Privacy Policy

Last updated: May 2026

1. Overview

PipeSpark AI ("we," "us," "our") provides a software platform that helps home service contractors automatically follow up with missed callers via SMS. This Privacy Policy explains what data we collect, how we use it, how long we keep it, and your rights regarding that data.

PipeSpark AI operates as a platform provider (data processor). The contractor using our Service ("Contractor") is the primary data controller responsible for the data of their customers ("End Users" or "Homeowners"). Our processing of End User data is done solely on behalf of and under the instruction of the Contractor, as described in our Terms of Service.

2. Data We Collect

From Contractors (our direct customers)

  • Business name, owner name, and contact information
  • Mobile phone number (for alert SMS delivery)
  • Billing and payment information (processed by our payment provider; we do not store raw card data)
  • Dashboard usage and activity logs

From End Users (homeowners — collected on behalf of Contractors)

  • Phone number (from missed call or inbound SMS)
  • Content of SMS messages exchanged
  • Service type, city/location, and property type if provided during inquiry
  • AI-generated lead score, urgency classification, and summary
  • Opt-out / STOP status (retained permanently)

From Landing Page Visitors

  • Email address (if submitted through the lead audit form)
  • Trade type and self-reported business data entered into the audit form

Automatically Collected

  • Server log data (IP address, request method, timestamp)
  • Vercel deployment and performance analytics (aggregated)

We do not use tracking cookies, third-party analytics tags, or advertising pixels on this site.

3. How We Use Data

  • Sending automated missed-call SMS replies and follow-up messages on behalf of Contractors
  • AI-powered lead qualification and scoring (via OpenAI)
  • Generating daily lead digest SMS messages for Contractors
  • Displaying lead history and details in the Contractor dashboard and client portal
  • Sending real-time owner alerts for high-priority leads
  • Responding to support requests and inquiries
  • Improving the Service using aggregated, de-identified data only

We do not sell, rent, lease, or share End User personal information with third parties for their own marketing, advertising, or commercial purposes. Data is processed solely to provide the contracted Service to Contractors.

4. Third-Party Subprocessors

We rely on the following subprocessors to deliver the Service. Each receives only the minimum data necessary for their function:

  • Twilio — SMS sending/receiving and phone number provisioning. Phone numbers and message content pass through Twilio's infrastructure. Privacy Policy
  • OpenAI — AI lead qualification. Message content and inquiry details are sent to OpenAI's API. OpenAI does not use API data to train models by default under its API terms. Privacy Policy
  • Supabase — Database storage for leads, messages, and Contractor accounts. Data is encrypted at rest and in transit. Privacy Policy
  • Vercel — Application hosting and serverless function execution. Privacy Policy

We will notify Contractors of any material changes to our subprocessor list with reasonable advance notice.

5. Data Retention

  • Lead and message data is retained for the duration of the Contractor's active subscription plus 90 days after termination, then permanently deleted.
  • Opt-out (STOP) records are retained indefinitely — this is a legal requirement to prevent re-contacting individuals who have requested no further messages.
  • Audit form email submissions are retained until you request deletion.
  • Server logs are retained for up to 30 days for security and debugging purposes.

To request deletion of your data, contact us at the address below. We will respond within 30 days. Note that opt-out records cannot be deleted, as doing so could result in re-contacting individuals who have withdrawn consent.

6. Data Security

We implement the following technical safeguards:

  • Row-level security (RLS) on all database tables — anon access is denied by default
  • Service credentials stored as environment variables, never in code
  • HMAC-SHA1 signature validation on all Twilio webhooks
  • Bearer token authentication on all internal API routes
  • HTTPS enforced for all connections

No internet-based system is 100% secure. We cannot guarantee absolute security against all possible attacks. In the event of a data breach that affects your personal information, we will notify affected parties as required by applicable law, typically within 72 hours of discovery.

7. Law Enforcement and Legal Process

We may disclose personal information if required to do so by law, court order, subpoena, or other legal process, or if we believe in good faith that such disclosure is necessary to protect our rights, prevent fraud, respond to a government request, or protect the safety of any person. Where permitted by law, we will notify you of such a request before complying.

8. California Privacy Rights (CCPA / CPRA)

California residents have the following rights:

  • Right to Know: You may request a disclosure of the personal information we have collected about you, the categories of sources, the business purposes for collection, and the third parties with whom we share it.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions (e.g., opt-out records required for compliance).
  • Right to Correct: You may request correction of inaccurate personal information we hold about you.
  • Right to Opt Out of Sale: We do not sell personal information. There is nothing to opt out of.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

To exercise these rights, contact us at the email below. We will respond within 45 calendar days. We may need to verify your identity before processing your request.

If you are a homeowner whose information was collected through a Contractor's use of PipeSpark AI, your primary data rights should be directed to that Contractor, as they are the data controller for your information. We will forward requests to the relevant Contractor where appropriate.

9. Children's Privacy

The Service is intended for business use by adults only and is not directed at individuals under 18. We do not knowingly collect personal information from minors. If we learn that we have inadvertently collected personal information from a minor, we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or the law. Material changes will be communicated via email to Contractors or by a notice in the dashboard at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after the effective date constitutes acceptance.

11. Contact

Privacy questions, data deletion requests, or CCPA rights requests: support@pipespark.ai