Privacy Policy
Effective April 30, 2026. This Policy is non-contractual and is supplemented by our Terms of Service, Data Processing Addendum, and Acceptable Use Policy.
B&G Solutions ("we," "us," "our," "Company") provides AI-assisted operations software to U.S. trades businesses. This Privacy Policy explains how we collect, use, disclose, and safeguard personal information about (1) our paying customers, who are trades businesses (each a "Customer"); and (2) the end customers of those businesses — homeowners and other recipients who call, text, email, book, or review the trades business (each an "End User"). For End User personal data, the Customer is the data controller and Company is the data processor.
1. Categories of personal information we collect
From Customers: name, business name, email, phone, business and billing address, payment instrument metadata (Stripe customer ID and last-4 only — we do not store full card numbers), tax identifiers, GBP and CRM access credentials (OAuth tokens — we do not see passwords), service-area settings, uploaded documents (logo, license, insurance), product analytics, IP address, device and browser metadata, support communications, and account audit logs.
From End Users (collected on Customer's behalf): phone number, name (where provided), service address (where provided for dispatch), inbound and outbound voice-call audio, call transcripts, SMS message content, email content, booking metadata (date, time, job description), review content and star rating, and limited identifiers necessary to deduplicate or match contacts. Voice recordings and transcripts may incidentally contain "sensitive personal information" within the meaning of California Civil Code § 1798.140(ae) (including precise geolocation, account log-in credentials a caller chooses to reveal, or personal health information a caller chooses to disclose).
We do not knowingly collect personal information from anyone under 16. We do not collect government IDs, financial-account numbers, or biometric identifiers, except as voluntarily disclosed during a call.
2. Sources of personal information
(a) Directly from Customers (signup, dashboard, support); (b) directly from End Users (calls, texts, web forms, online reviews); (c) from third-party platforms with Customer's authorization (Google Business Profile, the Customer's CRM, Twilio, Stripe); (d) automatically as you use the Service (logs, analytics, cookies); and (e) from public sources during outbound prospecting where applicable.
3. How we use personal information
- To deliver the Service (answer calls, capture leads, draft messages, schedule jobs, request and post reviews, generate posts, etc.);
- To communicate with Customer about its account, billing, support, and product updates;
- To detect, investigate, and prevent fraud, abuse, and security incidents;
- To comply with legal obligations (tax, subpoena, regulatory inquiry, law-enforcement request);
- To enforce our Terms and AUP and to defend or prosecute legal claims;
- To improve the Service using de-identified, aggregated usage analytics; and
- To exercise other lawful business purposes consistent with this Policy.
What we do not do. We do not "sell" personal information for money. We do not "share" personal information for cross-context behavioral advertising. We do not use End User call recordings, transcripts, SMS content, or other Customer Data to train cross-customer or third-party AI models. We do not disclose Customer pipeline data to its competitors. We do not use End User personal data for our own marketing.
4. Automated decision-making & AI
The Service uses generative AI (Anthropic Claude, xAI Grok, and self-hosted local models) to draft messages, classify intent, summarize conversations, and propose next actions. AI outputs are reviewed by a human (the Customer or, where contracted, Company personnel) before being transmitted to End Users in any case where applicable law or these policies require human review. AI processing does not produce decisions with legal or similarly significant effects without human involvement. End Users in jurisdictions that grant a right to opt out of profiling for legally significant decisions (such as Colorado, Connecticut, Texas, and Virginia) may exercise that right per Section 9.
5. Disclosure to third parties & sub-processors
We disclose personal information only to the categories of recipients below and only as necessary for the listed purposes:
| Category of recipient | Purpose | Categories of personal information |
|---|---|---|
| Communications carriers | Voice & SMS transport, transcription | Phone numbers, message bodies, call audio |
| Payment processor | Subscription billing & payouts | Customer billing identifiers (no full card numbers) |
| Generative AI providers | AI reasoning, drafting, classification, summarization | Prompts & conversation content (contracts prohibit training on our data) |
| Productivity & listing platforms (with Customer authorization) | Calendar sync, business-listing posting, mapping | Business listing data, scheduling, location queries |
| Edge / DNS / static-asset hosting providers | DNS resolution, TLS termination, asset delivery | IP addresses, request metadata |
| Customer's chosen CRM or scheduling software | Job, contact, and calendar sync at Customer's direction | Customer-authorized job and contact data |
| On-device / self-hosted AI inference | Local model inference | Data does not leave Company-controlled hardware |
This list reflects the categories of recipients we engage, consistent with U.S. state privacy statutes (CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, MCDPA, TIPA, ICDPA, DPDPA, NJDPA, NHDPA, MODPA, Minnesota CDPA, RIDTPPA) and the GDPR. Where a state statute grants you the right to request the specific identities of our sub-processors (currently Oregon's OCPA, Delaware's DPDPA, and California's CCPA on verified consumer request), we will provide that list within the response window required by law via the contact in §9.
We may also disclose personal information (i) to our auditors, attorneys, accountants, and insurers under confidentiality, (ii) in connection with a merger, acquisition, financing, reorganization, or sale of all or part of our business, (iii) to law enforcement or to comply with a lawful subpoena, court order, or regulator request, (iv) to enforce our agreements or protect rights, property, or safety, or (v) with your consent.
6. SMS & phone consent
SMS messages are sent to End Users only when the Customer represents it has the legal basis to do so (prior express written consent for marketing messages and prior express consent for informational messages, plus current DNC scrubbing). End Users may reply STOP to opt out of any further messages from the Customer's SMS program; HELP for assistance. Opt-out flags are retained indefinitely to prevent re-messaging. Mobile phone numbers and SMS content are not sold, rented, or shared with third parties for marketing purposes, and are not shared with affiliates for their own marketing.
7. Call recording & AI disclosure
Inbound and outbound calls placed through Company-operated phone numbers are recorded for quality, training, and dispute-resolution purposes. A recorded disclosure ("This call may be recorded") is played at the start of each call by default. In states that generally require all-party consent — California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, Washington — the disclosure satisfies the consent requirement when callers continue the conversation after hearing it. State law on call-recording consent varies and changes; Customer is responsible for assessing the law of any state from which it expects calls. AI-generated customer-facing communications include an AI-disclosure notice ("This message was generated with the assistance of artificial intelligence on behalf of [Business]. A human reviews replies.") and, where applicable, the disclosures required by Georgia's conversational-AI law (Senate Bill 540, when effective) and any other state AI-disclosure statute. If a Customer instructs Company to disable any disclosure, the Customer assumes the related compliance and indemnity risk under the Terms of Service.
8. Storage, security & international transfers
Primary storage is on Company-controlled hardware in Atlanta, Georgia. Backups are encrypted at rest using age encryption and are mirrored to encrypted external media; backup keys are kept off-device. Data in transit is protected with TLS. Access to administrative surfaces requires authenticated sessions and is logged. Sub-processors above are located in the United States; we do not intentionally transfer personal data outside the United States. Where a transfer to another jurisdiction becomes necessary (for example, an authorized vendor's regional infrastructure), we will use a lawful transfer mechanism (such as Standard Contractual Clauses).
9. Your privacy rights
Subject to verification and applicable exceptions, you may have the following rights under U.S. state privacy laws:
| State | Statute | Rights honored |
|---|---|---|
| California | CCPA / CPRA | Know, access, delete, correct, opt-out of sale/share, limit use of SPI, non-discrimination, authorized agent |
| Virginia | VCDPA | Know, access, delete, correct, portability, opt-out, appeal |
| Colorado | CPA | Same as VCDPA + opt-out of profiling |
| Connecticut | CTDPA | Same as CPA |
| Utah | UCPA | Know, access, delete, portability, opt-out |
| Texas | TDPSA | Know, access, delete, correct, portability, opt-out, appeal |
| Oregon | OCPA | Same as TDPSA + list of specific recipients |
| Montana | MCDPA (Montana) | Same as VCDPA |
| Tennessee | TIPA | Same as VCDPA |
| Iowa | ICDPA (Iowa) | Know, delete, portability, opt-out |
| Delaware | DPDPA | Same as VCDPA + list of specific recipients |
| New Jersey | NJDPA | Same as VCDPA |
| New Hampshire | NHDPA | Same as VCDPA |
| Maryland | MODPA | Same as VCDPA + heightened SPI restrictions |
| Minnesota | Minn. Consumer Data Privacy Act | Same as VCDPA + AI profiling explanation right |
| Rhode Island | RIDTPPA | Know, access, delete, correct, opt-out |
Where you are an End User, your direct relationship is with the Customer (who is the controller). We will route applicable requests to the Customer and assist within the timelines required by law. Where you are a Customer, contact us directly.
How to exercise your rights. Email [email protected] with subject "Privacy Request" and identify (i) the right(s) you wish to exercise, (ii) the business name (Customer) involved if any, and (iii) information sufficient to verify your identity (typically email and phone associated with your records, plus a second factor we request). We respond within 45 days (extendable by 45 more for complex requests, on notice). Verified deletion requests are honored unless an exception applies (legal hold, fraud prevention, completion of a transaction the End User requested, internal uses reasonably aligned with the End User's expectations). You may appeal a denial by replying to our response within 60 days; we will respond within 60 days, and if denied you may contact your state Attorney General.
Authorized agents. California residents may use an authorized agent. The agent must provide written authorization from the consumer, and we will verify both.
Non-discrimination. We do not deny goods or services, charge different prices, or provide a different level of quality because you exercise a privacy right.
"Shine the Light" (Cal. Civ. Code § 1798.83). We do not share End User personal information with third parties for those third parties' direct-marketing purposes; California residents may request confirmation by emailing the address above.
Nevada SB 220. We do not sell personal information; Nevada residents may submit a verified request to that effect at the same address.
10. Cookies, tracking & analytics
Our marketing site uses essential cookies (session, CSRF) and may use lightweight first-party analytics (page views, interaction counts) and Microsoft Clarity (heatmaps and session replay) to understand site usage. We honor the Global Privacy Control (GPC) signal as a valid opt-out of "sale" or "sharing" where applicable; if your browser sends GPC, we treat it as a request to opt out for that browser session. We do not respond to legacy "Do Not Track" headers because there is no industry consensus. The dashboard product surfaces use only authentication and CSRF cookies.
11. Retention
- Call audio recordings: 90 days, then auto-deleted
- Call and SMS transcripts (text): 2 years
- Booking and review records: 2 years
- Account and contact records: while the Service is active and 60 days after termination
- Billing records (invoices, payments): 7 years (tax-record retention)
- Security and audit logs: 1 year
- Opt-out and DNC flags: indefinitely (to prevent re-messaging)
- De-identified, aggregated analytics with no personal identifiers: indefinitely
If a Customer cancels, we delete operational personal data within 30 days of the cancellation effective date, except where retention is required to comply with law, resolve disputes, or enforce agreements.
12. Security incidents
We maintain administrative, technical, and physical safeguards designed to protect personal information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. No system is perfectly secure. If we discover a security incident affecting personal information, we will notify affected Customers without undue delay and within 72 hours of confirmation, and will assist Customers with their downstream notification obligations to End Users.
13. Children
The Service is for businesses. We do not knowingly collect personal information from anyone under 16. Customers must not direct the Service at, or knowingly process personal data of, children under 13 (per COPPA, 15 U.S.C. § 6501) without obtaining verifiable parental consent.
14. Specialized regulations
The Service is not designed or held out for use under HIPAA (45 C.F.R. Parts 160 & 164), GLBA, FCRA, FERPA, or as a "Covered Entity" or "Business Associate" under HIPAA. Customers must not use the Service to process protected health information, financial-account information regulated by GLBA, consumer reports under FCRA, or education records under FERPA, without a separate written agreement. We do not enter Business Associate Agreements at standard pricing tiers.
15. Changes to this Policy
We may update this Policy. The "Effective" date above reflects the current version. Material changes will be emailed to Customers at least 14 days before they take effect.
16. Contact
Privacy contact: [email protected] (subject: "Privacy Request"). Mailing address: B&G Solutions, Atlanta, Georgia, USA. Privacy lead: Barukh Aronov.
Questions: [email protected] · Last updated April 30, 2026