IZZI AI — Enterprise Privacy Policy

This Privacy Policy describes how IZZI AI, a product of SSUP ("IZZI", "we", "us", or "our"), collects, uses, processes, stores, transfers, and protects Personal Data in connection with our agentic AI communication infrastructure platform, including AI video avatars, voice agents, automation workflows, in-call commerce capabilities, internal business process automation, and associated services (collectively, the "Services").

IZZI acts as a data controller with respect to data collected directly through its website and platform. IZZI acts as a data processor with respect to Personal Data processed on behalf of enterprise clients ("Customers") in delivery of the Services.

For all privacy enquiries, contact privacy@myizzi.ai.

This Privacy Policy applies to:

• Visitors to myizzi.ai and associated IZZI-operated web properties
• Customers and authorised users accessing the IZZI platform
• End-users interacting with IZZI AI agents deployed by Customers
• Individuals whose data is processed through IZZI integrations with third-party systems

This Policy does not apply to third-party services integrated with the IZZI platform, which are governed by their own privacy policies.

Personal Data: Any information that identifies or can reasonably be linked to an identified or identifiable natural person.

Customer: Any organisation or business under agreement with IZZI to use the Services.

End-User: Any individual who interacts with an IZZI AI agent deployed by a Customer.

AI Agent: An autonomous AI system deployed by IZZI to conduct voice or video conversations, send communications, manage workflows, or execute transactions on behalf of a Customer.

Visual Call Data: Screen content, product imagery, property media, or visual materials displayed during a live AI-assisted call.

Interaction Data: Audio, video, transcripts, chat logs, and metadata generated during AI conversations.

Agentic Action Data: Records of autonomous actions taken by IZZI AI agents, including emails sent, tasks created, workflows triggered, and transactions completed.

Biometric-Adjacent Data: Voice patterns, facial image processing, and likeness data used in avatar creation or voice synthesis.

4.1 Data Collected Directly

Identity and Contact Data: Full name, email address, phone number, job title, company name, and contact information provided when registering, requesting a demo, or contacting IZZI.

Account and Configuration Data: Login credentials, platform configuration settings, integration preferences, and usage parameters set by Customers or authorised users.

Communication Data: Emails, messages, and correspondence with IZZI team or platform.

4.2 Data Collected Through Service Delivery

Interaction Data: Audio recordings, video recordings, call transcripts, chat logs, and conversation metadata generated when End-Users interact with IZZI AI agents. Recording is enabled only where the Customer has configured it and obtained required consents.

Visual Call Data: Content displayed during AI-assisted visual calls, including property media, product catalogues, travel itineraries, and related materials. This is not retained beyond session unless explicitly configured by the Customer.

Agentic Action Data: Records of autonomous actions taken on behalf of Customers, including outbound communications, task updates, CRM updates, workflow triggers, and transaction processing.

Transaction and Payment Data: Purchase details, payment method metadata, and order confirmation information for in-call commerce. Full payment card data is processed through PCI DSS-compliant infrastructure and is not stored by IZZI.

Integration Data: Data received from or transmitted to integrated third-party systems, including CRM, ERP, payment gateways, calendars, and communication tools, based on Customer configuration.

Technical Data: IP addresses, device identifiers, browser type and version, operating system, session data, and access logs.

Analytics and Performance Data: Usage patterns, call performance metrics, conversion data, response time data, and operational analytics.

4.3 Biometric-Adjacent Data

Voice Data: Where IZZI creates custom AI voices, authorised voice samples are used to generate synthetic models and retained only as required to build those models unless otherwise agreed.

Likeness Data: Where IZZI creates a custom avatar from an identifiable person, Customers are responsible for obtaining all required consents and permissions before providing such data.

Voice Pattern Processing: Real-time processing may be used to facilitate natural conversation and is transient unless explicitly configured by the Customer for a permitted purpose.

IZZI does not use biometric-adjacent data to identify individuals without their knowledge, build persistent biometric profiles, or process it beyond service delivery.

Where processing is based on consent, consent may be withdrawn at any time without affecting lawfulness of prior processing.

• Service Delivery: Operate, maintain, and improve platform services.
• AI Agent Operations: Enable conversations, workflows, transactions, and agentic actions.
• Personalisation: Adapt interactions according to configured context.
• Performance and Analytics: Produce operational insights for Customers.
• Security and Integrity: Detect and respond to abuse, fraud, and incidents.
• Legal Compliance: Satisfy lawful requests and regulatory obligations.
• Service Communications: Send operational and transactional notices.
• Marketing: Send permitted marketing communications with opt-out support.

Model Training and Improvement: IZZI uses Client Data, End-User interaction data, and platform usage data to train, fine-tune, and improve AI models, including models deployed specifically for a Client use case. This improves model accuracy, personalization, and effectiveness over time for each Client industry, catalogue, and customer base. Client-specific training data is not directly disclosed to or made accessible by other clients.

Clients may request information about model training activities by contacting privacy@myizzi.ai. Upon contract termination, IZZI will, to the extent technically feasible and upon written request, remove Client-specific training data from deployed models within ninety (90) days. IZZI may use anonymised, aggregated, de-identified data derived from platform usage for general platform research and improvement, provided no Client-identifiable information is disclosed.

7.1 Nature of Agentic Processing

IZZI platform operates as an agentic AI system capable of autonomous actions, including initiating communications, qualifying leads, processing transactions, creating tasks, updating CRM records, and managing interactions.

7.2 Automated Decisions Affecting Individuals

Where significant decisions are automated, Customers are responsible for ensuring suitable human oversight, disclosure, review rights, and sector-specific compliance. IZZI provides configuration tools and audit trails to support these obligations.

7.3 Transparency to End-Users

Customers are responsible for informing End-Users when they interact with AI systems in accordance with applicable transparency obligations.

8.1 We Do Not Sell Personal Data

IZZI does not sell, rent, or transfer Personal Data to third parties for their own commercial purposes.

8.2 Service Providers and Sub-Processors

IZZI engages Sub-Processors for infrastructure, AI models, payments, communications, and analytics. All are contractually bound by data protection obligations.

Customers may request the current Sub-Processor list at privacy@myizzi.ai.

8.3 Customer Integrations

Where Customers connect third-party systems, data is transmitted based on Customer instructions. IZZI is not responsible for third-party platform privacy practices.

8.4 Legal Disclosure

IZZI may disclose data to competent authorities, regulators, or courts where required by law or legal process.

8.5 Business Transfers

In a merger, acquisition, restructuring, or asset sale, Personal Data may transfer to a successor entity with equivalent protections.

IZZI operates globally and may transfer Personal Data across jurisdictions. Where data is transferred outside origin jurisdiction, IZZI implements safeguards including SCCs, contractual protections, adequacy mechanisms, and appropriate technical and organizational security controls.

Customers with data localization requirements should contact IZZI to discuss deployment options aligned with those obligations.

10.1 UAE (PDPL): IZZI aligns with lawful processing, minimization, purpose limitation, rights, and transfer safeguards.

10.2 Saudi Arabia (PDPL): IZZI aligns with consent, notification, and transfer requirements under applicable law.

10.3 United Kingdom (UK GDPR): UK rights include access, rectification, erasure, restriction, portability, and objection.

10.4 Singapore (PDPA): IZZI aligns with consent, purpose limitation, protection obligations, and breach requirements.

10.5 European Union (GDPR): IZZI provides processing aligned with GDPR and supports DPAs where required.

10.6 United States: IZZI aligns with applicable state privacy obligations, including CCPA and CPRA where relevant.

Depending on jurisdiction, you may have rights to:

• Access
• Rectification
• Erasure
• Restriction
• Portability
• Objection
• Human review of automated decisions
• Withdrawal of consent where applicable

End-Users whose data is processed on behalf of a Customer should direct requests to that Customer first. IZZI assists Customers under contractual obligations.

To exercise rights directly with IZZI, contact privacy@myizzi.ai. IZZI responds within legally required timelines.

• Encryption in transit (TLS 1.2+) and at rest (AES-256)
• Role-based access controls and multi-factor authentication
• Regular security assessments and penetration testing
• Security monitoring and incident detection systems
• Employee security training and access management
• Physical data center security controls
• Data processing agreements with all Sub-Processors

Payment card data for in-call commerce is handled through PCI DSS-compliant infrastructure. IZZI does not store full card numbers.

No system is fully immune to incidents. Where required by law, IZZI notifies affected Customers and relevant authorities in required timeframes.

In the event of a Personal Data breach, IZZI notifies affected Customers without undue delay and, where feasible, within 72 hours of awareness. Notifications include breach nature, likely impact, affected categories, and mitigation actions. IZZI cooperates with Customers on regulatory and data subject notifications.

IZZI uses cookies and similar technologies for strictly necessary, functional, analytics, and marketing purposes. You can manage preferences via browser settings or cookie preference center. Disabling some cookies may affect platform functionality.

Services are intended for business use and are not directed to individuals under 18. IZZI does not knowingly collect Personal Data from minors. If you believe this occurred, contact privacy@myizzi.ai.

IZZI may update this Policy from time to time. Customers are notified of material changes by email or in-platform notice at least 30 days before changes take effect. Continued use after effective date constitutes acceptance.

For privacy requests, enquiries, or concerns:

• Privacy Team: privacy@myizzi.ai
• General: hello@myizzi.ai
• Website: myizzi.ai
• IZZI AI is a product of SSUP.