PRIVACY POLICY
Crystalytics
Effective Date: May 15, 2026 | Last Updated: May 15, 2026
www.crystalyticsai.com | [email protected]
Business Address: [INSERT VIRTUAL MAILBOX ADDRESS HERE BEFORE PUBLISHING]
ACTION REQUIRED BEFORE PUBLISHING: Replace [INSERT VIRTUAL MAILBOX ADDRESS HERE BEFORE PUBLISHING] with your actual business address. Publishing a privacy policy without a physical address is non-compliant with CCPA and other privacy regulations. See the TOS document for recommended virtual mailbox services.
This Privacy Policy explains how Crystalytics ("we," "us," or "our"), a sole proprietorship operating under the laws of the State of New York, collects, uses, shares, and protects information in connection with our website (www.crystalyticsai.com) and our services, including AI voice agents, chatbots, and marketing automation for local businesses.
By using our website or services, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use our website or services.
This policy covers two groups of people: (1) our business clients who purchase our services, and (2) the customers of our clients who interact with AI Systems we build and operate on our clients' behalf.
SECTION 1 — INFORMATION WE COLLECT
1.1 Information We Collect From Our Clients
When you sign up for or use our services as a business client, we collect:
Full name, business name, and contact information
Email address and phone number
Business details including services offered, pricing, hours of operation, and policies
Payment information processed securely through Stripe (we do not store full card numbers)
Communications with us including emails, support messages, and onboarding form responses
Login credentials and account information for platforms connected to your services
1.2 Information We Collect From Our Clients' Customers
When we operate AI Systems on behalf of our clients, we may collect the following information from individuals who interact with those systems:
Name and contact information including phone number and email address
Call recordings and voice data from AI voice agent interactions
Chat transcripts from AI chatbot conversations
Appointment requests, booking details, and scheduling preferences
Responses to qualification questions asked by AI Systems
Any other information voluntarily provided during an interaction
This data is collected on behalf of and under the instruction of our clients. Our clients are responsible for ensuring they have the appropriate legal basis and disclosures in place to collect this information from their customers.
1.3 Information We Collect Automatically
When you visit our website, we automatically collect:
IP address and general location data
Browser type and version
Pages visited, time spent on pages, and referring URLs
Device information including operating system and screen size
Cookie data and similar tracking technologies (see Section 7 for full cookie policy)
SECTION 2 — HOW WE USE YOUR INFORMATION
2.1 How We Use Client Information
We use information collected from our business clients to:
Provide, configure, and manage your AI Systems and services
Process payments and send invoices through Stripe
Communicate with you about your services, updates, and support
Improve our services and develop new features
Comply with legal obligations
Send marketing communications about our services (you may opt out at any time)
2.2 How We Use End-Customer Information
Information collected from your customers through our AI Systems is used solely to:
Deliver the services you have configured (answering calls, booking appointments, sending follow-ups)
Improve the accuracy and performance of AI Systems configured for your business
Generate reports and analytics for your service dashboard
We do not sell, rent, or use your customers' information for our own marketing purposes.
2.3 AI-Specific Data Usage
Data processed through our AI Systems may be used to:
Train and refine the AI models configured specifically for your business
Improve response accuracy and natural language understanding within your AI System
Identify and correct errors or unexpected AI behaviors
We do not use data from one client's AI System to train AI Systems for another client without explicit permission. We do not share individual customer data with third-party AI training datasets.
SECTION 3 — CALL RECORDINGS AND TRANSCRIPTS
Our AI voice agent services may record and transcribe phone calls. Regarding this data:
Call recordings are stored securely and accessible only to you (our client) and authorized Crystalytics personnel for service management purposes.
Transcripts are generated automatically to enable follow-up automation and quality review.
You are solely responsible for ensuring all required call recording disclosures and consents are provided to callers under applicable federal and state law, including New York's one-party consent law and any two-party consent laws in states where your callers are located.
Call recordings are retained for 90 days by default, after which they are deleted unless you request a different retention period in writing.
Transcripts may be retained for up to 12 months to support follow-up automation and analytics.
SECTION 4 — HOW WE SHARE YOUR INFORMATION
4.1 Third-Party Service Providers
We share data with the following third-party platforms to deliver our services:
GoHighLevel: Our primary CRM, automation, and funnel platform used to manage client accounts, workflows, and AI system configurations.
Twilio: Our telephony provider used to route and handle AI voice agent calls and SMS communications.
OpenAI: The AI language model provider that powers our AI voice and chat responses.
Stripe: Our payment processor. Stripe handles all payment card data. We do not store full credit card numbers on our systems.
Google Analytics: Our website analytics tool used to understand visitor behavior on our website.
Each of these providers has their own privacy policy governing their use of data. We encourage you to review their policies. We enter into data processing agreements with providers where required by law.
4.2 Legal Disclosures
We may disclose your information if required to do so by law, court order, or government authority, or if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, or investigate fraud.
4.3 Business Transfers
In the event that Crystalytics is acquired, merged, or its assets are transferred to another entity, your information may be transferred as part of that transaction. We will notify you via email of any such change in ownership.
4.4 No Sale of Personal Data
We do not sell, rent, or trade your personal information or your customers' personal information to any third party for their own marketing purposes.
SECTION 5 — DATA RETENTION
We retain different types of data for different periods:
Client account information: Retained for the duration of the client relationship plus 3 years, or as required by law.
Payment records: Retained by Stripe according to their data retention policies. We retain transaction records for 7 years for accounting and legal compliance.
Call recordings: Retained for 90 days by default, then permanently deleted unless otherwise requested.
Chat transcripts: Retained for up to 12 months to support automation and analytics.
Analytics and usage data: Retained for 12 months, then aggregated or deleted.
AI training data and configurations: Retained for 30 days after service termination, then permanently deleted.
You may request earlier deletion of your data or your customers' data by contacting us at [email protected]. We will respond to deletion requests within 30 days.
SECTION 6 — YOUR PRIVACY RIGHTS
6.1 Rights for All Users
Regardless of your location, you have the right to:
Request access to the personal information we hold about you
Request correction of inaccurate or incomplete information
Request deletion of your personal information, subject to legal retention requirements
Opt out of marketing communications at any time
Lodge a complaint with a relevant data protection authority
6.2 California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
The right to know what personal information we collect, use, disclose, and sell
The right to delete personal information we have collected from you
The right to opt out of the sale of your personal information (we do not sell personal information)
The right to non-discrimination for exercising your CCPA rights
To exercise your CCPA rights, contact us at [email protected] with the subject line "CCPA Privacy Request." We will respond within 45 days.
6.3 European Users (GDPR)
If you are located in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR) including:
Right of access, rectification, and erasure
Right to restrict or object to processing
Right to data portability
Right to withdraw consent at any time where processing is based on consent
Our lawful basis for processing your data is typically contract performance (to deliver our services), legitimate interests (to improve our services and prevent fraud), or your consent where explicitly requested.
To exercise your GDPR rights, contact us at [email protected] with the subject line "GDPR Privacy Request."
6.4 How to Submit a Privacy Request
To exercise any of your privacy rights, email [email protected] with:
Your full name and contact information
A description of your request (access, deletion, correction, etc.)
The subject line: "Privacy Rights Request"
We will verify your identity before processing your request and respond within 30 days (or 45 days for CCPA requests).
SECTION 7 — COOKIE POLICY
7.1 What Are Cookies
Cookies are small text files stored on your device when you visit a website. We use cookies and similar tracking technologies on www.crystalyticsai.com to improve your experience and analyze website traffic.
7.2 Types of Cookies We Use
Strictly Necessary: Essential cookies required for the website to function properly, such as session management.
Functional: Cookies that remember your preferences and settings.
Analytics: Cookies from Google Analytics that help us understand how visitors use our website. This data is aggregated and anonymous.
Marketing: If we run advertising campaigns, we may use cookies to track conversions and ad performance.
7.3 Managing Cookies
You can control cookies through your browser settings. Most browsers allow you to refuse cookies or delete existing ones. Note that disabling cookies may affect the functionality of our website. You can also opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on at tools.google.com/dlpage/gaoptout.
SECTION 8 — DATA SECURITY
We implement reasonable technical and organizational security measures to protect your information, including:
Encryption of data in transit using SSL/TLS
Access controls limiting data access to authorized personnel only
Secure, reputable third-party platforms (GoHighLevel, Twilio, Stripe) with their own robust security practices
Regular review of our data handling and security practices
Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data. If you believe your information has been compromised, please contact us immediately at [email protected].
SECTION 9 — DATA BREACH NOTIFICATION
In the event of a data breach that affects your personal information, we will:
Notify affected clients within 72 hours of becoming aware of the breach, where feasible
Provide information about the nature of the breach, the data affected, and steps we are taking to address it
Notify relevant regulatory authorities as required by applicable law
Provide guidance on steps you can take to protect yourself
Breach notifications will be sent to the email address associated with your account. Please ensure your contact information is kept up to date.
SECTION 10 — INTERNATIONAL DATA TRANSFERS
Crystalytics is based in New York, USA. If you are located outside the United States, please be aware that your information may be transferred to and processed in the United States, where data protection laws may differ from those in your country.
For clients or users in the European Economic Area (EEA), we ensure that any international data transfers are conducted in compliance with GDPR requirements, including through the use of Standard Contractual Clauses or other appropriate transfer mechanisms where required.
Our third-party service providers (GoHighLevel, Twilio, OpenAI, Stripe, Google) may also process data in various countries. Each provider maintains their own international transfer compliance mechanisms.
SECTION 11 — CHILDREN'S PRIVACY
Our services are intended for business clients and are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have inadvertently collected personal information from a child under 18, we will take steps to delete that information promptly.
If you believe we have collected information from a child under 18, please contact us immediately at [email protected].
SECTION 12 — MARKETING COMMUNICATIONS
We may send you marketing emails about our services, new features, and relevant updates. You can opt out of marketing communications at any time by:
Clicking the "Unsubscribe" link at the bottom of any marketing email
Emailing [email protected] with the subject line "Unsubscribe"
Please note that even if you opt out of marketing emails, we will still send you transactional communications related to your active services, such as invoices, service updates, and support responses.
If we use SMS marketing, you may opt out by replying STOP to any SMS message. Standard message and data rates may apply.
SECTION 13 — OPT-OUT PROCEDURES FOR AI COMMUNICATIONS
If you are a customer of one of our clients and you have interacted with an AI System operated by Crystalytics on their behalf, you have the right to:
Request that your interaction data be deleted by contacting the business whose AI System you interacted with, or by emailing [email protected]
Opt out of future automated communications by saying "Stop," "Unsubscribe," or "Opt out" during any AI interaction, or by contacting the business directly
Request information about what data was collected during your interaction
We will process opt-out requests within 10 business days and notify our client to ensure no further automated communications are sent to you.
SECTION 14 — THIRD-PARTY LINKS AND SERVICES
Our website or AI Systems may contain links to third-party websites or reference third-party services. This Privacy Policy applies only to Crystalytics. We are not responsible for the privacy practices of third-party websites or services. We encourage you to review the privacy policies of any third-party sites you visit.
SECTION 15 — CHANGES TO THIS PRIVACY POLICY
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
Update the "Last Updated" date at the top of this policy
Notify active clients by email at the address associated with their account
Post the updated policy at www.crystalyticsai.com/privacy
Your continued use of our services after the effective date of any changes constitutes your acceptance of the updated policy.
SECTION 16 — CONTACT US
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Company: Crystalytics
Email: [email protected]
Website: www.crystalyticsai.com
Mailing Address: [INSERT VIRTUAL MAILBOX ADDRESS HERE BEFORE PUBLISHING]
We aim to respond to all privacy-related inquiries within 5 business days.
IMPORTANT NOTICE: This Privacy Policy was prepared as a working draft for Crystalytics. It should be reviewed by a licensed attorney in New York before publishing, particularly regarding CCPA compliance, GDPR applicability, and telephone/AI communication regulations. Laws in this area are rapidly evolving. Remember to insert your physical business address before publishing this document.