Privacy Policy

Working draft · 2026
This is our current working draft, provided for transparency. Final terms are subject to legal review. Questions? hello@locksmithtalk.ai

DRAFT — generated starting point, NOT legal advice. Must be reviewed and finalized by qualified counsel before use. Reflects the planning corpus as of 2026-06; verify all statutory references.


> How to use this draft. This is a counsel-ready *skeleton* generated from the LocksmithTalk planning corpus (docs/reference/compliance-and-legal.md §4–§6, retention schedule §5, subprocessor list §6.2). Complete every [PLACEHOLDER] and resolve every [COUNSEL] flag with a licensed attorney before publishing. The retention periods below are engineering defaults proposed in the corpus, not legal determinations — confirm with counsel.

Effective date: [PLACEHOLDER — date]

Last updated: 2026-06-30 (draft)

Controller / operator: [PLACEHOLDER — legal entity name] ("LocksmithTalk," "we," "us").

This Privacy Policy explains how we collect, use, disclose, and protect personal information when you and your callers use the LocksmithTalk platform and services (the "Services"). It covers both our **business customers (locksmith businesses and agencies)** and the **end customers / callers** whose calls and messages are handled by the Services.

> Roles. For most personal data of callers/end customers, LocksmithTalk acts as a **processor / service provider** on behalf of our business customer (the locksmith business, the "Customer"), who is the controller. For our own business-account and billing data, and for security/fraud-prevention purposes, we act as a controller. For agency-managed companies, the agency may be a controller of its managed companies' data. See the Data Processing Addendum (the "DPA") for the processor terms. *(See compliance-and-legal.md §6.1.)*

> US-only at launch. The Services are offered to US business customers only at launch. We still honor the rights of any EU/UK data subject whose data we process (e.g., an EU caller who reaches a US Customer). EU data residency and international onboarding are not offered at launch. *(See compliance-and-legal.md §1.)*


1. Information We Collect

1.1 Call data (callers / end customers)

  • Call recordings (audio) and transcripts of inbound calls handled by the AI agent.
  • Caller identifiers: phone number (ANI) and, where available, caller-ID enrichment — CNAM caller name, line type, carrier, and spam/fraud risk signals obtained via a telephony lookup (name enrichment is performed for US callers only). *(See compliance-and-legal.md §5, caller-ID enrichment row.)*
  • Customer information captured by the agent during a call: name, callback number, service address/location, and the nature of the job/request, as needed to qualify and dispatch.
  • Consent and disclosure records: that the AI-identity disclosure and recording-consent notice played and that consent was given, with timestamps.

1.2 Lead and dispatch data

  • Lead-source data (e.g., Google Local Services message leads where you connect that source) and the resulting job ticket, dispatch, technician assignment, and ETA records.
  • Notification/delivery records for messages sent to your technicians and ETA messages sent to your customers.

1.3 Business-customer account data

  • Account and contact details: business name, account owner/user names, emails, phone numbers, roles.
  • Business configuration: your website content used to build your agent's knowledge base, service area, hours, and settings.
  • Billing data: plan, subscription status, wallet ledger entries (integer cents), invoices, and payment-method metadata (card data is handled by our payment processor; we do not store full card numbers).

1.4 Technical and usage data

  • Device/app and log data: IP address, device identifiers, app/browser type, pages/actions, and timestamps, used for security, fraud prevention, and product analytics (PII-minimized in telemetry).

1.5 Data you provide for support and growth

  • Support communications and, where applicable, referral/share-link attribution data.

2. How We Use Information (Purposes)

We use personal information to:

  • Provide the Services — answer and record calls, qualify and classify them, create tickets, dispatch technicians, confirm ETAs, and surface call records and summaries to you;
  • Process leads you connect (e.g., reply to Google LSA message leads);
  • Operate billing — subscriptions, the prepaid wallet, metered usage, and invoices;
  • Secure the Services and prevent fraud/abuse — including the anti-phishing rule (the agent never reads a code back to a caller) and spam/scam-call filtering;
  • Provide support and communicate about your account and the Services;
  • Improve the Services using de-identified/aggregated data;
  • Comply with legal obligations and enforce our terms.

We do not use the AI agent's calls to make sales/marketing decisions about callers beyond delivering the Service, and we do not sell personal information (see §6).


3. Legal Bases (where applicable)

Where required (e.g., for EU/UK data subjects), we rely on the following legal bases: consent (recording, per the in-call consent notice); performance of a contract / provision of the Service (delivering call handling and dispatch on the Customer's instructions); legitimate interests (security, fraud prevention, anti-phishing, service improvement); and legal obligation (record-keeping, tax, and compliance). For caller data processed on a Customer's behalf, the Customer determines the applicable legal basis as controller; we process on the Customer's documented instructions per the DPA. [COUNSEL — confirm legal-basis mapping.]


4. Recording Disclosure and Consent

The Services record and transcribe calls. A system-enforced disclosure informs the caller that they are interacting with an automated AI assistant and that the call is recorded, and the Services apply an **all-party (two-party) consent-safe** approach on every call regardless of the caller's state. Continuing the call after the disclosure is treated as consent to recording, as described in our in-call notice. We retain the consent record even after the recording itself is deleted, to evidence lawful recording. *(See compliance-and-legal.md §3–§4.)*

[COUNSEL — confirm consent model (implied-by-continuation vs. affirmative) for strict all-party states.]


5. Retention and Deletion Schedule

We retain personal information only as long as necessary for the purposes above and as required by law. The periods below are proposed defaults from our planning corpus and are subject to counsel review; actual periods may be set per Customer configuration and applicable law. *(Mirrors compliance-and-legal.md §5.)*

| Data class | Proposed retention (default — verify with counsel) | Deletion mechanism |
|---|---|---|
| Call recordings (audio) | ~90 days default, Customer-configurable (shorter is safer) | Purged from object storage on deletion request or expiry; storage pointer nulled; a deletion guard drops any late-arriving audio (the "M3" tombstone in the corpus). |
| Transcripts (text) | Same as recordings (~90 days default) | Same deletion cascade; a late-arriving transcript is dropped by the tombstone. |
| Job ticket (non-PII fields) | Business-record retention (~2–7 years, verify) | On erasure, PII fields are scrubbed/pseudonymized; the non-identifying ticket shell (amount, timestamps, status) may be retained. |
| Customer/caller PII (name, phone, address) | Tied to ticket lifecycle; erased on request | Deleted/scrubbed across contact/customer/job records and propagated to service providers. |
| Caller-ID enrichment (CNAM/line type/carrier/risk) | Same window as the call log; erased on request | Deleted/scrubbed with the call record; enrichment cache aged out. Purpose-limited to call handling and fraud/spam scoring; not sold or shared. |
| Wallet ledger entries | Permanent (append-only, immutable) | Not deleted on erasure (financial-record / legal-obligation exemption); references are pseudonymous, not raw PII. |
| Audit logs | Permanent (append-only, tamper-evident) | Not deleted on erasure (security/fraud and legal-obligation exemptions); PII minimized at write time. |
| Lead data (e.g., Google LSA) | Per ticket lifecycle plus provider data policy | Deleted/scrubbed in the deletion cascade. |
| Notification/delivery records | Short, operational (~30–90 days) | Aged out by a retention job; PII-bearing fields scrubbed on erasure. |
| Consent records (disclosure/consent + timestamps) | Retained for at least the limitations window (propose ≥ 2 years, verify) | Retained even after recording deletion, stored separately, to prove lawful recording. |

Immutability vs. erasure. To honor an erasure request without breaking financial/audit integrity, we delete or scrub the personal data (recordings, transcripts, contact identifiers, customer fields) and retain only the non-identifying financial/audit skeleton (amounts, timestamps, event types, tenant id) where the law permits (e.g., financial-record, fraud/security, and legal-obligation exemptions). A legal hold for litigation or regulatory inquiry overrides erasure until the hold is lifted. *(See compliance-and-legal.md §5.)* [COUNSEL — confirm periods and the specific exemptions relied upon.]


6. How We Share Information; Subprocessors; No Sale

6.1 We do not sell personal information and do not "share" it for cross-context behavioral advertising, as those terms are defined under California law. [COUNSEL — confirm.]

6.2 With your business (Customer). Caller data is made available to the Customer (the locksmith business) whose line received the call and, for agency-managed companies, to the managing agency under its ownership relationship.

6.3 Service providers (subprocessors). We share personal information with vendors that help us provide the Services, under contracts that restrict their use of the data. Current subprocessors *(from compliance-and-legal.md §6.2)*:

| Subprocessor | Purpose | Data involved |
|---|---|---|
| ElevenLabs | AI voice / agent brain | Live call audio + transcript |
| Telnyx / Twilio | Telephony (PSTN, SMS) | Call metadata, audio, SMS, number lookup |
| Meta (WhatsApp Cloud API) | WhatsApp messaging channel | Dispatch/notification messages |
| Telegram (Bot API) | Telegram messaging channel | Dispatch/notification messages |
| Postmark | Transactional email | Notification/ETA emails |
| Supabase (Postgres / Storage) | Primary database + storage | All tenant data |
| Cloudflare (R2, WAF, CDN, Turnstile) | Edge, storage, security | Recordings (R2), traffic metadata |
| Stripe (+ Connect) | Billing / payments | Billing PII; card data handled by Stripe (PCI) |
| Google (Ads / Local Services API) | Lead source | LSA lead data |
| Upstash (Redis) | Cache / counters / rate limits | Ephemeral counters (minimal PII) |
| Inngest | Durable workflows / timers | Job/event metadata |
| Expo | Mobile push notifications | Device push tokens, notification payloads |
| Sentry | Error monitoring | Telemetry (PII-redacted) |
| PostHog | Product analytics | Telemetry (PII-redacted) |
| Vercel | Web application hosting (Next.js) | App traffic metadata |
| Retell / Vapi | Fallback AI voice providers (engaged only on failover) | Live call audio + transcript (when active) |
| Google Maps Platform | Geocoding / ETA routing | Service addresses (no caller identity) |

A current subprocessor list is also maintained on our [PLACEHOLDER — Trust Center / subprocessor page], and we provide notice of material changes as required by the DPA. [COUNSEL/OPS — keep this list synchronized with the DPA and Trust Center as the single source of truth.]

6.4 Legal and safety. We may disclose information to comply with law, respond to lawful requests, enforce our terms, or protect rights, safety, and security.

6.5 Business transfers. Information may be transferred in connection with a merger, acquisition, or sale of assets, subject to this Policy.


7. Your Privacy Rights

7.1 California (CCPA/CPRA) and other US state rights

Depending on your state, you may have the right to know/access, delete, and correct personal information, to opt out of the sale or sharing of personal information, and to non-discrimination for exercising those rights. **We do not sell or share personal information** as defined under California law. We offer at least two methods to submit requests, will confirm receipt within 10 business days, and will respond within 45 calendar days (extendable as the law allows). [COUNSEL — confirm methods, verification, and authorized-agent handling.]

7.2 GDPR/UK GDPR (EU/UK data subjects)

Where applicable, you may have the right to access (Art. 15), erasure (Art. 17, the "right to be forgotten"), rectification, restriction, objection, and data portability. We honor erasure without undue delay, subject to lawful exemptions (e.g., financial-record retention, defense of legal claims). For data we process on a Customer's behalf, we will refer the request to the relevant Customer (controller), or assist the Customer in responding, per the DPA.

7.3 The deletion / offboarding mechanism

On a valid deletion request (or account offboarding), we run a deletion cascade that purges recordings and transcripts from storage (including a tombstone guard that drops late-arriving audio so personal data cannot reappear), scrubs caller/customer PII, and propagates deletion to service providers, while retaining the non-identifying financial/audit skeleton as permitted by law (§5). *(See compliance-and-legal.md §5.)*
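An added illustration, not code from the LocksmithTalk corpus, of the cascade that §5 ("Immutability vs. erasure") and §7.3 describe: erasure purges the recording object, nulls the storage pointer, scrubs the caller fields, queues deletion at the service providers, and writes a tombstone so that an audio chunk arriving after the request is dropped rather than stored; the separately stored consent record and the append-only ledger survive, with the ledger referencing the caller only through a keyed pseudonym, and a legal hold blocks erasure outright. Everything below is an in-memory model over constructed sample data; the class and field names, the `TENANT_PEPPER` value, and the `recordings/<id>.wav` key layout are assumptions, not the platform's schema.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Assumption: a per-tenant pepper normally held in the secrets vault; hypothetical value here.
TENANT_PEPPER = b"hypothetical-pepper-do-not-use"


def pseudonym(tenant_id: str, phone: str) -> str:
    """Keyed hash so ledger rows reference a caller without carrying the phone number."""
    return hmac.new(TENANT_PEPPER, f"{tenant_id}:{phone}".encode(), hashlib.sha256).hexdigest()[:16]


@dataclass
class CallRecord:
    call_id: str
    tenant_id: str
    caller_phone: Optional[str]
    caller_name: Optional[str]
    service_address: Optional[str]
    recording_key: Optional[str] = None  # pointer into object storage
    transcript: Optional[str] = None


@dataclass(frozen=True)
class ConsentRecord:  # stored apart from the call so it survives erasure
    call_id: str
    disclosure_played_at: str
    consent_given_at: str


@dataclass(frozen=True)
class LedgerEntry:  # append-only financial skeleton: pseudonymous ref, never raw PII
    tenant_id: str
    caller_ref: str
    amount_cents: int
    event_type: str
    ts: str


class DataStore:
    """In-memory stand-in for object storage, the database tables and the provider-deletion queue."""

    def __init__(self) -> None:
        self.objects: dict[str, bytes] = {}
        self.calls: dict[str, CallRecord] = {}
        self.consents: dict[str, ConsentRecord] = {}
        self.ledger: list[LedgerEntry] = []  # no delete method exists, on purpose
        self.tombstones: set[str] = set()
        self.legal_holds: set[str] = set()
        self.provider_deletions: list[str] = []  # call IDs queued for subprocessor deletion

    def ingest_audio(self, call_id: str, audio: bytes) -> bool:
        """Store audio for a call; a tombstoned call drops the audio and returns False."""
        if call_id in self.tombstones:
            return False
        key = f"recordings/{call_id}.wav"
        self.objects[key] = audio
        self.calls[call_id].recording_key = key
        return True

    def charge(self, call_id: str, amount_cents: int, ts: str) -> None:
        call = self.calls[call_id]
        ref = pseudonym(call.tenant_id, call.caller_phone or "")
        self.ledger.append(LedgerEntry(call.tenant_id, ref, amount_cents, "call_charge", ts))

    def erase_call(self, call_id: str) -> bool:
        """Erasure cascade. Returns False and changes nothing while a legal hold applies."""
        if call_id in self.legal_holds:
            return False
        call = self.calls[call_id]
        self.tombstones.add(call_id)  # set the guard first so a racing late write cannot win
        if call.recording_key is not None:
            self.objects.pop(call.recording_key, None)
            call.recording_key = None  # null the pointer as well as purging the object
        call.transcript = None
        call.caller_phone = call.caller_name = call.service_address = None
        self.provider_deletions.append(call_id)
        return True  # consent record and ledger rows are intentionally untouched

    def raw_pii_present(self, phone: str) -> bool:
        """Post-erasure verification: does the raw phone number survive anywhere in the store?"""
        if any(phone.encode() in blob for blob in self.objects.values()):
            return True
        for c in self.calls.values():
            if c.caller_phone == phone or phone in (c.transcript or ""):
                return True
        return any(phone in e.caller_ref for e in self.ledger)


def run_scenario() -> DataStore:
    """Constructed sample: one call erased, one call under legal hold."""
    s = DataStore()
    phone = "+15550100123"
    s.calls["c1"] = CallRecord("c1", "t1", phone, "Pat Example", "1 Main St")
    s.consents["c1"] = ConsentRecord("c1", "2026-06-01T10:00:00Z", "2026-06-01T10:00:04Z")
    s.ingest_audio("c1", b"RIFF" + phone.encode())  # constructed blob that carries the number
    s.calls["c1"].transcript = f"Caller at {phone} is locked out"
    s.charge("c1", 250, "2026-06-01T10:05:00Z")
    s.erase_call("c1")
    s.ingest_audio("c1", b"late chunk")  # arrives after erasure; dropped by the tombstone
    s.calls["c2"] = CallRecord("c2", "t1", "+15550100999", "Held Caller", None)
    s.legal_holds.add("c2")
    s.erase_call("c2")  # refused while the hold stands
    return s
```

`run_scenario()` exercises the path end to end. The check worth carrying into a real system is `raw_pii_present()`: after an erasure, scan object storage, the call rows and the ledger for the raw identifier and fail the request if it is still found. Setting the tombstone before the purge matters because the telephony provider can deliver a final audio segment after the erasure request has already been accepted.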

7.4 How to exercise rights

Submit a request via [PLACEHOLDER — request methods: email, in-app form, web form, toll-free number]. If you are an end customer/caller, you may also contact the locksmith business that handled your call (the controller). We will verify your identity before acting. [COUNSEL]


8. Security

We maintain administrative, technical, and organizational measures to protect personal information, including tenant data isolation (row-level security), encryption in transit and at rest, vault-held secrets, and access controls and monitoring. No method of transmission or storage is fully secure; we cannot guarantee absolute security. *(See security-threat-model.md; compliance-and-legal.md §7.)* In the event of a personal data breach, we will notify affected parties as required by law and by the DPA.


9. International Data Transfers

We operate the Services for US Customers and process data in the United States. Where we process data of EU/UK data subjects, any cross-border transfer is made under an appropriate transfer mechanism (e.g., Standard Contractual Clauses), as set out in the DPA. [COUNSEL — confirm transfer mechanism per subprocessor; compliance-and-legal.md §6.2.]


10. Children

The Services are for business use and are not directed to children, and we do not knowingly collect personal information from children. [COUNSEL — confirm minors edge cases.]


11. Changes to This Policy

We may update this Policy. We will post the updated version with a new "Last updated" date and, for material changes, provide additional notice as required by law.


12. Contact Us

For privacy questions or to exercise your rights:

[PLACEHOLDER — privacy contact email]

[PLACEHOLDER — mailing address]

[PLACEHOLDER — EU/UK representative or DPO, if applicable]


*DRAFT — generated from the LocksmithTalk planning corpus as a starting point for counsel. NOT legal advice. Complete all [PLACEHOLDER] items and resolve all [COUNSEL] flags before publishing. Retention periods are engineering defaults to be confirmed by counsel. Keep the subprocessor list synchronized with the DPA and the Trust Center. Cross-references: docs/reference/compliance-and-legal.md (§4 consent, §5 retention, §6 subprocessors/roles), docs/legal/data-processing-addendum.md, docs/legal/terms-of-service.md.*