Privacy Policy
1. Who we are
This Privacy Policy explains how Exige SARL ("ServiceLocal", "we", "us" or "our") collects, uses, and discloses personal information when you visit https://servicelocal.ai, sign up as a business customer of the Service, log into the tenant dashboard at app.servicelocal.ai, or otherwise interact with us as a prospective or existing business customer.
This Privacy Policy applies to the personal information of:
- Marketing-site visitors and prospects who browse our public website or submit a lead form;
- Business-customer accounts ("Tenants") and the individuals who administer those accounts (OWNER and MEMBER roles);
- Anyone who contacts us by email about our Service.
When you are an end-customer of a business that uses ServiceLocal (for example, you booked an appointment, called the AI receptionist, or submitted a lead form on a ServiceLocal-powered tenant site), please see Section 8 below — the business you contacted is the controller of your personal data, and you should review their own privacy notice. A standard tenant-site privacy notice published by us on their behalf, where applicable, is available at https://servicelocal.ai/legal/tenant-site-privacy.
2. Our role
For the data described in this Privacy Policy, Exige SARL is the business / controller within the meaning of the California Consumer Privacy Act and the California Privacy Rights Act ("CCPA/CPRA") and similar U.S. state privacy laws.
For end-customer data that flows through the Service on behalf of a business customer, Exige SARL is a service provider / processor acting on the business customer's instructions. That relationship is governed by our Terms of Service and is summarised in Section 8 below.
3. What we collect, why, and from where
The categories below describe personal information we collect about marketing-site visitors and business-customer accounts.
3.1 Information you give us
| Category | Specific data | Collected from | Purpose |
|---|---|---|---|
| Lead form information | Name, email, phone, business name, business type, location, free-text inquiry | You, via the GoHighLevel-hosted lead form at try.servicelocal.* | Sales contact, account creation |
| Account identity | Name, email, role (OWNER or MEMBER), invited-by reference, and (for OWNER) mobile phone number used for SMS notifications | You, during signup or invite | Authentication, account management, communication, SMS alerts |
| Business profile | Business name, address, phone, website URL, hours, services, brand assets | You, in the dashboard or via an AI agent acting on your instructions | Service operation, public booking page, tenant-site generation |
| Staff scheduling | Working hours, calendar credentials, service assignments | You | Booking flow |
| Billing data | Stripe customer reference, last 4 digits and brand of card, billing address, invoices, charges, credits balance, top-up and auto-refill history | You via Stripe, and from Stripe webhooks | Subscription, top-ups, receipts |
| Support correspondence | Whatever you choose to send us by email | You | Resolution and recordkeeping |
We never collect or store full payment card numbers, CVV, or expiry data — those are tokenised by Stripe and never reach our servers.
3.2 Information we collect automatically
| Category | Specific data | Source | Purpose |
|---|---|---|---|
| Session cookies | One short-lived authentication cookie set by WorkOS on app.servicelocal.ai | Set on login | Keep you signed in |
| Login records | Timestamps, IP address, user-agent of each successful sign-in | Auto | Security, abuse prevention, audit |
| Server / access logs | IP address, user-agent, request path, timestamps, HTTP response codes | Auto | Operating the Service, investigating incidents |
| Email engagement metadata | Bounce, complaint, and suppression events from AWS SES | AWS SES webhooks | Email-deliverability hygiene |
We do not run analytics on our marketing site. No Google Analytics, Plausible, PostHog, Mixpanel, Segment, or similar product is loaded by the marketing website at https://servicelocal.ai. No tracking cookies, no pixels, no fingerprinting. If we add an analytics tool in the future, we will update this Privacy Policy in advance.
3.3 Information from third parties
| Source | What we receive | Why |
|---|---|---|
| GoHighLevel | Lead-form submissions made on our hosted funnel pages before account activation | Sales follow-up, account creation |
| Stripe | Payment confirmations, dispute notifications, default-payment-method changes | Billing |
| WorkOS | Authentication events, identity confirmation | Account access |
3.4 Information from services you connect
When you connect a third-party account to the Service through an OAuth flow or similar authorisation, we receive data from that third party within the scopes you have granted, solely to operate the feature you have enabled.
| Connected service | What we receive | Why |
|---|---|---|
| Google Calendar | Calendar events on the calendars you authorise — start/end times, titles, attendees, locations, status — read and written to keep your bookings in sync | Booking synchronisation between the Service and your staff calendars |
| Google Business Profile | Reviews and ratings left for your business on Google, reviewer-provided metadata, basic business-location data, and any replies you compose | Review monitoring and reply management |
You can revoke our access to any connected service at any time through Google's account settings, through Google Business Profile, or from the dashboard. Revoking access stops the integration immediately; data already synchronised into your account on the Service is retained per the schedule in Section 7.
Compliance with the Google API Services User Data Policy
Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use Requirements. In particular, we do not:
- transfer or sell Google user data to third parties for serving advertisements or for any other secondary purpose;
- use Google user data to develop, improve, or train any generalised machine-learning model;
- allow humans to read Google user data, except (a) with your explicit consent for a specific message or thread, (b) for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymised for internal operational metrics.
4. How we use personal information
We use the information described in Section 3 to:
- provide, operate, secure, monitor, and improve the Service;
- create and manage your account, authenticate you, and apply role-based access controls;
- process subscriptions, top-ups, auto-refills, refunds (where applicable), and other billing operations;
- communicate with you about your account, our Service, security, billing, support requests, product updates, and material changes to these documents;
- detect, investigate, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms of Service;
- comply with our legal, regulatory, accounting, and audit obligations; and
- enforce our Terms, defend legal claims, and protect our rights, property, and the safety of others.
We do not use the personal information described in this Privacy Policy to train general-purpose machine-learning models, nor do we sell it.
4.1 SMS notifications
When you provide a mobile phone number for the OWNER role on your account, we may send transactional SMS messages to that number on your behalf — new-booking alerts, missed-call notifications, payment-failure warnings, low-credit-balance alerts, and similar service-related events. SMS is delivered by our telephony subprocessor (Telnyx) acting on our instructions. These messages are transactional, not marketing. You can stop SMS at any time by replying STOP to any message or by disabling SMS notifications in the dashboard. Standard message and data rates from your mobile carrier may apply.
5. How we share personal information
We share personal information only with:
5.1 Subprocessors and service providers
We engage the following subprocessors to operate the Service. Each is contractually bound to use the information only to provide the function described.
| Vendor | Function |
|---|---|
| Stripe | Payment processing and card vault |
| WorkOS | Authentication and identity management |
| GoHighLevel | Pre-activation lead intake on our marketing funnel pages |
| ElevenLabs | Voice receptionist speech-to-text and text-to-speech (audio and transcripts deleted per our configuration) |
| Telnyx | Telephony — call routing, phone-number leasing, and SMS delivery for owner notifications |
| OpenAI | Large-language-model inference for in-app AI agents |
| Anthropic | Large-language-model inference for the voice receptionist |
| Google | Maps and Places APIs for address autocomplete and embedded maps; Calendar API for booking synchronisation when you connect a Google account; Business Profile API for review monitoring and reply management when you connect a Google Business Profile |
| AWS SES | Transactional email delivery |
| Cloudflare | DNS, edge proxy, and tunnel |
| Hetzner | Server hosting in the European Union |
We will publish material changes to this list at least 30 days in advance via a version update to this Privacy Policy.
5.2 Legal and safety disclosures
We may disclose personal information when we believe in good faith that disclosure is necessary to comply with a law, regulation, legal process, or governmental request; to enforce our Terms; to detect, prevent, or address fraud, security, or technical issues; or to protect the rights, property, or safety of ServiceLocal, our users, or the public.
5.3 Business transfers
If we are involved in a merger, acquisition, financing, reorganisation, bankruptcy, sale of assets, or similar transaction, personal information may be transferred as part of that transaction. Where required by law, we will notify affected users in advance and describe their choices.
5.4 With your consent
We may share personal information for other purposes with your consent or at your direction.
6. Hosting and data location
Customer data is hosted on infrastructure located in the European Union (Hetzner). The Service is targeted at the United States market; we have chosen EU hosting as a posture choice. Personal information may be processed by our subprocessors in the United States and other countries as part of their normal operations.
7. Retention
We retain personal information only as long as necessary to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements.
| Data | Retention |
|---|---|
| Marketing-funnel leads (pre-activation, in GoHighLevel) | Per GoHighLevel's retention; copied into our systems on account activation |
| Business-customer account data (subscription active) | For the life of the subscription |
| Business-customer account data (after offboarding) | 30 days after permanent offboarding, then deleted |
| Billing records (invoices, charges) | 7 years (U.S. tax and accounting requirements) |
| End-customer CRM data held on behalf of a business customer | Until the business customer is permanently deleted, or earlier on the business customer's instructions |
| Voice call summaries and metadata held for a business customer | Same lifecycle as that business customer's CRM data |
| Voice call audio and transcripts | Never retained by ServiceLocal. ElevenLabs is configured to delete audio and transcripts post-call. |
| Calendar events synchronised from connected Google Calendar | Retained on our systems only while the calendar connection is active and the corresponding booking remains in your account. Revoking the connection or deleting the booking removes the synchronised copy. |
| Google review content surfaced from connected Google Business Profile | Retained on our systems only while the Business Profile connection is active. Revoking the connection removes our copy. |
| Server / access logs | 90 days |
| Email-delivery suppression list (AWS SES) | Indefinite — required for anti-spam compliance |
After the relevant retention period ends, we will delete or de-identify the data, unless we are required by law to retain it longer.
8. Information we process on behalf of business customers
If your interaction with ServiceLocal consists of booking an appointment with a business that uses our Service, calling that business's AI receptionist, submitting a lead form on that business's site, or otherwise being a customer of one of our business customers, then that business is the controller of your personal information and we act as their service provider / processor.
In that case:
- Direct your privacy, access, deletion, correction, opt-out, and consent-withdrawal requests to the business you contacted. We will refer requests we receive about end-customer data to the relevant business customer.
- Standard information about how that data flows through our Service is published, on behalf of business customers, at https://servicelocal.ai/legal/tenant-site-privacy.
- We do not sell or share end-customer personal information within the meaning of CCPA/CPRA, and we use it only to provide the Service to the business customer.
9. Your U.S. state privacy rights
Depending on the U.S. state in which you reside, you may have the following rights with respect to personal information we hold about you as a controller (i.e., information collected from you as a marketing-site visitor, prospect, or account user):
- Right to know what categories of personal information we hold about you, the sources, the purposes, and the categories of recipients;
- Right to access specific pieces of personal information;
- Right to correct inaccurate personal information;
- Right to delete personal information, subject to exceptions (e.g., we may need to retain billing data for tax purposes);
- Right to opt out of "sale" or "sharing" of personal information — we do not sell or share personal information within the meaning of CCPA/CPRA, but you may still submit an opt-out and we will confirm;
- Right to limit use of sensitive personal information — we do not use sensitive personal information for purposes beyond providing the Service;
- Right to non-discrimination — you will not be denied service, charged different prices, or provided a different quality of service for exercising any privacy right;
- Right to appeal a denial of a request, where applicable in your state.
To exercise any of these rights, email [email protected] with your request and enough information for us to verify your identity. We will respond within the timeframes required by applicable law. We may decline a request that we cannot verify or that we are legally permitted to refuse.
You may use an authorised agent to submit a request on your behalf. We may require the agent to demonstrate written permission from you and may require you to confirm your identity directly.
We do not use personal information for profiling in furtherance of decisions that produce legal or similarly significant effects, and we do not use it for targeted advertising.
10. Children
The Service is intended exclusively for business use by adults. It is not directed at children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child has provided personal information to us, please contact [email protected] and we will delete it.
11. Security
We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorised access, alteration, disclosure, or destruction. These include encryption in transit, access controls, audit logging, segregated environments, and review of subprocessor security postures. No system is perfectly secure, and we cannot guarantee the absolute security of any information.
If we become aware of a security incident affecting personal information, we will notify affected users and regulators as required by applicable law.
12. Cookies
The marketing site at https://servicelocal.ai does not set cookies for tracking or analytics. The only cookie used in connection with the Service is the authentication-session cookie set by WorkOS on app.servicelocal.ai when you sign into your tenant dashboard. It is strictly necessary to keep you signed in and is removed on sign-out or expiry.
We do not currently use reCAPTCHA, hCaptcha, Turnstile, or similar bot-detection services. If we add any of these later, we will update this Privacy Policy.
13. Third-party links
Our Service may link to third-party websites, services, or resources we do not control. We are not responsible for the privacy practices or content of those third parties. We encourage you to read the privacy notices of any third-party services you use.
14. Changes to this Privacy Policy
We may modify this Privacy Policy from time to time. The current version is always posted at https://servicelocal.ai/legal/privacy with the version number and effective date.
Material changes take effect 30 days after the earlier of the posting of the updated version at the canonical URL above or email notification to the account-owner address on file. For non-material clarifications (typographical corrections, formatting, wording that does not change rights or obligations), we may make changes with immediate effect.
15. How to contact us
For questions about this Privacy Policy, to exercise any of the rights described in Section 9, or to submit any other privacy-related inquiry:
- Email: [email protected]
- Mail: Exige SARL, Address on file with the Luxembourg Trade and Companies Register, Luxembourg.