Privacy Policy
Effective Date: February 14, 2026
Last updated: February 14, 2026
Clifton Automations, operated by Brandon Clifton ("we," "us," or "our"), is committed to protecting the privacy of our customers and their end users. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered missed call response and booking platform (the "Service").
By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.
1. Information We Collect
1.1 Account Information
When you sign up for Clifton Automations, we collect:
- Business name and contact information
- Owner name and email address
- Business phone number(s)
- Business address and service area
- Password (stored securely using one-way hashing)
- Billing information (processed securely by Stripe; we do not store credit card numbers)
1.2 Communication Data
Through the operation of the Service, we process:
- Inbound and outbound SMS message content
- Phone numbers of callers who contact your business
- Call metadata (timestamps, duration, call status)
- Conversation history between the AI and your callers
1.3 Booking Data
- Customer names (as provided by callers)
- Requested services
- Appointment dates and times
- Any notes or special requests provided during booking
1.4 Usage Analytics
- Number of missed calls, conversations, bookings, and escalations
- Dashboard access logs
- Feature usage patterns
- Service performance metrics
2. How We Use Your Information
We use the information we collect to:
- Provide the Service: Respond to missed calls, conduct AI conversations, and book appointments on your behalf
- Manage your account: Process billing, manage subscriptions, and provide customer support
- Improve the product: Analyze usage patterns to enhance features, fix bugs, and optimize performance
- Communicate with you: Send account notifications, service updates, and billing information
- Ensure security: Detect and prevent fraud, abuse, and unauthorized access
- Comply with legal obligations: Maintain records as required by applicable laws
3. Third-Party Services and Integrations
3.1 Twilio (SMS and Voice Processing)
We use Twilio to send and receive SMS messages and process voice calls. When a call or message is routed through our Service, Twilio processes the phone numbers and message content as a sub-processor. Twilio's handling of data is governed by their own privacy policy and data processing agreement. We validate all Twilio webhook requests using cryptographic signature verification to prevent unauthorized access.
3.2 AI Processing
Our Service uses AI to generate conversational responses:
- Ollama (Primary — Local Processing): Our primary AI engine runs locally on our servers. Customer data processed by Ollama never leaves our infrastructure.
- Claude API (Fallback Only): In the rare event that our local AI is unavailable, we fall back to the Claude API. Before sending any data to the Claude API, all personally identifiable information (PII) is automatically masked. PII is re-mapped only after the response is received, ensuring that no raw customer data is transmitted to external AI services.
3.3 Stripe (Payment Processing)
Billing is handled by Stripe. We do not store, process, or have access to your full credit card number. Stripe is PCI DSS Level 1 certified. Your payment information is subject to Stripe's privacy policy.
4. Data Storage and Security
4.1 Storage
- Data is stored in SQLite databases with WAL (Write-Ahead Logging) mode for reliability
- Each tenant's data is isolated in a separate database file
- Backups are performed daily with optional AES-256 encryption
- All data is stored on servers located in the United States
4.2 Security Measures
- All data transmitted between your browser and our servers is encrypted using TLS/HTTPS
- Passwords are hashed using industry-standard one-way hashing (Werkzeug/bcrypt)
- Every inbound message is sanitized, rate-limited, and checked for injection attacks
- Every outbound response is scanned for PII leakage and cross-tenant data exposure
- All security events are recorded in a tamper-proof, hash-chained audit log (SHA-256)
- Twilio webhook signatures are cryptographically validated on every request
5. Data Retention
- Active accounts: Data is retained for the duration of your active subscription
- After cancellation: Account data is retained for 90 days following cancellation to allow for reactivation, after which it is permanently deleted
- Audit logs: Security audit logs are retained for 1 year for compliance purposes
- Billing records: Transaction records are retained as required by applicable tax and financial regulations
- You may request early deletion of your data at any time (see Section 8)
6. Data Sharing
We do not sell, rent, or trade your personal information or your customers' data to third parties.
We may share data only in the following limited circumstances:
- Service providers: With Twilio and Stripe as necessary to operate the Service (as described in Section 3)
- Legal requirements: When required by law, subpoena, court order, or governmental regulation
- Safety: To protect the rights, safety, or property of Clifton Automations, our users, or the public
- Business transfer: In connection with a merger, acquisition, or sale of assets (you will be notified)
7. Telecommunications Compliance
7.1 TCPA Compliance
We comply with the Telephone Consumer Protection Act (TCPA):
- Consent: SMS messages are only sent in response to a caller initiating contact with your business (implied consent through the act of calling)
- Opt-out: Any recipient can reply STOP at any time to immediately cease all automated messages. We honor all opt-out requests instantly.
- Time restrictions: Automated messages are only sent between 8:00 AM and 9:00 PM in the recipient's local time zone
- Consent logging: All consent events (opt-in and opt-out) are logged with timestamps for compliance records
7.2 CAN-SPAM Compliance
For any email communications sent through the Service:
- All emails include a clear unsubscribe mechanism
- Unsubscribe requests are honored within 24 hours
- Emails include accurate sender information and physical address
- We do not use deceptive subject lines or misleading header information
8. Your Privacy Rights (GDPR / CCPA)
Depending on your location, you may have the following rights regarding your personal data:
- Right to access: Request a copy of all personal data we hold about you
- Right to correction: Request correction of inaccurate or incomplete data
- Right to deletion: Request deletion of your personal data ("right to be forgotten")
- Right to portability: Request your data in a structured, machine-readable format
- Right to restrict processing: Request that we limit how we use your data
- Right to object: Object to the processing of your data for certain purposes
- Right to non-discrimination: We will not discriminate against you for exercising your privacy rights (CCPA)
California residents (CCPA): You have the right to know what personal information we collect, request its deletion, and opt out of its sale. As stated above, we do not sell personal information.
To exercise any of these rights, contact us at [email protected]. We will respond to verified requests within 30 days. You may also use the management CLI command "python manage.py delete-customer <phone>" for data deletion requests.
9. Cookie Policy
We use only essential session cookies to operate the Service:
- Session cookie: Maintains your login session while you use the dashboard. This cookie is deleted when you log out or close your browser.
- CSRF token: Protects against cross-site request forgery attacks.
We do not use tracking cookies, advertising cookies, or third-party analytics cookies. We do not use Google Analytics or any similar tracking services. Your browsing activity on our platform is not tracked or shared with advertisers.
10. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18 without parental consent, we will take steps to delete that information promptly.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by sending an email to the address associated with your account at least 30 days before the changes take effect. The "Effective Date" at the top of this page indicates when this policy was last revised. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.
12. Contact Us
If you have any questions about this Privacy Policy, your data, or your privacy rights, please contact us:
Clifton Automations
Brandon Clifton, Owner
Ohio, United States
Email: [email protected]
Phone: 740-870-6309