BlueAgent Privacy Policy
Effective Date: June 9, 2025
BlueAgent, Inc. (“BlueAgent,” “we,” “us,” or “our”) provides AI-powered voice agents that answer and place phone calls on behalf of service businesses. This Privacy Policy explains how we collect, use, share, and protect information when anyone (“User,” “Customer,” “Caller,” or “you”) visits blueagent.co, uses our web or mobile apps, or interacts with calls placed through our platform (collectively, the “Services”).
1. Scope
Applies to: all visitors, account holders, call participants, and business contacts whose data we process in connection with the Services.
Does not cover: third-party sites or services we merely link to. Their policies govern those interactions.
2. Categories of Data We Collect
| Category | Examples | Source |
|---|---|---|
| Account Data | Name, business name, email, billing address, phone number, login credentials, Twilio sub-account SID/Auth Token | Direct from Customer |
| Usage Data | Log-ins, feature clicks, API calls, browser type, IP address, cookies, device identifiers | Automated (website & app) |
| Telecom Events | From/To numbers, call SID, duration, carrier codes, SMS body (if SMS add-on enabled) | Twilio webhook |
| Call Audio & Transcripts | Voice recordings, AI-generated transcripts, agent responses | Recorded by BlueAgent on Customer’s behalf |
| CRM / Script Content | Knowledge-base articles, calendars, appointment data, downstream CRM records | Synced from Customer-configured integrations |
| Payment Data | Last four digits of card, expiration, billing ZIP (full card handled by Stripe) | Stripe |
| Support Data | Chat messages, emails, attachments | Direct |
We intentionally do not ask for or store government-issued IDs, full payment card numbers, or biometric markers.
3. How and Why We Use Data
| Purpose | Legal Basis (GDPR) / Business Purpose (US) |
|---|---|
| Provide, secure, and maintain the Services (e.g., routing calls, generating AI responses, preventing fraud) | Contract (Art 6 (1)(b)); Legitimate Interests |
| Train and continuously improve our speech-to-text, intent detection, and response models using aggregated, de-identified data only | Legitimate Interests |
| Generate usage analytics for Customers (e.g., first-call resolution rate, booking conversion) | Contract |
| Send transactional emails (invoices, system alerts) | Contract |
| Send product updates or marketing (opt-in only where required) | Consent / Legitimate Interests |
| Comply with law, enforce Terms, defend legal claims | Legal Obligation (Art 6 (1)(c)); Legitimate Interests |
Plain-talk promise: We never sell Customer or Caller data—no shady ad networks, period.
4. Sharing & Disclosure
| Recipient | Why & What | Safeguards |
|---|---|---|
| Twilio | Telephony transport metadata, audio streams | DPA & SCCs in place |
| OpenAI | Prompt text, context snippets for response generation | Enterprise agreement; no training on your proprietary scripts |
| Stripe | Billing contact info, amount, plan, card token | PCI-DSS Level 1 |
| Zapier / CRM Integrations | Transcripts, booking details per Customer mappings | Each integration governed by its DPA |
| Affiliates & Service Providers | Cloud hosting, error monitoring, analytics | Confidentiality + access-minimization |
| Law enforcement / regulators | Only when legally compelled and narrow in scope | We fight over-broad requests |
| Corporate transactions | Data transfers in mergers, acquisitions | Contractual continuity of safeguards |
We do not allow third-party tracking cookies or behavioral ads on authenticated dashboard pages.
5. Cookies & Similar Tech
- Strictly necessary – login session, CSRF token.
- Functional – remember UI prefs.
- Analytics – privacy-respecting first-party metrics (Plausible). No cross-site advertising cookies.
Browser Do-Not-Track signals are respected where technically feasible.
6. Data Retention
| Data Type | Default Retention | Options |
|---|---|---|
| Call audio & transcripts | 30 days | Customer-configurable to 0-365 days; cold-storage add-on for longer |
| Account & billing records | Life of account + 7 years (tax law) | — |
| Logs & telemetry | 12 months | Critical security logs kept up to 3 years |
| AI model training artifacts (de-identified) | Indefinite | Not linked to Customer or Caller |
Deletion requests (see § 8) override these defaults unless retention is legally required.
7. Security Measures
- Encryption – TLS 1.3 in transit; AES-256 at rest.
- Least privilege – scoped API keys, role-based access controls.
- Isolation – each Customer gets their own Twilio sub-account; no cross-account mingling of call SIDs or tokens.
- Pen-testing – annual third-party assessment plus continuous vulnerability scanning.
- Incident response – 24-hour internal SLA; breach notifications within 72 hours of confirmation as required by law.
Remember: no system is perfectly secure. You share responsibility by safeguarding your credentials and choosing sensible data-retention windows.
8. Your Rights
| Region | Rights & How to Exercise |
|---|---|
| EEA/UK (GDPR) | Access, rectify, erase, restrict, data portability, object, lodge complaint with DPA. Email privacy@blueagent.co or use in-dashboard request flow. |
| California (CCPA/CPRA) | Know, delete, correct, opt-out of “sale”/“share” (we don’t sell), limit use of sensitive info. Toll-free: +1 (800) 123-4567. |
| Colorado / Virginia / Other US State Laws | Similar rights; we honor them. |
| Marketing Emails | Click “unsubscribe” or update preferences any time. |
We will verify your identity before fulfilling requests and respond within the statutory period (30–45 days, extendable once).
9. International Transfers
We host data on AWS us-east-1 (N. Virginia) and may replicate to us-west-2 (Oregon) for resilience. For EEA/UK data we rely on:
- Standard Contractual Clauses (SCCs) with subprocessors;
- Supplementary measures (server-side encryption keys, strict access logging);
- Data minimization – most personal data never leaves the Twilio region chosen by Customer (if using Twilio’s Regional SIP).
10. Children’s Privacy
BlueAgent is not directed to children under 13 and we do not knowingly collect their data. If you believe we have, contact us and we’ll delete it.
11. Automated Decision-Making & Profiling
Our AI agents generate conversational responses automatically, but decisions that have legal or significant effects (e.g., appointment confirmations, payments) are ultimately made or reviewed by the Customer’s staff. You can request human review of any automated outcome.
12. Changes to This Policy
We may update this Policy from time to time. We’ll post the revised version with a new Effective Date and, for material changes, provide 30 days’ advance notice via email or in-app banner. Continuing to use the Services after the new date means you accept the changes.
13. Contact Us
BlueAgent, Inc.
#1014
Grand Blanc, Michigan 48439
United States
Email: support@blueagent.co