
Privacy Policy

Effective Date: March 21, 2026  ·  Last Updated: April 25, 2026

1. Introduction

NightAI ("NightAI," "we," "our," or "us") is committed to protecting the privacy of the people whose information we handle. This Privacy Policy explains how NightAI collects, uses, stores, shares, and protects personal information in connection with:

  • Business Customers — companies and individuals who subscribe to and operate the NightAI platform to deploy an AI voice agent for their business;
  • End-User Callers — individuals who call a business that has deployed a NightAI AI voice agent;
  • Website Visitors — individuals who visit getnightai.com or any NightAI web property.

By using the Service or accessing our website, you acknowledge you have read and understand this Privacy Policy. If you do not agree with this policy, please do not use our services.

This Policy does not cover personal information that NightAI processes on behalf of a Business Customer, to the extent that the Business Customer acts as a data controller for such information. In those cases, please refer to the Business Customer's own privacy policy.

2. Data Controller vs. Processor Roles

Privacy law distinguishes between "data controllers" (those who determine the purposes and means of processing personal data) and "data processors" (those who process data on a controller's behalf). NightAI plays both roles depending on the context:

NightAI as Data Controller

NightAI acts as a data controller for the following categories of data:

  • Business customer account data (name, email, company name, billing information);
  • Platform usage analytics and access logs;
  • Payment and subscription data processed via Stripe;
  • Communications you send to NightAI (support inquiries, legal requests, etc.);
  • Website visitor data collected via cookies and analytics.

For this data, NightAI determines why and how the data is processed and is responsible for complying with applicable data protection law.

NightAI as Data Processor

NightAI acts as a data processor for personal data collected by the AI voice agent during a call placed to a Business Customer's phone number. This includes caller name, phone number, email address, appointment details, and spoken conversational content.

In this context, the Business Customer is the data controller and is responsible for:

  • Having a lawful basis for collecting the caller's personal data;
  • Providing appropriate privacy disclosures to callers before or during calls;
  • Responding to callers' data rights requests (see Section 8);
  • Complying with all applicable privacy laws in their jurisdiction regarding caller data.

NightAI processes caller data only as directed by the Business Customer's configuration of the Service and as described in this Policy. NightAI will not use caller data for its own independent commercial purposes.

3. Information We Collect

a. From Business Customers

When you register for and use NightAI as a business customer, we collect:

  • Account information: Your name, business name, email address, phone number, and account credentials;
  • Billing information: Your billing address and payment method information, processed and stored by Stripe. NightAI does not store your card number, CVV, or full payment card data;
  • Provider credentials: API keys for Twilio, OpenAI, and Retell AI that you connect to your NightAI account. These are encrypted at rest using AES-256-GCM encryption;
  • Business configuration: Your Twilio phone number(s), business hours, appointment duration settings, AI agent name, and any custom system prompt you configure;
  • Usage and access logs: Records of login activity, API usage, feature usage, and platform events, used for security, debugging, and service improvement;
  • Communications: Any correspondence you send to NightAI, including support tickets, legal inquiries, or onboarding communications.

b. From Callers and Web Widget Users (End Users)

When an individual calls a business that uses NightAI, or initiates a voice interaction through a NightAI web widget embedded on a Business Customer's website, the AI voice agent may collect the following:

  • Phone number: Automatically captured via Twilio's caller ID (the Twilio "From" field). The caller does not need to speak their phone number;
  • Name: Spoken by the caller during the call;
  • Email address: Spoken by the caller for the purpose of receiving an appointment confirmation and calendar invite;
  • Requested appointment date and time: Spoken by the caller;
  • Reason for appointment: Spoken by the caller;
  • Spoken conversational content: The substance of the caller's conversation with the AI agent is processed in real time by OpenAI's API to generate responses. Call session state, including conversation history, is temporarily stored in Redis with a 30-minute auto-expiry TTL. After 30 minutes, the session state is automatically and permanently deleted.

NightAI collects this information only to provide the appointment scheduling service on behalf of the Business Customer. Structured appointment data (name, phone, email, date, reason) is stored in the Business Customer's appointment records in a PostgreSQL database hosted on Railway.

Caller Consent

NightAI's AI voice agent is designed to provide an AI identity disclosure and, where applicable, a recording notice in the greeting at the start of every call. A caller's continued participation in the call after hearing this disclosure constitutes implied consent to the collection and use of information they provide during the call for the sole purpose of scheduling their appointment.

For online bookings made through a NightAI-powered booking page, callers must check an explicit consent checkbox before submitting their appointment request. This constitutes express consent. The method and timestamp of consent (voice_implied or web_explicit) are recorded on every appointment record created through NightAI and are available to the Business Customer in their records.

When a caller or online booking user provides a mobile phone number and consents to SMS messaging, NightAI may use that number to send transactional appointment and customer-care text messages, including confirmations, reminders, cancellation updates, scheduling follow-up, and support replies. Message frequency varies based on the user's activity. Message and data rates may apply. Users can reply HELP for help or STOP to opt out.

Callers who provide an email address during a call or online booking consent to receiving transactional emails related to their appointment (confirmation, calendar invite, reminders). Email addresses collected through NightAI are used solely for appointment-related transactional communications and will not be used for marketing without separate consent.

For web widget interactions initiated on a Business Customer's website, the Business Customer is responsible for displaying appropriate consent notices to site visitors before the widget initiates a voice interaction. NightAI processes web widget call data under the same terms as phone call data described above.

If you are a caller or web widget user who wishes to request access to, correction of, or deletion of your personal data, please contact the business whose website or phone line you interacted with directly, or email [email protected] and we will route your request to the appropriate Business Customer.

c. From Website Visitors

When you visit the NightAI website (getnightai.com), we may automatically collect:

  • IP address and approximate geographic location;
  • Browser type and version, operating system, and device type;
  • Pages viewed, time spent, referring URL, and click patterns;
  • Session cookies for maintaining your browsing session;
  • Analytics cookies if you have not opted out, used to understand how visitors use the site.

You can control cookie behavior through your browser settings. Disabling cookies may affect certain website functionality.

4. How We Use Information

NightAI uses the information we collect for the following purposes:

To Provide and Operate the Service

  • Processing inbound calls and operating the AI voice agent on behalf of Business Customers;
  • Recording and confirming appointments in the Business Customer's dashboard;
  • Sending appointment confirmation emails with .ics calendar invites to callers via SendGrid;
  • Maintaining Business Customer accounts and settings;
  • Processing subscription payments via Stripe.

To Improve and Secure the Service

  • Diagnosing and resolving technical issues;
  • Monitoring platform performance and availability;
  • Detecting and preventing fraudulent or abusive activity;
  • Ensuring the security of accounts and API credentials.

To Communicate With You

  • Sending onboarding communications and product updates to Business Customers;
  • Responding to support requests, legal inquiries, and other communications;
  • Sending billing notifications, invoices, and payment receipts;
  • Notifying Business Customers of material changes to these policies (see Section 11).

To Comply With Legal Obligations

  • Responding to lawful requests from government authorities or courts;
  • Maintaining records as required by applicable law;
  • Enforcing our Terms of Service.

NightAI does not use caller personal data for advertising, marketing, profiling, or any purpose beyond providing the appointment scheduling Service to the Business Customer. NightAI does not sell personal data to third parties. See Section 9.

5. Sub-Processors

To deliver the Service, NightAI engages the following third-party sub-processors who may process personal data on NightAI's behalf. We have entered into appropriate data processing agreements or rely on equivalent contractual protections with each sub-processor.

| Sub-Processor | Purpose | Data Processed |
| --- | --- | --- |
| Twilio | Voice and telephony infrastructure; inbound call routing and PSTN connectivity | Caller phone number (From), called number (To), call duration, call audio |
| OpenAI | AI language model processing; interprets caller speech and generates AI responses | Conversational content (spoken words transcribed by Twilio, sent to OpenAI API for language processing). Per OpenAI's current API policy, OpenAI does not use API data to train its models. This policy may change; see OpenAI's privacy policy for current terms. |
| Retell AI | Speech-to-text transcription of caller audio, text-to-speech synthesis, and call orchestration. NightAI has executed a signed BAA and Data Processing Agreement with Retell AI. | Caller audio (real-time, for STT); agent response text (for TTS synthesis). Audio is not retained by NightAI beyond real-time processing. |
| Railway (PostgreSQL) | Cloud database hosting; stores appointment records, business account data, and platform configuration | Caller name, phone, email, appointment date/time, appointment reason; Business Customer account data |
| Redis | Session and conversation state caching; holds active call session state during a call | Conversation history, collected fields (name, email, date, reason), call phase. Auto-expires after 30 minutes; no persistent storage. |
| Stripe | Payment processing and subscription billing | Business Customer billing address and payment method. NightAI does not store card numbers, CVV, or full PAN data. Stripe maintains PCI DSS Level 1 certification. |
| SendGrid (Twilio) | Transactional email delivery; sends appointment confirmation emails and .ics calendar invites to callers | Caller email address, caller name, appointment details, Business Customer name and contact details included in the email |

NightAI will notify Business Customers of material changes to sub-processors with at least 30 days' advance notice where feasible. An up-to-date list of sub-processors is available upon request at [email protected].

6. Data Retention

NightAI retains personal data only for as long as necessary to fulfill the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods include:

  • Redis session state (call sessions): Automatically expires and is deleted 30 minutes after a call ends. This data is not archived or transferred to persistent storage.
  • Appointment records (caller PII in database): Retained for the duration of the Business Customer's active subscription, plus a 30-day grace period following cancellation or termination. After the grace period, appointment records and associated caller PII are permanently deleted.
  • Business Customer account data: Retained for the duration of the subscription plus 60 days following account termination, after which it is permanently deleted, subject to any legal hold obligations.
  • Stripe payment data: Managed and retained by Stripe in accordance with their data retention policy and PCI DSS requirements. NightAI does not independently store card numbers or payment card data.
  • Access and security logs: Retained for up to 90 days for security, debugging, and incident investigation purposes, then deleted.
  • Communications (support tickets, emails): Retained for up to 2 years from the date of the last communication.

When data is deleted, NightAI uses industry-standard secure deletion practices. Data stored by sub-processors is deleted in accordance with the applicable data processing agreements.

7. Data Security

NightAI takes the security of personal data seriously and implements technical and organizational safeguards appropriate to the risk, including:

  • Encryption at rest: API credentials (Twilio, OpenAI, Retell AI) stored in the database are encrypted using AES-256-GCM encryption. The encryption key is stored separately from the encrypted data and is never logged.
  • Encryption in transit: All data transmitted between your browser and NightAI's servers, and between NightAI and its sub-processors, is protected using TLS 1.2 or higher.
  • Webhook signature validation: Inbound webhooks from Twilio are validated using Twilio's X-Twilio-Signature mechanism, preventing unauthorized webhook injection.
  • Minimal PII in logs: NightAI's application logs are designed to avoid capturing personally identifiable information such as caller names, email addresses, or phone numbers.
  • Access controls: Access to production systems is restricted to authorized personnel on a need-to-know basis.
  • Redis TTL: Conversation session data in Redis is set with a hard 30-minute TTL, limiting the window of exposure for in-flight call data.

Despite these measures, no security system is impenetrable. NightAI cannot guarantee the absolute security of information transmitted over the internet. In the event of a data breach, NightAI will notify affected Business Customers within 72 hours of discovering a material breach, as described in the Security page.

8. Your Privacy Rights by Jurisdiction

Depending on where you reside, you may have rights under applicable privacy laws regarding the personal information NightAI holds about you. The following is a summary of rights available in the US jurisdictions most likely to apply to our users. This list is not exhaustive and does not constitute legal advice. We honor applicable rights regardless of whether your jurisdiction is listed below.

California (CCPA / CPRA)

California residents have the following rights under the California Consumer Privacy Act (as amended by the California Privacy Rights Act):

  • Right to Know — request disclosure of the categories and specific pieces of personal information we hold about you, the sources from which it was collected, our purposes for collecting it, and the categories of third parties we share it with;
  • Right to Delete — request deletion of personal information we hold about you, subject to certain exceptions (e.g., where retention is required by law);
  • Right to Correct — request correction of inaccurate personal information;
  • Right to Opt-Out of Sale or Sharing — NightAI does not sell or share personal information for cross-context behavioral advertising. This right is therefore already satisfied. See Section 9 and our Do Not Sell page;
  • Right to Limit Use of Sensitive Personal Information — NightAI does not use sensitive personal information for purposes beyond those permitted by CPRA.

Colorado (CPA)

Colorado residents have the following rights under the Colorado Privacy Act (effective July 1, 2023):

  • Right to access, correct, and delete personal data;
  • Right to data portability;
  • Right to opt out of the sale of personal data, targeted advertising, and profiling for significant decisions.

Virginia (CDPA)

Virginia residents have the following rights under the Consumer Data Protection Act (effective January 1, 2023):

  • Right to access, correct, and delete personal data;
  • Right to data portability;
  • Right to opt out of the sale of personal data, targeted advertising, and profiling for decisions that produce significant legal or similar effects.

Texas (TDPSA)

Texas residents have the following rights under the Texas Data Privacy and Security Act (effective July 1, 2024):

  • Right to access, correct, and delete personal data;
  • Right to data portability;
  • Right to opt out of the sale of personal data, targeted advertising, and profiling for significant decisions.

Connecticut (CTDPA)

Connecticut residents have the following rights under the Connecticut Data Privacy Act (effective July 1, 2023):

  • Right to access, correct, and delete personal data;
  • Right to data portability;
  • Right to opt out of the processing of personal data for targeted advertising, the sale of personal data, and profiling for significant decisions.

Other US States and International Users

Additional state privacy laws are in effect or taking effect in Oregon, Montana, Indiana, Tennessee, Florida, and other states. NightAI honors valid opt-out and deletion requests from residents of any jurisdiction, regardless of whether a specific state law mandates it. EU, UK, and other international users may also have rights under GDPR or equivalent frameworks; contact us at [email protected] to discuss applicable rights.

How to Submit a Request

To exercise any of the rights above, submit a request to [email protected] with sufficient information to verify your identity and describe your request. We will respond within 45 days of receipt of a verifiable request, with up to a 90-day extension where complexity requires it (we will notify you of any extension). We will not discriminate against you for exercising your privacy rights.

Note for Callers (End Users)

If you are a caller who used an AI agent operated by a NightAI Business Customer and wish to exercise data rights (including deletion of your appointment record), your request should be submitted directly to the business whose phone number you called. That business is the data controller for your information and is responsible for responding to your request. NightAI will process data deletion requests on a Business Customer's behalf when the Business Customer instructs us to do so.

If you are unable to reach the business or believe your request is not being addressed, contact NightAI at [email protected] and we will assist where we are able.

9. Do Not Sell or Share My Personal Information

NightAI does not sell personal information to third parties. NightAI does not share personal information with third parties for cross-context behavioral advertising or targeted advertising purposes. We share personal data only with our sub-processors (listed in Section 5) as necessary to provide the Service, and with government or law enforcement authorities when required by law.

Mobile phone numbers, SMS opt-in data, and text messaging consent records are used only to provide NightAI appointment, scheduling, and customer-care messaging. NightAI does not sell or share mobile information, SMS opt-in data, or text messaging consent with third parties or affiliates for marketing or promotional purposes. This exclusion applies to all categories of personal information described in this Policy.

This applies to personal information collected from Business Customers, callers, and website visitors. We do not monetize personal data in any form.

To formally exercise your right to opt out of the sale or sharing of personal information — even though no sale or sharing occurs — visit our dedicated Do Not Sell or Share My Personal Information page, which includes instructions for submitting a request and information about your rights by state.

10. Children's Privacy

The NightAI platform and website are not directed to individuals under the age of 13, and NightAI does not knowingly collect personal information from children under 13 in accordance with the Children's Online Privacy Protection Act (COPPA). The Service is intended for use by businesses and their adult staff only.

If you are a Business Customer deploying NightAI for a service that may receive calls from minors, you are responsible for complying with applicable laws regarding the collection of data from minors. NightAI recommends that Business Customers serving minors take appropriate legal advice before deploying AI-based call handling.

If NightAI becomes aware that it has inadvertently collected personal information from a child under 13, it will take reasonable steps to delete such information promptly. If you believe NightAI may have collected information from a child, contact [email protected].

11. Changes to This Policy

NightAI reserves the right to update this Privacy Policy at any time. We will provide at least 30 days' advance notice of material changes by:

  • Sending an email to registered Business Customers at their account email address;
  • Posting a prominent notice on the NightAI dashboard; and/or
  • Updating the "Last Updated" date at the top of this page.

Non-material changes (such as clarifications or corrections that do not affect your rights) may take effect immediately upon posting. Your continued use of the Service after the effective date of any material change constitutes your acceptance of the updated Policy.

We maintain an archive of prior versions of this Policy, available upon request at [email protected].

12. Contact

For questions, concerns, or requests related to this Privacy Policy or NightAI's data practices, please contact:

NightAI Privacy
Email: [email protected]
Response time: within 45 days for verifiable data rights requests; within 5 business days for general inquiries.

For Terms of Service questions: [email protected]
For security concerns or breach reports: [email protected]
For Do Not Sell requests: getnightai.com/do-not-sell

This Privacy Policy was written to be readable and plain-language. It is not a substitute for legal advice. NightAI recommends that Business Customers obtain independent legal counsel to review their own data handling obligations, including with respect to caller privacy, recording consent, and any applicable sectoral privacy laws.


HIPAA Disclaimer: NightAI is not HIPAA-certified and is not a HIPAA-covered entity. Not suitable for Protected Health Information (PHI). Covered entities requiring a Business Associate Agreement (BAA), healthcare businesses, dental practices, therapy practices, medical providers, med spas, aesthetics clinics, and clinical-advice workflows must not use NightAI. Review our Terms.

© 2026 NightAI. All rights reserved.
