Privacy Policy

From business owners (you): name, email, phone, business name and type, hours, languages, services and pricing, optional team member names + schedules, and your billing details (handled by Stripe — we never see your card number).

From callers to your AI: phone number, anything they say during the call (transcribed to text), the time of the call, and any details they share to book or message you (name, address, appointment reason).

Automatic: minimal server logs (IP, timestamp, route, response code) for debugging and security; cookies described below.

• Answer calls and book appointments on your behalf — the core function of the Service.
• Show you a dashboard of what the AI did (transcripts, bookings, messages).
• Send you operational notifications (failed payment, etc.).
• Detect and stop abuse (rate limiting, fraud, prompt injection attempts).

We do not sell your data. We do not use your call data or transcripts to train AI models that other customers benefit from.

• Anthropic— we send conversation context to Claude to generate responses. Anthropic’s data policy applies; they do not retain enterprise API content beyond 30 days unless we opt in for abuse monitoring (we have not).
• ElevenLabs — we send response text to ElevenLabs to generate spoken audio. Audio is streamed and not retained.
• Twilio (when telephony is wired) — provides the phone line and routes audio to/from your AI.
• Stripe — handles all subscription payments. We never see or store full card numbers.
• Fly.io — hosting (iad-region machines, edge-cached static assets, SQLite for owner-dashboard data).
• Resend — transactional email (booking summaries, daily digests, payment-failure notices).
• Sentry — anonymized client + server error monitoring so we catch issues before customers report them.

Your AI is required to disclose that it is an AI and that the call may be recorded, on every call, before collecting any information. This satisfies California SB 1001 and the EU AI Act transparency rules.

By providing your mobile phone number during onboarding, you consent to receive transactional text messages from RingDispatch — typically booking confirmations from your AI receptionist, urgent caller alerts sent to you as the business owner, payment-failure notices, and other account notifications. Message frequency varies with your call volume (typically a few messages per business day at normal usage).

Mobile information we collect: your phone number, the time you opted in, opt-out status, and message delivery receipts. We share this information with Twilio (our SMS carrier) solely to deliver the messages. We do not sell mobile information and we do not share mobile information with third parties or affiliates for marketing or promotional purposes. Mobile opt-in data is not shared with third parties for any purpose other than message delivery.

Reply STOP to any text to opt out of all messages. Reply HELP for help. Message and data rates may apply — check with your carrier. Carriers are not liable for delayed or undelivered messages.

We set two cookies: phoneai_owner (a signed session token, HttpOnly, expires after 30 days) and phoneai_owner_locale (your dashboard language, no expiry). Both are first-party. No third-party advertising cookies.

If you are an owner, you can export or delete your data from Settings. If you are a caller and want your data redacted from a business’s records, ask the business owner — they can erase your phone number, name, and transcript via their dashboard. We respect “right to be forgotten” requests (irreversible PII redaction; booking row stays for accounting).

Active booking data is retained as long as the owner’s account is active. Cancelled bookings are soft-deleted after 90 days and hard-deleted after 18 months. Transcripts follow the booking they belong to. Server logs are kept 30 days.

Data is encrypted in transit (TLS). Owner sessions are cryptographically signed. Webhook signatures from Stripe and Twilio are verified before processing. We rate-limit destructive endpoints. The dashboard, every API route, and every state-changing action are protected by an owner-session cookie that’s constant-time compared on every request.

Data is processed in the United States. EU/UK customers consent to international transfer when they sign up. We use Standard Contractual Clauses where required.

We’ll update the date above when this policy changes. Material changes will be emailed to active customers.