BRCKTalk to Us

Legal

Privacy Policy

Effective date: June 17, 2026

Turkana, LLC, a North Carolina limited liability company, doing business as “BRCK” (“BRCK,” “we,” “us,” or “our”), respects your privacy. (BRCK is a trade name of Turkana, LLC.) This Privacy Policy explains what personal information we collect, how we use and disclose it, the choices and rights you have, and how to exercise them. Your use of BRCK’s Services is also subject to our Terms of Service, which incorporate this Privacy Policy. Any capitalized terms we use here without defining them have the meanings given in the Terms of Service.

This Policy applies to personal information we collect through our websites, applications, and Services (collectively, the “Services”). It does not apply to the practices of companies we do not own or control, or to people we do not manage.

1. Our Role: When We Are a Controller/Business vs. a Service Provider/Processor

BRCK is a communications provider, and most of our customers are businesses that route their own end users’ calls, messages, and other communications through our Services. Because of this, we handle two very different populations of personal information, and we play a different role for each. It is important to understand which role applies to a given set of data, because that role determines whose privacy notice and whose instructions govern it.

1.1 When BRCK is a controller / “business”

For the personal information we collect and process for our own purposes— including visitors to and users of our websites, our marketing and communications, our account holders, and our billing and account administration — BRCK acts as a “controller” (and as a “business” under the CCPA/CPRA and equivalent state laws). This Privacy Policy governs that information, and the choices and rights described in this Policy apply to it. Sections of this Policy that describe how we collect, use, disclose, and retain personal information, and the privacy rights you can exercise, are written primarily with this controller/business data in mind.

1.2 When BRCK is a service provider / processor

For the content and metadata of communications that flow through our Services on behalf of a business customer — including the content of calls and messages, call detail records, routing and configuration data, and Customer Proprietary Network Information (CPNI) generated by that customer’s end users — BRCK acts as a “service provider” / “processor” on behalf of that business customer (the controller). We process that end-user data only to provide the Services and only on the documented instructions of the business customer, as set out in the applicable services agreement and Data Processing Addendum (DPA) (see Section 1.3). We do not use that end-user data for our own independent purposes, and we do not sell or share it for cross-context behavioral advertising.

If you are an end user who interacts with a business through services that business provides using BRCK (for example, you place or receive a call or message handled by a BRCK customer), the business — not BRCK — is the controller of your communications data, and you should direct any privacy requests to that business. We will assist our business customers in responding to such requests as required by our agreement with them and applicable law. Where BRCK collects information directly from you for our own purposes, BRCK is the controller and this Policy applies.

1.3 Data Processing Addendum (DPA)

Business customers may enter into, or be covered by, a Data Processing Addendum (DPA)that governs BRCK’s processing of end-user personal information as a service provider/processor, including the subject matter, duration, nature and purpose of processing, the types of personal information and categories of data subjects, and the security, confidentiality, sub-processing, and assistance obligations required by applicable law. Our DPA is published at brck.com/dpa, is available to business customers on request, and is incorporated into the applicable services agreement where executed.

1.4 Sub-processors

To provide the Services, BRCK engages sub-processors— third parties that process personal information on BRCK’s behalf, such as cloud infrastructure and hosting, analytics, customer support, payment processing, and messaging/voice carrier and routing partners. BRCK imposes data-protection obligations on its sub-processors consistent with this Policy and the applicable DPA. A current list of BRCK’s sub-processors is maintained and made available at brck.com/sub-processors, together with a change-notification commitment for business customers. References elsewhere in this Policy to specific analytics, advertising, and other vendors are addressed through this maintained sub-processor list rather than by naming each vendor inline.

2. Personal Information We Collect

2.1 Information you provide to us

When you create a BRCK account or use the Services, you provide personal information such as your name, email address, phone number(s), password, billing and payment information, place of employment, time zone, and any profile information or images you upload.

If you provide third-party account credentials or sign in through a third-party service (such as Microsoft 365 or Google), some information from those accounts (“Third Party Account Information”) may be transmitted into your BRCK account if you authorize it. That information is covered by this Policy. BRCK’s use and transfer to any other app of information received from Google Accounts will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

You can choose not to disclose certain information to us, but some information is necessary to register or to use particular features.

2.2 Information we collect automatically as you use the Services

  • Device and session information. Your IP address, device IDs and other unique identifiers, cookie and similar-technology data, browser and device type, and the page or feature you requested. We use this to deliver, customize, and improve the Services.
  • Usage information. How often and for how long features are used, navigation patterns, and product/service preferences. To the extent we use analytics or related vendors to help with this, those vendors are identified through our maintained sub-processor list (see Section 1.4).

2.3 Telephony and communications information

As a communications provider, we maintain customer call records such as the time, duration, and the called/calling party number, and information about the routing and configuration of your Services. Like other telephony services, we may maintain temporary copies of call audio for up to 48 hours for quality assurance. For voice and VoIP/E911 functionality, we may collect and use your registered service address and geographic location for call routing and emergency-services purposes.

2.4 Sources of personal information

We collect personal information (a) directly from you, (b) automatically from your devices and use of the Services, (c) from third-party services you connect or sign in through, and (d) from service providers and partners that help us operate, secure, and improve the Services.

3. Categories of Personal Information (state-law disclosure)

For the purposes of US state privacy laws, the categories of personal information we collect, the sources, the business/commercial purposes, and the categories of third parties to which we disclose them are summarized below.

CategoryExamplesSourcesPurposeDisclosed to
IdentifiersName, email, phone number, account ID, IP address, device IDsYou; automatic; connected accountsAccount, delivery of Services, securityService providers; as required by law
Customer records / financialBilling and payment information, place of employmentYouBilling, account managementPayment processors
Commercial informationServices purchased/used, preferencesYou; automaticDelivery and improvement of ServicesService providers
Internet/network activityBrowsing/usage data, cookies, analyticsAutomaticAnalytics, improvement, advertisingAnalytics & advertising partners
GeolocationRegistered/service address; coarse location for routing & E911You; automaticCall routing, emergency servicesRouting & emergency-services partners; as required by law
Telephony / CPNICall detail records, routing/config, temporary call audio (≤48 hrs)Your use of the ServicesService delivery, QA, fraud preventionAs permitted by 47 U.S.C. § 222; as required by law
Sensitive personal informationAccount credentials, precise geolocation, contents of communications, government IDs/payment data (to the extent collected)You; automaticAuthentication, delivery of Services, fraud preventionLimited; see Section 8
Audio/electronicCall audio (temporary QA copies)Your use of the ServicesQuality assuranceService providers under contract

We do not knowingly collect personal information from children (see Section 10).

4. How We Use Personal Information

We use personal information to:

  • Deliver the Services, including placing and receiving voice calls, sending and receiving messages, and determining your geographic location for efficient call routing and emergency services;
  • Manage your account and billing, enable secure login and single sign-on, and allow authorized third-party integrations;
  • Prevent, detect, and investigate prohibited or illegal activity, including fraud and violations of our Terms of Service and Acceptable Use Policy;
  • Improve and validate the Services, including securely sharing information with contractors who perform this work on our behalf;
  • Communicate with you about the Services and, where permitted, send promotional communications. You can opt out of marketing emails at any time using the unsubscribe link in our emails or by contacting us.
  • Operate, develop, and improve our products, services, and AI/ML models using de-identified and aggregated data, as described in Section 4.1.

4.1 De-identified and Aggregated Data; AI/ML Development

We may create and use de-identified and aggregated data— data that has been processed so that it cannot reasonably be used to identify, and is not linked or reasonably linkable to, an individual — to operate, secure, analyze, develop, train, and improve our products, services, and artificial-intelligence and machine-learning models. We maintain such data in de-identified or aggregated form and do not attempt to re-identify it, except as permitted by law to test that our de-identification is effective.

5. How We Disclose Personal Information

  • Service providers and sub-processors. We use other companies and people to perform tasks on our behalf (for example, payment processing, hosting, analytics, and customer support). They may use the information only as necessary to provide services to us and not for their own marketing. A current list of our sub-processors is maintained and made available as described in Section 1.4.
  • Analytics and marketing providers. To the extent we use cookies and similar technologies (such as web analytics) on our own websites, any analytics or marketing providers we engage act as our service providers: they are contractually permitted to process the information only to provide services to us and are barred from using it for their own purposes, so these engagements do not constitute a “sale” or a “share” for cross-context behavioral advertising. Any such providers are addressed through our maintained sub-processor list (see Section 1.4).
  • Business transfers. If we (or our assets) are acquired, or if we enter bankruptcy or another change of control, personal information may be among the assets transferred.
  • Legal and protective purposes. We may access, preserve, and disclose personal information when we believe it is necessary to comply with law; to respond to lawful requests, court orders, or subpoenas; to enforce our agreements; or to protect the rights, property, or safety of BRCK, our users, or others.

We do not sell your personal information, and we do not share it for cross-context behavioral advertising, and we have no plans to do so. Any analytics or marketing providers we engage are contractually barred from using personal information for their own purposes.

6. Cookies and Tracking Technologies

We and third-party providers use cookies, web beacons, tags, and similar technologies to operate, secure, and analyze the Services and to support advertising. You can change your browser or device settings to limit or block cookies, though some features may not work as a result.

Global Privacy Control (GPC) and universal opt-out signals.We honor recognized universal opt-out preference signals, including the Global Privacy Control (GPC), as a valid request to opt out of the sale and sharing of personal information for the browser or device from which the signal is sent, where required by applicable law. This replaces the prior policy’s statement that the Services did not honor Do Not Track. We will treat Do Not Track signals as disclosed-only where not legally required to be honored.

7. Do Not Sell or Share My Personal Information; Opt Out of Targeted Advertising

As stated in Section 5, BRCK does not sell your personal information and does not share it for cross-context behavioral advertising, and has no plans to do so. We nonetheless make the following opt-out mechanisms available, to the extent applicable, should our practices ever change. Depending on your state and our data practices, you may have the right to opt out of:

  • the sale of your personal information;
  • the sharing of your personal information for cross-context behavioral / targeted advertising; and
  • profiling in furtherance of decisions that produce legal or similarly significant effects.

You can exercise these rights by:

  • visiting our “Do Not Sell or Share My Personal Information” page (opt-out request page, also available on request);
  • enabling the Global Privacy Control (GPC) in your browser (see Section 6); or
  • contacting us at privacy@brck.com or +1 (855) 244-2026.

We will not discriminate against you for exercising any privacy right (see Section 9).

8. Your Privacy Rights and How to Exercise Them

Subject to your state of residence and applicable law, you may have the following rights:

  • Right to know / access— to confirm whether we process your personal information and to obtain a copy and details about our processing.
  • Right to correct— to correct inaccurate personal information.
  • Right to delete— to request deletion of personal information we have collected from you.
  • Right to data portability— to obtain a copy of your personal information in a portable, usable format.
  • Right to opt out of the sale or sharing of personal information and of targeted advertising (see Section 7).
  • Right to opt out of profiling that produces legal or similarly significant effects.
  • Right to limit the use of sensitive personal information (where applicable).
  • Right to non-discrimination for exercising your rights (see Section 9).

8.1 How to submit a request

You may submit a request through any of the following designated methods:

Many account fields can also be reviewed, updated, or deleted directly in your account settings, including: name and password; email address; phone number(s); location and time zone; place of employment; call history (incoming/outgoing number and duration); profile information and uploaded images; billing information; contacts; and connected third-party account information. The fields available may change as the Services change.

8.2 Identity verification

To protect your information, we will take reasonable steps to verify your identity before fulfilling a request, which may require you to confirm information already associated with your account. We do not use verification information for any other purpose.

8.3 Authorized agents

You may use an authorized agent to submit a request on your behalf. We may require the agent to provide proof of authorization and may require you to verify your identity directly or confirm that you authorized the agent.

8.4 Response timelines

We will acknowledge rights requests promptly and respond within the time required by applicable law — generally 45 days under CCPA and most state laws (extendable by an additional 45 days where permitted, with notice), and within the period required by other applicable state laws. There is generally no charge for a request unless it is excessive, repetitive, or manifestly unfounded.

8.5 Appeals

If we decline to act on your request, you may appeal our decision by emailing privacy@brck.comwith the subject line “Privacy Appeal.” We will respond to your appeal within the time required by applicable law (generally 60 days) and explain our decision. If your appeal is denied, you may contact your state Attorney General (or, in California, the California Privacy Protection Agency) to submit a complaint. This appeal right is required by Virginia, Colorado, Connecticut, and other states that follow the Virginia model.

9. Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights, including by denying Services, charging different prices, or providing a different level or quality of Services, except where a difference is reasonably related to the value provided by your data and permitted by law.

10. Children’s Privacy

BRCK does not provide Services designed for children and does not knowingly collect or solicit personal information from children under 13. If we learn we have collected personal information from a child under 13, we will delete it as quickly as possible. If you believe a child under 13 has provided us personal information, contact us at privacy@brck.com.

We also do not knowingly sell or share the personal information of consumers we know to be under 16 without the opt-in consent required by law, and we honor applicable state-law protections for minors.

11. Data Retention

We retain personal information only as long as necessary for the purposes described in this Policy, including to deliver the Services, comply with our legal, tax, accounting, and regulatory obligations, resolve disputes, and enforce our agreements. The criteria we use to determine retention periods include the nature and sensitivity of the data, the purpose for which it was collected, applicable legal/telecom record-keeping requirements, and whether the purpose can be achieved by other means.

  • Temporary call audio retained for QA is deleted after up to 48 hours.
  • Call detail records and CPNI are retained for the period required by applicable telecom law and our legitimate business needs.
  • Following cancellation of your Services or deletion of your account, we will delete and/or anonymize personal information associated with your account unless retention is required by law. We may continue to use anonymized and aggregated data that does not identify you.

12. Telecom Customer Information (CPNI) and Data-Breach Posture

As a communications provider, we handle Customer Proprietary Network Information (CPNI)— such as the type, configuration, destination, and amount of your use of our voice and messaging Services — in accordance with Section 222 of the Communications Act (47 U.S.C. § 222) and applicable FCC rules. We use and disclose CPNI only as permitted by law, including to provide and bill for the Services, prevent fraud, and respond to lawful requests.

In the event of a data breach affecting covered customer information, we will provide notifications as required by applicable law, including the FCC’s breach-notification rules for carriers, interconnected VoIP, and TRS providers (47 CFR § 64.2011 / FCC 23-111), which may require notice to the FCC and federal law enforcement (the FBI and U.S. Secret Service), as well as to affected customers, and which do not impose a mandatory waiting period before customer notice. We will also comply with applicable state breach-notification laws.

13. How We Secure Personal Information

Your account is protected by a password, and we encrypt personal information in transit and at rest using industry-standard encryption. If you sign in through a third party, additional or different protections may apply through that service. You are responsible for protecting your password and limiting access to your devices, including by signing off after use. While we work to protect your information, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

14. State-Specific Privacy Disclosures

This Section describes how this Policy applies under US state comprehensive privacy laws. The rights described in Sections 7–9 are available to residents of states whose laws grant them, subject to that state’s specific requirements and exemptions.

As of the effective date of this Policy, comprehensive consumer-privacy laws are in force in the following states, and we honor the rights they provide to their residents:

  • California (CCPA, as amended by the CPRA)
  • Virginia (VCDPA)
  • Colorado (CPA)
  • Connecticut (CTDPA)
  • Utah (UCPA)
  • Texas (TDPSA)
  • Oregon (OCPA)
  • Montana (MCDPA)
  • Delaware (DPDPA)
  • Iowa (ICDPA)
  • Nebraska (NDPA)
  • New Hampshire (NHDPA)
  • New Jersey (NJDPA)
  • Tennessee (TIPA)
  • Minnesota (MCDPA)
  • Maryland (MODPA)
  • Indiana (ICDPA) — effective January 1, 2026
  • Kentucky (KCDPA) — effective January 1, 2026
  • Rhode Island (RIDTPPA) — effective January 1, 2026

California “Shine the Light.” California residents may request information about our disclosure of personal information to third parties for their direct-marketing purposes. To make such a request, email privacy@brck.com.

Universal opt-out / GPC.Residents of states that require us to honor universal opt-out preference signals — California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, and Texas— may exercise their opt-out of sale/sharing/targeted advertising via the GPC (see Section 6).

Appeals. Residents of states that provide an appeal right (including Virginia, Colorado, Connecticut, and others) may appeal as described in Section 8.5.

15. International Users

The Services are provided from the United States and are intended for users in the United States. We operate under, and this Policy is governed by, United States law. If you access the Services from outside the United States, you understand and agree that your information will be transferred to, stored, and processed in the United States, where data-protection laws may differ from those of your jurisdiction.

BRCK does not offer the Services to, and does not target or monitor, individuals located in the European Union or the United Kingdom, and provisioning of international or EU phone numbers does not constitute an offering of services to EU residents. You are solely responsible for your own compliance with any foreign, EU, or UK data-protection or privacy law that applies to you, and you must not use the Services to target, market to, or monitor individuals located in the EU or UK without your own lawful basis for doing so. If your use of the Services would subject BRCK to the EU GDPR or UK GDPR, contact us before proceeding; BRCK does not currently offer GDPR/UK GDPR transfer terms (such as Standard Contractual Clauses), and any such terms would be added only if BRCK begins serving EU/UK data subjects.

16. Changes to This Policy

We may update this Privacy Policy from time to time. We will alert you to material changes by posting a notice on the BRCK website, by emailing you, and/or by other means. If you have opted out of legal-notice emails (or have not given us your email), those changes still govern your use of the Services. We will review this Policy at least annually. Use of information we collect is subject to the Policy in effect at the time the information is used.

17. How to Contact Us

For general questions or questions about this Privacy Policy:

To exercise your privacy rights or submit a privacy request:

Turkana, LLC d/b/a BRCK
16928 Lancaster Hwy, Suite 109
Charlotte, NC 28277