with Section 12(a) will be resolved by a neutral arbitrator through arbitration instead of in a court. The arbitration shall be governed by Jamaican law under the Arbitration Act, 2017 subject to JAIAC Arbitration Rules. The arbitrator will have the authority to grant any remedy or relief that would otherwise be available in court.

A party who wishes to initiate arbitration must provide the other party with a request for arbitration (the "Request"). The Request must include: (i) the name, mailing address, email address, and telephone number of the party seeking arbitration and the email address associated with any applicable account; (ii) a statement of the legal claims being asserted and the factual bases of those claims; (iii) a description of the remedy sought and an accurate, good faith calculation of the amount in controversy in United States dollars; (iv) a statement certifying completion of the informal dispute resolution process as described in Section 12(a) above; and (v) evidence that the requesting party has paid any necessary filing fees in connection with such arbitration.

If the party requesting arbitration is represented by counsel, the Request shall also include such counsel's name, mailing address, email address, and telephone number. Such counsel must also sign the Request. By signing the Request, counsel certifies to the best of counsel's knowledge, information, and belief, formed after an inquiry reasonable under the circumstances, that: (A) the Request is not being presented for an improper purpose, such as to harass, cause unnecessary delay, or needlessly increase the cost of dispute resolution; (B) the claims, defenses and other legal contentions are warranted by existing law or by a non-frivolous argument for extending, modifying, or reversing existing law or for establishing new law; and (C) the factual and damages contentions have evidentiary support or, if specifically so identified, will likely have evidentiary support after a reasonable opportunity for further investigation or discovery.

You and AMBER NEXUS agree that all materials and documents exchanged during the arbitration proceedings shall be kept confidential and shall not be shared with anyone except the parties' attorneys, accountants, or authorized representatives, and shall be subject to the condition that they agree to keep all materials and documents exchanged during the arbitration proceedings strictly confidential.

13. Governing Law

Any Claims will be governed by and construed and enforced in accordance with the laws of Jamaica.

Notwithstanding the foregoing, nothing in this Section 13 limits or excludes the statutory data protection rights of users under the laws of their country of residence. In particular:

Users residing in the European Economic Area or the United Kingdom retain all rights under the EU GDPR or UK GDPR respectively, including the right to lodge a complaint with their local supervisory authority.
Users residing in India retain all rights under the Digital Personal Data Protection Act, 2023 ("DPDPA"), including rights of nomination, grievance redressal, and the right to approach the Data Protection Board of India.
Users residing in Jamaica retain all rights under the Data Protection Act, 2020, including oversight by the Office of the Information Commissioner.

The general Jamaican law clause governs commercial disputes under these Terms; it does not displace users' statutory data protection rights in their jurisdiction of residence. Where a data protection claim cannot be resolved under Jamaican law, the applicable local data protection law shall govern that claim.

14. Modifying

No modification of these terms shall be of any force or effect unless modified and agreed in writing by both Parties.

15. Miscellaneous

(a)

These Terms reflect the entire agreement between the parties relating to the subject matter hereof and supersede all prior agreements, representations, statements, and understandings of the parties. Except as otherwise provided herein, these Terms are intended solely for the benefit of the parties and are not intended to confer third-party beneficiary rights upon any other person or entity. Communications and transactions between us may be conducted electronically.

(b)

The section titles in these Terms are for convenience only and have no legal or contractual effect. Lists of examples following "including" or "e.g." or similar words are not exhaustive (that is, they are interpreted to include "without limitation").

(c)

If any portion of these Terms is found to be unenforceable or unlawful for any reason, including but not limited to because it is found to be unconscionable, (a) the unenforceable or unlawful provision will be severed from these Terms; (b) severance of the unenforceable or unlawful provision will have no impact whatsoever on the remainder of these Terms; and (c) the unenforceable or unlawful provision may be revised to the extent required to render the Terms enforceable or valid, and the rights and responsibilities of the parties will be interpreted and enforced accordingly, so as to preserve the Terms and the intent of the Terms to the fullest possible extent.

(d)

If you have a question or complaint regarding the Services, please send an email to privacy@myambergroup.com

Annexure A

Conversational AI Terms

These Conversational AI Terms ("Service Terms") supplement your ("you", "your" or "Customer") existing Terms of Service with AMBER NEXUS (the "Underlying AMBER NEXUS Agreement"). Defined terms used in these Service Terms have the meanings set forth in the Underlying AMBER NEXUS Agreement.

By using Conversational AI you agree to these Service Terms. Service Terms constitute a legally binding contract between you and AMBER NEXUS. In case of any conflict between these Service Terms and other terms agreed upon between you and AMBER NEXUS, these Service Terms shall prevail with respect to your access or use of Conversational AI.

1. CONVERSATIONAL AI

"Conversational AI" is a solution offered by AMBER NEXUS that enables the deployment of interactive AI voice agents ("Customer AI Agent") as part of AMBER NEXUS' Services. Conversational AI is powered in part by one or more third-party LLM providers ("LLM Provider"). By using Conversational AI, you acknowledge and agree that you may interact with and direct information to these LLM Providers and that you must comply with applicable LLM Provider policies.

2. RESTRICTIONS

Customer shall not, and shall not permit its End Users (defined below) to:

use Conversational AI or LLM Provider services hereunder in a manner that violates any applicable laws or infringes, misappropriates or otherwise violates any party's intellectual property rights;
modify or create derivative works of Conversational AI or LLM Provider services;
reverse assemble, reverse compile, reverse engineer, decompile, translate, engage in model extraction or stealing attacks, or otherwise attempt to discover the source code or underlying components of models, algorithms, and systems of Conversational AI or those of an LLM Provider (except to the extent such restrictions are contrary to applicable law, in which case, if you reside in a jurisdiction that expressly prohibits such restrictions, you must provide AMBER NEXUS with advance written notice prior to engaging in any such activities, and AMBER NEXUS may, in its discretion, either provide such information to you or impose reasonable conditions, including a reasonable fee, on such use of AMBER NEXUS' source code for Conversational AI to ensure AMBER NEXUS' (and our suppliers') proprietary rights in such source code are protected);
provide as Input to Conversational AI or otherwise submit or make accessible to AMBER NEXUS any financial account identifiers (e.g., credit card numbers or bank account numbers), government issued identifiers (e.g., social insurance numbers, health card numbers) or other types of sensitive data that is subject to specific or elevated data protection requirements, including without limitation protected health information ("Prohibited Data"), unless AMBER NEXUS has expressly agreed in writing that it can comply with such requirements. AMBER NEXUS reserves the right to delete any such Prohibited Data at its sole discretion; or
use the Conversational AI or LLM Provider services in violation of any applicable laws or regulations governing the initiation, placement, recording, or monitoring of telephone calls or other voice communications.

3. RESPONSIBILITIES

Customer shall clearly and prominently inform its End Users that (a) they are interacting with AI rather than a human, and (b) conversations are being recorded and may be shared with AMBER NEXUS and LLM Providers. Customer is also required to update its privacy policies accordingly. In the event Customer initiates outbound calls using Conversational AI, Customer shall be responsible for obtaining all legally required consents and providing all legally required disclosures related thereto. Customer is solely responsible for ensuring compliance with all applicable laws, regulations, and industry standards in connection with Customer's use of Conversational AI.

4. END USERS

Each End User that has access to a Customer AI Agent must have accepted an End User Agreement (defined below) that includes the following terms: (1) End Users must be bound by restrictions, obligations, and prohibitions regarding their use of the Customer AI Agent at least as restrictive as those found in Amber Nexus Terms of Service and these Service Terms; (2) Customer is not AMBER NEXUS' agent or partner or in a joint venture with AMBER NEXUS; (3) AMBER NEXUS is a third-party beneficiary of Customer's agreement with End Users; and (4) End User grants AMBER NEXUS and its affiliates and subcontractors a non-exclusive right to process and use End User's data to provide and support the Services. Customer will not make any representations or warranties in the End User Agreement regarding the functionality or performance of the Services that conflict with the Underlying AMBER NEXUS Agreement. The End User Agreement must be binding on End Users under applicable laws and regulations in the jurisdiction in which Customer is providing access to the Customer AI Agent. As used herein, "End User" means Customer's customer that (w) is licensing or using the Customer AI Agent only for its own internal business operations or personal use, and (x) has signed an End User Agreement. "End User Agreement" means a (y) written contract, or (z) "clickwrap" style online agreements involving conspicuous notice to End Users and an affirmative click to accept by End Users, entered into between Customer and any End User pursuant to which End User accesses or uses the Customer AI Agent.

5. NO PROFESSIONAL OR MEDICAL ADVICE

OUTPUT GENERATED BY CONVERSATIONAL AI IS FOR INFORMATIONAL PURPOSES ONLY AND DOES NOT CONSTITUTE PROFESSIONAL ADVICE IN ANY FIELD, INCLUDING WITHOUT LIMITATION MEDICAL, LEGAL, ACCOUNTING, FINANCIAL, INVESTMENT, OR PSYCHOLOGICAL ADVICE. CUSTOMER AGREES NOT TO RELY ON SUCH OUTPUT AS A SUBSTITUTE FOR PROFESSIONAL ADVICE. ALWAYS SEEK ADVICE FROM A QUALIFIED PROFESSIONAL. AMBER NEXUS DISCLAIMS ALL LIABILITY FOR ANY ACTIONS TAKEN BASED ON OUTPUT GENERATED BY CONVERSATIONAL AI. ANY RELIANCE ON OUTPUT IS SOLELY AT CUSTOMER'S OWN RISK.

6. BRING YOUR OWN LARGE LANGUAGE MODEL

If Customer elects to integrate a Customer-Provided LLM (defined below) with Conversational AI, the following terms also apply:

6.1 Defined Terms:

"BYO-LLM Integration" means the integration of the Customer-Provided LLM with Conversational AI to enable interaction and functionality with the Customer-Provided LLM.

"Customer-Provided LLM" means any algorithm or machine learning model developed, licensed, or sourced by Customer independently from the Services ("Third-Party Model") and integrated into the Services by Customer for use with Conversational AI. For the avoidance of doubt, "Customer-Provided LLM" shall not include Conversational AI.

6.2 License to Access and Use Customer-Provided LLM.

Customer hereby grants AMBER NEXUS a revocable non-exclusive, non-transferable license to access, interact with and use the Customer-Provided LLM as necessary to deliver Conversational AI.

6.3 Customer Responsibility for Customer-Provided LLM.

6.3.1 Customer acknowledges and agrees that any Customer-Provided LLM is solely its responsibility, including without limitation the procurement, management, and compliance obligations associated with such Third-Party Model.

6.3.2 Customer represents and warrants that: (1) it has all necessary licenses, consents, permissions or approvals necessary to access and use the Customer-Provided LLMs in conjunction with the Services provided hereunder; (2) its use of the Customer-Provided LLMs hereunder shall comply with AMBER NEXUS' Prohibited Use Policy and any agreements or terms governing the use of such Customer-Provided LLM; and (3) it shall not use any Customer-Provided LLMs in any manner that infringes upon any third party rights, violates applicable laws, or introduces security vulnerabilities, or compromises the integrity of the Services or AMBER NEXUS' other customers.

6.3.3 Customer retains ownership of any data processed by the Customer-Provided LLM. Customer represents and warrants that all data used with the Customer-Provided LLM complies with all applicable data protection laws.

6.4 No Subprocessor Relationship.

Customer acknowledges that Customer and AMBER NEXUS operate independently, and any Third-Party Model integrated with Conversational AI through a BYO-LLM Integration shall not be deemed a subprocessor of AMBER NEXUS. Customer shall be solely responsible for (i) establishing any required contractual or compliance obligations with the Third Party Model, including obtaining any necessary consents or authorizations for data processing; and (ii) ensuring that the Customer-Provided LLM complies with all applicable laws, including data protection laws and regulations.

6.5 Compliance and Security Requirements.

6.5.1 Customer agrees that it is solely responsible for ensuring that the Customer-Provided LLM operates in compliance with applicable data protection laws and security standards. Customer shall implement appropriate security measures and protocols to protect both its data and the integrity of AMBER NEXUS' Services when using the Customer-Provided LLM. Customer shall be responsible, and assumes all liability, for security vulnerabilities or data protection obligations introduced through the use of the Customer-Provided LLM.

6.5.2 Without prejudice to AMBER NEXUS's security obligations, Customer acknowledges and agrees that it, rather than AMBER NEXUS, is responsible for certain configurations and design decisions for the Customer-Provided LLM and Customer AI Agent, and that Customer, and not AMBER NEXUS, is responsible for implementing those configurations and design decisions in a secure manner that complies with applicable data protection laws.

6.5.3 Customer bears sole responsibility for its API, including without limitation, the API's configuration and access control functionalities, and assumes all liability for damages. Customer is solely responsible for maintaining the confidentiality and security of its API keys. Customer is responsible for all activities that occur under its API keys, regardless of whether such activities are authorized by Customer.

6.6 Restrictions.

6.6.1 Customer shall not use the Customer-Provided LLM to generate, create, or distribute content that is illegal, offensive, defamatory, or otherwise in violation of AMBER NEXUS' Prohibited Use Policy. Additionally, Customer shall not use the Customer-Provided LLM to create, generate or distribute any sexual content. AMBER NEXUS reserves the right to suspend or terminate Customer's access to the BYO-LLM Integration if the Customer-Provided LLM is used in violation of Amber Nexus Terms of Service or these Service Terms.

6.6.2 Customer shall not use the BYO-LLM Integration to develop competing models or services.

6.7 No Warranty or Support Obligation.

6.7.1 AMBER NEXUS makes no representations, warranties or guarantees regarding the functionality, performance, reliability, accuracy, or security of any Customer-Provided LLM. Customer acknowledges that AMBER NEXUS is not responsible for any outcomes, errors, or issues arising from the Customer-Provided LLM's performance within the BYO-LLM Integration.

6.7.2 AMBER NEXUS shall have no obligation to provide support or maintenance for any issues specific to the Customer-Provided LLM. For clarity, any service level commitments made by AMBER NEXUS do not apply to Customer-Provided LLMs.

6.8 Indemnification.

Without limiting Customer's indemnity obligations under the Underlying AMBER NEXUS Agreement or as otherwise set forth herein, Customer agrees to indemnify, defend, and hold harmless AMBER NEXUS and its officers, directors, partners, licensors, employees and agents from any claims, damages, losses, or liabilities arising from or related to the Customer-Provided LLM, including without limitation claims related to intellectual property infringement, data privacy violations, content generated through the Customer-Provided LLM, and security breaches caused by or related to the Customer-Provided LLM.

6.9 Termination and Suspension Rights.

AMBER NEXUS reserves the right to suspend or terminate the Customer's access to the BYO-LLM Integration on 60 days written notice, if the Customer-Provided LLM poses a security or safety risk, violates the Underlying AMBER NEXUS Agreement, or if Customer is in breach of any terms herein. Upon termination, AMBER NEXUS will revoke access to the BYO-LLM Integration and handle any data associated with the Customer-Provided LLM in accordance with AMBER NEXUS' data retention policies.

Annexure B

Voice Library Terms

These Voice Library Terms supplements Amber Nexus Terms of Service ("Terms of Service") and, together with the Terms of Service, applies to your use of our Voice Library Service, including the sharing of User Voice Models on or through the Voice Library Service. Defined terms used in this Annexure B have the meanings set forth in the Terms of Service.

1. Content on the Voice Library

The Voice Library Service makes available AMBER NEXUS Voice Models, provided by AMBER NEXUS, as well as User Voice Models, provided by AMBER NEXUS users, including you, through the Services. The rights in and to AMBER NEXUS Voice Models and User Voice Models, including those made available as part of the Voice Library Service, are set out in our Terms of Service.

2. Sharing User Voice Models in the Voice Library

You may share User Voice Models you've generated on our platform through the Voice Library Service. If you chose to do so, you hereby authorize us, subject to agreed license fee terms, to make available the User Voice Models for others to access and use through the Voice Library Service in accordance with the Terms of Service and these Voice Library terms ("Voice Library License"). For clarity, others may be able to generate Output with the User Voice Models you have shared in our Library subject to the payment of license fees.

3. Eligibility & Conditions

As a condition of making available any User Voice Model in the Voice Library, you agree that you satisfy (and will continue to satisfy) the following requirements: You must create and share a User Voice Model based on your voice using our technology and platform. You must not create and share a User Voice Model based on another person's voice or an altered version of your voice.

4. Personal Data

Nothing in this Annexure B shall be construed as waiving or limiting any rights or protections conferred to the user under personal data protection and privacy laws.

5. Termination

You can terminate your participation in the Voice Library service by deleting the User Voice Models you have shared from your account or deleting your account, subject to the procedure described below. In the event you terminate your participation in the Voice Library service, your User Voice Models will be available until the end of the Notice Period as set forth above.

The termination of your participation in the Voice Library service will not impact the transfer or licensing of intellectual property and other rights up to the point of termination.

This Annexure B and the Terms of Service may be terminated if you exercise your legal right to withdraw consent for the processing of the necessary categories of their personal data by AMBER NEXUS, as defined by applicable laws and which are necessary to fulfill the purpose of this service. If this occurs, we will treat it as an Early Revocation Request and you will pay the corresponding fee described above.

6. Other Terms

To the fullest extent permitted by applicable law, we reserve the right to review and remove any User Voice Model made available in the Voice Library in our sole discretion, and at any point in time, with notice to you, including as indicated in the Terms of Service.

Annexure C

Service/Subscription Fees

Service/Subscription Fees information will be provided separately.