Privacy Policy

This Privacy Policy ("Policy") describes how ALL IN ONE MARKETING.COM, INC., a New York corporation ("Company," "we," "us," or "our"), collects, uses, discloses, and protects information in connection with the All In One AI Bot platform and related services (collectively, the "Service"). The Service is a software-as-a-service ("SaaS") platform that enables businesses ("Subscribers") to deploy AI-powered chatbots that communicate with their customers, prospects, and leads ("End Users") via SMS, MMS, iMessage, and RCS messaging channels.

By accessing or using the Service, you agree to this Policy. If you do not agree, you must not use the Service.

This Policy is incorporated into and supplements our Terms and Conditions and our Acceptable Use Policy.

1. Definitions

• "Agency Subscriber" means a Subscriber on the Agency Plan tier who makes the Service available to its own customers under its own brand pursuant to Section 4 of the Terms and Conditions.
• "Sub-Subscriber" means a customer of an Agency Subscriber who accesses the Service through the Agency Subscriber's white-label instance.
• "Subscriber" means any business or individual who creates an account on the Service to use the AI chatbot platform, including Agency Subscribers and Sub-Subscribers.
• "End User" means any individual whose information is uploaded to, collected by, or processed through the Service by a Subscriber, including leads, prospects, customers, patients, clients, and other contacts of the Subscriber.
• "Subscriber Data" means all data that a Subscriber uploads to, transmits through, or generates using the Service, including End User data, conversation content, and business information.
• "Personal Information" means information that identifies, relates to, describes, or could reasonably be linked to a particular individual or household.
• "Sensitive Personal Information" means the categories of Personal Information identified as "sensitive personal information," "sensitive data," or comparable terms under applicable privacy laws, which generally include government-issued identifiers, financial account information, precise geolocation, racial or ethnic origin, religious beliefs, union membership, genetic data, biometric data, health information, and information about sex life or sexual orientation.

2. Information We Collect

2.1 Information Collected from Subscribers

When you register for and use the Service, we collect:

• Account Information: Full legal business name, doing-business-as name, authorized representative name, email address, password (hashed and stored via Supabase Auth), business phone number, and website URL.
• Business Profile and Compliance Data: Industry classification, company description, products or services offered, unique selling points, EIN or business tax identifier (where applicable), license numbers, licensed states or jurisdictions, business address, mobile phone number for verification, IP address at registration, and other information required for identity verification and A2P 10DLC registration.
• Billing Information: Payment details processed and stored by Stripe, Inc. We store only Stripe customer and subscription identifiers — not credit card numbers or bank account details.
• Messaging Provider Credentials: API keys, account SIDs, auth tokens, and phone numbers for third-party messaging providers (Twilio, Linq, and/or Blooio). These are encrypted at rest using AES-256-GCM encryption.
• AI Configuration: Custom AI instructions, conversation strategies, extraction schemas, personality settings, knowledge base entries, and prompt templates you provide to configure your chatbot.
• Calendar Integration Data: When you connect a calendar (via Nylas), we access calendar availability, event details, and calendar identifiers to facilitate booking.
• Custom Domain and Branding Data (Agency Subscribers): Custom domain configurations, DNS records, brand assets (logos, color schemes, product names), and Stripe Connect account identifiers used for white-label and reseller functionality.
• Usage Data: Login timestamps, feature usage, API call volumes, message counts, conversation outcomes, and platform interaction patterns.

2.2 Information Collected from End Users (on Behalf of Subscribers)

When Subscribers use the Service to communicate with their End Users, the following End User information may be collected and processed:

• Contact Information: Name, phone number, email address, and mailing address.
• Demographic Data: Date of birth, marital status, employment status, estimated income range, number of dependents, and other demographic information voluntarily provided.
• Conversation Content: The full text of all inbound and outbound SMS, MMS, iMessage, and RCS messages exchanged between the Subscriber's AI chatbot and the End User, including any media (images, audio recordings) sent through the Service.
• AI-Extracted Information: Information automatically extracted from conversations by AI, including personal preferences, budget indicators, service interests, family and household details, scheduling preferences, decision-making factors, and other information voluntarily shared during conversations.
• Sensitive Personal Information: Subscribers may configure the Service to operate in industries or use cases (such as insurance, healthcare-adjacent services, financial services, or legal services) in which End Users voluntarily share Sensitive Personal Information during conversations. This may include health and lifestyle information (e.g., smoking status, medical conditions, prescriptions), financial information (e.g., income, debt, credit status), and similar categories. Where Sensitive Personal Information is processed:
  • It is processed only for the limited business purposes for which it was provided (e.g., generating a quote, qualifying a lead, scheduling a service);
  • It is not used for cross-context behavioral advertising or sold;
  • Subscribers are responsible for providing End Users with appropriate notice and obtaining consent under applicable law, and for limiting use of Sensitive Personal Information to purposes disclosed at collection;
  • End Users in California and certain other states may have the right to limit our use and disclosure of Sensitive Personal Information to those uses necessary to perform the services they requested. To exercise this right, End Users should contact the Subscriber that communicated with them.
• Interaction Metadata: Message timestamps, delivery status, response times, conversation scores, intent classifications, opt-in and opt-out status, consent timestamps, source URL or method of opt-in (where Subscriber records this), and inferred attributes derived from conversation analysis.
• Booking Information: Appointment dates, times, attendee information, and booking confirmation status.
• Custom Fields: Any additional data fields defined by the Subscriber's extraction schema, which varies by industry and business type.

2.3 Information Collected Automatically

• Device and Browser Information: IP address, browser type, operating system, device identifiers, and referring URLs.
• Cookies and Similar Technologies: Session cookies for authentication and preference cookies. See Section 10 for details, including how we respond to Global Privacy Control signals.
• Log Data: Server logs, error reports, performance metrics, and security event logs.

2.4 Information from White-Label and Agency Channels

For Sub-Subscribers signing up through an Agency Subscriber's white-label instance, the Company collects the same categories of information described in Section 2.1, even though the user-facing branding may reflect the Agency Subscriber. Sub-Subscriber data is processed by the Company as the underlying technology provider and shared with the Agency Subscriber consistent with the white-label relationship.

3. How We Use Information

3.1 Subscriber Information

• To provide, maintain, secure, and improve the Service.
• To authenticate identity, verify business legitimacy, and manage accounts.
• To submit information to The Campaign Registry ("TCR"), mobile carriers, and identity verification providers for A2P 10DLC Brand and Campaign registration, as described in Section 4.2.
• To process payments and manage subscriptions.
• To send transactional communications (account alerts, billing notices, security notifications, compliance notices, A2P registration updates).
• To detect, prevent, and respond to fraud, abuse, security incidents, and violations of the Terms or AUP.
• To monitor messaging behavior for compliance with carrier rules, AUP, and applicable law.
• To provide customer support.
• To enforce our Terms and Conditions and to comply with legal obligations.

3.2 End User Information

We process End User information solely on behalf of and as directed by the Subscriber. Specifically:

• To facilitate AI-powered conversations between the Subscriber's chatbot and End Users.
• To extract and organize lead and conversation information as configured by the Subscriber.
• To route messages through the Subscriber's chosen messaging provider.
• To enforce automated opt-out detection and propagation across the platform.
• To schedule and manage appointments.
• To generate conversation summaries, transcripts, and analytics for the Subscriber.
• To execute automated follow-up sequences as configured by the Subscriber.
• To meet carrier and regulatory compliance obligations, including providing consent records and message logs to carriers, TCR, or regulatory authorities upon request.

3.3 AI Processing

The Service uses third-party artificial intelligence models, currently provided by OpenAI and Anthropic, to process conversations. When messages are processed:

• Message content, conversation context, AI configuration, and extraction schemas are transmitted to these AI providers' APIs for response generation, intent classification, and information extraction.
• AI providers process this data under their respective contractual commitments to the Company, which include provisions against using customer data to train their foundation models without explicit opt-in.
• We do not use End User conversation data to train the Company's own AI models or to train third-party AI providers' foundation models.
• AI-generated responses are subject to automated review for safety, opt-out detection, and prohibited content before delivery, but the Company does not manually review the substantive content of conversations except as necessary for support, compliance, audit, or security investigations.
• End Users may be interacting with an automated system. Subscribers are responsible for disclosing AI/automated interaction to End Users where required by applicable law (such as the California Bot Disclosure Law).

3.4 Aggregated and De-identified Data

We may use aggregated and de-identified data derived from Subscriber Data and End User information for analytics, benchmarking, product development, and Service improvement, provided that such data does not identify any Subscriber or End User and is not re-identifiable.

4. Data Sharing and Disclosure

We do not sell Personal Information, and we do not share Personal Information for cross-context behavioral advertising. We share information only in the circumstances described below.

4.1 Third-Party Service Providers and Sub-Processors

We share data with the following service providers and sub-processors who process data on our behalf:

The current list of sub-processors is available upon request by emailing legal@allinonemarketing.com. The Company may update this list from time to time and will provide notice of new sub-processors to Subscribers who have executed a Data Processing Addendum, as required by that DPA.

4.2 Regulators, Carriers, and TCR

In connection with our role as a registered Independent Software Vendor and Campaign Service Provider for A2P 10DLC messaging, we share information with:

• The Campaign Registry (TCR) — for Brand and Campaign registration, vetting, and audits.
• Mobile carriers (AT&T, T-Mobile, Verizon, and others) — for carrier vetting, audits, complaint investigations, and trust score determinations.
• Identity verification providers — for KYC, business verification, fraud prevention, and brand vetting (including Aegis Mobile / Vet+ where applicable).

Information shared may include Subscriber business name, EIN, address, authorized representative, sample messages, opt-in language, message content, and consent records.

4.3 Agency Subscribers and Sub-Subscriber Data

For data processed through an Agency Subscriber's white-label instance:

• The Agency Subscriber receives Sub-Subscriber account information, usage information, and billing information for purposes of operating the Agency Subscriber's reseller business and complying with the Agency Subscriber's obligations under the Terms.
• The Agency Subscriber is responsible for providing Sub-Subscribers with a privacy notice consistent with this Policy and for honoring Sub-Subscriber data subject requests.
• The Company retains the underlying technology provider relationship with Sub-Subscriber data and may directly communicate with Sub-Subscribers regarding compliance, security, and account migration matters.

4.4 Legal Requirements

We may disclose information if required by law or in good faith belief that such action is necessary to:

• Comply with a legal obligation, subpoena, court order, governmental request, or regulatory inquiry;
• Comply with carrier rules, TCR requirements, or A2P 10DLC investigation requests;
• Protect and defend our rights, property, or safety, or that of our Subscribers, End Users, or the public;
• Prevent or investigate possible wrongdoing in connection with the Service;
• Enforce our Terms, AUP, or other agreements.

4.5 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, financing transaction, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify affected parties of any such transfer.

4.6 With Your Consent

We may share information with third parties when you direct us to do so or with your explicit consent.

5. Roles Under Privacy Law and Subscriber Responsibilities

5.1 Roles

With respect to End User Personal Information, the Company acts as a "service provider" under CCPA/CPRA, a "processor" under Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and other comparable state privacy laws, and a "data processor" generally. The Subscriber acts as the "business," "controller," or "data controller" depending on the applicable law.

For Subscriber account information, the Company acts as a "business" or "controller" with respect to that information, processing it for the purposes described in this Policy.

5.2 Subscriber Responsibilities

The Subscriber is responsible for:

• Obtaining all necessary consents from End Users before uploading their data to the Service or initiating automated communications, including prior express written consent as required by the TCPA, CAN-SPAM Act, and applicable state laws.
• Providing End Users with appropriate privacy notices and disclosures, including disclosure that AI-powered chatbots may be used and that sensitive personal information may be processed.
• Complying with all applicable federal, state, and local laws regarding telemarketing, text messaging, data protection, and consumer privacy, including the TCPA, CCPA/CPRA, state mini-TCPA laws, FCC regulations, CTIA guidelines, and A2P 10DLC requirements.
• Honoring End User opt-out requests received through any channel and maintaining accurate consent and opt-out records.
• Ensuring that all data uploaded to the Service was lawfully collected.
• Responding to End User data access, deletion, correction, and other rights requests, with reasonable assistance from the Company.

5.3 Data Processing Addendum

Subscribers requiring a Data Processing Addendum ("DPA") to satisfy their obligations under CCPA/CPRA or other applicable laws may request the Company's standard DPA by emailing legal@allinonemarketing.com.

The Company does not independently verify Subscriber compliance with applicable laws beyond the automated controls described in this Policy and the Terms.

6. SMS, MMS, and Messaging Compliance

6.1 Platform Role

The Service facilitates SMS, MMS, iMessage, and RCS messaging between Subscribers and their End Users. The Company does not initiate messages to End Users on its own behalf except for transactional and platform-level communications to Subscribers (such as account verification, billing notices, and compliance alerts).

6.2 Sender Identity

All Subscriber-originated messages are sent under the Subscriber's phone number, brand identity, and authority. During the A2P 10DLC Initial Period for new Subscribers, messages are sent under the Company's platform-level Brand and Campaign registration with TCR while the Subscriber's individual registration is pending; this is disclosed in the Terms.

6.3 Automated Opt-Out Detection

The Service includes automated detection of opt-out keywords (including STOP, UNSUBSCRIBE, OPT OUT, CANCEL, END, and QUIT). When detected, the system automatically flags the End User as opted out and ceases automated messaging. This automation is a convenience tool and does not replace the Subscriber's obligation to honor opt-outs received through any channel.

6.4 Quiet Hours

The Service includes configurable quiet hours functionality. This feature is provided as a convenience tool and does not guarantee compliance with the TCPA, state mini-TCPA laws, or any other regulation. The Service permits Subscribers to override or disable quiet hours; if Subscribers do so, they assume all resulting risk and liability.

6.5 Subscriber Compliance Responsibility

Subscribers are solely responsible for:

• Ensuring messaging practices comply with the TCPA, CTIA guidelines, carrier policies, A2P 10DLC requirements, and all applicable regulations.
• Maintaining comprehensive opt-out and Do-Not-Contact lists across all channels.
• Configuring quiet hours and messaging schedules in compliance with all applicable federal, state, and local laws.
• Honoring opt-outs received through any channel within timeframes required by law.

The Service does not provide legal advice. Subscribers should consult their own counsel.

7. Data Security

7.1 Security Measures

We implement industry-standard administrative, technical, and physical safeguards to protect Personal Information, including:

• Encryption in Transit: All data transmitted between users and our infrastructure uses TLS 1.2 or higher.
• Encryption at Rest: Sensitive credentials (messaging provider API keys, tokens) are encrypted using AES-256-GCM. Database-level encryption at rest is provided by Supabase and underlying AWS infrastructure.
• Authentication: User sessions are managed through Supabase Auth with secure, httpOnly cookies. Passwords are hashed using industry-standard algorithms.
• Access Controls: Multi-tenant architecture isolates each Subscriber's data. Role-based access controls and least-privilege principles restrict administrative access. Multi-factor authentication is required for administrative access.
• Logging and Monitoring: Access to Personal Information is logged. Security events are monitored.
• Personnel Security: Personnel with access to Personal Information are subject to confidentiality obligations and security training.
• Infrastructure Security: Underlying cloud infrastructure providers (AWS, Supabase, Replit, Cloudflare) maintain SOC 2 and other security certifications.
• Incident Response: We maintain an incident response plan and procedures for investigating and responding to Security Incidents.

7.2 SHIELD Act Safeguards

In compliance with the New York SHIELD Act (N.Y. Gen. Bus. Law § 899-bb), we maintain reasonable administrative safeguards (including designated personnel, risk assessments, training, vendor selection, and adjustment of safeguards in light of changing circumstances), technical safeguards (including risk assessments of network and software design, information processing, and detecting and responding to attacks or system failures), and physical safeguards (including detecting, preventing, and responding to intrusions, protecting against unauthorized access during or after collection, transportation, and destruction or disposal of data).

7.3 No Absolute Security

While we implement reasonable security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

8. Data Retention

Subscribers may delete individual End User records at any time through the Service. Upon Subscriber account termination, associated End User data will be deleted within 90 days, except where retention is required by law, regulation, ongoing legal proceeding, or carrier compliance investigation.

9. Your Rights

9.1 Subscriber Rights

Depending on your jurisdiction, you may have the right to:

• Access the Personal Information we hold about you;
• Correct inaccurate Personal Information;
• Delete your Personal Information, subject to legal exceptions;
• Port your data in a structured, machine-readable format;
• Restrict or object to certain processing;
• Withdraw consent where processing is based on consent;
• Opt out of sale, sharing, or targeted advertising (we do not engage in any of these);
• Limit the use and disclosure of Sensitive Personal Information;
• Lodge a complaint with a supervisory authority.

To exercise these rights, contact us at legal@allinonemarketing.com. We will respond within 45 days, with the possibility of a 45-day extension where reasonably necessary, consistent with applicable law.

9.2 Verification

To protect your information, we will verify your identity before fulfilling rights requests. The verification method will depend on the nature of the request and the sensitivity of the information.

9.3 Authorized Agents

You may designate an authorized agent to make a request on your behalf. We may require proof of the agent's authorization and verification of your identity.

9.4 No Discrimination

We will not discriminate against you for exercising your privacy rights. We do not deny goods or services, charge different prices, provide different quality, or suggest you will receive different treatment for exercising rights.

9.5 End User Rights

If you are an End User and wish to exercise privacy rights regarding data processed on a Subscriber's behalf, contact the Subscriber business that communicated with you. As a service provider/processor, we process End User data on the Subscriber's instructions and will assist Subscribers in fulfilling rights requests.

If you are unable to reach the Subscriber, contact us at legal@allinonemarketing.com and we will make reasonable efforts to direct your request appropriately.

10. Cookies, Tracking, and Global Privacy Control

10.1 Cookies

We use the following types of cookies:

• Essential Cookies: Required for authentication and session management. Cannot be disabled.
• Functional Cookies: Remember preferences and settings.

We do not use third-party advertising cookies or cross-site behavioral advertising tracking.

10.2 Do Not Track and Global Privacy Control

We do not currently respond to traditional Do Not Track ("DNT") browser signals because there is no industry consensus on how to interpret them.

We do honor Global Privacy Control ("GPC") signals as a valid opt-out of "sale" and "sharing" under CCPA/CPRA and comparable state laws. Because we do not sell or share Personal Information for cross-context behavioral advertising, the practical effect of a GPC signal is to confirm a status that already applies; we honor GPC as a request to exclude the user's information from any future processing that would constitute sale or sharing.

10.3 Opt-Out

Most browsers allow you to refuse cookies or notify you when cookies are sent. If you refuse cookies, certain features of the Service may not function properly.

11. California Privacy Rights (CCPA/CPRA)

11.1 Categories of Personal Information

In the past 12 months, we have collected the categories of Personal Information described in Section 2. The table below summarizes:

11.2 California Rights

If you are a California resident, you have the right to:

• Know the categories and specific pieces of Personal Information we have collected, the sources, the purposes, and the categories of third parties with whom we share it;
• Delete Personal Information, subject to exceptions;
• Correct inaccurate Personal Information;
• Opt out of sale or sharing (we do not sell or share for cross-context behavioral advertising);
• Limit use and disclosure of Sensitive Personal Information;
• Non-discrimination for exercising rights.

11.3 Service Provider Status

With respect to End User data, the Company acts as a "service provider" under CCPA/CPRA. Subscribers are the "businesses" responsible for CCPA/CPRA compliance regarding their End Users.

11.4 Notice at Collection

This Policy serves as our notice at collection under CCPA/CPRA.

11.5 Shine the Light

California Civil Code § 1798.83 permits California residents to request information regarding our disclosure of Personal Information to third parties for direct marketing. We do not disclose Personal Information to third parties for their direct marketing purposes.

12. Other State Privacy Rights

12.1 Virginia, Colorado, Connecticut, Utah, Oregon, and Texas

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Oregon (OCPA), and Texas (TDPSA) have rights similar to California residents, including rights of access, correction, deletion, portability, and opt-out of sale, targeted advertising, and certain profiling. We do not engage in sale, targeted advertising, or significant profiling for legal-effect decisions.

To exercise these rights, contact legal@allinonemarketing.com.

If we deny your rights request, you may have the right to appeal. To submit an appeal, reply to our denial response or contact legal@allinonemarketing.com with "Appeal" in the subject line.

12.2 New York

As a New York corporation, we comply with applicable New York State privacy laws, including the SHIELD Act. In the event of a data breach involving private information of New York residents, we will provide notification in accordance with New York General Business Law § 899-aa.

12.3 Other States

Where additional state privacy laws apply, residents of those states have rights consistent with those laws. Contact us at legal@allinonemarketing.com to exercise rights or for more information.

13. Children's Privacy

The Service is intended for business use by adults. We do not knowingly direct the Service to children, and we do not knowingly collect Personal Information from children under the age of 13 (or under 16 where a higher age applies under state law) without verifiable parental consent.

If we become aware that we have collected Personal Information from a child under 13 without verifiable parental consent, we will take steps to delete that information promptly. If you believe a child has provided us with Personal Information, contact us at legal@allinonemarketing.com.

Subscribers are responsible for ensuring that their use of the Service does not target minors and that any End User data uploaded to the Service was collected in compliance with COPPA and applicable state laws.

14. International Data Transfers

The Service is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Service, you consent to such transfers.

We do not currently offer cross-border data transfer mechanisms (such as Standard Contractual Clauses) for data subjects in the European Economic Area, United Kingdom, or Switzerland. Subscribers and End Users in those regions should consider whether use of the Service is appropriate for their needs.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify Subscribers of material changes by email or through a notice on the Service at least 30 days before the changes take effect. Non-material changes (clarifications, typo corrections, updates to reflect new laws) may take effect immediately upon posting.

Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

16. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at: