Privacy Policy
Last updated: June 3, 2026 · Effective: June 3, 2026
1. Who We Are
SwiftReplAI ("we", "us", "our") is an AI-powered lead-response service for service businesses that receive leads through Thumbtack. You ("the pro" or "you") are the business owner who signs up and connects your Thumbtack account.
2. Information We Collect
We collect the minimum information needed to deliver the service:
- Account info - your business name, your name, business email, phone number, and the configuration you fill out during onboarding (services offered, pricing, tone, etc.).
- Thumbtack OAuth credentials - when you connect Thumbtack, we receive an access token and refresh token that let us read and reply to leads on your behalf. We store these encrypted (AES-256-GCM) and rotate refresh tokens as Thumbtack requires.
- Lead data delivered by Thumbtack - customer first/last name, phone number, job category, and the contents of each negotiation thread Thumbtack sends us via webhook. We store this so you can review it on your dashboard.
- AI prompts and replies - every prompt we send to Anthropic and every reply Anthropic returns is stored so you can audit what the bot said.
- Cookies - a signed HttpOnly session cookie keeps you logged into your dashboard. We don't use third-party tracking cookies.
- Server logs - standard request logs (IP address, user agent, path, status). Used for debugging and abuse prevention. Retained for ~30 days.
3. How We Use Your Information
- To deliver the SwiftReplAI service - generating and sending AI replies to your Thumbtack leads.
- To show you your leads, replies, and bot activity on the dashboard.
- To improve the service (e.g., fixing bugs, monitoring API errors). We don't train AI models on your data.
- To communicate with you about your account (billing, service updates, security issues).
4. Who We Share Data With
We share data only with the third parties that make the service work. Each is bound by their own privacy policies and security standards.
- Anthropic, PBC - we send your business config, lead data, and conversation context to Anthropic's Claude API to generate replies. Anthropic's terms apply (anthropic.com/legal/privacy). Per Anthropic's commercial terms, your data is not used to train their models.
- Thumbtack, Inc. - we send the AI-generated replies back into your Thumbtack negotiation threads through Thumbtack's Partner API. Thumbtack's policies apply (thumbtack.com/privacy).
- Railway - our hosting provider. Customer data, encrypted Thumbtack tokens, and Postgres database are stored on Railway's infrastructure.
- Payment processor - billing details (card number, etc.) are handled by our payment processor and never touch our servers. We only receive a customer ID and subscription status.
We do not sell or rent your data, ever. We do not share data with advertisers.
5. Data Security
- Thumbtack access and refresh tokens are encrypted at rest with AES-256-GCM using a key stored separately from the database.
- Database connections require TLS. The web application uses HTTPS.
- Session cookies are HttpOnly, Secure, SameSite=Lax, and HMAC-signed.
- Webhook deliveries from Thumbtack can be optionally authenticated using a shared secret (Basic auth).
No system is 100% secure. If we discover a breach affecting your data, we'll notify you promptly.
6. How Long We Keep Your Data
- Account data: as long as your account is active, plus up to 90 days after cancellation for support and dispute resolution.
- Lead/reply history: same as account data.
- Encrypted Thumbtack tokens: deleted when you disconnect Thumbtack or cancel.
- Server logs: ~30 days.
7. Your Choices and Rights
- Access - request a copy of all data we hold about your account.
- Correction - update your business config any time from your dashboard.
- Deletion - request full account deletion at any time. We'll remove your account, encrypted tokens, and all lead/reply history within 30 days.
- Pause - disconnect Thumbtack at any time to stop all AI activity without deleting your account.
- Disable bot - toggle the "bot paused" switch on any lead or globally to stop new replies while keeping your data.
Email support@swiftreplai.com to exercise any of these rights.
8. California, EU/UK, and Other Privacy Rights
California (CCPA/CPRA). California residents have specific rights: the right to know what personal information we have collected and disclosed, the right to delete personal information, the right to correct inaccurate personal information, the right to opt out of "sale" or "sharing" of personal information, and the right to non-discrimination for exercising these rights. We do not sell or share personal information for cross-context behavioral advertising as those terms are defined under the CPRA. To exercise these rights, email support@swiftreplai.com. We may need to verify your identity by confirming details associated with your account before fulfilling a request.
EU / UK (GDPR / UK GDPR). If you're in the European Economic Area, the United Kingdom, or Switzerland, our lawful basis for processing is (a) performance of the contract for delivering the service to you, (b) legitimate interest for security, fraud-prevention, and product improvement, and (c) your consent where required. You have the right to access, rectify, erase, restrict, or port your personal data, and to object to processing. You can lodge a complaint with your local supervisory authority. Your data may be transferred to and processed in the United States, where the laws may differ from those in your country; we rely on standard contractual clauses and other appropriate safeguards for these transfers. Contact us at support@swiftreplai.com.
Other jurisdictions. If you have additional privacy rights under any applicable law, you can exercise them by emailing us. We respond within the time the applicable law requires.
9. AI Vendor - Anthropic Data Handling
We use Anthropic's Claude API to generate replies. Per our commercial-tier agreement with Anthropic, prompts and completions sent through our API key are not used to train Anthropic's models and are subject to Anthropic's commercial data-handling commitments. Anthropic may store prompts and completions for a limited period for trust-and-safety review and abuse prevention. See Anthropic's commercial terms (anthropic.com/legal/commercial-terms) and Anthropic's privacy policy (anthropic.com/legal/privacy) for details.
10. Cookies and Local Storage
We use a small number of strictly-necessary cookies and local storage entries to make the service work:
- Session cookie - HttpOnly, Secure, SameSite=Lax, HMAC-signed. Keeps you logged in to the customer dashboard. Expires when your browser session ends or when you log out.
- Admin cookie - same characteristics, used only for the founder's admin view of the system.
- OAuth state cookie - short-lived (a few minutes) cookie that protects the Thumbtack OAuth flow against CSRF attacks.
- Browser localStorage - we may use localStorage to remember UI preferences (e.g., which filter tab you had open on the dashboard).
We do not use third-party advertising cookies, retargeting pixels, or session-replay tools.
11. Children's Privacy
SwiftReplAI is a B2B service for licensed adult-operated service businesses. We do not knowingly collect personal information from anyone under 18. If you become aware that a child has provided personal information to us, please contact us at support@swiftreplai.com and we will delete it.
12. International Transfers
SwiftReplAI is operated from the United States. If you access the service from outside the U.S., your personal information may be transferred to, stored in, and processed in the U.S. and other countries where our service providers operate. The U.S. may not provide the same level of data-protection rights as your country. By using the service you consent to this transfer. Where the GDPR or UK GDPR applies, we use standard contractual clauses or other appropriate safeguards to protect your data during these transfers.
13. Data Breach Notification
If we discover a security incident that affects your personal information, we will notify you without undue delay by email to the address on your account, and where required by applicable law, to the relevant regulator. Our notification will describe what happened, what data was affected, what we are doing about it, and what you can do to protect yourself.
14. Changes to This Policy
If we materially change this policy, we'll notify active customers by email at least 14 days before the change takes effect. The "Last updated" date at the top of this page always reflects the current version. Continued use of the service after the effective date constitutes acceptance of the new policy. If you don't agree, your remedy is to cancel and delete your account.
15. Contact
Questions, complaints, or requests: support@swiftreplai.com