Privacy Policy

Effective date: September 2, 2025
simplifyAi. Based in Beverly, MA, USA.
Contact: info@simplifyai.solutions

1) Scope & Roles

Scope: This policy covers our website, sales/marketing, and delivery of automation services (AI phone/email agents, booking, CRM updates, invoicing, etc.).
Controller vs Processor:
- We act as Controller for our own website, analytics, billing, and sales operations.
- We act as a Processor/Service Provider for client data processed inside workflows we build/operate. The client is the Controller for that data.
Territory: We serve US clients but may process data globally via trusted sub‑processors.

2) Data We Collect

A. Website & Marketing

Identifiers: name, email, phone, company, role; UTM/referrer.
Device/usage: IP address, pages viewed, timestamps, cookies/SDKs, approximate location.
Preferences: services of interest, meeting times.

B. Sales & Support Communications

Emails, messages, meeting recordings/transcripts/notes.
Prospect sources: forms you submit, events, referrals, publicly available business info.

C. Service Delivery (Client Projects)

End‑customer data necessary for automations you ask us to run (e.g., names, emails/phones, booking details, ticket/CRM records, order IDs, invoice status, social handles, limited content for templating).
AI/Voice/SMS: call audio (if enabled), voicemails, AI/chat transcripts, metadata (numbers, call length), SMS/MMS content.
Credentials & Keys: OAuth tokens, API keys, webhooks—stored in secure secrets vaults or in client‑owned platforms.
Payments: billing contact, invoice history. We do not collect full card numbers; payments are handled by third‑party processors.

D. Sensitive Data

We do not intentionally collect health, biometric, or precise geolocation data. Do not send PHI/PCI/SSN unless we have a signed agreement (e.g., BAA) and a documented compliant architecture.

3) Sources of Data

Directly from you (forms, emails, calls, contracts, uploads).
Your systems we connect (e.g., Google Workspace, CRM, Calendly/Cal.com, Slack, Notion, Shopify, QuickBooks/Stripe, Airtable/Sheets).
Third parties: referral partners, public business listings, social platforms, analytics.

4) Why We Use Data (Purposes)

Provide, operate, and monitor automations and related services.
Configure integrations, test/recover workflows, and deliver support.
Communicate about proposals, updates, invoices, and security notices.
Improve reliability and quality (debugging, logs, analytics, A/B tests).
Detect, prevent, and respond to fraud, abuse, and security issues.
Legal/regulatory compliance and recordkeeping.
With consent: marketing messages; testimonials/case studies.

5) Legal Bases (where applicable)

Performance of a contract; legitimate interests in running our business and securing systems; consent (for optional uses); compliance with law.

6) Cookies, Analytics & Ads

We use essential cookies for site functionality and security.
We use analytics (e.g., traffic, conversions) and may run retargeting ads. A banner and/or settings page lets you manage non‑essential cookies where required.
“Do Not Track” signals are not standardized; we honor applicable state/global opt‑out signals where required by law.

7) AI/LLM Use & Model Training

We use third‑party AI providers (e.g., for speech, chat, summarization) via API.
We configure providers not to use client data for model training where such controls exist, or we sign appropriate data processing terms.
We do not permit providers to use your client data for their marketing.
Fine‑tuning or dataset creation with client data occurs only with written approval and a documented data protection plan.

8) Call Recording & Telephony

Some workflows can record calls or store transcripts/voicemails. We only enable recording with notice and any consents required under applicable law.
Caller ID, numbers, timestamps, and SMS content may be stored to deliver/monitor the service.

9) Disclosures & Sub‑processors

We share data only as needed, under contract:

Infrastructure & DevOps: cloud hosting, backups, observability, error logging.
Automation & Integrations: n8n/Make/Zapier, webhook relays, RPA/ETL tools.
Productivity & Datastores: Google Workspace, Airtable/Sheets, Notion.
Comms: email, calendar, helpdesk, chat, telephony/SMS.
AI/ML: speech‑to‑text, text‑to‑speech, LLM inference.
Payments & Accounting: invoicing, payment processing, bookkeeping.
Compliance/Security: security scanning, access management, e‑signature.
We maintain a current list of key sub‑processors (request at contact@simplifyai.solutions). We require appropriate data protection terms and safeguard cross‑border transfers (e.g., SCCs where applicable).

10) Retention

Website analytics & marketing events: up to 26 months.
Sales/CRM records: up to 3 years after last interaction.
Client project data & logs (including AI transcripts/recordings): 90–180 days after project end, unless you request a different period or law requires longer.
Credentials/tokens: for the life of the engagement; deleted/revoked at termination.
Invoices and corporate records: as required by law (typically 7 years).

11) Security

TLS in transit; encryption at rest where supported by platform.
Least‑privilege access, role‑based controls, mandatory MFA for admins.
Segregated environments for staging/production; secrets vault; key rotation.
Monitoring, rate‑limits/quotas, retries with dead‑letter queues; audit logs.
Vendor due diligence and contractual security commitments.
Incident response plan; we will notify you and regulators where legally required.

12) Your Privacy Rights

Depending on your location, you may request:

Access/Portability (a copy of your data), Correction, Deletion.
Opt‑out of targeted advertising, “sale”/“sharing” of personal info, and certain profiling/automated decisions.
Limit use of sensitive personal information.
Withdraw consent for optional processing.
How to exercise: email contact@simplifyai.solutions. We may need to verify your identity and request details to locate data. Authorized agents may submit requests where permitted.

13) Children’s Privacy

Our services are for businesses and individuals 13+. We do not knowingly collect personal data from children under 13.

14) International Transfers

When we transfer personal data internationally, we use lawful mechanisms (e.g., SCCs) and require comparable protections from our vendors.

15) Client Responsibilities (When We Are Processor)

Provide us only the minimum data needed for the workflows.
Obtain and document required consents/authorizations from your users/customers (e.g., call recording, SMS marketing).
Configure retention and redaction settings that match your policies.
Keep your platform terms current (e.g., privacy notice, SMS terms) and maintain law‑compliant opt‑in/opt‑out flows.

16) Data Minimization & Optional Redaction

We aim to store the least amount of personal data necessary.
Optionally enable PII redaction in logs/transcripts and shortened retention per workflow.

17) Third‑Party Links

Our site and deliverables may link to third‑party sites/tools. Their privacy practices are their own. Review their policies.

18) Changes to This Policy

We may update this policy. Material changes will be posted with a new effective date. We will notify clients by email where appropriate.

19) Contact

Email: contact@simplifyai.solutions
Mail: simplifyAi LLC, 376 Hale St, Beverly, MA, 01915 USA
Data Requests: include: your name, contact info, relationship to us, and the systems you believe hold your data.

Short Form Summary (Non‑contractual)

We collect only what we need to run your automations and business relationship.
We don’t sell your personal information.
We use reputable vendors under contract and security controls.
You’re in control—ask for a copy, fix, or delete where allowed by law.
Recording/SMS/AI features are consent‑based and configurable.
Default retention: 90–180 days for project data after end of engagement; longer for invoices by law.

Need a signed DPA or BAA? Email contact@simplifyai.solutions and we’ll provide our standard agreement and sub‑processor list.