Privacy Policy
DRAFT — generated starting point, NOT legal advice. Must be reviewed and finalized by qualified counsel before use. Reflects the planning corpus as of 2026-06; verify all statutory references.
> How to use this draft. This is a counsel-ready *skeleton* generated from the LocksmithTalk planning corpus
> (docs/reference/compliance-and-legal.md §4–§6, retention schedule §5, subprocessor list §6.2). Complete every
> [PLACEHOLDER] and resolve every [COUNSEL] flag with a licensed attorney before publishing. The retention
> periods below are engineering defaults proposed in the corpus, not legal determinations — confirm with
> counsel.
Effective date: [PLACEHOLDER — date]
Last updated: 2026-06-30 (draft)
Controller / operator: [PLACEHOLDER — legal entity name] ("LocksmithTalk," "we," "us").
This Privacy Policy explains how we collect, use, disclose, and protect personal information when you and your
callers use the LocksmithTalk platform and services (the "Services"). It covers both our **business
customers (locksmith businesses and agencies) and the end customers / callers** whose calls and messages are
handled by the Services.
> Roles. For most personal data of callers/end customers, LocksmithTalk acts as a **processor / service
> provider on behalf of our business customer (the locksmith business, the "Customer")**, who is the
> controller. For our own business-account and billing data, and for security/fraud-prevention purposes, we
> act as a controller. For agency-managed companies, the agency may be a controller of its managed companies'
> data. See the Data Processing Addendum for the processor terms. *(See
> compliance-and-legal.md §6.1.)*
> US-only at launch. The Services are offered to US business customers only at launch. We still honor the
> rights of any EU/UK data subject whose data we process (e.g., an EU caller who reaches a US Customer). EU
> data-residency and international onboarding are not offered at launch. *(See compliance-and-legal.md §1.)*
1. Information We Collect
1.1 Call data (callers / end customers)
- Call recordings (audio) and transcripts of inbound calls handled by the AI agent.
- Caller identifiers: phone number (ANI), and, where available, caller-ID enrichment — CNAM caller name,
line type, carrier, and spam/fraud risk signals obtained via a telephony lookup (US callers only for
name-enrichment). *(See compliance-and-legal.md §5, caller-ID enrichment row.)*
- Customer information captured by the agent during a call: name, callback number, service address/location,
and the nature of the job/request, as needed to qualify and dispatch.
- Consent and disclosure records: that the AI-identity disclosure and recording-consent notice played and
that consent was given, with timestamps.
1.2 Lead and dispatch data
- Lead-source data (e.g., Google Local Services message leads where you connect that source) and the resulting
job ticket, dispatch, technician assignment, and ETA records.
- Notification/delivery records for messages sent to your technicians and ETA messages to your customers.
1.3 Business-customer account data
- Account and contact details: business name, account owner/user names, emails, phone numbers, roles.
- Business configuration: your website content used to build your agent's knowledge base, service area, hours,
and settings.
- Billing data: plan, subscription status, wallet ledger entries (integer cents), invoices, and payment-method
metadata (card data is handled by our payment processor; we do not store full card numbers).
1.4 Technical and usage data
- Device/app and log data: IP address, device identifiers, app/browser type, pages/actions, and timestamps,
for security, fraud-prevention, and product analytics (PII-minimized in telemetry).
1.5 Data you provide for support and growth
- Support communications and, where applicable, referral/share-link attribution data.
2. How We Use Information (Purposes)
We use personal information to:
- Provide the Services — answer and record calls, qualify and classify them, create tickets, dispatch
technicians, confirm ETAs, and surface call records and summaries to you;
- Process leads you connect (e.g., reply to Google LSA message leads);
- Operate billing — subscriptions, the prepaid wallet, metered usage, and invoices;
- Secure the Services and prevent fraud/abuse — including the anti-phishing rule (the agent never reads back a
code) and spam/scam-call filtering;
- Provide support and communicate about your account and the Services;
- Improve the Services using de-identified/aggregated data;
- Comply with legal obligations and enforce our terms.
We do not use the AI agent's calls to make sales/marketing decisions about callers beyond delivering the
Service, and we do not sell personal information (see §6).
3. Legal Bases (where applicable)
Where required (e.g., for EU/UK data subjects), we rely on the following legal bases: consent (recording, per
the in-call consent notice); performance of a contract / provision of the Service (delivering call handling
and dispatch, on the Customer's instructions); legitimate interests (security, fraud prevention, anti-phishing,
service improvement); and legal obligation (record-keeping, tax, and compliance). For caller data processed on
a Customer's behalf, the Customer determines the applicable legal basis as controller; we process on the
Customer's documented instructions per the DPA. [COUNSEL — confirm legal-basis mapping.]
4. Recording Disclosure and Consent
The Services record and transcribe calls. A system-enforced disclosure informs the caller that they are
interacting with an automated AI assistant and that the call is recorded, and the Services apply an **all-party
(two-party) consent-safe** approach on every call regardless of the caller's state. Continuing the call after the
disclosure is treated as consent to recording, as described in our in-call notice. We retain the consent record
even after the recording itself is deleted, to evidence lawful recording. *(See compliance-and-legal.md §3–§4.)*
[COUNSEL — confirm consent model (implied-by-continuation vs. affirmative) for strict all-party states.]
5. Retention and Deletion Schedule
We retain personal information only as long as necessary for the purposes above and as required by law. The
periods below are proposed defaults from our planning corpus and are subject to counsel review; actual periods
may be set per Customer configuration and applicable law. *(Mirrors compliance-and-legal.md §5.)*
| Data class | Proposed retention (default — verify with counsel) | Deletion mechanism |
|---|---|---|
| Call recordings (audio) | ~90 days default, Customer-configurable (shorter is safer) | Purged from object storage on deletion request or expiry; storage pointer nulled; a deletion guard drops any late-arriving audio (M3 tombstone). |
| Transcripts (text) | Same as recordings (~90 days default) | Same deletion cascade; late transcript dropped by the tombstone. |
| Job ticket (non-PII fields) | Business-record retention (~2–7 years, verify) | On erasure, PII fields are scrubbed/pseudonymized; the non-identifying ticket shell (amount, timestamps, status) may be retained. |
| Customer/caller PII (name, phone, address) | Tied to ticket lifecycle; erased on request | Deleted/scrubbed across contact/customer/job records and propagated to service providers. |
| Caller-ID enrichment (CNAM/line-type/carrier/risk) | Same window as the call log; erased on request | Deleted/scrubbed with the call record; enrichment cache aged out. Purpose-limited to call handling + fraud/spam scoring; not sold/shared. |
| Wallet ledger entries | Permanent (append-only, immutable) | Not deleted on erasure (financial-record / legal-obligation exemption); references are pseudonymous, not raw PII. |
| Audit logs | Permanent (append-only, tamper-evident) | Not deleted on erasure (security/fraud + legal-obligation exemption); PII minimized at write-time. |
| Lead data (e.g., Google LSA) | Per ticket lifecycle + provider data policy | Deleted/scrubbed in the deletion cascade. |
| Notification/delivery records | Short, operational (~30–90 days) | Aged out by a retention job; PII-bearing fields scrubbed on erasure. |
| Consent records (disclosure/consent + timestamps) | Retained ≥ limitations window (propose ≥ 2 years, verify) | Retained even after recording deletion, stored separately, to prove lawful recording. |
Immutability vs. erasure. To honor an erasure request without breaking financial/audit integrity, we delete or
scrub the personal data (recordings, transcripts, contact identifiers, customer fields) and retain only the
non-identifying financial/audit skeleton (amounts, timestamps, event types, tenant id) where the law permits
(e.g., financial-record, fraud/security, and legal-obligation exemptions). A legal hold for litigation or
regulatory inquiry overrides erasure until the hold is lifted. *(See compliance-and-legal.md §5.)* [COUNSEL —
confirm periods and the specific exemptions relied upon.]
6. How We Share Information; Subprocessors; No Sale
6.1 We do not sell personal information and do not "share" it for cross-context behavioral advertising as
those terms are defined under California law. [COUNSEL — confirm.]
6.2 With your business (Customer). Caller data is made available to the Customer (the locksmith business) whose
line received the call and, for agency-managed companies, to the managing agency under its ownership relationship
with that company.
6.3 Service providers (subprocessors). We share personal information with vendors that help us provide the
Services, under contracts that restrict their use of the data. Current subprocessors *(from
compliance-and-legal.md §6.2)*:
| Subprocessor | Purpose | Data involved |
|---|---|---|
| ElevenLabs | AI voice / agent brain | Live call audio + transcript |
| Telnyx / Twilio | Telephony (PSTN, SMS) | Call metadata, audio, SMS, number lookup |
| Meta (WhatsApp Cloud API) | WhatsApp messaging channel | Dispatch/notification messages |
| Telegram (Bot API) | Telegram messaging channel | Dispatch/notification messages |
| Postmark | Transactional email | Notification/ETA emails |
| Supabase (Postgres / Storage) | Primary database + storage | All tenant data |
| Cloudflare (R2, WAF, CDN, Turnstile) | Edge, storage, security | Recordings (R2), traffic metadata |
| Stripe (+ Connect) | Billing / payments | Billing PII; card data handled by Stripe (PCI) |
| Google (Ads / Local Services API) | Lead source | LSA lead data |
| Upstash (Redis) | Cache / counters / rate limits | Ephemeral counters (minimal PII) |
| Inngest | Durable workflows / timers | Job/event metadata |
| Expo | Mobile push notifications | Device push tokens, notification payloads |
| Sentry | Error monitoring | Telemetry (PII-redacted) |
| PostHog | Product analytics | Telemetry (PII-redacted) |
| Vercel | Web application hosting (Next.js) | App traffic metadata |
| Retell / Vapi | Fallback AI voice providers (engaged only on failover) | Live call audio + transcript (when active) |
| Google Maps Platform | Geocoding / ETA routing | Service addresses (no caller identity) |
A current subprocessor list is also maintained on our [PLACEHOLDER — Trust Center / subprocessor page], and we
provide notice of material changes as required by the DPA. [COUNSEL/OPS — keep this list synchronized with the DPA
and Trust Center as the single source of truth.]
6.4 Legal and safety. We may disclose information to comply with law, respond to lawful requests, enforce our
terms, or protect rights, safety, and security.
6.5 Business transfers. Information may be transferred in connection with a merger, acquisition, or sale of
assets, subject to this Policy.
7. Your Privacy Rights
7.1 California (CCPA/CPRA) and other US state rights
Depending on your state, you may have the right to know/access, delete, correct, and **opt out of
sale/sharing of personal information**, and to non-discrimination for exercising rights. **We do not sell or
share personal information** as defined under California law. We offer at least two methods to submit requests, will
confirm receipt within 10 business days, and will respond within 45 calendar days (extendable as the law
allows). [COUNSEL — confirm methods, verification, and authorized-agent handling.]
7.2 GDPR/UK GDPR (EU/UK data subjects)
Where applicable, you may have the right to access (Art. 15), erasure (Art. 17, "right to be forgotten"),
rectification, restriction, objection, and data portability. We honor erasure without undue delay,
subject to lawful exemptions (e.g., financial-record retention, defense of legal claims). For data we process on a
Customer's behalf, we will refer the request to the relevant Customer (the controller) and assist it in responding,
per the DPA.
7.3 The deletion / offboarding mechanism
On a valid deletion request (or account offboarding), we run a deletion cascade that purges recordings and
transcripts from storage (including a tombstone guard that drops late-arriving audio so personal data cannot
re-appear), scrubs caller/customer PII, and propagates deletion to service providers, while retaining the
non-identifying financial/audit skeleton as permitted by law (§5). *(See compliance-and-legal.md §5.)*
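What the cascade in §5 and this section looks like in code, as an added illustration that is not LocksmithTalk's implementation: an in-memory TypeScript model in which erasure writes a tombstone before purging, a recording callback that arrives after erasure is dropped on that tombstone, caller/customer PII fields are scrubbed while the append-only ledger, the non-identifying ticket shell and the consent record stay, and a legal hold blocks erasure. The store layout, field names, the `tombstones` and `legalHolds` sets, the `EraseReport` shape and the sample data are all assumptions made for this example.

```typescript
// Added example, not LocksmithTalk code: an in-memory model of the erasure
// cascade described in the retention schedule and in this section. Store layout,
// field names, the tombstone set and the report shape are all assumptions.

type CallRecord = {
  id: string;
  callerPhone: string | null;  // ANI; nulled on erasure
  cnam: string | null;         // caller-ID enrichment; scrubbed with the call
  recordingKey: string | null; // object-storage pointer; nulled on erasure
  transcript: string | null;
};
type Ticket = {
  id: string; callId: string;
  customerName: string | null; customerPhone: string | null; serviceAddress: string | null;
  amountCents: number; status: string; createdAt: string; // non-identifying shell: kept
};
type LedgerEntry = { id: string; ticketRef: string; amountCents: number; at: string };
type ConsentRecord = { callId: string; disclosurePlayedAt: string; consentedAt: string };
type EraseReport = {
  erased: boolean; reason?: string; callsTombstoned: number; ticketsScrubbed: number;
  ledgerEntriesRetained: number; consentRecordsRetained: number;
};

class TenantStore {
  calls = new Map<string, CallRecord>();
  tickets = new Map<string, Ticket>();
  ledger: LedgerEntry[] = [];      // append-only; never touched by erasure
  consents: ConsentRecord[] = [];  // stored apart from the recordings they evidence
  objectStorage = new Map<string, Uint8Array>();
  tombstones = new Set<string>();  // call ids whose media must never land again
  legalHolds = new Set<string>();  // caller phones under litigation/regulatory hold

  // Media ingest. A provider callback that completes after erasure hits the
  // tombstone and is dropped, so purged personal data cannot re-appear.
  ingestRecording(callId: string, key: string, audio: Uint8Array): boolean {
    const call = this.calls.get(callId);
    if (!call || this.tombstones.has(callId)) return false;
    this.objectStorage.set(key, audio);
    call.recordingKey = key;
    return true;
  }
  ingestTranscript(callId: string, text: string): boolean {
    const call = this.calls.get(callId);
    if (!call || this.tombstones.has(callId)) return false;
    call.transcript = text;
    return true;
  }

  // Erasure cascade for one caller: purge media and contact identifiers,
  // keep the ledger, the non-identifying ticket shell and the consent record.
  erase(callerPhone: string): EraseReport {
    const report: EraseReport = {
      erased: false, callsTombstoned: 0, ticketsScrubbed: 0,
      ledgerEntriesRetained: this.ledger.length,
      consentRecordsRetained: this.consents.length,
    };
    if (this.legalHolds.has(callerPhone)) return { ...report, reason: "legal hold" };
    const affected = new Set<string>();
    this.calls.forEach((call) => {
      if (call.callerPhone !== callerPhone) return;
      affected.add(call.id);
      this.tombstones.add(call.id);            // written before the purge
      if (call.recordingKey) this.objectStorage.delete(call.recordingKey);
      call.recordingKey = null;                // storage pointer nulled
      call.transcript = null;
      call.cnam = null;
      call.callerPhone = null;
      report.callsTombstoned++;
    });
    this.tickets.forEach((t) => {
      if (!affected.has(t.callId) && t.customerPhone !== callerPhone) return;
      t.customerName = null;
      t.customerPhone = null;
      t.serviceAddress = null;                 // amount, status, timestamps stay
      report.ticketsScrubbed++;
    });
    report.erased = true;
    return report;
  }
}

// Constructed sample tenant data (not real callers) to exercise the cascade.
function buildSampleStore(): TenantStore {
  const s = new TenantStore();
  s.calls.set("call-1", { id: "call-1", callerPhone: "+15550100001", cnam: "J DOE",
    recordingKey: null, transcript: null });
  s.calls.set("call-2", { id: "call-2", callerPhone: "+15550100002", cnam: "A ROE",
    recordingKey: null, transcript: null });
  s.ingestRecording("call-1", "rec/call-1.ogg", new Uint8Array([1, 2, 3]));
  s.ingestTranscript("call-1", "Locked out at 12 Main St, please hurry");
  s.ingestRecording("call-2", "rec/call-2.ogg", new Uint8Array([4, 5]));
  s.tickets.set("tkt-1", { id: "tkt-1", callId: "call-1", customerName: "J. Doe",
    customerPhone: "+15550100001", serviceAddress: "12 Main St", amountCents: 18500,
    status: "completed", createdAt: "2026-06-01T10:00:00Z" });
  s.ledger.push({ id: "led-1", ticketRef: "tkt-1", amountCents: 18500, at: "2026-06-01T12:00:00Z" });
  s.consents.push({ callId: "call-1", disclosurePlayedAt: "2026-06-01T09:58:00Z",
    consentedAt: "2026-06-01T09:58:05Z" });
  return s;
}
```

Two points the model makes visible: the tombstone is written before any purge so that a callback racing the erasure cannot slip in between, and the ledger and consent records reference the call and ticket ids rather than the caller's phone or name, which is what lets them survive the scrub without carrying raw PII. In a real deployment the tombstone set must be durable and consulted by every media ingest path (provider webhooks, transcript workers, retries), not only by the primary write path.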
7.4 How to exercise rights
Submit a request via [PLACEHOLDER — request methods: email, in-app form, web form, toll-free number]. If you are an
end customer/caller, you may also contact the locksmith business that handled your call (the controller). We will
verify your identity before acting. [COUNSEL]
8. Security
We maintain administrative, technical, and organizational measures to protect personal information, including
tenant data isolation (row-level security), encryption in transit and at rest, vault-held secrets, and
access controls and monitoring. No method of transmission or storage is fully secure; we cannot guarantee
absolute security. *(See security-threat-model.md; compliance-and-legal.md §7.)* In the event of a personal
data breach, we will notify affected parties as required by law and by the DPA.
9. International Data Transfers
We operate the Services for US Customers and process data in the United States. Where we process data of EU/UK data
subjects, any cross-border transfer is made under an appropriate transfer mechanism (e.g., Standard Contractual
Clauses), as set out in the DPA. [COUNSEL — confirm transfer mechanism per subprocessor;
compliance-and-legal.md §6.2.]
10. Children
The Services are for business use and are not directed to children, and we do not knowingly collect personal
information from children. [COUNSEL — confirm minors edge cases.]
11. Changes to This Policy
We may update this Policy. We will post the updated version with a new "Last updated" date and, for material
changes, provide additional notice as required by law.
12. Contact Us
For privacy questions or to exercise your rights:
[PLACEHOLDER — privacy contact email]
[PLACEHOLDER — mailing address]
[PLACEHOLDER — EU/UK representative or DPO, if applicable]
*DRAFT — generated from the LocksmithTalk planning corpus as a starting point for counsel. NOT legal advice.
Complete all [PLACEHOLDER] items and resolve all [COUNSEL] flags before publishing. Retention periods are
engineering defaults to be confirmed by counsel. Keep the subprocessor list synchronized with the DPA and the
Trust Center. Cross-references: docs/reference/compliance-and-legal.md (§4 consent, §5 retention, §6
subprocessors/roles), docs/legal/data-processing-addendum.md, docs/legal/terms-of-service.md.*