Manufar Sirri

I. Introduction

1. Our Commitment to Privacy

MessageActivity LLC ("MessageActivity," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and related services (collectively, the "Service").

By using MessageActivity, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.

2. Scope of This Policy

This Privacy Policy applies to information collected through:

• The MessageActivity mobile application (iOS and Android)
• Our website and related web services
• Email, text, and other electronic communications
• Interactions with our customer support team

II. Information We Collect

3. Information You Provide to Us

We collect information that you voluntarily provide when using our Service, including:

Account Information

• Name and contact details (email address, phone number)
• Business name and professional information
• Payment information (processed securely through third-party payment processors)
• Profile information and preferences

Client & Sales Data

• Client and prospect contact information you enter
• Communication history (emails, SMS messages, call logs, transcriptions)
• Lead scoring and sales pipeline data
• Task lists, appointments, and follow-up schedules
• Document uploads and message templates
• Custom notes, tags, and client preferences

Communications

• Messages and feedback you send to our support team
• Responses to surveys or questionnaires
• Reviews, ratings, or testimonials

4. Information Collected Automatically

When you access and use our Service, we may automatically collect certain information about your device and usage patterns:

Device Information

• Device type, operating system, and version
• Unique device identifiers (UDID, advertising ID)
• Mobile network information
• IP address and general location data (city/region level)

Usage Data

• App features and functions you use
• Time spent in the app and interaction patterns
• Error logs and diagnostic data
• Performance metrics and crash reports

Analytics & Cookies

We use analytics tools and similar technologies to collect usage data and improve our Service. This may include cookies, web beacons, and other tracking technologies. For more information, see Section 11 (Cookies & Tracking Technologies).

5. Information from Third Parties

We may receive information about you from third-party sources, including:

• Payment processors (transaction confirmations, fraud prevention data)
• Marketing and analytics partners
• Publicly available sources
• Third-party integrations you connect to MessageActivity (e.g., email providers, SMS providers, accounting software)

III. How We Use Your Information

6. Purposes of Data Processing

We use the information we collect for the following purposes:

Providing & Improving the Service

• Operate, maintain, and deliver the MessageActivity app and its features
• Process transactions and manage subscriptions
• Provide customer support and respond to inquiries
• Develop new features and improve existing functionality
• Personalize your experience and provide tailored recommendations

Sales Process Maximizer AI-Powered Features

• Analyze your sales conversations to provide coaching recommendations
• Transcribe and analyze call recordings for insights
• Optimize send times for email and SMS campaigns based on engagement patterns
• Train and improve our AI models (using aggregated, anonymized data)

Communication

• Send transactional emails (account confirmations, password resets, payment receipts)
• Facilitate communication between you and your clients via email, SMS, and voice
• Provide customer support and respond to your requests
• Send service announcements and important updates
• Deliver marketing communications (if you opt in)

Security & Compliance

• Detect, prevent, and investigate fraud and security threats
• Enforce our Terms of Service and other policies
• Comply with legal obligations and regulatory requirements (including TCPA, CMS, GDPR, CCPA)
• Protect the rights, property, and safety of MessageActivity, our users, and others

Analytics & Research

• Analyze usage trends and user behavior
• Conduct market research and product development
• Generate aggregated, anonymized statistics and insights
• Measure the effectiveness of marketing campaigns

7. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), United Kingdom, or other jurisdictions with similar data protection laws, we process your personal data based on the following legal grounds:

• Contract Performance: Processing necessary to provide the Service and fulfill our contractual obligations to you
• Legitimate Interests: Processing necessary for our legitimate business interests (e.g., improving the Service, fraud prevention, analytics)
• Consent: Processing based on your explicit consent (e.g., marketing communications, optional features)
• Legal Obligation: Processing required to comply with applicable laws and regulations

IV. Data Sharing & Disclosure

8. How We Share Your Information

We do not sell your personal information to third parties. We may share your information in the following circumstances:

Service Providers

We share information with third-party vendors and service providers who perform services on our behalf, including:

• Cloud hosting and data storage providers (Supabase, AWS, Google Cloud)
• Payment processors and billing services (Stripe)
• Email service providers (SendGrid, Mailgun, etc.)
• SMS and VoIP providers (Telnyx)
• AI and transcription services (OpenAI, Deepgram, etc.)
• Analytics and performance monitoring tools
• Customer support platforms
• Marketing and advertising partners

These service providers are contractually obligated to protect your information and may only use it to provide services to MessageActivity.

Business Integrations

If you connect MessageActivity with third-party services (e.g., accounting software, CRM integrations), we will share relevant data with those platforms as necessary to provide the integration. Your use of third-party services is governed by their respective privacy policies.

Legal Requirements & Protection

We may disclose your information if required to do so by law or if we believe such action is necessary to:

• Comply with legal obligations, court orders, or government requests
• Enforce our Terms of Service or other agreements
• Detect, prevent, or investigate fraud, security threats, or illegal activity
• Protect the rights, property, or safety of MessageActivity, our users, or the public

Business Transfers

If MessageActivity is involved in a merger, acquisition, asset sale, bankruptcy, or other business transaction, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.

Aggregated & Anonymized Data

We may share aggregated, anonymized, or de-identified data that does not directly identify you with third parties for research, marketing, analytics, or other business purposes.

V. Data Security & Retention

9. How We Protect Your Information

We implement reasonable administrative, technical, and physical security measures to protect your information from unauthorized access, disclosure, alteration, or destruction. These measures include:

• Encryption of data in transit (TLS/SSL) and at rest
• Secure cloud infrastructure with access controls
• Regular security audits and vulnerability assessments
• Employee training on data protection and privacy practices
• Multi-factor authentication and role-based access controls

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.

10. Data Retention

We retain your information for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. Retention periods vary based on the type of data:

• Account Information: Retained for the duration of your account, plus a reasonable period after account closure for legal and business purposes
• Client & Communication Data: Retained while your account is active and for a period after cancellation to facilitate reactivation
• CMS-Regulated Records: Call recordings, transcriptions, and compliance documentation may be retained for up to 10 years as required by CMS regulations for Medicare and insurance communications
• Transaction Records: Retained as required by tax and financial regulations (typically 7 years)
• Usage & Analytics Data: Retained for up to 3 years for analytics and product improvement
• Marketing Data: Retained until you opt out or request deletion

When data is no longer needed, we will securely delete or anonymize it. You may request deletion of your data at any time, subject to legal and operational requirements (see Section 13: Your Rights and Choices).

VI. Cookies & Tracking Technologies

11. Use of Cookies & Similar Technologies

We use cookies, web beacons, pixels, and similar tracking technologies to collect usage data, improve functionality, and deliver personalized experiences.

Types of Cookies We Use

• Essential Cookies: Necessary for the Service to function (e.g., authentication, security)
• Performance Cookies: Collect information about how you use the Service (e.g., pages visited, errors encountered)
• Functional Cookies: Remember your preferences and settings
• Analytics Cookies: Help us understand usage patterns and improve the Service
• Advertising Cookies: Deliver personalized ads and measure campaign effectiveness

Managing Cookies

You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. Note that disabling certain cookies may affect the functionality of the Service.

For mobile app tracking, you can adjust your device settings to limit ad tracking or reset your advertising ID:

• iOS: Settings > Privacy > Tracking / Advertising
• Android: Settings > Google > Ads

Third-Party Analytics

We use third-party analytics services (e.g., Google Analytics, Firebase) to collect usage data. These services may use cookies and similar technologies to collect information on our behalf. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

VII. Your Rights & Choices

12. Communication Preferences

You have control over the communications you receive from MessageActivity:

• Marketing Emails: You can opt out by clicking the "unsubscribe" link in any marketing email or by contacting us at WeListen@MessageActivity.com
• Push Notifications: You can disable push notifications through your device settings or in-app preferences
• Transactional Emails: You cannot opt out of essential service emails (e.g., account confirmations, billing notifications) while using the Service

13. Your Rights and Choices

Depending on your location, you may have certain rights regarding your personal information:

Access & Portability

You have the right to request access to the personal information we hold about you and to receive a copy of your data in a structured, commonly used format (data portability).

Correction & Update

You can update or correct your account information at any time through the app settings or by contacting us.

Deletion

You have the right to request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, fraud prevention, legitimate business interests). To request deletion, contact us at WeListen@MessageActivity.com.

Objection & Restriction

You may object to certain types of processing (e.g., marketing, profiling) or request that we restrict processing of your data in certain circumstances.

Withdraw Consent

If we process your data based on consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing before withdrawal.

Lodge a Complaint

If you believe we have violated your privacy rights, you have the right to lodge a complaint with a data protection authority in your jurisdiction.

VIII. Special Privacy Considerations

14. Children's Privacy

MessageActivity is not intended for use by children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If we become aware that we have collected information from a child without parental consent, we will delete that information promptly.

If you believe we have collected information from a child, please contact us immediately at WeListen@MessageActivity.com.

15. International Data Transfers

MessageActivity is based in the United States, and your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. These countries may have data protection laws that differ from those in your country of residence.

If you are located in the EEA, UK, or other jurisdictions with data transfer restrictions, we take steps to ensure adequate protection of your data through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions recognizing certain countries as providing adequate protection
• Other legally recognized transfer mechanisms

16. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to Know: You can request disclosure of the categories and specific pieces of personal information we have collected about you
• Right to Delete: You can request deletion of your personal information, subject to certain exceptions
• Right to Opt-Out: You have the right to opt out of the "sale" of personal information (note: we do not sell personal information)
• Right to Non-Discrimination: You have the right to not receive discriminatory treatment for exercising your CCPA rights

To exercise your CCPA rights, contact us at WeListen@MessageActivity.com. You may designate an authorized agent to make requests on your behalf.

17. Do Not Track Signals

Some browsers support "Do Not Track" (DNT) signals. MessageActivity does not currently respond to DNT signals, as there is no industry standard for how to interpret and respond to such signals. We will continue to monitor developments in this area.

IX. Blue Button 2.0 & Medicare Claims Data

18. What Is Blue Button Data

MessageActivity integrates with the CMS Blue Button 2.0 API, which allows Medicare beneficiaries to authorize third-party applications to access their Medicare claims data. This data may include:

• Medicare beneficiary identification information (name, Medicare Beneficiary Identifier / MBI)
• Coverage periods and plan enrollment history
• Claims data including Part A (hospital), Part B (medical), and Part D (prescription drug) Explanation of Benefits (EOBs)
• Provider and prescriber information associated with claims

This data may constitute Protected Health Information (PHI) under HIPAA. It is processed only when a beneficiary provides explicit, affirmative authorization through the CMS OAuth 2.0 / PKCE authorization flow.

19. How We Collect Blue Button Data

Blue Button data is collected only when:

• (a) A licensed insurance agent with a valid NPN initiates an authorization request;
• (b) The Medicare beneficiary (the agent's client) is presented with a CMS-hosted consent screen and affirmatively clicks "Authorize" to grant access to their data;
• (c) CMS returns an authorization code that MessageActivity exchanges for an access token via a secure server-to-server call using PKCE (Proof Key for Code Exchange) to prevent interception.

At no point does MessageActivity receive or store the beneficiary's Medicare login credentials. The OAuth flow is handled entirely by CMS infrastructure.

20. How We Store & Protect Blue Button Data

Blue Button access and refresh tokens are encrypted at rest using AES-256-GCM encryption before being stored in our database. Claims data retrieved from the Blue Button API is associated only with the specific beneficiary who authorized access and is stored in their client profile within the agent's account.

All data transmitted between MessageActivity servers and the CMS Blue Button API is encrypted in transit using TLS 1.2 or higher. Access to stored Blue Button data is restricted by Row-Level Security (RLS) policies to the agent who holds the authorization, and only for the duration of a valid access token.

21. How We Use Blue Button Data

Blue Button Medicare claims data is used exclusively to:

• Display the beneficiary's coverage history, plan enrollment, and claims summary within their client profile in the MessageActivity app
• Help the licensed agent provide more informed Medicare plan recommendations based on the beneficiary's actual utilization
• Support compliant Medicare Advantage, Medicare Supplement, and Part D sales and enrollment activities

Blue Button data is never used for:

• Building advertising profiles or marketing segments
• Sharing with any third party other than the authorized agent and their agency account
• Training AI models without separate explicit consent
• Any purpose unrelated to the direct insurance needs of the consenting beneficiary

22. Revocation & Data Deletion

A beneficiary may revoke their Blue Button authorization at any time by:

• Visiting MyMedicare.gov and revoking the MessageActivity application's access under their connected apps
• Asking their agent to disconnect the Blue Button connection within the MessageActivity app, which immediately invalidates stored tokens and ceases all data access

Upon revocation, MessageActivity immediately invalidates the stored access and refresh tokens. Previously retrieved claims data that has been stored in the client profile is retained subject to the agent's data retention obligations (including CMS 10-year record requirements) unless the beneficiary requests deletion and no legal retention obligation applies.

23. CMS Blue Button API Compliance

MessageActivity's use of the Blue Button 2.0 API is subject to the CMS Blue Button API Terms of Service. MessageActivity is registered as an authorized application with CMS. Any use of Blue Button data that violates CMS API terms, HIPAA, or applicable state health privacy laws is strictly prohibited and may result in immediate account termination.

X. Approved Marketing Partner Data

24. Data Collected from Marketing Partners

Organizations that apply for or are approved under the MessageActivity Approved Marketing Partner Program provide additional information as part of the application and ongoing use of the partner portal, including:

• Organization name, contact name, email, phone, and website
• States of operation and lines of insurance authority
• Lead type and business model (live transfers, lead lists, or both)
• Company logo (if consent is provided)
• Compliance consent acknowledgments and timestamps
• Agent codes and marketing representative profiles

25. Lead & Enrollment Data

When Marketing Partners submit leads to the platform, the following data is collected and processed:

• Prospect/lead contact information (name, phone, DOB, zip code, state, email where provided)
• Lead source attribution (agent code, marketing rep, submission date and time)
• Lead transfer status and assignment history (submitted, accepted, recalled, rejected)
• Disposition outcomes (enrolled, contacted, callback, not interested, DNC, etc.)
• Enrollment confirmation and plan type (when enrollment occurs)
• Partner notes and expected commission amounts
• TCPA consent documentation uploads (file name, lead count, upload date)

This data is accessible to the Marketing Partner organization that submitted it and to agents within the receiving business account. It is used to provide the partner portal's analytics, tracking, and reporting features and is not shared with other marketing organizations.

26. Automated Direct Mail Data

When Marketing Partners configure automated direct mail triggers, lead contact information (name and mailing address) is transmitted to Thanks.io or Handwrytten for physical mail fulfillment. These providers receive only the data necessary to produce and deliver the mail piece. Their handling of that data is governed by their respective privacy policies. MessageActivity logs mail order status and delivery information for partner analytics and budget tracking purposes.

27. Webhook Data Transmission

If a Marketing Partner configures an outbound webhook, enrollment event data is transmitted to the partner's configured endpoint when a lead enrolls. This data includes the transfer ID, client ID, agent ID, and enrollment timestamp. Webhook payloads are signed with HMAC-SHA256 using the partner's configured webhook secret. MessageActivity is not responsible for the security of data once it is received by the partner's webhook endpoint.

28. Partner Data Retention

Lead transfer records, enrollment data, and compliance documentation submitted by Marketing Partners are retained for the duration of the partner's approved status and for a period thereafter to satisfy legal, regulatory, and compliance obligations. Upon partner removal or voluntary withdrawal, access to the partner portal is revoked immediately; underlying lead and enrollment data associated with agent accounts is retained in accordance with agent account data retention policies and applicable CMS record-keeping requirements.

XI. Changes & Updates

29. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings. We will notify you of material changes by:

• Updating the "Last Updated" date at the top of this page
• Sending an email notification to the address associated with your account
• Displaying an in-app notification or banner

Your continued use of the Service after changes take effect constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you should stop using the Service and cancel your account.

30. Review & Updates

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. The most current version will always be available at this URL and within the app.

XII. Contact Information