Blue Collar Caller ("we," "us," or "Blue Collar Caller") is operated by [Legal Entity Name], a [State] [entity type, e.g. LLC] with a principal place of business at [Address] ("Company"). This Privacy Policy describes how we collect, use, share, and protect personal information in connection with the Blue Collar Caller website at https://bluecollarcaller.com, the application at https://app.bluecollarcaller.com, and the related AI voice receptionist services (collectively, the "Service").
By using the Service you confirm that you have read and agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.
1. Who this Policy applies to
We process information about two distinct categories of individuals:
- Subscribers. Owners or representatives of trade and home-service businesses (plumbers, HVAC contractors, electricians, landscapers, etc.) who create accounts and subscribe to the Service.
- Callers. Individuals (typically the end customers of a Subscriber) who place phone calls to a phone number provisioned through the Service and interact with our AI receptionist ("Sarah").
With respect to Caller data collected during a call, the Subscriber acts as the data controller (the party deciding how the data is used), and we act as the processor (operating under the Subscriber's instructions to deliver the Service).
2. Information we collect
2.1 From Subscribers
- Account information: name, email address, and a hashed password or, if you sign in with Google, your Google account identifier.
- Business profile: business name, owner name, business and service addresses, service area, business email, website or social media, services offered, average service duration, preferred contact channel, operating days and hours, timezone.
- Phone number information: the business phone you provide and the AI phone number we provision on your behalf through Twilio.
- Calendar integration: if you connect Google Calendar, we receive an OAuth refresh token. We store this token encrypted at rest (AES-256-GCM) and use it only to read availability and create appointment events on the calendar you authorize.
- Billing: name, billing address, and payment-card information collected and processed by our payment provider (Stripe). We do not store full card numbers.
- Usage data: pages visited, features used, IP address, browser/device information, error logs, and timestamps necessary to operate and secure the Service.
2.2 From Callers
When a Caller speaks with Sarah, our AI receptionist, we collect information necessary to schedule a service appointment, including:
- Name and call-back phone number
- Service address
- Type of service requested and a free-form description of the problem
- Preferred date and time
- Call metadata: phone number originating the call, call start/end time, call duration
- Brief recordings and/or transcripts of the conversation, retained for the limited periods described below
3. How we use information
- Provide, operate, and improve the Service
- Authenticate Subscribers and protect accounts
- Process payments and manage subscriptions
- Schedule appointments and create events in the Subscriber's connected calendar
- Communicate with Subscribers about their accounts, billing, security, and Service updates
- Detect, prevent, and respond to fraud, abuse, or violations of our Terms
- Comply with applicable laws and respond to lawful requests
- Improve the accuracy and helpfulness of the AI receptionist (in aggregate or de-identified form)
We do not use Caller data to train AI models without the Subscriber's explicit instruction.
4. Call recording and AI processing — important notice
When a Caller speaks with Sarah:
- The conversation is processed in real time by our voice-AI provider, Vapi.ai, which routes audio to a large language model (currently provided by OpenAI) and synthesizes speech responses.
- Brief audio recordings and text transcripts may be created and retained for a limited period by our voice provider to operate, debug, and improve the Service.
- We do not sell call audio or transcripts.
Subscriber responsibility for recording disclosure. Federal law and the laws of certain U.S. states (including but not limited to California, Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Pennsylvania, and Washington) require all-party consent before recording a phone call. Subscribers are responsible for ensuring that Sarah's greeting and Subscriber-configured prompts include any recording or AI-use disclosure required by the laws of the jurisdictions in which the Subscriber and the Subscriber's customers are located.
5. Sub-processors and third-party services
We share information with the following sub-processors to deliver the Service:
| Provider | Role | Types of data shared |
|---|---|---|
| Supabase | Authentication and primary database | Account credentials, structured Subscriber and Caller records |
| Railway | Backend application hosting | All backend-processed data in transit |
| Vercel | Frontend application hosting | Web request logs, IP addresses |
| Vapi.ai | Voice-AI orchestration | Call audio, transcripts |
| OpenAI | Language model (via Vapi) | Call transcripts |
| Twilio | Phone numbers, call routing, carrier lookup | Caller phone numbers, call metadata |
| Google | OAuth sign-in, Calendar API | Subscriber Google identity, calendar events |
| Stripe | Subscription billing | Subscriber billing details (card data held by Stripe) |
Each sub-processor is contractually required to protect personal information consistent with this Privacy Policy and applicable law. We will update this list as our sub-processors change.
We do not sell personal information to advertisers or data brokers, and we do not share personal information for cross-context behavioral advertising.
6. Google user data and Limited Use disclosure
Blue Collar Caller requests access to Google APIs (Google Sign-In and the Google Calendar API) solely to provide the Service's core, user-facing scheduling features: reading your calendar availability and creating, updating, or removing appointment events on the Google Calendar you explicitly authorize.
Blue Collar Caller's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
In accordance with those Limited Use requirements, we affirm that:
- We only use data obtained through Google APIs to provide and improve the user-facing features described above (calendar availability lookups and appointment scheduling).
- We do not transfer this data to others except as necessary to provide or improve those features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
- We do not use Google user data for serving advertising, including personalized, targeted, retargeted, or interest-based advertising.
- We do not allow humans to read this data unless (i) we first obtain your affirmative consent for specific data, (ii) it is necessary for security purposes (such as investigating abuse), (iii) it is required to comply with applicable law, or (iv) the data has been aggregated and anonymized for internal operations.
Google Calendar OAuth refresh tokens are stored encrypted at rest (AES-256-GCM) and are used only to perform the actions you authorize. You may revoke our access at any time from your Google Account permissions page or by disconnecting the calendar within the Service.
7. Data retention
- Subscriber account data: retained while your account is active; deleted within thirty (30) days of account termination, except where retention is required by law or for legitimate accounting, tax, or dispute-resolution purposes.
- Appointment records: retained while your account is active so you can reference them.
- Call audio and transcripts (held by Vapi.ai): retained per Vapi.ai's data retention policy, typically 30–90 days.
- Web and security logs: retained for up to ninety (90) days.
Subscribers may request deletion of their account and associated personal data at any time by emailing privacy@bluecollarcaller.com.
8. How we protect information
- TLS encryption for all data in transit
- Encryption at rest for OAuth refresh tokens (AES-256-GCM)
- Database encryption and managed backups via Supabase
- Role-based access controls and audit logging for administrative actions
- HMAC signature verification for inbound webhooks
No system is perfectly secure. In the event of a data breach affecting your personal information, we will notify you without undue delay and as required by applicable law.
9. Your rights
9.1 California residents (CCPA / CPRA)
California residents have the following rights regarding their personal information:
- Right to know: what personal information we collect, the sources, purposes, and recipients.
- Right to delete: personal information we have collected, subject to legal exceptions.
- Right to correct: inaccurate personal information.
- Right to opt out of "sale" or "sharing" for cross-context behavioral advertising. We do not engage in either.
- Right to limit use of sensitive personal information.
- Right to non-discrimination for exercising your rights.
To exercise these rights, email privacy@bluecollarcaller.com from the email address associated with your account, or submit a request via your account settings. We may need to verify your identity before fulfilling certain requests. You may also designate an authorized agent to act on your behalf.
9.2 Other U.S. state privacy laws
Residents of states with comprehensive consumer privacy laws (including Colorado, Connecticut, Utah, Virginia, Texas, Oregon, Montana, Iowa, Tennessee, Indiana, and others as enacted) have rights similar to those described above. Contact us at the privacy email above to exercise them.
9.3 Callers
If you are a Caller and wish to access, correct, or delete the data we hold about you, please contact the business you called. As the Subscriber, that business is the controller of the data. We will assist Subscribers in honoring valid requests.
10. Cookies and similar technologies
The Service uses cookies and similar storage technologies that are strictly necessary for authentication, session management, and security. We do not currently use third-party advertising cookies, analytics scripts, or cross-site tracking pixels.
11. Children's privacy
The Service is intended for adult business owners and is not directed to children under the age of 18. We do not knowingly collect personal information from children under 13 (COPPA) or, for marketing purposes, from individuals under 18. If you believe we have inadvertently collected such information, contact us and we will delete it.
12. International data transfers
We process and store information in the United States. If you access the Service from outside the United States, you understand that your information will be transferred to, stored, and processed in the United States, which may have different data-protection laws than your country of residence.
13. Changes to this Policy
We may update this Privacy Policy from time to time. We will post the updated version with a new "Last updated" date and, for material changes, notify Subscribers by email. Continued use of the Service after the update constitutes acceptance of the revised Privacy Policy.
14. Contact us
For privacy questions or to exercise your rights:
- Email: privacy@bluecollarcaller.com
- General support: support@bluecollarcaller.com
- Mailing address: [Legal Entity Name], [Street], [City], [State] [ZIP], United States