PRIVACY POLICY

Crystalytics

Effective Date: May 15, 2026  |  Last Updated: May 15, 2026

www.crystalyticsai.com  |  [email protected]

Business Address: [INSERT VIRTUAL MAILBOX ADDRESS HERE BEFORE PUBLISHING]

ACTION REQUIRED BEFORE PUBLISHING: Replace [INSERT VIRTUAL MAILBOX ADDRESS HERE BEFORE PUBLISHING] with your actual business address. Publishing a privacy policy without a physical address is non-compliant with CCPA and other privacy regulations. See the TOS document for recommended virtual mailbox services.

This Privacy Policy explains how Crystalytics ("we," "us," or "our"), a sole proprietorship operating under the laws of the State of New York, collects, uses, shares, and protects information in connection with our website (www.crystalyticsai.com) and our services, including AI voice agents, chatbots, and marketing automation for local businesses.

By using our website or services, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use our website or services.

This policy covers two groups of people: (1) our business clients who purchase our services, and (2) the customers of our clients who interact with AI Systems we build and operate on our clients' behalf.

SECTION 1 — INFORMATION WE COLLECT

1.1 Information We Collect From Our Clients

When you sign up for or use our services as a business client, we collect:

Full name, business name, and contact information

Email address and phone number

Business details including services offered, pricing, hours of operation, and policies

Payment information processed securely through Stripe (we do not store full card numbers)

Communications with us including emails, support messages, and onboarding form responses

Login credentials and account information for platforms connected to your services

1.2 Information We Collect From Our Clients' Customers

When we operate AI Systems on behalf of our clients, we may collect the following information from individuals who interact with those systems:

Name and contact information including phone number and email address

Call recordings and voice data from AI voice agent interactions

Chat transcripts from AI chatbot conversations

Appointment requests, booking details, and scheduling preferences

Responses to qualification questions asked by AI Systems

Any other information voluntarily provided during an interaction

This data is collected on behalf of and under the instruction of our clients. Our clients are responsible for ensuring they have the appropriate legal basis and disclosures in place to collect this information from their customers.

1.3 Information We Collect Automatically

When you visit our website, we automatically collect:

IP address and general location data

Browser type and version

Pages visited, time spent on pages, and referring URLs

Device information including operating system and screen size

Cookie data and similar tracking technologies (see Section 7 for full cookie policy)

SECTION 2 — HOW WE USE YOUR INFORMATION

2.1 How We Use Client Information

We use information collected from our business clients to:

Provide, configure, and manage your AI Systems and services

Process payments and send invoices through Stripe

Communicate with you about your services, updates, and support

Improve our services and develop new features

Comply with legal obligations

Send marketing communications about our services (you may opt out at any time)

2.2 How We Use End-Customer Information

Information collected from your customers through our AI Systems is used solely to:

Deliver the services you have configured (answering calls, booking appointments, sending follow-ups)

Improve the accuracy and performance of AI Systems configured for your business

Generate reports and analytics for your service dashboard

We do not sell, rent, or use your customers' information for our own marketing purposes.

2.3 AI-Specific Data Usage

Data processed through our AI Systems may be used to:

Train and refine the AI models configured specifically for your business

Improve response accuracy and natural language understanding within your AI System

Identify and correct errors or unexpected AI behaviors

We do not use data from one client's AI System to train AI Systems for another client without explicit permission. We do not share individual customer data with third-party AI training datasets.

SECTION 3 — CALL RECORDINGS AND TRANSCRIPTS

Our AI voice agent services may record and transcribe phone calls. Regarding this data:

Call recordings are stored securely and accessible only to you (our client) and authorized Crystalytics personnel for service management purposes.

Transcripts are generated automatically to enable follow-up automation and quality review.

You are solely responsible for ensuring all required call recording disclosures and consents are provided to callers under applicable federal and state law, including New York's one-party consent law and any two-party consent laws in states where your callers are located.

Call recordings are retained for 90 days by default, after which they are deleted unless you request a different retention period in writing.

Transcripts may be retained for up to 12 months to support follow-up automation and analytics.

SECTION 4 — HOW WE SHARE YOUR INFORMATION

4.1 Third-Party Service Providers

We share data with the following third-party platforms to deliver our services:

GoHighLevel: Our primary CRM, automation, and funnel platform used to manage client accounts, workflows, and AI system configurations.

Twilio: Our telephony provider used to route and handle AI voice agent calls and SMS communications.

OpenAI: The AI language model provider that powers our AI voice and chat responses.

Stripe: Our payment processor. Stripe handles all payment card data. We do not store full credit card numbers on our systems.

Google Analytics: Our website analytics tool used to understand visitor behavior on our website.

Each of these providers has their own privacy policy governing their use of data. We encourage you to review their policies. We enter into data processing agreements with providers where required by law.

4.2 Legal Disclosures

We may disclose your information if required to do so by law, court order, or government authority, or if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, or investigate fraud.

4.3 Business Transfers

In the event that Crystalytics is acquired, merged, or its assets are transferred to another entity, your information may be transferred as part of that transaction. We will notify you via email of any such change in ownership.

4.4 No Sale of Personal Data

We do not sell, rent, or trade your personal information or your customers' personal information to any third party for their own marketing purposes.

SECTION 5 — DATA RETENTION

We retain different types of data for different periods:

Client account information: Retained for the duration of the client relationship plus 3 years, or as required by law.

Payment records: Retained by Stripe according to their data retention policies. We retain transaction records for 7 years for accounting and legal compliance.

Call recordings: Retained for 90 days by default, then permanently deleted unless otherwise requested.

Chat transcripts: Retained for up to 12 months to support automation and analytics.

Analytics and usage data: Retained for 12 months, then aggregated or deleted.

AI training data and configurations: Retained for 30 days after service termination, then permanently deleted.

You may request earlier deletion of your data or your customers' data by contacting us at [email protected]. We will respond to deletion requests within 30 days.

SECTION 6 — YOUR PRIVACY RIGHTS

6.1 Rights for All Users

Regardless of your location, you have the right to:

Request access to the personal information we hold about you

Request correction of inaccurate or incomplete information

Request deletion of your personal information, subject to legal retention requirements

Opt out of marketing communications at any time

Lodge a complaint with a relevant data protection authority

6.2 California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

The right to know what personal information we collect, use, disclose, and sell

The right to delete personal information we have collected from you

The right to opt out of the sale of your personal information (we do not sell personal information)

The right to non-discrimination for exercising your CCPA rights

To exercise your CCPA rights, contact us at [email protected] with the subject line "CCPA Privacy Request." We will respond within 45 days.

6.3 European Users (GDPR)

If you are located in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR) including:

Right of access, rectification, and erasure

Right to restrict or object to processing

Right to data portability

Right to withdraw consent at any time where processing is based on consent

Our lawful basis for processing your data is typically contract performance (to deliver our services), legitimate interests (to improve our services and prevent fraud), or your consent where explicitly requested.

To exercise your GDPR rights, contact us at [email protected] with the subject line "GDPR Privacy Request."

6.4 How to Submit a Privacy Request

To exercise any of your privacy rights, email [email protected] with:

Your full name and contact information

A description of your request (access, deletion, correction, etc.)

The subject line: "Privacy Rights Request"

We will verify your identity before processing your request and respond within 30 days (or 45 days for CCPA requests).

SECTION 7 — COOKIE POLICY

7.1 What Are Cookies

Cookies are small text files stored on your device when you visit a website. We use cookies and similar tracking technologies on www.crystalyticsai.com to improve your experience and analyze website traffic.

7.2 Types of Cookies We Use

Strictly Necessary: Essential cookies required for the website to function properly, such as session management.

Functional: Cookies that remember your preferences and settings.

Analytics: Cookies from Google Analytics that help us understand how visitors use our website. This data is aggregated and anonymous.

Marketing: If we run advertising campaigns, we may use cookies to track conversions and ad performance.

7.3 Managing Cookies

You can control cookies through your browser settings. Most browsers allow you to refuse cookies or delete existing ones. Note that disabling cookies may affect the functionality of our website. You can also opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on at tools.google.com/dlpage/gaoptout.

SECTION 8 — DATA SECURITY

We implement reasonable technical and organizational security measures to protect your information, including:

Encryption of data in transit using SSL/TLS

Access controls limiting data access to authorized personnel only

Secure, reputable third-party platforms (GoHighLevel, Twilio, Stripe) with their own robust security practices

Regular review of our data handling and security practices

Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data. If you believe your information has been compromised, please contact us immediately at [email protected].

SECTION 9 — DATA BREACH NOTIFICATION

In the event of a data breach that affects your personal information, we will:

Notify affected clients within 72 hours of becoming aware of the breach, where feasible

Provide information about the nature of the breach, the data affected, and steps we are taking to address it

Notify relevant regulatory authorities as required by applicable law

Provide guidance on steps you can take to protect yourself

Breach notifications will be sent to the email address associated with your account. Please ensure your contact information is kept up to date.

SECTION 10 — INTERNATIONAL DATA TRANSFERS

Crystalytics is based in New York, USA. If you are located outside the United States, please be aware that your information may be transferred to and processed in the United States, where data protection laws may differ from those in your country.

For clients or users in the European Economic Area (EEA), we ensure that any international data transfers are conducted in compliance with GDPR requirements, including through the use of Standard Contractual Clauses or other appropriate transfer mechanisms where required.

Our third-party service providers (GoHighLevel, Twilio, OpenAI, Stripe, Google) may also process data in various countries. Each provider maintains their own international transfer compliance mechanisms.

SECTION 11 — CHILDREN'S PRIVACY

Our services are intended for business clients and are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have inadvertently collected personal information from a child under 18, we will take steps to delete that information promptly.

If you believe we have collected information from a child under 18, please contact us immediately at [email protected].

SECTION 12 — MARKETING COMMUNICATIONS

We may send you marketing emails about our services, new features, and relevant updates. You can opt out of marketing communications at any time by:

Clicking the "Unsubscribe" link at the bottom of any marketing email

Emailing [email protected] with the subject line "Unsubscribe"

Please note that even if you opt out of marketing emails, we will still send you transactional communications related to your active services, such as invoices, service updates, and support responses.

If we use SMS marketing, you may opt out by replying STOP to any SMS message. Standard message and data rates may apply.

SECTION 13 — OPT-OUT PROCEDURES FOR AI COMMUNICATIONS

If you are a customer of one of our clients and you have interacted with an AI System operated by Crystalytics on their behalf, you have the right to:

Request that your interaction data be deleted by contacting the business whose AI System you interacted with, or by emailing [email protected]

Opt out of future automated communications by saying "Stop," "Unsubscribe," or "Opt out" during any AI interaction, or by contacting the business directly

Request information about what data was collected during your interaction

We will process opt-out requests within 10 business days and notify our client to ensure no further automated communications are sent to you.

SECTION 14 — THIRD-PARTY LINKS AND SERVICES

Our website or AI Systems may contain links to third-party websites or reference third-party services. This Privacy Policy applies only to Crystalytics. We are not responsible for the privacy practices of third-party websites or services. We encourage you to review the privacy policies of any third-party sites you visit.

SECTION 15 — CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

Update the "Last Updated" date at the top of this policy

Notify active clients by email at the address associated with their account

Post the updated policy at www.crystalyticsai.com/privacy

Your continued use of our services after the effective date of any changes constitutes your acceptance of the updated policy.

SECTION 16 — CONTACT US

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Company: Crystalytics

Email: [email protected]

Website: www.crystalyticsai.com

Mailing Address: [INSERT VIRTUAL MAILBOX ADDRESS HERE BEFORE PUBLISHING]

We aim to respond to all privacy-related inquiries within 5 business days.

IMPORTANT NOTICE: This Privacy Policy was prepared as a working draft for Crystalytics. It should be reviewed by a licensed attorney in New York before publishing, particularly regarding CCPA compliance, GDPR applicability, and telephone/AI communication regulations. Laws in this area are rapidly evolving. Remember to insert your physical business address before publishing this document.