Privacy Policy

We provide AI-powered phone receptionist services to businesses ("Customers"). Two groups are covered by this Policy:

• Customers — businesses that sign up for an account and use our platform to operate an AI receptionist. We act as the data controller for Customer account data.
• Callers — end-users who call a phone number operated by one of our Customers. For caller data captured during a call (transcripts, phone numbers, booking details), we act as a data processor on behalf of the Customer who operates that number.

From Customers

• Account information: name, email address, business name, phone number, billing address.
• Authentication data: Firebase Authentication user ID, password hash (we never see your raw password).
• Payment information: processed entirely by Stripe; we store only a Stripe customer ID and subscription status, never card numbers.
• Configuration data: AI prompt settings, business hours, appointment durations, knowledge base files you upload, contact phone numbers.
• Connected calendar data: if you connect a Google Calendar, we receive an OAuth refresh token (encrypted at rest), your Google account email, and free/busy intervals at the time of each availability check. See Section 4 for details.
• Usage data: log entries describing your interactions with the dashboard (page views, API requests, error events), IP address, browser type, and timestamps.

From Callers (collected on behalf of our Customers)

• Phone number (caller ID), where available.
• Call audio streamed in real time to our voice AI provider. Audio is not retained after the call ends.
• Call transcripts — text transcription of the conversation between caller and AI.
• Booking details mentioned during the call (name, requested time, notes).
• Twilio call metadata (start/end time, duration, call SID).

Automatically collected

• Cookies and similar technologies used for authentication session management. We do not use third-party advertising or behavioral tracking cookies.

We use information to:

• Operate, maintain, and improve the Services;
• Authenticate Customer accounts and authorize access;
• Process payments and manage subscriptions through Stripe;
• Place and receive phone calls on behalf of Customers via Twilio;
• Generate AI voice responses and transcripts using ElevenLabs and Anthropic;
• Read and write Customer calendar availability via Google Calendar to schedule confirmed appointments;
• Send transactional SMS notifications (call summaries, appointment confirmations) via Twilio to Customers and, where applicable, to callers;
• Detect, investigate, and prevent fraud, abuse, and security incidents;
• Comply with legal obligations and enforce our Terms of Service.

We do not sell your personal information, we do not use it to train third-party AI models outside of the immediate processing required to deliver the Services, and we do not use it for advertising.

Our use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Scopes we request

• auth/calendar.readonly — to read free/busy intervals on the Customer's primary calendar so the AI can quote real availability.
• auth/calendar.events — to create confirmed appointment events on the Customer's calendar after a call.
• auth/userinfo.email — to display which Google account is connected in the Customer dashboard.

How we use Google data

• We read busy times only at the moment they are needed (immediately before a call to compute available slots, and immediately before creating an event).
• We create calendar events only in response to a confirmed booking detected during a call.
• We do not modify, delete, or read events outside the ones our application creates.
• We do not share Google user data with third parties for advertising, analytics, or any purpose unrelated to delivering the Services.
• We do not use Google user data to train artificial intelligence or machine learning models.
• Refresh tokens are encrypted at rest using AES-256-GCM. Customers can disconnect at any time from the dashboard, which immediately removes our stored credentials.

Revoking access

You may revoke our access at any time by clicking Disconnect Google Calendar in your dashboard, or by visiting myaccount.google.com/permissions.

We share information only with the service providers required to operate the Services, and only to the extent necessary. We do not sell or rent personal information.

Service providers (sub-processors)

• Google LLC — Firebase Authentication, Firestore database, Cloud Storage, Google Calendar API.
• Twilio Inc. — phone number provisioning, voice call routing, SMS delivery.
• ElevenLabs, Inc. — real-time AI voice synthesis and speech-to-text during calls.
• Anthropic PBC — post-call analysis (summary generation, booking detection) using the Claude API.
• Stripe, Inc. — payment processing and subscription management.
• Railway Corp. — application hosting infrastructure.
• Amazon Web Services, Inc. — file storage (S3) for uploaded knowledge base documents.

Legal disclosures

We may disclose information when required by law, subpoena, or court order, or when we believe in good faith that disclosure is necessary to protect rights, property, or safety.

Business transfers

If we are involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will notify you (via email or a notice on the Services) before your information becomes subject to a different privacy policy.

When a caller dials a phone number operated by one of our Customers, the call is answered by an AI receptionist. The conversation is transcribed in real time and stored for the Customer's review.

Recording and transcription laws vary by U.S. state and country (one-party vs. two-party consent). The Customer who operates the phone number is solely responsible for providing any legally required disclosure or consent at the start of a call. We provide configuration tools to support this but do not enforce it on the Customer's behalf.

Callers who wish to have their transcript or contact information removed should contact the Customer they called. If you cannot reach the Customer, contact us at privacy@automationly.ai and we will route the request appropriately.

We retain Customer account data for the duration of your subscription and for a reasonable period thereafter as required for legal, accounting, or legitimate business purposes (typically up to 24 months).

Call transcripts and booking records are retained for as long as the Customer's account is active, unless the Customer instructs otherwise. Real-time call audio is not retained — only the resulting transcript is stored.

Upon written request following account termination, we will delete or anonymize your data within thirty (30) days, subject to any legal retention obligations.

Depending on your location, you may have rights under laws such as the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA/CPRA), and similar state privacy laws. These may include the right to:

• Access the personal information we hold about you;
• Request correction of inaccurate information;
• Request deletion of your information;
• Object to or restrict certain processing;
• Receive a portable copy of your information;
• Withdraw consent (where processing is based on consent);
• Lodge a complaint with a supervisory authority.

To exercise these rights, email privacy@automationly.ai. We will respond within the timeframe required by applicable law (typically 30–45 days).

California residents: we do not "sell" personal information as defined by the CCPA, and we do not "share" it for cross-context behavioral advertising.

We implement administrative, technical, and physical safeguards designed to protect your information, including:

• HTTPS/TLS for all data in transit;
• Encryption at rest for sensitive credentials (e.g., Google Calendar refresh tokens are encrypted with AES-256-GCM);
• Authentication and access controls scoped per organization;
• Use of vetted, SOC 2 / ISO 27001-certified infrastructure providers;
• Routine review of access logs and dependency vulnerabilities.

No system is completely secure. If you believe your account has been compromised or you identify a vulnerability, contact us immediately at privacy@automationly.ai.

We are based in the United States, and our service providers may process information in the U.S. or other countries. If you access the Services from outside the United States, you understand that your information will be transferred to, stored, and processed in the U.S. and other jurisdictions where data protection laws may differ from those in your country.

The Services are intended for businesses and adult users. We do not knowingly collect personal information from anyone under 16. If you believe a minor has provided us with personal information, contact us at privacy@automationly.ai and we will take appropriate steps to delete it.

We use a small number of strictly necessary cookies and local-storage entries to keep you signed in to the dashboard and to remember preferences. We do not use third-party advertising cookies, behavioral tracking, or cross-site identifiers.

The Services may contain links to third-party websites or services (e.g., Stripe billing portal, Google account permissions page). We are not responsible for the privacy practices of those third parties. We encourage you to review their policies.

We send transactional SMS messages (account, billing, and call-related notifications) via Twilio. We do not send marketing SMS without separate, explicit opt-in. Standard message and data rates may apply. Reply STOP to opt out of further messages from any of our numbers; reply HELP for assistance.

We may update this Privacy Policy from time to time. When we do, we will revise the "Last Updated" date at the top of this page. Material changes will be communicated by email or a notice in the dashboard. Your continued use of the Services after a change constitutes acceptance of the updated Policy.

For privacy questions, requests, or complaints, contact:

Automationly AI, LLC
Privacy: privacy@automationly.ai
Support: support@automationly.ai

Automationly AI, LLC is a Florida limited liability company.