Vendor Data Privacy Policy for Debt Call Transfers
Effective Date: Jan 1, 2025
Version: 1.0
1. Purpose
This Vendor Data Privacy Policy outlines the data protection and privacy obligations of all vendors who process, transfer, or access personal data related to debt collection calls on behalf of InsureFi (“Company”). This includes voice recordings, call metadata, account references, and personally identifiable information (PII) associated with debtors.
2. Scope
This policy applies to all third-party vendors, service providers, contractors, and agents (“Vendors”) who participate in the handling, transfer, processing, or storage of data related to outbound or inbound debt collection calls.
3. Definitions
- Personal Data (PII): Any information that relates to an identified or identifiable individual, including but not limited to name, phone number, account number, address, or audio recordings.
- Debt Call Transfers: The act of redirecting, forwarding, or otherwise transferring a phone call or call data involving a consumer with outstanding debt.
- Processing: Any operation performed on personal data, whether or not by automated means (e.g., collection, storage, use, disclosure, transfer).
4. Data Handling Requirements
4.1 Data Minimization
Vendors must access and process only the minimum amount of data necessary to complete the purpose of the debt call transfer.
4.2 Lawful Processing
All personal data must be processed lawfully, fairly, and transparently, in accordance with applicable data protection laws (e.g., GLBA, FCRA, FDCPA, GDPR, CCPA).
4.3 Call Transfer Controls
- Vendors must not transfer debt-related calls or call recordings to unauthorized recipients or jurisdictions without prior written consent from the Company.
- All call transfers must be logged with the date, time, agent ID, call recipient, and reason for the transfer.
5. Data Security
5.1 Technical Safeguards
- Use encrypted communications (e.g., TLS/SSL) for call transfer systems.
- Store call recordings and metadata in encrypted environments.
- Enforce access controls through role-based permissions and multi-factor authentication.
5.2 Physical Security
Vendors must implement safeguards at physical sites where call data is accessed or stored, including secure access controls, surveillance, and visitor logging.
5.3 Breach Notification
Vendors must notify the Company within 24 hours of discovering any suspected or actual data breach involving debt call information.
6. Data Retention and Destruction
- Call recordings and associated metadata must be retained only as long as necessary to fulfill contractual or legal obligations.
- Upon termination of the contract or upon the Company’s request, Vendors must securely delete or return all personal data.
7. Subprocessors
Vendors may not engage any subprocessors to handle call data without prior written approval from the Company and must ensure all subprocessors comply with this policy.
8. Audits and Compliance
The Company reserves the right to audit Vendors’ systems and processes related to debt call transfers at reasonable intervals to verify compliance with this policy.
9. Employee Training
Vendors must ensure that employees with access to call transfer systems are trained in:
- Data protection principles
- Secure handling of sensitive consumer information
- Recognizing and reporting potential privacy risks
10. Regulatory and Contractual Compliance
Vendors must comply with all relevant laws, including but not limited to:
- Fair Debt Collection Practices Act (FDCPA)
- Gramm-Leach-Bliley Act (GLBA)
- Telephone Consumer Protection Act (TCPA)
- State and international privacy laws (e.g., CCPA, GDPR)