Privacy Policy
Effective date: April 30, 2026
Pylor LLC ("Pylor," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our platform and services (the "Service"). Please read it carefully. By using the Service, you agree to the practices described here.
1. Information We Collect
Information you provide directly
- Account information: your name, email address, business name, business address, and phone number when you register.
- Business profile: industry, services, pricing, hours of operation, and other details you configure in your knowledge base.
- Payment information: billing address and payment card details. Payment data is processed and stored by Stripe; we do not store full card numbers.
- Communications: messages you send to our support team.
Information collected automatically
- Usage data: pages viewed, features used, clicks, and session duration.
- Log data: IP address, browser type, operating system, referring URLs, and timestamps.
- Cookies and similar technologies: session cookies required for authentication and preference storage. See Section 8 for details.
Information about your customers
When your customers contact your business through Pylor-powered channels, we process:
- Names, phone numbers, and email addresses;
- Conversation transcripts and call recordings;
- Appointment details and service history;
- Any other information your customers share during interactions.
You, as the business operator, are the controller of this customer data. Pylor processes it as a service provider on your behalf. You are responsible for obtaining any required consents from your customers and for ensuring your use of our Service complies with applicable law.
2. How We Use Your Information
We use the information we collect to:
- Provide, maintain, and improve the Service;
- Process payments and manage subscriptions;
- Send transactional communications (receipts, account alerts, security notices);
- Send marketing communications about Pylor products and features (you may opt out at any time);
- Train and improve our AI models using anonymized and aggregated data;
- Detect, investigate, and prevent fraud, abuse, and security incidents;
- Comply with legal obligations;
- Enforce our Terms of Service.
We do not sell your personal information or your customers' personal information to third parties for their independent marketing purposes.
3. How We Share Information
We may share information with:
Service providers
We share information with vendors that help us operate the Service under confidentiality obligations, including:
| Provider | Purpose |
|---|---|
| Clerk | User authentication and session management |
| Stripe | Payment processing and subscription management |
| Twilio | Voice calls and SMS delivery |
| Vapi | AI-powered voice conversations |
| Anthropic | Large language model (AI responses) |
| OpenAI | Language model embeddings and selected fallback inference paths |
| ElevenLabs | Text-to-speech voice synthesis for AI employees |
| Apollo | B2B prospect data lookups initiated by the AI sales rep |
| Vercel | Application hosting and infrastructure |
| Neon / PostgreSQL | Database hosting |
| Google / Microsoft | Optional calendar integrations (when you connect) |
| Meta (Facebook) | Optional Messenger/Instagram integration (when you connect) |
Legal requirements
We may disclose information if we believe in good faith that disclosure is required by law, legal process, or to protect the rights, property, or safety of Pylor, our users, or the public.
Business transfers
If Pylor is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your information is transferred and becomes subject to a different privacy policy.
4. Data Retention
We retain your account information for as long as your account is active, plus a reasonable period thereafter for legal and business purposes. Conversation transcripts and call recordings are retained for 12 months by default. You may request earlier deletion by contacting us.
Upon account termination, we delete your Customer Data within 90 days, except as required to comply with legal obligations, resolve disputes, or enforce our agreements.
5. Data Security
We implement industry-standard technical and organizational measures to protect your information, including encryption in transit (TLS) and at rest, access controls, and regular security reviews. However, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.
If you discover a security vulnerability, please report it responsibly to security@pylorai.com.
6. Your Rights
All users
Regardless of where you live, you may contact us to:
- Access the personal information we hold about you;
- Correct inaccurate personal information;
- Request deletion of your personal information (subject to legal obligations);
- Opt out of marketing communications (via the unsubscribe link in any email).
California residents (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, disclose, and sell;
- Delete personal information we hold about you, subject to exceptions;
- Correct inaccurate personal information;
- Opt out of the "sale" or "sharing" of personal information (we do not sell personal information);
- Limit the use of sensitive personal information;
- Not be discriminated against for exercising your privacy rights.
To exercise these rights, contact us at privacy@pylorai.com. We will respond to verifiable requests within 45 days.
EEA, UK, and Swiss residents (GDPR)
If you are located in the European Economic Area, United Kingdom, or Switzerland, our legal basis for processing your personal data includes:
- Contract performance: processing necessary to provide the Service you have subscribed to;
- Legitimate interests: fraud prevention, security, and product improvement;
- Consent: for marketing communications and optional features;
- Legal obligation: compliance with applicable law.
You have the right to access, rectify, erase, restrict, or port your personal data, and to object to certain processing. You also have the right to lodge a complaint with your local supervisory authority. To exercise your rights, contact us at privacy@pylorai.com.
We do not transfer personal data to countries outside the EEA except under appropriate safeguards (Standard Contractual Clauses or equivalent). Please contact us for details.
7. Children's Privacy
The Service is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us immediately and we will promptly delete it.
8. Cookies
We use the following types of cookies:
- Strictly necessary cookies: Required for authentication (managed by Clerk) and secure session management. These cannot be disabled.
- Preference cookies: Remember your settings, such as your light/dark theme preference.
- Analytics cookies: Aggregate, anonymized data about how the Service is used to help us improve it.
You can control cookies through your browser settings. Disabling strictly necessary cookies will prevent you from using the Service.
9. Google User Data and Limited Use
This section describes how Pylor handles information received from Google APIs when you connect your Google account (Gmail, Google Calendar, Google Drive, or Google Analytics) to the Service. It supplements the other sections of this Privacy Policy.
Compliance with the Google API Services User Data Policy
Pylor's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
OAuth scopes we request and why
When you connect a Google account, Pylor requests only the scopes needed for the specific integration you enable. Each integration is initiated by you from the Integrations page in the Pylor dashboard, and you can disconnect at any time.
| Scope | Sensitivity | How Pylor uses it |
|---|---|---|
| openid, userinfo.email, userinfo.profile | Basic | Identify the connected Google account by email address so we can label it in your Integrations page and refresh access tokens. |
| gmail.send | Sensitive | Send outbound emails on your behalf from your own Gmail address — AI-employee outbound sales sequences and AI receptionist confirmations you have configured or approved. Pylor never reads your inbox; replies are routed via Reply-To to a Pylor-managed address. |
| calendar.events | Sensitive | View and edit events on your calendars: read existing events to detect free/busy time so the AI receptionist does not double-book, and create, update, or cancel events when it books a customer appointment on your behalf. |
| analytics.readonly | Sensitive | Read aggregate Google Analytics 4 metrics (sessions, conversions, top pages) so the AI marketing employee can produce the weekly performance report you subscribe to. |
| drive.file | Non-sensitive | Push Pylor-generated files (call transcripts, weekly reports, receipts) into a Drive folder you choose. Pylor only sees files it created or you explicitly opened with Pylor — never the rest of your Drive. |
Limited Use commitments
Pylor's use of information received from Google APIs adheres to the four Limited Use requirements:
- No advertising. We never use Google user data to serve, target, or measure advertising, and we do not transfer it to ad networks.
- No transfer. We do not transfer Google user data to any third party except as necessary to provide or improve the user-facing features of the Service, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to you. Subprocessors are listed in Section 3.
- No human access. Pylor employees and contractors do not read your Google user data except (a) with your explicit consent for support, (b) to investigate security incidents or abuse, (c) when required by law, or (d) in aggregated and anonymized form for product analytics.
- No use to train generalized models. Pylor does not use Google user data — including Gmail message content — to develop, improve, or train generalized or general-purpose artificial intelligence or machine learning models. Google user data is used only to deliver the user-facing Pylor features described in the table above.
Storage, encryption, and retention
Google OAuth tokens are stored encrypted at rest. Email and calendar content fetched from Google APIs is processed by Pylor only to deliver the features above and is retained according to Section 4. You may revoke Pylor's access at any time from the Integrations page in your Pylor dashboard or from your Google Account permissions settings. Revoking access deletes the stored OAuth tokens within 24 hours and terminates Pylor's ability to read further data from your Google account.
Questions about Google data
For questions or concerns about how Pylor handles information received from Google APIs, contact privacy@pylorai.com.
10. SMS and Text Messaging
This section describes how Pylor and Pylor-powered businesses ("Merchants") handle information collected via SMS/text messaging. It supplements the other sections of this Privacy Policy and our SMS Consent & Messaging Policy.
What we collect via SMS
When a subscriber opts in to receive text messages from a Pylor-powered Merchant, we process:
- The phone number provided at opt-in and a record of the consent (source, timestamp, and consent language);
- Message content sent and received between the Merchant and the subscriber;
- Metadata such as delivery status, timestamps, and carrier responses.
Where consent is captured
As of May 11, 2026, affirmative SMS opt-in is captured at the following surfaces, and a verbatim copy of the disclosure shown to each subscriber is stored on the recipient's record:
- (a) Public booking form — on each Merchant's booking page at /book/{business}, via a required checkbox shown immediately above the submit button. Form submission is blocked until the box is checked. The checkbox is unchecked by default and consent is never a condition of purchasing a service.
- (b) Post-signup SMS consent page — for business owners, immediately after Clerk sign-up. The owner sees the disclosure and chooses "Opt in & continue" or "Skip without SMS"; either choice unblocks the dashboard.
- (c) Staff invite acceptance page — for staff members joining an existing business via an invitation link, immediately after their first sign-in. Same opt-in / skip pattern as the owner page.
Each consent event records the recipient's phone number, the exact disclosure paragraph rendered, the timestamp, the capture surface, and (where the consent occurs in a web form) the originating IP address. These records are the source of truth for opt-in evidence under the TCPA and Twilio's A2P 10DLC program.
How SMS data is used
Phone numbers and SMS content collected via the Service are used solely to:
- Send the messages the subscriber consented to receive (appointment confirmations, reminders, follow-ups, review requests, and replies to inbound inquiries);
- Honor opt-out requests (STOP keyword processing) promptly and automatically;
- Maintain records of consent as required by the Telephone Consumer Protection Act (TCPA) and CTIA guidelines;
- Troubleshoot, monitor, and improve message delivery and service reliability.
No sharing for third-party marketing
Phone numbers and SMS content collected via the Pylor platform are never sold, rented, or shared with third parties for their own marketing purposes. SMS data is shared only with the service providers that help deliver the messages (e.g., Twilio for carrier delivery) under confidentiality obligations, and only as described in Section 3 of this Privacy Policy.
Message frequency and rates
Message frequency varies by Merchant and the services a subscriber uses. Typical messaging is transactional (appointment-related) rather than promotional. Standard message and data rates from the subscriber's wireless carrier may apply. Pylor does not charge recipients for receiving SMS.
How to opt out
Subscribers may opt out at any time by replying STOP to any message from a Pylor-powered number. Alternative opt-out keywords are honored: STOPALL, UNSUBSCRIBE, CANCEL, END, QUIT. A single confirmation message is sent after opt-out, and no further messages will be sent from that number unless the subscriber re-subscribes (by texting START or YES). Reply HELP for help and Merchant contact information. Full opt-out policy and consent details are at pylorai.com/sms-consent.
Retention
SMS consent records and message logs are retained for the period required to comply with applicable law (typically 3 years for consent records under the TCPA) and as described in Section 4. Message content is retained as part of the conversation transcript for 12 months by default unless earlier deletion is requested.
Questions about SMS
SMS questions, complaints, or reports of messages received after opt-out: support@pylorai.com.
11. AI Third-Party Processors
This section provides the detailed disclosure of every third-party AI and communications processor that may receive personal data when you use Pylor's AI features. It supplements the high-level service-provider table in Section 3. The same disclosure is surfaced inside the Pylor mobile app on first launch and on the in-app Settings → Data & Privacy screen, in compliance with App Store Guidelines 5.1.1(i) and 5.1.2(i).
Always-on AI processors
Data flows to the providers below as part of the core AI features Pylor offers to every customer. Each provider is bound by a written contract — typically a Data Processing Addendum — to handle your data with at least the protection described in this Privacy Policy and to use it only to deliver the service.
| Provider | What we send | Purpose |
|---|---|---|
| Anthropic | Conversation context for the AI employee — your business profile, message history, and uploaded knowledge-base content. | Generates AI replies, drafts emails / SMS, decides next actions during a call. |
| OpenAI | The same conversation context as Anthropic, on selected embedding and fallback model paths. | Embeddings and language-model inference for selected internal features. |
| ElevenLabs | Outbound text the AI employee is about to speak. ElevenLabs does not receive caller audio. | Synthesizes the AI employee's voice on phone calls and the in-app assistant. |
| Vapi | Live audio of phone calls placed or answered by the AI, plus the running transcript and tool-call metadata. | Orchestrates real-time voice conversations and routes audio between the caller, the model, and ElevenLabs. |
| Twilio | Phone numbers, call audio, and SMS message content sent or received by the AI. | Telephony carrier and SMS delivery — the underlying network for every call and text the AI sends or answers. |
| Apollo | Search criteria the AI sales rep uses when prospecting (industry, geography, role) — never your customer or contact data. | Returns publicly-listed business prospect records when you ask the AI to research or build an outbound list. |
| Clerk | Email, name, and authentication tokens. | Sign-in, session management, and password recovery. |
Optional integrations
The providers below receive data only if you explicitly connect them from the web dashboard at pylorai.com → Integrations. They are not active by default.
| Provider | What we send | Purpose |
|---|---|---|
| Google (Gmail / Calendar / Drive / Analytics) | Only the OAuth scopes you authorize when you connect a Google account. Detailed scope-by-scope disclosure is in Section 9. | Send replies from your own Gmail address, book on your calendar, write reports to Drive, read GA4 metrics. |
| Microsoft (Outlook / Calendar) | Only the OAuth scopes you authorize when you connect. | Outlook 365 equivalent of the Google integration. |
| Meta (Messenger / Instagram) | Only the Page conversations you authorize when you connect. | Lets the AI employee reply to Messenger and Instagram DMs. |
| Stripe | Billing email and subscription status. Stripe is the system of record for payment cards; Pylor never sees the full card number. | Subscription billing on the web. The mobile app does not initiate any purchases. |
Equal-protection commitment
For every provider listed in this section and in Section 3, Pylor confirms that:
- The provider is contractually bound to protect your data with confidentiality obligations no less protective than those in this Privacy Policy;
- The provider may use your data only to deliver the service Pylor has engaged them for, and may not sell, rent, or repurpose it;
- Conversation content, customer data, and call audio are never used to train any general-purpose AI model — by Pylor or by any of these providers — and we have opt-out terms in place for vendors who would otherwise default to model training;
- You may request a current list of subprocessors at any time by emailing privacy@pylorai.com.
Your control
On the Pylor mobile app, you must affirmatively accept this disclosure on first launch before any AI feature is reachable. You can revisit the disclosure at any time from Settings → Data & Privacy and revoke access by signing out, deleting your account, or disconnecting an optional integration.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by displaying a notice in the Service. The "Effective date" at the top of this page reflects the date of the most recent update. Your continued use of the Service after changes take effect constitutes your acceptance of the updated policy.
13. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
Pylor LLC
Privacy inquiries: privacy@pylorai.com
General contact: hello@pylorai.com
