Privacy Policy
Last updated: April 2026
Contents
- 1. Who We Are
- 2. Who This Policy Covers
- 3. Important Notice - Data Storage Location
- 4. Data We Collect
- 5. How We Use Your Data
- 6. SMS Communications
- 7. Third-Party Services
- 8. Cookies and Tracking
- 9. Data Retention
- 10. Your Rights
- 11. Data Security
- 12. Children's Privacy
- 13. AI and Automated Decision-Making
- 14. International Data Transfers
- 15. Changes to This Privacy Policy
- 16. Contact Us
1. Who We Are
Kithmatic is operated by Driftel Labs, a business based in Toronto, Ontario, Canada. We can be reached at:
Email: privacy@driftellabs.com
Website: kithmatic.com
For the purposes of applicable privacy law, Driftel Labs is the data controller for the personal data of business owners who use Kithmatic. For the personal data of callers (your customers), you - the business owner - are the data controller, and Driftel Labs acts as your data processor.
2. Who This Policy Covers
This Privacy Policy applies to two groups of people:
Business owners and their staff - individuals who create a Kithmatic account, configure the service, and use the dashboard.
Callers - members of the public who call a business that uses Kithmatic, whose calls are handled by our AI on that business's behalf.
If you are a caller who spoke with a Kithmatic-powered AI receptionist and want to know how your data was used, your primary contact is the business whose number you called. You may also contact us directly at privacy@driftellabs.com.
3. Important Notice - Data Storage Location
All data processed through Kithmatic is currently stored on servers located in the United States.
We use infrastructure providers including Railway, Supabase, and others whose servers are based in the US. This means that if you are based in Canada, your data - and your callers' data - is transferred to and stored in the United States.
What this means for Canadian users: Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), cross-border transfers of personal data are permitted provided that reasonable safeguards are in place. We take steps to ensure appropriate contractual and technical safeguards exist with our US-based service providers. However, once data crosses the border, it may be subject to US laws including lawful access requests by US government authorities.
Our intention: As Kithmatic grows, we intend to offer Canadian data residency for Canadian customers. We will update this policy and notify you when this option becomes available.
4. Data We Collect
4.1 Data Collected From Business Owners
Account and identity information
- Email address
- Phone number (used for SMS alerts and account verification)
- Password (stored as a secure hash - we never store plain text passwords)
Business information
- Business name and industry
- Business address and location details
- Opening hours and timezone
- Services offered, including service names, durations, and pricing
Staff information (if provided)
- Names of staff members
- Contact details for staff if provided for scheduling or notifications
- Role and assignment within your account
Billing information
- Payment card details - collected and processed by Stripe. We do not store your card number, expiry, or CVV.
- Billing address (if provided)
- Transaction history and subscription status
Usage and configuration data
- AI prompt settings and greeting configurations
- Emergency contact numbers you designate
- Integration settings (e.g. Google Calendar tokens)
- Dashboard activity and feature usage
4.2 Data Collected From Callers
Caller identity information
- Phone number (captured from inbound call metadata)
- Name (if provided during the call)
- Address (if provided during the call)
- Email address (if provided during the call)
Call content
- Full call transcript - a text record of everything said during the call
- Call duration and timestamp
- Call outcome (booked, inquiry, emergency, cancelled)
Booking information
- Requested service
- Preferred date and time
- Any additional details provided by the caller during booking
4.3 Data We Collect Automatically
- IP address
- Browser type and version
- Device type and operating system
- Pages visited and time spent
- Referring URL
- Session identifiers for authentication
- Error logs and crash reports
5. How We Use Your Data
5.1 For Business Owners
We use your data to:
- Create and maintain your account
- Provide and operate the Kithmatic service
- Process your subscription payments and manage billing
- Send you transactional SMS notifications (call alerts, booking summaries, emergency alerts)
- Send you service-related emails (receipts, plan changes, renewal notices)
- Send you product update and feature announcement emails (you may opt out at any time)
- Provide customer support
- Monitor service performance and diagnose technical issues
- Improve our AI models using anonymised and aggregated data - never using your identifiable data
- Comply with our legal obligations
5.2 For Callers
We process caller data on behalf of the business that uses Kithmatic. We use caller data to:
- Handle the inbound call and provide the AI answering service
- Create booking records in the business owner's account
- Send appointment confirmation SMS messages on behalf of the business
- Send appointment reminder SMS messages on behalf of the business
- Send Google review request SMS messages on behalf of the business (if enabled)
- Detect potential emergency situations and alert the business owner
- Provide call transcripts to the business owner in their dashboard
We do not use caller data for any purpose beyond operating the service for the specific business that received the call. We do not market to callers, share caller data with other businesses, or use caller data to build advertising profiles.
6. SMS Communications
To business owners:
- Call summary alerts after each call
- Emergency alerts when keywords are detected
- Payment notifications
- Service notifications
To callers (on behalf of the business):
- Booking confirmation messages
- Appointment reminder messages
- Google review request messages (if enabled by the business)
- Cancellation confirmations
Opting out of SMS: Callers may reply STOP to any SMS to opt out of future messages. Business owners may manage their SMS preferences in their account dashboard.
We comply with Canada's Anti-Spam Legislation (CASL) and the US Telephone Consumer Protection Act (TCPA) for all SMS communications.
7. Third-Party Services
We share data with the following third-party service providers to operate Kithmatic:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database hosting | United States |
| Railway | API and infrastructure hosting | United States |
| Retell AI | AI voice call handling | United States |
| OpenAI | AI language model | United States |
| ElevenLabs | AI voice synthesis | United States |
| Twilio | SMS delivery | United States |
| Resend | Transactional email | United States |
| Stripe | Payment processing | United States |
| Sentry | Error monitoring | United States |
| PostHog | Product analytics | United States |
|  | Calendar integration | United States |
We do not sell your data or your callers' data to any third party for advertising, marketing, or any other purpose.
9. Data Retention
Business owner data: Retained for as long as your account is active. After cancellation, data is retained for 90 days to allow for reactivation, then permanently and irreversibly deleted.
Caller data: Call transcripts, booking records, and caller information are retained for as long as your business account is active. Deleted when your account is deleted.
Anonymised data: Anonymised and aggregated data may be retained indefinitely for improving our AI models.
Legal holds: In certain circumstances, we may be required by law to retain data beyond the periods described above.
10. Your Rights
10.1 Rights of Business Owners
Under applicable Canadian privacy law (PIPEDA) and US state privacy laws, you have the right to:
- Access - request a copy of the personal data we hold about you
- Correction - request that we correct inaccurate or incomplete data
- Deletion - request deletion within 30 days (triggers 90-day retention period)
- Withdrawal of consent - withdraw consent to processing where consent is the basis
- Portability - export your account data in a machine-readable format
- Complaint - lodge a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca)
To exercise any of these rights, contact us at privacy@driftellabs.com. We will respond within 30 days.
10.2 Rights of Callers
If you are a member of the public who called a business using Kithmatic and wish to exercise rights over your personal data, please contact the business directly. You may also contact us at privacy@driftellabs.com.
11. Data Security
We implement the following security measures:
- All data in transit is encrypted using TLS
- Passwords are stored using industry-standard one-way hashing (bcrypt)
- Access to production systems is restricted to authorised team members only
- We use Sentry to monitor for errors and potential security incidents
- Payment data is handled entirely by Stripe and never stored on our servers
- OAuth tokens for integrations are stored encrypted
In the event of a data breach, we will notify you as required by applicable law - within 72 hours where required - and take immediate steps to contain and remediate the issue.
12. Children's Privacy
Kithmatic is a business-to-business service and is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, contact us at privacy@driftellabs.com and we will delete it promptly.
13. AI and Automated Decision-Making
What is automated:
- Identifying the caller's intent (booking, inquiry, emergency, cancellation)
- Detecting emergency keywords in the conversation
- Booking appointments in the business's calendar
What is not automated:
- No decisions with significant legal effects on callers are made automatically
- All bookings can be reviewed, modified, or cancelled by the business owner
- Emergency escalation triggers an SMS alert - a human is always in the loop
You have the right to request human review of any automated decision. Contact the business directly or reach us at privacy@driftellabs.com.
14. International Data Transfers
All data is currently processed on servers in the United States. When data is transferred outside of Canada, we rely on contractual commitments from US-based providers to maintain appropriate data protection standards and technical safeguards including encryption in transit and at rest. By using Kithmatic, you acknowledge and accept that your data will be processed in the United States.
15. Changes to This Privacy Policy
When we make material changes, we will:
- Update the “Last updated” date at the top of this document
- Notify you by email at least 14 days before changes take effect
- Display a notice in your Kithmatic dashboard
Your continued use after the effective date constitutes acceptance. If you do not accept the changes, you may cancel your account before they take effect.
16. Contact Us
For any questions, concerns, or requests related to this Privacy Policy:
Driftel Labs
Toronto, Ontario, Canada
privacy@driftellabs.com
kithmatic.com
We aim to respond to all privacy inquiries within 5 business days and to resolve all requests within 30 days.
This Privacy Policy has been prepared for general operational purposes. It is not a substitute for legal advice. Driftel Labs strongly recommends having this policy reviewed by a qualified lawyer familiar with PIPEDA, CASL, and applicable US state privacy laws.