Last Updated: December 12, 2025

1. Introduction

Callzilla (“we,” “us,” or “our”) is a global business process outsourcing (BPO) provider operating in the United States, Colombia, and South Africa. We are committed to protecting the privacy and security of personal data entrusted to us—whether as a data controller (for our employees, clients, and vendors) or as a data processor/service provider (for end-user data on behalf of our clients).

This Privacy Policy explains how we collect, use, disclose, protect, and manage personal data across all jurisdictions in which we operate. It applies to all individuals whose data we process in connection with our services, websites (including https://www.callzilla.cx), and operations.

By using our services or providing us with personal data, you acknowledge that your information will be processed in accordance with this Policy and applicable data protection laws, including:

  • GDPR (EU),
  • CCPA/CPRA (California, USA),
  • Law 1581 of 2012 and Decree 1377 of 2013 (Colombia),
  • POPIA (Protection of Personal Information Act, South Africa).

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Controller: The entity that determines the purposes and means of processing (Callzilla for its own data).
  • Processor: The entity that processes data on behalf of a controller (Callzilla for end-user data of clients).
  • End Users: Customers or individuals whose data is processed by our clients and handled by Callzilla under client instruction.

3. Scope of Processing

A. As a Data Controller

We process personal data of:

  • Employees: For HR, payroll, compliance, and employment lifecycle management.
  • Clients (B2B): For onboarding, service delivery, billing, and communication.
  • Vendors & Contractors: For procurement and operational support.

B. As a Data Processor / Service Provider

We do not own or control data belonging to your customers (End Users). We process such data only on documented instructions from our clients and do not retain it beyond the term of service unless required by law. We do not use End User data for our own purposes.

4. Types of Data Collected

Depending on context, we may collect:

  • Name, email, phone number, address
  • Job title, company, payment details (clients/vendors)
  • Employment records, ID documents, bank info (employees)
  • IP address, device type, browser, usage data (via cookies and logs)
  • CCTV footage (in Bogotá and other facilities, where deployed)

We do not knowingly collect data from children under 13 (or 16 in certain jurisdictions).

5. Legal Bases for Processing (by Jurisdiction)

Jurisdiction Legal Basis
United States Contract performance, legitimate business interest, and (where applicable) consent under CCPA. As a service provider, processing is governed by client instructions.
Colombia Prior, informed, and express consent (except where law permits otherwise), or contractual necessity.
South Africa (POPIA) Consent, contractual necessity, legal obligation, or legitimate interest.
EU/EEA (GDPR) Contract, legal obligation, legitimate interest, or explicit consent.

6. Use of Personal Data

We use data to:

  • Deliver and improve BPO services
  • Manage employment and vendor relationships
  • Comply with legal and regulatory obligations
  • Secure our systems and prevent fraud
  • Respond to inquiries and support requests
  • (For End Users) Only as instructed by our clients

We do not sell personal data. Under CCPA, we act solely as a Service Provider and do not “share” data for cross-context behavioral advertising.

7. Data Sharing & Third Parties

We may share data with:

  • Affiliates and service providers (e.g., cloud platforms like Microsoft Azure, HubSpot) under strict data processing agreements.
  • Regulators or law enforcement when required by law.
  • Successors in the event of merger, acquisition, or asset transfer (with notice where required).

All subprocessors are vetted for compliance with ISO 27001, SOC 2 Type II, and jurisdictional requirements.

8. International Data Transfers

Personal data may be transferred across borders (e.g., from Colombia to the U.S.). Such transfers comply with:

  • EU Standard Contractual Clauses (SCCs) where applicable,
  • POPIA’s cross-border conditions,
  • CCPA contractual restrictions,
  • And internal safeguards (encryption, access controls, audits).

9. Data Security

We implement technical and organizational measures aligned with ISO/IEC 27001, SOC 2 Type II, and PCI DSS v4.0, including:

  • Encryption at rest and in transit
  • Role-based access controls
  • Regular security testing and audits
  • Incident response protocols

While no system is 100% secure, we maintain commercially reasonable safeguards to protect your data.

10. Data Retention

We retain data only as long as necessary:

  • For employees: Duration of employment + statutory retention periods.
  • For clients/vendors: Duration of contract + legal/regulatory requirements.
  • For End Users: Only during active service engagement (unless law requires longer).

11. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access, correct, or delete your personal data
  • Restrict or object to processing
  • Withdraw consent (where applicable)
  • Receive data in a portable format (GDPR)
  • Opt out of “sales” or “sharing” (CCPA)

To exercise these rights, contact us at infosec@callzilla.cx. We will respond within:

  • 10 business days (Colombia),
  • 30 days (POPIA),
  • 45 days (CCPA — extendable by 45 more if needed).

For Colombian residents: Submit identity verification (CC, passport, or legal authorization) with your request.

12. Cookies & Tracking Technologies

Our website uses:

  • Essential cookies (required for functionality),
  • Analytics cookies (e.g., via Microsoft Power BI),
  • Preference cookies (to remember settings).

You can manage preferences via your browser. By using our site, you consent to cookie use as described.

13. CCTV & Physical Security

We use video surveillance at select facilities (e.g., Bogotá: Av. CRA 19 #82-18) to protect people, property, and assets. Notices are posted at entry points. Footage is retained per local law and not used for automated decision-making.

14. Children’s Privacy 

Our Service does not address anyone under the age of 13. We do not knowingly collect personally identifiable information from anyone under the age of 13.

If You are a parent or guardian and You are aware that Your child has provided Us with Personal Data, please contact Us. If We become aware that We have collected Personal Data from anyone under the age of 13 without verification of parental consent, We take steps to remove that information from Our servers.

If We need to rely on consent as a legal basis for processing Your information and Your country requires consent from a parent, We may require Your parent’s consent before We collect and use that information.

15. Changes to This Policy

We may update this Policy periodically. Material changes will be posted here with a revised “Last Updated” date. We encourage you to review it regularly.

16. Contact Us

For privacy inquiries, rights requests, or concerns, please contact our Data Protection Team:

📧 Email: infosec@callzilla.cx
📍 Addresses:

  • 2901 SW 149 Ave, Suite 480, Miramar, FL 33027, USA
  • Av. CRA 19 #82-18, Bogotá D.C., Colombia

For South African matters under POPIA, our registered Information Officer can be reached at the same email.

This Privacy Policy reflects Callzilla’s commitment to global compliance, operational transparency, and the highest standards of data protection.