Privacy Policy

• WhatsApp messages — message content, sender phone number, and display name sent to your business WhatsApp number.
• Appointment data — service type, date, time, and notes entered during the booking flow.
• Account information — organisation name and email address provided when creating a workspace (via Clerk authentication).
• Google Calendar data — when you connect Google Calendar, we access your calendar to read availability (free/busy) and create or delete appointment events on your behalf.
• Usage data — error logs and basic telemetry to operate and improve the service.

• To operate the AI booking assistant and respond to customer WhatsApp messages.
• To create, update, and cancel appointments in your Google Calendar.
• To display conversation history and appointment data in the dashboard.
• To send escalation notification emails when a conversation requires human attention.
• To improve the reliability and performance of the service.

Rudd's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

• We only request access to Google Calendar (calendar.events scope) when you explicitly connect your calendar in Settings.
• Google Calendar data is used solely to check availability and create/delete appointment events. It is never used for advertising or shared with third parties.
• We store only the OAuth refresh token (encrypted with AES-256-GCM) necessary to maintain your connection. We do not store or read your full calendar data beyond what is needed to book appointments.
• You can disconnect your Google Calendar at any time from Settings → Integrations, which deletes the stored token.

• All data is stored in a Neon PostgreSQL database hosted in the EU (Frankfurt).
• OAuth tokens (Google and WhatsApp) are encrypted at rest using AES-256-GCM before storage.
• All data transmissions use HTTPS/TLS.
• Access to production data is restricted to authorised personnel only.

We do not sell your data. We share data only with the following sub-processors necessary to operate the service:

• Vercel — hosting and serverless compute
• Neon — database
• Clerk — authentication and organisation management
• Groq / OpenAI — AI language model (message content is sent to generate replies)
• Inngest — background job processing
• Resend — transactional email (escalation notifications)
• Meta (WhatsApp) — message delivery

Conversation messages and appointment records are retained for as long as your workspace exists. You may request deletion of your data by contacting us at the email below. Deleting your organisation account removes all associated data within 30 days.

You have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your data.
• Disconnect any third-party integration (Google Calendar, WhatsApp) at any time.

To exercise these rights, contact us at hello@sarmadax.com.

If you have questions about this Privacy Policy, please contact us at hello@sarmadax.com.