Privacy Policy
Last Updated: January 20, 2025
Data Controller:
SFG Consulting
Company Number: 16111570
Registered in England and Wales
Trading as: AppointmentAI
Website: www.appointmentai.ai
1. Introduction
SFG Consulting ("we", "us", "our", or the "Company") is committed to protecting your privacy and complying with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This Privacy Policy explains how we collect, use, store, and protect personal data when you use the AppointmentAI service (the "Service"). By using our Service, you agree to the collection and use of information in accordance with this policy.
This Privacy Policy applies to:
- Clients who subscribe to our Service (business customers)
- End users who interact with our AI receptionist (your customers)
- Visitors to our website
2. Information We Collect
2.1 Information You Provide Directly
When you register for and use our Service, we collect:
- Account Information: Name, email address, business name, phone number, billing address, payment information
- Business Information: Business type, services offered, pricing information, operating hours, policies, staff information
- Communication Preferences: Tone, style, language preferences, custom responses, communication templates
- Integration Data: Calendar access credentials, booking system details, API keys for third-party services
- Support Communications: Any information you provide when contacting customer support
2.2 Information Collected Automatically
When you use our Service, we automatically collect:
- Conversation Data: All messages exchanged between the AI and end users (SMS, WhatsApp, website chat, etc.)
- Appointment Data: Booking details, appointment times, customer names, contact information, service requests
- Usage Data: How you interact with our platform, features used, settings configured, frequency of use
- Technical Data: IP addresses, device information, browser type, operating system, timestamps, error logs
- Performance Data: AI response times, conversation outcomes, booking success rates, system performance metrics
- Analytics Data: Service usage patterns, feature adoption, user behavior within the platform
2.3 Information from Third Parties
We may receive information from:
- Messaging Platforms: Data from SMS providers, WhatsApp Business API, and other communication channels
- Calendar Services: Availability data, appointment information from Google Calendar, Outlook, or other integrated calendar systems
- Facebook: Lead information from Facebook Lead Ads when integrated
- Payment Processors: Payment and billing information from Stripe or other payment providers
- Website Forms: Information submitted through contact forms or chat widgets on your website
2.4 End User Data (Your Customers)
When end users interact with the AI receptionist on your behalf, we collect:
- Names, phone numbers, email addresses
- Message content and conversation history
- Service requests and booking preferences
- Any information voluntarily provided during conversations
- Metadata about the communication (timestamps, channel used, etc.)
3. How We Use Your Information
3.1 Primary Service Delivery
We use collected information to:
- Provide, operate, and maintain the AI receptionist service
- Process and respond to customer inquiries on your behalf
- Book, modify, and manage appointments
- Train and optimize the AI to match your business communication style
- Integrate with your calendar, booking, and messaging systems
- Send automated messages via SMS, WhatsApp, and other channels
- Process payments and manage billing
3.2 Service Improvement and Development
We use data to:
- Analyze AI performance and accuracy
- Improve conversation quality and understanding
- Develop new features and functionality
- Identify and fix technical issues
- Train and refine AI models (using anonymized data where possible)
- Conduct research and analytics on service usage
3.3 Communication and Support
We use contact information to:
- Send service-related notifications and updates
- Provide customer support and respond to inquiries
- Send billing statements and payment reminders
- Notify you of changes to our Service or policies
- Send important security or system alerts
3.4 Legal and Security Purposes
We may use information to:
- Comply with legal obligations and regulations
- Enforce our Terms and Conditions
- Detect and prevent fraud, abuse, or security incidents
- Protect our rights, property, and safety
- Resolve disputes and investigate complaints
- Respond to law enforcement requests or court orders
4. Legal Basis for Processing (UK GDPR)
We process personal data based on the following legal grounds:
| Purpose | Legal Basis |
| --- | --- |
| Providing the Service to business clients | Contract Performance - necessary to fulfill our contract with you |
| Processing end user conversations and bookings | Legitimate Interests - necessary for providing the service you've contracted us to deliver on your behalf |
| Service improvement and AI training | Legitimate Interests - improving our service quality and functionality |
| Marketing communications (where applicable) | Consent - which can be withdrawn at any time |
| Legal compliance and fraud prevention | Legal Obligation / Legitimate Interests |
| Payment processing | Contract Performance |
5. Data Sharing and Disclosure
5.1 Third-Party Service Providers
We share data with trusted third-party service providers who assist in operating our Service:
- SMS and WhatsApp Providers: To send and receive messages on your behalf
- Cloud Hosting Providers: To store data and host our infrastructure
- Payment Processors: To process subscription payments (e.g., Stripe)
- AI and Machine Learning Services: To power the AI receptionist functionality
- Analytics Providers: To analyze service usage and performance
- Calendar Integration Services: To sync with your calendar systems
- Customer Support Tools: To provide technical support
These providers are contractually obligated to protect your data and use it only for the purposes we specify.
5.2 Business Transfers
If we are involved in a merger, acquisition, sale of assets, or bankruptcy, your data may be transferred as part of that transaction. We will provide notice before your data is transferred and becomes subject to a different privacy policy.
5.3 Legal Requirements
We may disclose your information if required by law or in response to:
- Court orders or legal processes
- Law enforcement or government requests
- Requests to establish, exercise, or defend legal claims
- Situations involving potential threats to safety or security
5.4 With Your Consent
We may share your information with other parties when you specifically consent to such sharing.
Important: We do NOT sell your personal data to third parties for their marketing purposes.
6. Data Retention
We retain personal data for as long as necessary to provide the Service and fulfill the purposes outlined in this policy:
- Account Data: Retained for the duration of your subscription and for up to 7 years after termination for accounting and legal purposes
- Conversation Data: Retained for the duration of your subscription and for up to 90 days after termination, unless longer retention is required by law or legitimate business purposes
- Appointment Data: Retained for the duration of your subscription and for up to 2 years after termination
- Usage and Analytics Data: May be retained indefinitely in anonymized form for research and service improvement
- Payment Records: Retained for 7 years to comply with accounting and tax regulations
- Support Communications: Retained for up to 3 years after resolution
We may retain certain information for longer periods where required by law, to resolve disputes, enforce our agreements, or for legitimate business purposes.
7. Data Security
7.1 Security Measures
We implement reasonable technical and organizational measures to protect personal data, including:
- Encryption of data in transit using SSL/TLS protocols
- Encryption of sensitive data at rest
- Access controls and authentication mechanisms
- Regular security assessments and monitoring
- Employee training on data protection
- Secure data centers with physical security measures
- Regular backups and disaster recovery procedures
7.2 Security Limitations
Important Notice: While we implement reasonable security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data. You acknowledge and accept the inherent risks of electronic data transmission and storage.
Potential security risks include:
- Unauthorized access or data breaches
- Interception of data during transmission
- Vulnerabilities in software or systems
- Insider threats or human error
- Attacks by malicious third parties
7.3 Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and relevant authorities as required by applicable law, typically within 72 hours of becoming aware of the breach.
7.4 Your Responsibility
You are responsible for:
- Maintaining the confidentiality of your account credentials
- Using strong, unique passwords
- Not sharing your account access with unauthorized persons
- Promptly notifying us of any suspected unauthorized access
8. Your Data Protection Rights (UK GDPR)
Under UK GDPR, you have the following rights regarding your personal data:
8.1 Right to Access
You have the right to request copies of your personal data. We may charge a reasonable fee for additional copies.
8.2 Right to Rectification
You have the right to request correction of inaccurate or incomplete personal data.
8.3 Right to Erasure ("Right to be Forgotten")
You have the right to request deletion of your personal data in certain circumstances, such as:
- The data is no longer necessary for the purposes it was collected
- You withdraw consent and there is no other legal basis for processing
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
Note: We may be unable to delete all data if we have legal obligations to retain it (e.g., financial records for tax purposes).
8.4 Right to Restrict Processing
You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of the data.
8.5 Right to Data Portability
You have the right to request transfer of your data to another service provider in a structured, commonly used, machine-readable format.
8.6 Right to Object
You have the right to object to processing of your personal data where we rely on legitimate interests as the legal basis.
8.7 Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing (including profiling) that produces legal or similarly significant effects. Our AI receptionist operates under your instruction and supervision, with you retaining ultimate control and responsibility.
8.8 How to Exercise Your Rights
To exercise any of these rights, please contact us using the contact information provided in Section 15. We will respond to your request within one month of receipt, though this may be extended by two months for complex requests.
8.9 Right to Lodge a Complaint
You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) if you believe we have not complied with data protection laws:
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk
9. International Data Transfers
Your data may be transferred to and processed in countries outside the United Kingdom, including:
- Countries with adequacy decisions from the UK government
- The European Economic Area (EEA)
- United States and other jurisdictions where our service providers operate
When we transfer data internationally, we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses approved by UK authorities
- Adequacy decisions confirming equivalent data protection standards
- Binding Corporate Rules
- Other legally approved transfer mechanisms
Important: Some countries may not provide the same level of data protection as the UK. By using our Service, you acknowledge and consent to these international transfers.
10. Cookies and Tracking Technologies
10.1 What We Use
Our website and Service may use cookies and similar tracking technologies to:
- Maintain your login session
- Remember your preferences and settings
- Analyze website traffic and usage patterns
- Improve user experience and service performance
- Provide relevant content and features
10.2 Types of Cookies
- Essential Cookies: Necessary for the Service to function (e.g., authentication)
- Analytics Cookies: Help us understand how users interact with our Service
- Functional Cookies: Enable enhanced functionality and personalization
10.3 Managing Cookies
You can control cookies through your browser settings. However, disabling certain cookies may affect Service functionality.
11. Children's Privacy
Our Service is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16.
If you believe we have inadvertently collected data from a child under 16, please contact us immediately and we will take steps to delete such information.
12. Third-Party Links and Services
Our Service may contain links to third-party websites or integrate with third-party services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing them with personal information.
13. AI and Machine Learning Disclosure
13.1 AI Training
We use conversation data to train and improve our AI models. This includes:
- Analyzing conversation patterns to improve response quality
- Learning from booking outcomes to optimize performance
- Using aggregated, anonymized data for general AI improvements
13.2 Human Review
Our team may review conversations for:
- Quality assurance purposes
- Troubleshooting and error correction
- Customer support and dispute resolution
- Compliance with legal obligations
All reviewers are bound by strict confidentiality obligations.
13.3 AI Limitations
Please note that AI systems are not perfect and may:
- Misinterpret or mishandle certain conversations
- Make errors in understanding or responding
- Process data in unexpected ways
You remain responsible for monitoring the AI's performance and ensuring data is handled appropriately for your business.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
When we make material changes, we will:
- Update the "Last Updated" date at the top of this policy
- Notify you via email or through the Service
- Provide you with reasonable notice before changes take effect
Your continued use of the Service after changes take effect constitutes acceptance of the updated policy. We encourage you to review this policy periodically.
15. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
For data protection queries specifically, you may also contact our data protection contact using the above email address with "Data Protection Query" in the subject line.
16. Your Consent
BY USING OUR SERVICE, YOU ACKNOWLEDGE THAT:
- You have read and understood this Privacy Policy
- You consent to the collection, use, and processing of your data as described
- You understand how your data will be shared with third parties
- You accept the security limitations and risks of data processing
- You acknowledge potential international data transfers
- You understand that AI systems may access and process your data
- You accept responsibility for ensuring end users are appropriately informed about data processing
17. Client Responsibilities Regarding End User Data
As a business client using our Service to interact with your customers, you acknowledge and agree that:
- You are the Data Controller: For data about your customers (end users), you act as the data controller and we act as a data processor on your behalf
- Your Privacy Notice: You are responsible for providing your own privacy notice to end users explaining how their data will be processed
- Consent and Legal Basis: You are responsible for obtaining necessary consents or establishing appropriate legal basis for processing end user data
- Data Subject Rights: You are responsible for handling data subject rights requests from your customers
- Regulatory Compliance: You must ensure your use of our Service complies with applicable privacy laws in your jurisdiction
- Telecommunications Regulations: You must comply with applicable laws regarding automated communications, including obtaining necessary consents for SMS/WhatsApp marketing
We recommend consulting with legal counsel to ensure your privacy practices comply with all applicable laws.
© 2025 SFG Consulting (Company No. 16111570) trading as AppointmentAI — All rights reserved.