Privacy Policy

Last Updated: April 26, 2026

1. Information We Collect

Information You Provide

Modular Automations collects information that you voluntarily provide when you interact with our services, including:

• Name, email address, and phone number (provided when you contact us or fill out a form)
• Information you provide through our website forms or booking pages
• Messages and information shared through our live chat widget
• Text messages sent to and from our business phone number
• Payment and billing information processed through our payment provider
• Appointment scheduling information including preferred dates and times

Information Collected Automatically

When you visit our website, we may automatically collect certain information, including:

• IP address and approximate location
• Browser type, device type, and operating system
• Pages visited and time spent on our website
• Referring website or source that brought you to us

2. How We Use Your Information

Modular Automations uses the information we collect for the following purposes:

• To provide and maintain our services
• To respond to your inquiries and communicate with you
• To process transactions and send related information
• To send you updates, marketing communications, and promotional materials (with your consent)
• To improve our website, services, and customer experience
• To comply with legal obligations
• To power AI-assisted communications that help us respond to you faster (see AI-Powered Communications Disclosure below)
• To schedule and manage appointments

We do not sell your personal information to third parties.

3. SMS/Text Message Consent

By providing your phone number and opting in to receive text messages from Modular Automations, you consent to receive recurring automated text messages at the number provided. These messages may include:

• Appointment confirmations and reminders
• Service updates and follow-ups
• Promotional offers and marketing messages
• Responses to your inquiries

Message frequency varies. Message and data rates may apply. Your carrier's standard messaging rates may apply.

To opt out: Reply STOP to any message to unsubscribe. You will receive a confirmation message and no further texts will be sent.

To get help: Reply HELP for assistance, or contact us at .

Your consent to receive text messages is not a condition of purchasing any goods or services. You may opt out at any time without affecting your ability to use our services.

We will not share your phone number or text message opt-in data with third parties for their marketing purposes.

5. AI-Powered Communications Disclosure

Modular Automations uses artificial intelligence (AI) technology to assist with website chat (Conversation AI) and phone calls (Voice AI). This means:

• Some of your interactions may be handled by an AI assistant rather than a human
• The AI may answer questions, provide information about our services, and help schedule appointments
• AI-generated responses are based on information about our business and services
• The AI may collect and process information you share during the conversation

Human oversight: All AI interactions are monitored. You may request to speak with a human at any time during a conversation. Complex or sensitive matters are escalated to our team.

Accuracy: While our AI is designed to provide helpful and accurate information, AI-generated responses may occasionally contain errors. For important decisions regarding our services, we recommend confirming details with a human team member.

Information collected during AI interactions is subject to the same privacy protections described in this policy.

6. Cookies and Tracking Technologies

Modular Automations uses cookies and similar tracking technologies on our website. Cookies are small text files stored on your device that help us provide and improve our services.

Types of Cookies We Use

• Essential Cookies: Required for basic website functionality (e.g., session management, security)
• Analytics Cookies: Help us understand how visitors use our website so we can improve it
• Functional Cookies: Remember your preferences (e.g., returning visitor greetings)
• Marketing Cookies: Used to deliver relevant advertisements and measure campaign effectiveness

Third-Party Tracking Tools

Managing Cookies

Most web browsers allow you to manage cookie preferences through their settings. You can choose to block or delete cookies, though this may affect your experience on our website. For more information, visit your browser's help documentation.

7. Third-Party Services

Modular Automations uses the following third-party sub-processors that may collect or process your information:

• Anthropic (Claude) — Large language model for content generation, copy composition, and onboarding assistance. (United States). DPA
• OpenRouter — Backup LLM gateway providing access to Anthropic and other model providers. (United States). DPA
• Vercel — Frontend hosting and CDN for marketing sites and admin dashboards. (United States). DPA
• Hetzner Online GmbH — Primary application server hosting and Storage Box backup destination. (Germany (EU)). DPA
• GoHighLevel (HighLevel Inc.) — Customer relationship management, conversation history, scheduling, and workflow execution. (United States). DPA
• Stripe — Payment processing and subscription billing. (United States). DPA
• Apify — Public-data scraping for lead enrichment and market intelligence (owner-tenant only by default). (United States). DPA
• Cloudflare — DNS, CDN, and Cloudflare Access JWT for admin authentication. (United States). DPA
• Pinecone — Vector database for knowledge retrieval and RAG-grounded generation. (United States). DPA
• Cohere — Embedding generation and reranking for retrieval relevance. (United States). DPA
• ElevenLabs — Text-to-speech voice generation for video pipelines (only when voice features used). (United States). DPA
• Kie.ai — Image generation (Nano Banana 2) and video generation (Kling) for content pipelines (only when media features used). (United States). DPA

Each of these services has its own privacy policy and Data Processing Agreement governing the use of your data. We encourage you to review their privacy policies. We share only the minimum information necessary for each service to function.

We are not responsible for the privacy practices of these third-party services beyond our contractual relationships with them.

8. Data Retention

Modular Automations retains your personal information only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law.

Specifically:

• Contact and communication records: Retained for the duration of our business relationship and for a reasonable period afterward to handle follow-up inquiries
• Transaction records: Retained as required by applicable tax and accounting laws (typically 7 years)
• Website analytics data: Retained in aggregated, anonymized form
• Marketing consent records: Retained for as long as you remain subscribed, plus a record of your opt-out for compliance

When your personal information is no longer needed, we will securely delete or anonymize it.

You may request deletion of your personal information at any time by contacting us using the information provided at the end of this policy.

8.1 Tenant-Scoped Retention

For platform tenants, the following additional retention rules apply:

• Audit log entries in our internal action_executions ledger are retained for seven years. After tenant offboarding the entries are anonymized (tenant identifiers replaced with a sentinel value) but retained per GDPR Article 17(3)(b) for legal-hold and accounting purposes.
• Brand kit, generated content, and rendered pages are retained for the duration of the service agreement plus a 30-day post-termination grace window. During the grace window, the customer may export a complete archive (see "Your Rights") or request reactivation.
• Contact and CRM data. Tenant-scoped CRM tables follow the same 30-day grace plus hard-delete rule. pre-multi-tenant tables (specifically: contacts, opportunities, lead_scores, activities, content, campaigns) are exported wholesale at offboarding and migrated to per-tenant deletion in milestone v73 of our roadmap. Until the v73 migration ships, deletion of these tables in the offboarding flow is a no-op (full-table truncation would affect platform data); the customer's data in these tables is preserved with our commercial controls.
• Encrypted OAuth and credential tokens. Tenant-scoped GHL OAuth tokens are stored encrypted at rest using Fernet symmetric encryption; upon offboarding the encrypted column is purged and the encryption key reference is severed. Tokens are revoked at offboarding where the upstream provider supports a revoke endpoint, and the encrypted-at-rest column is purged at hard-delete (after the 30-day grace window). Keys are held outside the database; a database-only compromise does not yield plaintext credentials.
• Backups are encrypted, stored in a geographically separate region, and follow a 30-day rolling retention window. Backup deletion happens automatically as the rolling window advances; we do not perform out-of-band backup deletion on tenant offboarding because backups are encrypted at rest and the ability to restore a single tenant from backup requires the encryption key.

If you require a custom retention window for compliance reasons (e.g., a regulated industry with shorter or longer mandated retention), contact us at privacy@modularautomations.com and we will negotiate a per-tenant retention addendum to your Data Processing Agreement.

9. Multi-Tenant Data Isolation

Modular Automations operates as a multi-tenant software-as-a-service platform. Your data is logically isolated from other customers' data by a tenant identifier attached to every record we store. We do not perform queries that cross tenant boundaries in ordinary application logic.

Application-layer safeguards. Our action executor refuses to write data to one tenant using another tenant's credentials and raises a CrossTenantWriteAttemptError at the boundary. Such attempts are recorded as priority-zero events in our audit ledger. We monitor cross-tenant attempts as a Service Level Objective and alert immediately on any breach.

Encryption at rest. OAuth tokens, refresh tokens, and webhook signing keys are encrypted at rest using Fernet symmetric encryption. The encryption key is held outside the database. A database-only compromise does not yield credentials in plaintext.

Operational kill switches. Our operators can halt traffic to any sub-processor (CRM, payments, LLM provider) without a code deploy if a breach or vendor incident is suspected. Kill switches are documented in our incident runbooks and audit-logged when triggered.

Audit ledger. Every action taken on your data is recorded in the action_executions audit table with an idempotency key, the operator (system or admin email), and the input/output payloads. Admin reads of your tenant data are logged in a separate admin-audit stream. Both are exportable on request alongside the data export endpoint described in this policy's data-rights section.

10. Your Privacy Rights (CCPA / GDPR)

Your Rights Under the California Consumer Privacy Act (CCPA)

If you are a California resident, you have the following rights under the CCPA:

• Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it.
• Right to Delete: You may request that we delete your personal information, subject to certain exceptions (e.g., legal obligations, completing a transaction).
• Right to Opt-Out of Sale: We do not sell your personal information. If this changes, we will provide a "Do Not Sell My Personal Information" link.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise these rights, contact us at hello@modularautomations.com. We will respond to verifiable consumer requests within 45 days.

Your Rights Under the General Data Protection Regulation (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights regarding your personal data:

• Right of Access: You may request a copy of the personal data we hold about you.
• Right to Rectification: You may request that we correct inaccurate or incomplete personal data.
• Right to Erasure: You may request that we delete your personal data, subject to legal obligations.
• Right to Restrict Processing: You may request that we limit how we use your data.
• Right to Data Portability: You may request your data in a structured, machine-readable format.
• Right to Object: You may object to our processing of your data for direct marketing purposes.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time.

To exercise these rights, contact us at privacy@modularautomations.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

Legal Basis for Processing: Modular Automations processes your personal data based on: (a) your consent, (b) performance of a contract, (c) our legitimate business interests, or (d) compliance with legal obligations.

How to exercise these rights operationally. Email us at privacy@modularautomations.com or contact your designated administrator. For data export and portability requests we generate a complete archive of your tenant data via our admin endpoint at /api/admin/tenants/{tenant_id}/export and deliver it to you in a portable JSON-and-asset bundle. For erasure requests we follow our 30-day grace soft-delete process: your data is immediately marked deleted (no further processing), and is irreversibly hard-deleted after the 30-day grace window. During the grace window, you may revoke the deletion request at no cost; after the grace window ends, your data is permanently removed except for audit-log entries retained per GDPR Article 17(3)(b) for legal-hold and accounting purposes.

11. Children's Privacy

Modular Automations are not directed to individuals under the age of 13 (or 16 in the EEA). We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under the applicable age, we will take steps to delete that information as quickly as possible.

If you believe we have inadvertently collected information from a child, please contact us at hello@modularautomations.com.

12. Changes to This Privacy Policy

Modular Automations may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:

• Update the "Last Updated" date at the top of this policy
• Notify you by email or through a prominent notice on our website, where appropriate

We encourage you to review this policy periodically. Your continued use of our services after any changes indicates your acceptance of the updated policy.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Email: hello@modularautomations.com
• Address: CA

We aim to respond to all privacy-related inquiries within 30 days.