Privacy Policy

We collect several categories of information depending on how you interact with Summit Reception and our deployed AI systems. Below is a comprehensive breakdown:

1.1 Information You Provide Directly

• Contact & Account Information: Name, email address, phone number, business name, job title, and mailing address when you fill out a form, book a demo, or sign up for our services.
• Payment Information: Billing address, credit/debit card details (processed securely through PCI-compliant third-party processors — we do not store raw card data), and transaction history.
• Business Information: Information about your business, including services offered, target customers, custom scripts, qualification criteria, calendar details, and CRM data you provide during onboarding.
• Communications: Messages you send us via email, contact forms, or live chat, including their content and metadata.
• Demo Booking Data: Information collected via our booking widget, including name, email, phone number, company, and meeting preferences.

1.2 Information Collected Automatically (Website)

• Usage Data: Pages visited, time on page, click patterns, referring URLs, and navigation paths.
• Device & Technical Data: IP address, browser type and version, operating system, screen resolution, device type, and language settings.
• Cookies & Tracking Technologies: Session cookies, persistent cookies, pixel tags, and local storage. See Section 7 for full details.
• Analytics Data: Aggregated behavioral data collected via analytics platforms (see Section 7 and 10).

1.3 Information Generated by Our AI Services (On Behalf of Clients)

• Call Recordings & Transcripts: Audio recordings and AI-generated transcriptions of calls handled by our AI receptionist system, on behalf of and accessible to our clients.
• SMS Conversation Logs: Full two-way SMS conversation records processed by our AI SMS Setter, including messages sent and received.
• Lead & Qualification Data: Information collected from callers or texters during AI-conducted qualification conversations (name, contact details, service needs, appointment preferences, and other qualifying information per client-defined criteria).
• Appointment & Calendar Data: Details of appointments booked, rescheduled, or cancelled through our system, including date, time, service type, and associated contact information.
• CRM Data: Contact records, pipeline stages, conversation notes, interaction history, and other data stored in the GoHighLevel CRM platform we provision for clients.
• Outbound Call Data: Records of AI-initiated outbound calls including call duration, outcome, and conversation transcript.

1.4 Information from Third-Party Sources

• Information from calendar platforms (Google Calendar, Microsoft Outlook, Apple Calendar) when you connect them to our system.
• CRM data imported from your existing platforms (Salesforce, HubSpot, Zoho) during integration setup.
• Lead data imported from third-party sources (e.g., Zillow, Facebook Lead Ads) where you have authorized such integration.
• Business verification information from publicly available sources.

We use the information we collect for the following purposes, always grounded in a lawful basis for processing:

2.1 Marketing Communications

If you opt in to receive marketing communications, we may send you emails about our products, features, case studies, and industry insights. You can opt out at any time by clicking "unsubscribe" in any marketing email or by contacting us directly. Transactional communications (service notices, billing, security alerts) are not subject to opt-out.

2.2 AI Model Improvement

We may use anonymized and aggregated data from AI interactions to improve the quality, accuracy, and naturalness of our AI systems. We do not use identifiable personal data of callers or SMS recipients to train general AI models without appropriate consent and contractual authorization from our business clients.

We may share your information in the following limited circumstances:

3.1 Service Providers & Sub-Processors

We engage trusted third-party companies to help us deliver our services. These sub-processors are contractually bound to use your data only for specified purposes and to maintain appropriate security measures. Key sub-processors include:

• GoHighLevel: CRM platform, booking system, SMS messaging infrastructure, and landing page hosting. Processes contact data, appointment data, and conversation records.
• Voice AI Providers: Infrastructure providers for AI voice synthesis and natural language processing. Process call audio and transcripts in accordance with our data processing agreements.
• Cloud Infrastructure: Hosting, storage, and computing infrastructure providers operating under strict security and data processing agreements.
• Payment Processors: Stripe and/or other PCI-DSS compliant payment processors for billing. We do not store raw payment card data.
• Analytics Providers: Website analytics platforms (e.g., Google Analytics) operating under data processing agreements. See Section 7.
• Calendar Platforms: Google, Microsoft, and Apple calendar integration services to facilitate appointment booking.
• Email Service Providers: For transactional and marketing emails, operating under data processing agreements.

3.2 Business Clients (Controller Relationship)

When we deploy AI systems on behalf of our business clients, all call recordings, SMS logs, lead data, and CRM records generated belong to and are accessible by our client (the data controller). Our clients are responsible for their own privacy notices to their callers, leads, and customers, and for ensuring appropriate consents are obtained where required (e.g., call recording disclosures).

3.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our website of any such change and any choices you may have.

3.4 Legal Requirements & Protection

• To comply with applicable laws, regulations, legal processes, or governmental requests.
• To enforce our Terms of Service or other agreements.
• To protect the rights, privacy, safety, or property of Summit Reception, our clients, or the public.
• To detect, prevent, or address fraud, security breaches, or technical issues.

3.5 With Your Consent

We may share your information with third parties when you give us explicit consent to do so, such as when you authorize a specific integration or request a referral to a partner service.

We retain personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

Upon termination of a service agreement, clients may request an export of their CRM and conversation data within 90 days. After this window, data is securely deleted unless retention is required by law. You may request earlier deletion subject to legal retention obligations — see Section 6.

We implement industry-standard technical and organizational security measures to protect your information against unauthorized access, disclosure, alteration, or destruction. Our security practices include:

• Encryption in Transit: All data transmitted between your devices and our servers is encrypted using TLS 1.2 or higher (HTTPS).
• Encryption at Rest: Sensitive data stored in our systems is encrypted at rest using AES-256 or equivalent standards.
• Access Controls: Strict role-based access controls limit who within our team can access your data. All access is logged and audited.
• Authentication: Multi-factor authentication is required for all internal system access by Summit Reception personnel.
• Sub-Processor Vetting: We require all third-party service providers to maintain adequate security standards via contractual Data Processing Agreements.
• Regular Security Reviews: Periodic internal security reviews, vulnerability assessments, and updates to our security practices.
• Incident Response: We maintain a documented data breach incident response plan. In the event of a breach affecting your rights, we will notify you in accordance with applicable law.
• Physical Security: Our systems operate on cloud infrastructure with robust physical security controls at data center facilities.

If you discover or suspect a security vulnerability or incident related to our services, please contact us immediately at [email protected].

Depending on your location and applicable law, you may have the following rights regarding your personal information. We honor these rights regardless of your jurisdiction to the extent practicable.

How to Exercise Your Rights

To exercise any of the above rights, submit a written request to [email protected] with the subject line "Privacy Rights Request." We will respond within 30 days (or sooner, as required by law). We may need to verify your identity before processing your request.

California Residents (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act and California Privacy Rights Act, including the right to know, delete, correct, and opt out of the sale or sharing of personal information. We do not sell personal information. To submit a California-specific request, email us at [email protected] with "California Privacy Request" in the subject line.

European/UK Residents (GDPR/UK GDPR)

If you are located in the European Economic Area or United Kingdom, you have rights under the General Data Protection Regulation. Our lawful bases for processing are contract performance, legitimate interests, legal obligation, and consent (where applicable). You also have the right to lodge a complaint with your local data protection supervisory authority.

Our website uses cookies and similar tracking technologies to enhance your browsing experience, analyze traffic, and understand how visitors interact with our content.

7.1 Types of Cookies We Use

• Strictly Necessary Cookies: Essential for the website to function. These cannot be disabled. They include session management and security cookies.
• Performance & Analytics Cookies: Help us understand how visitors interact with our website by collecting aggregated, anonymized data. We use Google Analytics and similar tools (with IP anonymization enabled).
• Functional Cookies: Remember your preferences (such as form data and language settings) to improve your experience.
• Marketing & Targeting Cookies: Used to deliver relevant advertisements and track the effectiveness of marketing campaigns. We may use tools like Google Ads, Meta Pixel, or LinkedIn Insight Tag.

7.2 Managing Your Cookie Preferences

You can control and/or delete cookies as you wish. You can delete all cookies that are already on your computer, and you can set most browsers to prevent them from being placed. However, if you do this, you may have to manually adjust some preferences every time you visit a site and some services and functionalities may not work.

To opt out of Google Analytics tracking, you may install the Google Analytics Opt-out Browser Add-on. To opt out of interest-based advertising, visit the Digital Advertising Alliance opt-out page.

7.3 Do Not Track

Some browsers have a "Do Not Track" (DNT) feature that signals to websites that you do not want to be tracked. We currently do not respond to DNT signals because there is no industry standard for DNT compliance. We will revisit this as standards evolve.

Our core product involves deploying AI voice agents that interact with human callers on behalf of our business clients. This section explains the specific privacy considerations that apply to these AI interactions.

8.1 Call Recording Disclosure

Calls handled by our AI systems may be recorded and transcribed for quality assurance, client review, and service improvement. Our business clients are responsible for ensuring that appropriate call recording disclosures are made to callers in compliance with applicable state and federal laws (including two-party consent states such as California, Florida, Illinois, and others). We provide guidance and technical tools to help clients meet these obligations.

8.2 AI Identity Disclosure

Summit Reception is committed to ethical AI deployment. Our AI agents are highly sophisticated and may sound very natural. We support and recommend that our clients configure their AI agents to disclose that they are speaking with an AI assistant when directly and sincerely asked by a caller. We comply with applicable laws regarding AI disclosure, including California's BOLT Act (AB 1536) and similar emerging regulations.

8.3 Data Generated During AI Interactions

Personal information collected during AI calls (name, phone number, appointment details, qualification answers, etc.) is:

• Stored in the client's GoHighLevel CRM sub-account, owned and accessible by the client.
• Used to fulfill the call's purpose (e.g., booking an appointment, logging a lead).
• Used by Summit Reception for quality monitoring, AI performance improvement (in anonymized/aggregated form), and service delivery.
• Subject to the client's privacy policy as the data controller for their callers and customers.

8.4 Voicemail & Message Data

Voicemails left with our AI system, text messages sent to AI-managed numbers, and other asynchronous communications are processed and stored in accordance with this policy and the applicable client service agreement.

Our AI SMS Setter service sends and receives text messages on behalf of our business clients. This section explains how SMS data is handled and your rights regarding SMS communications.

9.1 SMS Consent

Our business clients are responsible for obtaining appropriate opt-in consent from individuals before initiating SMS communications, in compliance with the Telephone Consumer Protection Act (TCPA), A2P 10DLC regulations, and applicable carrier guidelines. Summit Reception provides technical infrastructure and AI automation; the business client is the sender of record and is responsible for consent collection and management.

9.2 Opt-Out Requests

All SMS conversations managed by our AI SMS Setter honor standard opt-out keywords. Replying STOP, UNSUBSCRIBE, CANCEL, END, or QUIT to any AI-sent SMS will immediately halt further automated messages from that campaign. We process opt-outs within the timeframe required by applicable law (generally immediately or within 10 business days).

9.3 SMS Data Handling

• All inbound and outbound SMS messages are logged in the client's CRM for reference, quality assurance, and compliance.
• Message content, timestamps, and delivery status are stored for the retention period described in Section 4.
• SMS data is not shared with third parties except as described in Section 3 (sub-processors and legal requirements).

9.4 Promotional vs. Transactional SMS

Our system sends both transactional messages (appointment confirmations, reminders, service updates) and, where authorized, promotional messages. Transactional messages are sent based on an existing business relationship. Promotional messages require explicit opt-in consent.

Our website and services may contain links to third-party websites, integrations with third-party platforms, or embed content from external services. This section provides transparency about key third-party relationships.

10.1 Third-Party Website Links

Our website may link to external websites for reference or convenience. We are not responsible for the privacy practices of those websites and encourage you to review their privacy policies before providing any personal information.

10.2 Integrated Platforms

• GoHighLevel (GHL): Our primary CRM, communications, and automation platform. GoHighLevel has its own privacy policy and acts as a sub-processor under our agreements. Data stored in GHL is subject to their data processing terms.
• Google Calendar / Microsoft Outlook / Apple Calendar: When you connect a calendar for appointment booking, we access calendar data solely to create, read, and manage appointments. We do not use calendar data for marketing or profiling.
• Stripe: Payment processing. Stripe's privacy policy governs data shared with them during payment transactions.
• Google Analytics: Website traffic analysis. We have configured Google Analytics with IP anonymization. Google's privacy policy applies to data processed by their analytics service.
• CRM Integrations (Salesforce, HubSpot, Zoho): Available for AI Sales Machine clients. Data exchanged with these platforms is subject to the applicable platform's privacy policy and your organization's agreement with them.

10.3 Social Media Integrations

Our website includes links to social media platforms (LinkedIn, Twitter/X, Facebook). These platforms may set cookies or collect data when you interact with embedded content or follow our links. Their privacy policies govern such data collection.

Summit Reception's services are designed for and directed to businesses and their adult employees, clients, and customers. Our services are not directed to individuals under the age of 13 (or 16 in certain jurisdictions).

We do not knowingly collect personal information from children under 13. If you believe that a child under 13 has provided us with personal information without parental consent, please contact us immediately at [email protected] and we will take steps to delete such information promptly.

Our business clients who serve consumers should ensure that their own services comply with the Children's Online Privacy Protection Act (COPPA) and applicable children's privacy laws if they serve or may interact with minors.

12.1 Business Associate Agreement (BAA)

If you are a Covered Entity or Business Associate under HIPAA and you intend to use Summit Reception to process Protected Health Information (PHI), you must execute a Business Associate Agreement (BAA) with Summit Reception before deploying our services. Please contact us at [email protected] to request a BAA.

12.2 HIPAA-Aware Practices

For clients who execute a BAA, we implement the following HIPAA-aware practices:

• Limiting the collection and disclosure of PHI to the minimum necessary for the specified purpose.
• Implementing access controls, audit logging, and encryption standards aligned with HIPAA Security Rule requirements.
• Configuring AI agents to avoid requesting unnecessary PHI during qualification conversations.
• Supporting client obligations for patient authorization where required.
• Breach notification procedures consistent with the HIPAA Breach Notification Rule.

12.3 Client Responsibility

Healthcare clients remain responsible for their own HIPAA compliance, including obtaining appropriate patient authorizations, configuring our system in a HIPAA-compliant manner, training their staff, and ensuring that all PHI handled through our platform is consistent with their privacy practices and applicable law. Summit Reception cannot guarantee HIPAA compliance independent of proper client configuration and use.

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will notify you of material changes by:

• Posting the updated policy on this page with a revised "Last Updated" date.
• Sending an email notification to active clients at the email address on file.
• Displaying a prominent banner on our website for 30 days following a material change.

Your continued use of our services after the effective date of any changes constitutes acceptance of the updated policy. We encourage you to review this page periodically.

Policy Version History

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please don't hesitate to reach out. We are committed to addressing all privacy inquiries promptly and transparently.

For California-specific requests, please include "California Privacy Request" in your subject line. For GDPR/UK GDPR requests, please include your country of residence. For BAA requests (healthcare), please include "BAA Request" in your subject line.