Last updated: March 29, 2026
When you sign up, we collect your name, email address, business name, phone number, and billing information (processed by Stripe — we never see your card number). When your AI agent handles calls, we collect caller area codes, call duration, sentiment classification, and AI-generated call summaries. We collect usage metrics (minutes used, SMS sent) for billing purposes.
We do not store raw call audio recordings. We do not store verbatim call transcripts. We do not store full SMS conversation text beyond 30 days. We do not collect or analyze voiceprints or biometric data. We do not store payment card numbers, CVVs, or full card details — Stripe handles all payment data. This is not just policy — it is architecture. Raw call data is never written to our database.
We use your data to provide the Service (routing calls, generating summaries, sending notifications), to process billing, to send transactional emails (call summaries, welcome emails, billing receipts), to improve the Service (aggregate, anonymized usage patterns), and to comply with legal obligations.
Call summaries are automatically deleted after 3 years. SMS logs are automatically deleted after 12 months. Opt-out records are never deleted (legal requirement). Consent timestamps are retained for 4 years minimum (TCPA requirement). These deletions run automatically via scheduled database jobs — no manual action required.
We share data with the following third-party services to provide the Service: Twilio (phone numbers and SMS delivery — your callers' phone numbers are transmitted to Twilio), Vapi (AI voice infrastructure — call audio is processed by Vapi in real time and not retained by us), Supabase (database hosting — your account and call summary data is stored here), Anthropic (AI model API — call transcripts are sent to Claude to generate summaries and immediately discarded), SendGrid (transactional email delivery), and Stripe (payment processing). Each of these services has their own privacy policy. We do not sell your data to any third party. Text messaging originator opt-in data and consent will not be shared with any third parties or affiliates for marketing or promotional purposes.
If your callers opt in to receive SMS messages via your SMB Sidekick AI agent, their consent data is collected and stored solely to deliver the requested messages (business information, scheduling links, call summaries). Consent is obtained via verbal confirmation during an inbound call, by texting START to the business's SMB Sidekick number, or by submitting the opt-in form at smbsidekick.ai/sms-signup. Consent is per-caller, voluntary, and never a condition of completing a call or receiving service. Callers may opt out at any time by replying STOP. Opt-out records are retained permanently as required by law. Message and data rates may apply. Message frequency varies based on caller requests and business owner settings. No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.
If you connect Google Calendar, we store your Google OAuth refresh token encrypted with AES-256 encryption. We use this token only to check calendar availability and create events on your behalf. We do not read your email, contacts, or any data beyond calendar availability. You can disconnect Google Calendar at any time from Settings.
You have the right to access your data (available in your dashboard), to correct inaccurate data (update in Settings), to delete your account and data (contact us — deletion occurs within 30 days), to export your call summary history (available from the Calls page), and to opt out of marketing communications (unsubscribe link in any email). California residents have additional rights under CCPA. Contact us at reviewer@smbsidekick.ai to exercise any of these rights.
All data is transmitted over HTTPS/TLS. Google OAuth tokens are encrypted at rest with AES-256. Our database uses row-level security — your data is isolated from other customers at the database level. We perform regular security audits and follow responsible disclosure practices.
We will notify you by email at least 14 days before material changes to this Privacy Policy take effect. Continued use of the Service after changes constitutes acceptance of the updated policy.
For privacy questions, data requests, or to report a concern, contact our privacy team at reviewer@smbsidekick.ai. We respond to all privacy requests within 10 business days.