Privacy Policy
Last updated: [Effective Date]
This Privacy Policy explains how [Company Legal Name] (“we,” “us”) collects, uses, and shares information in connection with our platform (the “Service”).
Our Roles
For our subscribing businesses’ account information, we act as a data controller. For the end-customer information our business customers collect and manage through the Service (e.g., their leads’ contact details and messages), we act as a processor on that business’s behalf — that business is responsible for the lawful basis and notices for those individuals.
Information We Collect
- Account & business data: name, business name, email, phone, login credentials, tier and settings.
- Billing data: processed by Stripe; we receive limited billing metadata, not full card numbers.
- End-customer (lead) data our customers capture: names, phone numbers, emails, service requests, messages, chat transcripts, call records, and appointment details.
- Consent records: SMS/email opt-in status and proof (timestamp, IP, source) where applicable.
- Usage & technical data: log data, device/browser info, and cookies needed to run the app.
How We Use Information
- To provide, operate, secure, and improve the Service;
- To process payments and manage subscriptions;
- To send transactional messages and, where authorized, marketing/follow-up communications on a customer’s behalf;
- To power the AI receptionist and automations;
- To comply with law and enforce our Terms.
SMS / Text Messaging
Where messaging is enabled, contacts are messaged only with appropriate consent. Recipients can opt out at any time by replying STOP, and can get help by replying HELP. Message and data rates may apply. Consent to receive messages is not a condition of any purchase. SMS originator and consent obligations rest with the sending business under the TCPA and carrier A2P 10DLC rules.
How We Share Information & Subprocessors
We do not sell personal information. We share data with service providers that help us run the Service:
- Supabase — database, authentication, and storage;
- Vercel — application hosting;
- Stripe — payment processing;
- Twilio — SMS and voice;
- Anthropic — AI model for the chat receptionist;
- Resend — transactional/marketing email;
- Cal.com — appointment scheduling;
- Inngest — background job/workflow execution;
- Upstash — rate limiting/caching (if enabled).
We may also disclose information to comply with law or protect rights, and in a business transfer.
Data Retention & Deletion
We retain information for as long as an account is active and as needed to provide the Service or comply with law. Customers may export or request deletion of their data; on account termination we delete or de-identify data after a reasonable retention window, subject to legal requirements.
Security
We use industry-standard safeguards, including encryption in transit (TLS), encryption at rest for sensitive secrets, and database-level tenant isolation (row-level security) so each business’s data is segregated. No method of transmission or storage is 100% secure.
Your Rights
Depending on your location, you may have rights to access, correct, delete, or port your information, or to object to certain processing. Submit requests to [privacy@yourdomain.com]. For end-customer data managed by one of our business customers, please contact that business directly.
Children’s Privacy
The Service is not directed to children under 13, and we do not knowingly collect their information.
Data Location
The Service is operated in the United States; by using it, you understand that your data is processed there.
Cookies
We use strictly necessary cookies for authentication and app functionality. We do not use third-party advertising cookies.
Changes
We may update this Policy; material changes will be communicated and the “Last updated” date revised.
Contact
[Company Legal Name], [Mailing Address], [privacy@yourdomain.com].
This document is a starting template and not legal advice. Have it reviewed by a licensed attorney and complete all [bracketed] fields before relying on it.