Skip to main content

Legal

Privacy Policy

Last updated: May 13, 2026 · Effective date: May 13, 2026

1. Introduction

FLO Standard INC (“FLO Standard,” “PYREXA,” “we,” “us,” or “our”), a corporation registered in the State of Delaware, operates the PYREXA™ AI receptionist platform under the PYREXA brand, including our website at pyrexa.ai, our mobile applications, APIs, and all related services (collectively, the “Service”). PYREXA™ is a trademark of FLO Standard INC.

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our Service. We are committed to protecting your privacy and handling your data in an open and transparent manner. Please read this Privacy Policy carefully. If you do not agree with the terms of this Privacy Policy, please do not access the Service.

2. Information We Collect

2.1 Personal Information

We may collect personally identifiable information that you voluntarily provide when registering for the Service, including but not limited to:

  • Full name and business name
  • Email address and phone number
  • Billing address and payment information (processed securely via Stripe)
  • Job title and role within your organization
  • Account credentials

2.2 Call Data

When calls are handled through the PYREXA platform, we may collect:

  • Caller phone numbers and caller ID information
  • Call recordings and transcriptions (when enabled by the account owner)
  • Call duration, time, and date metadata
  • AI-generated call summaries and extracted action items
  • Voicemail recordings and transcriptions
  • Appointment scheduling data including dates, times, and participant details

2.3 Usage Data

We automatically collect certain information when you access the Service, including:

  • Pages visited, features used, and actions taken within the dashboard
  • API call logs and integration usage patterns
  • Configuration changes and workflow settings
  • Performance metrics and error logs

2.4 Device and Technical Information

We may collect information about the device and connection you use to access the Service:

  • IP address and approximate geolocation
  • Browser type, version, and language preference
  • Operating system and device type
  • Referring URLs and search terms
  • Session identifiers and timestamps

3. How We Use Your Information

3.1 Service Delivery

  • Operate, maintain, and provide the features and functionality of the Service
  • Process and manage incoming calls through our AI receptionist system
  • Generate call transcriptions, summaries, and action items
  • Facilitate appointment scheduling and CRM integrations
  • Process payments and manage subscriptions

3.2 Service Improvement

  • Analyze usage patterns to improve our AI models and call handling accuracy
  • Develop new features and enhance existing functionality
  • Conduct research and analysis to improve user experience
  • Monitor and analyze trends, usage, and activities in connection with our Service

3.3 Communication

  • Send transactional notifications (call summaries, appointment confirmations)
  • Provide customer support and respond to inquiries
  • Send service announcements, updates, and security alerts
  • Deliver marketing communications (with your consent, where required)

3.4 Security and Compliance

  • Detect, investigate, and prevent fraudulent or unauthorized activities
  • Enforce our Terms of Service and other agreements
  • Comply with legal obligations and respond to lawful requests
  • Protect the rights, privacy, safety, and property of PYREXA, our users, and the public

4. Call Recording and AI Processing

PYREXA uses artificial intelligence to answer, route, and manage phone calls on behalf of our customers. It is important that you understand how this technology interacts with your data:

4.1 AI-Powered Call Handling

Our AI receptionist processes voice data in real time to understand caller intent, provide responses, schedule appointments, and route calls. Voice data is processed by our AI models and may be temporarily stored in memory during the call for context continuity.

4.2 Call Recording

Call recording is an optional feature controlled by the account owner. When enabled, recordings are stored securely and encrypted at rest. Account owners are responsible for ensuring compliance with applicable call recording laws, including two-party consent requirements in their jurisdiction. PYREXA provides configurable disclosure announcements that can be played at the start of each call.

4.3 Transcription and Analysis

Calls may be transcribed using speech-to-text technology. These transcriptions are used to generate summaries, extract action items, and improve service quality. Transcription data is associated with the customer's account and subject to the same access controls and retention policies as other account data.

4.4 AI Model Training

We may use anonymized and aggregated call data to improve our AI models. Individual call recordings or personally identifiable call data are never used for model training without explicit written consent from the account owner. Enterprise customers may opt out of all data use for model improvement.

5. HIPAA Compliance

PYREXA offers HIPAA-compliant configurations for healthcare customers who handle Protected Health Information (PHI). The following provisions apply to accounts operating under a signed Business Associate Agreement (BAA):

  • Business Associate Agreement. Healthcare customers must execute a BAA with PYREXA prior to transmitting any PHI through the Service. PYREXA will not knowingly process PHI without a BAA in place.
  • PHI Safeguards. All PHI processed through the Service is encrypted in transit (TLS 1.3) and at rest (AES-256). Access to PHI is restricted to authorized personnel and subject to audit logging.
  • Minimum Necessary Standard. Our AI systems are designed to collect and process only the minimum amount of PHI necessary to perform the requested service functions.
  • Breach Notification. In the event of a breach of unsecured PHI, PYREXA will notify the affected customer without unreasonable delay and no later than 60 days after discovery, as required by the HITECH Act.
  • Subcontractor Obligations. All third-party service providers who may access PHI on our behalf are bound by equivalent confidentiality and security obligations through their own BAAs.
  • Data Segregation. PHI for HIPAA-covered accounts is logically segregated from non-HIPAA account data and subject to enhanced access controls and audit procedures.

Healthcare customers should contact us at [email protected] to initiate the BAA process and discuss HIPAA-specific configurations.

6. Data Sharing and Third Parties

We do not sell your personal information. We may share your information in the following circumstances:

SMS / Mobile Information Sharing. No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. All other categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

6.1 Service Providers

We engage trusted third-party companies to perform services on our behalf, including payment processing (Stripe), cloud infrastructure (AWS), telephony services (Twilio/Vapi), analytics, and customer support tools. These providers are contractually obligated to protect your data and may only use it to perform services for us.

6.2 Customer-Directed Integrations

When you connect third-party services through our integration features (e.g., Google Calendar, CRM platforms, EHR systems), data will be shared with those services as directed by you. These integrations are governed by the third party's own privacy policies.

6.3 Legal Requirements

We may disclose your information if required to do so by law, or if we believe in good faith that such action is necessary to comply with a legal obligation, protect and defend our rights or property, prevent fraud, or protect the personal safety of users or the public.

6.4 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or uses of your personal information.

7. Data Retention

We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy. Specific retention periods are as follows:

Data TypeRetention Period
Account informationDuration of account plus 30 days after deletion
Call recordings90 days by default; configurable by account owner (30–365 days)
Call transcriptionsSame as call recordings, or as configured
Call metadata (logs)1 year from call date
Billing and payment records7 years (tax and legal compliance)
Usage analytics2 years in identifiable form; indefinitely in aggregated form
Support correspondence3 years from resolution date
HIPAA/PHI data6 years or as required by applicable law, whichever is longer

Upon account deletion, we will remove or anonymize your personal information within 30 days, except where retention is required by law or for legitimate business purposes (such as fraud prevention or financial record-keeping).

8. Your Rights

Depending on your location, you may have certain rights regarding your personal information. These may include:

  • Right of Access. You may request a copy of the personal information we hold about you.
  • Right to Rectification. You may request that we correct any inaccurate or incomplete personal information.
  • Right to Deletion. You may request that we delete your personal information, subject to certain exceptions (e.g., legal retention requirements).
  • Right to Data Portability. You may request a machine-readable copy of your personal information to transfer to another service.
  • Right to Restrict Processing. You may request that we limit our processing of your personal information in certain circumstances.
  • Right to Opt Out. You may opt out of marketing communications at any time by clicking the “unsubscribe” link in any marketing email, or by contacting us directly.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days, or within the timeframe required by applicable law.

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) provides you with additional rights regarding your personal information:

  • Right to Know. You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you in the preceding 12 months, the categories of sources from which the information was collected, the business purpose for collecting the information, and the categories of third parties with whom we share the information.
  • Right to Delete. You have the right to request deletion of your personal information, subject to certain statutory exceptions.
  • Right to Correct. You have the right to request correction of inaccurate personal information.
  • Right to Opt Out of Sale/Sharing. PYREXA does not sell personal information nor share it for cross-context behavioral advertising purposes. If this practice changes, we will provide a “Do Not Sell or Share My Personal Information” link on our website.
  • Right to Limit Use of Sensitive Personal Information. You may direct us to limit the use and disclosure of your sensitive personal information to what is necessary to perform the Service.
  • Non-Discrimination. We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To submit a request, contact us at [email protected] or call us at our toll-free number. We may need to verify your identity before processing your request. You may designate an authorized agent to make a request on your behalf.

10. EU Data Rights (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following additional rights under the General Data Protection Regulation (GDPR):

  • Legal Basis for Processing. We process your personal data based on one or more of the following legal bases: performance of a contract (to provide the Service), legitimate interest (to improve and secure the Service), consent (for marketing and optional features), and legal obligation (for compliance purposes).
  • Right to Object. You have the right to object to our processing of your personal data based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
  • Right to Lodge a Complaint. You have the right to lodge a complaint with your local data protection authority if you believe our processing of your personal data violates the GDPR.
  • Data Protection Officer. You may contact our Data Protection Officer at [email protected].

For EU customers, FLO Standard INC acts as the data controller. Where we process data on behalf of our customers (e.g., call data from their callers), we act as a data processor under the terms of our Data Processing Agreement (DPA), available upon request.

11. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete such information promptly. If you believe that we may have collected information from a child under 18, please contact us at [email protected].

12. International Data Transfers

PYREXA is based in the United States, and your information may be processed and stored in the United States or other countries where our service providers operate. If you are located outside the United States, please be aware that information may be transferred to, stored, and processed in jurisdictions that may not provide the same level of data protection as your home jurisdiction.

For transfers of personal data from the EEA, UK, or Switzerland to the United States, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional technical and organizational measures where appropriate. We also monitor developments regarding the EU-U.S. Data Privacy Framework and will certify under it if and when applicable.

13. Security Measures

We implement industry-standard technical and organizational measures designed to protect your personal information, including:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Role-based access controls with multi-factor authentication for internal systems
  • Regular penetration testing and vulnerability assessments
  • SOC 2 readiness on AWS-audited infrastructure
  • 24/7 monitoring and intrusion detection systems
  • Employee security training and background checks for personnel with access to customer data
  • Incident response procedures with defined escalation paths
  • Regular backup procedures with encrypted off-site storage

While we strive to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to maintaining and continuously improving our security posture.

14. Cookie Policy

We use cookies and similar tracking technologies to enhance your experience on our Service:

14.1 Essential Cookies

These cookies are necessary for the Service to function and cannot be switched off. They include session cookies, authentication tokens, and security cookies. They do not store any personally identifiable information beyond what is necessary for session management.

14.2 Analytics Cookies

We use analytics cookies (such as those provided by Google Analytics and Mixpanel) to understand how visitors interact with our website. These cookies collect information in an aggregated form to help us improve the Service. You can opt out of analytics cookies through your browser settings or through our cookie consent manager.

14.3 Functional Cookies

These cookies enable enhanced functionality and personalization, such as remembering your preferences and settings. If you do not allow these cookies, some features may not function properly.

14.4 Managing Cookies

Most web browsers allow you to control cookies through their settings. You can set your browser to refuse all or some cookies, or to alert you when cookies are being sent. Please note that if you disable cookies, some parts of the Service may not function properly.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by email (sent to the address associated with your account) and/or by posting a prominent notice on our website at least 30 days prior to the changes taking effect. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

FLO Standard INC (operating as PYREXA™)

Privacy Team

Email: [email protected]

Data Protection Officer: [email protected]

HIPAA Inquiries: [email protected]

Registered in the State of Delaware, United States