Privacy Policy - LIFTSTACK.AI

This is a v1 template that requires lawyer review before launch. Consult a qualified attorney for legal advice specific to your situation.

1. Who We Are

LIFTSTACK.AI is operated by [LIFTSTACK.AI legal entity], a company providing AI automation and security services to small and mid-size businesses in Canada and Argentina. We also serve clients in the European Union and other jurisdictions.

Contact: [email protected]

2. Scope of This Policy

This policy applies to:

The liftstack.ai website and all subdomains
Our AI Operations services (voice agents, booking automation, lead generation, content automation, ops workflows, custom cloud builds)
Our Security Services (penetration testing, security audits, AI hardening engagements)
All personal data we process in the course of delivering those services

3. What Data We Collect

3.1 Data You Provide Directly

Contact and lead intake forms: name, email address, phone number, business name, and any additional information you include in a message
Booking and scheduling data: appointment date, time, and any pre-booking questionnaire responses submitted through our scheduling tool
Engagement-specific data: information you share during onboarding, scoping calls, or project delivery (for example, access credentials managed under strict need-to-know controls, workflow configuration details, or business-process documentation)

3.2 AI Workflow Data

When you use a LIFTSTACK.AI-built automation, such as an AI voice receptionist or a lead-generation workflow, data flows through that system as part of the service. The specific data processed depends on the package. We describe it in your service agreement. Common examples include:

Inbound call content and transcripts processed by AI voice services
CRM records synced between platforms
Lead data enriched through automation pipelines

3.3 Voice Recordings

If you use our AI Receptionist package, voice calls may be recorded and transcribed to deliver the service. Recordings are retained for [retention period in days] days and then permanently deleted, unless you have opted in to extended retention in your service agreement.

3.4 Website Analytics

We use a privacy-first analytics tool (Plausible Analytics or Vercel Analytics, no cookies, no cross-site tracking, no fingerprinting). We collect aggregate page-view data to understand traffic patterns. No personal identifiers are attached to analytics events.

3.5 Cookies

We do not use third-party tracking cookies. Our site may set a session cookie strictly necessary for functionality. No advertising or retargeting cookies are used.

4. How We Use Your Data

Purpose	Legal Basis (GDPR Art. 6)	PIPEDA Principle
Responding to inquiries and booking requests	Legitimate interest / Pre-contractual steps	Identifying purpose, consent
Delivering contracted AI automation services	Performance of a contract	Identifying purpose, accountability
Delivering security engagements	Performance of a contract	Identifying purpose, accountability
Sending transactional service emails	Performance of a contract	Identifying purpose, consent
Improving our service quality through anonymized analysis	Legitimate interest	Identifying purpose
Complying with legal obligations	Legal obligation	Accountability

We do not use your data for advertising. We do not sell your data to any third party. We do not train AI models on your data.

5. Sub-Processors

We share data with the following categories of third-party processors only to the extent necessary to deliver our services. We maintain data processing agreements with each.

Category	Provider(s)	Data Touched	Location
Website hosting and infrastructure	Vercel or DigitalOcean	Website traffic, form submissions	USA / EU
CDN, DNS, and WAF	Cloudflare	Network traffic metadata	USA / EU
Transactional email	Resend	Name, email address	USA
Booking and scheduling	Cal.com	Name, email, appointment data	USA / EU
AI inference (language and voice)	OpenAI, Anthropic, ElevenLabs	Prompts and responses per workflow	USA
CRM	HubSpot or Notion	Name, email, business name, deal notes	USA

We do not permit sub-processors to use your data for their own purposes beyond what is needed to process it on our behalf.

AI Inference Data Handling

We do not permit OpenAI, Anthropic, or ElevenLabs to train their models on data we send through API calls.
Prompts and responses are processed transiently per the settings available through each provider’s API.
We configure retention at the minimum available option for each provider. Refer to their respective privacy policies for their own data-handling terms.

6. Data Retention

Data Category	Retention Period
Lead intake form data	24 months from last contact, or on deletion request
Contracted client project data	Duration of engagement plus 12 months
Voice recordings	[retention period in days] days, then permanently deleted (unless extended retention is opted in)
Transactional email logs	6 months
Analytics (aggregate, non-personal)	Indefinite
Security engagement reports	Duration of engagement plus 36 months

7. International Data Transfers

We are based in Canada and Argentina. Some sub-processors are located in the United States or the European Union. We rely on the following mechanisms for cross-border transfers:

Canada to USA: We use sub-processors operating under standard contractual clauses or equivalent safeguards.
Canada to EU: Canadian law is recognized as adequate by the European Commission for GDPR purposes.
Argentina to USA and EU: Argentina’s Ley 25.326 permits transfers to countries with adequate protection. For transfers to the USA, we rely on contractual safeguards.
For EU residents: Where required, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission.

8. Your Rights

Your rights depend on the jurisdiction where you are located. We honor all of the following regardless of jurisdiction.

Access: Request a copy of the personal data we hold about you.
Correction: Ask us to correct inaccurate or incomplete data.
Deletion: Ask us to delete your personal data, subject to legal retention requirements.
Portability: Request your data in a structured, machine-readable format (where technically feasible).
Objection: Object to processing based on legitimate interest.
Restriction: Ask us to restrict processing while a complaint or correction is in progress.
Withdrawal of consent: Where we rely on consent, withdraw it at any time without affecting prior lawful processing.

To exercise any right, email [email protected]. We will respond within 30 days. We may ask you to verify your identity before acting on a request.

Complaints to Regulators

Canada: You may file a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.

Argentina: You may file a complaint with the Agencia de Acceso a la Informacion Publica (AAIP) at aaip.gob.ar.

European Union: You may contact the data protection authority in your EU member state.

9. Data Security

We apply security controls consistent with our security-engineering background:

All client environments we build are deployed with infrastructure-as-code, least-privilege IAM, secrets management (Vault or cloud-native KMS), and full audit logging.
Data in transit is encrypted using TLS 1.2 or higher.
Access to production systems is restricted to authorized personnel and protected by multi-factor authentication.
We conduct internal security reviews of our own tooling as part of normal operations.

No system is completely immune to attack. If you believe your data has been compromised, contact [email protected] immediately.

10. Children’s Privacy

Our services are directed at business owners and professionals. We do not knowingly collect personal data from individuals under 18. If you believe we have inadvertently collected such data, contact [email protected] and we will delete it promptly.

11. Changes to This Policy

We will post updates to this page with a revised “Last updated” date. For material changes, we will notify active clients by email.

12. Contact

[LIFTSTACK.AI legal entity] [email protected] [email protected] (data security concerns only)