Privacy Policy

Last updated: 2026-05-27

Revenue Recovery Engine (“RRE”, “we”, “us”) is a service operated by SmartFlow Digital LLC, a West Virginia limited liability company. We operate an AI-powered phone-answering, lead-reactivation, and follow-up service. This policy explains what we collect, why, and how we protect it.

Who is the data controller?

When a business signs up for RRE, that business is the data controller for its callers and leads. RRE acts as a data processor on its behalf. The same applies to any data uploaded as part of onboarding (e.g. an old leads CSV).

What we collect

• Account information: business name, contact details, billing data via Stripe.
• Calls: caller phone number, call duration, recordings, transcripts, structured outcomes.
• Messages: inbound and outbound SMS body, status, timestamps.
• Leads: name, phone, email, service interest, source, notes. May be uploaded by you or captured from calls/messages.
• Appointments: scheduled date, service, estimated value.
• Operational logs: provisioning events, webhook payloads, audit trail.

Call recording

Calls are recorded and transcribed by our voice-agent provider (Synthflow). Each business is responsible for ensuring its customers are notified before recording in jurisdictions that require two-party consent. By default our agents include a brief opening that satisfies most US states; ask us if you operate in CA, CT, FL, IL, MD, MA, MT, NV, NH, PA, or WA and we’ll tailor the script.

SMS compliance

All outbound SMS includes opt-out language (STOP) and is subject to TCPA, CTIA, and carrier rules. We honor opt-outs immediately and suppress further messages to that phone number across all campaigns for that business. Reactivation campaigns include an opt-out hint in every message and a quiet-hours window.

Who we share data with

We use a small number of third-party processors to operate the Service. Each is contractually limited to using your data only for our benefit (not for their own commercial purposes). The full list — what each vendor does, what data flows to them, and their privacy policy — lives at /subprocessors and is kept current. We notify active customers at least 14 days before adding or replacing a subprocessor.

We do not sell personal data. We do not share data across customers. We do not use customer data, call transcripts, or SMS content to train RRE’s own AI models or our LLM vendors’ models. Anthropic operates under their zero-retention API terms for our account.

AI use disclosure

RRE uses large language models (currently Anthropic Claude) to draft SMS replies, summarize calls, and operate the voice agent (via Synthflow, which uses third-party LLMs under the hood). When the AI voice agent answers a call, it identifies itself as an AI assistant at the start of every call. AI-generated transcripts and summaries may contain errors; the source recording is the authoritative record. We do not use customer or caller data to train any AI model.

Retention

Call recordings and transcripts are kept for 12 months unless you request shorter. Lead and appointment data is kept for the life of your account plus 90 days, then deleted. Operational logs are kept for 30 days. Opt-out records are kept indefinitely to ensure ongoing suppression compliance. You can request export or deletion at any time at privacy@smartflow.tools. Records subject to a legal hold, subpoena, or pending litigation are retained until that obligation lapses.

Data breach notification

If we discover or are notified of a security breach affecting your data, we will notify affected customers without undue delay and, in any event, within 72 hours of confirmation. The notification will describe the nature of the breach, the data affected, the steps we are taking, and recommended actions you may want to take.

Children’s data

RRE is built for business-to-business use and is not intended for or directed at children under 18. We do not knowingly collect personal information from individuals under 18. If you believe we have inadvertently collected such information, contact privacy@smartflow.tools and we will delete it.

Security

All data is encrypted in transit (TLS 1.2+) and at rest. Database access is gated by row-level security; no customer can see another’s data even if they have a valid session. Service-role keys live only in server-side environments, never in the browser.

Your rights

You can access, export, correct, or delete your data, or restrict how we process it, by emailing privacy@smartflow.tools. We respond within 30 days. Residents of CA, EU, UK, and other regions with applicable privacy laws have the rights granted by those laws (CCPA/CPRA, GDPR, UK GDPR). California residents see also our Do Not Sell or Share page.

Changes

We’ll post material updates here and notify active customers by email at least 14 days before they take effect.

Questions? Back to home or email privacy@smartflow.tools.