Privacy Policy

1. Company Information

We provide AI-powered business tools focused on helping small businesses automate communications and manage their online presence.

2. Introduction

At HelloMellon, we take your privacy seriously. We build AI voice agents that answer phones, managed websites that represent your business, and content tools that help you grow. All of these services process information, and we want to be transparent about what happens to that data.

This policy is written in plain English. If you have questions, please email us at [email protected].

3. Scope

This policy applies to:

• Our website hellomellon.io
• Our AI voice agent and call handling platform
• Our managed website hosting and management services
• Our AI-generated content tools and dashboards
• All communications with us via email, phone, or chat

It does not apply to third-party websites linked from our services or to data you process about your own customers using our tools (where you are the data controller and we act as your processor).

4. Information We Collect

We collect information needed to deliver reliable AI services for your business.

Personal Identifiers

• Name, email address, phone number, and billing address
• Account login credentials
• Payment information (processed securely by our payment processor; we do not store full card numbers)

Business Data

• Business name, address, hours, services, pricing, and branding assets
• Website content, customer lists, and CRM data you upload or connect
• Google Calendar, booking, and integration data you authorize

Technical Data

• IP address, browser type, device information, operating system
• Pages visited, features used, time spent, and referring URLs
• Error logs and performance data

Call Recordings and Transcripts

• Audio recordings of calls handled by our AI voice agents
• Transcripts, call summaries, voicemails, and extracted intent (e.g., appointment request)
• Caller phone number, call time, duration, and call outcome

AI Prompts and Outputs

• Text you enter into our AI tools, prompts, instructions, and edits
• AI-generated content, responses, website copy, and suggested replies
• Feedback you provide (thumbs up/down, corrections)

Cookies and Similar Technologies

• Essential cookies for login and security
• Analytics cookies to understand usage (you can opt out)
• Preference cookies to remember your settings

5. How We Collect

• Directly from you when you sign up, build an agent, upload content, or contact support
• Automatically when you use our website or platform (via cookies and logs)
• From callers who interact with your AI voice agent
• From integrations you connect, such as Google Calendar, Gmail, or payment processors
• From service providers like telephony carriers and hosting platforms

6. How We Use Information

• Provide, operate, and maintain your AI voice agents, websites, and content tools
• Process and transcribe calls, schedule appointments, and send confirmations
• Generate, edit, and publish AI content for your business
• Bill you, process payments, and manage your account
• Provide customer support and troubleshoot issues
• Improve and train our AI models (using de-identified or aggregated data only, unless you opt in to sharing more)
• Monitor security, prevent fraud, and enforce our terms
• Comply with legal obligations and respond to lawful requests
• Communicate product updates, security alerts, and administrative messages

We do not use your business content or customer call data to advertise to others or to train third-party foundation models without your permission.

7. AI Processing and Human Review

Our services are powered by AI. This means automated systems process your prompts, business data, and call audio to generate responses, transcripts, and content.

• AI models process data in real-time to run your voice agent and content tools
• Limited human review may occur for quality assurance, abuse prevention, and to improve accuracy — reviewers are bound by confidentiality
• We do not use your personally identifiable customer call content to train public models
• You can request to opt-out of human review for model improvement by emailing [email protected]

8. Call Recording and Consent (Washington Two-Party Consent)

Washington is a "two-party consent" state (RCW 9.73.030). This means all parties to a private conversation must consent to being recorded.

• Our AI voice agents are configured to play an automatic disclosure at the start of calls: "This call may be recorded for quality and training purposes"
• If you use our call handling in Washington or other two-party consent states, you must keep this disclosure enabled
• You are responsible for informing your customers about recording when required by law
• Callers can request that recording stop; our agents are trained to honor these requests
• We retain recordings to provide transcripts, summaries, and to improve service quality

9. Sharing and Disclosure

We do not sell your personal information. We do not sell call recordings, transcripts, or business data.

We share information only as needed with:

• Service providers: Cloud hosting (AWS/Google Cloud), telephony providers (for call routing and recording), payment processors (Stripe), email delivery, analytics, and AI infrastructure providers — all under strict data processing agreements
• Integrations you enable: Such as Google Calendar, Google Business Profile, and other tools you connect — we only share what you authorize
• Legal compliance: When required by law, subpoena, or to protect our rights and safety
• Business transfers: If we are involved in a merger or acquisition, your data would transfer under the same privacy protections

All vendors are required to protect your data and use it only to provide services to us.

10. Data Retention

• Account data: Retained while your account is active and for up to 12 months after closure for legal and financial records
• Call recordings and transcripts: Default retention is 3 months for active accounts, unless you set a shorter period in settings
• AI prompts and outputs: Retained while your account is active to provide history and continuity
• Website content: Retained while we host your managed site
• Logs and analytics: Typically 3 months

You can request deletion at any time. We will delete or anonymize data unless we must keep it for legal reasons.

11. Security Measures

We implement reasonable administrative, technical, and physical safeguards:

• Encryption in transit (TLS 1.2+) and encryption at rest for stored data
• Role-based access controls and multi-factor authentication for our staff
• Segregated production environments and regular backups
• Vendor security reviews and signed data processing agreements
• Monitoring for unauthorized access and vulnerabilities

Data Breach Notification

In the event of a security breach that involves your personal information, we will notify you in accordance with applicable law. For residents of Washington and other applicable jurisdictions, we will provide notice in the most expedient time possible and without unreasonable delay, typically within 30 days of discovery. Notification will be sent via email to the account owner.

If we are acting as a data processor (for example, if the breach affects data handled by your AI voice agent), we will notify you, the business owner, as soon as possible so that you may notify your customers in compliance with your local regulations.

No system is 100% secure. You are responsible for keeping your login credentials safe and for controlling who in your business has access.

12. Your Privacy Rights

Washington State Residents

Under the Washington My Health My Data Act and Washington Privacy Act, you have rights including access, correction, deletion, data portability, and to opt-out of targeted advertising and profiling.

Clarification: HelloMellon is not a health care provider and we do not collect "consumer health data" as defined by Washington's My Health My Data Act for our own purposes. If you use our voice agents to collect health-related appointment information for your business (e.g., a clinic), you are responsible for your own compliance, and we act solely as your processor.

California Residents (CCPA/CPRA)

You have the right to know, access, delete, correct, and opt-out of sale/share of personal information. We do not sell or share personal information for cross-context behavioral advertising. You may also limit the use of sensitive personal information. To exercise rights, email [email protected].

GDPR (European Economic Area and UK)

If you are in the EEA/UK, we process data under lawful bases including contract performance, legitimate interests, and consent. You have rights to access, rectify, erase, restrict, object, and data portability. You may withdraw consent at any time and lodge a complaint with your supervisory authority.

To exercise any rights, contact us at [email protected]. We will verify your identity and respond within 30-45 days.

13. Children's Privacy

Our services are for businesses and are not directed to children under 18. We do not knowingly collect personal information from children. If you believe a child has provided us data, please contact us for deletion.

14. International Data Transfers

HelloMellon is based in the United States. Data is stored and processed in the U.S. If you access our services from outside the U.S., you consent to transfer to the U.S. For EEA/UK transfers, we rely on Standard Contractual Clauses and similar safeguards with our vendors.

15. Changes to Policy

We may update this policy as our services evolve. We will post the new effective date at the top. For material changes, we will email account owners or display a notice in the dashboard. Continued use after changes means you accept the updated policy.