Privacy Policy — Front Desk by Poppy

Title
Privacy Policy
Version
v3_LAUNCH_2026-05-12
Effective Date
2026-05-12
Last Updated
2026-05-12
Provider
Poppy Marketing & Consulting LLC
Provider Address
23015 FM 529 Rd, Ste 200 PMB1125, Katy, TX 77493
Contact
privacy@poppymarketingandconsulting.com
Document URL
https://frontdesk.poppymarketingandconsulting.com/legal/privacy

This Privacy Policy describes how Poppy Marketing & Consulting LLC (“Poppy”, “we”, “us”, or “our”) collects, uses, and shares information about you when you use the Front Desk by Poppy service (“Service”), accessible at https://frontdesk.poppymarketingandconsulting.com and via SMS, voice, and web channels.

By using the Service, you agree to this Privacy Policy. If you do not agree, do not use the Service.

1. Information we collect

1.1 Information you provide

When you sign up for or use the Service, we collect:

  • Business information: business name, primary contact name, business phone number, email address, business address, industry/vertical, services offered, business hours, and FAQs you provide for your AI assistant.
  • Authorized signer information: the name, email, and (where provided) title of the individual who accepts the Customer Subscription Agreement and related terms on behalf of your business.
  • Account credentials: email and password (passwords are stored as one-way hashes; we never see your plaintext password).
  • Payment information: billing details processed by our payment processor (Stripe). We do not store your full card number on our servers.
  • Calendar and CRM credentials: if you connect Google Calendar, Cal.com, Calendly, Acuity, HubSpot, Pipedrive, Jobber, Housecall Pro, ServiceTitan, or other integrations, we store the OAuth tokens needed to write bookings or sync leads. We use the minimum scopes necessary.
  • Communications with us: support emails, cancellation requests, feature requests, complaints, and any other messages you send.
  • Acceptance records: the document versions, canonical URLs, timestamp, IP address, and user agent associated with your acceptance of the Customer Subscription Agreement, this Privacy Policy, the Data Processing Addendum, and the Subprocessors page, along with the Stripe session and payment identifiers where applicable.

1.2 Information collected automatically when callers reach your business

When end consumers call your business via your Front Desk number, we automatically collect:

  • Call metadata: caller phone number, call timestamp, call duration, ring time, call disposition.
  • Call audio recording: the AI assistant records the call. At the start of every call, the AI assistant plays a recording disclosure to the caller stating: “This call may be recorded, transcribed, and summarized by Front Desk by Poppy. By continuing, you consent to recording and transcription.” A Spanish-language equivalent is played when the caller’s language is Spanish.
  • Call transcript and call summary: automatically generated text version and summary of the call for your dashboard, reports, and lead summaries.
  • Caller-provided information: anything the caller tells the AI assistant — name, address, service request, callback time, and similar information.

1.3 Information collected automatically about your use of the website

When you visit https://frontdesk.poppymarketingandconsulting.com, we collect standard web logs: IP address, browser type, operating system, pages viewed, referring URL, and date/timestamp. We do not use third-party advertising trackers.

2. How we use information

We use the information we collect to:

  • Operate the Service: answer your business calls, capture leads, book appointments, deliver transactional SMS notifications, and send service reports.
  • Communicate with you: send the transactional SMS messages you have authorized (lead alerts, booking confirmations, account notifications), respond to support and cancellation inquiries, and send service-related emails (billing, account changes, security).
  • Tune your AI assistant: review a sampled subset of calls (typically 5 to 10 per week per account) to identify quality issues, adjust prompts, and improve performance for your specific business.
  • Improve the Service: analyze aggregated, de-identified usage patterns to make the Service better. We do not use your individual call data to train third-party models.
  • Bill you: process subscription payments and manage your account.
  • Maintain acceptance and audit records: retain records of which document versions you accepted, when, and through which mechanism, for compliance and audit purposes.
  • Comply with legal obligations: respond to subpoenas, court orders, and other valid legal process.

We do not sell your information or your callers’ information to third parties for advertising.

3. Who we share information with

3.1 Subprocessors

We engage third-party service providers (subprocessors) to operate the Service. Each subprocessor is bound by a written contract that requires it to protect your information consistent with this Privacy Policy and our Data Processing Addendum, available at https://frontdesk.poppymarketingandconsulting.com/legal/dpa.

The current list of subprocessors is maintained at https://frontdesk.poppymarketingandconsulting.com/legal/subprocessors. We will provide at least thirty (30) days’ written notice (by email and on the subprocessors page) before adding or replacing a subprocessor that processes your data. You may object in writing within that notice window; if we cannot reasonably accommodate your objection, you may terminate the affected portion of the Service without penalty, as described in Section 4.4 of the Data Processing Addendum.

Subprocessor categories include (current providers listed on the subprocessors page): telephony, call recording storage, SMS messaging, A2P 10DLC registration, AI inference, database and storage hosting, application hosting, payment processing, web hosting, transactional outbound email, inbound email and shared drive, intake and operational records, and (Pro tier) scheduling.

3.2 Aggregated and de-identified data

We may share aggregated, de-identified data publicly in formats that do not identify any specific business or caller.

3.3 Required disclosures

We may disclose your information when required by law, valid legal process, or to protect our rights, property, or safety, or the rights, property, or safety of our customers or others.

3.4 Business transfers

If Poppy is acquired or merges with another entity, your information may be transferred to the acquirer subject to this Privacy Policy. We will provide notice before your information becomes subject to a different privacy policy.

4. Your callers’ information

You are the controller of any personal information your callers provide. We process that information on your behalf as a service provider (under CCPA / CPRA terminology) and as a processor (under TDPSA terminology). The full processor obligations, subprocessor change rights, data subject request handling, security commitments, and audit rights are set out in our Data Processing Addendum, available at https://frontdesk.poppymarketingandconsulting.com/legal/dpa, which is incorporated into and forms part of the Customer Subscription Agreement when you use the Service.

By using the Service, you represent that:

  1. You have the right to use the Service to capture and process information from callers to your business.
  2. You will not use the Service in a manner that violates applicable laws (TCPA, state privacy laws, sector-specific rules including HIPAA).
  3. You will respond to any privacy requests from your callers (access, deletion, correction) and we will assist you in fulfilling those requests upon your instruction, consistent with the Data Processing Addendum.

We do not directly market to your callers. SMS messages sent on Pro customers’ behalf are transactional, scoped to the SMS Messaging and A2P 10DLC section below.

5. SMS Messaging and A2P 10DLC

If a Customer uses Front Desk Pro, Poppy may send transactional SMS messages on the Customer’s behalf, such as lead alerts, booking confirmations, and related service messages. Poppy may process recipient phone numbers, message content, delivery status, opt-out status, and related metadata to provide SMS features. Poppy may also submit Customer business information, sample messages, use-case descriptions, and opt-in-flow information to Twilio, The Campaign Registry, mobile carriers, and related service providers for A2P 10DLC registration, vetting, delivery, filtering, and compliance purposes. Recipients may opt out of SMS messages by replying STOP and may request help by replying HELP.

Industry-standard SMS opt-out and help language is included in messages: “Reply STOP to unsubscribe. Reply HELP for help. Msg & data rates may apply. Msg frequency varies.”

Customer is responsible for maintaining any required SMS consent from message recipients, for not using Front Desk for marketing or promotional SMS unless separately approved by Poppy, for honoring opt-out requests received outside the Service, and for not asking Poppy to message anyone who has opted out. Carrier filtering, rejection, or suspension is outside Poppy’s control, and Poppy may suspend SMS features if compliance issues are detected.

6. AI processing

The Service uses AI inference (provided by Anthropic, as listed on the subprocessors page) to handle inbound calls, generate transcripts and summaries, and assist with lead capture. Call audio is processed in real time for transcription. Transcripts and summaries are returned to your dashboard and stored consistent with Section 8 (Data retention).

We do not use your individual call data, your callers’ information, or your account data to train third-party AI models. AI model usage is limited to inference (running the model against your live calls) on the terms in our agreements with the model provider.

7. Your rights

Subject to applicable law, you have the right to:

  • Access the personal information we hold about you and your business.
  • Correct inaccurate information.
  • Delete your information (subject to the retention requirements in Section 8).
  • Opt out of SMS by replying STOP to any of our messages, or by contacting us at support@poppymarketingandconsulting.com.
  • Port your data to another service in a machine-readable format.
  • Withdraw consent at any time (this does not affect the lawfulness of processing prior to withdrawal).
  • Cancel future recurring subscription charges through your Stripe billing portal or by emailing cancel@poppymarketingandconsulting.com. Unless otherwise stated in the Customer Subscription Agreement, cancellation takes effect at the end of the current billing period and already-charged fees are non-refundable.

To exercise these rights, contact us at privacy@poppymarketingandconsulting.com. We will respond within forty-five (45) days, consistent with the response timelines under CCPA / CPRA and TDPSA. We may extend this period by an additional forty-five (45) days where reasonably necessary, with notice to you of the extension.

California residents: California Civil Code Section 1798.135 grants you specific rights regarding your personal information under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA). The rights above incorporate the CCPA / CPRA framework for California residents.

Texas residents: the Texas Data Privacy and Security Act (TDPSA) grants similar rights. The rights above incorporate the TDPSA framework for Texas residents.

Your callers’ rights: rights of individuals who call your business are exercised through you as the controller. We will assist you in responding to those requests as described in the Data Processing Addendum.

We do not sell personal information for the purposes of CCPA / CPRA.

8. Data retention

8.1 Caller Data and operational call records

Call recordings, transcripts, summaries, call metadata, and caller contact details are retained while the subscription is active and for up to thirty (30) days after service access ends, unless a longer period is required by law, needed for security, billing, dispute, or legal purposes, or requested by Customer in writing. Customer may request export or earlier deletion during the applicable retention period, subject to legal, security, billing, and operational limitations.

8.2 Subscriber Business Records

Category Retention period
Account profile, settings, and integration credentials Duration of your subscription
Subscription, billing, and tax records Seven (7) years after service access ends, consistent with US tax and audit requirements
Acceptance and audit records (document versions accepted, timestamps, URLs, IP, user agent, Stripe session identifiers) Seven (7) years after service access ends
Support, cancellation, and other communications with us Two (2) years
Aggregated, de-identified analytics Indefinite (no longer personal information)

Subscriber Business Records are retained on standard US business-records and tax-audit timelines and apply to your own data as the subscriber, not to your callers’ data.

8.3 Earlier deletion

You can request earlier deletion of your data by emailing privacy@poppymarketingandconsulting.com. We will comply except where retention is required by law (for example, billing records subject to tax audit requirements) or where retention is needed for security, billing, dispute, or legal purposes. Where you request earlier deletion of Caller Data, we will act on your written instruction as the controller of that data, consistent with the Data Processing Addendum.

9. Security

9.1 Safeguards

We implement reasonable physical, administrative, and technical safeguards:

  • TLS 1.2 or higher for all data in transit.
  • Encryption at rest for database storage and audio files.
  • Role-based access control for our team; access is logged and reviewed.
  • Multi-factor authentication on all administrative accounts.
  • Regular review of vendor security postures.

No method of transmission over the internet or method of electronic storage is one hundred percent secure. We cannot guarantee absolute security, but we work to protect your information.

9.2 Security incident notification

If we become aware of a Security Incident affecting personal information processed on your behalf, we will notify you without undue delay, and in any case within seventy-two (72) hours of confirmation. The notification will describe (to the extent then known): the nature of the incident, the categories and approximate volume of records involved, the likely consequences, the measures taken or proposed to address the incident, and a point of contact for further information. We will assist you in fulfilling any notification obligations you owe to your callers or to regulators.

A “Security Incident” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal information.

10. Children’s privacy

The Service is not intended for individuals under 18. We do not knowingly collect personal information from children under 18. If you believe we have collected information from a child under 18, contact us at privacy@poppymarketingandconsulting.com and we will delete it.

11. International users

The Service is hosted in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. The data protection laws of the United States may differ from those of your country.

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and by posting a notice on the Service at least thirty (30) days before the changes take effect. The “Last Updated” date at the top of this Privacy Policy indicates when it was last revised.

13. Contact us

Questions, complaints, or requests:

Poppy Marketing & Consulting LLC 23015 FM 529 Rd, Ste 200 PMB1125 Katy, TX 77493 United States

privacy@poppymarketingandconsulting.com support@poppymarketingandconsulting.com cancel@poppymarketingandconsulting.com (cancellation requests)