Privacy Policy

Last updated: January 2025

Our commitment: We process the minimum data necessary to deliver the Service. Customer personal data uploaded by Clients is never sold, shared with third parties for marketing purposes, or stored beyond what is operationally necessary.

1. Information We Collect

From Clients (businesses using the Service):

Business name, owner name, email address, phone number
Online booking link
Stripe payment information (handled by Stripe; we store only customer and subscription IDs)

From CSV uploads (your customers' data):

Customer names (stored for message personalization)
Phone numbers (encrypted using AES-256-CBC; we store only hashed and encrypted versions)
Last visit dates (used to determine inactivity; not stored after processing)

2. How We Handle Customer Data

Raw CSV data is processed in memory only and is never written to disk. After processing, we retain only: a hashed phone reference (for opt-out tracking), an encrypted phone (for SMS delivery), customer name, and communication status.

Specifically:

Phone numbers are hashed (SHA-256) for deduplication and opt-out tracking
Phone numbers are encrypted (AES-256-CBC) for operational SMS delivery only
Last visit dates are used to identify lapsed customers and then discarded
We never store health information, appointment details, or sensitive personal data

3. SMS Communications and AI Processing

Messages are sent via Twilio, a third-party SMS provider. By using the Service, you authorize us to send SMS messages on your behalf to your customers. All replies are processed by Claude AI (Anthropic) to generate contextually appropriate responses.

Conversation history is stored to enable coherent multi-message exchanges. Conversations are retained for up to 90 days after completion.

4. Opt-Out

Any recipient who replies STOP (or equivalent) to any message is immediately removed from all future communications. Their phone hash is retained in our opt-out registry to ensure they are never contacted again, even if re-uploaded in future CSV files.

5. Data Retention

Active customer queue: retained while your subscription is active
Conversation records: 90 days after conversation ends
Business account data: retained while account is active, deleted 30 days after cancellation upon request
Opt-out records: retained indefinitely to honor opt-out requests

6. Third-Party Services

We use the following third-party services to deliver Highground Recall:

Twilio — SMS delivery (twilio.com/privacy)
Stripe — Payment processing (stripe.com/privacy)
Anthropic (Claude) — AI conversation handling (anthropic.com/privacy)

7. Security

We implement industry-standard security measures including:

AES-256-CBC encryption for stored phone numbers
SHA-256 hashing for phone number indexing
HTTPS/TLS for all data in transit
Server-side SQLite database with no public access

8. Your Rights

If you are a Client, you may request deletion of your account and all associated data by emailing hello@highgrounddao.com. If you are a customer who has received an SMS through our platform, you can opt out by replying STOP to any message.

9. Contact

For privacy-related questions, contact: hello@highgrounddao.com