Inyeon Privacy Policy
Effective date: July 4, 2026
This Privacy Policy describes how Inyeon LLC, a New York limited liability company ("Inyeon," "we," "us"), collects, uses, and shares personal information in connection with our websites (including inyeon.dev and its subdomains such as platform.inyeon.dev) and our business communication platform — AI-powered voice and messaging agents, appointment booking, CRM, knowledge base, and related services (together, the "Service").
Our Service is operated in the United States and is designed for business customers in the United States.
Contact for anything in this policy: team@inyeon.dev
1. Our Two Roles: Read This First
We handle personal information in two distinct roles:
a. Inyeon as the responsible business ("controller"). For information about our business customers and their staff (the businesses that subscribe to the Service), and about visitors to our websites, Inyeon decides how and why the information is used. Sections 2–13 of this policy apply fully.
b. Inyeon as a service provider ("processor") for our customers. When a person calls, texts, or messages a business that uses Inyeon — or books an appointment, joins a waitlist, pays a deposit, or chats with that business's website widget — we process that person's information on behalf of and at the direction of that business. The business, not Inyeon, decides why that information is collected and is responsible for providing its own privacy notice and obtaining any required consents.
If you are a caller, texter, or customer of a business that uses Inyeon ("End User"): the business you contacted is responsible for your information. Please direct privacy questions and requests (access, deletion, correction) to that business first. We provide every customer with tools to export and delete End User data, and we will assist the business in responding. If you contact us directly at team@inyeon.dev, we will identify the business where we reasonably can, forward your request, and assist. We do not sell End User information or use it for our own marketing.
2. Information We Collect
2.1 From our business customers and website visitors (Inyeon as controller)
- Account and profile data: name, business name, work email, password (stored hashed), role and permissions, language preferences.
- Billing data: billing contact details, invoicing records, prepaid-credit ledger and usage metering (e.g., call minutes, messages, tokens). Invoices may be paid through our banking provider's hosted payment page; we do not store your full bank or card numbers.
- Communications with us: support requests, emails, and feedback.
- Configuration data: agent settings, prompts, message templates, disclosure texts, business hours, and similar settings you create.
- Technical data: IP address, browser and device information, server logs, and session cookies (see Section 8). We do not use third-party advertising or analytics trackers on the dashboard.
2.2 On behalf of our business customers (Inyeon as service provider)
Depending on how a business configures the Service, we process the following End User Data for that business:
- Call data: caller and called phone numbers, call times, duration and status, call recordings (where recording is enabled in the business's configuration or by the underlying voice provider), turn-by-turn call transcripts, and AI-generated call summaries and extracted details (for example, a requested appointment time or a callback number).
- Messaging data: SMS, WhatsApp, and email message content, sender/recipient identifiers, delivery metadata, and media attachments.
- CRM data: names, phone numbers, email addresses, tags, notes, visit and interaction history, and customer value metrics maintained by the business.
- Booking and payment-status data: appointment details (name, contact, service, time), waitlist entries, and deposit status (paid, refunded, forfeited). Card payments are processed by Stripe on the business's own Stripe account; neither Inyeon nor the business's Inyeon account stores card numbers.
- Consent records: a ledger of each opt-in and opt-out (channel, time, method, the wording shown, language, and proof such as a message ID or call ID, and where applicable IP address and browser info), kept as evidence of the End User's communication preferences.
- Knowledge-base content: documents, text, and connected data sources (such as a Google Sheet) that the business uploads so its AI agents can answer questions. Businesses attest that connected reference sources contain no customer personal information, and we apply automated screening to help enforce that.
2.3 Information from third parties
We receive data from telephony and messaging providers (e.g., call routing metadata, delivery receipts), from Google when a business connects a Google integration (Section 7), from Stripe (payment event status, not card numbers), and from review platforms a business connects (e.g., public reviews of that business).
3. How We Use Information
We use personal information to:
- provide and operate the Service — including answering and placing calls, sending and receiving messages, transcribing and summarizing conversations, managing bookings and waitlists, and maintaining each business's CRM and knowledge base;
- meter usage and bill our customers;
- honor communication preferences — enforcing opt-outs (e.g., STOP), consent requirements, and quiet hours before any outbound message is sent;
- secure the Service — authentication, access control, audit logging, fraud and abuse prevention, and debugging;
- provide support and communicate with customers about the Service;
- comply with law, enforce our agreements, and establish or defend legal claims; and
- create de-identified, aggregated statistics (which no longer identify any person or business) to operate and improve the Service.
AI processing. Conversations handled by the Service are processed by artificial-intelligence systems — speech-to-text, large language models, and text-to-speech — to conduct and summarize the conversation, and knowledge-base text is converted into numerical embeddings to enable search. We do not use your information or End User Data to train our own generalized AI or foundation models. Conversation and knowledge-base content is processed by third-party AI infrastructure providers solely to generate responses in real time. Which providers are used depends on the service tier:
- Standard tier: content may be processed by large-model API providers under those providers' own terms, which may include storage or processing on servers located outside the United States. A list of the AI providers used on an account, with relevant excerpts of their data terms, is available on request at team@inyeon.dev.
- Restricted tier: businesses with heightened confidentiality needs (for example, medical, legal, or financial practices) can request routing in which conversation content is sent only to providers operating under zero-data-retention and no-training commitments.
We do not sell personal information, and we do not share it for cross-context behavioral advertising.
4. How We Share Information
We share personal information only as follows:
Subprocessors and service providers who process data on our instructions to run the Service:
- Hosting and infrastructure: Fly.io (application hosting and databases, United States); S3-compatible cloud object storage for message media.
- Telephony and messaging: Telnyx and Twilio (voice and SMS carriage); 360dialog and Meta (WhatsApp Business messaging); Resend (email delivery); Synthflow (voice-agent infrastructure, where used).
- AI infrastructure: speech-recognition, speech-synthesis, model-inference, and embedding providers that process conversation and knowledge-base content in real time solely to provide the Service.
- Payments and billing: Stripe (End User deposits, on the business's own Stripe account); Mercury (our banking and customer invoicing).
- Integrations you connect: Google (Calendar, Business Profile, Sheets — Section 7) and other sources a business chooses to connect.
A current, complete list of subprocessors is available on request at team@inyeon.dev.
The business you interacted with: if you are an End User, the business you contacted has access to your interactions with it (calls, transcripts, messages, bookings, CRM records) — that is the purpose of the Service.
Legal and safety: to comply with law, subpoena, or legal process; to protect the rights, safety, or property of Inyeon, our customers, or others; or to enforce our Terms of Service.
Business transfers: in connection with a merger, acquisition, financing, or sale of assets, subject to this policy's commitments.
We do not share personal information with third parties for their own marketing.
5. Call Recording and Monitoring Notice
Calls handled by the Service may be recorded and are transcribed to provide the Service (for example, to generate a summary and a callback task for the business). Each business is responsible for enabling the call disclosures required for its situation; the Service supports spoken disclosures at the start of a call, in multiple languages. If you do not wish to be recorded on a call with a business using the Service, hang up and contact the business by another means.
6. Text Messaging (SMS/WhatsApp) Notice
- Message frequency varies by your relationship with the business; message and data rates may apply.
- Reply STOP (or STOPALL, UNSUBSCRIBE, CANCEL, END, QUIT) to any message to opt out of that channel; reply START to opt back in. For assistance, contact the business directly.
- Opt-outs are recorded in the consent ledger and enforced automatically before any further outbound message is sent on that channel.
- Consent to receive messages is collected and managed by the business you interacted with; carriers are not liable for delayed or undelivered messages.
7. Google User Data (Google API Services)
Where a business connects Google services, we access Google user data as follows:
- Google Sheets (knowledge-base connector): we use the Google Picker with the
drive.filescope, which grants access only to the specific spreadsheet the business selects — we cannot see Gmail, other files, or the rest of Google Drive. We read the selected sheet's cell values and store them in that business's knowledge base so its AI agents can answer questions, and we re-read the sheet periodically to keep it current. OAuth tokens are encrypted at rest with AES-256-GCM. Disconnecting the integration deletes the sheet-derived content from the knowledge base and revokes our access with Google. - Google Calendar: with the business's authorization, we read availability and create, update, and cancel booking events on the connected calendar. Calendar OAuth tokens are encrypted at rest.
- Google Business Profile: with the business's authorization, we read and respond to the business's reviews and manage its profile.
Limited Use disclosure: Inyeon's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Google user data for advertising, do not sell it, do not transfer it to third parties except to provide or improve user-facing features (or for security or legal compliance), and do not use it to train generalized AI or machine-learning models.
8. Cookies
The dashboard uses essential cookies only — session cookies that keep you signed in and protect against request forgery. We do not use advertising cookies or third-party analytics cookies. Because we do not use non-essential cookies, no cookie-consent choices are required; you can clear cookies in your browser, which will sign you out.
9. Data Retention
- Call data: by default, call recordings, transcripts, summaries, and extracted details are automatically purged 90 days after the call; businesses may configure different retention. Call metadata (times, duration, and billing units) is retained for billing and compliance.
- Messaging, CRM, booking, and knowledge-base data: retained while the business's account is active or until the business deletes it.
- Consent records and audit logs: retained even after related content is deleted, because they are the legal evidence of opt-ins, opt-outs, and system actions.
- Account and billing records: retained for the life of the account plus the period required by tax, accounting, and legal obligations.
- After account termination: we delete or de-identify customer data within a reasonable period after any requested export, except records we must keep by law and routine backups purged on schedule.
10. Security
We use administrative, technical, and physical safeguards designed to protect personal information, consistent with the New York SHIELD Act's reasonable-safeguards requirement, including: encryption in transit (TLS); AES-256-GCM encryption at rest for stored credentials and OAuth tokens, with encryption keys held outside the database; per-business (tenant) data isolation; role-based access controls with granular permissions; audit logging of administrative and data actions; webhook signature verification; secret redaction in logs; and automated retention and redaction sweeps. No system is 100% secure, and we cannot guarantee absolute security. We will notify affected customers and regulators of security breaches as required by applicable law, including New York's breach-notification law.
11. Your Privacy Rights
Depending on your state of residence, you may have rights to access, correct, delete, or obtain a portable copy of your personal information, and to appeal a refusal. We honor these rights as follows:
- Business customers, their staff, and website visitors: email team@inyeon.dev with your request. We will verify your identity (for example, via the email on the account) and respond within the time required by applicable law (generally 45 days). If we refuse, we will explain why and how to appeal by replying to our decision; if your appeal is refused you may contact your state Attorney General.
- End Users: the business you interacted with controls your information — contact that business first (see Section 1). At a business's direction, we will export or delete an End User's information across the Service using our built-in data-subject tooling. Note that deletion removes personal content (recordings, transcripts, messages, contact details) but preserves legally required evidence such as consent and audit records, and that some records may be retained where the business is legally required to keep them.
- We will not discriminate against you for exercising privacy rights.
- We do not sell personal information or process it for targeted advertising or profiling with legal effects, so there is nothing to opt out of under state "sale/sharing" provisions, and we do not respond to browser "Do Not Track" signals (there is no tracking to disable). We treat universal opt-out signals (such as Global Privacy Control) the same way: since we do not sell or share data for advertising, no additional action results from the signal.
12. Children
The Service is a business tool and is not directed to children. We do not knowingly collect personal information from children under 13, and business customers must be at least 18. If you believe a child's information has been provided to us, contact team@inyeon.dev and we will delete it.
13. Changes to This Policy
We may update this policy from time to time. We will post the updated version with a new effective date and, for material changes affecting our customers, provide notice by email or in the dashboard at least 30 days before the change takes effect. Your continued use of the Service after the effective date constitutes acceptance.
Inyeon LLC · New York, USA Privacy contact: team@inyeon.dev
© 2026 Inyeon LLC. All rights reserved.