Privacy Policy

Midway Rebound is a software service operated by Midway Management, based in Ontario, Canada. This policy explains how we collect and use information from two groups of people: prospects who submit our marketing form, and customers who sign up to use the Midway Rebound product.

• Your name, phone number, email, and any optional fields you provide on our marketing form.
• The time you submitted the form and the IP address it came from.
• An audio recording and transcript of any demo call our AI places to you, with a verbal disclosure at the start of the call.
• Your consent indication (the checkbox you checked when submitting the form).

• Account details: name, email, business name, password (stored as a salted hash).
• Configuration you set up: scripts, business hours, phone numbers, integration keys (encrypted at rest).
• Operational data: leads you ingest, call recordings, transcripts, messages sent, billing events.
• Diagnostic logs that omit personally identifiable information wherever feasible.

• To deliver the service you asked for — placing the demo call, sending follow-up emails or texts, running your account.
• To prevent abuse — rate limits, fraud detection, anti-spam suppression lists.
• To improve the product — aggregate, de-identified metrics. We do not use call transcripts to train AI models.
• To meet legal obligations — CASL consent records, billing records, lawful requests.

We use a small set of vetted processors to operate the service. Each receives only the data needed for its function:

• Vapi — places outbound AI voice calls.
• Anthropic — powers the AI assistant. Anthropic processes call transcripts under their commercial terms and does not train models on them.
• Twilio — delivers SMS and the underlying voice transport.
• Postmark / Resend — delivers email.
• Slybroadcast — delivers ringless voicemail (when enabled).
• Neon — hosts our database.
• Upstash — hosts our job queue.
• Railway / Vercel — hosts our backend and frontend.
• Stripe — processes payments (we never see card numbers).
• Cloudflare — abuse / bot protection on the signup form.
• Sentry — captures error reports with PII scrubbed.

We do not sell personal information. We do not share data with advertisers.

By default we retain raw content (transcripts, recording URLs, message bodies, inbound replies) for 90 days, then blank those fields while keeping non-sensitive row metadata. Customers can configure a shorter retention window in their account settings. Aggregate / de-identified data may be kept longer.

• You can request access to or deletion of your personal data at any time by emailing david@midwaymanagement.ca.
• SMS recipients can reply STOP at any time to opt out — we honour it immediately and add the number to a permanent suppression list.
• Customers can delete their account from the dashboard, which removes all associated leads, recordings, and transcripts.
• If you're in Canada, you have rights under PIPEDA. If you're in the EU/UK, you have rights under GDPR. We will respond to verified requests within 30 days.

We use a single session cookie (lc_session) to keep you signed in. We do not use advertising or analytics cookies.

All traffic is HTTPS. Passwords are bcrypt-hashed. Tenant API keys are encrypted at rest with AES-256-GCM. Webhook payloads are signed where the upstream provider supports signing.

We will update the date at the top when we make material changes and email all account holders if the changes affect them.

Questions or requests: david@midwaymanagement.ca