1. Scope

This Privacy Policy explains how Autonomy collects, uses, discloses, and safeguards information when you use our websites (including auai.cloud and autonomyreceptionist.com), products, and related services (collectively, the "Services").

2. Information We Collect

Information You Provide

Account & Contact Data: name, business name, email, phone number, billing address.
Business Configuration: service menus, hours, pricing, routing rules, scripts, FAQs, calendars, and integration settings.
Communications: messages, emails, or other communications with us.
Payment Data: payment method details processed by our payment processors (e.g., Stripe). We do not store full card numbers.

Information Collected Automatically

Usage & Log Data: device/browser info, IP address, timestamps, pages viewed, referral URLs, product interactions.
Cookies & Similar: cookies, local storage, and similar technologies for essential functions, analytics, and preferences.

Voice, SMS, and Conversation Data

Call/SMS Metadata: caller/callee numbers, call/SMS routing and timing, carrier data, status codes.
Recordings & Transcripts (if enabled): audio recordings and/or transcriptions of calls or voicemails. You are responsible for obtaining legally required consent before enabling call recording or transcript storage.

Information from Third Parties

Integrations: information from connected calendars, CRMs, scheduling tools, and payment processors.
Service Providers: we may receive technical or usage data from providers assisting with hosting, analytics, messaging, or payments.

3. How We Use Information

We use information to:

Provide, operate, secure, and troubleshoot the Services;
Configure and personalize receptionist behavior per your rules;
Book appointments, send confirmations, and process transactions;
Communicate with you about updates, security, and support;
Monitor service health, detect/prevent abuse, and ensure compliance;
Analyze usage to improve features and performance;
Comply with legal obligations.

3.1. MCP Server and Integration Data Practices

When you use our services with Claude (via Model Context Protocol / MCP servers) or connect third-party integrations, we handle specific types of credentials and data:

API Tokens and Credentials

Anthropic API Tokens: Your Claude API tokens are stored securely and used exclusively to authenticate requests to Anthropic's services on your behalf. We do not share these tokens with third parties.
OAuth Credentials: When you authorize third-party services (e.g., Google Drive, calendars, CRMs), we receive and store OAuth access tokens and refresh tokens. These are encrypted at rest and used only to access the specific resources you've authorized.
Scope of Access: We only request the minimum permissions required to provide our services. For example, Google Drive access is limited to files you explicitly choose to integrate, not your entire Drive.

Data Accessed Through Integrations

Document Content: When processing documents via Claude MCP servers (e.g., Google Drive files), content is transmitted to Anthropic's Claude API for analysis. This data is subject to Anthropic's Privacy Policy.
Calendar Data: When calendar integrations are enabled, we access event titles, times, attendees, and descriptions solely to book appointments and prevent scheduling conflicts.
CRM Data: When CRM integrations are enabled, we may access contact information, deal pipelines, and custom fields as configured by you to log interactions and update records.

Token Storage and Security

Encryption: All API tokens and OAuth credentials are encrypted at rest using industry-standard encryption (AES-256).
Access Controls: Token access is restricted to authorized service components on a need-to-know basis with role-based access controls.
Token Rotation: OAuth refresh tokens are used to obtain short-lived access tokens, minimizing exposure risk.
Revocation: You may revoke integration access at any time through your account settings or the third-party service's permission management interface.

Third-Party AI Services

When you use our Claude MCP server features, your data may be processed by:

Anthropic (Claude API): Conversation context, documents, and prompts are sent to Anthropic's Claude API for AI processing. See Anthropic's Privacy Policy for details on how they process data.
Data Retention by AI Providers: Anthropic may temporarily retain API requests for service operation but does not train models on customer data without explicit opt-in. Refer to their Commercial Terms for specifics.

Your Control Over Integration Data

Disconnect Integrations: You can disconnect any third-party integration from your account settings at any time.
Delete Cached Data: When you disconnect an integration, we delete cached data from that service within 30 days unless legally required to retain it longer.
Access Logs: You can request a log of which integrations accessed your data and when by contacting contact@auai.cloud.
Data Portability: You may export your data in machine-readable formats (JSON, CSV) through your account dashboard or by requesting it via email.

4. Sharing and Disclosure

We share information with:

Service Providers / Subprocessors for hosting, storage, telephony, messaging, analytics, support, and payments (e.g., cloud hosting, voice/SMS carriers, email services, scheduling, CRM, and payment processors). Examples may include providers such as Stripe (payments), telephony carriers and messaging aggregators, analytics platforms, email delivery services, and cloud infrastructure.
Integration Partners at your direction (e.g., calendar and CRM connections you enable).
Legal and Safety: when required by law or to protect Autonomy, our users, or the public.
Business Transfers: in connection with a merger, acquisition, financing, or sale of assets.

We do not sell personal information.

5. International Data Transfers

We are based in the United States. If you access the Services from outside the U.S., your information may be transferred to, stored in, or processed in the U.S. and other countries. Where required, we use appropriate safeguards (e.g., Standard Contractual Clauses) for cross-border transfers.

6. Data Security

We implement reasonable administrative, technical, and physical safeguards designed to protect information. No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

7. Data Retention

We retain information for as long as necessary to provide the Services, comply with our legal obligations, resolve disputes, and enforce agreements. You may request deletion of certain information, subject to legal or contractual limits.

8. Your Choices & Rights

Communication Preferences: you may opt out of non-essential emails via unsubscribe links or by contacting us.
Access, Update, Delete: you may request access to, correction of, or deletion of your personal information by emailing contact@auai.cloud.
Cookies: browser settings may let you block or delete cookies. Some features may not function without essential cookies.

GDPR (EEA/UK) Notice

If you are in the EEA or UK, Autonomy is a data controller for website and account data and a processor for end-customer call/SMS data we handle on your behalf. Depending on your location and the context, you may have rights to access, rectify, erase, restrict processing, data portability, or object. You also have the right to lodge a complaint with your local supervisory authority. Our legal bases include performance of a contract, legitimate interests, consent, and compliance with legal obligations.

California (CCPA/CPRA) Notice

For California residents, we provide the disclosures required by the CCPA/CPRA. We do not "sell" personal information as defined by the CCPA. You may request access, deletion, and correction, and you may limit the use of sensitive personal information (if collected) by contacting contact@auai.cloud.

9. Children's Privacy

The Services are not directed to children under 13 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children.

10. Third-Party Sites and Services

Our Services may link to third-party sites or services. Their privacy practices are governed by their own policies.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated version with a new "Last updated" date. Your continued use of the Services after the update becomes effective signifies your acceptance.

12. Contact Us

For questions or requests regarding this Privacy Policy, contact contact@auai.cloud or write to the address above.