Privacy Policy
Last updated: [PLACEHOLDER: e.g. July 1, 2026]
This Privacy Policy explains how Alchemical AI LLC (“we,” “us”) collects, uses, and shares information in connection with TurnkeyHQ (the “Service”). For Customer Content you upload about your own contacts, you are the controller and we act as your processor under your instructions and our Terms (and a DPA where applicable).
1. Information we collect
- Account data — name, business, email, password (hashed), workspace settings.
- Customer Content — contacts, conversations, recordings, documents, and other data you submit; may include personal information about your clients/leads.
- Usage data — log, device, and product-interaction data used to operate, secure, and improve the Service.
- Payment data — handled by Stripe; we store billing status and identifiers, not full card numbers.
- Cookies / analytics — see §8.
2. How we use information
To provide, secure, and improve the Service; process payments; provide support; send service and (with consent where required) marketing communications; enforce our Terms; and comply with law. We use AI/model providers to generate Service output (see §5); we do not sell personal information.
3. Legal bases
Where the GDPR/UK GDPR applies, we process on the bases of contract performance, legitimate interests, consent (e.g. certain cookies/marketing), and legal obligation. [PLACEHOLDER: confirm bases per jurisdiction with counsel.]
4. Sharing & subprocessors
We share information with service providers that process data on our behalf:
- Supabase — database & auth hosting
- Stripe — payments & tax
- Retell — voice/SMS
- Google — email/calendar integration (your connected account)
- Postmark — transactional/outbound email
- AI model providers (e.g. OpenAI, Anthropic, and others via our model router) — generating Service output; outbound payloads pass a DLP/redaction layer
- PostHog — product analytics
[PLACEHOLDER: maintain the authoritative subprocessor list + link a public subprocessor page.] We may also disclose information to comply with law or protect rights, and in a merger/acquisition subject to this Policy.
5. Retention
We retain information for as long as your account is active and as needed to provide the Service, then per our retention schedule and legal obligations. You can export or request deletion of Customer Content (see §7). [PLACEHOLDER: state concrete retention periods.]
6. Your rights
Depending on your location you may have rights to access, correct, delete, port, or restrict processing of your personal information, and to object or withdraw consent. The Service supports data export and deletion (DSAR / right-to-be-forgotten). To exercise rights, use in-product controls or contact [PLACEHOLDER: privacy@alchemicalai.com].
7. Security
We use technical and organizational measures including encryption in transit, tenant-isolation (row-level security), access controls, contact-PII encryption, and audit logging. No method is 100% secure; we work to protect your data and will notify you of breaches as required by law.
8. Cookies & analytics
We use necessary cookies for authentication and, where permitted, analytics cookies (PostHog) to understand product usage. [PLACEHOLDER: deploy a cookie/consent banner; describe categories and opt-out. Required before enabling non-essential analytics in consent jurisdictions.]
9. International transfers & children
Data may be processed in the United States and other countries; where required we use appropriate transfer mechanisms (e.g. SCCs). [PLACEHOLDER: confirm.] The Service is not directed to children under 16 and we do not knowingly collect their data.
10. Changes & contact
We may update this Policy; material changes will be notified through the Service or by email. Questions or requests: [PLACEHOLDER: privacy@alchemicalai.com].