← Back to boltdesk.

Privacy Policy

BoltDesk AI — Operated by BoltDesk LLC

Last Updated: May 17, 2026

1. Introduction

BoltDesk LLC ("BoltDesk AI," "we," "us," or "our") operates the website boltdesk.ai and provides AI-powered front office services including automated call answering, AI chat, lead qualification, appointment booking, follow-up automation, review management, and CRM tools (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard information when you visit our website or use our Service.

This Privacy Policy applies to two categories of individuals:

  • Clients: businesses and authorized users that subscribe to the Service.
  • End Users: individuals who interact with our AI voice agents (callers) or AI chat agents on Client websites, or who otherwise have their personal information processed through the Service on behalf of a Client.

For End User data, the subscribing Client is the data controller and BoltDesk AI acts as the data processor (or "service provider" under U.S. state privacy laws). Our processing of End User data is governed by the Client's instructions and our Data Processing Agreement, available on request to help@boltdesk.ai.

For Client account data, website visitor data, and the limited information BoltDesk collects for its own business operations (billing, marketing, support), BoltDesk AI is the data controller.

By accessing or using the Service, you agree to this Privacy Policy. If you do not agree, please do not use the Service.

Mailing Address: BoltDesk LLC, 30 N Gould St, STE R, Sheridan, WY 82801, USA.

2. Industries We Do Not Serve

BoltDesk AI is not designed for and does not knowingly serve:

  • HIPAA "covered entities" (healthcare providers, health plans, healthcare clearinghouses) or their business associates handling Protected Health Information (PHI). We do not enter into Business Associate Agreements (BAAs).
  • Financial institutions subject to the Gramm-Leach-Bliley Act in connection with consumer financial information processing.
  • Consumer reporting agencies subject to the Fair Credit Reporting Act (FCRA).
  • Educational institutions subject to FERPA in connection with student records.
  • Any business whose use of the Service would require us to enter into a BAA, be subject to PCI-DSS Level 1 obligations beyond standard tokenized payment processing, or be designated a high-risk AI deployer under regulated decision-making frameworks.

Clients warrant in our Terms of Service that they will not transmit PHI, FCRA-regulated consumer reports, FERPA-protected student records, or comparable regulated data through the Service.

If you are uncertain whether your business falls within these categories, contact help@boltdesk.ai before subscribing.

3. Information We Collect

3.1 From Clients

We collect: business name, contact name(s), email address, phone number, physical address, website URL, and industry; payment details processed through a third-party payment processor (we do not store full card numbers); calendar and scheduling data from connected calendar systems; Client-uploaded contact lists for review-request and follow-up purposes; and platform usage data (logins, features used, dashboard interactions, IP address, device/browser info).

3.2 From End Users

When an End User interacts with an AI voice agent or AI chat agent powered by BoltDesk AI, we collect on behalf of the Client: the End User's phone number, call duration, date/time, and the number called; call recordings and transcripts, where recording is enabled (see Section 7); chat messages; any name, contact details, scheduling information, or other content voluntarily provided during the interaction; appointment information; and limited device/browser information for chat interactions.

3.3 Voice Recording and Voice-Based Processing

In the course of recording and processing calls, our service providers temporarily generate or use voice-based features including transcription, speaker labeling within a single call, and voice synthesis output. Neither we nor our primary infrastructure provider extracts, generates, or stores voiceprint embeddings or biometric voice identifiers from call audio, and we do not perform cross-call speaker identification or caller matching at any layer of the Service. Our voice synthesis subprocessor generates outbound audio and does not analyze End User voice for biometric identification.

We do not knowingly extract or store standalone voiceprint embeddings, faceprints, or other biometric identifiers as defined under the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), Washington's biometric law, or comparable laws.

Where applicable law treats voice recordings themselves as biometric information, we handle them subject to the notice and consent requirements of those laws (see Section 8).

3.4 Automatically Collected on Our Website

IP address, browser type, operating system, device type, and cookie data on boltdesk.ai. See Section 10.

4. How We Use Information

4.1 Client Information

We use Client information to: provide and operate the Service; authenticate users and protect accounts; process payments and manage subscriptions; provide customer support and account communications; send transactional and service notifications; analyze and improve the Service (using Client-account-level usage data, not End User content); communicate with Clients about new features, training, and offerings (with the ability to opt out of marketing communications); comply with legal obligations; and prevent fraud and misuse.

4.2 End User Information

We process End User information only on documented instructions from the relevant Client to: enable AI-powered call and chat handling; qualify leads and capture intake data; book appointments; send appointment confirmations, reminders, follow-up communications, and review requests on the Client's behalf; provide call recordings, transcripts, summaries, and analytics to the Client; and comply with legal obligations.

4.3 No Use for Our Own Marketing

We do not use End User personal information for our own marketing, do not target advertising to End Users based on End User data, and do not sell End User personal information.

4.4 AI Model Training and Service Improvement

We do not train our own foundational AI models on End User personal information. Our primary infrastructure provider has confirmed that it does not use customer data to train or fine-tune any foundation models, and has contractual prohibitions with its underlying model providers against such use as well.

Our AI service providers may, in accordance with their own published terms and our agreements with them, use anonymized, deidentified, or aggregated data to maintain and improve their services. We require these providers to apply industry-standard deidentification techniques and to not attempt to re-identify individuals.

AI features within the Service are optional. Clients may decline to enable AI features for some or all of their sub-accounts. A current summary of our service-provider AI-data practices is available on request.

If we ever change this position and use identifiable Service data to train models, we will update this Privacy Policy, notify Clients in advance, and obtain consent or offer an opt-out where required by law.

5. How We Share Information

We do not sell personal information for monetary consideration.

California disclosure: Some standard commercial activities on our marketing website (boltdesk.ai), including the use of analytics and advertising cookies and pixels, may be considered "sharing" of personal information for cross-context behavioral advertising under the California Consumer Privacy Act, even though no money changes hands for the data itself. We honor Global Privacy Control signals and provide an opt-out on request. Within the Service itself (call recordings, transcripts, lead data, etc.), we do not "share" or "sell" End User personal information.

We disclose information only as follows:

  • To the relevant Client. End User data is disclosed to the Client whose phone number, website, or campaign the End User contacted. The Client is the data controller for that data.
  • To service providers and subprocessors. We use third-party providers under written contracts that limit their use of personal information to providing services to us. A current list of subprocessors is available on request and currently includes: HighLevel Inc. (CRM, automation, telephony orchestration, AI features); LeadConnector / Twilio (telephony, SMS, and call recording storage); AI voice and conversational providers as engaged for specific AI features; LLM providers as engaged for specific AI features; Stripe (payment processing for Client billing only); Google, Microsoft, and Apple calendar APIs; our cloud hosting providers; and our transactional email provider. Not all subprocessors are used for every Client; AI-specific subprocessors are engaged only when the Client uses corresponding AI features. We will provide reasonable advance notice of material additions to our subprocessor list (at least 30 days where commercially feasible) and accept reasonable Client objections under the Data Processing Agreement.
  • For legal compliance. Where required by law, regulation, legal process, governmental request, or to enforce our agreements or protect our rights, property, or safety.
  • In a business transaction. In connection with a merger, acquisition, financing, reorganization, sale of assets, bankruptcy, or similar transaction, subject to the acquirer agreeing to honor this Privacy Policy or providing equivalent protections.

6. International Data Transfers

The Service is hosted in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. Where required by law, we rely on appropriate transfer mechanisms (such as the EU-U.S. Data Privacy Framework certification of our service providers, Standard Contractual Clauses, or your consent) for international transfers.

7. Call Recording and Wiretap Compliance

Calls handled by our AI voice agents may be recorded and transcribed for quality assurance, service delivery, and the Client's lawful business purposes. Our system includes a default-on call recording disclosure message that plays at the beginning of each call. Clients may not disable this disclosure without contacting BoltDesk AI and providing written confirmation that an alternative compliant disclosure is in place.

Federal law and the laws of the following U.S. states currently require all parties to a call to consent to recording: California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, and Washington. State law definitions and exceptions vary; some states (including Connecticut and Massachusetts) treat in-person and telephonic recordings differently. Clients are responsible for ensuring their use of recording features complies with all applicable federal, state, and local laws in every jurisdiction where calls may originate or terminate. BoltDesk AI does not provide legal advice on jurisdiction-specific recording requirements.

8. Biometric and Voice Recording Notice

We provide this notice in light of biometric privacy laws including the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act (CUBI), and Washington's biometric law:

  • We have not implemented features that collect, capture, purchase, receive through trade, or otherwise obtain a person's biometric identifiers or biometric information for the purpose of identifying any individual.
  • Voice recordings made through the Service are stored by our telephony subprocessor for the Client's business purposes and are not used by us, by our primary infrastructure provider, or by any subprocessor to create voiceprint databases or perform cross-call biometric identification, as confirmed by our primary infrastructure provider.
  • We contractually require our voice and conversational AI subprocessors to limit use of End User voice data to providing services to us, and to not perform cross-call biometric identification or build voiceprint databases.
  • Retention of voice recordings is governed by Section 11.
  • If our practices ever change such that biometric identifiers are collected, we will provide the written notice and obtain the written consent required by applicable law before any such collection occurs, and we will require Clients to obtain and document such consent from End Users in their jurisdictions.

9. SMS and Email Communications

By providing a phone number or email address to a Client through the Service, an End User may receive appointment confirmations, reminders, follow-ups, and review requests via SMS and/or email from the Client. Each automated message includes opt-out instructions: reply STOP to any SMS to opt out of further SMS, or click the unsubscribe link in any email. Opt-out requests are honored promptly across the Client's account and propagated across all messaging channels for that Client.

Clients are responsible for compliance with the Telephone Consumer Protection Act (TCPA), the CAN-SPAM Act, the Florida Telephone Solicitation Act, and other applicable federal and state communications laws, including obtaining all required prior express written consent before initiating automated calls or texts, and registering for Application-to-Person (A2P) 10DLC where required.

10. Cookies and Similar Technologies

We use cookies and similar technologies on boltdesk.ai for authentication and session management (essential), to remember preferences (functional), to understand site usage (analytics), and to support our marketing on our own site (advertising). Where required by law, we display a cookie consent banner and honor browser-level signals such as the Global Privacy Control (GPC) as a valid opt-out of "sale" or "sharing" of personal information. We do not use cookies or pixels within the Service itself (call recordings, transcripts, etc.).

11. Data Retention

  • Client account information: retained for the duration of the subscription and up to 12 months after closure for record-keeping, dispute resolution, and legal compliance.
  • Call recordings: Call recordings are stored by our telephony subprocessor, not by us directly. Recordings remain accessible for the duration of the Client's subscription. Following Client account closure, our administrative wind-down process initiates the closure of the underlying telephony resources approximately 14 days after sub-account closure, after which recordings remain retrievable for up to 40 additional days before becoming permanently inaccessible. Total time from Client account closure to permanent deletion of recordings is approximately 54 days.
  • Transcripts and chat logs: Retained for the duration of the Client's subscription and deleted within 90 days of Client account closure, subject to the Client's instructions and the underlying platform provider's deletion processes.
  • Lead and contact records: Retained for the duration of the subscription and deleted within 90 days of Client account closure, subject to the Client's instructions and the underlying platform provider's deletion processes.
  • Payment and billing records: retained as required by tax, accounting, and financial regulations (typically seven years).
  • Aggregated/deidentified data: may be retained indefinitely for analytics purposes provided it cannot reasonably be re-identified.

Expedited deletion requests. Where Clients request expedited deletion (for example, to comply with state privacy law response deadlines), we will delete the categories of data within our direct control (account information, contact records, transcripts, chat logs) within 30 days. Call recordings stored by our telephony subprocessor are subject to the wind-down timeline described above and cannot be deleted more quickly without changes to upstream provider behavior. We will use commercially reasonable efforts to initiate the telephony wind-down promptly on request.

12. Data Security

We implement reasonable administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit (TLS), encryption at rest where supported by our service providers, access controls and least-privilege provisioning, multi-factor authentication for our administrative accounts, periodic security reviews, and contractual security requirements with subprocessors. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

13. Data Breach Notification

If we become aware of a security incident affecting Client or End User personal information, we will notify the affected Client without undue delay and in any event within 72 hours of confirmation, with the information reasonably available at that time, and will cooperate with the Client to meet the Client's legal notification obligations to End Users and regulators. Where an upstream provider notifies us later than 72 hours, we will notify Clients as soon as we are notified.

Clients agree to provide accurate and current contact information for incident notifications.

14. Children's Privacy

The Service is not directed to children. We do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16, we will delete that information promptly. Clients agree not to use the Service in connection with services directed to children.

15. Your Privacy Rights

Subject to verification and applicable law, you may have the right to access, correct, delete, restrict or object to processing of, and obtain a portable copy of, the personal information we hold about you, and the right not to be discriminated against for exercising your rights. To exercise rights, contact help@boltdesk.ai or use any in-product mechanism we provide. We will respond within the timeframe required by applicable law (generally 30 to 45 days). If you are an End User, please contact the relevant Client first; we will assist the Client in responding.

15.1 California (CCPA/CPRA)

California residents have the rights described in this section, plus:

  • The right to know the categories and specific pieces of personal information collected, the purposes, the categories of sources, and the categories of third parties with whom information is disclosed.
  • The right to delete personal information, subject to exceptions.
  • The right to correct inaccurate personal information.
  • The right to opt out of "sale" or "sharing" for cross-context behavioral advertising. Within the Service, we do not sell or share personal information; on our marketing website (boltdesk.ai) we may "share" via advertising/analytics cookies and you may opt out by emailing help@boltdesk.ai or using GPC.
  • The right to limit the use and disclosure of sensitive personal information, including audio recordings.
  • The right to non-discrimination for exercising rights.
  • The right to designate an authorized agent to make requests on your behalf, with appropriate verification.

We honor opt-out preference signals (including GPC) where required by law.

15.2 Other U.S. States

Residents of states with comprehensive privacy laws — including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Delaware, New Jersey, Tennessee, Minnesota, Maryland, New Hampshire, Nebraska, Indiana, Kentucky, Rhode Island, and any others as those laws come into force — have rights similar to those described above, as well as the right to appeal any denial of a request. Appeals may be submitted to help@boltdesk.ai.

15.3 EEA, UK, and Switzerland

Where the GDPR or comparable laws apply, the lawful bases for our processing are: performance of a contract; legitimate interests (operating and securing the Service); compliance with legal obligations; and, where required, consent. You have the right to lodge a complaint with your local supervisory authority.

16. Industry-Specific Acknowledgments

If you are a Client in a regulated industry, additional limitations apply:

  • Law firms: You are responsible for compliance with attorney advertising rules, state bar ethics requirements, conflict-of-interest screening, and Model Rule of Professional Conduct 1.6 (or your state analog) regarding confidentiality of client information. The Service is not designed to receive privileged communications, and we make no representation that AI-handled calls preserve attorney-client privilege.
  • Healthcare: Not permitted as a Client (see Section 2).
  • Consumer credit / debt collection: Use of the Service for activities regulated by the FDCPA or for consumer credit decisioning requires a separate written agreement with us.

17. Third-Party Links

Our Service and website may contain links to third-party sites. We are not responsible for the privacy practices of third parties.

18. Changes to this Privacy Policy

We may update this Privacy Policy. We will post the revised policy with a new "Last Updated" date and, for material changes affecting Clients, notify Clients by email at least 30 days before the changes take effect. Continued use after the effective date constitutes acceptance.

19. Contact Us

BoltDesk LLC
Mailing Address: 30 N Gould St, STE R, Sheridan, WY 82801, USA
Email: help@boltdesk.ai
Website: boltdesk.ai