Privacy Policy

Last Updated: March 2026

This Privacy Policy describes how Aitoa ("Service") operated by Furrfect Pets LLC collects, uses, and protects user information when using our platform at aitoa.io.

Information We Collect

We may collect the following information when users interact with the Service:

• Name and email address
• Authentication information through Clerk
• Workflow configuration data
• CRM connection information (HubSpot)
• Slack workspace authorization data
• Google account authorization for Gmail and Google Sheets integrations
• Microsoft account authorization for Outlook integrations
• Usage and diagnostic data
• Lead contact data (name, email, phone number, company) imported by users
• SMS and WhatsApp send records and inbound reply content
• AI voice call transcripts and outcomes
• AI video demo session transcripts and durations
• Uploaded files and media (stored via Cloudinary)

OAuth & Third-Party Access

Users may choose to connect third-party services such as Google (Gmail, Google Sheets), Microsoft Outlook, Slack, and HubSpot. When authorized, the Service accesses only the minimum account information necessary to perform the workflow automation requested by the user.

OAuth tokens are securely stored and used solely to execute automation tasks on behalf of the authenticated user. Tokens are never shared with third parties and are not used for any purpose beyond what is described in this policy.

Lead Data

When users import leads into AITOA via CSV upload, Google Sheets, HubSpot, Salesforce, GoHighLevel, Apollo, or manual entry, the following lead data is stored in AITOA's database:

• First and last name
• Email address
• Phone number (used for SMS, WhatsApp, and AI voice calls)
• Company name
• Any additional fields mapped during import

Lead data is stored for the duration of the user's account and associated workflow executions. Users may delete individual leads or all lead data from their account at any time from within the platform.

SMS and WhatsApp Data

When a user's workflow includes an SMS or WhatsApp step, AITOA transmits the following data to Twilio to deliver the message:

• Recipient phone number
• Sender phone number
• Message body text

AITOA stores a record of each sent message (including sender, recipient phone, and Twilio message SID) in its database for reply detection and execution tracking purposes. This data is retained for the lifetime of the execution and associated account.

Inbound SMS and WhatsApp replies from leads are received via Twilio webhooks. Reply content is processed to match the reply to an active execution and cancel any pending follow-up steps. Reply content is stored as part of the execution log.

AI Voice Calls

When a user's workflow includes an AI voice call step, AITOA initiates an outbound call via ElevenLabs' AI Calling infrastructure, which uses Twilio for telephony. The following data is processed:

• Lead phone number (transmitted to ElevenLabs and Twilio to place the call)
• AI agent configuration (greeting, script, tone — configured by the user)
• Call outcome (answered, voicemail, not connected)
• Call transcript (conversation between the AI agent and the lead, fetched from ElevenLabs on call completion and stored in AITOA's database)
• Call duration

Call transcripts are stored in AITOA's database and are accessible to the user who configured the workflow. Transcripts are retained for the lifetime of the associated execution and account. Users may delete individual call logs from within the platform.

AI Video Demo

When a user's workflow includes an AI video demo step, AITOA generates a personalised shareable demo link. When a lead starts the demo session, the following data is processed via Tavus:

• Lead name (used to personalise the demo)
• Video session duration
• Session transcript (conversation between the AI persona and the lead)

Session transcripts and duration data are stored in AITOA's database and are accessible to the user who configured the workflow. Session data is retained for the lifetime of the associated account.

Email Warmup

Users who connect their sending mailbox for warmup purposes use WarmupInbox, a third-party email warmup service. WarmupInbox sends and receives warmup emails from the user's connected mailbox. No lead data is shared with WarmupInbox. Warmup activity is limited to the connected mailbox's warmup configuration.

Cloudinary (Media Storage)

Files and videos uploaded within AITOA (such as AI demo training videos or knowledge documents) are stored with Cloudinary, a cloud media platform. Cloudinary stores files in access-controlled storage. Files are retained until the user deletes them or their account is deleted.

Gmail API Data Use

AITOA uses the Gmail API for the following specific, limited purposes only:

• Sending outreach emails — The gmail.send scope is used to send scheduled sales outreach and automated follow-up emails to prospects on behalf of the authenticated user. No email is sent without the user explicitly configuring an active workflow.
• Detecting replies — The gmail.readonly scope is used exclusively to detect whether a prospect has replied to an outreach email sent by AITOA. When a reply is detected, AITOA automatically stops further automated follow-up messages for that prospect. No email content is stored, analyzed for advertising, or shared with any third party.

AITOA does not use Gmail API access for any of the following: reading the user's inbox beyond reply detection, email warming, bulk sending beyond user-configured workflows, advertising, profiling, or any purpose not listed above.

AITOA's use and transfer to any other application of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Google Sheets API Data Use

AITOA uses the Google Sheets API with the drive.file scope, which grants access only to files the user explicitly selects or creates within AITOA. This scope is used for the following purpose only:

• Reading lead data — Reading rows from a user-selected Google Sheet to import sales lead information (name, email, company) into AITOA workflows. Data is processed in memory and is not permanently stored beyond what the user configures as part of their workflow.

AITOA does not write to, modify, delete, or share Google Sheets data. Access is strictly read-only for the file the user selects.

Data Protection Mechanisms

We implement the following technical and organizational measures to protect sensitive user data:

• Encryption in transit — All data transmitted between users, AITOA's servers, and third-party APIs is encrypted using TLS 1.2 or higher (HTTPS). Unencrypted connections are not accepted.
• Encryption at rest — All OAuth tokens (Gmail, Google Sheets, Outlook, HubSpot, Slack) and sensitive user credentials are stored encrypted in our PostgreSQL database hosted on Railway's secure infrastructure. Tokens are never written to application logs or error tracking systems.
• Access control — Each user's OAuth tokens and workflow data are scoped to their authenticated session using Clerk JWT verification. No user can access another user's credentials or data. API routes require valid authentication on every request.
• Minimum scope principle — AITOA requests only the minimum OAuth permissions necessary to perform the specific functions described in this policy. We do not request broad permissions or permissions not actively used by the Service.
• Token handling — OAuth refresh tokens are used only to obtain new short-lived access tokens when performing authorized automation tasks. Access tokens are used in memory and not persisted beyond their expiry.
• Third-party security — Infrastructure providers (Railway, Vercel, Clerk) maintain their own independent security certifications including SOC 2 compliance.

How We Use Information

• Provide and operate the automation platform
• Execute user-defined workflows on behalf of the user
• Improve reliability and performance of the Service
• Provide customer support
• Process billing and subscription management via Stripe

We do not use Gmail or Google Sheets data for advertising, training machine learning models, or any purpose unrelated to the user's own configured workflows.

Data Storage

Data is stored using secure cloud infrastructure including Railway (PostgreSQL databases and Redis for background job processing) and Vercel (frontend hosting). All infrastructure is located in secure, access-controlled data centers.

Google user data (OAuth tokens and any email metadata processed during reply detection) is retained only for as long as the user maintains an active connection in AITOA. Disconnecting a Gmail account immediately removes the associated OAuth tokens from our database.

Data Sharing

We do not sell, rent, or transfer personal data or Google user data to third parties. Data is shared only with the following categories of service providers strictly required to operate the platform:

• Hosting and infrastructure providers (Railway, Vercel)
• Authentication provider (Clerk)
• Payment processing provider (Stripe)
• Email delivery provider (Resend) — for system notifications only, not user Gmail data
• Voice and messaging infrastructure provider (Twilio) — for SMS, WhatsApp, and AI voice call delivery
• AI voice agent provider (ElevenLabs) — for AI calling features
• AI video conversation provider (Tavus) — for AI demo features
• Cloud media storage provider (Cloudinary) — for file and video storage
• Email warmup provider (WarmupInbox) — for mailbox warmup features (no lead data shared)

Google user data is never shared with any advertising networks, data brokers, analytics platforms, or other third parties.

User Data Deletion

Users may revoke Google OAuth access at any time by:

• Disconnecting the Gmail or Google Sheets connection from the AITOA Connections page, which immediately removes all associated tokens from our systems.
• Revoking access directly from Google Account Permissions.

Users may request complete deletion of all their data by contacting info@aitoa.io. Upon request, all user data will be removed from production systems within 30 days. For the full scope of your data rights including access and transfer requests, see the Data Access, Transfer, and Deletion Rights section below.

Data Access, Transfer, and Deletion Rights

You have the following rights regarding your personal data held by AITOA:

• Right to Access — You may request a summary of all personal data AITOA holds about you, including account information, workflow configurations, OAuth connection records, and execution logs.
• Right to Transfer / Export — You may request an export of your data in a machine-readable format. Upon a verified transfer request, we will provide your data as a JSON export.
• Right to Deletion — You may request that all your personal data be permanently deleted from AITOA's production systems, including OAuth tokens, workflow data, and account records.

To exercise any of these rights, email info@aitoa.io with the subject line Data Request – [Access / Transfer / Deletion] (choose whichever applies). Upon verification of your identity, AITOA will respond within 30 days. For access requests, we will provide a summary of all data held. For transfer requests, we will provide an export in JSON format. For deletion requests, all data will be purged from production systems within that period.

Children's Information

The Service is not intended for individuals under the age of 13. We do not knowingly collect personal information from children.

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this page. Continued use of the Service after any changes constitutes acceptance of the updated policy.

Contact

For privacy-related questions, data deletion requests, or concerns about our Google API data practices, please contact:
info@aitoa.io