Privacy Policy

Last Updated: May 20, 2026

Ziviro LLC ("Ziviro," "we," "us," or "our") is a Pennsylvania limited liability company that operates the website getziviro.com (the "Site") and provides done-for-you automation services for local service businesses (the "Services"). This Privacy Policy describes how we collect, use, disclose, retain, and protect information when you visit our Site, interact with our Services, or otherwise communicate with us. It applies to two categories of individuals:

• End Users / Consumers — individuals who call, text, or otherwise interact with a business that uses Ziviro's automation platform.
• Business Clients — business owners and authorized representatives who subscribe to Ziviro's Services.

By using our Site or Services, you acknowledge that you have read and understood this Privacy Policy. If you are a Business Client, your use of our Services is also governed by our Terms of Service and any applicable service agreement.

1. Information We Collect

We collect information in three ways: directly from you, automatically through technology, and from our Business Clients.

1.1 Information Provided Directly

• Contact information: Name, phone number, email address, and service address provided during phone calls, SMS conversations, website forms, chat widgets, scheduling links, or onboarding.
• Appointment information: Dates, times, service type, location, and scheduling preferences collected through our AI voice agents, SMS automation, or online booking tools.
• Communication content: The full content of voice calls (including recordings and AI-generated transcripts), SMS text messages and AI-generated replies, website live chat messages, and emails exchanged through or related to our platform.
• Form submissions: Any information you voluntarily submit through our website contact forms, onboarding questionnaires, discovery chat, booking pages, or chat widgets — including your name, phone number, email, business name, trade or industry, service needs, differentiators, and any free-text responses.
• Feedback and reviews: Responses to post-service review requests, satisfaction surveys, or support inquiries.

1.2 Information Collected Automatically

• Website usage data: IP address, browser type, operating system, device identifiers, screen resolution, pages visited, referring URL, time spent on pages, scroll depth, and clickstream data — collected via Cloudflare Analytics (see Section 10).
• Call and SMS metadata: Call timestamps, call duration, caller ID, called number, missed-call logs, voicemail status, message delivery status, message read receipts (where available), opt-in/opt-out status, carrier name, and message segment count.
• AI interaction data: Voice agent conversation flows, intent classifications, booking outcomes, escalation triggers, and AI confidence scores generated during automated interactions.
• Portal usage data: Login timestamps, pages viewed, features accessed, and session duration within the Ziviro client portal.

1.3 Information Received from Business Clients

Our Business Clients may provide us with information about their customers ("End-User Data") in order for us to perform Services on their behalf, including customer names, phone numbers, email addresses, service history, appointment records, estimate/invoice status, and past-due balances. In this capacity, Ziviro acts as a data processor on behalf of the Business Client (the data controller). Our processing of End-User Data is governed by our service agreement with the Business Client and applicable law.

1.4 Information from Public Sources

For lead generation and enrichment services, we may collect publicly available business information from sources including Google Maps, Google Business Profiles, public business directories, and publicly accessible business websites. This information may include business name, address, phone number, website URL, Google rating, review count, business category, and hours of operation. Website content may be accessed using automated tools for the purpose of generating business profiles and AI-powered prospect research.

2. Business Client Information and EIN Disclosure

When a business subscribes to Ziviro's Services, we collect additional business-specific information necessary to configure, register, and operate our platform on your behalf. This information includes:

• Business identity: Legal business name, DBA (if applicable), business address, business phone number, and business email address.
• Employer Identification Number (EIN): We collect your federal EIN (also known as a Federal Tax Identification Number) as required by Twilio and telecommunications carriers for A2P 10DLC campaign registration. A2P 10DLC is a carrier-mandated registration framework that requires businesses sending application-to-person (A2P) SMS messages to register their brand and messaging campaigns with The Campaign Registry (TCR). Your EIN is submitted to Twilio and TCR solely for this regulatory registration and is not used for tax reporting, credit checks, marketing, or any other purpose.
• Business owner information: Owner name, personal phone number, and personal email for account management, escalation notifications, and emergency contact.
• Business website URL: Used for brand verification during A2P registration, AI agent configuration, and automated website analysis for onboarding.
• Google Business Profile information: Business category, hours of operation, service areas, Google rating, review count, and reviews — used to configure AI agents and automation workflows.
• Customer lists: Contact lists provided by you for SMS campaigns (such as review generation, estimate follow-up, lapsed customer re-engagement, or seasonal campaigns). You represent and warrant that you have obtained all necessary consents from individuals on these lists prior to providing them to Ziviro.
• Financial information: Billing address and payment method for invoicing and subscription management. We do not store credit card numbers directly; payment processing is handled exclusively by Stripe (see Section 7).
• Operational preferences: Business hours, holiday closures, service offerings, pricing, scheduling availability, preferred communication channels, and other operational details used to configure AI voice agents, SMS automation, and workflow logic.

EIN security: Your EIN is stored securely, encrypted at rest, transmitted only to Twilio and The Campaign Registry for A2P 10DLC registration, and is never sold, shared with third parties for marketing purposes, displayed in any client-facing portal, or used for any purpose other than telecommunications compliance registration.

3. How We Use Your Information

We use the information we collect for the following purposes:

• Service delivery: Operating AI voice receptionists, missed-call text-back, AI-powered SMS conversations, appointment scheduling and reminders (confirmations, 24-hour, and 1-hour), review generation requests, estimate follow-up drip sequences, lapsed customer re-engagement campaigns, invoice payment reminders, seasonal promotional campaigns, website live chat, lead scraping and enrichment, and other automation workflows on behalf of Business Clients.
• A2P compliance: Registering Business Client brands and messaging campaigns with carriers via Twilio and The Campaign Registry (TCR), which requires submission of business identity information including EIN.
• Communication: Responding to inquiries, sending transactional messages (booking confirmations, system alerts), and communicating with Business Clients about their accounts, services, and system status.
• CRM and pipeline management: Storing and managing contact information, interaction history, lead scores, and deal stages in our CRM system to facilitate sales and client relationship management.
• Analytics and reporting: Generating performance reports, call analytics, lead conversion metrics, and ROI dashboards for Business Clients through the client portal.
• AI improvement: Analyzing interaction patterns and system performance in anonymized or aggregated form to improve our AI models, voice agents, conversation flows, and overall service quality.
• Security and fraud prevention: Detecting, preventing, and addressing fraud, abuse, spam, and security incidents — including call screening, opt-out enforcement, and access token validation.
• Legal compliance: Meeting legal obligations, responding to lawful data requests, enforcing our Terms of Service, and maintaining records required by telecommunications regulations.

4. Artificial Intelligence Disclosure

Ziviro uses artificial intelligence ("AI") extensively to power our services. We believe in full transparency about how AI processes your information:

4.1 AI Voice Agents (ElevenLabs)

Inbound phone calls are answered by AI voice agents powered by ElevenLabs' conversational AI platform. These agents use speech recognition to understand spoken language, natural language processing to determine intent, and speech synthesis to generate spoken responses. Each agent identifies itself as an AI assistant at the beginning of each call. Voice agents can answer questions, qualify leads, book appointments, provide business information, and escalate to human operators.

4.2 AI SMS Conversations (Anthropic Claude)

Text message responses are generated by Anthropic's Claude language model (Claude Haiku 4.5). When an End User sends an SMS to a Ziviro-powered business number, the AI reads the message, considers the conversation history and the Business Client's configured information, and generates a contextual reply. These responses are fully automated — no human reviews individual messages before they are sent.

4.3 AI Data Processing

AI is used throughout our platform for: call transcript analysis and summarization, lead scoring and qualification, prospect research and business profile generation, contact enrichment from public sources, website content extraction for onboarding, report generation, and workflow decision logic.

4.4 AI Limitations and Human Oversight

AI-generated responses may contain inaccuracies, misunderstand requests, or provide incomplete information. AI decisions are not used to deny services, determine creditworthiness, make employment decisions, or make other consequential automated decisions about End Users. Business Clients maintain ultimate control over their AI agent configuration and are responsible for reviewing AI-assisted outputs. Ziviro monitors AI system performance and intervenes when systematic issues are identified.

5. Voice Communications and Call Recording

Pennsylvania is a two-party (all-party) consent state. Under the Pennsylvania Wiretapping and Electronic Surveillance Control Act, 18 Pa.C.S. § 5704, it is unlawful to intercept, record, or disclose any wire, electronic, or oral communication without the consent of all parties to the communication.

5.1 Recording Disclosure

All AI voice agents operated by Ziviro provide an audible disclosure at the beginning of each call stating that (a) the caller is speaking with an AI assistant, (b) the call may be recorded, and (c) the call may be transcribed for quality assurance and service delivery purposes.

5.2 Consent Mechanism

By continuing the call after the recording disclosure, the caller provides consent to the recording, transcription, and AI processing of the call under 18 Pa.C.S. § 5704(4). Callers who do not consent may disconnect immediately at no penalty. Business Clients provide consent to the recording and transcription of calls handled by Ziviro's AI agents by subscribing to voice-enabled Services.

5.3 Use of Recordings and Transcripts

Call recordings and AI-generated transcripts are used for: appointment verification and confirmation, service quality assurance, dispute resolution, compliance with legal obligations, generating call summaries for Business Client dashboards, and (in anonymized or aggregated form only) AI model improvement. Recordings and transcripts are accessible to the applicable Business Client through the client portal.

5.4 Multi-State Compliance

Ziviro applies Pennsylvania's two-party consent standard as a baseline for all calls, regardless of the caller's location. Business Clients operating in other two-party consent states (including California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, New Hampshire, Oregon, and Washington) are protected by this baseline. Business Clients are responsible for ensuring their own compliance with any additional state-specific recording consent laws applicable to their jurisdiction or their callers' jurisdictions.

6. SMS Communications and TCPA Compliance

6.1 Regulatory Framework

Ziviro operates in compliance with the Telephone Consumer Protection Act of 1991 (TCPA), 47 U.S.C. § 227, the CAN-SPAM Act, all applicable FCC regulations and declaratory rulings governing automated messaging, and CTIA (Cellular Telecommunications Industry Association) messaging guidelines. All SMS campaigns are registered through Twilio's A2P 10DLC program via The Campaign Registry (TCR).

6.2 Consent Requirements

SMS messages are sent only to End Users who have provided prior express consent through one or more of the following mechanisms:

• Initiating a phone call to a Ziviro-powered business number (implied consent for missed-call text-back).
• Submitting a web form that includes SMS consent disclosure (express written consent).
• Texting the business number first (implied consent for conversational reply).
• Being provided as a contact by the Business Client with the Business Client's representation that consent was obtained (Business Client assumes liability for consent validity).

6.3 Message Types

Ziviro sends the following categories of SMS messages on behalf of Business Clients:

• Missed-call text-back: Automated message sent when a call goes unanswered.
• AI conversation replies: Contextual responses generated by AI during an active SMS conversation.
• Appointment confirmations: Confirmation of newly booked appointments.
• Appointment reminders: 24-hour and 1-hour reminders before scheduled appointments.
• Rescheduling messages: Notifications related to appointment changes.
• Review generation: Post-service requests to leave an online review (sent after a configurable delay).
• Estimate follow-up: Multi-touch drip sequences following up on estimates or proposals (typically Day 1, Day 3, Day 7).
• Lapsed customer re-engagement: Outreach to customers who have not engaged in 12 or more months.
• Invoice payment reminders: Payment follow-up messages (typically Day 7 and Day 14 past due).
• Seasonal/promotional campaigns: One-time promotional messages (sent only with Business Client authorization and proper consent).

6.4 Opt-Out

End Users may opt out of SMS communications at any time by replying STOP to any message. Opt-out is processed immediately and irrevocably — the phone number is permanently suppressed from all future messaging campaigns for that Business Client. We also honor UNSUBSCRIBE, CANCEL, END, and QUIT as opt-out keywords. Opt-out records are retained indefinitely to ensure continued suppression. End Users may re-subscribe by texting START.

6.5 Message Content Standards

All automated messages include: the Business Client's business name, a clear purpose for the message, and opt-out instructions. Ziviro does not send unsolicited marketing messages. All promotional or campaign messages require explicit Business Client authorization and verified End User consent.

7. Third-Party Service Providers and Subprocessors

We use the following third-party service providers ("Subprocessors") to deliver our Services. Each processes data only as necessary to provide their respective functions and is subject to their own privacy policies and, where applicable, data processing agreements:

Provider	Function	Data Processed
Twilio	Voice calls, SMS messaging, phone numbers, A2P 10DLC registration, call recording	Phone numbers, call audio, SMS content, call metadata, EIN (for A2P registration), opt-out status
ElevenLabs	AI voice agents, speech synthesis, call transcription	Call audio (real-time streaming), conversation transcripts, caller intent data
Anthropic (Claude)	AI language processing for SMS conversations, lead research, data analysis	SMS message content, conversation history, business profile data, prospect research inputs
GoHighLevel (GHL)	CRM, contact management, deal pipeline, client portal, marketing automation	Contact names, emails, phone numbers, company info, deal stages, interaction history, lead scores
Stripe	Payment processing, subscription billing, invoicing	Billing address, payment method tokens, transaction history, subscription status
Google Calendar	Appointment scheduling and calendar management	Appointment dates/times, attendee names, service type, location, calendar event details
Cal.com	Online booking and scheduling links	Booker name, email, phone, selected time slot, booking notes
n8n	Workflow automation and orchestration	All data flowing through automated workflows (processed in transit; data stored in n8n data tables includes lead records and opt-out lists)
Cloudflare	Website hosting (Pages), DNS, CDN, DDoS protection, web analytics	IP addresses, HTTP request headers, page URLs, geographic location (country/region level)
Firecrawl	Website content extraction for prospect research and onboarding	Publicly accessible website URLs and page content (business information only)
Google Workspace (Gmail)	Business email communications, notifications, reports	Email addresses, email content for system notifications and client communications
Google Drive	Document storage for contracts, templates, and internal files	Business documents, contracts, internal operational files

We require all Subprocessors to maintain appropriate security measures and to process personal data only in accordance with our instructions and applicable law. We do not permit Subprocessors to use personal data for their own marketing or unrelated purposes.

8. Data Sharing and Disclosure

We do not sell personal information. We do not share personal information with third parties for their own direct marketing purposes. We may share information in the following limited circumstances:

• With Business Clients: End User interaction data (calls, transcripts, messages, bookings, lead scores) is shared with the respective Business Client whose number was contacted or on whose behalf the interaction occurred.
• Service providers / Subprocessors: As described in Section 7, solely to the extent necessary to provide our Services.
• Legal requirements: When required by law, regulation, subpoena, court order, or governmental request. We will attempt to notify affected parties when legally permitted to do so.
• Protection of rights: When we believe in good faith that disclosure is necessary to protect our rights, enforce our Terms of Service, investigate fraud, or protect the safety of any person.
• Business transfers: In connection with a merger, acquisition, reorganization, or sale of assets, personal information may be transferred as a business asset. We will provide notice and, where required, obtain consent before personal information becomes subject to a different privacy policy.
• Aggregated or de-identified data: We may share aggregated or de-identified data that cannot reasonably be used to identify any individual, for analytics, benchmarking, or industry research purposes.
• With consent: When you have given explicit, informed consent to share your information for a specified purpose.

9. Data Retention and Deletion

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, and resolve disputes. Specific retention periods are as follows:

Data Type	Retention Period	Basis
Call recordings	90 days	Service delivery; extended upon Business Client request
Call transcripts	12 months	Quality assurance, dispute resolution
SMS conversation logs	12 months from last interaction	TCPA compliance, dispute resolution
Website form submissions	24 months	Lead management, consent records
CRM contact records	Duration of Business Client relationship + 90 days	Service continuity, data portability window
Business Client account data	Duration of service + 30 days	Service delivery, data export window
Billing and payment records	7 years	Tax and legal compliance (IRS requirements)
Opt-out / suppression records	Indefinite	TCPA compliance — required to prevent re-contact
Website analytics data	26 months	Performance analysis
Contracts and service agreements	Duration of service + 6 years	PA statute of limitations for contract disputes

Deletion requests: Business Clients may request deletion of their data and their End Users' data by contacting us at hello@getziviro.com. Deletion requests are processed within 30 days, subject to legal retention requirements. Data that must be retained for legal compliance (such as billing records and opt-out lists) will be retained for the minimum required period and then deleted. We will confirm deletion in writing upon completion.

10. Cookies, Tracking, and Analytics

10.1 Analytics

Our Site previously used the HubSpot tracking script for website visitor analytics. That script has been removed as of May 2026. Our Site currently uses only Cloudflare's server-side analytics (described in Section 10.2 below) and does not employ any third-party client-side tracking pixels or advertising scripts.

10.2 Cloudflare Analytics

As our hosting provider, Cloudflare collects server-side analytics including IP addresses (anonymized), request counts, bandwidth usage, geographic distribution, and threat metrics. Cloudflare's analytics are privacy-focused and do not use client-side tracking or cookies for analytics purposes. For more information, see Cloudflare's Privacy Policy.

10.3 Essential Cookies

We use essential cookies for site functionality, including session management for the client portal and security features (such as Cloudflare Bot Fight Mode and challenge cookies). These cookies are strictly necessary for the operation of the Site and cannot be disabled.

10.4 Your Cookie Choices

You may control non-essential cookies through your browser settings. Disabling cookies may affect certain features of the Site but will not prevent you from accessing core content. We do not use cookies for cross-site advertising or retargeting.

11. Data Security

We implement industry-standard administrative, technical, and physical security measures to protect personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption: TLS 1.2+ encryption for all data in transit. Sensitive data (including EIN) encrypted at rest.
• Authentication: Two-factor authentication (2FA) enforced on all administrative accounts. Client portal access secured with cryptographic token-based authentication.
• Email security: SPF, DKIM, and DMARC (policy: quarantine) configured on all email domains to prevent spoofing and phishing.
• Access controls: Role-based access controls and principle of least privilege applied to all systems and data stores.
• Credential management: API keys and secrets stored in encrypted credential vaults with access logging. No credentials stored in plaintext or source code.
• Infrastructure security: Cloudflare DDoS protection, Web Application Firewall (WAF), Bot Fight Mode, and managed challenge pages on all web properties.
• Webhook security: Randomized webhook paths and HMAC signature verification for incoming API requests where supported.
• Monitoring: Automated error monitoring, workflow execution logging, and daily system health checks.

No method of electronic transmission or storage is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.

12. Data Breach Notification

In the event of a data breach that compromises the security, confidentiality, or integrity of personal information, Ziviro will:

• Investigate the breach promptly and take reasonable steps to contain and remediate the incident.
• Notify affected Business Clients within 72 hours of confirming a breach that affects their data or their End Users' data.
• Notify affected individuals as required by applicable state breach notification laws, including Pennsylvania's Breach of Personal Information Notification Act (73 Pa.C.S. § 2303).
• Cooperate with law enforcement and regulatory authorities as required.
• Provide a written incident report to affected Business Clients detailing the nature of the breach, data affected, remediation steps taken, and measures implemented to prevent recurrence.

13. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Right to access: Request a copy of the personal information we hold about you.
• Right to correction: Request correction of inaccurate or incomplete personal information.
• Right to deletion: Request deletion of your personal information, subject to legal retention requirements.
• Right to opt out: Opt out of SMS, email, or other automated communications at any time.
• Right to data portability: Request your data in a structured, commonly used, machine-readable format (CSV or JSON).
• Right to restrict processing: Request that we limit how we use your personal information in certain circumstances.
• Right to non-discrimination: We will not discriminate against you for exercising any of your privacy rights.

To exercise any of these rights, contact us at hello@getziviro.com or call (267) 656-6998. We will verify your identity before processing your request and respond within 30 days (or within the timeframe required by applicable law). If we need additional time, we will notify you of the reason and the expected response date.

14. State-Specific Privacy Rights

14.1 California (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights:

• Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
• Right to delete: You may request deletion of personal information we have collected, subject to exceptions under Cal. Civ. Code § 1798.105(d).
• Right to opt out of sale/sharing: We do not sell personal information and do not share personal information for cross-context behavioral advertising. No opt-out is necessary, but you may still submit a request.
• Right to correct: You may request correction of inaccurate personal information.
• Right to limit use of sensitive personal information: To the extent we process sensitive personal information, you may request that we limit its use to what is necessary to perform our Services.

To submit a CCPA/CPRA request, email hello@getziviro.com with the subject line "California Privacy Request." We will respond within 45 days.

14.2 Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA)

Residents of Virginia, Colorado, Connecticut, Utah, and Texas have rights to access, correct, delete, and obtain a portable copy of their personal data, as well as the right to opt out of targeted advertising, sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. We do not engage in targeted advertising, sell personal data, or use profiling for consequential decisions. To exercise your rights, contact us at hello@getziviro.com.

14.3 Other States

As additional state privacy laws take effect, we will extend comparable rights to residents of those states. If you are unsure of your rights under your state's privacy law, contact us and we will assist you.

15. Children's Privacy

Our Services are designed for use by businesses and are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If we learn that we have inadvertently collected information from a child under 18, we will delete it promptly. If you believe a child under 18 has provided personal information to us, please contact us at hello@getziviro.com.

16. International Data Transfers

Our Services are operated in the United States. All data is stored and processed in the United States. If you access our Services from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using our Services, you consent to such transfer and processing. We do not currently offer Services outside the United States.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will: (a) update the "Last Updated" date at the top of this page, (b) notify active Business Clients via email at least 30 days before the changes take effect, and (c) post a notice on our Site. Your continued use of the Site or Services after the effective date constitutes acceptance of the revised Privacy Policy.

18. Contact Us

If you have questions about this Privacy Policy, our data practices, or wish to exercise any of your privacy rights, contact us:

• Email: hello@getziviro.com
• Phone: (267) 656-6998
• Mailing Address: Ziviro LLC, Hatfield, PA 19440

For TCPA-related inquiries or SMS opt-out issues, you may also text HELP to any Ziviro-powered business number for assistance.