# Privacy Policy

**Last Updated: April 16, 2026**

Lomelli ("Lomelli," "we," "us," or "our") respects your privacy. This Privacy Policy explains what information we collect when you use our AI-powered booking platform, how we use and protect it, and the rights you have over it. It is written in plain language so you can actually understand what happens to your data.

If anything in this policy is unclear, contact us. Details are at the bottom.

---

## Who We Are

Lomelli is an AI-powered booking automation platform that connects WebChat, WhatsApp, and SMS so service businesses (dental clinics, med spas, HVAC companies, and similar) can answer inbound messages and schedule appointments automatically.

- **Legal entity:** [YOUR-LEGAL-ENTITY-NAME]
- **Registered address:** [YOUR-REGISTERED-ADDRESS]
- **Contact phone:** +1 (448) 413-9729
- **Contact email:** hello@lomelli.ai
- **Data Protection contact:** privacy@lomelli.ai

When you book, chat, or contact us through Lomelli, we act as the **data controller** for personal information we collect directly from you about our own service. When a business uses Lomelli to serve its customers, that business is the **controller** for its customers' data and Lomelli acts as the **data processor** on their behalf under a Data Processing Agreement.

---

## Information We Collect

We only collect what we actually need to run the service.

### Information You Provide

- **Account information:** name, work email, business name, industry, phone number.
- **Billing information:** billing address and tax ID. Card numbers are handled directly by our PCI-compliant payment processor (Stripe); Lomelli never stores full card numbers.
- **Calendar data:** when you connect Google Calendar, we receive read/write access scoped to the calendars you authorize.
- **Conversation content:** messages exchanged through web chat, SMS, and WhatsApp inside Lomelli.
- **Contact form submissions:** first name, last name, email, and the message you send us.
- **Support communications:** anything you tell us in email, phone, or live chat.

### Information Collected Automatically

- **Usage data:** pages viewed, features used, clicks, timestamps, referring URL.
- **Device and log data:** IP address, browser type, operating system, device identifiers, crash reports.
- **Cookies and similar tracking:** see our [Cookie Policy](cookie-policy.md).

### Information from Third Parties

- **Messaging providers:** we receive message content, sender phone numbers, and delivery status from Twilio (SMS/WhatsApp) when those channels are connected.
- **Calendar provider:** Google OAuth tokens and calendar availability from Google Calendar.
- **Payment provider:** subscription status and billing events from Stripe.
- **Email provider:** bounce and deliverability events from Resend.

We do **not** buy personal information from data brokers.

---

## How We Use Your Information

We use your information only for the following purposes:

- Provide, operate, and maintain the Lomelli service.
- Authenticate users, protect accounts, and prevent fraud and abuse.
- Book appointments on your calendar, send reminders, and follow up on no-shows.
- Qualify leads and score conversations so your team can focus on high-intent customers.
- Process payments and send invoices and receipts.
- Respond to your contact-form submissions, support requests, and inquiries.
- Improve our AI models and product. Conversation data used for improvement is **aggregated and de-identified** before any analysis, unless you have given us explicit separate consent.
- Send essential service notices (security alerts, billing changes, policy updates).
- Send marketing communications — only where we have a lawful basis and always with an unsubscribe link.
- Comply with legal obligations and enforce our [Terms of Service](terms-of-service.md).

We do **not** sell your personal information. We do **not** share it with advertisers. We do **not** use your customers' conversation content to train AI models that are shared with anyone else.

---

## Legal Basis for Processing (GDPR)

Where GDPR applies, we rely on the following legal bases:

- **Contract** (Art. 6(1)(b)): to provide the service you signed up for.
- **Legitimate interests** (Art. 6(1)(f)): to keep the service secure, prevent abuse, and improve the product.
- **Consent** (Art. 6(1)(a)): for optional features, marketing emails, and non-essential cookies. You can withdraw consent at any time.
- **Legal obligation** (Art. 6(1)(c)): to meet tax, accounting, and regulatory requirements.

---

## How We Share Your Information

We share information only with the following categories of recipients, and only as needed to run the service:

- **Service providers ("sub-processors"):** hosting, databases, payment processing, messaging, email delivery, analytics, error tracking, customer support tooling. All sub-processors are bound by written contracts with confidentiality and security obligations.
- **Connected platforms:** Google Calendar, Twilio (SMS/WhatsApp), your email provider, your CRM — only the specific fields required by the integration you authorized.
- **Legal and safety:** we disclose information to comply with a valid subpoena, court order, or lawful request, or to protect rights, safety, and property.
- **Business transfers:** if Lomelli is acquired or merged, information transfers under the same protections; users are notified in advance.

A current list of key sub-processors is available on request at privacy@lomelli.ai.

---

## AI and Automated Processing

Lomelli uses large language models to generate replies, qualify leads, and suggest bookings. Here is what that means for your data:

- Conversation content is sent to our LLM provider (Groq, Llama 4 Scout) for inference. The provider operates under a zero-retention contract: prompts and responses are **not** retained by the provider and are **not** used to train their models.
- AI output is not guaranteed to be perfect. Important actions (booking, cancellation, payment) always require explicit user confirmation. See our [Terms of Service](terms-of-service.md) for details.
- You are entitled to human review of any automated decision that meaningfully affects you. Contact privacy@lomelli.ai.

---

## Data Retention

We keep personal data only as long as we need to:

| Category                      | Retention                                            |
|-------------------------------|------------------------------------------------------|
| Active account data           | While your account is active                         |
| Billing and tax records       | 7 years (legal obligation)                           |
| Conversation transcripts      | 24 months, then aggregated and de-identified         |
| Contact form submissions      | 24 months                                            |
| Security and audit logs       | 12 months                                            |
| Marketing contact lists       | Until unsubscribe, or 3 years of inactivity          |
| Backups                       | Rolling 30-day window before automated expiry        |

When you close your account, we delete or anonymize your personal data within 90 days, except where retention is required by law.

---

## Data Security

We treat your information the way we would want ours treated.

- **In transit:** all traffic uses TLS 1.3. Lomelli does not accept unencrypted HTTP.
- **At rest:** databases and object storage are encrypted with AES-256.
- **Passwords:** hashed using bcrypt with a per-user salt. Passwords are never stored in plaintext and never logged.
- **Secrets and tokens:** stored in a managed secrets vault, rotated on a schedule, never committed to source control.
- **Access control:** employees get the least privilege needed for their role. Production access requires multi-factor authentication and is logged.
- **Isolation:** each customer's business data is logically isolated in our database by a tenant identifier and enforced by row-level security.
- **Network security:** production systems sit behind a firewall, a web application firewall, and rate-limiting middleware. Bot and injection attempts are logged and blocked.
- **Dependency hygiene:** our dependencies are scanned for known vulnerabilities on every build; critical patches ship within 48 hours.
- **Backups:** encrypted, geographically redundant, tested monthly.
- **Incident response:** we will notify affected customers and, where required, supervisory authorities within 72 hours of confirming a personal-data breach, as required by GDPR Article 33.

No system is perfectly secure. If you believe you have found a vulnerability, please email security@lomelli.ai — we appreciate coordinated disclosure.

---

## International Data Transfers

Lomelli is operated from the United States. If you access Lomelli from outside the US, your information will be transferred to, stored, and processed in the US or in other countries where we or our sub-processors operate.

Where data is transferred out of the EEA, UK, or Switzerland, we rely on the European Commission's **Standard Contractual Clauses** or other lawful transfer mechanisms, and we perform a transfer impact assessment for each sub-processor.

---

## Your Rights and Choices

### For EU/EEA, UK, and Swiss residents (GDPR / UK GDPR)

You have the right to:

- **Access** the personal data we hold about you.
- **Rectify** inaccurate or incomplete data.
- **Erase** your data ("right to be forgotten"), subject to legal retention obligations.
- **Restrict** or **object** to processing.
- **Data portability** — get a copy of your data in a structured, machine-readable format.
- **Withdraw consent** at any time where processing is based on consent.
- **Lodge a complaint** with your local supervisory authority.

### For California residents (CCPA/CPRA)

You have the right to:

- **Know** what personal information we collect, use, and disclose.
- **Delete** your personal information.
- **Correct** inaccurate personal information.
- **Limit** the use of sensitive personal information.
- **Opt out** of sale or sharing. Lomelli **does not sell personal information** and **does not share it for cross-context behavioral advertising**, so there is nothing to opt out of, but you can still confirm that in writing.
- **Non-discrimination** — we will not charge you more or give you less service for exercising any of these rights.

### For all users

You can:

- Update your account information at any time from your account settings.
- Download an export of your data from your account settings.
- Unsubscribe from marketing emails using the link in every email.
- Manage cookies using our [Cookie Policy](cookie-policy.md).

To exercise any right, email **privacy@lomelli.ai**. We respond within 30 days (45 days in exceptional cases, with notice).

---

## Children's Privacy

Lomelli is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us and we will delete it.

---

## Changes to This Policy

We will post any changes to this policy here and update the "Last Updated" date. For material changes, we will notify registered users by email or in-product notice at least 30 days before the change takes effect.

---

## Contact Us

Privacy questions, requests, or complaints:

- **Email:** privacy@lomelli.ai
- **General contact:** hello@lomelli.ai
- **Phone:** +1 (448) 413-9729
- **Postal mail:** [YOUR-REGISTERED-ADDRESS]

---

*This Privacy Policy is a thorough starting point and not a substitute for legal advice. Please have it reviewed by a qualified attorney before publishing.*
