Privacy Policy
Version 2026-04-17.2 · Effective April 17, 2026
SandyBrook Dev Works LLC ("SandyBrook," "we," "us," or "our") operates the Relay platform ("Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information — including information about callers who interact with a Relay-powered phone line — when you or they use the Service.
1. Information We Collect
Account Information. When you sign in via a third-party provider (Google, or email/password backed by Google Identity Platform), we receive your name, email address, and provider account identifier. We do not collect or store passwords.
Call Data. When a caller dials a Relay-powered phone number, we process and store: call audio (as a WAV recording), the AI-generated transcript, the AI-generated summary, the caller's phone number (E.164), start/end timestamps, and duration. Any structured data produced by the assistant during the call — such as appointment bookings — is also stored.
SMS Data. Relay does not accept inbound SMS on tenant phone numbers. When the SMS add-on is active, the Service sends outbound notification messages from a Sandy Brook–operated number — to verified tenant recipients (alerts, daily summaries) and, with the caller's verbal consent during a Receptionist call, to callers (appointment booking confirmations). For each outbound message we process and store: recipient phone number (E.164), message body, segment count returned by the carrier, and delivery status. For caller confirmations, we additionally store an opt-in audit record (timestamp, originating call SID, source = "verbal-receptionist"). See Section 5 (SMS / Text Messaging) for the specific disclosures that apply.
Configuration Content. Text you enter in Receptionist/Assistant Mode configuration, Knowledge Base entries, and trusted-number labels is stored on our systems so the assistant can use it during calls.
Billing Metadata. If you subscribe to a paid plan, Stripe stores payment instrument data on its systems; we receive only non-sensitive identifiers (Stripe customer ID, subscription ID, plan tier, invoice status).
Usage Data. IP address, browser type, pages visited, and timestamps, to operate and improve the Service.
2. How We Use Your Information
- To provide, operate, and maintain the Service.
- To process and deliver call recordings, transcripts, and summaries to you.
- To authenticate your identity and manage your account.
- To communicate with you about your account, billing, or the Service.
- To detect, prevent, and address technical issues or abuse.
We do not sell your data, and we do not use call content to train any model — ours or a sub-processor's. See Section 4.
3. Sub-processors & Data Flow
Delivering the Service requires sharing specific data with the sub-processors listed below. Each row identifies the provider, its role, and the categories of data it receives. Each provider is governed by its own terms and privacy policy.
Twilio, Inc.
Voice telephony · call routing · audio transport · WAV recording generation · SMS delivery via shared 10DLC campaign
Data received: caller phone number, called phone number, real-time call audio (transported to our infrastructure), recorded audio (generated and temporarily held for download), inbound and outbound SMS message content for accounts that have activated the SMS add-on.
Google LLC — Vertex AI / Gemini Live
Real-time speech recognition, natural language understanding, text generation, text-to-speech
Data received: real-time caller audio streamed during the call; recorded audio re-submitted after the call for transcription and summarization; the system prompt (tenant configuration + knowledge base content). Not used to train Google's foundation models — see Section 4.
Google LLC — Google Cloud Platform
Hosting (Cloud Run) · Firestore (tenant + call metadata) · Cloud Storage (recordings) · Cloud KMS (encryption keys) · Cloud Tasks / Scheduler / Logging / Monitoring
Data received: all stored call data (transcripts, summaries, WAV recordings), tenant account and configuration data, application logs (which may contain metadata such as call IDs and timestamps). Data is stored in the United States (region us-central1), encrypted in transit (TLS) and at rest.
Stripe, Inc.
Subscription billing · payment processing · invoicing
Data received: your email, company name, plan tier, subscription state, invoice line items (minutes used, overage), and payment instrument data that you enter directly into Stripe's hosted Checkout page. Stripe does not receive call audio, transcripts, or summaries.
Brevo (Sendinblue SAS)
Transactional email delivery (call summaries, notifications)
Data received: recipient email address, company name, caller phone number, AI-generated summary text, and a link to the call detail page. Call audio is not transmitted via email.
Google LLC — Identity Platform (Firebase Auth)
Email/password authentication storage
Data received: email address and salted/hashed password. Passwords are stored by Google Identity Platform; they are never transmitted to or stored by Relay.
4. AI Model Training
Relay processes call audio and text using Google's Gemini models via Vertex AI. Per Google's Vertex AI data governance policy, customer content (including prompts and model responses) is not used to train or fine-tune Google's foundation models, and is not made available to other customers.
Relay does not operate its own machine-learning models, and we do not use your call content to train, fine-tune, or otherwise improve any model that we or a third party distributes.
Google may retain prompts and responses for a short period for abuse monitoring and to operate the service (see the linked Google policy for exact retention). This is separate from model training.
5. SMS / Text Messaging
Relay sends SMS, but does not accept SMS on tenant-provisioned numbers — inbound texts to those numbers are silently dropped at the carrier. All Relay SMS traffic is outbound and transactional, sent from a single Sandy Brook–operated number, and falls into one of the two categories below. We do not send marketing, promotional, or broadcast SMS, and we do not allow subscribing businesses to do so either.
Tenant notifications. When a subscribing business activates the SMS add-on and verifies a recipient phone via one-time code, Relay sends them transactional SMS for events they opt into in their dashboard: new voicemail, urgent voicemail, daily summary, and appointment booked. These messages go only to phones the business itself added and verified.
Caller booking confirmations. When a caller schedules an appointment through Receptionist Mode, the assistant verbally asks if they would like a text confirmation. If the caller agrees and provides a phone number, Relay sends a confirmation message and (if the appointment is later canceled by the business) a cancellation message. We record an opt-in audit entry (timestamp, originating call SID, source = "verbal-receptionist") for each caller who consents. We do not message a caller who does not opt in, even if their CallerID is otherwise known to us.
We do not sell your phone number or SMS content to any third party. Mobile phone numbers and SMS consent are not shared with third parties or affiliates for marketing purposes under any circumstances. SMS data is processed only by the sub-processors listed in Section 3 (Twilio for delivery) and only for the purpose of operating the service.
Opting out (STOP). Reply STOP, UNSUBSCRIBE, CANCEL, QUIT, or END to any message sent from the Relay number to stop receiving further messages. You will receive one confirmation message, then no further messages will be sent. STOP requests are processed automatically by Twilio Advanced Opt-Out and apply across tenants — once you opt out, you will not receive Relay messages on behalf of any business.
Getting help (HELP). Reply HELP to the Relay number for information about the service, or contact us directly at hello@sandybrook.io.
Geographic scope. Relay SMS currently delivers to U.S. and Canadian numbers (NANP) only. Messages to numbers outside that range are not sent.
Message frequency and rates. Tenant alert frequency follows the events the subscribing business has enabled (typically one per inbound voicemail or appointment, plus an optional daily digest). Caller confirmations are limited to one per booked appointment plus one if that appointment is later canceled. Message and data rates may apply based on your mobile carrier plan. Relay and Sandy Brook DevWorks are not responsible for carrier charges you incur.
For sample messages, the exact opt-in copy used in the dashboard, and the public Call-to-Action disclosure for our 10DLC campaign, see our SMS Messaging Policy.
6. Data Storage and Security
All data is stored on Google Cloud Platform in the United States (region us-central1). Data is encrypted in transit (TLS) and at rest (GCP default encryption). Call recordings are stored in access-controlled private Cloud Storage buckets; transcripts and metadata are stored in Firestore.
Third-party OAuth refresh tokens (e.g., Google Calendar integration) are envelope-encrypted with a customer-scoped Cloud KMS key before persistence.
7. Data Retention
Call recordings, transcripts, summaries, and related metadata are retained for 90 days by default, after which they are permanently purged by a nightly job. Tenants may change the retention window in Settings to 30, 60, 90, 180 days, 1 year, 3 years, or unlimited (no automatic purge).
Individual calls can be exempted from automatic purge by applying a Legal Hold flag on the call detail page — for example, when a call is relevant to an active dispute or investigation. Legal Hold preserves the call indefinitely until the tenant removes the flag.
Account information and billing records are retained for the life of your account and for a period afterward as required by law or to resolve disputes.
Deletion on demand. You can delete any specific call at any time from the call detail page, which cascade-deletes both the recording and the transcript/summary. A separate "Delete on behalf of caller" action is provided on the call detail page for handling caller-initiated right-to-erasure requests (CCPA / GDPR Article 17); the deletion is recorded with the reason you provide for audit purposes. Account-wide deletion is available from Settings; on deletion we purge your call recordings, transcripts, summaries, and configuration from our systems and instruct sub-processors to do the same, subject to their own retention policies.
8. Your Rights
Depending on your jurisdiction (including under GDPR, UK GDPR, and CCPA/CPRA), you may have the right to:
- Access the personal data we hold about you.
- Request correction or deletion of your personal data.
- Object to or restrict processing of your personal data.
- Request a portable copy of your data.
- Withdraw consent for processing (where processing is based on consent).
To exercise these rights, contact us at privacy@sandybrook.io. If you are a caller whose call was handled by a Relay-powered phone line, we typically do not have a direct relationship with you; please contact the business operating the phone line, who is the primary controller of the call data.
9. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes are published with an incremented version number at the top of this page and are announced via dashboard notice or email.
11. Contact Us
Questions about this Privacy Policy, or about the data we process on your behalf, can be sent to privacy@sandybrook.io. For our Terms of Service, see the linked page.