Privacy Policy

Effective date: June 2026

1. Who We Are

PolishLine operates an AI receptionist service for nail salons. This policy explains what personal data we collect, how we use it, and your rights.

2. Data We Collect

From salon owners (you): business name, your name, email, phone number, and Google Calendar access (OAuth refresh token, stored encrypted). Payment details are processed directly by Stripe and never stored on our servers.

From your callers: caller phone number, name (as stated on the call), appointment details, and call audio/transcript via Vapi (our AI voice provider). Transcripts are used to fulfill bookings and are encrypted at rest.

Automatically: standard server logs (IP address, timestamp, request path) retained for up to 90 days for security monitoring.

3. How We Use Your Data

  • To provide the AI receptionist service (booking, cancellation, rescheduling)
  • To send SMS appointment confirmations via Twilio on your behalf
  • To push bookings to your Google Calendar
  • To process subscription payments via Stripe
  • To send you operational emails (new bookings, account activation)

We do not sell your data or your callers' data to third parties.

4. Third-Party Processors

We share data with the following sub-processors to deliver the service:

  • Vapi — voice AI and call transcription
  • Twilio — SMS delivery
  • Stripe — payment processing and subscription management
  • Google — Calendar integration (OAuth)

Each processor has its own privacy policy and data processing agreement. We instruct each processor to handle data only as necessary to provide the service.

5. Data Retention

Call transcripts and caller PII are retained for 365 days by default, after which they are permanently deleted. You can request earlier deletion at any time. Appointment records are kept for the same period. Billing records are retained for 7 years as required by accounting regulations.

6. Your Rights

Depending on your location, you may have the right to access, correct, or delete your personal data, and to restrict or object to certain processing. To exercise any of these rights, email us at appointmentiq@gmail.com. We will respond within 30 days.

7. Security

Sensitive data (OAuth tokens, caller PII) is encrypted at rest using AES-256. Data is transmitted over TLS. We use rate limiting and API key authentication to protect your account. Despite these measures, no system is perfectly secure; please notify us immediately if you suspect a breach.

8. Cookies

The marketing site (appointmentiq.shop) does not use tracking cookies or analytics scripts. The owner portal uses a session cookie strictly necessary for authentication.

9. Children

PolishLine is not directed at anyone under 18. We do not knowingly collect data from minors.

10. Changes to This Policy

We may update this policy. We will notify you by email 14 days before material changes take effect. The current version is always available at /privacy.

11. Contact

Privacy questions: appointmentiq@gmail.com.