Prospect Privacy Notice (Indirect Collection)
⚠️ DRAFT — NOT LEGAL ADVICE. This document was generated to scope compliance work and MUST be reviewed and adapted by qualified counsel licensed in each operating jurisdiction (US, Brazil, Mexico, India) before any reliance or publication. Bracketed [PLACEHOLDERS] require confirmation.
Document version: [DRAFT v0.1 — YYYY-MM-DD to be set on counsel sign-off]
0. How to read this notice / Como ler este aviso / Cómo leer este aviso
This notice explains how 8x handles the personal data of business prospects — people we contact by phone or email about our products and services, who did not sign up with us. You are receiving or reading this notice because we obtained your business contact details from a third-party or public source (see Section 3) and contacted you, or because a call disclosure or outreach email pointed you here.
Publication and language requirements [DECISION REQUIRED]:
- A Brazilian Portuguese (PT-BR) version MUST be published and treated as the binding version for prospects in Brazil. [TRANSLATION REQUIRED — counsel-reviewed PT-BR.]
- A Mexican Spanish (ES-MX) version MUST be published as the formal aviso de privacidad and treated as binding for prospects in Mexico. [TRANSLATION REQUIRED — counsel-reviewed ES-MX.]
- For prospects in India, an India-specific DPDP itemized notice applies (see Section 12). Important: in India a notice is NOT a substitute for consent. 8x continues India (+91) outreach as an accepted CRITICAL DPDP non-compliance risk pending a consent-first redesign (founder decision, 2026-06-18); the India notice is still published. See the India warning in Section 12.
- For all other prospects, the English / applicable-locale version applies.
This notice is published at a short, stable URL: [https://8x.social/privacy/prospects OR PLACEHOLDER SHORT URL], which is the URL referenced in our call disclosures and in every outreach email.
1. Who we are (controller identity and role)
The data controller is [8x LEGAL ENTITY NAME, a Delaware corporation] ("8x", "we", "us"), with registered address at [REGISTERED ADDRESS].
Our role. For both the contact data and the call data described in this notice, 8x acts as the data controller (in LGPD terms, the controlador; in Mexican terms, the responsable; in DPDP terms, the Data Fiduciary). We decide why and how your personal data is processed. We are not processing your data on behalf of any customer.
Where we operate. 8x is a US (Delaware) company. The United States is our home jurisdiction. Brazil, Mexico, and India are markets we serve. The European Union / United Kingdom ARE in scope — see Section 11. GDPR and the ePrivacy Directive apply, and the additional EU/UK terms in Section 11 (including the appointment of an Article 27 EU representative, and a UK representative if the UK is in scope) apply.
Governing law. [Delaware / United States, confirm], without prejudice to the mandatory data-protection laws of the jurisdiction where you are located (Brazil — LGPD; Mexico — the Federal Law on Protection of Personal Data Held by Private Parties; India — DPDP Act 2023; and, if applicable, EU/UK GDPR).
2. How to contact us about your data
| Contact | Details |
|---|---|
| Privacy / data-protection contact | privacy@8x.social (proposed role address) |
| Postal address | [REGISTERED ADDRESS] |
| Data Protection Officer / Privacy Officer | [DPO/PRIVACY CONTACT NAME], reachable at privacy@8x.social |
| Brazil — Encarregado (DPO) | [ENCARREGADO NAME], privacy@8x.social — A Brazilian encarregado is appointed because the high-risk processing described here (cold outreach, voice recording, AI evaluation) does not qualify for the small-agent exemption. |
| Mexico — Privacy contact (responsable) | [MX PRIVACY CONTACT], privacy@8x.social [CONFIRM WITH MEXICAN COUNSEL] |
| India — DPDP contact / Data Protection Officer | [INDIA DPO/CONTACT], privacy@8x.social [CONFIRM — DPDP designation requirements] |
To stop hearing from us immediately, use the opt-out / suppression routes in Section 9.
3. Where we got your data and the category of source (indirect collection)
We did not collect your personal data directly from you. We obtained it indirectly. This section is provided to satisfy LGPD Art. 9, GDPR Art. 14 (where applicable), and the DPDP notice requirements.
- Categories of source: [DECISION REQUIRED / CONFIRM — list the actual sources used, e.g.: publicly available business sources (company websites, public business directories), professional networking profiles (e.g., LinkedIn public profiles), and/or third-party B2B lead/data providers]. See sub-processors.md and any data-provider list for the specific suppliers.
- What we got from the source: typically your business name, the company you work for, a business phone number and/or business email address, your country, a link to a professional profile, and basic firmographic information about your company.
- We do not knowingly source or process special-category / sensitive data about you for prospecting (see Section 4).
[DECISION REQUIRED — DATA-SOURCE TRANSPARENCY]: 8x must be able to identify, for any given prospect, the specific source of their data. Recommended default: record the source per record and disclose the specific source on request as part of the access right (Section 8).
4. Categories of personal data we hold
Depending on the interaction, we may hold the following categories of personal data about you:
Contact and firmographic data (obtained indirectly per Section 3):
- Name
- Company / employer
- Business phone number
- Business email address
- Professional profile link (e.g., LinkedIn)
- Country
- Firmographic information about your company (e.g., industry, category, company website, size indicators)
Data we generate when our sales representatives contact you:
- Free-text notes written by our representatives about the interaction
- Voice recordings of cold calls (where we have provided the recording disclosure — see Section 6 and the in-call disclosure)
- AI-generated transcripts of those calls (machine transcription)
- AI-generated evaluations / scores of the call (an automated assessment of the sales interaction — see Section 7)
A bare voice recording is treated as ordinary (non-sensitive) personal data. 8x does not create biometric voice-identification ("voiceprint") data, and does not process your voice as sensitive/special-category data. [Engineering invariant — do not build biometric voice-ID.]
5. Why we use your data (purposes)
We process your personal data for the following purposes:
- Business-to-business (B2B) prospecting and outreach — to contact you by phone and/or email to introduce, and assess your potential interest in, products and services, and to schedule meetings.
- Operating and recording calls — to place calls, and to record them where disclosed, for the purposes below.
- AI transcription and AI evaluation of calls — we use automated speech-to-text to transcribe calls and an AI model to evaluate the sales interaction. This AI evaluation determines whether an outreach resulted in a qualified meeting and is used to calculate what our sales representatives are paid. This is an automated decision affecting our representatives; for how it may concern you and your rights, see Section 7.
- Scheduling — if you agree to a meeting, to book and manage that meeting.
- Record-keeping, quality, training, and compliance — to maintain records of outreach, train and supervise our representatives, demonstrate compliance (including consent/opt-out records), and handle disputes, complaints, and legal obligations.
- Security and abuse prevention — to protect our systems and prevent misuse.
We will not use your data for purposes incompatible with the above without providing a further notice or, where required, obtaining your consent.
6. Legal basis for processing (by region)
Our legal basis depends on where you are located.
Brazil (LGPD)
- B2B prospecting: legitimate interest (legítimo interesse), LGPD Art. 7, IX and Art. 10. We maintain a documented Legitimate Interest Assessment (LIA) balancing our interest in B2B outreach against your rights. See the LIA in internal-compliance-artifacts.md.
- Voice recording / AI evaluation: processed under the same legitimate-interest basis as ordinary data, subject to the recording disclosure and your unconditional right to object to direct marketing (Section 9). Sensitive data is not processed on this basis (and we do not create biometric voice-ID; see Section 4).
- Consumer-protection overlay (CDC): our outreach identifies the sender, and we honor opt-out requests.
- Do-not-call: we honor applicable state Procon "Não Me Ligue" do-not-call registries (e.g., São Paulo Law 13.226/2008, as amended). [CONFIRM applicable state registries 8x will scrub against.]
Mexico
- We provide this notice as our aviso de privacidad under the Federal Law on Protection of Personal Data Held by Private Parties (published 20-Mar-2025, in force 21-Mar-2025). For ordinary data, consent is, by default, tacit (opt-out) — you may object at any time using Section 9.
- Transfers disclosed: under Art. 35, we disclose that your data is transferred to third parties (sub-processors) located in the United States. See Sections 8 and 10. [CONFIRM WITH MEXICAN COUNSEL — exact aviso wording, transfer-disclosure formatting, and any consent prompts required.]
- Do-not-call: we honor the Registro Público para Evitar Publicidad (REPEP) under the Federal Consumer Protection Law (LFPC), Art. 18 Bis; we scrub against REPEP and apply suppression. [CONFIRM WITH MEXICAN COUNSEL.]
India (DPDP Act 2023)
- See Section 12. In India we cannot rely on a "legitimate interest" basis for cold outreach, and a notice is not a substitute for consent. ACCEPTED RISK — 8x continues India (+91) outreach pending a consent-first redesign; this is a known CRITICAL DPDP non-compliance accepted by the founder (2026-06-18). The India prospect privacy notice is still published; Indian-counsel sign-off is still required before scaling.
United States
- We rely on our legitimate business interest in B2B prospecting, consistent with applicable US law. We do not sell or share your personal data for cross-context behavioral advertising. A direct CCPA notice-at-collection to prospects is excused under 11 CCR 7012(h) because we neither sell nor share, but this public notice covers our handling of prospect data. See Section 8 for your US rights.
- Call recording: we adopt all-party consent as our baseline (the conservative posture across US states, including California Penal Code §§ 632 and 632.7), implemented via the in-call recording disclosure. [CONFIRM call-disclosure script with counsel.]
European Union / United Kingdom
- See Section 11. EU/UK IS in scope — GDPR and the ePrivacy Directive apply. Electronic/automated direct marketing requires prior consent under the ePrivacy Directive Art. 13 (a legitimate-interest assessment does not clear marketing email or automated calls).
7. Automated processing and AI evaluation — your rights
We use AI to transcribe calls and to evaluate the sales interaction. The AI evaluation scores the call against a defined rubric (its dimensions include, for example, [RUBRIC DIMENSIONS — e.g., discovery quality, objection handling, conduct/compliance, conversation outcome; CONFIRM final rubric list]).
What it decides. This evaluation drives whether an outreach is treated as a qualified meeting and is used to determine our representatives' pay. It is a solely or significantly automated decision affecting our representatives.
As a prospect, you can:
- object to this automated processing where it evaluates aspects relating to you (e.g., your behavior or responses on the call), particularly where it could produce undesired effects, and
- request human review of, and information about, the automated processing as it concerns you.
We provide a human-review / contest route for any pay-affecting evaluation (this is primarily a representative-facing right but is extended to prospects who object). To exercise these rights, contact us per Section 2.
Mexico specifically recognizes a right to object to solely automated processing that evaluates behavior/performance and produces undesired effects; our evaluation engages this right. [CONFIRM WITH MEXICAN COUNSEL.] In the EU/UK (in scope), Art. 22 GDPR grants rights to human intervention, to contest, and to meaningful information (see Section 11).
8. Who receives your data (recipients / sub-processors)
We share your personal data with service providers ("sub-processors") who help us operate. The full, current list — including each provider's role and processing region — is maintained in sub-processors.md. As of this draft they include:
| Recipient | Role | Data involved | Region |
|---|---|---|---|
| Twilio | Telephony (placing/recording calls) | Phone number, call audio | US |
| OpenAI | AI transcription (whisper-1) + AI evaluation (gpt-4.1) | Call audio, transcripts | US — [DECISION REQUIRED: elect zero-data-retention / enterprise endpoint] |
| Anthropic | AI evaluation / summarization (Claude) | Transcripts | US |
| Supabase | Database, authentication, and storage | All categories, incl. recordings | [REGION — CONFIRM] |
| Vercel | Application hosting | IP address in request logs | US / global |
| Resend | Transactional and outreach email | Name, email, related contact data | US |
| Cal.com | Meeting scheduling | Data you enter when booking | [REGION — CONFIRM] |
| OAuth/OIDC sign-in | (Intended; not yet live) | — | — |
We may also disclose data where required by law, to enforce our rights, or in connection with a corporate transaction, subject to applicable law.
9. Your right to object to marketing and to opt out / be suppressed
You have an unconditional right to object to direct marketing. If you tell us to stop, we will stop contacting you for marketing purposes and add you to our suppression list. You can do this:
- By email: send a request to privacy@8x.social (subject: "Opt out / suppression"); or
- During a call: tell the representative you do not wish to be contacted — your objection is recorded and honored; or
- By the unsubscribe link / instructions in any outreach email.
What happens when you opt out: we suppress your contact details from further outreach. We honor opt-outs everywhere as a matter of policy (including in jurisdictions without a B2B carve-out), and we apply applicable do-not-call registries (Brazil state Procon "Não Me Ligue"; Mexico REPEP with a 30-day suppression cycle [CONFIRM]; US internal do-not-call). For email, we honor opt-outs consistent with CAN-SPAM (within 10 business days; we aim to act faster). [CONFIRM operational timelines.]
For outreach email, this promise is fulfilled technically by a suppression list: every outreach email carries a one-click unsubscribe link (and List-Unsubscribe header), and clicking it adds your email address to our suppression list immediately. Before any outreach email is sent, we check that list and will not email an address on it. This suppression record is retained for as long as needed to keep honoring your request. Even if we otherwise delete your data on request, your suppression entry is kept (with your address no longer linked to any other record) so that we do not accidentally contact you again.
We retain a minimal record that you opted out, solely to ensure we continue to honor your request.
10. International transfers
8x is based in the United States, and several of our sub-processors are in the United States (see Section 8). This means your personal data is transferred to, and processed in, the United States and potentially other countries.
We rely on the following transfer mechanisms:
- Brazil → US: the ANPD Standard Contractual Clauses (Resolution CD/ANPD 19/2024). [DECISION REQUIRED / REMEDIATION: the mandatory implementation deadline elapsed 23-Aug-2025; 8x must execute ANPD SCCs with its US recipients to come into compliance before launch.]
- EU/UK → US (EU/UK is in scope — see Section 11): the EU Standard Contractual Clauses (Module 2) plus a documented Transfer Impact Assessment (TIA). We default to SCCs + TIA; the EU-US Data Privacy Framework is treated as unstable pending the Latombe appeal and is not relied on alone.
- Mexico → US: transfers to US sub-processors are disclosed in this aviso under Art. 35. [CONFIRM WITH MEXICAN COUNSEL — any additional formalities/consent.]
- India → US: transfers are subject to DPDP transfer requirements. [CONFIRM.] Note that the lawful-basis gap for India cold outreach is an accepted risk (see Section 12), separate from the transfer mechanics.
You may request information about the safeguards applicable to transfers of your data by contacting us per Section 2.
11. EU / UK prospects
EU/UK IS in scope — GDPR and the ePrivacy Directive apply. 8x accepts the extraterritorial reach of GDPR Art. 3(2); there is no EU-exclusion gate. The following obligations are in force:
- Marketing basis: electronic and automated direct marketing requires prior consent under ePrivacy Directive Art. 13 (lex specialis); a legitimate-interest assessment does not clear marketing email or automated/recorded calls.
- Representative: 8x appoints an Art. 27 EU representative (and a UK representative if the UK is in scope). [APPOINT — name/address PLACEHOLDER.]
- Transfers: SCCs Module 2 + a documented TIA (see Section 10); the EU-US Data Privacy Framework is treated as unstable pending the Latombe appeal, so 8x defaults to SCCs + TIA.
- DPIA: a Data Protection Impact Assessment is required (multiple high-risk criteria stack: cold outreach, voice recording, AI evaluation, profiling).
- Automated decisions: Art. 22 grants you rights to human intervention, to contest the decision, and to meaningful information about the logic involved (see Section 7).
12. India prospects (DPDP Act 2023 + DPDP Rules 2025) — itemized notice
⚠️ INDIA WARNING. Under the DPDP Act 2023 and the DPDP Rules 2025 (final, notified 13 Nov 2025; substantive obligations phasing to approximately 13 May 2027), there is no "legitimate interest" basis for cold outreach in India, and you generally cannot even cold-contact someone in order to obtain consent. This notice is NOT a substitute for consent. Penalties reach up to ₹250 crore (security-safeguard tier). ACCEPTED RISK — 8x continues India (+91) outreach pending a consent-first redesign; this is a known CRITICAL DPDP non-compliance accepted by the founder (2026-06-18). This India prospect privacy notice is still published; Indian-counsel sign-off is still required before scaling. The itemized notice below is provided for transparency and is not a representation that notice alone makes the processing lawful.
Itemized DPDP notice:
- Data Fiduciary: [8x LEGAL ENTITY NAME, a Delaware corporation] (Section 1).
- Personal data processed: the categories in Section 4.
- Purposes: the purposes in Section 5.
- How to exercise your rights: access, correction, completion, updating, erasure, grievance redressal, and nomination — contact [INDIA DPO/CONTACT] / privacy@8x.social (Section 2).
- How to withdraw consent: [CONSENT-WITHDRAWAL MECHANISM — must be as easy as giving consent].
- How to complain: to the Data Protection Board of India (Section 13), in addition to our grievance contact.
- Telemarketing: any telephone outreach is also subject to TRAI TCCCPR Second Amendment Regulations 2025 (140-series promotional / 1600-series transactional numbering). [CONFIRM operational compliance.]
13. Your rights and how to complain
Subject to your local law, you have rights to:
- Access the personal data we hold about you (and information about its source — Section 3);
- Correct / complete / update inaccurate or incomplete data;
- Delete / erase your data;
- Object to processing, including the unconditional right to object to direct marketing (Section 9);
- Object to / request human review of automated decisions (Section 7);
- Data portability, where applicable;
- Withdraw consent, where processing is based on consent (e.g., India);
- Information about international transfers (Section 10);
- (Brazil/LGPD) other rights under Art. 18.
How to exercise: contact us per Section 2. Response times: Brazil — within 15 days (LGPD Art. 19); other jurisdictions — within the statutory period, and otherwise without undue delay. [CONFIRM per-jurisdiction SLAs.]
Supervisory authorities / regulators — you may complain to:
- Brazil: Autoridade Nacional de Proteção de Dados (ANPD).
- Mexico: the Secretaría Anticorrupción y Buen Gobierno (data-protection enforcement following the abolition of INAI); and PROFECO for consumer/telemarketing (REPEP) matters. [CONFIRM WITH MEXICAN COUNSEL — current filing channels.]
- India: the Data Protection Board of India.
- EU/UK (in scope): your national data protection authority / the UK ICO.
- United States: the relevant state Attorney General and/or the California Privacy Protection Agency, as applicable.
14. Data retention
We keep personal data only as long as needed for the purposes above, then delete or anonymize it. Our retention windows:
| Data | Retention |
|---|---|
| Cold-call audio recordings | Purged at approximately 90 days. |
| Live transcript segments | Retained 12 months, then purged. |
| Uploaded call records and metadata (real_calls) | Retained 12 months, then purged. |
| Post-call AI transcript and AI assessments | Retained for a finite period of [RETENTION PERIOD — DECISION REQUIRED, e.g., 12 months], then purged on a defined schedule. |
| Suppression / opt-out records | Retained as long as needed to honor your opt-out. |
| Compliance / dispute records | Retained as required by law. [CONFIRM.] |
⚠️ REMEDIATION REQUIRED (do not publish a retention figure 8x cannot meet): at the time of this draft, the post-call accurate-transcript data and AI assessments are not yet purged on a schedule (effectively indefinite). 8x commits to implementing a finite, scheduled purge for this data and must build the purge job before this notice goes live so the stated retention is true. [ENGINEERING — IMPLEMENT PURGE; DECISION REQUIRED — confirm the exact period.]
15. Cookies and tracking (website)
Our website uses only first-party, essential and functional cookies (e.g., authentication session, display-locale preference, and limited internal-tooling cookies). We do not use analytics or advertising trackers, so no consent banner is required; this is disclosure only. [VERIFY no third-party edge trackers on the live site.] For full detail, see cookie-notice.md.
16. Changes to this notice
We may update this notice. The current version and its date appear at the top. Material changes will be reflected at the published URL (Section 0). [CONFIRM change-notification approach.]
Cross-references: see sub-processors.md (recipients and regions), internal-compliance-artifacts.md (Brazil/EU LI basis + roles & contacts roster), cookie-notice.md (cookies), and call-recording-disclosures.md (the call-disclosure scripts that link to this notice).