Privacy Policy

Extra Hour AI provides an AI-powered front desk for service businesses. We help our clients respond to leads, book appointments, and follow up across the channels they already use. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the rights you have.

1. Who we are

"Extra Hour AI," "we," "us," or "our" refers to Extra Hour AI, the operator of https://extrahourai.com and the related products and services (the "Service"). You can reach us at clayton@extrahourai.com.

2. Scope of this policy

This policy applies to three groups:

• Clients — the businesses who sign up for the Service. We act as a service provider / data processor with respect to data their leads and customers generate.
• End users — the prospects, leads, and customers who interact with our clients through channels we process on the client's behalf (SMS, voice, web chat, social DMs, marketplace messages such as Thumbtack).
• Site visitors — anyone visiting extrahourai.com or our subdomains.

When we process end-user data on a client's behalf, the client is the controller of that data and we are the processor. Our processing is governed by our agreement with that client and by this policy.

3. Information we collect

From clients

• Account information: name, business name, email, phone, billing address.
• Payment information: handled by our payment processor (Stripe). We do not store full card numbers.
• Service configuration: how the client wants their AI to respond, business hours, pricing, calendar rules, custom values, and other operating context.
• Credentials and tokens for services the client connects (for example, GoHighLevel Private Integration Tokens, Retell API keys, OAuth refresh tokens from connected marketplaces such as Thumbtack). These are stored to operate the Service on the client's behalf and never resold or exposed to other clients.
• Usage data: which features the client uses, internal admin actions, support correspondence.

From end users (leads and customers of our clients)

• Contact information shared in the conversation: name, phone number, email, address, and similar identifiers.
• Conversation content: the messages, voice calls (and transcripts), and metadata exchanged with our client through channels we process.
• Channel metadata: timestamps, channel identifiers (for example, a Thumbtack negotiation ID, a Meta conversation ID, a phone number), and event identifiers used for routing and de-duplication.
• Booking and lifecycle data: appointments booked, status changes, follow-up touches.

We collect end-user data only because the end user contacted our client through a channel the client connected to us. We do not solicit end users directly.

From site visitors

• Standard server log information: IP address, user agent, referrer, pages visited, timestamps.
• Information submitted through forms on our marketing site (for example, the build-call intake form): name, email, phone, business details, and the messages you write.

4. How we use information

• To operate the Service — receive inbound messages and calls, run them through our AI agent, send replies on the client's behalf, book appointments, run follow-up sequences.
• To sync data into the client's CRM (typically GoHighLevel) so the client has a single record of every conversation regardless of channel.
• To bill clients and process payments through Stripe.
• To improve the Service (debugging, quality review of representative call transcripts and chat transcripts, performance monitoring, prompt engineering against our own clients' data — not pooled across clients).
• To communicate with clients about their account, billing, support requests, and material service changes.
• To comply with legal obligations and to detect and prevent fraud and abuse.

We do not sell personal information. We do not use end-user conversation content to train general-purpose AI models, and we do not share one client's data with another client.

5. Sharing and sub-processors

We share information with vendors who help us operate the Service. Each is bound by a contract that requires them to protect the data and use it only for the purposes we direct.

• Retell AI — voice and chat AI inference, call transcription.
• GoHighLevel (LeadConnector) — CRM, calendar, conversation system, SMS gateway, customer-facing surfaces for each client.
• Supabase — application database, edge functions, file storage. Hosted on the European Union and United States regions.
• Cloudflare — DNS, CDN, Pages hosting, Workers (including our API surface at api.extrahourai.com).
• Twilio — telephony number provisioning and message routing (when used by the client's GoHighLevel sub-account).
• Stripe — payment processing for client billing.
• n8n (self-hosted) — workflow orchestration on infrastructure operated by Extra Hour AI.
• Vaultwarden (self-hosted) — secret backup for our own infrastructure credentials.
• Connected marketplaces — Thumbtack, and similar services a client elects to connect. We exchange data with them only on the client's instruction and only for the connected channel.
• Google Workspace — internal email, calendar, and document workspace.

We may also disclose information if required by law, to enforce our agreements, or to protect the rights, property, or safety of Extra Hour AI, our clients, or others.

In the event of a merger, acquisition, or sale of assets, information may transfer as part of that transaction. We will notify affected clients before any such transfer.

6. AI model providers

Our AI agents run primarily on Retell AI, which in turn uses large language model providers including Anthropic, OpenAI, and Google. Conversation content (messages, transcripts) passes through these providers as part of model inference. By contract:

• Conversation content is not used to train the providers' general-purpose models.
• Providers retain transient inference data only as required for abuse monitoring and operations.
• We choose providers and configurations that support business-grade data handling. We do not enable optional features that would expand model-provider data use.

7. Retention

We retain information for as long as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements.

• Call recordings and transcripts: retained while the client's account is active and for a reasonable operational window after.
• Chat and message transcripts: retained while the client's account is active.
• Contact and conversation records synced into the client's CRM: governed by the client's own retention controls in their CRM.
• Billing records: retained for as long as required by applicable tax and accounting law.
• Backups: rolling backups may retain copies of deleted data for a limited period before being purged.

A client can request deletion of their account and the data we process on their behalf at any time by emailing clayton@extrahourai.com. End users should contact the client they interacted with; we will support our client in honoring deletion requests they direct to us.

8. Security

We use technical and organizational measures appropriate to the sensitivity of the information we handle:

• TLS for all data in transit.
• Encryption at rest for managed-database fields handled by our database provider.
• Access controls scoped to Extra Hour AI staff who need access to operate the Service.
• Signed webhook verification for inbound integrations.
• Per-client isolation of conversation data, credentials, and CRM contexts.
• Audit logging on administrative actions.

No security program is perfect. If we become aware of a breach affecting your data, we will notify affected clients without undue delay and follow applicable legal requirements.

9. Your rights

Depending on your jurisdiction, you may have the right to access, correct, delete, restrict, port, or object to the processing of personal information we hold about you, and to lodge a complaint with a supervisory authority.

California residents (CCPA / CPRA). You have the right to know what personal information we collect, to delete it, to correct it, to opt out of sharing for cross-context behavioral advertising (we do not engage in this), and to be free from retaliation for exercising these rights. We do not sell personal information.

EU / UK / Swiss residents (GDPR). Where we act as a controller, our lawful bases for processing are contract performance, legitimate interests in operating and improving the Service, consent (where required), and compliance with legal obligations. Where we act as a processor on behalf of a client, please direct rights requests to that client first; we will support them in fulfilling your request.

To exercise any of these rights, email clayton@extrahourai.com with enough detail to verify your identity and identify the data at issue.

10. Cookies and tracking

Our marketing site uses minimal first-party storage for basic functionality and for anonymous server-side analytics. We do not use third-party advertising cookies. If we add analytics that involve a third party in the future, we will update this policy and provide controls where required.

11. International data transfers

Extra Hour AI operates in the United States. Information we collect may be processed in the United States and in other countries where our sub-processors operate. Where required by law, we rely on appropriate transfer mechanisms such as the European Commission's Standard Contractual Clauses.

12. Children

The Service is intended for businesses and adults. We do not knowingly collect personal information from anyone under 16. If you believe a child has provided us personal information, please contact us and we will delete it.

13. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date above. If changes are material, we will notify clients by email or in-product notice before the change takes effect.

14. Contact us

Questions about this policy, or about how we handle your information: