# Privacy Policy
Effective Date: May 8, 2026 Last Updated: May 8, 2026
Alta ("Alta", "we", "us", "our") provides AI-powered customer communication, scheduling, and marketing software to local service businesses (the "Service"). This Privacy Policy describes how we collect, use, disclose, and safeguard information when our customers ("Operators") and their end-customers ("Consumers") interact with the Service.
By using the Service you consent to the practices described below. If you do not agree, do not use the Service.
1. Who we are
Alta is operated by Apex Aspire LLC d/b/a Alta, a Wyoming limited liability company. Our registered office address and Data Protection Officer contact information are listed in Section 14.
2. Information we collect
2.1 From Operators (the businesses subscribing to Alta)
- Account information — business name, contact name, email, phone, billing address, federal tax ID.
- Authentication — hashed passwords, OAuth tokens for integrations you authorise (Google, Twilio, SendGrid, Stripe, etc.).
- Business-operational data — staff roster, calendars, service catalogue, pricing, hours of operation.
- Payment information — handled by our PCI-DSS-compliant payment processor (Stripe). Alta never stores full card numbers.
- Usage telemetry — IP address, session length, feature usage, error logs, request traces.
2.2 From Consumers (your customers who interact with Alta on your behalf)
- Contact information — name, phone number, email, mailing address as provided by you or by the Consumer.
- Conversational content — SMS, voice transcripts, email replies, chat exchanges with the Alta AI on your behalf.
- Service / appointment records — what was booked, when, the outcome, payment status.
- Voice recordings — when call recording is enabled by you and Consumer consent is obtained where required by state law (we default to two-party-consent assumptions for CA, FL, IL, MD, MA, MT, NH, PA, WA).
- Device & log data — IP address, user agent, telephony metadata (carrier, country code).
- Marketing-targeting data — opt-in source, lead score, reactivation status, opt-out status.
2.3 We do not collect
- Government-issued ID numbers (SSN, driver's licence) — Alta has no use for them.
- Health information regulated by HIPAA — we are not a covered entity and do not accept PHI.
- Children's information — the Service is intended for adults (18+). If you become aware that a minor has provided personal information, contact us so we can delete it.
3. How we use information
| Purpose | Legal basis (GDPR) |
|---|---|
| Provide the Service to Operators | Contract performance |
| Process payments and billing | Contract / legal obligation |
| Respond on the Operator's behalf to Consumers | Operator's legitimate interest |
| Improve and secure the Service | Legitimate interest |
| Train AI models on de-identified, aggregated | Legitimate interest (opt-out at any time, see § 7) |
| data only | |
| Send service-related notifications | Contract performance |
| Send marketing about Alta features | Consent (opt-out anytime) |
| Comply with legal obligations | Legal obligation |
We do not sell personal information. We do not "share" personal information for cross-context behavioural advertising as defined by CPRA.
4. Disclosure to third parties
We disclose information only to:
- Service providers under written confidentiality and data- processing agreements: Stripe (payments), AWS (hosting), Twilio (SMS / voice), SendGrid (email), Postiz (social), Sentry (error tracking), Langfuse (LLM trace storage — self-hosted on our infrastructure when configured).
- AI model providers — when the Operator selects a hosted model (OpenAI, Anthropic, Google) we pass the minimum content required to fulfil the request, under each provider's enterprise data- protection terms (no-training-on-inputs).
- Law enforcement when compelled by valid legal process; we resist over-broad requests and notify Operators where lawful.
- In a corporate transaction — a buyer of Alta would receive this data subject to the same protections; we will publicly notice any such transition.
5. International transfers
Alta is hosted in the United States. When personal data is transferred from the EU/UK/Switzerland to the US, we rely on the EU Standard Contractual Clauses (Module 2) and the UK Addendum, with supplementary measures (encryption in transit + at rest, access controls, sub-processor audits).
6. Retention
| Category | Retention |
|---|---|
| Operator account data | Active + 90 days after termination |
| Consumer conversation logs | 24 months from last contact, then anonymised |
| Voice recordings | 30 days, unless Operator extends in writing |
| Billing records | 7 years (US tax retention rules) |
| Marketing opt-out lists | Indefinite (so we can keep honouring the opt-out) |
| Aggregated analytics | Indefinite (already anonymised) |
Operators may request immediate deletion of Consumer data through their dashboard (Settings → Data → Erase customer) or via § 14.
7. Your rights
Depending on your jurisdiction you may have the right to:
- Access the personal information we hold about you.
- Correct inaccurate information.
- Delete your information ("right to be forgotten").
- Port your information in a structured, machine-readable format.
- Object to or restrict processing.
- Opt out of AI-model training on your data.
- Opt out of marketing communications.
- Withdraw consent at any time (without affecting prior lawful processing).
- Lodge a complaint with a supervisory authority.
To exercise any of these rights: email privacy@getalta.ai or write to the address in § 14. We verify the identity of every request and respond within 30 days (45 for complex cases, with notice).
California residents (CCPA / CPRA) also have the right to know what categories of personal information we collect; to opt-out of "sales" and "sharing" (we don't do either, but the toggle is available in the dashboard); and to non-discrimination for exercising their rights.
8. Security
We protect personal information with:
- TLS 1.2+ for all data in transit.
- AES-256 encryption at rest (database, object storage, backups).
- Hardware-key-protected secrets management.
- Role-based access controls + audited admin actions.
- Continuous security monitoring and quarterly penetration tests.
- Annual SOC 2 Type II audit (report available under NDA).
No system is perfectly secure. If we discover a personal data breach, we notify affected Operators within 72 hours and Consumers where the law requires.
9. Cookies & similar technologies
The Alta dashboard uses first-party cookies for authentication, session management, and feature preferences. We do not use third- party advertising cookies. You can disable cookies in your browser, but parts of the dashboard will not function.
10. AI-specific disclosures
- Automated decision-making. The Service makes automated responses to Consumer inquiries on the Operator's behalf. Every outbound message is governed by Alta's compliance rules (see § 11 on TCPA and § 2.3 on opt-outs). Consumers can always reach a human by replying "AGENT" or asking explicitly.
- AI training. Alta uses de-identified, aggregated transcripts to improve its models. Operators can disable this in Settings → Privacy. Hosted LLM providers (OpenAI, Anthropic, Google) are bound by their enterprise terms to not train on our customers' data.
- Voice cloning. Operators may upload reference audio to generate a custom voice. Reference samples are stored encrypted and are only used to produce voices for that Operator. We do not clone the voices of third parties without their explicit consent.
11. TCPA & telephone communications
See the separate TCPA Disclosure for our practices regarding SMS and voice calls placed on behalf of Operators.
12. Children's privacy
The Service is not directed to children under 18. We do not knowingly collect personal information from children. If you believe we have, contact us at privacy@getalta.ai and we will delete it promptly.
13. Changes to this policy
We will update this policy from time to time. Material changes will be announced by email and a banner in the dashboard at least 30 days before they take effect.
14. How to contact us
Apex Aspire LLC d/b/a Alta Attn: Privacy <<PHYSICAL MAILING ADDRESS - set ALTA_PHYSICAL_ADDRESS to the Apex Aspire LLC registered address before publishing>> Cheyenne, WY 82001 (placeholder � replace with registered-agent address) United States
Email: privacy@getalta.ai EU Representative: [name + address] UK Representative: [name + address]
This document is intended to comply with the GDPR, the UK GDPR, the California Consumer Privacy Act (as amended by CPRA), the Colorado Privacy Act, Virginia's Consumer Data Protection Act, Connecticut's Data Privacy Act, and Utah's Consumer Privacy Act. This is not legal advice; consult counsel before publishing.