Privacy Policy

Call and chat transcripts. When our AI agent handles a phone call or chat conversation on behalf of a business client, we record and store the transcript of that interaction. This may include the caller's name, phone number, stated service needs, and any other information they share during the conversation.

Prospect and contact information. Business clients may upload or sync contact lists containing prospect names, email addresses, phone numbers, and business details. We process this data to deliver outreach, appointment booking, and follow-up services.

Billing information. Payments are processed through Stripe. We store your billing email, subscription status, and transaction history. We do not store raw credit card numbers — Stripe handles and tokenizes payment credentials.

Account information. When you create a 1stRing AI account, we collect your name, email address, business name, and configuration preferences.

Usage data. We automatically collect log data such as IP addresses, browser type, pages visited, API call metadata, and error reports to operate and improve the service.

To provide and operate the service. Call transcripts and contact data are used to answer inbound calls, book appointments, send confirmations, draft outreach messages, and surface relevant information to business clients.

To improve our AI. Transcripts and interaction data may be used in aggregate and anonymized form to improve the accuracy, tone, and coverage of our AI models. We do not use individual customer conversations to train general AI models without appropriate agreements in place.

Billing and account management. We use your billing data to process payments, issue invoices, and manage subscription status.

Customer support. We may access account and conversation data when you contact support or when we proactively identify service issues.

Communications. We may send you transactional emails (receipts, alerts, confirmations) and, where permitted, product updates. You can opt out of non-transactional communications at any time.

Where GDPR applies, we rely on the following lawful bases for processing personal data:

• Performance of a contract (Art. 6(1)(b)). Processing of business-client account and billing data, and processing of caller / prospect data on behalf of business clients under their direction, is necessary to perform the services we have contracted to provide.
• Legitimate interests (Art. 6(1)(f)). Service operation, security, fraud prevention, anonymized analytics, and product improvement are based on our legitimate interest in delivering a reliable, secure service — balanced against the data subject's rights and reasonable expectations.
• Consent (Art. 6(1)(a)). Where we send non-transactional marketing communications, or where you provide special-category data, we rely on your explicit consent, which you may withdraw at any time.
• Legal obligation (Art. 6(1)(c)). Tax, accounting, record-keeping, lawful intercept, and similar obligations imposed on us by applicable law.

International transfers. Our processors are primarily located in the United States. Where personal data of EU/UK residents is transferred to the U.S., we rely on the European Commission's Standard Contractual Clauses (SCCs) and equivalent UK addenda, plus supplementary measures (encryption in transit and at rest, role-based access controls). A copy of the SCCs we use is available on request via privacy@1string.ai.

Data Protection Officer / EU Representative. We have not appointed a DPO because our processing does not meet the Art. 37 thresholds. For Art. 27 representation, EU/UK residents may contact privacy@1string.ai and we will route the request appropriately.

If you are a California resident, the CCPA grants you the following rights with respect to your personal information:

• Right to know. You may request the categories and specific pieces of personal information we have collected about you, the sources, the purposes for collection, and the categories of third parties with whom we have shared it.
• Right to delete. You may request deletion of personal information we have collected, subject to legal-retention exceptions.
• Right to correct. You may request that we correct inaccurate personal information we maintain.
• Right to opt out of sale / sharing. Although we do not “sell” personal information for money, the CCPA defines “sale” and “sharing” broadly. Out of an abundance of caution, we offer an opt-out below.
• Right to limit use of sensitive personal information. We do not use sensitive PI for purposes beyond what is necessary to deliver the service.
• Right to non-discrimination. We will not deny services, charge different prices, or provide a different level of service in retaliation for exercising any CCPA right.

Do Not Sell or Share My Personal Information
California residents may use the link above to submit an opt-out request. We honor Global Privacy Control (GPC) signals as an opt-out request where the law requires. We will respond within 15 business days and honor the request within the period set by the CCPA.

Authorized agents. An authorized agent may submit a request on your behalf by providing signed written authorization. We may require you to verify your identity directly before honoring an agent request.

Categories collected (12-month look-back). Identifiers (name, email, phone, business name, IP), commercial information (subscription, billing history), audio and electronic information (call recordings, chat transcripts), internet activity (usage logs), geolocation (coarse, derived from IP), and inferences drawn from the foregoing.

We do not sell your data to advertisers or data brokers. We share data only with the sub-processors necessary to deliver the service. The current sub-processor list is below; we keep this list current and notify business clients at least 30 days in advance of adding a material new sub-processor (see Section 9, “Sub-processor change notice”).

Each sub-processor is bound by a data-processing agreement that requires encryption in transit and at rest, role-based access, breach notification, and use limited to delivering the contracted service to 1stRing. We may also disclose information if required by law, court order, or to protect the rights and safety of 1stRing AI, our clients, or the public.

You have the following rights with respect to your personal data:

• Access. You may request a copy of the personal data we hold about you.
• Deletion. You may request that we delete your personal data. We will honor deletion requests within 30 days, subject to legal-retention requirements.
• Export. You may request an export of your data in a common machine-readable format.
• Correction. You may request correction of inaccurate data we hold about you.
• Object / restrict. Where GDPR applies, you may object to processing based on legitimate interests, or request restriction of processing in defined circumstances.
• Complain. EU/UK residents may lodge a complaint with their local supervisory authority.

To exercise any of these rights, email privacy@1string.ai. We will respond within 30 days (or the period mandated by applicable law, whichever is shorter).

Our website uses Vercel Analytics to understand aggregate traffic patterns (page views, session counts, referrers). This is privacy-respecting analytics that does not use third-party tracking cookies or build individual profiles.

We do not use advertising pixels, remarketing tags, or cross-site tracking cookies. We do not share browsing data with ad networks.

We retain personal data only as long as needed to deliver the service, meet legal obligations, and resolve disputes. Default retention by data type:

You may request earlier deletion by contacting privacy@1string.ai. Where legal-retention obligations apply (e.g., billing records), we will honor the deletion request after the retention window expires.

Breach notification. If we become aware of a personal-data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify affected business clients without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The notice will describe the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the mitigation measures we have taken or propose to take. Where required by law, we will also notify the relevant supervisory authority and affected data subjects directly. Business clients acting as data controllers remain responsible for any data-subject-facing notifications required of them.

Sub-processor change notice. We will provide business clients with at least 30 days' advance notice (by email to the account billing contact) before engaging a new sub-processor or materially changing the role of an existing one. Business clients have the right to object to the change during the notice period for any reasonable data-protection ground. If the objection cannot be resolved, either party may terminate the affected service with a prorated refund of unused subscription fees.

We implement commercially reasonable technical and organizational safeguards including encryption in transit (TLS 1.2+), encryption at rest (AES-256 via Supabase), role-based access controls, audit logging, secret rotation, and least-privilege service accounts. We perform periodic security reviews and maintain an incident-response runbook. No transmission over the internet is 100% secure, and we cannot guarantee absolute security.