Privacy Policy

Personal information we collect

Information you provide to us

Personal information that an Owner or an Operator provides to us through the Service includes:

• Contact and identity data, such as name, email address, profile picture (sourced from your OAuth provider), and the OAuth provider’s subject identifier.
• Authentication data, such as hashed refresh tokens, token expiry, and login timestamps.
• Business contact data, such as the business phone number we provision through our communications platform, the Prentice-hosted email handle, the business street address with derived latitude/longitude, and timezone.
• Business descriptive content, such as free-text descriptions of your business that you provide during onboarding and over the course of using the Service.
• Calendar credentials, such as OAuth access and refresh tokens for the connected calendar account, the calendar account email, and the names of calendars Prentice is permitted to read or write.
• Connected business-platform credentials, such as OAuth access and refresh tokens, account identifiers, and integration metadata for third-party business platforms that you choose to connect to the Service (for example, accounting platforms such as QuickBooks Online and similar services Prentice supports from time to time).
• Operator data, such as an Operator’s name, contact details, the Owner who invited them, and their status.
• Business registration data, such as legal entity name, EIN or other tax identification number (or Canadian equivalents), business type, industry, registered address, business website, and authorized-representative information, which we collect for A2P 10DLC brand and campaign registration.
• Communications data based on our exchanges with you, including when you contact us through the Service or otherwise.
• Other data not specifically listed here, which we will use as described in this Privacy Policy or as otherwise disclosed at the time of collection.

Information we process about End Customers on behalf of our customers

The Service operates an Owner’s communications channels on the Owner’s behalf. Through that operation, Prentice processes the following categories of End Customer personal information. This information is included here for informational purposes only; Prentice processes it solely on behalf of and pursuant to its agreement with the Owner.

• Identifiers and contact data, such as name (when shared), phone numbers, email addresses, and postal addresses (with derived latitude/longitude when geocoded for scheduling).
• Communications content, such as the verbatim text, audio, and attachments of every inbound and outbound message between the End Customer and the business across all channels Prentice operates (SMS, MMS, WhatsApp, voicemail, and email). These fields are unfiltered and may include whatever the End Customer chooses to write or say.
• Scheduling and service data, such as appointments, recurring service arrangements, quotes, jobs, and related work artifacts derived from conversations.
• Relationship and account data, such as household or organization groupings and free-text notes the business or the assistant has recorded about the End Customer.
• Inferred and derived data, such as business-specific “Learned Knowledge” extracted from conversations and Owner input that may include customer-specific facts.

Information collected automatically

We, and our service providers, may automatically log information about you and your interaction over time with the Service, such as:

• Audit and diagnostic data, including internal audit logs of AI decisions and tool invocations, which may incidentally contain message snippets or customer identifiers.
• Frontend telemetry, such as error and performance telemetry from the Owner-facing web app (production only), processed by our cloud-infrastructure provider as part of our hosting tenancy.
• Edit history, which our primary datastore retains as an implicit revision history of records.

Tracking and other technologies

Cookies and other technologies. The Prentice web application does not set first-party cookies and does not load marketing or product-analytics trackers; authentication state is maintained in browser local storage. The Prentice marketing landing page on meetprentice.com uses Google Analytics solely for internal product and marketing metrics. The marketing landing page does not load Google Ads conversion tracking, the Meta Pixel, the LinkedIn Insight Tag, or any other technology used to enable cross-context behavioral advertising, and Prentice does not engage in cross-context behavioral advertising. If we begin to use any cookies or similar technologies not described above, we will update this Privacy Policy and, where required, publish a separate Cookie Notice.

Chat and other artificial-intelligence (“AI”) technologies. The Service uses third-party AI providers to interpret messages, generate responses, and otherwise power the assistant. On each assistant invocation, we transmit the conversation context (which may include End Customer message content and the business’s accumulated knowledge) to those providers solely for the purpose of providing the Service. Those providers may incidentally access personal information you share through the Service. We contractually require these providers to maintain appropriate data-protection safeguards and prohibit them from using that data to train their generalized AI models.

How we use your personal information

We may use personal information for the following purposes or as otherwise described at the time of collection:

Service delivery and operations

We may use personal information to:

• provide the Service, including by receiving, interpreting, and responding to messages addressed to a business and scheduling appointments on the connected calendar;
• authenticate Owners and Operators, provision the Prentice phone number and Prentice-hosted email handle, and manage team membership;
• communicate with Owners about the Service, including by sending service-related announcements, security alerts, and support and administrative messages; and
• provide support for the Service and respond to requests, questions, and feedback.

Service personalization and Learned Knowledge

We may use personal information to maintain business-specific Learned Knowledge that informs subsequent assistant behavior, including by recording facts, preferences, rules, and customer-specific notes extracted from conversations and Owner input. Learned Knowledge is scoped to a single business and does not cross tenant boundaries.

Service improvement and analytics

We may use personal information to analyze the use of the Service, diagnose errors, monitor service health, and improve the Service and develop new features.

Access by Prentice personnel. To support these activities, Prentice personnel may review identifiable Owner or Operator content and End Customer message content on a need-to-access basis, including for purposes of evaluating assistant quality, quality assurance, debugging, support, and training of our team. Access is limited to Prentice employees and contractors who need it to perform their role and is subject to confidentiality and access-control obligations.

Compliance and protection

We may use personal information to:

• comply with applicable laws, lawful requests, and legal process, such as responding to subpoenas, investigations, or requests from government authorities;
• protect our, your, or others’ rights, privacy, safety, or property (including by making and defending legal claims);
• audit our internal processes for compliance with legal and contractual requirements or our internal policies;
• enforce the Terms of Service that govern the Service; and
• prevent, identify, investigate, and deter fraudulent, harmful, unauthorized, unethical, or illegal activity, including cyberattacks, abuse of the Service, and identity theft.

Data sharing in the context of corporate events

We may share certain personal information in the context of actual or prospective corporate events; see How we share your personal information, below.

To create aggregated, de-identified, and/or anonymized data

We may create aggregated, de-identified, and/or anonymized data from the personal information we collect by removing information that makes the data identifiable, and we will not attempt to re-identify any such data. We may use this aggregated, de-identified, and/or anonymized data and share it with third parties for our lawful business purposes, including improving the Service, developing new features, and training and evaluating the AI systems used in the Service. Today, Prentice does not train, fine-tune, or otherwise build machine-learning models on identifiable Owner or Operator content or End Customer data, and we will not use identifiable Owner or Operator content or End Customer data to train machine-learning models without prior consent. Owners may opt out of our use of aggregated, de-identified, and/or anonymized data for AI training and model improvement; see the Your choices section below.

Further uses

In some cases, we may use personal information for further uses, in which case we will rely on the original legal basis where the further use is compatible with the initial purpose for which the personal information was collected, or we will obtain consent or otherwise comply with applicable law if the further use is not compatible with the initial purpose.

How we share your personal information

We may share personal information with the following categories of parties (or as otherwise described in this Privacy Policy or at the time of collection).

Affiliates. Our corporate parent, subsidiaries, and affiliates, if and when we have any.

Vendors and service providers. Third parties that provide services on our behalf or help us operate the Service or our business, including:

• cloud-infrastructure and hosting providers that host the Service and store its data, including blob storage for message attachments and voicemail audio;
• database providers that host the primary application database (please see the International data transfer section for a note about the one database provider that is headquartered outside the United States and has operator-level access to the application database);
• artificial-intelligence and large-language-model providers that interpret messages, generate responses, and otherwise power the assistant, which receive the conversation context (which may include End Customer message content and the business’s accumulated knowledge) on each assistant invocation;
• communications platform and carrier partners that deliver SMS, MMS, WhatsApp, voice, and voicemail, and that perform A2P 10DLC brand and campaign registration on our behalf;
• email-delivery providers that process inbound and outbound email on a business’s behalf;
• OAuth identity and calendar providers that authenticate Owners and provide read and write access to the Owner’s authorized calendar account;
• geocoding providers that convert addresses to latitude/longitude for scheduling purposes;
• payment processors (when applicable) that take subscription payments on our behalf and tokenize cardholder data so that we do not hold card numbers; and
• customer-support, billing-platform, and internal-operations vendors that we use to administer the Service and our business; and
• connected business-platform providers (for example, providers of accounting platforms such as QuickBooks Online) that you elect to connect to the Service, which receive personal information you have authorized us to share with them in order to operate the integration.

Communications registries. The Campaign Registry (TCR) and analogous carrier registries in Canada, to which we (through our communications platform partner) submit business-registration data as part of A2P 10DLC brand and campaign registration. Messages sent through the WhatsApp channel additionally involve Meta as a further party.

Third parties designated by you. We may share personal information with third parties where you have instructed us, or provided your consent for us, to do so.

Linked third-party services. If you connect your Service account to a calendar, OAuth, or other third-party service, we may share personal information with that third-party service in connection with that integration. The third party’s use of the shared information will be governed by its own privacy policy and the settings associated with your account on that third-party service.

Professional advisors. Professional advisors, such as lawyers, accountants, auditors, bankers, and insurers, in the course of the professional services they render to us.

Authorities and others. Law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate for the compliance-and-protection purposes described above.

Business transferees. We may disclose personal information in the context of actual or prospective business transactions (for example, investments in Prentice, financing of Prentice, public offerings, or the sale, transfer, or merger of all or part of our business, assets, or shares). For example, we may share certain personal information with prospective counterparties and their advisers, and we may disclose personal information to an acquirer, successor, or assignee of Prentice as part of any merger, acquisition, sale of assets, or similar transaction, and/or in the event of an insolvency, bankruptcy, or receivership in which personal information is transferred to one or more third parties as one of our business assets.

Within-tenant access by Owners and Operators. Owners and Operators have access, through the Service, to personal information that flows through their business’s Prentice tenant, including communications with their End Customers and Learned Knowledge associated with their business. We do not share an Owner’s data, an Owner’s End Customer data, or any Learned Knowledge associated with one Owner’s tenant with another Owner.

Retention

We retain personal information for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements, establishing or defending legal claims, or for fraud prevention. The Service depends on long-running conversational and business memory, and, while an account is active, we do not schedule periodic purges of message content, customer records, or Learned Knowledge.

• While your account is active, we retain your account’s data for the life of the account.
• After account closure, we will delete your account’s data, including Learned Knowledge and the implicit edit-history pool in the primary datastore associated with your account, within 90 days of closure.
• Operational backups follow their own routine rotation cycle and are not treated as a separate retention pool for the purposes of the 90-day commitment.

When we no longer require the personal information we have collected, we will either delete it, anonymize it, or isolate it from further processing.

Your choices

In this section we describe the rights and choices available to all users of the Service. Owners and Operators located in certain U.S. states may have additional rights described in the State privacy rights notice section, below.

Access or update your information

If you are an Owner or an Operator, you may review and update certain account information by logging into your account or by emailing privacy@meetprentice.com.

Cancel your subscription or close your account

If you are an Owner, you may cancel your subscription or close your account at any time as described in Section 4.4 of our Terms of Service. Operators may be removed by the Owner that invited them.

Opt out of marketing communications

If we send you marketing communications, you may opt out by following the opt-out or unsubscribe instructions in the communication or by emailing privacy@meetprentice.com. You may continue to receive service-related and other non-marketing communications.

Training data

As described in the How we use your personal information section, we may use aggregated, de-identified, and/or anonymized data to train our AI models and to improve the Service. If you are an Owner and you would like to opt out of our use of your aggregated, de-identified, and/or anonymized data for AI training, you may do so through your account settings or by emailing privacy@meetprentice.com.

End Customer requests

End Customers do not have a direct account with Prentice, and Prentice does not act as the controller or business with respect to End Customer personal information. End Customer requests should be directed to the business that hired Prentice.

SMS opt-out

End Customers may opt out of SMS communications from a business at any time by following instructions described in messages we send on the business’s behalf.

Do Not Track

Some Internet browsers may be configured to send “Do Not Track” signals to the online services that you visit. Because the Prentice web application does not load advertising or third-party analytics trackers, this signal has no practical effect on Prentice.

Declining to provide information

We need to collect personal information to provide the Service. If you do not provide the information we identify as required or mandatory, we may not be able to provide the Service.

Linked third-party platforms

If you choose to connect the Service to a third-party platform (for example, a calendar or OAuth identity provider), you may be able to use your settings on that platform to limit the information we receive from it. Revoking our access to a third-party platform will not delete information that we have already received from it.

Other sites and services

The Service may contain links to websites, mobile applications, and other online services operated by third parties. In addition, our content may be integrated into web pages or other online services that are not associated with us. These links and integrations are not an endorsement of, or representation that we are affiliated with, any third party. We do not control websites, mobile applications, or online services operated by third parties, and we are not responsible for their actions. We encourage you to read the privacy policies of the other websites, mobile applications, and online services you use.

Security

We employ technical, organizational, and physical safeguards designed to protect personal information, including:

• Encryption in transit: all external traffic, including provider webhooks, AI-API calls, calendar APIs, and web-app traffic, uses HTTPS/TLS.
• Encryption at rest: our cloud-infrastructure provider’s platform encryption applies to our primary datastore and to blob storage.
• Tenant isolation: each business’s data is scoped by a business identifier on every record, and tenant scope is enforced at the query layer. Learned Knowledge does not cross tenant boundaries.
• Access control: the web app is gated by authenticated sessions; Owners authenticate through OAuth identity providers; internal access by Prentice personnel is limited to engineering on a need-to-access basis.

Security risk is inherent in all internet and information technologies, and we cannot guarantee the security of personal information.

International data transfer

Prentice is headquartered in the United States. The Service and the data we process for it are hosted on US-based infrastructure (cloud-infrastructure resources in US regions, with our primary application database hosted on the same infrastructure).

Cross-border transfer from Canada. If you are an Owner located in Canada, or if the business that hired Prentice is located in Canada, personal information we process for that business will routinely be transferred to and processed in the United States. By using the Service, you acknowledge and consent to this cross-border transfer.

Non-US sub-processor with operator-level access. One of our database providers is operated by a company headquartered outside the United States and has operator-level access to our primary application database. Although the underlying infrastructure is hosted in US regions, this means the provider’s operations personnel may, in the course of operating the database, access personal information processed through the Service.

Where we transfer personal information to or share personal information with third parties located outside the United States, we rely on contractual obligations and other commercially reasonable safeguards.

Children

The Service is not directed at, and is not intended for use by, children under 13. We do not knowingly collect personal information from children under 13. Owners represent in our Terms of Service that they will not direct Prentice to message individuals they know or reasonably should know are under 13. Free-text and voicemail messages received from End Customers may incidentally contain information about children; Owners are responsible for ensuring that any consents required by applicable law have been obtained for such incidental processing.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will review this Privacy Policy and update it as our practices change. Material changes will be notified to Business Personnel by email, in-product notice, or both at least 30 days before they take effect (or longer if required by law). Any modifications to this Privacy Policy will be effective upon our posting the modified version (or as otherwise indicated at the time of posting). Your continued use of the Service after the effective date of any modified Privacy Policy constitutes your acknowledgment that the modified Privacy Policy applies.

How to contact us

Prentice, LLC

2400 State Highway 121, Euless, TX 76039

Privacy: privacy@meetprentice.com

Legal: legal@meetprentice.com

State privacy rights notice

Except as otherwise provided, this section applies to residents of U.S. states to the extent they have privacy laws applicable to us that grant their residents the rights described below (collectively, the “State Privacy Laws”).

Scope of this section

Owners and Operators (business-capacity treatment). Because the Service is designed for enterprise customers and their representatives, and because we treat all Owner and Operator personal information as pertaining to that individual in their business capacity, most State Privacy Laws (other than the California Consumer Privacy Act, as amended by the California Privacy Rights Act, the “CCPA”) do not apply to personal information that we hold about an Owner or an Operator.

End Customers (service-provider / processor treatment). For personal information that we hold about an End Customer, Prentice acts as a service provider, processor, or analogous role on behalf of the business that hired Prentice. That business — not Prentice — is the controller / business as to your information. Please direct any access, correction, deletion, portability, or opt-out request to that business. Prentice will support the business in honoring valid requests as required by applicable law.

Your privacy rights

The State Privacy Laws may provide eligible residents with some or all of the following rights. These rights are not absolute and some State Privacy Laws do not provide these rights to their residents; we may decline a request as permitted by law.

• Information about the categories of personal information we have collected, the sources, the business or commercial purposes for collecting personal information, the categories of third parties with which we share personal information, and the categories of personal information disclosed for a business purpose.
• Access to a copy of personal information we have collected about you.
• Correction of inaccurate personal information we have collected about you.
• Deletion of personal information we have collected from you.
• Appeal of a denial of a request.
• Opt out of targeted advertising. This right does not apply because we do not engage in targeted advertising.
• Opt out of profiling or automated decision-making. This right does not apply because we do not use personal information to engage in profiling or to perform automated decision-making that produces legal or similarly significant effects on you.
• Opt out of the sale of personal information. This right does not apply because we do not sell personal information within the meaning of the State Privacy Laws.
• Limit processing of Sensitive Personal Information. Although End Customer communications can incidentally include categories of information classified as Sensitive Personal Information under the State Privacy Laws (for example, health information that a customer shares in a message), we do not process Sensitive Personal Information for the purpose of inferring characteristics about an individual.
• Nondiscrimination. You are entitled to exercise the rights described above free from discrimination as prohibited by the State Privacy Laws.

No sale, no sharing, no targeted advertising

Prentice does not sell personal information, does not share personal information for cross-context behavioral advertising, and does not engage in targeted advertising.

Information practices

• Sources and purposes. We collect personal information from the sources and for the purposes described in the Personal information we collect and How we use your personal information sections above.
• Retention. The criteria for retention are described in the Retention section above.
• Deidentification. We do not attempt to reidentify deidentified information derived from personal information, except for the purpose of testing whether our deidentification processes comply with applicable law.

Verification of identity; authorized agents

We may need to verify your identity in order to process your information requests and may confirm your residency. We will verify your identity by matching information you provide against information we already hold about you, and we may require you to provide a copy of a government-issued identification document, a declaration under penalty of perjury, or other reasonable identifying information for higher-risk requests, where permitted by law. Under some State Privacy Laws, you may use an authorized agent to make a request on your behalf; we may need to verify the agent’s identity and authority, and may require a copy of a valid power of attorney or written, signed permission.

Exercising your rights

Owners and Operators may submit requests by emailing privacy@meetprentice.com. End Customers should follow the procedure described in the Your choices section (route the request through the business that hired Prentice).

California-specific provisions

California’s “Shine the Light” law (Cal. Civ. Code §1798.83) does not apply to Prentice because we do not disclose personal information to third parties for those third parties’ own direct-marketing purposes.

Texas-specific provisions

If we begin to sell Sensitive Personal Information (as defined by the Texas Data Privacy and Security Act), we will publish a separate, standalone Texas notice as required by law. Today we do not sell Sensitive Personal Information.

Nevada-specific provisions

Nevada residents have the right to opt out of the sale of certain personal information for monetary consideration. We do not currently engage in such sales. If you are a Nevada resident and would like to submit an opt-out request for any potential future sales, please email privacy@meetprentice.com.

Additional information for Canadian residents (PIPEDA and CASL)

Prentice’s initial scope includes Canadian Owners and the End Customers they serve. This section addresses Prentice’s direct obligations to Canadian Owners and Operators under Canadian privacy law, including PIPEDA and applicable provincial privacy laws.

Cross-border processing

Personal information we collect from or about Canadian Owners and Operators is processed and stored on US-based infrastructure as described in the International data transfer section above. By using the Service, you acknowledge and consent to this cross-border transfer. You should be aware that, once personal information is transferred to the United States, it may be accessed by US government agencies, courts, law enforcement, and other authorities pursuant to US law (including subpoena, warrant, court order, or under national-security statutes), and may not enjoy the same protections it has under Canadian law.

Accountability and privacy officer

Prentice is accountable for personal information under its control, including personal information transferred to third parties for processing. For purposes of PIPEDA Principle 4.1 and Quebec’s Law 25, our designated privacy officer can be contacted at privacy@meetprentice.com.

Access, correction, and complaint rights for Canadian residents

If you are a Canadian resident Owner or Operator, you may ask Prentice to provide access to the personal information we hold about you, correct inaccuracies, and answer questions about our handling of your personal information. Please submit requests to privacy@meetprentice.com. If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada (or, for Quebec residents, the Commission d’accès à l’information du Québec).

End Customer data and Owner responsibility

Owners are responsible for compliance with PIPEDA and applicable provincial privacy laws (including Quebec’s Law 25) with respect to the End Customer personal information they direct Prentice to process. See Section 6.4 of our Terms of Service for the related representations, covenants, and indemnity.

CASL (Canada’s Anti-Spam Legislation)

Owners are responsible for compliance with CASL with respect to any commercial electronic messages (CEMs) sent to End Customers through Prentice, including obtaining and documenting required express or implied consent and providing identification and unsubscribe mechanisms in every CEM. See Section 6 of our Terms of Service for the related representations and indemnity.