Privacy Policy
26 Connect is the mobile app of 26 Telecom, a brand of 26 Branding Agency Inc. This policy describes, in plain language, what we collect, why, who we share it with, how long we keep it, and the choices you have.
26 Connast updated: April 25, 2026
26 Connect is a VoIP service. It does not replace a landline and does not guarantee access to 911 / E911. In an emergency, use a traditional phone or a mobile with active cellular service. Automatic location (E911) is not supported.
Our head office is in Montreal, Quebec, Canada. We comply with Quebec Law 25, federal PIPEDA, the EU/UK GDPR when applicable, and the App Privacy (Apple) and Data Safety (Google Play) platform standards.
1. Important: subscriptions are managed outside the app
26 Connect is the runtime interface. Sign-up, plan selection, number purchase, SMS activation, payment, and subscription changes are managed exclusively on 26telecom.com or in your Client area. The mobile app does not present in-app purchases, pricing tiers, or upgrade flows. This is intentional: billing stays in your control inside a certified web environment.
2. Information we collect
2.1 Account identity
First name, last name, email address, password (hashed with bcrypt, never readable by us), company name (optional), contact phone (optional), preferred language.
2.2 Telephony service
Phone numbers (DIDs) assigned to your account, SIP extension identifiers, voicemail box settings (PIN, forwarding email), subscription tier, status, next billing date.
2.3 Communication content
Call metadata (dialed number, inbound number, duration, timestamp, status), SMS content sent and received, voicemail recordings, automated transcriptions generated by our local whisper.cpp instance, never sent to a third-party AI service.
2.4 Address book (on your initiative)
If you choose to import contacts from your device, we store the names, numbers, and emails you submit. The app requests iOS / Android permission before reading the address book.
2.5 Technical data
Push notification tokens (Apple APNs, Google FCM), SIP extension credentials, IP addresses used to connect, device type, OS version, app version, system language.
2.6 Diagnostics
Server logs (HTTP codes, API errors, latency), client-side error logs without personal content. No third-party behavioral analytics tool (Google Analytics, Mixpanel, Amplitude, Firebase Analytics, Crashlytics) is integrated. Firebase is used only to deliver Android push notifications via FCM.
2.7 Financial data (limited)
When you make a payment, you enter your card directly on Moneris's form. No card number, CVV, or expiry ever transits our servers. We retain only the Moneris transaction reference, amount, currency, date, and status.
2.8 Data we do NOT collect
- No biometric data (fingerprint, face, voice).
- No advertising identifier (Apple IDFA, Google AAID).
- No device fingerprinting.
- No GPS, Wi-Fi, or Bluetooth location.
- No cross-app, cross-site, or data-broker tracking.
- No third-party advertising in the app.
- No analytics or behavioral cookies on our website.
3. How we use your information
- Place and route your VoIP calls through FusionPBX and our partner Telnyx.
- Deliver inbound and outbound SMS through Telnyx (when SMS is enabled).
- Notify you of incoming calls even when the app is closed.
- Store and transcribe your voicemails for later review.
- Process recurring payments through Moneris.
- Diagnose technical failures and secure your account.
- Respond to your support requests.
- Comply with legal obligations (taxes, accounting records, lawful authority requests).
We never use your information for targeted advertising, sale to third parties, or training of external AI models.
4. Sharing with third parties
We never sell your personal information. We share it only with the processors required to operate the service.
| Provider | Country | Data transmitted | Reason |
|---|---|---|---|
| Telnyx | United States | Numbers, SMS, audio in transit | Public-network call and SMS routing |
| Apple (APNs) | United States | Device token, call metadata | iOS push and CallKit VoIP |
| Google (FCM) | United States | Device token, call metadata | Android push notifications |
| Moneris | Canada | Card (entered directly), amount, reference | Payment processing |
| OVH Cloud | Canada (Beauharnois, Quebec) | All of the above | Cloud hosting of backend, database, voicemail |
| Hostinger | Lithuania / global CDN | Public marketing pages only | Static hosting of 26telecom.com |
When delivering a call or SMS, certain metadata is transmitted to the recipient's carrier (Bell, Rogers, Telus, AT&T, Verizon, T-Mobile) per public-network standards. We do not control these downstream carriers.
5. Transfers outside Quebec and Canada
Your data is stored primarily in Canada (OVH Beauharnois, Quebec). Telnyx and Apple process some data in the United States. In line with Quebec Law 25 and GDPR, we have assessed the protections offered and imposed contractual safeguards on each processor.
6. Financial data and PCI compliance
Credit card numbers never transit our servers. The payment form is served directly by Moneris, certified PCI-DSS Level 1. We retain only the transaction reference, amount, currency, date, status, last four digits, and a payment token (data_key) that lets us re-charge a recurring payment without re-exposing the card. The token is revoked within 30 days after account closure.
7. Data retention
| Category | Duration |
|---|---|
| Active account | While the account exists |
| Call logs and SMS history | 24 months |
| Voicemail recordings | Until you delete; auto-deleted 12 months after closure |
| Voicemail transcripts | Same rule as recordings |
| Imported contacts | While the account is active |
| Invoices and receipts | 7 years (Revenu Quebec / CRA accounting obligation) |
| Server logs | 90 days |
| Moneris payment token | Revoked within 30 days after closure |
8. Your rights
Under Quebec Law 25, PIPEDA, and GDPR (where applicable), you can:
- Access your personal information and obtain a structured copy (JSON).
- Rectify inaccurate or incomplete information.
- Erase your account and all associated data (subject to the 7-year accounting retention for invoices).
- Withdraw consent at any time.
- Data portability to another provider.
- Object to processing for legitimate reasons.
- Lodge a complaint with the Quebec Commission d'acces a l'information, the Office of the Privacy Commissioner of Canada, or your European supervisory authority.
To exercise these rights, write to privacy@26telecom.com or use our contact form. We respond within 30 calendar days maximum.
Privacy Officer
In line with Quebec Law 25, 26 Branding Agency Inc. designates a Personal Information Officer.
Email: privacy@26telecom.com
9. Security
- In transit: TLS 1.3 on all communications.
- At rest: server disk encryption (LUKS / dm-crypt).
- Passwords: hashed with bcrypt (cost 12), never readable in cleartext.
- Two-factor authentication: available in the Client area (TOTP RFC 6238 plus 8 bcrypt-hashed recovery codes).
- Signing keys: APNs and FCM stored with restricted filesystem access.
- Administrator access: limited to authorized employees, logged.
If a data breach occurs, we will notify you within 72 hours and we will also notify the Quebec Commission d'acces a l'information.
10. Push notifications and CallKit
To alert you of incoming calls even when the app is closed, we send a push notification to your device via Apple APNs (iOS) or Google FCM (Android). The notification contains the calling number and a call identifier, the strict minimum needed to ring your phone via CallKit. No additional data is attached.
11. Mobile app permissions
| Permission | Why | Optional |
|---|---|---|
| Microphone | Capture your voice during a VoIP call | No, required to call |
| Notifications | Alert you to an incoming call or SMS | No, required to receive |
| Contacts | Read the address book if you import contacts | Yes, on your initiative |
| Camera, location, photos | Not used | N/A |
12. Children and teenagers
26 Connect is a product for professionals and small businesses. The service is not intended for persons under 16 (Quebec Law 25 / GDPR) or under 13 (US COPPA, Apple App Store). We do not knowingly collect children's information. If you believe a child has provided us information, write to us and we will delete the account.
13. Cookies and website
- Technical session cookie (keeps you signed in).
- reCAPTCHA v2 invisible on the contact form only, with text attribution under the form button.
- No advertising or analytics cookies. No Google Analytics, no Meta Pixel, no TikTok Pixel.
14. Changes to this policy
We may update this policy. The last-updated date appears at the top. Significant changes will be communicated at least 30 days before they take effect by email to your account address and by notice in the Client area.
15. Contact us
26 Branding Agency Inc. (doing business as 26 Telecom and 26 Connect)
Montreal, Quebec, Canada
- Privacy and Law 25 / GDPR rights: privacy@26telecom.com
- General support, billing, account closure: contact form
- Abuse reports: contact form