Draft Notice: This privacy policy is a working draft and has not yet been reviewed by legal counsel. It is provided for transparency purposes. Please contact privacy@bookofbusiness.ai with any questions.
Privacy Policy
Effective Date: 2026-02-20 · Version 1.0
1. Introduction
BookOfBusiness.ai Inc. ("we," "us," or "our") operates the BookOfBusiness.ai platform, an AI-powered business management tool for home service contractors. This Privacy Policy describes how we collect, use, share, and protect personal information when you use our services.
By using our platform, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our services.
2. Information We Collect
2.1 Account Information
When you create an account, we collect your name, email address, and organization details through our authentication provider (Clerk).
2.2 Contact & Lead Data
When you or your customers interact with the platform, we may collect:
- Names (first name, last name)
- Email addresses
- Phone numbers
- Mailing addresses (street, city, state, zip code)
- Service requests and descriptions
2.3 Communication Data
When calls, chats, or emails are processed through our platform, we may collect:
- Call recordings and transcripts (voice AI interactions)
- Chat conversation logs
- Email content for draft generation
2.4 Usage & Analytics Data
- Page URLs and referrer information
- Feature usage metrics (calls, messages, searches)
- Browser and device information (via cookies)
2.5 Payment Information
Payment processing is handled by Stripe. We do not store credit card numbers. We retain subscription status and billing identifiers.
3. How We Use Your Information
We use personal information to:
- Provide, maintain, and improve our services
- Process voice calls and generate AI-powered insights
- Score and qualify leads using AI analysis
- Generate business research reports
- Send transactional emails (appointment confirmations, notifications)
- Process payments and manage subscriptions
- Detect and prevent fraud or abuse
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area, we process personal data based on:
- Contract performance: Processing necessary to provide services you have requested
- Legitimate interests: Fraud prevention, security, and platform improvement
- Consent: Marketing communications and optional analytics cookies
- Legal obligation: Tax and financial reporting requirements
5. Third-Party Service Providers
We share personal data with the following categories of service providers to operate our platform:
| Provider | Purpose | Data Shared |
|---|---|---|
| Clerk | Authentication and user management | Email, name, user ID |
| Stripe | Payment processing and billing | Email, subscription details |
| Twilio | Phone calls and SMS messaging | Phone numbers |
| VAPI | AI voice agent calls | Phone numbers, call transcripts |
| Anthropic | AI-powered analysis and content generation | Business context for AI processing |
| Resend | Transactional email delivery | Email addresses, names |
| | Calendar and email integration (optional) | Email, calendar events (with OAuth consent) |
| Vercel | Application hosting and deployment | Application data in transit |
| Supabase | Database hosting | All stored data (encrypted at rest) |
| Upstash | Rate limiting | IP addresses, tenant identifiers |
| Tavily | Web search for business research | Search queries |
| Perplexity | AI-powered research | Search queries |
6. AI Data Processing
Our platform uses AI providers (Anthropic, VAPI) to analyze calls, generate content, and score leads. When processing data through AI providers:
- Personal identifiers are redacted, where feasible, before data is sent to AI providers
- AI providers process data only for our requested purposes
- AI-generated outputs (summaries, scores, insights) are stored in your tenant database
- We do not use your data to train third-party AI models
7. Data Retention
We retain personal data only as long as necessary:
- Call recordings: 90 days
- Closed leads: 2 years
- Chat conversations (closed): 30 days
- Audit logs: 1 year
- Financial records: 7 years (legal requirement)
- Soft-deleted records: permanently purged after 30 days
When data exceeds its retention period, it is automatically and irreversibly deleted.
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of all personal data we hold about you
- Rectification: Correct inaccurate personal data
- Erasure: Request deletion of your personal data
- Data portability: Export your data in a structured, machine-readable format
- Restriction: Request we limit how we process your data
- Objection: Object to processing based on legitimate interests
- Withdraw consent: Where processing is based on consent, you may withdraw it at any time
To exercise any of these rights, contact us at privacy@bookofbusiness.ai. We will respond within 30 days (or 72 hours for GDPR requests where required).
9. Cookies
We use cookies and similar technologies to operate our platform. For details on the types of cookies we use and how to manage your preferences, see our Cookie Policy.
10. Data Security
We implement appropriate technical and organizational measures to protect personal data, including:
- AES-256-GCM encryption for sensitive credentials
- TLS 1.3 for all data in transit
- Tenant-level data isolation at the database layer
- Rate limiting on all API endpoints
- Input validation and parameterized database queries
For more details, see our Security Practices page.
11. International Data Transfers
Our services are primarily hosted and processed in the United States. If you access our platform from the European Economic Area (EEA), United Kingdom, Switzerland, Japan, or other jurisdictions with data transfer restrictions, your personal data will be transferred to the United States for processing.
11.1 Transfer Mechanisms
We rely on the following legal mechanisms to transfer personal data outside of the EEA/UK:
- Standard Contractual Clauses (SCCs) — We use EU-approved Standard Contractual Clauses with our data processors where required. These clauses are incorporated into our Data Processing Agreements.
- Data Processing Agreements (DPAs) — We maintain DPAs with all third-party processors that handle personal data on our behalf, specifying appropriate safeguards, data handling obligations, and breach notification requirements.
- Adequacy Decisions — Where applicable, we transfer data to countries recognized by the European Commission as providing adequate data protection.
11.2 Processor Locations
Our primary third-party processors and their data processing locations:
| Processor | Processing Location | Safeguard |
|---|---|---|
| Vercel (Hosting) | United States / Global Edge | DPA + SCCs |
| Supabase (Database) | United States | DPA + SCCs |
| Clerk (Auth) | United States | DPA + SCCs |
| Stripe (Payments) | United States | DPA + SCCs |
| Anthropic (AI) | United States | DPA + PII Redaction |
| Twilio (Communications) | United States | DPA + SCCs |
| VAPI (Voice AI) | United States | DPA |
| Resend (Email) | United States | DPA |
11.3 Supplementary Measures
In addition to contractual safeguards, we implement the following supplementary technical measures for international transfers:
- Encryption in transit — All data transfers use TLS 1.3 encryption
- Encryption at rest — Database encrypted at the infrastructure layer; sensitive fields encrypted at the application layer using AES-256-GCM
- PII redaction — Personal data is tokenized before being sent to AI processors, minimizing exposure
- Data minimization — Only the minimum necessary data is shared with each processor
- Access controls — Multi-tenant isolation ensures processors cannot access data across organizational boundaries
11.4 Your Rights Regarding Transfers
You have the right to obtain a copy of the Standard Contractual Clauses or other safeguards we use for international transfers. Contact us at privacy@bookofbusiness.ai to request this information.
11.5 Japan (APPI)
For users in Japan, we comply with the Act on Protection of Personal Information (APPI) Article 28 regarding cross-border transfers. We ensure that recipient countries provide equivalent protection or that appropriate measures are in place.
11.6 APEC CBPR
We support the APEC Cross-Border Privacy Rules framework and implement accountability measures for cross-border data flows within the Asia-Pacific region.
12. Children's Privacy
Our services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a child, please contact us to have it removed.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a new effective date. Your continued use of the platform after such changes constitutes acceptance.
14. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at: