Privacy Policy
Last updated: May 4, 2026
This Privacy Policy explains how X3 E-Commerce LLC d/b/a FrontDesk Global ("FrontDesk Global," "we," "us") collects, uses, and protects information when you use TheAutoReply (the "Service"). By using the Service, you agree to the practices described in this Policy.
1. Information we collect
1.1 Information you provide directly
- Account information: name, business name, email address, password (hashed), phone number, billing address.
- Payment information: processed by Stripe; we never see or store your full card details.
- Business configuration: brand voice settings, custom phrases, staff names you opt to include in replies, escalation preferences.
- Communications: messages you send to [email protected] or via in-app chat.
1.2 Information collected automatically
- Usage data: features you use, replies drafted, replies posted, error logs, IP address, browser, device type, timestamps.
- Cookies and similar technologies: we use first-party cookies to maintain your session and analytics cookies (Plausible, privacy-friendly) to understand product usage. We do not use advertising cookies.
1.3 Information from connected services
When you connect your Google Business Profile, we receive:
- Your business name, address, hours, category, and other public profile information
- Reviews left on your profile (review text, star rating, reviewer display name, timestamp)
- The replies we and you post
We do not receive: customer phone numbers, private messages, or analytics from your Google Business Profile beyond what's needed to draft and post replies.
2. How we use information
We use the information we collect to:
- Provide and operate the Service (read reviews, draft replies, post replies)
- Process payments and send invoices
- Send transactional emails (welcome, trial reminders, billing notifications, security alerts)
- Provide customer support
- Detect, investigate, and prevent fraud or abuse
- Improve our Service through aggregate, anonymized analytics
- Comply with legal obligations
What we do NOT do
- We do not sell your personal data
- We do not share customer data between accounts to "improve" replies
- We do not train AI models on your private content
- We do not use your data for advertising
- We do not share customer data with marketing partners
3. Third-party services
We use a small number of carefully chosen vendors to operate the Service. Each is governed by their own privacy practices.
| Vendor | What they do | What data they receive |
|---|---|---|
| Stripe | Payment processing | Billing name, email, payment method, IP, transaction history |
| Anthropic (Claude) | AI model that drafts replies | Review text + your brand voice configuration; never billing or login data |
| Cloudflare | Hosting, DNS, security, edge processing | Network metadata, IP addresses, traffic patterns |
| Supabase | Database and authentication | Your account record, subscription status, configuration |
| Resend | Transactional email delivery | Your name and email; the email content we send you |
| Plausible | Privacy-friendly site analytics | Aggregated, anonymized; no IP storage or cookies |
| Plain or Intercom | Customer support | Support conversations and your account context |
| | Business Profile API integration | API requests authenticated under your authorization |
All vendors are contractually bound to protect your data and use it only for the purposes of providing services to us.
4. AI processing
The Service uses artificial intelligence (specifically large language models from Anthropic) to draft replies. When the AI processes a review:
- The review text and your brand voice configuration are sent to the AI model
- A draft reply is generated and returned to our systems
- We store the generation log for 90 days for quality assurance and audit
- The AI provider (Anthropic) does not retain your data for training; their data handling commitments are at https://www.anthropic.com/privacy
You can request deletion of all AI generation logs associated with your account at any time.
For full details on AI processing, see our AI Disclosure.
5. Google user data — Limited Use disclosure
This section applies specifically to data we receive from Google APIs (Google Business Profile, Google account email and profile) when you connect your Google account to TheAutoReply.
FrontDesk Global's and TheAutoReply's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- We use Google user data exclusively to provide and improve user-facing features of TheAutoReply — namely, reading reviews from your Google Business Profile and posting reply text you have approved.
- We do not transfer this data to third parties for purposes unrelated to providing TheAutoReply's service to you.
- We do not use this data to serve advertising, including personalized or retargeted advertising.
- We do not use this data to train AI/ML models. Review text and reply drafts are sent to Anthropic's Claude API for inference under Anthropic's zero-retention commercial terms — Anthropic does not retain or train on this data.
- We do not allow humans to read this data unless we have your explicit consent, where required for security investigations, where required to comply with applicable law, or where the data has been aggregated and de-identified for service improvement metrics.
- You can revoke our access to your Google Business Profile at any time by removing TheAutoReply from your Google account permissions. This immediately stops all data access and review syncing on our side.
For Google account email and profile data, we use it only to (a) identify you across sign-ins and (b) display your name and email in your TheAutoReply dashboard. We do not share, sell, or use this data for marketing.
5A. SMS and text messaging
This section applies to SMS/MMS messaging delivered through TestimonialCollect, PreventNoShows, CustomerRetentionAI, and any other FrontDesk Global product that sends text messages to your customers.
FrontDesk Global operates a multi-tenant SMS platform on behalf of our small-business clients. Messages are sent from a 10DLC number registered to X3 E-Commerce LLC via our carrier partner (Twilio and/or Telnyx). When a business owner using one of our products sends or schedules an SMS to their customer, the following applies:
- Who the message is from: messages are personalized with the small business's name and signed by that business. FrontDesk Global is the technical sender of record for carrier compliance purposes.
- Why we collect phone numbers: exclusively to deliver SMS that the end user has consented to receive from the small business they patronize (appointment reminders, review requests, retention messages, account notifications).
- How consent is captured: end users opt in via (a) the web form at frontdeskglobal.com/sms-consent, (b) an explicit unchecked-by-default checkbox at the small business's booking or signup flow, or (c) by texting START to our 10DLC number. The exact consent language they see is: "By providing my phone number I agree to receive recurring SMS messages from [Business Name] about my appointments, reviews, and account. Msg frequency varies, max 8 msgs/month. Msg & data rates may apply. Reply STOP to opt out, HELP for help."
- Consent recordkeeping: we retain a tamper-evident consent ledger for at least 7 years: SHA-256 hash of the phone number, IP address, user agent, ISO-8601 timestamp, and the consent text shown at the time. Stored in encrypted object storage at Cloudflare R2.
- Opt-out: a recipient can reply STOP (also UNSUBSCRIBE, END, CANCEL, QUIT) at any time. Opt-out is honored immediately and irrevocably across all FrontDesk Global products for that phone number, not just the specific business. A confirmation reply is sent.
- Help: a recipient can reply HELP (also INFO) to receive: business name, support contact ([email protected]), and the disclosure that they can reply STOP to opt out.
- Frequency disclosure: message frequency varies by which products the originating business uses, typically up to eight (8) messages per month per recipient.
- Carrier fees: standard message and data rates from the recipient's mobile carrier may apply. FrontDesk Global does not charge end recipients.
- What we do NOT do with phone numbers: we do not sell phone numbers, do not share them with marketing partners, do not transfer them between unrelated small-business clients, do not use them for advertising, and do not allow third-party affiliates or marketing partners to message recipients.
- What we do NOT include in SMS content: we do not send marketing or promotional content on behalf of unaffiliated third parties, do not include third-party advertising, and do not facilitate messaging for prohibited content categories (gambling, firearms, cannabis, controlled substances, etc.) under either Twilio's or Telnyx's acceptable use policies.
6. Data sharing and disclosure
We disclose information only in these circumstances:
- With your consent. When you explicitly authorize us to share specific data.
- To service providers. Listed in Section 3, only as needed to operate the Service.
- To comply with law. Court orders, subpoenas, or legal process. We will notify you when permitted.
- To enforce our Terms. Including investigations of suspected violations.
- In a business transaction. If we are acquired, merged, or sell assets, your data may transfer to the successor — but only under equivalent privacy commitments.
- To protect rights and safety. Yours, ours, or the public's, when there is an imminent threat.
7. Data retention
| Data type | Retention period |
|---|---|
| Account data (active customers) | Duration of account |
| Account data (closed accounts) | 30 days, then deleted |
| Reply history | Duration of account, exportable anytime |
| AI generation logs | 90 days |
| Payment records | 7 years (legal/tax requirement) |
| Support conversations | 2 years |
| Backups | 30 days, automatically deleted |
You can request earlier deletion of any data category by emailing [email protected].
8. Your rights
Depending on where you live, you have rights regarding your personal data. We honor these rights for all users globally, regardless of jurisdiction.
- Access. Request a copy of the personal data we hold about you.
- Correct. Update inaccurate or incomplete data through your dashboard or by contacting us.
- Delete. Request deletion of your account and all associated data.
- Export. Receive your data in a portable format (CSV) for transfer to another service.
- Restrict processing. Limit how we use your data while we resolve a dispute or correction.
- Object. Object to specific uses (e.g., analytics processing).
- Opt out of automated decision-making. Switch from auto-post mode to approve-mode at any time.
To exercise these rights, email [email protected]. We respond within 30 days.
For California residents (CCPA/CPRA)
You have the right to know what personal information we collect, the right to delete it, the right to correct it, and the right to opt out of the "sale" or "sharing" of personal information. We do not sell or share personal information as those terms are defined under CCPA/CPRA.
For EU/UK residents (GDPR/UK GDPR)
We process personal data on the legal bases of (a) contract performance (operating your subscription), (b) legitimate interests (security, fraud prevention, product improvement), and (c) consent (where applicable). You have the right to lodge a complaint with your local data protection authority.
9. Children
The Service is not directed to children under 18 and we do not knowingly collect data from anyone under 18. If you believe we have, contact [email protected] and we will delete the information.
10. International data transfers
We are based in the United States and process data in the U.S. If you access the Service from outside the U.S., your data is transferred to and processed in the U.S. We rely on Standard Contractual Clauses or equivalent safeguards for transfers from the EU/UK.
11. Security
We protect your data with:
- TLS 1.3 encryption for all data in transit
- Encryption at rest for stored data (provided by Supabase, Cloudflare, Stripe)
- Hashed and salted passwords
- Mandatory two-factor authentication on all administrative accounts
- Quarterly access audits
- Logging and alerting on suspicious activity
- Vendor due diligence including SOC 2 Type II reviews where applicable
No system is 100% secure. If a breach affects your data, we will notify you within 72 hours of confirming it, as required by law.
12. Cookies
We use a minimal cookie set:
- Strictly necessary. Session cookies that keep you logged in. These cannot be disabled.
- Analytics. Plausible Analytics, which does not use cookies and does not collect personal data.
We do not use:
- Advertising or marketing cookies
- Third-party tracking pixels (Facebook, LinkedIn, etc.)
- Cross-site behavioral profiling
13. Changes to this Policy
We may update this Privacy Policy. Material changes (e.g., new categories of data collection, new vendors that change data flow) will be communicated by email at least 30 days before they take effect. Non-material changes (typo fixes, clarifications) are made silently with a "Last updated" date change.
14. Contact
For privacy questions, requests, or complaints:
- Email: [email protected]
- Mail: X3 E-Commerce LLC d/b/a FrontDesk Global, [LLC address]
- Response time: within 30 days
For EU/UK users, our designated representative for data protection matters is available by emailing the address above.
This document was drafted for FrontDesk Global pending counsel review. Do not treat as final until signed off by qualified legal counsel.