How we collect, use, share, and protect your information.
Version 2026-06-05 · Effective:
Pending licensed-attorney review.
1. Introduction & Scope
This Privacy Policy explains how A&S AI Solutions LLC d/b/a Olynx ("Olynx," "we," "us," or "our") collects, uses, shares, and protects personal information in connection with the Olynx platform, websites at olynxai.com and tenant-branded subdomains, AI features (Olli, Olynx Studio, Smart Pulse, voice agents, lead-capture, RAG-grounded chat), the Included Website service operated with our Design Partner A&S AI Solutions, and any related products or services (collectively, the "Services").
This Policy applies to:
(a) "Customer Account Data" — information about the contracting businesses, owners, and employees who subscribe to Olynx as paying customers ("Customers"), for which Olynx acts as an independent controller; and
(b) "End Customer Data" — information about the homeowners, property managers, commercial clients, leads, and other end users whom our Customers serve through the Services, for which Olynx acts as a service provider / processor on the Customer's behalf.
This Policy does not govern (i) information our Customers collect outside the Services, (ii) third-party websites linked from the Services, or (iii) information processed by our Customers using the Services in their independent capacity. Customers are responsible for their own privacy practices and notices toward their end users.
By using the Services, you acknowledge the practices described here. If you do not agree, do not use the Services. This Policy is incorporated by reference into the Olynx Terms of Service.
2. Who We Are; Controller / Processor Framing
Olynx is operated by A&S AI Solutions LLC, a Delaware limited liability company. We are a US-only company serving US-only businesses and their US-based end customers.
Controller vs. Processor. The Services involve two distinct flows of personal information, which determine our legal role:
Customer Account Data — Olynx is the controller. We decide what information we need from Customers (contracting businesses and their staff) to operate, bill for, secure, and improve the Services. Categories include account credentials, billing identifiers, business profile data, support communications, telemetry from contractor-side use of the Services, and identifiers tied to Customer staff who sign in. The legal bases (for users protected by state laws with that concept) are contract performance, legitimate interests in operating a SaaS platform, and consent where required.
End Customer Data — Olynx is a service provider (CCPA/CPRA), processor (VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, MTCDPA), and a Business Associate only if a Business Associate Agreement is executed (none is signed today; the Services are not HIPAA-cleared). Our Customers determine what End Customer Data is collected and why; we process it under their instructions, the Terms, and any Data Processing Addendum.
This Policy treats both categories together for transparency, but the legal obligations attached to each differ. Where they materially diverge, we say so.
3. Categories of Personal Information We Collect
Identifiers — name, email address, phone number (E.164 normalized), postal address, business name, business address, EIN where voluntarily provided, IP address, device identifiers, browser fingerprint approximations (limited), unique account IDs, OAuth tokens (Google, where the Customer connects Gmail or Calendar).
Customer records (Cal. Civ. Code §1798.80(e)) — billing name and contact, payment-method last-four and brand (Stripe holds the full instrument; we do not), Stripe customer/subscription IDs, bank routing identifiers only where required for payouts via Stripe Connect.
Commercial information — subscription tier (Founders or Standard), purchase history, refund history, products and services configured, estimates, proposals, invoices, contract documents, materials and labor pricing snapshots, takeoff measurements, and related contracting work product.
Internet/network activity — pages viewed, features used, session timestamps, click and form-submission events, error and performance telemetry, referring URLs, and similar usage analytics from the Olynx app.
Geolocation — approximate location derived from IP, and precise location only where the Customer or End Customer explicitly enters or selects an address via the Google Maps integration (used for routing, takeoff calibration, and dispatch).
Audio, electronic, visual, and sensory information — uploaded photos and PDFs (job-site photos, blueprints, scanned documents), uploaded audio for transcription, voice-agent call audio and transcripts (only where a Customer enables the voice agent and the End Customer is on a live call with it), and video frames captured in the takeoff and Studio features.
Professional or employment information — Customer-staff roles, job titles, crew assignments, license numbers and trade certifications where the Customer chooses to store them, scheduling and shift data.
Inferences — derived signals such as Smart Pulse health scores, lead qualification scores, churn-risk indicators, AI-generated summaries of proposals or chats, suggested next actions. These inferences are produced from the categories above and are treated as personal information.
Authentication and security data — hashed passwords, session tokens (handled by Supabase Auth and ES256-signed JWTs), MFA factors where enabled, audit-log entries describing security-sensitive actions.
We do not knowingly collect Sensitive Personal Information as defined by the CPRA. We do not knowingly collect data from anyone under 18. We do not sell personal information for monetary consideration. We do not "share" personal information for cross-context behavioral advertising as defined by the CPRA, except as described in §8 (marketing pixel on public pages).
4. Sources of Personal Information
Directly from Customers — when a Customer signs up, completes onboarding, configures the workspace, uploads materials, sends proposals, runs estimates, configures their Included Website, or contacts support.
Directly from Customer staff — when an invited team member accepts an invitation, completes their profile, or uses the Services in the course of their work for the Customer.
Directly from End Customers — when an End Customer interacts with a Customer's Olynx-hosted Included Website, fills out a lead-capture form, signs a proposal or contract via the e-sign flow, pays an invoice through Stripe Connect, replies to a Customer's outbound SMS or email sent through the Services, speaks with a voice agent the Customer has deployed, or uses the client portal at /my.
From third-party platforms with Customer authorization — Google (Gmail sending, Calendar syncing, Maps Platform when an address is geocoded), Stripe (payment events, subscription status, payout status), the Customer's own CRM imports (CSV uploads), and the Design Partner's website-build pipeline.
From cookies and similar technologies — see §8.
From service providers and infrastructure — log data from Vercel, Supabase, and other infrastructure described in §6, generated automatically as a byproduct of running the Services.
From publicly available sources — limited business registry and address validation lookups during onboarding (sourced via the Maps Platform).
We do not buy personal information from data brokers.
5. Purposes for Which We Use Personal Information
Service delivery — creating and maintaining accounts, authenticating users, provisioning tenants, configuring features, generating and rendering estimates and proposals, executing electronic signatures under the ESIGN Act and UETA, processing payments through Stripe Connect, sending Customer-initiated SMS and email through Twilio and Resend, operating the voice agent through LiveKit and OpenAI Realtime, and delivering the Included Website.
AI features — running prompts through our model providers (see §7) to generate drafts, suggestions, summaries, lead-qualification scores, transcriptions, voice responses, and other AI outputs. AI features are off by default for high-sensitivity flows and are explicitly enabled by the Customer; per-user consent applies to local on-device AI.
Billing and financial operations — charging subscription fees, applying coupons, processing refunds, generating invoices, recording bookkeeping entries, and reporting taxes where required.
Security, fraud prevention, and abuse detection — monitoring sign-in patterns, throttling abuse, investigating suspicious activity, defending against bots and credential stuffing, and responding to incidents.
Product analytics and improvement — measuring feature use to decide what to build, fix, and prioritize. We do not use End Customer Data for model training; see §7.
Customer support — answering tickets, debugging issues, replaying user flows where the user has triggered a session-replay event (none enabled today; we will update this Policy before enabling).
Legal and compliance — complying with subpoenas, court orders, tax laws, anti-money-laundering rules tied to Stripe Connect, ESIGN/UETA record retention, TCPA/CAN-SPAM consent ledgers, two-party-consent recording laws, and state privacy statutes.
Internal management — vendor management, audit, insurance, corporate transactions, and other ordinary business operations.
6. Sharing & Sub-Processors
We share personal information only with the parties below, only for the purposes described, and only under written contracts that impose confidentiality and security obligations consistent with applicable law.
Infrastructure and hosting
• Vercel Inc. — application hosting, edge runtime, CDN. US-based.
• Supabase Inc. — primary database, authentication, file storage, edge functions, realtime. US region.
Payments and financial
• Stripe, Inc. — Stripe Connect platform, subscription billing, payment intents, customer billing portal, payouts. Stripe is an independent controller for its own fraud and risk purposes.
Communications
• Twilio Inc. — outbound and inbound SMS, A2P 10DLC registration, voice telephony where used.
• Resend Inc. — transactional email delivery.
• Google LLC — Gmail API, Calendar API, Maps Platform, Google OAuth for sign-in.
• Meta Platforms, Inc. — WhatsApp Business and Messenger lead-capture (when Customer enables), Meta advertising pixel on marketing pages (see §8).
AI providers
• Google LLC (Vertex AI / Gemini) — prompt and output processing for Gemini-family models.
• OpenAI, L.L.C. — GPT-family models, gpt-realtime-2 for the live voice agent, Whisper transcription where applicable. Zero-Data-Retention is asserted at the platform level where supported by the provider.
• Anthropic, PBC — Claude-family models used in selected Olli orchestrator paths.
• Cartesia, Inc. — voice synthesis for the Olli voice persona.
• LiveKit, Inc. — real-time audio transport for the voice agent.
• IBM Corporation (Granite 4.0 1B) — runs locally in the user's browser via consent-gated on-device inference.
Design Partner
• A&S AI Solutions LLC — Olynx's operator and the Design Partner that builds and hosts the Included Website.
Other recipients
• Professional advisors — outside counsel, auditors, and insurers, under professional confidentiality.
• Corporate transactions — in connection with a merger, acquisition, financing, reorganization, or asset sale.
• Legal process — government authorities, courts, and other parties where required by law.
We do not sell personal information. We do not share personal information for cross-context behavioral advertising as defined by the CPRA, except via the Meta pixel on marketing pages (see §8). The list above is current as of the Effective Date.
7. AI Processing
Olynx uses AI extensively. We want you to understand exactly how.
Where prompts go. When you use an AI feature, the text, image, or audio you submit (the "Prompt") plus selected context from your workspace is sent to one of the AI providers listed in §6 (Google Vertex/Gemini, OpenAI, Anthropic, Cartesia, LiveKit). The provider processes the Prompt and returns an output ("AI Output"). The Prompt and AI Output transit our infrastructure on the way to and from the provider.
No training on Customer Content. We do not use Customer Account Data or End Customer Data to train, fine-tune, or improve Olynx-owned or third-party foundation models. We rely on the providers' enterprise / API terms — including Zero-Data-Retention configurations where the provider supports them — to ensure providers do not train their general models on data we route through their APIs.
On-device AI (Granite). The IBM Granite 4.0 1B model runs locally in your browser via WebGPU. When you use Granite-powered features, the model weights are loaded to your device and inference happens on your hardware. Prompts and outputs do not leave your device for Granite, except for limited cumulative usage telemetry (event counts, latency, error rates — no Prompt content).
AI Grounding Knowledge Base. To reduce model hallucination on factual questions, Olynx maintains a curated reference corpus consisting of (a) U.S. federal, state, and local statutes, regulations, agency guidance, and other government-authored materials, and (b) summaries, paraphrases, and excerpts of widely-adopted technical and building codes used solely as Retrieval-Augmented Generation ("RAG") context. This corpus is not Customer Content, is not used to train Olynx-owned or third-party foundation models, and is not legal, tax, engineering, or professional advice. AI outputs grounded in this corpus may be inaccurate, incomplete, or out of date; you are solely responsible for verifying any code, regulatory, or legal output against the current official source before relying on it.
AI is not advice. AI Outputs from Olynx are not legal advice, tax advice, engineering judgment, professional licensure-bearing work, medical advice, or financial advice. Estimates, proposals, code references, and regulatory summaries produced by AI are starting points, not authoritative answers. You must independently verify any output before relying on it.
Human review of AI Outputs. Olynx employees do not routinely review individual Prompts or AI Outputs. We may review aggregated metrics, sampled outputs (de-identified where feasible) for safety and quality, and specific Prompts in response to abuse reports, support tickets, or legal process.
Consent gates. Several AI features — including on-device AI weight download and the voice agent — require explicit per-user consent before they run. You can withdraw consent at any time in account settings.
8. Cookies, Analytics, and Tracking Technologies
Strictly necessary — sign-in sessions (Supabase Auth ES256 JWTs, session cookies), CSRF protection, tenant resolution from the request host, and security throttling. These cannot be disabled while using the Services.
Functional — remembering your locale (en/es), accessibility preferences, last-used workspace, and similar interface state. These improve usability but the Services work without them.
Analytics and performance — limited first-party measurement of feature usage, error rates, and performance.
Marketing — on the public marketing pages at olynxai.com (not inside the authenticated app), a Meta advertising pixel may load to measure ad campaign performance and build look-alike audiences for Olynx's own contractor-recruiting ads. This is the only category that could plausibly involve "sharing" for cross-context behavioral advertising under CCPA/CPRA. Today, our marketing pages do not present a pre-load consent gate, and we honor opt-out only through provider-level controls; we are actively working to add a consent banner and a server-honored Global Privacy Control signal handler. Until that ships, you may opt out of Meta tracking via your browser controls and Meta's own ad preferences.
Do Not Track and similar signals. Our current systems do not respond to legacy browser DNT headers. Our handling of the Global Privacy Control signal is described in §12.
You can clear or block cookies in your browser. Blocking strictly necessary cookies will break sign-in.
9. Data Retention
Active accounts. While your account or your Customer's account is active, we retain the personal information needed to operate the Services.
After cancellation or termination — Customer Account Data. We retain Customer Account Data for thirty (30) days after cancellation or termination to allow reactivation, export, and dispute handling, and we may retain billing and tax records for up to seven (7) years to comply with financial recordkeeping laws.
After cancellation or termination — End Customer Data. Olynx returns or deletes End Customer Data on the Customer's instructions following termination, subject to a reasonable wind-down window described in the Terms. If the Customer does not issue instructions, we delete End Customer Data within ninety (90) days of termination, except for records we are legally required to retain.
E-signed records. Executed contracts, proposals, and signature audit trails are retained for the duration legally required (generally seven years) regardless of account status.
Backups. Encrypted backups roll off on the schedule set by our infrastructure providers; deletion from primary stores may take up to thirty (30) days to fully propagate through backups.
Aggregated and de-identified data. We may retain aggregated or de-identified data that cannot reasonably be used to identify any individual, indefinitely, for product analytics and reporting.
10. Security
We take security seriously, and we want to describe what we actually do — not what sounds impressive in a privacy policy.
What is in place today:
• Transport. All traffic between your browser or device and Olynx flows over HTTPS/TLS.
• Authentication. Sign-in is mediated by Supabase Auth using ES256-signed JSON Web Tokens, with session refresh and revocation. Optional multi-factor authentication is available for Customer admin accounts.
• Tenant isolation. The application enforces tenant boundaries through PostgreSQL Row Level Security policies and server-side authorization checks.
• Storage. Personal information is stored in managed services operated by Supabase and Vercel, which apply their own platform-level encryption-at-rest and access controls. We rely on these providers' representations.
• Secrets. Production secrets are held in our deployment platform's secret store and rotated on discovery of exposure.
• Logging and monitoring. We log security-sensitive events to audit tables and to our infrastructure providers' log systems.
• Least privilege. Database roles, edge function privileges, and SECURITY DEFINER routines are reviewed regularly.
What is not in place today, that we want you to know:
• We do not currently offer customer-managed encryption keys (CMEK / BYOK).
• We do not yet have SOC 2, ISO 27001, HITRUST, PCI-DSS Level 1, or HIPAA attestations. Stripe handles PCI scope on our behalf for cardholder data.
• We do not yet operate a 24/7 security operations center; incident response is on-call.
Breach notification. If we determine that a security incident has resulted in the unauthorized acquisition of personal information that triggers a notification duty under state law, we will notify affected individuals, our Customers (where the affected data is End Customer Data they control), and applicable regulators within the statutory window — without unreasonable delay.
No system is perfectly secure. Even with the controls above, breaches can happen. We focus on minimizing the blast radius and being honest when something goes wrong.
11. Your Privacy Rights by State
California — CCPA / CPRA. You have the right to know, delete, correct, opt out of "sale" or "sharing" for cross-context behavioral advertising, limit use and disclosure of Sensitive Personal Information, non-discrimination, and data portability. We do not sell personal information for monetary consideration. Our handling of cross-context behavioral advertising on marketing pages is described in §8 and §12.
Virginia — VCDPA. You have the right to confirm processing, access, correct, delete, port, and opt out of targeted advertising, sale, and profiling with significant legal effects. You may appeal a denial.
Colorado — CPA. You have the right to access, correct, delete, port, and opt out of targeted advertising, sale, and certain profiling. Colorado requires recognition of universal opt-out mechanisms — see §12.
Connecticut — CTDPA. You have the right to access, correct, delete, port, and opt out of targeted advertising, sale, and profiling. Universal opt-out mechanisms must be honored — see §12.
Utah — UCPA. You have the right to access, delete, port, and opt out of targeted advertising and sale. UCPA does not provide a right to correct or to appeal.
Texas — TDPSA. You have the right to access, correct, delete, port, and opt out of targeted advertising, sale, and profiling. You may appeal a denial.
Oregon — OCPA. You have the right to access, correct, delete, port, and opt out of targeted advertising, sale, and profiling.
Montana — MTCDPA. You have the right to access, correct, delete, port, and opt out of targeted advertising, sale, and profiling.
End Customer requests. If you are an End Customer of one of our Customers (e.g., a homeowner contacted by a contractor using Olynx), the contractor is the controller of your data. We will refer your request to the relevant Customer and assist them in responding.
12. Global Privacy Control and Universal Opt-Out Signals
California, Colorado, and Connecticut require businesses to honor browser-level "Global Privacy Control" (GPC) and similar universal opt-out signals as a valid request to opt out of the sale or sharing of personal information for cross-context behavioral advertising.
Current status. Olynx's authenticated application does not engage in "sale" or "sharing" of personal information for cross-context behavioral advertising. Our marketing pages, however, currently load a Meta advertising pixel without a pre-load consent gate, and our servers do not yet read the Sec-GPC request header. We are implementing GPC handling and will update this Policy once that work is live.
Target. We commit to honoring GPC signals across our marketing surface no later than September 30, 2026. Inside the authenticated app, where no "sale" or "sharing" occurs, GPC will be logged but is not operative.
How to opt out today. Until GPC handling ships, you may opt out of Meta tracking through your browser's tracking-protection settings, your browser extensions, and Meta's own ad preferences. You may also email privacy@olynxai.com to record a manual opt-out tied to your account, which we will honor server-side from the moment we process the request.
13. Children
The Services are not directed to children. We do not knowingly collect personal information from anyone under eighteen (18) years of age, and we do not knowingly market the Services to minors. If you believe a child has provided us personal information, contact privacy@olynxai.com and we will delete it. The Services are not designed for COPPA-covered uses.
14. International Transfers
Olynx is a US-only company serving US-only businesses and their US-based end customers. The Services, including all primary data storage and the majority of processing, are operated in the United States.
We are not designed, marketed, or contractually configured for use by, or to process the personal information of, individuals in the European Union, the United Kingdom, Switzerland, Brazil, Canada, China, or other jurisdictions with foreign-transfer regimes. We do not offer Standard Contractual Clauses or equivalent cross-border transfer mechanisms.
If you access the Services from outside the United States, you do so on your own initiative and at your own risk, and you consent to the transfer of your personal information to the United States and to its processing under US law.
15. Data Subject Request Process
How to submit a request. Email privacy@olynxai.com with the subject line "Privacy Request — [Type]" where [Type] is one of: Access, Correct, Delete, Port, Opt-Out, Limit Use of Sensitive PI, Appeal, or Other. Include enough information for us to identify your account.
Verification. We will verify your identity through information already associated with your account, an authenticated sign-in challenge, or, where necessary, additional information reasonably required to confirm you are the person whose data is at issue. Authorized agents may submit on your behalf with verifiable written authorization.
Timing. We will acknowledge receipt of your request within ten (10) business days. We will substantively respond within forty-five (45) days, extendable by an additional forty-five (45) days where reasonably necessary, with notice to you of the extension.
Fees. We do not charge a fee for the first request from a given individual in any twelve-month period. We may charge a reasonable fee for, or refuse, requests that are manifestly unfounded or excessive.
Denials. If we deny a request in whole or in part, we will tell you why and how to appeal under your state's law.
End Customer requests. If you are an End Customer of one of our Customers, we will route your request to the relevant Customer (the controller) and assist them in responding. You may also contact the Customer directly.
16. Data Deletion
You may request deletion of your personal information at any time. We commit to completing verifiable deletion requests within forty-five (45) days of identity verification, subject to the legal-hold exceptions in §9.
Self-service deletion. We are building an in-app self-service deletion control. Until it is fully operational, you may submit deletion requests by emailing privacy@olynxai.com. We will not refuse a deletion request because the in-app control is not yet live.
What "deletion" means. Verified deletion removes your personal information from the primary stores Olynx operates within the response window. It propagates through encrypted backups within an additional sixty (60) days as backups roll off. Records subject to a legal retention obligation (see §9) are retained for the period required by law and then deleted.
A registered agent postal address will be added in a future amendment.
We aim to acknowledge privacy emails within ten (10) business days. Urgent security matters should also be copied to security@olynxai.com.
You may also contact the privacy regulator in your state.
18. Changes to This Policy
We may update this Policy from time to time. The "Effective Date" at the bottom indicates the date of the most recent revision. We will not retroactively apply a materially-less-protective version of this Policy to personal information already collected.
For material changes, we will provide at least thirty (30) days' advance notice by email to account administrators, by an in-app banner, and by updating the "Effective Date" with a clear "Materially updated" callout.
For non-material changes (typos, clarifications, sub-processor list refreshes that do not expand purposes, contact-information updates), we will simply update the Effective Date.
Your continued use of the Services after the Effective Date of an update constitutes acknowledgment of the updated Policy. If you do not agree, you may cancel under the cancellation terms of the Terms of Service.
19. Effective Date
Effective Date: June 5, 2026.
Last Materially Updated: June 5, 2026.
This Privacy Policy supersedes any prior privacy notice published by Olynx or A&S AI Solutions LLC.