Privacy Policy

This Privacy Policy ("Policy") describes how ALL IN ONE MARKETING.COM, INC., a New York corporation ("Company," "we," "us," or "our"), collects, uses, discloses, and protects information in connection with the All In One Ai Bot platform and related services (collectively, the "Service"). The Service is a software-as-a-service ("SaaS") platform that enables businesses ("Subscribers") to deploy AI-powered chatbots that communicate with their customers, prospects, and leads ("End Users") via SMS, iMessage, RCS, and other messaging channels.

By accessing or using the Service, you agree to this Policy. If you do not agree, you must not use the Service.

1. Definitions

• "Subscriber" means any business or individual who creates an account on the Service to use the AI chatbot platform.
• "End User" means any individual whose information is uploaded to, collected by, or processed through the Service by a Subscriber, including leads, prospects, and customers of the Subscriber.
• "Subscriber Data" means all data that a Subscriber uploads to, transmits through, or generates using the Service, including End User data, conversation content, and business information.
• "Personal Information" means information that identifies, relates to, describes, or could reasonably be linked to a particular individual.

2. Information We Collect

2.1 Information Collected from Subscribers

When you register for and use the Service, we collect:

• Account Information: Full name, email address, password (encrypted via Supabase Auth), business name, agent/representative name, phone number, and website URL.
• Business Profile Data: Industry classification, company description, products/services offered, unique selling points, license numbers, and licensed states/jurisdictions.
• Billing Information: Payment details processed and stored by Stripe, Inc. We store only Stripe customer and subscription identifiers — not credit card numbers or bank account details.
• Messaging Provider Credentials: API keys, account SIDs, auth tokens, and phone numbers for third-party messaging providers (Twilio, Linq, and/or Blooio). These are encrypted at rest using AES-256-GCM encryption.
• AI Configuration: Custom AI instructions, conversation strategies, extraction schemas, personality settings, and knowledge base entries you provide to train your chatbot.
• Calendar Integration Data: When you connect a calendar (via Nylas), we access your calendar availability, event details, and calendar identifiers to facilitate booking.
• Usage Data: Login timestamps, feature usage, API call volumes, message counts, and platform interaction patterns.

2.2 Information Collected from End Users (on Behalf of Subscribers)

When Subscribers use the Service to communicate with their End Users, the following End User information may be collected and processed:

• Contact Information: Name, phone number, email address, and mailing address.
• Demographic Data: Date of birth, marital status, employment status, estimated income range, and number of dependents.
• Conversation Content: The full text of all inbound and outbound SMS, iMessage, and RCS messages exchanged between the Subscriber's AI chatbot and the End User.
• AI-Extracted Information: Information automatically extracted from conversations by AI, including but not limited to: personal preferences, budget indicators, service interests, family/household details, health and lifestyle information, decision-making factors, and scheduling preferences. This information is stored in structured fields and may include data the End User voluntarily shares during conversation.
• Interaction Metadata: Message timestamps, delivery status, response times, conversation scores, intent classifications, opt-in/opt-out status, and consent timestamps.
• Booking Information: Appointment dates, times, attendee information, and booking confirmation status.
• Custom Fields: Any additional data fields defined by the Subscriber's extraction schema, which varies by industry and business type.

2.3 Information Collected Automatically

• Device and Browser Information: IP address, browser type, operating system, device identifiers, and referring URLs.
• Cookies and Similar Technologies: Session cookies for authentication, preference cookies, and analytics cookies. See Section 9 for details.
• Log Data: Server logs, error reports, and performance metrics.

3. How We Use Information

3.1 Subscriber Information

• To provide, maintain, and improve the Service.
• To authenticate your identity and manage your account.
• To process payments and manage subscriptions.
• To send transactional communications (account alerts, billing notices, security notifications).
• To provide customer support.
• To enforce our Terms and Conditions and prevent fraud or abuse.
• To comply with legal obligations.

3.2 End User Information

We process End User information solely on behalf of and as directed by the Subscriber. Specifically:

• To facilitate AI-powered conversations between the Subscriber's chatbot and End Users.
• To extract and organize lead information as configured by the Subscriber.
• To route messages through the Subscriber's chosen messaging provider.
• To schedule and manage appointments on the Subscriber's calendar.
• To generate conversation summaries and analytics for the Subscriber.
• To execute automated follow-up sequences as configured by the Subscriber.

3.3 AI Processing

The Service uses artificial intelligence models provided by OpenAI (GPT-4o, GPT-4o-mini) and Anthropic (Claude) to process conversations. When messages are processed:

• Message content is sent to these AI providers' APIs for response generation, intent classification, and information extraction.
• AI providers process this data according to their respective privacy policies and data processing agreements.
• We do not use End User conversation data to train our own AI models or to train the underlying third-party AI models.
• AI-generated responses are reviewed for safety, compliance, and quality through automated systems including content filtering and opt-out detection.

4. Data Sharing and Disclosure

We do not sell Personal Information. We share information only in the following circumstances:

4.1 Third-Party Service Providers

We share data with the following categories of service providers who process data on our behalf:

• Messaging Providers: Twilio, Linq, and/or Blooio — to send and receive SMS, iMessage, and RCS messages. These providers receive End User phone numbers and message content.
• AI Providers: OpenAI and Anthropic — to generate AI responses. These providers receive conversation content and contextual information necessary for response generation.
• Calendar Provider: Nylas — to manage calendar integrations. Nylas receives calendar availability data and booking details.
• Payment Processor: Stripe — to process subscription payments. Stripe receives billing information as described in Stripe's privacy policy.
• Authentication Provider: Supabase — to manage user authentication, including OAuth flows for social login (e.g., Google). Supabase receives authentication credentials.
• Database Hosting: Supabase — to host our PostgreSQL database. All Subscriber and End User data is stored in Supabase-hosted infrastructure.

4.2 Legal Requirements

We may disclose information if required to do so by law or in the good faith belief that such action is necessary to:

• Comply with a legal obligation, subpoena, court order, or governmental request.
• Protect and defend our rights or property.
• Prevent or investigate possible wrongdoing in connection with the Service.
• Protect the personal safety of users of the Service or the public.

4.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify affected parties of any such transfer and any choices they may have regarding their information.

5. Data Processor Role and Subscriber Responsibilities

With respect to End User data, the Company acts as a data processor (or "service provider" under applicable law). The Subscriber is the data controller (or "business") and is responsible for:

• Obtaining all necessary consents from End Users before uploading their data to the Service or initiating automated communications, including express written consent as required by the Telephone Consumer Protection Act (TCPA), CAN-SPAM Act, and applicable state laws.
• Providing End Users with appropriate privacy notices and disclosures about how their data will be used, including disclosure that AI-powered chatbots may be used for communication.
• Complying with all applicable federal, state, and local laws regarding telemarketing, text messaging, data protection, and consumer privacy, including but not limited to the TCPA, CCPA/CPRA, state mini-TCPA laws, FCC regulations, and CTIA guidelines.
• Honoring End User opt-out requests and maintaining accurate consent records.
• Ensuring that all data uploaded to the Service was lawfully collected.
• Responding to End User data access, deletion, and correction requests, with our reasonable assistance.

The Company does not independently verify that Subscribers have obtained proper consent from End Users. Subscribers bear full responsibility for their compliance with all applicable laws and regulations governing their use of the Service.

6. SMS/Text Messaging Compliance

The Service facilitates SMS, iMessage, and RCS messaging. The following applies:

• The Company provides tools and technology for Subscribers to send messages. The Company does not initiate messages to End Users on its own behalf.
• All messages are sent under the Subscriber's phone number, brand, and authority.
• The Service includes automated opt-out detection. When an End User sends a message indicating they wish to stop receiving messages (e.g., "STOP," "UNSUBSCRIBE," "OPT OUT"), the system automatically flags the lead and ceases automated messaging.
• The Service includes configurable quiet hours functionality that allows Subscribers to restrict messaging to specific days and times. This feature is provided as a convenience tool to assist Subscribers in managing their messaging schedules. The quiet hours feature does not guarantee compliance with the TCPA, state mini-TCPA laws, or any other applicable regulation. The Service allows Subscribers to modify or disable quiet hours settings at their sole discretion.
• The Company does not control, monitor, or verify the timing of messages sent by Subscribers and is not responsible for messages sent outside of legally permissible hours. Subscribers are solely responsible for configuring their messaging hours in compliance with all applicable laws based on the jurisdictions in which their End Users are located, including state-specific restrictions on evening, Sunday, and weekend messaging.
• The Service includes automated opt-out detection that identifies common opt-out keywords and flags leads accordingly. This automated detection is a convenience tool and does not replace the Subscriber's obligation to maintain a comprehensive opt-out and do-not-contact ("DNC") list. The Company does not maintain, manage, or verify Subscriber opt-out or DNC lists and is not responsible for messages sent to individuals who have opted out through any channel.
• Subscribers are solely responsible for honoring all opt-out requests received through any channel (SMS, phone, email, verbal, or otherwise), maintaining accurate opt-out records, cross-referencing against the National Do Not Call Registry and state DNC registries, and ensuring that opted-out individuals are not re-contacted without new valid consent.
• Subscribers are solely responsible for ensuring their messaging practices comply with the TCPA, CTIA Short Code Monitoring Handbook, carrier policies, A2P 10DLC registration requirements, and all applicable regulations.
• The Service does not provide legal advice regarding messaging compliance. Subscribers should consult with their own legal counsel to ensure compliance.

7. Data Security

We implement industry-standard security measures to protect your information:

• Encryption at Rest: Sensitive credentials (messaging provider API keys, tokens) are encrypted using AES-256-GCM.
• Encryption in Transit: All data transmitted between your browser and our servers uses TLS/HTTPS encryption.
• Authentication: User sessions are managed through Supabase Auth with secure, httpOnly cookies. Passwords are hashed using industry-standard algorithms.
• Access Controls: Multi-tenant architecture ensures that each Subscriber can only access their own data. Role-based access controls restrict administrative functions.
• Infrastructure Security: Our database and application are hosted on Supabase and Replit infrastructure, which maintain SOC 2 compliance and other security certifications.

While we implement reasonable security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.

8. Data Retention

• Subscriber Data: We retain Subscriber account data for as long as the account is active and for a reasonable period thereafter for legal, tax, and audit purposes. Upon account termination, Subscriber data will be deleted within 90 days, unless retention is required by law.
• End User Data: End User data is retained for as long as the Subscriber's account is active. Subscribers may delete individual End User records at any time through the Service. Upon Subscriber account termination, all associated End User data will be deleted within 90 days.
• Conversation Logs: Message history is retained for the duration of the Subscriber's account. Subscribers may request bulk deletion of conversation data by contacting us.
• Audit Logs: Compliance and audit logs may be retained for up to 7 years to satisfy legal and regulatory requirements.

9. Cookies and Tracking

We use the following types of cookies:

• Essential Cookies: Required for authentication and session management. These cannot be disabled.
• Functional Cookies: Remember your preferences and settings.

We do not use third-party advertising cookies or cross-site tracking on the Service.

10. Your Rights

10.1 Subscriber Rights

Depending on your jurisdiction, you may have the right to:

• Access, correct, or delete your Personal Information.
• Export your data in a portable format.
• Object to or restrict certain processing of your data.
• Withdraw consent where processing is based on consent.
• Lodge a complaint with a supervisory authority.

To exercise any of these rights, contact us at legal@allinonemarketing.com.

10.2 End User Rights

If you are an End User and wish to exercise your privacy rights (access, deletion, correction, opt-out), please contact the business (Subscriber) that communicated with you directly. As a data processor, we process End User data on the Subscriber's instructions and will assist Subscribers in fulfilling data subject requests.

If you are unable to reach the Subscriber or need additional assistance, you may contact us at legal@allinonemarketing.com, and we will make reasonable efforts to direct your request appropriately.

11. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

• Right to Know: You may request disclosure of the categories and specific pieces of Personal Information we have collected about you.
• Right to Delete: You may request deletion of your Personal Information, subject to certain exceptions.
• Right to Correct: You may request correction of inaccurate Personal Information.
• Right to Opt-Out of Sale/Sharing: We do not sell or share Personal Information for cross-context behavioral advertising.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

With respect to End User data, the Company acts as a "service provider" under the CCPA. Subscribers are the "businesses" responsible for CCPA compliance concerning their End Users' data.

12. New York Privacy Considerations

As a New York corporation, we comply with applicable New York State privacy laws, including the New York SHIELD Act. We maintain reasonable safeguards to protect the security, confidentiality, and integrity of private information, including administrative, technical, and physical safeguards.

In the event of a data breach involving private information of New York residents, we will provide notification in accordance with New York General Business Law Section 899-aa.

13. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect Personal Information from children under 18. If we become aware that we have collected Personal Information from a child under 18, we will take steps to delete that information. If you believe a child has provided us with Personal Information, please contact us at legal@allinonemarketing.com.

14. International Data Transfers

The Service is operated from the United States. If you access the Service from outside the United States, your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Service, you consent to such transfers.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify Subscribers of material changes by email or through a notice on the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

16. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at: