Privacy Policy
Last updated: May 18, 2026
1. Who We Are
SwiftReplAI ("we", "us", "our") is an AI-powered lead-response service for service businesses that receive leads through Thumbtack. You ("the pro" or "you") are the business owner who signs up and connects your Thumbtack account.
2. Information We Collect
We collect the minimum information needed to deliver the service:
- Account info — your business name, your name, business email, phone number, and the configuration you fill out during onboarding (services offered, pricing, tone, etc.).
- Thumbtack OAuth credentials — when you connect Thumbtack, we receive an access token and refresh token that let us read and reply to leads on your behalf. We store these encrypted (AES-256-GCM) and rotate refresh tokens as Thumbtack requires.
- Lead data delivered by Thumbtack — customer first/last name, phone number, job category, and the contents of each negotiation thread Thumbtack sends us via webhook. We store this so you can review it on your dashboard.
- AI prompts and replies — every prompt we send to Anthropic and every reply Anthropic returns is stored so you can audit what the bot said.
- Cookies — a signed HttpOnly session cookie keeps you logged into your dashboard. We don't use third-party tracking cookies.
- Server logs — standard request logs (IP address, user agent, path, status). Used for debugging and abuse prevention. Retained for ~30 days.
3. How We Use Your Information
- To deliver the SwiftReplAI service — generating and sending AI replies to your Thumbtack leads.
- To show you your leads, replies, and bot activity on the dashboard.
- To improve the service (e.g., fixing bugs, monitoring API errors). We don't train AI models on your data.
- To communicate with you about your account (billing, service updates, security issues).
4. Who We Share Data With
We share data only with the third parties that make the service work. Each is bound by its own privacy policies and security standards.
- Anthropic, PBC — we send your business config, lead data, and conversation context to Anthropic's Claude API to generate replies. Anthropic's terms apply (anthropic.com/legal/privacy). Per Anthropic's commercial terms, your data is not used to train their models.
- Thumbtack, Inc. — we send the AI-generated replies back into your Thumbtack negotiation threads through Thumbtack's Partner API. Thumbtack's policies apply (thumbtack.com/privacy).
- Railway — our hosting provider. Customer data, encrypted Thumbtack tokens, and our Postgres database are stored on Railway's infrastructure.
- Payment processor — billing details (card number, etc.) are handled by our payment processor and never touch our servers. We only receive a customer ID and subscription status.
We do not sell or rent your data, ever. We do not share data with advertisers.
5. Data Security
- Thumbtack access and refresh tokens are encrypted at rest with AES-256-GCM using a key stored separately from the database.
- Database connections require TLS. The web application uses HTTPS.
- Session cookies are HttpOnly, Secure, SameSite=Lax, and HMAC-signed.
- Webhook deliveries from Thumbtack can be optionally authenticated using a shared secret (Basic auth).
No system is 100% secure. If we discover a breach affecting your data, we'll notify you promptly.
6. How Long We Keep Your Data
- Account data: as long as your account is active, plus up to 90 days after cancellation for support and dispute resolution.
- Lead/reply history: same as account data.
- Encrypted Thumbtack tokens: deleted when you disconnect Thumbtack or cancel.
- Server logs: ~30 days.
7. Your Choices and Rights
- Access — request a copy of all data we hold about your account.
- Correction — update your business config any time from your dashboard.
- Deletion — request full account deletion at any time. We'll remove your account, encrypted tokens, and all lead/reply history within 30 days.
- Pause — disconnect Thumbtack at any time to stop all AI activity without deleting your account.
- Disable bot — toggle the "bot paused" switch on any lead or globally to stop new replies while keeping your data.
Email support@swiftreplai.com to exercise any of these rights.
8. California, EU, and Other Privacy Rights
If you're located in California, the EU, the UK, or another jurisdiction with consumer-privacy laws, you may have additional rights, including the right to know, the right to delete, and the right to opt out of sale. We don't sell your data, so the opt-out is built in. Contact us at support@swiftreplai.com to exercise other rights.
9. Children
SwiftReplAI is a B2B service for licensed service businesses. We do not knowingly collect personal data from anyone under 18.
10. Changes to This Policy
If we materially change this policy, we'll notify active customers by email at least 14 days before the change takes effect. The "Last updated" date at the top of this page always reflects the current version.
11. Contact
Questions or requests: support@swiftreplai.com