Privacy Policy

Last Updated: March 10, 2026

This Privacy Policy describes how Worthington ("we," "us," or "our") collects, uses, and shares information when you use our AI-powered communication management platform designed for real estate professionals (the "Service").

By creating an account and using the Service, you provide your express consent to the collection, use, and disclosure of your personal information as described in this policy. Where we collect sensitive personal information — including the full content of your email communications and voice call recordings — we rely on your express consent, which you provide when you connect these services during account setup. You may withdraw your consent at any time, subject to legal or contractual restrictions, by following the procedures described in Section 6. Withdrawing consent may limit or prevent your use of certain features of the Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

• Name (first name, last name, salutation)
• Email address(es)
• Phone number(s)
• Mailing address
• Professional role (e.g., broker, realtor)

1.2 Email Data

When you connect your Google Workspace or Gmail account, we access and process:

• Email messages, including sender and recipient addresses, subject lines, and body content
• Email metadata such as timestamps, thread IDs, message IDs, labels, and read status
• Attachment metadata (we detect the presence of attachments but do not store attachment content)

We process this data to classify emails, analyze intent, detect property-related information, recommend next actions, and generate draft responses on your behalf.

1.3 Calendar Data

When you grant calendar access, we retrieve calendar events within relevant date ranges to provide scheduling context for your communications.

1.4 Contact and Client Information

We store and manage a contact database on your behalf, which may include:

• Contact names, email addresses, and phone numbers
• Job titles and company information
• Contact categories, status, and preferences
• Communication history and activity timestamps
• AI-generated contact summaries
• Notes you add about contacts
• Property information linked to contacts (addresses, types, status)

Important: This database may include personal information about third parties — such as buyers, sellers, or other clients — who are not users of the Service and have not directly interacted with Worthington. We process this information solely on your behalf and at your direction, as your data processor. You, as the real estate professional using the Service, are responsible for ensuring you have a lawful basis for sharing this third-party personal information with us. Third parties whose personal information is stored in the Service may contact us at the address in Section 10 to request access, correction, or deletion of their information.

1.5 Conversation Data

We store conversations you have with the Worthington assistant, including:

• Messages sent and received via text, voice, web, or console channels
• Timestamps and channel information
• AI-generated responses

1.6 Voice and Phone Call Data

When you use voice calls through the Service:

• Your phone number is used to verify your identity
• Call audio is processed in real time by our AI voice system
• Transcripts may be generated from call audio
• Calls from unrecognized phone numbers are rejected

1.7 SMS Data

When you interact with the Service via SMS:

• Your phone number and message content are processed
• Notifications may be sent to you via SMS regarding email activity and recommended actions

SMS notifications are sent in compliance with Canada's Anti-Spam Legislation (CASL). We obtain your express consent before sending commercial electronic messages. You may withdraw your consent to receive SMS notifications at any time by adjusting your notification preferences within the Service.

1.8 Usage Data

We automatically collect certain usage information, including:

• AI processing token usage (tracked monthly)
• Event-level analytics (e.g., emails analyzed, drafts created, notifications sent)
• Service interaction patterns

1.9 Authentication Tokens

When you connect third-party services (such as Google), we store OAuth tokens that allow us to maintain your authorized connections. We do not store your third-party account passwords. These tokens can be revoked at any time by disconnecting the service from your account or through your third-party provider's settings.

2. How We Obtain Your Consent

2.1 Express Consent

We obtain your express consent before collecting, using, or disclosing sensitive personal information. Express consent is obtained:

• At account creation, for collection of your account information described in Section 1.1 and for enabling essential voice and SMS features, for processing of voice call audio, transcripts, and SMS content described in Sections 1.6 and 1.7
• At the time you connect third-party services (such as a Gmail account), for access to your email and calendar data described in Sections 1.2 and 1.3

Each consent is obtained through a clear, affirmative action (such as checking a consent box or clicking an "Authorize" button) accompanied by a plain-language explanation of what data will be collected and how it will be used.

2.2 Consent to Third-Party Processing

When you connect your Google account or enable voice and SMS features, we will inform you that your data — including email content and call audio — will be processed by third-party service providers, including OpenAI, Telnyx, and Google Cloud. You will be asked to provide express consent to this third-party processing before it begins. A description of each provider and their role is set out in Section 4.

2.3 Consent to Cross-Border Data Transfers

Your personal information may be transferred to and processed in the United States. Before enabling any feature that involves cross-border transfer, we will expressly notify you that:

• Your data will be processed in the United States by us or our service providers
• Once transferred, your data may be subject to access by U.S. government authorities under U.S. law, including the CLOUD Act and Foreign Intelligence Surveillance Act (FISA)
• The privacy protections available in the United States may differ from those in Canada or Ontario

By affirmatively enabling such features, you provide your express consent to these transfers.

2.4 Withdrawing Consent

You may withdraw your consent to any category of data collection or processing at any time by contacting us using the information in Section 10, or by disconnecting your connected accounts through the Service. Withdrawal of consent will not affect the lawfulness of processing carried out before the withdrawal. Depending on which consent you withdraw, some or all features of the Service may become unavailable to you.

3. How We Use Your Information

We use the information we collect to:

• Provide and operate the Service, including email management, contact management, and communication features
• Process and classify your emails using AI to determine priority, category, and recommended actions
• Generate draft email responses based on your communication style and context
• Provide AI-powered voice and text assistant capabilities
• Send you SMS notifications about important communications and recommended actions
• Maintain and update your contact database with AI-generated summaries and insights
• Detect property-related information in your communications
• Analyze your business context to provide relevant recommendations
• Track usage for billing and service optimization purposes
• Improve and develop the Service

4. How We Share Your Information

We share your information with the following categories of third-party service providers who process data on our behalf:

4.1 AI Processing (OpenAI)

We send email content, client context, and conversation history to OpenAI for:

• Email classification and intent analysis
• Property detection in communications
• Draft email generation
• Tone of voice analysis
• Real-time voice conversation processing

We use OpenAI's API services under a data processing agreement. OpenAI does not use data submitted through its API to train its models. OpenAI processes this data in accordance with its API usage policies and data processing addendum, which provide contractual protections for your information.

4.2 Communications (Telnyx)

We use Telnyx to facilitate:

• Inbound and outbound SMS messaging
• Voice call routing and SIP connectivity

Telnyx processes phone numbers, SMS content, and voice call data as needed to deliver these services.

4.3 Email and Calendar (Google)

We access your Gmail and Google Calendar data through Google's APIs using OAuth 2.0 authorization. We use this access to read, classify, and draft responses to your emails, and to retrieve calendar events for scheduling context. Our use of Google user data complies with Google's API Services User Data Policy, including the Limited Use requirements.

4.4 Analytics (PostHog)

We use PostHog for product analytics. We send event-level data such as the types of actions performed (e.g., emails analyzed, draft created, notification sent) along with anonymized identifiers. We do not send the content of your emails or messages to our analytics provider.

4.5 Infrastructure (Google Cloud / Firebase)

Your data is stored in Google Cloud Firebase, which provides our database and authentication infrastructure. Data is stored in accordance with Google Cloud's security and compliance standards.

4.6 Memory Services

We may use AI memory services to store contextual information from your conversations to provide more personalized and relevant assistance over time. This may include extracted facts and semantic representations of conversation content, such as your communication preferences, recurring topics, and key client details you have shared with the assistant. Memory services processes this data solely to provide memory capability and does not use it for any other purpose.

We do not sell your personal information to third parties.

5. Data Retention

• Account information is retained for as long as your account is active.
• Email data is stored in our system after processing. Raw email data, classification results, and generated drafts are retained to provide continuity of service.
• Conversation history is retained to maintain context across interactions.
• Contact database records are retained until you delete them or close your account.
• Usage data is aggregated on a monthly basis and retained for billing and service improvement.
• OAuth tokens are retained until you revoke access or they expire and cannot be refreshed.

You may request deletion of your data at any time by contacting us (see Section 10).

6. Data Security

We implement appropriate technical and organizational measures to protect your information, including:

• Encryption of data in transit using TLS/SSL
• Secure storage of authentication tokens and API keys
• Role-based access controls within the application
• Secure cloud infrastructure provided by Google Cloud Platform

While we strive to protect your information, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security of your data.

7. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights:

7.1 Access and Portability

You may request a copy of the personal information we hold about you.

7.2 Correction

You may request that we correct inaccurate personal information.

7.3 Deletion

You may request that we delete your personal information, subject to certain legal exceptions.

7.4 Revoke Connected Services

You may disconnect your Google account or other connected services at any time by revoking OAuth access through your Google Account settings or through the Service.

7.5 Opt Out of Analytics

You may request to opt out of analytics tracking by contacting us.

7.6 Communication Preferences

You may adjust your SMS notification preferences or opt out of notifications through the Service.

To exercise any of these rights, please contact us using the information in Section 10.

8. Automated Decision-Making

The Service uses AI and automated processing to:

• Classify and prioritize your emails
• Recommend actions (e.g., draft a response, notify you, take no action)
• Generate draft email responses
• Analyze communication tone and intent
• Detect property-related information in communications
• Generate summaries of contacts and conversations

These automated processes are designed to assist you and do not make final decisions without your review. Email drafts are generated as suggestions and are not sent without your approval. Notifications are informational and recommend actions for your consideration.

If you are located in Quebec, you have the right to be informed of and to contest significant decisions made through automated processing. To the extent any automated recommendation materially affects you, you may contact us to request human review.

9. Cross-Border Data Transfers

The Service is available to users in the United States and Canada. Depending on your location, your information may be transferred to and processed in the United States by us or our service providers (including Google Cloud, OpenAI, Telnyx, and PostHog).

As described in Section 2.3, we obtain your express consent to cross-border transfers before they occur. You are advised that personal information transferred to the United States may be accessible to U.S. government authorities under applicable U.S. law, including the CLOUD Act and the Foreign Intelligence Surveillance Act (FISA). The level of privacy protection in the United States may differ from that available under Canadian law.

We take reasonable contractual and technical steps to protect your information during and after transfer, including entering into data processing agreements with our U.S.-based service providers. However, we cannot guarantee the same level of protection as is available under Canadian privacy law.

10. Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact our Privacy Officer at:

privacy@worthington.ai
PO Box 23024 Kitchener RPO Frederick, ON, N2B 3V1

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy and revising the "Last Updated" date at the top of this document. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.

12. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us so we can promptly delete it.

13. United States State Privacy Rights

13.1 California

If you are a California resident, the California Consumer Privacy Rights Act (CPRA, as amended from CCPA) provides you with additional rights regarding your personal information, including the right to know what personal information we collect, the right to delete your personal information, the right to correct inaccurate personal information, and the right to opt out of the sale or sharing of your personal information. We do not sell or share personal information for cross-context behavioral advertising. To exercise your rights, please contact us using the information in Section 10.

13.2 Other U.S. States

Residents of other states with comprehensive privacy laws (such as Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others) may have similar rights under their respective state privacy laws, including rights to access, delete, correct, and opt out of certain processing of personal information. To exercise your rights, please contact us using the information in Section 10.

14. Canadian Privacy Rights

14.1

If you are located in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation (including Alberta's Personal Information Protection Act, British Columbia's Personal Information Protection Act, and Quebec's Act Respecting the Protection of Personal Information in the Private Sector) may provide you with additional rights regarding your personal information.

14.2

Under Canadian privacy law, you have the right to:

• Access the personal information we hold about you
• Request correction of inaccurate or incomplete personal information
• Withdraw consent to the collection, use, or disclosure of your personal information (subject to legal or contractual restrictions)
• File a complaint with the Office of the Privacy Commissioner of Canada or the applicable provincial privacy commissioner

14.3

We collect, use, and disclose your personal information only for the purposes identified in this Privacy Policy and with your knowledge and consent. We retain your personal information only as long as necessary to fulfill the purposes for which it was collected or as required by law.

14.4 Quebec Residents

If you are located in Quebec, in addition to rights under PIPEDA, you have the following rights under Quebec's Act Respecting the Protection of Personal Information in the Private Sector (Law 25):

• The right to data portability — to receive a copy of your personal information in a structured, commonly used technological format
• The right to be informed of and to contest automated decision-making that produces legal or significant effects on you (see Section 8)
• The right to know where your personal information is stored geographically (see Sections 4.5 and 9)
• The right to file a complaint with the Commission d'acces a l'information du Quebec

Our Privacy Officer is our designated person responsible for the protection of personal information as required under Law 25.

To exercise any of these rights, please contact us using the information in Section 10.

15. Google API Services User Data Policy

Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We only use Google user data for the purposes described in this Privacy Policy and as authorized by you. We do not use Google user data for serving advertisements. We limit our use of Google user data to providing and improving the Service.