Privacy Policy
Last updated: May 4, 2026
This Privacy Policy explains how X3 E-Commerce LLC d/b/a FrontDesk Global ("FrontDesk Global," "we," "us") collects, uses, and protects information when you use TheAutoReply (the "Service"). By using the Service, you agree to the practices described in this Policy.
1. Information we collect
1.1 Information you provide directly
- Account information: name, business name, email address, password (hashed), phone number, billing address.
- Payment information: processed by Stripe; we never see or store your full card details.
- Business configuration: brand voice settings, custom phrases, staff names you opt to include in replies, escalation preferences.
- Communications: messages you send to [email protected] or via in-app chat.
1.2 Information collected automatically
- Usage data: features you use, replies drafted, replies posted, error logs, IP address, browser, device type, timestamps.
- Cookies and similar technologies: we use first-party cookies to maintain your session and analytics cookies (Plausible, privacy-friendly) to understand product usage. We do not use advertising cookies.
1.3 Information from connected services
When you connect your Google Business Profile, we receive:
- Your business name, address, hours, category, and other public profile information
- Reviews left on your profile (review text, star rating, reviewer display name, timestamp)
- The replies we and you post
We do not receive: customer phone numbers, private messages, or analytics from your Google Business Profile beyond what's needed to draft and post replies.
2. How we use information
We use the information we collect to:
- Provide and operate the Service (read reviews, draft replies, post replies)
- Process payments and send invoices
- Send transactional emails (welcome, trial reminders, billing notifications, security alerts)
- Provide customer support
- Detect, investigate, and prevent fraud or abuse
- Improve our Service through aggregate, anonymized analytics
- Comply with legal obligations
What we do NOT do
- We do not sell your personal data
- We do not share customer data between accounts to "improve" replies
- We do not train AI models on your private content
- We do not use your data for advertising
- We do not share customer data with marketing partners
3. Third-party services
We use a small number of carefully chosen vendors to operate the Service. Each is governed by its own privacy practices.
| Vendor | What they do | What data they receive |
|---|---|---|
| Stripe | Payment processing | Billing name, email, payment method, IP, transaction history |
| Anthropic (Claude) | AI model that drafts replies | Review text + your brand voice configuration; never billing or login data |
| Cloudflare | Hosting, DNS, security, edge processing | Network metadata, IP addresses, traffic patterns |
| Supabase | Database and authentication | Your account record, subscription status, configuration |
| Resend | Transactional email delivery | Your name and email; the email content we send you |
| Plausible | Privacy-friendly site analytics | Aggregated, anonymized; no IP storage or cookies |
| Plain or Intercom | Customer support | Support conversations and your account context |
| Business Profile API integration | API requests authenticated under your authorization |
All vendors are contractually bound to protect your data and use it only for the purposes of providing services to us.
4. AI processing
The Service uses artificial intelligence (specifically large language models from Anthropic) to draft replies. When the AI processes a review:
- The review text and your brand voice configuration are sent to the AI model
- A draft reply is generated and returned to our systems
- We store the generation log for 90 days for quality assurance and audit
- The AI provider (Anthropic) does not retain your data for training; their data handling commitments are at https://www.anthropic.com/privacy
You can request deletion of all AI generation logs associated with your account at any time.
For full details on AI processing, see our AI Disclosure.
5. Data sharing and disclosure
We disclose information only in these circumstances:
- With your consent. When you explicitly authorize us to share specific data.
- To service providers. Listed in Section 3, only as needed to operate the Service.
- To comply with law. Court orders, subpoenas, or legal process. We will notify you when permitted.
- To enforce our Terms. Including investigations of suspected violations.
- In a business transaction. If we are acquired, merged, or sell assets, your data may transfer to the successor — but only under equivalent privacy commitments.
- To protect rights and safety. Yours, ours, or the public's, when there is an imminent threat.
6. Data retention
| Data type | Retention period |
|---|---|
| Account data (active customers) | Duration of account |
| Account data (closed accounts) | 30 days, then deleted |
| Reply history | Duration of account, exportable anytime |
| AI generation logs | 90 days |
| Payment records | 7 years (legal/tax requirement) |
| Support conversations | 2 years |
| Backups | 30 days, automatically deleted |
You can request earlier deletion of any data category by emailing [email protected].
7. Your rights
Depending on where you live, you have rights regarding your personal data. We honor these rights for all users globally, regardless of jurisdiction.
- Access. Request a copy of the personal data we hold about you.
- Correct. Update inaccurate or incomplete data through your dashboard or by contacting us.
- Delete. Request deletion of your account and all associated data.
- Export. Receive your data in a portable format (CSV) for transfer to another service.
- Restrict processing. Limit how we use your data while we resolve a dispute or correction.
- Object. Object to specific uses (e.g., analytics processing).
- Opt out of automated decision-making. Switch from auto-post mode to approve-mode at any time.
To exercise these rights, email [email protected]. We respond within 30 days.
For California residents (CCPA/CPRA)
You have the right to know what personal information we collect, the right to delete it, the right to correct it, and the right to opt out of the "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under CCPA/CPRA.
For EU/UK residents (GDPR/UK GDPR)
We process personal data on the legal bases of (a) contract performance (operating your subscription), (b) legitimate interests (security, fraud prevention, product improvement), and (c) consent (where applicable). You have the right to lodge a complaint with your local data protection authority.
8. Children
The Service is not directed to children under 18 and we do not knowingly collect data from anyone under 18. If you believe we have, contact [email protected] and we will delete the information.
9. International data transfers
We are based in the United States and process data in the U.S. If you access the Service from outside the U.S., your data is transferred to and processed in the U.S. We rely on Standard Contractual Clauses or equivalent safeguards for transfers from the EU/UK.
10. Security
We protect your data with:
- TLS 1.3 encryption for all data in transit
- Encryption at rest for stored data (provided by Supabase, Cloudflare, Stripe)
- Hashed and salted passwords
- Mandatory two-factor authentication on all administrative accounts
- Quarterly access audits
- Logging and alerting on suspicious activity
- Vendor due diligence including SOC 2 Type II reviews where applicable
No system is 100% secure. If a breach affects your data, we will notify you within 72 hours of confirming it, as required by law.
11. Cookies
We use a minimal cookie set:
- Strictly necessary. Session cookies that keep you logged in. These cannot be disabled.
- Analytics. Plausible Analytics, which does not use cookies and does not collect personal data.
We do not use:
- Advertising or marketing cookies
- Third-party tracking pixels (Facebook, LinkedIn, etc.)
- Cross-site behavioral profiling
12. Changes to this Policy
We may update this Privacy Policy. Material changes (e.g., new categories of data collection, new vendors that change data flow) will be communicated by email at least 30 days before they take effect. Non-material changes (typo fixes, clarifications) are made silently with a "Last updated" date change.
13. Contact
For privacy questions, requests, or complaints:
Email: [email protected]
Mail: X3 E-Commerce LLC d/b/a FrontDesk Global, [LLC address]
Response time: within 30 days
For EU/UK users, our designated representative for data protection matters is available by emailing the address above.
This document was drafted for FrontDesk Global pending counsel review. Do not treat as final until signed off by qualified legal counsel.