Privacy Policy

This policy applies to:

• business owners, staff members, and account users who use the small Talk dashboard or website;
• customers who receive a review request or submit public-review inputs or private feedback through a small Talk review flow; and
• people who contact us for support, sales, or other inquiries.

In many cases, the business that invited a customer into a review flow controls the underlying customer relationship. small Talk processes that information so we can provide the service to that business.

That means a customer may have rights both with respect to small Talk and with respect to the business that sent the review request.

The information we collect depends on how you use small Talk.

Information collected from business owners and account users

• name, business name, and email address;
• password and authentication-related information;
• business profile information, including logo, city, neighborhoods, Google review or place links, service names, and team member names;
• review request templates, reply voice preferences, reminder settings, quiet hours, time zone, and batch-send settings;
• billing and subscription information, including subscription status, trial usage, Stripe customer and subscription references, and billing portal activity;
• support requests, help-center messages, and account communications.

Information businesses submit about their customers

• customer names;
• customer phone numbers and email addresses;
• service type and employee or technician names associated with a visit;
• review request scheduling and delivery information;
• customer and job details imported from connected tools such as Jobber, when a business enables that integration.

Information customers provide through the review flow

• star ratings;
• topics selected and follow-up answers about the customer’s experience;
• optional written details or comments;
• private feedback messages submitted to a business;
• edited or approved review draft text;
• optional voice-input transcripts if the customer uses browser speech recognition features in the review flow.

We do not intentionally ask customers to provide sensitive personal information, such as medical information, government IDs, or financial account numbers, through the review flow.

Information collected automatically

• IP address, browser type, device information, operating system, and referral data;
• pages viewed, app events, clicks, usage behavior, and feature interactions;
• session, cookie, and local-storage identifiers used for authentication, analytics, and product functionality;
• message delivery logs, review-link status, and reminder activity;
• limited session replay and diagnostic analytics on dashboard pages, with text and input masking enabled.

• provide, operate, secure, and improve the small Talk product;
• create and manage business accounts and onboarding flows;
• send review requests, reminders, emails, and SMS messages;
• generate AI-drafted review text and AI-drafted public-review replies from user-provided inputs;
• deliver private feedback to businesses and help businesses manage customer follow-up;
• process billing, subscriptions, trials, and account access;
• monitor product usage, diagnose bugs, and analyze product performance;
• enforce our Terms, prevent abuse, and protect the security and integrity of the service;
• comply with legal obligations and respond to lawful requests.

Where applicable law requires a legal basis for processing, we generally rely on one or more of the following: performance of a contract, legitimate interests in operating and improving the Service, consent where required, and compliance with legal obligations.

small Talk is designed to capture honest reviews, not to fabricate customer experiences. When a customer goes through a review flow, the customer may provide a rating, choose topics, answer follow-up questions, add optional details, or choose to send private feedback. small Talk may use those inputs to generate a review draft or a business-owner reply draft with the help of AI providers.

If a customer uses voice input in a supported browser, speech recognition processing occurs through the browser feature itself. small Talk generally receives the resulting text transcript, not a raw audio recording.

If a customer chooses to send private feedback, that feedback is delivered to the business that requested it. If a customer chooses to post publicly, the customer is responsible for deciding whether to copy, edit, and post the draft to Google or another public platform.

We do not sell personal information. We share information only as needed to operate the service, support customers, comply with law, or protect the platform.

Service providers and subprocessors

We may share information with vendors that help us run small Talk, including:

• Supabase for database, authentication, and application storage;
• Twilio for SMS delivery and opt-out handling;
• Resend for email delivery;
• Stripe for billing, checkout, and subscription management;
• PostHog for analytics and masked session replay on dashboard pages;
• AI providers, including Anthropic, OpenAI, and OpenRouter, when used to generate review or reply drafts;
• Sentry for production error monitoring, with sensitive values such as emails, phone numbers, and tokens redacted before errors are reported;
• Google for account sign-in and for Google Business Profile and Places data used during onboarding;
• Jobber, only when a business connects its Jobber account, to import completed-job and customer details the business uses to send review requests;
• Vercel for hosting and related infrastructure.

When customer or business inputs are sent to AI providers, they are sent through API calls to generate the requested draft or suggestion. We do not use those inputs to train our own models. Third-party AI providers may process or retain submitted data according to their own policies and the agreements we have with them.

Vendor privacy and DPA resources

We review our vendors regularly, and their legal terms may change over time. These are the current privacy or data-processing resources for the core providers we rely on most:

• Supabase: Privacy Policy and Data Processing Addendum.
• Twilio: Data Protection Addendum.
• Resend: Data Processing Addendum.
• Stripe: Data Processing Agreement and Privacy Policy.
• PostHog: Privacy Policy and DPA.
• OpenAI: Data Processing Addendum.
• Anthropic: Privacy Policy and DPA guidance.
• OpenRouter: Privacy Policy.
• Google Cloud: Cloud Data Processing Addendum.
• Sentry: Data Processing Addendum.
• Jobber: Privacy Policy.
• Vercel: Data Processing Addendum.

Sharing with businesses

If you are a customer using a review flow sent by a business, information you submit through that flow may be shared with that business, including ratings, topic selections, optional notes, private feedback, and certain review-flow status data.

Third-party services such as Google, Stripe, and Twilio also have their own privacy practices. This policy does not govern how those third parties handle information once it leaves small Talk and is processed under their own terms.

Legal and safety disclosures

We may disclose information if required by law, subpoena, court order, or other valid legal process, or if we believe disclosure is reasonably necessary to protect the rights, safety, security, or property of small Talk, our users, or others.

Personal information may be transferred to and processed in the United States or other jurisdictions where our service providers operate. Where applicable, we rely on contractual and technical safeguards that are reasonably intended to protect transferred personal information.

We use cookies, local storage, and similar technologies to keep users signed in, remember settings, protect accounts, and understand how people use the product and website.

• essential technologies used for authentication, session security, and core product functionality;
• functional technologies used to remember settings and user preferences;
• analytics technologies used to understand website and product usage, including PostHog.

We also use analytics tools, including PostHog, to understand product usage and improve the service. Dashboard session replay is configured with masking so text and input values are not intentionally captured in readable form.

We do not use third-party advertising cookies, and we do not currently respond to Do Not Track browser signals.

You can usually control cookies through your browser settings. Disabling some cookies may affect how the service works.

We retain personal information for as long as reasonably necessary to provide the service, maintain security and integrity, comply with legal obligations, resolve disputes, and enforce our agreements.

• account, business, and subscription data are generally retained while the account remains active and for a reasonable period afterward;
• review-flow submissions, private feedback, delivery logs, and request history may be retained to support the product, troubleshooting, and business reporting;
• opt-out and suppression information may be retained longer so we can honor do-not-contact requests.

We do not assign a single retention period to every data type. Instead, we retain information based on the purpose for which it was collected, the needs of the business using the Service, legal requirements, dispute-resolution needs, and security or abuse-prevention considerations.

We use reasonable technical and organizational safeguards intended to protect personal information from unauthorized access, loss, misuse, alteration, or disclosure. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

These safeguards include measures such as encrypted data transmission, signed session or authentication tokens, access controls on administrative functions, and provider-level controls offered by the infrastructure and payment services we use.

Depending on your relationship to small Talk and where you live, you may have rights to access, correct, delete, or export certain personal information, or to object to or limit certain processing.

• Business owners can update much of their account and business information inside the dashboard.
• Business owners may also request deletion of their account data through the dashboard or by contacting us, subject to the retention practices described in Section 7.
• Customers who submit private feedback or review-flow inputs may contact us or the business that sent the review request to ask about deletion or access.
• Anyone can contact us at hello@usesmalltalk.com to request help with privacy questions.

We do not sell personal information and we do not share personal information for cross-context behavioral advertising as those terms are commonly used in U.S. state privacy laws.

California residents may have additional rights under California privacy law, including the right to know what personal information we collect, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information.

Customers who receive SMS messages through small Talk can reply STOP to opt out of future text messages. We retain opt-out preferences so we can continue to honor them.

To exercise privacy-related rights or ask a privacy question, contact us at hello@usesmalltalk.com. We may need to verify your identity before fulfilling certain requests.

small Talk is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided personal information through the service, contact us and we will take appropriate steps.

We may update this Privacy Policy from time to time. If we make material changes, we will update the “Last updated” date above and may provide additional notice where appropriate.

If you have questions about this Privacy Policy or our privacy practices, contact Small Talk Digital LLC at hello@usesmalltalk.com. Small Talk Digital LLC is based in Texas.