AutomatedFront provides AI-powered phone answering and appointment booking to small businesses. This policy explains what data we collect from callers and clients, how it's used, and your rights under US law — including CCPA, CPRA, and TCPA.
INFORMATION WE COLLECT
1.1 — Business Client Data
When a business signs up for AutomatedFront services, we collect:
- Business name, owner name, and contact information
- Email address and phone number
- Business type / niche (e.g., Plumber, HVAC, Dental, Electrician, Locksmith, Barbershop, Beauty Salon, Hair Salon)
- City, state, and timezone
- Google Calendar OAuth credentials (for appointment sync)
- Payment information processed via Stripe
1.2 — Inbound Caller Data (via Alex AI)
When a consumer calls a phone number powered by AutomatedFront's Alex AI assistant, we may collect:
- Caller's name and phone number
- Service address
- Description of the service request or emergency
- Preferred appointment time
- Audio recording of the call
- Machine-generated transcript of the call
- Metadata: call timestamp, duration, area code
1.3 — Automated Usage Data
We automatically collect technical data including browser type, IP address, pages visited, and interaction timestamps when you access our website or dashboard.
HOW WE USE INFORMATION
- Service Delivery: Answering inbound calls, booking appointments, and syncing with client calendars.
- Lead Qualification: Identifying emergency vs. routine service requests and routing them appropriately.
- SMS Confirmations: Sending appointment confirmation text messages to callers.
- ROI Reporting: Generating weekly reports for business clients showing call volume and estimated revenue recovered.
- Billing: Processing subscription payments and managing trial periods via Stripe.
- Product Improvement: Analyzing call transcripts in aggregate to improve AI accuracy. No individual caller data is used for model training without explicit consent.
- Legal Compliance: Maintaining TCPA consent records and honoring opt-out requests.
AutomatedFront does not sell, rent, or trade personal information — whether from business clients or inbound callers — to any third party for advertising or marketing purposes.
AI VOICE & AUDIO RECORDING
Alex is an artificial intelligence voice assistant. Calls answered by Alex are handled by AI, not a human. Alex will disclose its AI nature to any caller who sincerely asks.
3.1 — Call Recording
All calls handled by the Alex AI assistant are recorded and transcribed. Recordings are stored securely via Vapi.ai's infrastructure. Business clients may access call recordings through their AutomatedFront dashboard.
3.2 — Inbound Consent
Callers who dial a phone number powered by AutomatedFront have provided implicit inbound consent by initiating the call. The business operating the number is responsible for maintaining any additional state-law disclosures (e.g., two-party consent states such as California, Illinois, and Washington).
3.3 — State-Specific Recording Notice
In all-party consent states (including CA, FL, IL, MD, MI, MA, NV, NH, OR, PA, WA), the Alex AI assistant issues a verbal recording notice at the start of each call.
3.4 — Transcript Retention
Call transcripts are retained for a default period of 90 days. Business clients may request extended retention or early deletion. Access is restricted to the business client and authorized AutomatedFront personnel.
TCPA COMPLIANCE
AutomatedFront's AI calling infrastructure is designed to comply with TCPA and FCC regulations. Violations carry statutory damages of $500–$1,500 per call. We take compliance seriously.
4.1 — Inbound Calls (Alex AI)
Alex AI only answers inbound calls initiated by the consumer. No outbound calls are made to consumers via Alex without prior express written consent. Inbound callers have implicitly consented by dialing the number.
4.2 — Outbound AI Sales Calls (Jordan AI)
Jordan AI places outbound calls only to individuals who have submitted a web form containing this exact consent language:
"By submitting this form, I expressly consent to receive an automated AI-powered phone call from AutomatedFront at the number provided. I understand the call may use artificial voice technology. Message and data rates may apply."
The form submission timestamp is logged in our CRM as proof of prior express written consent.
4.3 — SMS Messages
Appointment confirmation SMS messages are sent following inbound conversations with Alex AI. These are transactional communications permitted under TCPA. Every SMS includes a STOP opt-out mechanism.
4.4 — Do Not Call & Opt-Out
AutomatedFront honors all opt-out requests immediately. If a caller says "remove me," "stop calling," or "don't contact me," their number is flagged within minutes. Business clients are notified of opt-outs and are responsible for honoring them in follow-up communications.
4.5 — National Do Not Call Registry
AutomatedFront does not place outbound telemarketing calls to numbers registered on the National DNC Registry. Outbound calls are limited to individuals who provided prior express written consent per Section 4.2.
THIRD-PARTY PROCESSORS
To provide our services, AutomatedFront shares certain data with the following sub-processors. Each has been evaluated for security and US law compliance.
All sub-processors are required to use data only for specified purposes and maintain appropriate security measures under Data Processing Agreements.
CCPA / CPRA RIGHTS
If you are a California resident, the CCPA as amended by the CPRA grants you specific rights regarding your personal information.
6.1 — Categories Collected
- Identifiers: Name, email, phone number, IP address
- Commercial Information: Subscription status, billing history
- Audio Data: Call recordings and voice interactions with Alex AI
- Geolocation Data: City and state (not precise GPS)
- Internet Activity: Browser/device info, page visits
- Inferences: Service type and urgency level derived from call content
6.2 — Your Rights
6.3 — How to Submit a Request
Email privacy@automatedfront.com with subject line CCPA Privacy Request. We respond within 45 days (extendable by 45 days with notice). Identity verification required before processing.
6.4 — Shine the Light (Cal. Civil Code § 1798.83)
AutomatedFront does not disclose personal information to third parties for direct marketing purposes.
GDPR & EU/UK RIGHTS
If you are located in the EU, EEA, UK, or Switzerland, the General Data Protection Regulation (GDPR) and equivalent laws (UK GDPR, Swiss FADP) grant you additional rights regarding your personal data.
7.1 — Lawful Basis for Processing
- Contract performance (Art. 6(1)(b)): processing necessary to deliver the AI receptionist service you signed up for
- Consent (Art. 6(1)(a)): for analytics cookies, marketing communications, and AI voice recording where required by national law
- Legitimate interests (Art. 6(1)(f)): service security, fraud prevention, and product improvement (balanced against your rights)
- Legal obligation (Art. 6(1)(c)): tax, accounting, and regulatory record-keeping
7.2 — Your GDPR Rights
7.3 — International Data Transfers
Some sub-processors (Vapi, OpenAI, ElevenLabs, Twilio) are based in the United States. Where personal data is transferred outside the EEA/UK, we rely on the European Commission's Standard Contractual Clauses (SCCs) and supplementary technical measures (encryption in transit and at rest). The UK extension to the SCCs is applied for UK data transfers.
7.4 — How to Exercise Your GDPR Rights
Email privacy@automatedfront.com with subject line GDPR Request — [type]. We respond within 30 days (extendable by 60 days for complex requests). Identity verification required.
DATA RETENTION
- Business client data: Duration of subscription + 12 months post-cancellation.
- Call recordings & transcripts: 90 days default. Extended retention on request.
- TCPA consent records: Minimum 4 years (TCPA litigation window).
- Payment records: Per Stripe's policies and applicable tax law (typically 7 years).
- Opt-out / suppression records: Retained indefinitely to prevent re-contacting opted-out individuals.
Upon cancellation, personal data is deleted or anonymized within 30 days of a written deletion request, except where legally required.
SECURITY
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for data at rest
- OAuth2 for Google Calendar access (no passwords stored)
- API keys stored as environment variables, never in source code
- Access controls limiting data access to authorized personnel only
- Regular security reviews of third-party integrations
In the event of a breach affecting personal information, affected parties will be notified within the timeframes required by applicable state law (e.g., 72 hours under California law for certain breaches).
CHILDREN'S PRIVACY
AutomatedFront's services are intended for small business operators and are not directed at individuals under 18. We do not knowingly collect personal information from children under 13. If we become aware of such collection, we will delete it promptly. Contact us at privacy@automatedfront.com if you believe a child's data has been collected.
CHANGES TO THIS POLICY
When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Email all active business clients at least 14 days before the change takes effect
- For significant changes affecting TCPA consent terms, obtain fresh consent where required
Continued use of AutomatedFront services after the effective date constitutes acceptance of the updated policy.
CONTACT US
For privacy inquiries, CCPA requests, TCPA opt-outs, or data deletion requests:
We respond to all privacy requests within 5 business days. CCPA requests handled within the 45-day statutory window.
