BABrass AI
Sign inBook pilot

Legal

Privacy Policy

Brass AI is an AI voice front desk for plumbing & HVAC businesses. This policy explains what we collect when the agent answers and books calls, how we use it, and the choices you and your callers have.

Effective date: June 21, 2026 · Brass AI, a service of RDMI

This is a good-faith starting template provided for convenience — not legal advice. Review and adapt it with qualified counsel for every jurisdiction you operate in before you publish or rely on it.

1. Overview

Brass AI (“Brass AI”, “we”, “us”), a service of RDMI, provides an automated voice agent that answers inbound phone calls for home-services businesses, validates service areas, books jobs, and sends booking confirmations. Delivering that service necessarily involves processing the contents of phone calls, including recordings, transcripts, and the personal details a caller shares to book a job.

This policy covers the Brass AI marketing site, the operator dashboard, and the voice agent. It does not cover the independent privacy practices of the businesses that use Brass AI to answer their calls, or of the third-party providers described below.

2. Who we are & our roles

For the operator account data of the businesses that subscribe to Brass AI (name, work email, company, login credentials), RDMI acts as a controller.

For caller data captured during calls (recordings, transcripts, phone numbers, service addresses, job details), the subscribing business is the controller and Brass AI acts as a processor / service providerthat processes that data on the business’s behalf and under its instructions. Each business is responsible for having a lawful basis and the appropriate notices and consents in place for its callers.

3. Information we collect

Call & booking data

  • Call audio and recordings of inbound calls handled by the agent, and the machine transcripts generated from them.
  • Caller detailsshared during a call: name, phone number, service address, and the reason for the call (e.g., “burst pipe”, “no heat”).
  • Booking and notification records: appointment slot, trade, booking reference, and the delivery state of any text/WhatsApp confirmation.
  • Campaign & attribution identifiers where available, such as a Google Ads click id (gclid), campaign, and the number that was dialed.

Operator account & usage data

  • Account profile: name, work email, company name, and a salted password hash (never the plaintext password).
  • Workspace configuration you enter: service-area ZIP codes, trades, business hours, and notification numbers.
  • Standard technical logs (IP address, timestamps, request metadata) used for security, rate limiting, and debugging.

4. How we use information

  • To answer calls, triage and qualify jobs, check the service area, find slots, and book appointments under the business’s brand.
  • To send booking confirmations and operator alerts by text/WhatsApp and email.
  • To display calls, bookings, leads, and delivery states in the operator dashboard.
  • To measure ad attribution and return on ad spend for the business.
  • To secure, maintain, troubleshoot, and improve the service, and to prevent abuse.
  • To comply with legal obligations and enforce our terms.

We do not sell personal information, and we do not use caller recordings or transcripts to train third-party advertising profiles.

5. Legal bases (EEA/UK)

Where the EU/UK GDPR applies, we and the subscribing business rely on: performance of a contract (to answer and book the call you requested); legitimate interests (to run, secure, and improve the service and measure advertising), balanced against your rights; consent (where required for call recording or marketing messages); and legal obligation (record-keeping, responding to lawful requests). You may object to processing based on legitimate interests at any time.

6. Call recording & consent — by region

Calls answered by the agent may be recorded and transcribed to provide the service. Recording and “you are speaking with an automated assistant” disclosure laws vary by jurisdiction, and the subscribing business is responsible for enabling and honoring the disclosure appropriate to where its callers are located. Brass AI provides the tooling to do so; the business is the party that must comply.

United States

  • One-party consent (federal & many states):federal law and most states permit recording with one party’s consent.
  • All-party (“two-party”) consent states: several states require every party to consent to recording — including California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, and Washington. For callers in these states the agent must disclose recording at the start of the call and obtain consent (continuing the call after a clear notice is the common method).
  • Automated-caller / “bot” disclosure:some states (e.g., California’s B&P Code §17940) require disclosing that a person is communicating with an automated system. The agent identifies itself as an automated assistant.
  • Messaging (TCPA): text/WhatsApp confirmations are sent only in connection with a job the caller asked you to book; businesses remain responsible for TCPA and carrier requirements for any other messaging.

European Economic Area & United Kingdom

Under the GDPR/UK GDPR and the ePrivacy rules, callers must be clearly informed before recording, with a lawful basis (typically consent or legitimate interests) and the information required by Articles 13–14. Data-subject rights below apply in full.

Canada

Under PIPEDA and provincial equivalents, callers must be told that the call is recorded, why, and be able to decline; knowledge and consent are required.

Recommended caller disclosure

Operators should configure a greeting along these lines, adapted to local law:

“Thanks for calling [Company]. You’re speaking with our automated assistant, and this call may be recorded for scheduling and quality. If you’d prefer not to be recorded, let me know and we’ll have someone call you back.”

7. Sharing & subprocessors

We share data only as needed to run the service. We use the following categories of subprocessors, each of which processes data under its own terms and security commitments:

ProviderPurposeData involved
Voice AI providerConversational voice AI (speech-to-text, language model, text-to-speech)Call audio, transcripts
TwilioTelephony and SMS/WhatsApp confirmationsPhone numbers, message content
MongoDB / cloud hosting (Railway)Application hosting and the database of recordAll stored records (PII masked where feasible)
ResendTransactional email (welcome, password reset, lead alerts)Email address, message content
Google AdsAd attribution / conversion measurementClick identifiers, campaign metadata

We may also disclose information to comply with law, enforce our terms, protect rights and safety, or in connection with a merger or acquisition (with notice where required). A current subprocessor list is available on request at the contact below.

8. Data retention

We keep records only as long as needed to provide the service to the business, resolve disputes, and meet legal obligations, after which they are deleted or de-identified. A subscribing business may request export or deletion of its workspace data; we will action it within a reasonable period, subject to records we must retain by law.

9. How we protect data

  • Caller phone numbers and service addresses are masked before they are displayed or stored.
  • Traffic is encrypted in transit (HTTPS/TLS); the dashboard is protected by signed, expiring session cookies.
  • Operator passwords are stored only as salted PBKDF2 hashes, never in plaintext.
  • Access is rate-limited and scoped per tenant so one business cannot see another’s data.

No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security.

10. Your privacy rights

Depending on where you live, you may have the right to access, correct, delete, port, or restrict the processing of your personal information, to object to certain processing, and to withdraw consent. Under U.S. state laws such as the CCPA/CPRA you may request access and deletion and are entitled not to be discriminated against for exercising those rights; we do not sell or “share” personal information for cross-context behavioral advertising.

Because most caller data is processed on behalf of a subscribing business, requests about a specific call are usually best directed to that business; we will assist them as their processor. To exercise rights or route a request, contact us below. You may also have the right to lodge a complaint with your local data-protection authority.

11. International transfers

We and our subprocessors may process data in countries other than yours, including the United States. Where required, transfers are protected by appropriate safeguards such as the EU Standard Contractual Clauses.

12. Children’s privacy

Brass AI is a business tool that is not directed to children and is not intended to knowingly collect personal information from anyone under 16. If you believe a child’s information has been provided to us, contact us and we will delete it.

13. Changes to this policy

We may update this policy as the service evolves. We will revise the effective date above and, for material changes, provide additional notice. Continued use after an update means you accept the revised policy.

14. Contact us

Questions, requests, or complaints about this policy or your data: info@rdmi.in (RDMI — Brass AI). For postal contact and a designated privacy/data-protection contact, add your business address before publishing.

← Back to site