Effective date: June 3, 2026
Last updated: June 3, 2026
The short version (in plain English)
Bearded AI runs a marketing site, the Lunara CRM web app, and sells AI voice and SMS agent services. Most of your data lives on your own device, not our servers — that's a deliberate design choice. We collect the minimum we need to operate, never sell your data, and use industry-standard tools (Google, Stripe, Web3Forms) to do things we can't do alone. You can export or delete your data anytime. Questions: beardedai.net@gmail.com.
1. Who we are
This Privacy Policy describes how Bearded AI ("Bearded AI," "we," "us," or "our") collects, uses, shares, and protects your information when you visit or use:
Our website at beardedai.net (the "Site")
Lunara, our local-first CRM application at beardedai.net/lunara/
Our admin tools, demo environments, and any subdomains under beardedai.net
Any AI voice agent, SMS agent, or related services we provide to your business under contract
Together, these are the "Services." Bearded AI is operated by Jesse Heiserman, based in Bethlehem, Pennsylvania, United States. You can reach us at any time at beardedai.net@gmail.com or (610) 735-6163.
2. What this policy covers
This policy applies to information we receive about three distinct groups of people:
Visitors — anyone who browses our Site or submits a contact form
Tenants (account holders) — businesses that sign up for Lunara or our voice/SMS services
Tenant end-users and contacts — clients, leads, crew members, and other people whose information a tenant enters into Lunara or whom a tenant's voice/SMS agent contacts
Where the policy says "you," we generally mean visitors and tenants. Where we mean tenant end-users and contacts, we'll say so explicitly.
This policy does not apply to data you collect on your own systems outside of our Services, or to third-party websites we link to. Each tenant is responsible for their own privacy practices regarding the contacts and clients they manage in Lunara.
3. Information we collect
Key principle: local-first design
Lunara is a local-first application. The bulk of your business data — clients, jobs, invoices, schedule, automation rules — is stored in your browser's localStorage on your device, not on our servers. We literally cannot see it. This is by design, and it materially reduces your privacy exposure compared to typical SaaS products.
3.1 Information you provide directly
| Category | Examples | Where it goes |
| --- | --- | --- |
| Contact form submissions | Name, email, phone, business name, message | Sent via Web3Forms to our inbox; not stored on a server we control |
| Account credentials (when backend auth is enabled in a future release) | Email address, password (hashed), company name | Currently stored in your browser's localStorage; future releases will store hashes via Supabase |
| | | Your browser's localStorage only. Never transmitted to our servers in the current architecture. |
| Payment information (when Stripe is enabled) | Card number, billing address | Sent directly to Stripe. We never see, store, or transmit raw card numbers. |
| Customer reviews | Name, rating, review text, optional company | Sent via Web3Forms to our inbox for manual approval before publication |
3.2 Information collected automatically
Standard server logs — When you visit our Site (which is hosted on AWS S3 with CloudFront), AWS records standard request logs including IP address, user agent, timestamp, and resource requested. These logs are kept for operational and security purposes.
localStorage entries — Lunara and our admin tools write data to your browser's localStorage to make the apps work. This data does not leave your device unless you explicitly export it.
Session timing — Lunara tracks the time of your last login and password change for your security.
OAuth tokens — If you connect Google Calendar/Gmail (optional), an access token is stored in your localStorage so the app can sync. We never see this token.
3.3 Information from third parties
Google Places API — When you use map and address features in Lunara, we may query Google Places to display addresses or location information for clients you enter. This is data Google publishes about businesses and addresses.
Google account info — If you connect your Google account, we receive your email address (so the app knows which account it's connected to) and limited Calendar/Gmail API access scoped to specific actions you authorize.
Stripe — When/if you subscribe to a paid plan, Stripe sends us a webhook telling us your subscription status. We do not receive your card number from this webhook.
3.4 Information our tenants enter about other people
Tenants of Lunara may enter contact information about clients, prospects, crew members, subcontractors, and other third parties into the application. This data lives in the tenant's local browser storage and is never sent to our servers. Tenants are responsible for having a lawful basis to collect, store, and process this information under applicable privacy laws.
4. How we use your information
We use the information we collect for the following purposes:
Operate the Services — provide login, sync, exports, and the features you signed up for
Communicate with you — respond to support requests, send service updates, send transactional emails (e.g. password reset)
Process payments — through Stripe, when paid plans are enabled
Marketing — only with your express opt-in. You can unsubscribe at any time.
Security and fraud prevention — detect abuse, investigate suspicious activity, enforce our Terms of Service
Legal compliance — comply with applicable laws, respond to valid legal process
Improve the Services — analyze how features are used (in aggregate, no individual tracking) to fix bugs and prioritize roadmap
We do not sell your personal information, and we do not share it with third parties for their independent marketing purposes.
5. Legal bases for processing (GDPR / UK GDPR)
If you are in the European Economic Area, the United Kingdom, or another jurisdiction with similar laws, we rely on these legal bases:
Contract — to provide the Services you signed up for
Legitimate interests — to operate, secure, and improve the Services; to prevent fraud and abuse; to communicate about your account
Consent — for marketing communications, optional integrations, and when otherwise required by law (you can withdraw consent anytime)
Legal obligation — to comply with tax, accounting, anti-money-laundering, and other legal requirements
6. How we share information
We share information in these limited circumstances:
Service providers (processors) — vendors who help us operate the Services. See Section 7 for the full list. Each is contractually bound to use your data only for the purpose we specify and to protect it appropriately.
Legal requirements — if compelled by valid legal process (subpoena, court order, government request) and we cannot push back. We will notify you of such requests where lawfully permitted.
Business transfers — if Bearded AI is acquired, merged, or sells assets, your information may transfer to the acquirer subject to this policy or a successor policy.
Safety and rights — to protect the rights, property, or safety of Bearded AI, our users, or others, including to prevent fraud or abuse.
With your consent — for any other sharing not described above, only after we ask and you agree.
We do not sell or rent personal information to third parties for their independent use. We do not engage in "cross-context behavioral advertising" or share personal information with data brokers.
| Voice agent platforms (e.g. Synthflow, Retell AI — when contracted) | AI voice agent infrastructure for tenant-purchased voice agents | Call audio, transcripts, phone numbers (if you've contracted for these services) | See respective provider's policy |
8. Google API Services User Data Policy disclosure
If you connect a Google account to use Calendar or Gmail features in Lunara, our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
What we receive: An OAuth access token scoped to the permissions you grant: typically calendar.events (create/read calendar events you authorize), gmail.send (send emails on your behalf when you click "Send"), and userinfo.email (so we can label which Google account is connected).
Where it's stored: The OAuth token is stored in your browser's localStorage on your device only. It never reaches our servers.
What we do with it: Only what you explicitly initiate — pushing an event to your calendar, sending an email you composed, or reading the events you select. We do not read your inbox. We do not bulk-read your calendar history.
What we don't do: We do not use Google user data for advertising, train AI/ML models on Google user data, share Google user data with other parties (except as needed to provide the user-facing feature), or transfer Google user data to anyone else for any reason other than to provide the feature you requested.
Disconnecting: You can revoke our access at any time at myaccount.google.com/permissions, or disconnect inside Lunara → Integrations.
9. Cookies, localStorage, and similar technologies
The Site uses minimal tracking. We do not use third-party advertising cookies, retargeting pixels, or session-replay tools.
What we use
localStorage (your device) — Lunara and the admin panel write extensively to localStorage because that's where they store all your data. Without localStorage, the apps cannot function.
sessionStorage (your device) — Used for short-lived UI state (e.g. demo entry flags) that should clear when you close the tab.
Functional cookies / storage — Used by integrated providers (Google, Stripe checkout) within their own iframes/scripts when you use those features.
Because no analytics cookies, advertising cookies, or persistent identifiers are set by Bearded AI itself, no cookie consent banner is required under most jurisdictions. If we add analytics in the future, we'll update this policy and add a clear consent mechanism.
How to clear
You can clear localStorage at any time via your browser's settings (Privacy → Clear browsing data → Cookies and other site data). Note: doing this will erase all your Lunara data on this device. Use the in-app "Export All (JSON Backup)" first if you want to keep it.
10. Data retention
| Data type | Retention |
| --- | --- |
| localStorage app data (clients, jobs, invoices, leads, etc.) | Stored on your device until you clear it. Not retained by us. |
| Contact form / review submissions | Retained in our email inbox indefinitely unless you ask us to delete |
| Account metadata (when backend enabled) | Retained for the life of your account, plus up to 30 days after account closure to allow recovery, then deleted |
| Payment / billing records | Retained as long as legally required (typically 7 years in the US for tax purposes), held by Stripe |
| AWS server logs | Up to 90 days, then automatically deleted |
| Voice/SMS agent call records | As specified in your separate Service Agreement, typically 12 months unless you request otherwise |
You can request earlier deletion at any time — see Section 12.
11. Security
We use reasonable administrative, technical, and physical safeguards to protect your information, including:
Encryption in transit — All traffic to beardedai.net is served over HTTPS (TLS 1.2+).
Local-first architecture — Most user data never leaves your device, dramatically reducing the attack surface.
Password hashing — Account passwords are hashed using SHA-256 (current local-first version) and will use industry-standard bcrypt/scrypt when migrated to Supabase.
WebAuthn / passkey support — Lunara supports Face ID, Touch ID, Windows Hello, and security keys for password change verification.
OAuth tokens scoped narrowly — Google Calendar and Gmail access is scoped to the minimum permissions needed.
Limited admin access — Master admin tools are gated by separate PINs.
Vendor selection — We use SOC 2-compliant vendors (AWS, Stripe, Supabase, Google) for data processing.
Honest disclaimer
No system is 100% secure. We cannot guarantee absolute security of information transmitted to or stored by the Services. You're responsible for maintaining the security of your own device and account credentials.
12. Your privacy rights
Depending on where you live, you may have the following rights regarding your personal information:
Access — request a copy of the personal information we hold about you
Correction — ask us to correct inaccurate or incomplete information
Deletion ("right to be forgotten") — ask us to delete your information, subject to legal retention requirements
Portability — receive your data in a machine-readable format (Lunara's "Export All (JSON Backup)" feature satisfies this for in-app data)
Objection — object to certain types of processing (e.g. marketing)
Restriction — ask us to pause processing while we investigate a concern
Withdraw consent — for processing based on consent
Lodge a complaint — with your local data protection authority
To exercise any of these rights, email beardedai.net@gmail.com with the subject line "Privacy Request." We'll verify your identity and respond within 30 days (45 in some jurisdictions). We will not discriminate against you for exercising these rights.
13. California residents (CCPA / CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act:
Right to know what personal information we have collected, used, disclosed, or sold/shared in the last 12 months
Right to delete personal information we hold about you
Right to correct inaccurate personal information
Right to opt out of the sale or sharing of your personal information — note: we do not sell or share personal information for cross-context behavioral advertising, so there is nothing to opt out of, but the right exists
Right to limit use of sensitive personal information — we don't process sensitive personal information beyond what's necessary to provide the Services
Right to non-discrimination for exercising these rights
Categories of personal information collected in the last 12 months: Identifiers (name, email, phone, IP), commercial information (subscription status), internet activity (server logs), geolocation (general from IP), professional information (company name).
Categories of sources: directly from you, automatically when you use the Site, from third-party services you connect (Google).
Categories disclosed to service providers: as listed in Section 7.
Categories sold or shared: none.
To submit a CCPA request, email beardedai.net@gmail.com with the subject "CCPA Request." Authorized agents may submit requests on your behalf with verifiable proof of authorization.
14. EU/UK residents (GDPR / UK GDPR)
For users in the European Economic Area, United Kingdom, and Switzerland, the legal bases listed in Section 5 apply. You also have the right to lodge a complaint with your supervisory authority. If you need an EU representative for GDPR purposes, contact us and we will make appropriate arrangements before serving EU customers at scale.
International data transfers: our service providers (AWS, Stripe, Google, Supabase) may process your data in the United States. These transfers are protected by Standard Contractual Clauses (SCCs) and equivalent safeguards.
15. Children's privacy (COPPA)
The Services are not directed to, and we do not knowingly collect personal information from, children under 13 (or under 16 in the EU). If you believe a child has provided personal information to us, contact beardedai.net@gmail.com and we will promptly delete it.
16. Voice & SMS agent services
If you have purchased a voice agent or SMS agent service from Bearded AI for your business, additional privacy considerations apply. This section addresses how data flows through these services.
What data we (and our subprocessors) handle
Voice call audio. When your agent answers or places a call, audio is processed by our voice infrastructure provider (e.g. Synthflow, Retell AI, Vapi, or similar — disclosed in your Service Agreement). Audio may be transcribed by an automatic speech recognition (ASR) provider and processed by a large language model (LLM) to generate the agent's responses.
Call recordings. Recorded only if your account is configured to record. Stored by the voice infrastructure provider; retention is configurable and disclosed in your Service Agreement (default: 12 months).
Transcripts. Generated automatically by the ASR layer. Used to populate Lunara's activity feed for the matching client.
SMS message content. When your SMS agent sends or receives messages, content is processed by a telecom provider (e.g. Twilio) and routed through an LLM to generate responses. Both the inbound message and outbound reply are logged.
Caller/recipient metadata. Phone numbers, call duration, timestamp, disposition (answered/voicemail/busy), and outcome (appointment booked, lead qualified, etc.).
Data subject roles
For voice/SMS data about your customers: you are the data controller (you decided to contact them, you obtained consent, you set the campaign goals). We are the processor.
This means: data subject requests (deletion, access, correction) from your callers/recipients should generally come to you first. We will support you in fulfilling them.
Compliance responsibilities
Recording consent. You as the customer are responsible for ensuring legal compliance with two-party / all-party consent laws in every jurisdiction you operate in or call into. The following US states require all parties to consent to recording: California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, Vermont, Washington. Pennsylvania falls under 18 Pa.C.S. § 5701 et seq.
TCPA / SMS / CAN-SPAM. See our Terms of Service Section 8 and our Security & Compliance telecom section for the full compliance framework. Short version: prior express written consent is required before any AI-voice or marketing-SMS contact to a wireless number.
AI disclosure. You must disclose to callers/recipients that they are interacting with an AI system. California (BPC § 17941), Utah, Colorado, and other states require this by law for commercial transactions. We strongly recommend including the disclosure in every voice agent opening greeting regardless of jurisdiction.
Data subject rights from contacted consumers. Consumers contacted by your AI agents have the same privacy rights described elsewhere in this policy (access, deletion, correction, opt-out). Direct requests through us at beardedai.net@gmail.com, and we will coordinate with you to fulfill them.
How recordings and transcripts are protected
Recordings and transcripts are encrypted at rest by the voice infrastructure provider
Access is limited to you (the account holder) and Bearded AI staff for support purposes
We do not use call audio or transcripts to train AI models
We do not share call data with third parties except as required by law or to provide the service
On account closure, you can request deletion of all recordings and transcripts per the retention schedule in your Service Agreement
17. International data transfers
Bearded AI is based in the United States. By using the Services, you consent to your information being transferred to and processed in the United States, where data protection laws may differ from your home jurisdiction. For users in the EEA, UK, and Switzerland, transfers are made under appropriate legal mechanisms including Standard Contractual Clauses.
18. Do Not Track signals
We do not currently respond to "Do Not Track" browser signals because there is no industry consensus on how to interpret them. We don't engage in cross-site tracking regardless. The Global Privacy Control (GPC) signal is treated as a valid request to opt out of sale/sharing of personal information under CCPA.
19. Breach notification
If we discover a security incident affecting your personal information, we will notify you and applicable regulators as required by law — typically without undue delay and within 72 hours of becoming aware of a breach (per GDPR), and as soon as practicable under US state laws. Notice will describe the nature of the breach, the data involved, what we're doing about it, and what you can do to protect yourself.
20. Automated decision-making and AI disclosures
Bearded AI uses automation and AI in the following ways:
Lunara automation rules — Tenants configure their own automation rules (e.g. "when an estimate is sent, queue a follow-up email"). These act on tenant-controlled data inside the tenant's browser and produce no automated decisions about people.
AI voice/SMS agents — When contracted, these are autonomous AI systems that handle conversations on your business's behalf. The AI is making real-time decisions during calls. Consumers interacting with these agents have the right to know they're talking to an AI and can request a human at any time.
You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. None of our current automations meet that bar — they're either advisory (scores) or executing tenant-defined rules (automation engine) or autonomous within a clearly-disclosed AI service (voice agents).
21. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes:
We'll update the "Last updated" date at the top
For significant changes, we'll provide more prominent notice (banner on the Site, or email to active tenants)
Continued use of the Services after the effective date means you accept the updated policy
For minor clarifications, typo fixes, or restructuring (no substantive change), we may update without separate notice.
22. Contact us
Questions, concerns, or requests about this policy or your data:
Mail: Bearded AI, Bethlehem, Pennsylvania, USA (specific address available on request)
For privacy-specific requests (access, deletion, correction, etc.), please use the subject line "Privacy Request" so we route it correctly. We'll acknowledge receipt within 5 business days and respond substantively within 30 days (or 45 days if we need an extension under applicable law).