Privacy Policy

Quitlo (“Service,” “we,” “us,” or “our”) is committed to protecting your privacy and the privacy of your customers. This Privacy Policy explains how we collect, use, store, and share information when you use our Service.

This policy covers two categories of individuals:

1. Customers — businesses and individuals who create a Quitlo account and use our Service
2. End Users — the customers of our Customers who may receive AI voice calls through the Service

1. Information We Collect

1a. Information from Customers (Quitlo Account Holders)

Account Information:

• Name, email address, and password (or authentication credentials via Google OAuth)
• Company name
• Billing information (processed and stored by Stripe — we do not store payment card numbers)

Integration Data:

• Stripe Connect OAuth tokens (encrypted at rest) for accessing your subscription cancellation events
• Slack OAuth tokens (encrypted at rest) for posting messages to your workspace
• Connected Stripe account identifiers
• Connected Slack workspace and channel identifiers

Usage Data:

• Number of calls initiated, completed, and failed
• Feature usage and interaction with the dashboard
• IP address, browser type, and device information (collected automatically via server logs)

1b. Information from End Users (Your Customers Who Receive Calls)

Information received from your Stripe account:

• Name
• Email address
• Phone number (if available in Stripe customer record)
• Subscription and product information (what they were subscribed to)

Information collected during AI voice calls:

• Voice recordings of the conversation
• Transcripts generated from voice recordings
• Structured analysis derived from transcripts (churn reason, sentiment, etc.)

Information we do NOT collect from End Users:

• Payment card numbers, bank account details, or billing amounts
• Social Security numbers or government-issued identification
• Any information not voluntarily shared during the call

1c. Landing Page Demo

Visitors who use the interactive demo on our landing page may engage in a simulated AI voice call. During the demo:

• We temporarily process the voice conversation via WebRTC
• We generate a transcript and analysis for display purposes
• We do not store demo call recordings or transcripts beyond the browser session
• We do not require or collect personal information to use the demo
• We may collect anonymous usage data (demo started, demo completed) for product analytics

2. How We Use Information

Customer Information

• To provide and maintain the Service
• To process payments and manage subscriptions
• To communicate with you about your account, updates, and support
• To improve the Service based on usage patterns
• To comply with legal obligations

End User Information

• To conduct AI voice calls on behalf of our Customers
• To generate transcripts and structured analysis
• To deliver churn insights to our Customer's Slack channel and dashboard
• We do not use End User call content to train AI models unless the Customer explicitly opts in
• We do not contact End Users for any purpose other than the authorized feedback call
• We do not sell, rent, or share End User information with any third party other than the Customer on whose behalf the call was made

Aggregated and Anonymized Data

We may create anonymized, aggregated datasets from call data for:

• Industry benchmarking (e.g., “average churn reasons across SaaS companies”)
• Product improvement
• Marketing content (e.g., “34% of churned customers cite integration issues”)

Aggregated data contains no personally identifiable information and cannot be traced back to any individual End User or Customer.

3. How We Store and Protect Information

Storage

• Account data and call records: Supabase (PostgreSQL), hosted on secure cloud infrastructure
• OAuth tokens (Stripe, Slack): Encrypted at rest using AES-256 encryption
• Call recordings: Encrypted at rest, stored in secure cloud storage
• Transcripts and analysis: Stored in our database, associated with the Customer's account

Security Measures

• All data transmitted via TLS 1.2 or higher
• OAuth tokens encrypted at rest
• Webhook signatures verified on all incoming requests
• Row-level security enforced at the database level — Customers can only access their own data
• Regular security reviews and monitoring
• Access to production systems restricted to authorized personnel

Retention

• Active accounts: Data retained for the duration of the subscription
• After cancellation: Data retained for 90 days, then permanently deleted
• Call recordings: Retained for 90 days after the call, then permanently deleted (unless the Customer requests earlier deletion)
• Demo calls: Not stored beyond the browser session

Customers may request deletion of their data at any time by contacting us at privacy@quitlo.com.

4. Third-Party Services

We use the following third-party services to operate Quitlo:

Each third-party service operates under its own privacy policy. We select services that maintain appropriate security standards and data protection practices.

OpenAI Data Usage

Call transcripts are sent to OpenAI's API for analysis. As of the date of this policy, OpenAI does not use API inputs to train its models. We use the API with data retention disabled where available. For the most current information on OpenAI's data handling, refer to OpenAI's privacy policy and API data usage policy.

5. AI Voice Calls — Disclosure and Consent

Call Disclosure

Every AI voice call initiated through Quitlo:

• Identifies itself as an AI assistant at the beginning of the call
• States the company name on whose behalf it is calling
• Provides an immediate option to end the call
• Does not disguise or misrepresent its nature

Consent Framework

Quitlo operates on the basis that:

• The Customer (our account holder) has obtained appropriate consent from their End Users for service-related communications, including automated calls for feedback purposes
• The Customer's terms of service and/or privacy policy with their End Users permits such communication

We provide consent language templates that Customers can incorporate into their own terms of service and privacy policies. However, it is the Customer's responsibility to ensure compliance with applicable consent requirements.

Do Not Call

• End Users who request not to be called during any interaction are immediately added to a do-not-call list for that Customer's account
• End Users who hang up or opt out during a call are not called again
• Customers can manually add numbers to their do-not-call list

6. Cookies and Tracking

Landing Page (quitlo.com)

• We use essential cookies for site functionality
• We may use analytics cookies (such as Google Analytics or Plausible) to understand visitor behavior
• We do not use advertising cookies or retargeting pixels
• The demo widget does not set persistent cookies

Application (app.quitlo.com)

• Session cookies for authentication (managed by Clerk)
• No third-party analytics or advertising cookies in the application

7. Your Rights (Customers)

You have the right to:

• Access your data — request a copy of all data we hold about your account
• Correct inaccurate information in your account
• Delete your account and all associated data
• Export your call data, transcripts, and analysis
• Withdraw consent for optional data processing (such as aggregated benchmarking)
• Object to processing where we rely on legitimate interest

To exercise any of these rights, contact us at privacy@quitlo.com.

8. End User Rights

End Users (your customers who receive AI calls) have the right to:

• Opt out of any call immediately by requesting it during the call
• Request information about what data was collected during their call — such requests should be directed to the Customer (the company on whose behalf the call was made), who can access the call transcript and analysis in their Quitlo account
• Request deletion of their call data — such requests should be directed to the Customer, who can delete specific call records from their account, or to us at privacy@quitlo.com

When we receive a direct request from an End User, we will make reasonable efforts to identify the Customer account and facilitate the request.

9. International Data Transfers

Quitlo's infrastructure is hosted in the United States. If you or your End Users are located outside the United States, data will be transferred to and processed in the United States.

For customers subject to GDPR:

• We process data as a data processor on your behalf
• We offer a Data Processing Agreement (DPA) upon request
• Transfers are conducted under Standard Contractual Clauses (SCCs) where required

To request a DPA, contact us at privacy@quitlo.com.

10. Children's Privacy

Quitlo is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child under 18, we will delete it promptly.

11. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

• Right to know what personal information we collect and how it is used
• Right to delete your personal information
• Right to opt out of the sale of personal information — we do not sell personal information
• Right to non-discrimination for exercising your privacy rights

To exercise these rights, contact us at privacy@quitlo.com.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service at least 30 days before they take effect. The “Last Updated” date at the top of this policy indicates when the most recent changes were made.

13. Contact Us

For questions or concerns about this Privacy Policy:

Email: privacy@quitlo.com
General inquiries: hello@quitlo.com
Website: quitlo.com/contact

For data protection inquiries from EU residents, you may also contact your local data protection authority.