Privacy Policy

Vancom.io LLC ("Company," "we," "us," "our") operates the GetsYou.ai platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, store, and safeguard your information when you visit our website, create an account, or use our AI voice agent platform. It also describes your rights regarding your personal information and how you can exercise them.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, please do not use the Service.

This Privacy Policy applies to all users of the Service, including business customers ("Users" or "you") and the individuals whose contact information is processed through the Service ("Contacts"). If you are a Contact and have questions about how your data is being processed, please contact the business that communicates with you through our platform.

2.1 Account Information

When you create an account, we collect:

• Full name and email address
• Phone number (for verification and SMS features)
• Company/organization name, industry, and business address
• Billing information (credit/debit card details processed and stored by Stripe; we do not store full card numbers)
• Password (stored as a cryptographic hash; we never store plaintext passwords)
• Account preferences and settings

2.2 Call and Communication Data

When you use our calling and messaging features, we collect:

• Call recordings (audio files of inbound and outbound calls)
• Call transcripts (machine-generated text of call conversations)
• SMS and MMS message content (sent and received)
• Call metadata (timestamps, duration, caller/callee numbers, call direction, call outcome, connection status)
• AI-generated analysis results (sentiment scores, BANT lead qualification scores, conversation summaries, action items, and outcome classifications)
• Voicemail recordings and transcripts

2.3 Contact Data

Information about your Contacts that you upload or that is created through the Service:

• Contact names, phone numbers, and email addresses
• Company and job title information
• Lead qualification status and scores
• Communication history and preferences
• Pipeline stage and deal information
• Notes and tags
• Do-Not-Call status

2.4 Usage and Device Data

We automatically collect:

• IP address and approximate geolocation (city/region level)
• Browser type, version, and language settings
• Operating system and device type
• Pages visited, features used, and actions taken within the Service
• Referring URL and exit pages
• Date and time of access
• Error logs and performance data

2.5 Compliance and Consent Records

For regulatory compliance, we collect and immutably store:

• Records of your acceptance of our Terms of Service and Privacy Policy (timestamp, IP address, user agent, version)
• TCPA compliance consent records (checkboxes acknowledged, operating states, consent version)
• Do-Not-Call list entries and modification history

• Directly from you: When you create an account, configure settings, upload contacts, or interact with the Service
• Automatically: Through cookies, analytics tools, and server logs when you use the Service
• From third parties: From Stripe (payment status), Twilio (call/SMS delivery status), and integrations you connect (e.g., GoHighLevel CRM data)
• From AI processing: When our AI systems analyze calls and generate transcripts, scores, and insights

We use the information we collect for the following purposes:

4.1 Service Delivery

• Provide, operate, and maintain the Service
• Process and complete transactions
• Conduct AI voice calls and send messages on your behalf
• Generate call transcripts, analyses, and insights
• Manage your account and subscription

4.2 Service Improvement

• Improve AI agent performance, accuracy, and voice quality
• Analyze usage patterns to optimize the platform
• Develop new features and functionality
• Conduct internal research and analytics (using aggregated, de-identified data)

4.3 Communication

• Send transactional emails (billing confirmations, password resets, low-balance alerts)
• Notify you of Service updates, maintenance, and changes to our policies
• Respond to your support requests and inquiries

4.4 Security and Compliance

• Detect, prevent, and address fraud, abuse, and security incidents
• Enforce our Terms of Service
• Comply with legal obligations, court orders, and law enforcement requests
• Maintain audit trails for regulatory compliance (TCPA, CCPA)

We use cookies and similar technologies on the Service. Below is a breakdown of the types of cookies we use:

5.1 Essential Cookies

Required for the Service to function. These include authentication session cookies (managed by Supabase), CSRF protection tokens, and cookies that remember your login state. You cannot opt out of essential cookies without losing access to the Service.

5.2 Functional Cookies

Used to remember your preferences and choices, such as your cookie consent preference, referral tracking codes, and UI settings. These enhance your experience but are not strictly necessary.

5.3 Analytics Cookies

Used to understand how visitors interact with the Service. We use:

• Vercel Analytics: Page views, referrers, and performance metrics. Data is aggregated and not linked to individual users. Vercel Analytics does not use third-party cookies.
• Vercel Speed Insights: Core Web Vitals and page load performance. No personal data is collected.
• Sentry: Error monitoring and performance tracing. Collects IP address, browser info, and error context for debugging. Session replay is only activated when an error occurs (not for general browsing).

5.4 Managing Cookies

You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. However, blocking essential cookies will prevent you from using the Service. We also display a cookie consent banner on your first visit.

5.5 Do Not Track

We do not currently respond to "Do Not Track" (DNT) browser signals. There is no uniform industry standard for recognizing or honoring DNT signals at this time.

6.1 How We Use AI

The Service uses third-party artificial intelligence services to conduct real-time voice conversations, analyze calls, generate transcripts, score leads, assess sentiment, and produce conversation summaries. When you use the Service, the following data is sent to third-party AI providers for processing:

• Call audio: Real-time voice data is streamed to our Voice AI Provider for speech synthesis, emotion detection, and conversation management
• Call transcripts: Machine-generated text of conversations is sent to our AI Analysis Provider for lead scoring, sentiment analysis, and conversation summaries
• Contact information: Name, phone number, and interaction history may be included in AI prompts to personalize conversations
• Speech audio: Inbound and outbound call audio is processed by our Speech Recognition Provider to generate accurate transcripts

By using the Service, you consent to this data being processed by third-party AI services as identified in Section 8.1. You are notified of this processing during account setup and can review our full list of AI sub-processors at any time.

6.2 Automated Lead Scoring

Our AI automatically generates lead qualification scores (0-100) based on BANT criteria (Budget, Authority, Need, Timeline) and may classify contacts as "qualified" or "unqualified" based on industry-specific thresholds. These scores are used to prioritize leads in your pipeline and may affect which contacts appear in default views.

You can manually override any AI-generated qualification decision at any time through the contact management interface. Automated scores are recommendations, not final determinations.

6.3 AI Model Training

We may use aggregated and de-identified call data to improve our AI models' general performance. However:

• Your call data is never shared with other customers
• Your data is never used to train models that would generate responses for other organizations
• Call recordings and transcripts remain isolated to your organization
• Our AI Sub-Processors (listed in Section 8.1) process your data under data processing agreements. OpenAI's API usage policy prohibits using API data for model training. Google's Gemini API processes data per their API terms. All providers are contractually bound to protect your data.

All calls made or received through the Service are recorded by default. Call recordings are used for:

• AI-powered transcription and analysis
• Quality assurance and compliance auditing
• Generating insights, lead scores, and conversation summaries
• Dispute resolution

IMPORTANT: Call recording laws vary by jurisdiction. Some states and countries require all-party consent (all parties on the call must consent to recording). You are solely responsible for ensuring that appropriate recording disclosures and consents are in place for all calls made through the Service. See our Terms of Service, Section 8, for a list of all-party consent states.

For Contacts: If you are a person who has been called by one of our Users through the Service, the call may have been recorded. For questions about how your data is being used, please contact the business that called you directly. If you believe your data is being processed without proper consent, you may contact us at admin@vancom.io.

We do not sell, rent, or trade your personal information to third parties for their own marketing purposes. We share your information only in the following circumstances:

8.1 Sub-Processors

We use the following Sub-Processors to deliver the Service. Each processes data in accordance with its own privacy policy and under data processing agreements with us:

• Stripe, Inc. (San Francisco, CA) — Payment processing, subscription billing, and fraud prevention. Receives: billing information, email, name. Privacy Policy
• Twilio Inc. (San Francisco, CA) — Telephony, call routing, SMS/MMS delivery, and phone number provisioning. Receives: phone numbers, call audio, SMS content. Privacy Policy
• Supabase Inc. (San Francisco, CA) — Database hosting, user authentication, and file storage. Receives: all User Data stored in the Service. Privacy Policy
• OpenAI, Inc. (San Francisco, CA) — Natural language processing for call analysis, transcription enhancement, and lead scoring. Receives: call transcripts for analysis. Privacy Policy
• Hume AI, Inc. (New York, NY) — Voice AI platform for real-time voice conversations, emotion detection, and speech synthesis. Receives: call audio streams, conversation context. Privacy Policy
• Google LLC (Mountain View, CA) — AI language model for real-time conversation processing and response generation. Receives: conversation transcripts, system prompts. Privacy Policy
• Deepgram, Inc. (San Francisco, CA) — Speech-to-text transcription for real-time call processing. Receives: call audio streams. Privacy Policy
• ElevenLabs, Inc. (New York, NY) — Text-to-speech synthesis for AI voice generation. Receives: text responses for voice conversion. Privacy Policy
• Vercel Inc. (San Francisco, CA) — Web application hosting and content delivery. Receives: usage data, IP addresses, page views. Privacy Policy
• Functional Software, Inc. (Sentry) (San Francisco, CA) — Error monitoring and application performance. Receives: error context, IP addresses, browser info. Privacy Policy
• Resend Inc. (San Francisco, CA) — Transactional email delivery. Receives: email addresses and email content. Privacy Policy

We will update this list as Sub-Processors change and will provide notice of material changes via email or in-app notification.

8.2 User-Initiated Integrations

If you connect third-party services to your account (e.g., GoHighLevel CRM, Cal.com), data you choose to sync will be transmitted to those services. The data shared is determined by your configuration. We are not responsible for how those third parties handle your data after it leaves our Service.

8.3 Legal Requirements

We may disclose your information if required by law, subpoena, court order, or governmental regulation, or if we believe in good faith that disclosure is necessary to: (a) comply with a legal obligation; (b) protect and defend our rights or property; (c) prevent fraud or illegal activity; (d) protect the personal safety of users or the public; or (e) protect against legal liability.

8.4 Business Transfers

In the event of a merger, acquisition, bankruptcy, dissolution, reorganization, or similar transaction, your information may be transferred as part of the transaction. We will notify you via email and/or a prominent notice on the Service before your information becomes subject to a different privacy policy.

We retain your information for the following periods:

• Account information: Retained while your account is active. Upon account deletion, personal information is deleted within forty-five (45) days, except where retention is required by law.
• Call recordings: Retained for thirty (30) to three hundred sixty-five (365) days depending on your subscription tier. You may delete individual recordings at any time.
• Call transcripts and analysis: Retained for the same period as call recordings.
• SMS/MMS messages: Retained for ninety (90) days after sending/receiving.
• Contact data: Retained while your account is active. Deleted upon account termination after the 30-day grace period.
• Compliance records: Retained for a minimum of five (5) years after creation, as required for TCPA compliance. These records are immutable and cannot be deleted.
• Billing records: Retained for seven (7) years as required by tax law.
• Server logs: Retained for ninety (90) days.
• Cookie consent records: Retained for one (1) year or until consent is withdrawn.

After the applicable retention period, data is permanently deleted or de-identified. We may retain aggregated, de-identified data indefinitely for analytics and research purposes.

We implement industry-standard technical and organizational security measures to protect your information, including:

• Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
• Encryption at rest: Sensitive data (including call recordings, API keys, and authentication tokens) is encrypted at rest using AES-256 encryption
• Authentication: Multi-factor authentication is available for all accounts. Passwords are stored using industry-standard cryptographic hashing
• Access controls: Role-based access controls (RBAC) limit access to data based on user roles within your organization
• Row-Level Security: Database-level security policies ensure that each organization can only access its own data
• Monitoring: We use real-time error monitoring (Sentry) and uptime monitoring to detect and respond to security incidents
• Sub-Processor security: Our Sub-Processors maintain SOC 2 Type II or equivalent certifications

Despite these measures, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security and are not responsible for unauthorized access resulting from factors beyond our reasonable control. You are responsible for maintaining the confidentiality of your account credentials.

Depending on your location, you may have the following rights regarding your personal information:

• Right to Access: Request a copy of the personal information we hold about you
• Right to Correction: Request correction of inaccurate or incomplete personal information
• Right to Deletion: Request deletion of your personal information, subject to certain legal exceptions
• Right to Portability: Request your data in a structured, machine-readable format (available via the data export feature in your account settings)
• Right to Restrict Processing: Request that we limit processing of your personal information in certain circumstances
• Right to Object: Object to processing of your personal information for certain purposes
• Right to Withdraw Consent: Where processing is based on consent, withdraw that consent at any time
• Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights

To exercise any of these rights, you may use the self-service tools in your account settings (data export, account deletion request) or contact us at admin@vancom.io. We will respond to verifiable requests within forty-five (45) days. We may require you to verify your identity before processing your request.

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights:

12.1 Right to Know

You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business purpose for collecting it, and the categories of third parties with whom we share it.

12.2 Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions (e.g., data necessary to complete a transaction, detect security incidents, comply with legal obligations, or exercise free speech).

12.3 Right to Correct

You have the right to request correction of inaccurate personal information.

12.4 Right to Opt-Out of Sale/Sharing

We do not sell or share (as defined by the CCPA/CPRA) your personal information to third parties for cross-context behavioral advertising. Therefore, there is no need to opt out.

12.5 Right to Limit Use of Sensitive Information

We do not use or disclose sensitive personal information for purposes other than those permitted by the CCPA/CPRA.

12.6 Non-Discrimination

We will not deny you goods or services, charge different prices, provide a different level of quality, or suggest any of these, for exercising your CCPA/CPRA rights.

12.7 Authorized Agents

You may designate an authorized agent to submit requests on your behalf. We may require the agent to provide proof of authorization and may require you to directly verify your identity.

12.8 Categories of Personal Information

In the preceding twelve (12) months, we have collected the following categories of personal information as defined by the CCPA:

• Identifiers: Name, email, phone number, IP address, account ID
• Customer records: Name, address, phone, payment information
• Commercial information: Transaction history, subscription records, wallet balance
• Internet/electronic activity: Browsing history, search history, interaction data
• Audio/electronic information: Call recordings, voicemails
• Professional/employment information: Company name, job title, industry
• Inferences: AI-generated lead scores, sentiment analysis, qualification determinations

To submit a CCPA/CPRA request, contact us at admin@vancom.io or use the account deletion request feature in your account settings. We will respond within forty-five (45) days.

When our Users upload contact data or communicate with Contacts through the Service, we act as a "service provider" (under CCPA) or "processor" (under GDPR-like frameworks) with respect to that Contact data. This means:

• Our Users are the "controllers" of their Contact data and are responsible for obtaining appropriate consents and providing privacy notices to their Contacts
• We process Contact data only on behalf of and as instructed by our Users
• We do not independently use Contact data for our own purposes beyond providing the Service
• We do not sell Contact data or use it for targeted advertising

If you are a Contact and wish to exercise your privacy rights (access, deletion, correction), please contact the business that communicates with you through our platform. If you are unable to reach them or believe your data is being processed unlawfully, you may contact us at admin@vancom.io.

The Service is hosted in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. By using the Service, you explicitly consent to the transfer, processing, and storage of your information in the United States, where data protection laws may differ from those in your jurisdiction.

Our Sub-Processors are primarily based in the United States. We rely on their respective data protection practices and agreements to ensure appropriate safeguards for any data they process.

In the event of a data breach that compromises the security, confidentiality, or integrity of your personal information, we will:

• Investigate the breach promptly and take steps to contain and remediate it
• Notify affected users via email within seventy-two (72) hours of becoming aware of the breach, where feasible
• Notify applicable regulatory authorities as required by law
• Provide you with information about the nature of the breach, the data involved, the steps we are taking, and recommendations for protecting yourself

The Service is not directed to individuals under the age of eighteen (18). We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information as soon as possible. If you believe that we have inadvertently collected information from a child under 18, please contact us immediately at admin@vancom.io.

The Service may contain links to third-party websites, services, or advertisements that are not operated by us. We are not responsible for the content, privacy practices, or security of any third-party websites or services. We encourage you to review the privacy policies of any third-party websites you visit. A link to a third-party website does not constitute an endorsement.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will:

• Update the "Last updated" date at the top of this page
• Provide at least thirty (30) days' advance notice via email to the address associated with your account
• Post a prominent notice on the Service
• For changes that materially affect your rights, require you to affirmatively accept the updated Privacy Policy

Your continued use of the Service after the effective date of the updated Privacy Policy constitutes your acceptance of the changes. If you do not agree with the updated Privacy Policy, you must stop using the Service.

For questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:

Vancom.io LLC
Email: admin@vancom.io

For CCPA/CPRA requests, you may also use the self-service data export and account deletion features available in your account settings at getsyou.ai/dashboard/settings.