ServGroundServGround

Privacy Policy

Last updated: March 7, 2026

ServGround is operated by Beansoft Technology Services LLC, a North Carolina limited liability company (“Beansoft,” “we,” “us,” or “our”). We take your privacy seriously. This Privacy Policy explains how we collect, use, share, and protect your personal information when you use the ServGround platform (the “Platform”). This policy applies to all users, including merchants (workspace owners and team members), their clients who access the client portal, visitors to merchant public websites, and callers who interact with AI Voice Receptionist services. We are committed to transparency and to giving you control over your data.

1. Information We Collect

1.1 Account Information

When you create an account, we collect your name, email address, and authentication credentials. If you sign up through Google OAuth, we receive your name, email address, and profile picture from Google. We also store your last login timestamp and account preferences.

1.2 Business Information

Merchants provide business details including company name, address, phone number, email, logo, tagline, service descriptions, operating hours, and service areas. This information is used to configure your workspace and may be displayed on your auto-generated merchant public website. Merchants may also configure custom domains, branding colors, template preferences, and notification settings.

1.3 Client Data

Merchants store client information within their workspace, including client names, company names, email addresses, phone numbers, mailing addresses, service history, and associated contacts. This data is managed exclusively within the merchant's workspace and protected by row-level security (RLS) at the database level, ensuring complete isolation between workspaces.

1.4 Service Request & Document Data

We collect service request details submitted through web forms, the client portal, AI voice receptionist, SMS text messaging, and manual entry. This includes the requester's name, email, phone number, service type, description, preferred dates, service addresses, and parcel information where applicable. We also store proposals, contracts (including electronic signatures), invoices, project details, and reports created on the Platform.

1.5 Financial & Payment Data

We collect billing information necessary to process subscription payments and client invoice payments. Credit card numbers and bank account details are collected and processed directly by Stripe — ServGround does not store raw payment card data on our servers. We retain transaction records, payment amounts, payment method types, payout history, and expense records (including AI-extracted receipt data) for accounting and reporting purposes.

1.6 Uploaded Documents & Files

Users may upload documents including logos, profile images, proposal attachments, contracts, invoices, reports (PDF or document builder), knowledge base training documents, receipt images for expense tracking, and service request attachments. Uploaded files are stored in private, encrypted storage buckets with workspace-level access controls. We enforce file size limits and restrict certain executable file types (.exe, .bat, .cmd, .sh, .ps1, .msi, .dll, .scr, .com) for security.

1.7 Voice Call Data

When clients call a merchant's AI Voice Receptionist, we collect the caller's phone number, call duration, call outcome, and a transcript of the conversation. Calls are processed through our voice AI provider (Vapi) and may be recorded and transcribed for service request capture, quality assurance, and dispute resolution. Call metadata is stored in our database with the associated workspace.

1.8 SMS & Text Message Data

When clients send text messages to a merchant's AI phone number, we collect the sender's phone number, message content, and response data. Inbound SMS messages are processed through Twilio and our AI systems to generate automated responses. We log message metadata (timestamp, phone number hash, workspace) for rate limiting, abuse prevention, and usage tracking. Individual message content is not permanently stored after processing.

1.9 Chat & AI Interaction Data

When visitors interact with the AI Website Agent on a merchant's public website or embedded chat widget, we collect session identifiers, a privacy-preserving hash of the visitor's IP address, message counts, and session timestamps. We do not permanently store the content of individual chat messages. Chat session metadata is retained for usage tracking and plan-based message limit enforcement.

1.10 Usage & Technical Data

We automatically collect information about how you interact with the Platform, including pages visited, features used, browser type and version, device information, operating system, screen resolution, IP address, referring URLs, and timestamps. We use this data to improve the Platform, diagnose technical issues, and prevent abuse.

2. How We Use Your Information

2.1 Providing Services

We use your information to operate and maintain the Platform, process transactions, manage subscriptions, send transactional communications (document reminders, payment confirmations, service request notifications, magic link authentication emails), and facilitate the merchant-client workflow from intake through completion.

2.2 AI-Powered Features

We use certain data to power AI features including: client data and service descriptions to train the AI Voice Receptionist and Website Agent; knowledge base documents and scraped website content to provide contextual AI responses; receipt images for AI-powered expense extraction; and service type information for AI content generation (proposals, contracts, reports). AI processing is performed by our third-party AI providers (see Section 8). We do not use your data to train general-purpose AI models.

2.3 Communications

We send transactional emails including service request confirmations, proposal and contract notifications, invoice reminders (escalating cadence: gentle, friendly, urgent), payment receipts, report publication notifications, team member invitations, workspace deletion notices, and project lifecycle updates. We may also send product updates and feature announcements, which you can opt out of through your notification preferences.

2.4 Security & Fraud Prevention

We use IP addresses, usage patterns, and technical data for rate limiting, spam detection (Cloudflare Turnstile), abuse prevention, and protecting the integrity of the Platform. We employ bot protection on authentication forms and service request submissions.

2.5 Analytics & Improvement

We analyze aggregated usage patterns to improve Platform performance, identify popular features, optimize user experience, and inform product development decisions. Analytics are performed on de-identified or aggregated data where possible.

3. Information Sharing & Disclosure

3.1 No Sale of Personal Data

We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We do not share personal data with data brokers or advertising networks.

3.2 Service Providers

We share data with third-party service providers who assist in operating the Platform (see Section 8 for a complete list). These providers are contractually bound to use your data only for the purposes we specify and to maintain appropriate security measures.

3.3 Merchant-Client Data Sharing

When a merchant sends a proposal, contract, invoice, or report to a client, the relevant document data is shared with the client through the client portal. Merchants control what information is shared with their clients through document creation and publication. Client portal access is authenticated via magic links.

3.4 Legal Obligations

We may disclose your information to comply with applicable laws, regulations, legal processes, or governmental requests; to enforce our Terms of Service; to protect the rights, safety, or property of ServGround, our users, or the public; and to detect, prevent, or address fraud, security, or technical issues.

3.5 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred to the successor entity. We will provide notice before your personal information becomes subject to a different privacy policy.

4. AI Data Processing

4.1 AI Providers & Data Flow

Our AI-powered features use the following third-party providers: OpenAI (GPT-4o, GPT-4o-mini) for the Website Agent chat, content generation, and receipt extraction via Vision API; Google (Gemini) as a fallback AI provider for chat when OpenAI is unavailable; and Vapi with OpenAI for the AI Voice Receptionist call handling and transcription. Data sent to these providers includes the conversation context (system prompt, user messages, tool results), knowledge base search results, and in the case of receipt extraction, the uploaded image. These providers process data according to their own privacy policies and data processing agreements.

4.2 Knowledge Base Data

Merchants can upload documents and provide website URLs to build a knowledge base that trains their AI assistants. Uploaded documents are chunked, converted to vector embeddings, and stored in our database. The original document text and embeddings are scoped to the merchant's workspace. When an AI assistant searches the knowledge base, only the relevant text chunks (not entire documents) are sent to the AI provider as part of the conversation context.

4.3 Voice Call Transcription

AI Voice Receptionist calls are transcribed in real-time by our voice AI provider (Vapi). Transcripts are stored in our database associated with the specific voice call record and workspace. Transcripts may contain personal information spoken during the call, including names, email addresses, phone numbers, and service details. Transcripts are retained for the duration specified in our data retention policy.

4.4 AI Data Retention by Providers

Our AI providers (OpenAI, Google, Vapi) may temporarily process and retain data in accordance with their own data retention policies. We use API access (not consumer products), which typically has shorter retention periods and excludes training on customer data. We recommend reviewing the privacy and data processing documentation of each provider listed in Section 8.

5. Cookies & Tracking Technologies

5.1 Essential Cookies

We use essential cookies required for the Platform to function, including authentication session cookies (Supabase Auth), workspace context cookies, portal session tokens (magic link authentication for clients), and CSRF protection tokens. These cookies cannot be disabled without breaking core functionality.

5.2 Preference Cookies

We use localStorage and cookies to store your preferences, including sidebar collapse state, theme preference (light/dark mode), selected workspace, and notification settings. These improve your experience but are not essential.

5.3 Analytics & Performance

We may use analytics tools to understand usage patterns, page performance, and feature adoption. Analytics data is collected in aggregate form where possible. We do not use third-party advertising cookies or tracking pixels.

5.4 Cloudflare Turnstile

We use Cloudflare Turnstile on authentication forms (login, signup) and certain public forms (contact forms, client portal login) for bot protection and spam prevention. Turnstile may collect browser characteristics, interaction data, and IP addresses to verify that visitors are human. This data is processed by Cloudflare in accordance with their privacy policy.

5.5 Managing Cookies

You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent you from using the Platform. For specific instructions on managing cookies, consult your browser's help documentation.

6. Data Security

6.1 Encryption

All data transmitted between your device and the Platform is encrypted using TLS/SSL (HTTPS). Data stored in our database is encrypted at rest. Authentication tokens are generated using cryptographic functions (pgcrypto). Magic link tokens for client portal access expire after 24 hours.

6.2 Access Controls

We implement row-level security (RLS) on all database tables, ensuring complete data isolation between workspaces. All business data is scoped to a workspace_id. User authentication is handled by Supabase Auth with JWT token validation. Service role keys are restricted to server-side operations only and are never exposed to client browsers.

6.3 Multi-Tenant Isolation

ServGround is a multi-tenant platform. Each merchant's data is stored in the same database but strictly isolated through row-level security policies that enforce workspace boundaries. No merchant can access another merchant's data, clients, or documents through the Platform.

6.4 Storage Security

Uploaded files are stored in private storage buckets (not publicly accessible). File access requires authenticated, time-limited signed URLs that expire after one hour. File uploads are validated for type, size, and extension. Executable files are blocked. File paths are sanitized to prevent directory traversal attacks.

6.5 Payment Security

All payment processing is handled by Stripe, a PCI-DSS Level 1 certified payment processor. ServGround does not store, process, or transmit raw credit card numbers. Payment operations use Stripe's secure tokenization and are processed through webhook-based async queues with idempotency keys to prevent duplicate charges.

6.6 Limitations

While we implement industry-standard security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security. In the event of a data breach affecting your personal information, we will notify affected users and relevant authorities as required by applicable law.

7. Data Retention

7.1 Account Data

We retain your account information for as long as your account is active. If you delete your account, personal information will be removed, subject to our obligation to retain certain records for legal, accounting, or fraud prevention purposes.

7.2 Workspace Data

When a workspace is deleted, all associated data (clients, proposals, contracts, invoices, projects, reports, service requests, documents, and team members) is preserved for a 30-day recovery period. During this period, the workspace owner can restore the workspace and all data. After the 30-day recovery period, data may be permanently deleted.

7.3 Notifications

Read notifications are automatically cleaned up after 30 days. Unread notifications are retained for up to 90 days. A per-user cap of 500 notifications is enforced to prevent unbounded growth. These retention periods are configurable at the platform level.

7.4 Voice Call Records

Voice call records (call metadata, transcripts, and outcomes) are retained for the period specified in our platform configuration (default: 12 months). Call recordings processed by our voice AI provider (Vapi) are subject to Vapi's own data retention policies.

7.5 Chat Sessions

Website Agent chat session metadata (session token, message count, timestamps) is retained for usage tracking and billing purposes. Individual chat message content is not permanently stored after the session ends.

7.6 SMS Messages

SMS message metadata (timestamp, phone number hash, workspace association) is retained for rate limiting and abuse prevention. Message content is processed in real-time for AI response generation and is not permanently stored by ServGround. Twilio may retain SMS records according to their own retention policies.

7.7 Email Send Logs

We maintain email send logs for idempotency purposes (preventing duplicate emails) and delivery tracking. These logs include the email type, recipient identifier (hashed), and send timestamp. Logs are retained for as long as the associated workspace is active.

7.8 Financial Records

Transaction records, payment history, invoices, expenses, and payout data may be retained for up to 7 years after the workspace is deleted to comply with tax, accounting, and financial reporting obligations.

8. Your Rights & Choices

8.1 Access & Portability

You have the right to access the personal information we hold about you. Merchants can export their data (clients, proposals, contracts, invoices, reports) through the Platform's export features. For a comprehensive data export, contact us through the Help Center.

8.2 Correction

You can update your account information, business details, and client data directly through the Platform. If you believe we hold inaccurate information that you cannot correct yourself, contact us and we will make corrections promptly.

8.3 Deletion

You can delete your workspace through Settings, which initiates a 30-day soft deletion period. To request complete deletion of your personal account and all associated data, contact us through the Help Center. Certain information may be retained as described in Section 7 (Data Retention).

8.4 Communication Preferences

You can manage your email notification preferences through Dashboard > Settings > Notifications. You can opt out of non-essential communications at any time. Transactional emails (payment confirmations, security alerts, account notifications) cannot be opted out of while your account is active, as they are necessary for service operation.

8.5 SMS Consent & Opt-Out

SMS auto-reply services require the merchant to have an AI phone number with SMS capabilities enabled. Clients can opt out of SMS communications at any time by replying STOP to any text message. Standard message and data rates apply. SMS consent is captured on service request intake forms with TCPA-compliant language.

8.6 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to know what personal information is collected, shared, and sold (we do not sell personal information); the right to delete personal information; the right to opt out of the sale of personal information (not applicable as we do not sell data); the right to non-discrimination for exercising your privacy rights; and the right to correct inaccurate personal information. To exercise these rights, contact us through the Help Center. We will verify your identity before processing requests.

8.7 European Residents (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR), including the right to access, rectification, erasure, restriction of processing, data portability, and objection. Our legal bases for processing personal data include performance of a contract (providing the Platform services), legitimate interest (improving services, security), consent (marketing communications, AI features), and legal obligation (tax and financial recordkeeping). You may lodge a complaint with your local data protection authority.

8.8 Response Timeframes

We will respond to privacy rights requests within 30 days (or sooner as required by applicable law). Complex or voluminous requests may require an extension of up to 60 additional days, in which case we will notify you of the extension and the reasons.

9. Third-Party Services

9.1 Infrastructure & Hosting

Supabase (supabase.com) — Database hosting (PostgreSQL), user authentication (Google OAuth, email/password, magic links), file storage, and row-level security. Data is stored in Supabase-managed infrastructure. Vercel (vercel.com) — Application hosting, deployment, serverless function execution, custom domain management, and SSL certificate provisioning. Cloudflare (cloudflare.com) — Bot protection via Turnstile CAPTCHA on authentication and public forms.

9.2 Payment Processing

Stripe (stripe.com) — Primary payment processor for subscription billing, client invoice payments (credit card, ACH/bank transfer), merchant payouts via Stripe Connect, and instant payouts. Stripe is PCI-DSS Level 1 certified. Stripe collects and processes payment card data directly — ServGround does not handle raw card numbers. Stripe Connect enables merchants to receive payouts from client payments, subject to Stripe's own verification and compliance requirements.

9.3 Email

Resend (resend.com) — Transactional email delivery for all Platform communications including service request confirmations, document notifications, payment receipts, magic link authentication, team invitations, reminder cadences, and workspace deletion notices. Email content may include recipient names, document details, and magic link URLs.

9.4 AI & Machine Learning

OpenAI (openai.com) — Powers the AI Website Agent (chat), AI content generation for proposals, contracts, and reports, and AI Vision for receipt extraction. Data sent includes conversation context, knowledge base search results, and receipt images. Google AI (ai.google.dev) — Fallback AI provider when OpenAI is unavailable. Used for text-only chat responses (without tool calling support). Vapi (vapi.ai) — Powers the AI Voice Receptionist. Processes inbound phone calls, real-time voice transcription, and tool execution for service request capture and status lookup.

9.5 Telecommunications

Twilio (twilio.com) — Phone number provisioning for AI Voice Receptionist, inbound SMS webhook processing, and SMS auto-reply delivery. Twilio processes caller phone numbers, call metadata, and text message content. Vapi Phone Numbers — Alternative phone number provisioning through Vapi's platform for voice assistant functionality.

10. SMS & Voice Communications

10.1 SMS Consent (TCPA Compliance)

We obtain explicit consent before sending SMS messages to clients. Consent is captured on service request intake forms with the following disclosure: "I consent to receive text messages from [Business Name] regarding this request. Message and data rates may apply. Reply STOP to opt out." SMS consent status is stored per service request. Consent is voluntary and does not affect service delivery.

10.2 SMS Auto-Reply

When a client texts a merchant's AI phone number, our system generates an AI-powered response. All SMS responses include a TCPA/CTIA compliance footer: "Reply STOP to opt out. Msg & data rates apply." Inbound messages are subject to rate limiting (10 messages per 5 minutes per phone number) to prevent abuse.

10.3 Voice Call Recording

Calls to the AI Voice Receptionist are processed in real-time by our voice AI provider. Call transcripts are generated and stored in our database. By calling the AI Voice Receptionist, callers consent to the call being processed and transcribed by AI systems. Call recordings may be made and retained by our voice AI provider (Vapi) according to their data retention policies.

10.4 Opting Out

To stop receiving SMS messages, reply STOP to any text message from our system. Opting out of SMS does not affect the ability to receive services. Voice callers can request to speak with a human representative or call the merchant's direct business phone number instead of the AI receptionist.

11. Client Portal & Merchant Websites

11.1 Client Portal Access

Clients access the portal via magic link authentication (passwordless email links valid for 24 hours). When a merchant sends a document (proposal, contract, invoice, report) to a client, portal access is automatically granted. Portal sessions are time-limited and authenticated. Clients can view their documents, submit service requests, upload attachments, and leave comments through the portal.

11.2 Merchant Public Websites

ServGround auto-generates public websites for merchants displaying their business information, services, testimonials, FAQs, and contact forms. These websites are publicly accessible and may be indexed by search engines. Merchants control the content displayed on their public websites through the Dashboard. Custom domains may be configured, which involves DNS record verification.

11.3 Contact Form Submissions

When visitors submit contact forms on merchant public websites, the submitted information (name, email, phone, service type, message) is stored as a service request in the merchant's workspace. The visitor's data becomes client data managed by the merchant. Cloudflare Turnstile is used for bot protection on contact forms.

12. Children's Privacy

ServGround is not directed to children under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16, we will take steps to delete that information promptly. If you believe a child under 16 has provided us with personal information, please contact us through the Help Center.

13. International Data Transfers

ServGround is operated by Beansoft Technology Services LLC from the United States. If you access the Platform from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. These countries may have data protection laws that differ from those of your jurisdiction. By using the Platform, you consent to the transfer of your information to the United States and other countries. Where required by applicable law, we implement appropriate safeguards for international data transfers, such as standard contractual clauses.

14. Do Not Track Signals

Some web browsers transmit "Do Not Track" (DNT) signals to websites. Because there is no industry-standard interpretation of DNT signals, the Platform does not currently respond to DNT signals. We do not track users across third-party websites for advertising purposes.

15. Merchant Responsibilities

Merchants using ServGround act as data controllers for the client data they collect and manage within their workspace. Merchants are responsible for ensuring they have appropriate legal bases for collecting client data, providing privacy notices to their clients, responding to client data rights requests, configuring appropriate data handling practices, and complying with applicable data protection laws in their jurisdiction. ServGround acts as a data processor for merchant-managed client data, processing it only as necessary to provide the Platform services.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. We will notify you of material changes by email to the address associated with your account and/or through a prominent notice on the Platform at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of the Platform after the effective date of changes constitutes acceptance of the revised policy. If you disagree with the updated policy, you may delete your account.

17. Contact Us

If you have questions, concerns, or complaints about this Privacy Policy or our data practices, please contact us through our Help Center at the Platform or by emailing info@mylegacyai.ai. For privacy-specific requests (data access, correction, deletion), please include "Privacy Request" in the subject line. ServGround is a trade name of Beansoft Technology Services LLC, a North Carolina limited liability company. We are committed to working with you to resolve any privacy-related concerns in a timely manner.

See also our Terms of Service, End-User License Agreement, and Help Center.