Privacy Policy
- We run on data you provide and telemetry we collect to operate, secure, and improve the service.
- For ads/measurement, certain partners collect limited web/app identifiers from your browser/app. That is a sale/share under some state laws. You can opt out at /privacy-choices or via a recognized universal opt-out signal (e.g., GPC/UOOM).
- Customer Content (your end-customer messages/calls/files) is processed only to provide/support the services; no sale/share of Customer Content.
- Model training is OFF by default. You can opt in by contract or admin setting.
- We publish named subprocessors at /subprocessors.
- U.S. privacy rights are honored as required by law. See /state-privacy for disclosures.
1) Who We Are & How to Reach Us
Controller (for site/app telemetry and marketing): Very Good AI, LLC, 9942 NW 87th Terr, Doral, FL 33178 · info@verygoodai.co · 786-224-4585
Processor (for Customer Content): For data you connect for us to process on your behalf (e.g., reviews, messages, call audio/metadata), we act as your service provider/processor under our Data Processing Addendum (DPA).
Children: Services are not for children under 13; we do not knowingly collect their data. We also do not knowingly sell/share data of individuals under 16.
B2B coverage: This Policy applies to business contacts (e.g., owners/managers of SMB customers).
2) Roles & Data Boundaries
| Data Category | Examples | Our Role | Sale/Share? |
|---|---|---|---|
| Customer Content | End-customer messages, reviews, call audio/metadata you connect | Processor (we act on your instructions) | No |
| Account/Admin & Business Info | Owner/admin contact, company profile | Controller | No |
| Usage/Device & Online IDs | IP, device/browser info, pages/screens, SDK/cookies | Controller | Yes (ads/measurement, unless you opt out or send a universal signal) |
| Support Communications | Emails/tickets; call recordings if enabled | Controller (for our support) | No |
| Aggregated/De-identified Metrics | Service reliability, usage diagnostics | Controller (de-ID commitments apply) | No |
We do not process Sensitive Personal Information unless you enable a feature or sign an addendum that requires it. If enabled, we will present legally required notice/consent per state.
3) Notice at Collection (California & similar states)
“Sale/Share” refers to cross-context behavioral advertising/analytics handled by independent third parties. Default retention is listed; we may retain longer where required by law, to resolve disputes, or ensure service integrity (backups rotate as set out below).
| Category | Examples | Purposes | Sale/Share? | Retention |
|---|---|---|---|---|
| Identifiers & Online IDs | IP, device/browser, cookie/advertising IDs | Security, fraud prevention, service functionality, analytics, ads/measurement | Yes (ads/measurement) | 12 months (or until opt-out/setting change) |
| Internet/Network Activity | Pages viewed, events, referrers, app interactions | Product analytics, performance, ads/measurement | Yes | 12 months |
| Inferences | Interest segments derived from usage | Ads/measurement | Yes | 12 months |
| Customer Service Comms | Emails/tickets | Support, compliance | No | 180 days after ticket closure |
| Audio/Call Recordings (only if enabled) | Recorded calls with required notices | Quality, dispute resolution, compliance | No | 90 days (configurable by contract) |
Sensitive PI: Not collected/used unless you enable/contract for it; where enabled, we comply with state-specific opt-in/limits.
Point-of-collection: A link to this Notice at Collection is provided at or before the point of collection across our web/app surfaces.
4) What We Collect & From Where
- Account/Admin & Business Info you provide.
- Customer Content & connected platform data you authorize (e.g., reviews, messages, call metadata).
- Usage/Device Data gathered via cookies/SDKs (functional, analytics, ads/measurement).
- Support Data (emails/tickets; call recordings if enabled with legally required one-/all-party consent).
5) How We Use Information
- Provide & Secure: authentication, integrations, automations, routing, fraud/abuse prevention.
- Improve: aggregated/de-identified metrics and diagnostics to enhance reliability, security, features.
- Marketing/Analytics: including cross-context behavioral advertising (opt-out available).
- Legal/Compliance: records, taxes, contractual obligations, lawful requests.
6) Model Training & Product Improvement
Customer Content ownership: You retain ownership. You grant us a non-exclusive license to process it solely to deliver/support the services.
Model Training: OFF by default. You may opt in via contract or admin setting (scope and data classes will be shown before enabling).
De-identified data commitments: When we claim data is de-identified, we maintain safeguards to prevent re-identification, publicly commit not to re-identify, and contractually prohibit recipients from attempting re-identification or using it to target individuals.
7) Service Providers, Subprocessors, and Independent Third Parties
Service Providers / Subprocessors (processors): Hosting, storage/CDN, communications (SMS/MMS/voice), security/observability, support/CRM, and processor-mode analytics. They act only on our instructions under written contracts requiring security and deletion/return at end of service. We publish named subprocessors (name, purpose, data types, region) at /subprocessors and provide change notifications.
Independent Third Parties (controllers): We allow certain advertising/measurement partners to collect limited web/app identifiers directly from your device for their own purposes. Under some state laws, this is a sale/share.
Contract guardrail: We contractually require service providers and third-party recipients to: (i) use personal information only for specified purposes, (ii) implement security controls, (iii) honor applicable opt-out signals and deletion requests we relay, and (iv) delete/return data at end of services.
8) Sale/Share for Ads & Measurement; Your Opt-Out Choices
We sell/share the following categories for ads/measurement: Identifiers & Online IDs, Internet/Network Activity, Inferences. We do not sell/share Customer Content unless you direct us to or separately consent.
This toggle stores your preference and fires a site-wide suppression event. Wire it to disable ad/measurement tags immediately.
Universal signals: We detect and honor Global Privacy Control (GPC) and Universal Opt-Out Mechanisms (UOOM) where required (California and Colorado now; Connecticut effective January 1, 2025). If your browser/extension sends a supported signal, we apply your opt-out automatically.
Third-party categories & purpose: Ad networks, social platforms, and measurement/attribution providers receive the categories above for cross-context behavioral advertising and measurement.
Financial incentives: We do not offer price/discount programs in exchange for personal information at this time. If that changes, we will post a Notice of Financial Incentive.
10) Messaging (A2P SMS/MMS/Voice) & Call Recording
- Your responsibilities: Maintain documented consent for A2P messaging and comply with carrier programs (e.g., 10DLC/toll-free registration).
- Our enforcement: We globally honor STOP/HELP; require campaign/brand registration; may suspend non-compliant senders; and log opt-outs/consents to the extent technically feasible.
- Call recording (if enabled): We surface legally required one-/all-party consent notices based on caller locations. When uncertain, we provide all-party announcements or tones by default. Retention defaults to 90 days (configurable by contract).
11) Retention (Unified)
- Account/Admin & Business Info: life of account + 12 months
- Usage/Device & Online IDs (analytics/ads): 12 months (or until opt-out/setting change)
- Message/Voice Logs: 180 days
- Call Recordings: 90 days (configurable)
- Backups: 35 days by rolling overwrite; not used for active processing
We may retain longer where required by law, to resolve disputes, or ensure service integrity. When you request deletion, we remove from active systems and complete removal from backups through normal rotation.
12) Your Privacy Rights (U.S.)
We provide access, correction, deletion, and opt-out of sale/share and targeted advertising as required by applicable law. Some states also provide the right to appeal and to opt out of certain profiling.
- Submit requests: /privacy-choices, info@verygoodai.co, or 786-224-4585
- Verification: We may request reasonable information to verify identity for access/deletion/correction. Opt-out of sale/share does not require identity verification.
- Response time: 45 days (we may extend once with notice).
- Authorized agents: Allowed with proof of authority; we may confirm with you.
- Appeals: Appeal within 30 days at /privacy-choices → “Appeal a decision.” We respond within 45 days (up to 60 days where required) with reasons. If denied, we explain how to contact your state Attorney General. We maintain request/appeal logs as required by law.
- Non-discrimination: We will not unlawfully discriminate for exercising your rights.
- Nevada: We do not sell “covered information” as defined by Nevada law; opt out via /privacy-choices.
- State disclosures: See /state-privacy for jurisdiction-specific details.
13) Security (What We Actually Do)
We use safeguards appropriate to our services, including encryption in transit/at rest, role-based access controls, MFA for privileged access, audit logging, and least-privilege practices. No method is 100% secure—use strong, unique passwords and enable MFA on your accounts.
14) Consumer Health Data (Guardrail)
Our services are not intended to collect/process consumer health data. We block ingestion of health categories by default. If you need to process such data, you must execute an addendum and enable applicable jurisdictional controls; third-party tracking is disabled on any health-touching surfaces configured in our product.
15) International
We operate in the United States and do not direct services to the EEA/UK. If our coverage changes, we will post an EEA/UK Addendum with transfer mechanisms (e.g., SCCs) and contact details.
16) Third-Party Links & Integrations
If you connect outside platforms (e.g., review sites, POS, carriers), those providers process data under their privacy policies. Review them before enabling.
17) Changes to This Policy
We update this Policy as practices or laws change and post the new date above. If changes are material, we will provide additional notice where required.
18) How to Contact Us
/privacy-choices · info@verygoodai.co · 786-224-4585
For employee/applicant privacy, see /employee-privacy (if applicable).
State Privacy Disclosures (U.S.)
- Your rights (nationwide): access, correction, deletion; opt-out of sale/share and targeted advertising; appeal.
- Opt-out signals: We honor GPC/UOOM (CA/CO now; CT from Jan 1, 2025).
- California (CPRA): sale/share opt-out; minors under 16 require opt-in; Notice at Collection provided; no financial incentive currently.
- Colorado (CPA): universal opt-out mechanism honored; sensitive data requires consent.
- Connecticut (CTDPA): opt-out preference signals honored starting Jan 1, 2025; sensitive data consent.
- Virginia/Utah/Texas/Oregon/Delaware: opt-outs for sale/targeted ads; appeals timelines respected.
- Nevada: we do not sell “covered information” as defined by Nevada law; opt out via /privacy-choices.
Subprocessors
We use vetted Service Providers (processors) to deliver our services. Each processes personal information only under our instructions and contracts requiring security and deletion/return. Subscribe on this page for change notifications.
| Vendor | Purpose | Data Types | Region | Notes |
|---|---|---|---|---|
| (Add entries) | Hosting/compute | Account metadata, telemetry | US | … |
| (Add entries) | Communications (SMS/MMS/voice) | Phone numbers, message/call metadata | US | … |
| (Add entries) | Observability/Security | Logs/diagnostics | US | … |
| (Add entries) | Analytics (processor mode) | Usage events | US | … |
| (Add entries) | Support/CRM | Tickets, contact info | US | … |
Data Processing Addendum (DPA)
Confirms VGAI as processor for Customer Content; includes subprocessor list/change notice; security controls and breach notification timelines; data subject request assistance; regional addenda as needed.