Data Policy & CPNI Notice
Last updated: 2026-05-30
This notice describes how we handle Customer Proprietary Network Information (CPNI) and other sensitive customer data. It supplements our Privacy Notice and Terms of Use.
We are a telecom services broker. We are not a carrier ourselves, but we receive and process CPNI from customers (typically through uploaded carrier bills) so that we can source competing quotes from carriers and master agents. We treat that information under the FCC's CPNI safeguard framework at 47 CFR § 64.2001 et seq.
What is CPNI
CPNI is information about the quantity, technical configuration, type, destination, and amount of use of telecom services subscribed to by a customer, plus information from the customer's bill. In this service, your CPNI typically includes:
- Your current carrier and the services you take from them.
- Monthly recurring charge (MRC) and any non-recurring charges.
- Service location, circuit IDs, account numbers, phone numbers.
- Contract term, term-end date, and termination provisions.
- The bill PDF or image itself, when you upload one.
How we use your CPNI (§ 64.2007)
We use your CPNI only to:
- Generate competing quotes for the services described in your bill, when you ask us to.
- Forward your bill or its extracted data to carriers and master agents you authorize us to contact, so they can return a comparable quote.
- Maintain audit and dispute-resolution records required by our agreements with those carriers and master agents.
We do not use your CPNI for marketing, lead enrichment, audience targeting, or sale to third parties.
Your authorization
When you upload a bill or share CPNI in chat, you authorize us to use that information for the purposes above. We record the authorization with the timestamp and the exact text of the consent shown to you at the time of upload, so we can demonstrate the basis on which we processed your data.
You can withdraw your authorization for future processing at any time by emailing us. Withdrawal does not affect (a) processing already in progress for an open RFQ cycle, or (b) retention of records we are required to keep for audit, dispute resolution, or compliance with our carrier agreements.
Safeguards (§ 64.2009)
- Encryption at rest. Bill files and the sensitive extracted fields (vendor, MRC, services, circuit / account identifiers, location) are stored as AES-256-GCM ciphertext under a server-held master key.
- Encryption in transit. TLS to your browser; TLS (STARTTLS where supported) to carriers and master agents on outbound RFQs.
- Access control. Only authorized operators with server-level access can decrypt. Customer-facing interfaces do not have decryption keys.
- Access logging. Every operator-initiated decryption of CPNI is recorded with actor, resource, timestamp, and stated purpose. The log is itself retained as an audit record.
- Third-party processors. AI model providers we use to read bills and generate quotes process your data under enterprise agreements that prohibit training on customer data and require deletion within the provider's retention window.
Authentication for CPNI access requests (§ 64.2010)
If you ask us to share your CPNI with you, with another party you designate, or with law enforcement under valid legal process, we will authenticate you before disclosing. For account holders, authentication is via a signed-in portal session. For unauthenticated requests, we will require out-of-band confirmation (call-back to a number on the bill, or email to an address previously on file) before releasing CPNI.
Breach notification (§ 64.2011)
If we discover that an unauthorized party has accessed CPNI we hold on your behalf, we will:
- Notify the United States Secret Service and the Federal Bureau of Investigation through the FCC's reporting portal as soon as practicable after discovery, and no later than seven (7) business days, in accordance with § 64.2011(b).
- Wait at least seven (7) business days after that notification before notifying you of the breach, unless law enforcement directs an extension, in accordance with § 64.2011(b)(1).
- Maintain a record of the breach, including its date of discovery, the date of notification to law enforcement, and the circumstances, for at least two (2) years.
Retention
We retain CPNI indefinitely as part of the encrypted audit record for each opportunity, consistent with our retention posture under the Privacy Notice. Retention is supported by the legal-claims and transaction-completion exceptions under CCPA § 1798.105(d)(1) and (4) and analogous frameworks, and by our contractual obligations to carriers and master agents.
Your rights
- Request a copy of the CPNI we hold for you (after authentication).
- Request correction of inaccurate CPNI we hold for you.
- Withdraw your authorization for future processing.
- Object to specific uses; we will accommodate where it does not conflict with audit and legal-claims obligations.
Changes
We may update this notice; the “last updated” date at the top reflects the most recent change. Material changes are emailed to active account holders 14 days in advance.
Contact
To exercise any of the rights above, to ask a question about our CPNI handling, or to report a suspected breach, email us at the contact-of-record address visible at the bottom of any RFQ we've sent on your behalf.