Privacy Policy

Effective April 28, 2026 · askbud io LLC

Effective Date: April 28, 2026 Last Updated: April 28, 2026 Version: 3.0

This Privacy Policy explains how askbud io LLC ("AskBud," "we," "us," or "our") collects, uses, shares, and protects information in connection with our AI voice receptionist service ("Flora") and the website at askbud.io (collectively, the "Service").

This Policy covers two distinct groups:

  • Customers — businesses (such as cannabis dispensaries) that subscribe to the Service.
  • Callers — individuals who place phone calls to a business that uses Flora.

Controller and Processor Roles

For the askbud.io website, self-serve sign-ups, marketing communications, and direct interactions with Customers, AskBud acts as a data controller.

For call audio, transcripts, and Caller information processed on behalf of a Customer in the course of providing the Service, AskBud acts as a processor (or "service provider" under California law) — the Customer is the controller of that data. Where AskBud and a Customer have signed a separate Data Processing Addendum ("DPA"), the DPA governs and controls in the event of any conflict with this Privacy Policy.

1. Information We Collect

1.1 Information from Customers

When you sign up for or use the Service, we collect:

  • Account information: business name, address, owner name, manager email addresses, and similar details
  • Payment information: processed by our payment provider (Stripe); we do not store full card numbers
  • POS integration credentials: API keys and configuration details for systems like Dutchie POS
  • Inventory and product data: product names, descriptions, pricing, and stock levels synced from your POS
  • Usage data: how you interact with our admin dashboard, configuration changes, and support communications

1.2 Information from Callers (Communications Data)

When a caller phones a business that uses Flora, we collect what we refer to in this Policy as "Communications Data":

  • Audio recording: the full audio of the call, beginning after the recording-disclosure message is played by Flora at the start of the call
  • Transcript: an automated text transcript of the call
  • Phone metadata: the caller's phone number (to the extent provided by the telephony network), the call's start and end time, and the call's duration
  • Conversation content: including any information the caller voluntarily shares during the call

Customers are responsible for obtaining all required notices and consents from Callers before forwarding calls to Flora. Flora's recording disclosure and AI-identification message are designed to satisfy notice and consent requirements in any U.S. state.

1.3 Information from Cookies and Web Tracking

When you visit askbud.io, we may collect standard web information such as IP address, browser type, pages visited, and referring URL. We use this data to operate, secure, and improve the website.

1.4 Sensitive Personal Data

We do not seek to collect sensitive categories of data (such as health information, government identifiers, or biometric data) unless strictly necessary for the Service and provided by you. Where required by law, we will obtain your explicit consent before processing sensitive personal data.

2. How We Use Information

We use information to:

  • Provide, maintain, and improve the Service
  • Answer caller questions accurately by reading from your inventory
  • Generate call transcripts, summaries, weekly reports, and other AI-derived insights for Customers
  • Process payments and manage subscriptions
  • Communicate with Customers about account, billing, and service updates
  • Send marketing communications, where permitted (see Section 11)
  • Detect, prevent, and address technical issues, fraud, and abuse
  • Improve the accuracy, reliability, and capabilities of Flora and our AI summarization features
  • Comply with legal obligations

We do not sell personal information. We do not share Caller information with third parties for marketing purposes.

2.1 Use of Communications Data for AI Improvement

To deliver core features of the Service — including call summarization, weekly reports, transcript analysis, and improvements to Flora's accuracy — AskBud may use Communications Data to train, develop, and improve the AI models and features that power the Service. Where feasible, we use Communications Data in aggregated and de-identified form for these purposes.

Limits on AI training use:

  • We will not use Communications Data to train AI models or services intended to compete with our Customers' businesses.
  • We will not use Communications Data to identify, profile, or target individual Callers for marketing.
  • Customers may negotiate, through a signed Master Services Agreement or DPA, a carve-out restricting use of their Communications Data for model training. Absent such a carve-out, the practices described in this section apply.

2.2 Lawful Bases for Processing (GDPR)

Where the General Data Protection Regulation applies, we rely on the following lawful bases for processing personal data, depending on the activity:

  • Contract — to provide the Service to Customers
  • Legitimate interests — to operate, secure, and improve the Service
  • Consent — for marketing communications and certain optional features
  • Legal obligations — to comply with tax, accounting, and law-enforcement requirements

3. Call Recording and AI Disclosure

Flora plays an audible recording-disclosure message at the start of every call and identifies herself as an AI assistant. By continuing the call after the disclosure, the Caller is deemed to have provided consent to the recording.

Customers using the Service authorize and instruct AskBud to record calls on their behalf and represent that they have all necessary authority and consent to do so.

4. How We Share Information

4.1 Service Providers (Subprocessors)

We share data with third-party service providers ("subprocessors") who help us operate the Service. Each subprocessor is contractually bound to handle data in line with its own privacy and security commitments and applicable law. The current list is below; we may add or change subprocessors as the Service evolves, and material changes will be reflected in this Policy.

A. Voice AI and Telephony

  • Retell AI (https://www.retellai.com/legal/privacy-policy) — Voice AI agent platform. Receives call audio, transcripts, and agent configuration. Retell AI may use Communications Data, in aggregated and de-identified form, to train and improve its own AI models under its Privacy Policy and Terms of Service.

B. AI and Machine Learning

C. Cloud Hosting and Infrastructure

D. POS and Business Data

E. Email and Communications

F. Reference and Lookup Services

G. Payments

Future or planned subprocessors (not yet active but disclosed for transparency): Google Analytics for website usage analytics. We will move this to the active list when implemented and notify Customers via this Policy.

4.2 Legal Disclosures

We may disclose information if required by law, subpoena, court order, or other legal process, or to protect the rights, property, or safety of AskBud, our Customers, our Callers, or others. We will not voluntarily disclose Caller data to law enforcement without valid legal process except in genuine emergencies (for example, an imminent threat to life).

4.3 Business Transfers

If AskBud is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction. We will provide notice before information becomes subject to a different privacy policy.

4.4 Aggregated and De-Identified Data

We may share aggregated or de-identified data (data that cannot reasonably identify a Customer or Caller) for analytics, research, marketing, or industry reporting.

5. International Data Transfers

The Service is operated from the United States. If you access or use the Service from outside the United States, your information will be transferred to and processed in the United States, which may have different data-protection laws than your country. Where required by applicable law, we use safeguards such as Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA), or other approved transfer mechanisms.

6. Data Retention

  • Call audio recordings: retained for ninety (90) days from the date of the call, then automatically deleted.
  • Call transcripts and summaries: retained for the duration of the Customer's active subscription, plus a reasonable period thereafter for legal, compliance, and dispute-resolution purposes.
  • Inventory and product data: retained as long as the Customer's account is active.
  • Account and billing records: retained as required by law (typically seven years for tax and accounting).
  • Web analytics: retained for up to twenty-six (26) months.
  • Aggregated, de-identified data used for AI improvement: may be retained indefinitely, since it is no longer associated with any identifiable individual.

After termination of a Customer's subscription, the Customer may request export of data within thirty (30) days. After that period, data is deleted on our standard schedule.

We determine retention periods based on the nature of the data, the purposes for which it is processed, and legal requirements. Where feasible, we anonymize or aggregate data instead of retaining it in identifiable form.

7. Data Security

We implement reasonable technical and organizational measures to protect data, including:

  • TLS/SSL encryption for data in transit
  • Encryption at rest for stored data
  • Access controls and authentication for our systems
  • Restricted use of subprocessors with appropriate security commitments
  • Regular review of security practices

In the event of a confirmed security breach affecting Customer Data or Communications Data, AskBud will notify affected Customers without undue delay and in any event within seventy-two (72) hours of discovery, and will notify regulators where required by applicable law.

No system is perfectly secure. We cannot guarantee absolute security of data transmitted to or stored by us.

8. Your Rights and Choices

8.1 For Callers

If you placed a call to a business that uses Flora and you would like to:

  • Know what information was collected about your call
  • Request deletion of the recording or transcript
  • Object to specific uses of your data

Please contact us at privacy@askbud.io with the date, approximate time, and the business you called. Note that we may need to coordinate with the business (our Customer, who is the controller of that data) to fulfill your request.

8.2 For Customers

You can access, update, or delete your account information through your admin dashboard or by contacting help@askbud.io.

8.3 California Residents (CCPA / CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, share, or disclose
  • Request deletion of personal information (subject to the exceptions in Section 9)
  • Correct inaccurate personal information
  • Opt out of the "sale" or "sharing" of personal information for cross-context behavioral advertising. AskBud does not sell or share personal information for cross-context behavioral advertising.
  • Limit the use of sensitive personal information beyond what is reasonably necessary to provide the Service
  • Non-discrimination for exercising your privacy rights

To exercise these rights, contact privacy@askbud.io with the subject line "California Privacy Request." We will verify your identity before fulfilling the request and respond within forty-five (45) days, as required by law.

We honor Global Privacy Control (GPC) signals as an opt-out mechanism where required.

8.4 Other State Privacy Laws

Residents of states with comprehensive privacy laws — including Colorado, Connecticut, Virginia, Utah, Texas, Oregon, and others — have similar rights. Contact privacy@askbud.io to exercise them.

8.5 GDPR Rights (EU/EEA Residents)

If you are in the European Union or European Economic Area, you have the right to:

  • Access, correct, or delete your personal data
  • Object to or restrict processing
  • Receive a portable copy of your personal data
  • Withdraw consent where processing is based on consent
  • Lodge a complaint with your local Data Protection Authority

We will respond to GDPR requests within thirty (30) days. Contact privacy@askbud.io.

8.6 Do Not Track Signals

Our website does not currently respond to "Do Not Track" (DNT) browser signals, as no industry standard has been finalized. Where applicable laws require it, we honor Global Privacy Control (GPC) signals as described above.

9. Right to Deletion — Exceptions

When we receive a verifiable deletion request, we will delete the requested personal information from our records and direct subprocessors to do the same — subject to legitimate exceptions. We may retain personal information when necessary to:

  • Complete the transaction for which the personal information was collected, fulfill the terms of a written warranty, or perform a contract between you and us
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible
  • Debug to identify and repair errors that impair existing intended functionality
  • Comply with a legal obligation (for example, tax, accounting, or audit requirements)
  • Engage in public or peer-reviewed scientific or historical research where deletion would seriously impair such research
  • Enable solely internal uses reasonably aligned with the relationship between you and AskBud
  • Defend legal claims

10. Children's Privacy

The Service is intended for businesses, not individuals under the age of 18. We do not knowingly collect personal information from children under 13 (or under 16 in the European Economic Area) without appropriate consent. If we learn we have inadvertently collected personal information from a child, we will delete it promptly. If you believe we have collected such information, contact privacy@askbud.io.

11. Email Communications

11.1 Transactional Communications

We will send transactional emails related to your account and the Service — for example, billing notifications, service updates, security alerts, password resets, and important policy changes. You cannot opt out of essential service-related communications while you have an active account.

11.2 Marketing Communications

We may send marketing emails — including newsletters, product announcements, promotional offers, case studies, and event invitations — to Customers and prospects who have provided their email address. Every marketing email contains an unsubscribe link. You can opt out of marketing emails at any time by:

  • Clicking "unsubscribe" in any marketing email
  • Emailing privacy@askbud.io with the subject "Unsubscribe"

Opting out of marketing does not affect transactional communications.

11.3 Engagement Tracking

To improve our communications, we may receive a notification when you open a marketing email or click a link. We do not use this data to build advertising profiles or share with third parties for advertising.

12. HIPAA

Unless AskBud and a Customer have signed a separate Business Associate Agreement (BAA), AskBud does not act as a "Business Associate" as defined under HIPAA, and the Service is not designed to receive, store, or process Protected Health Information (PHI). Customers should not configure Flora to elicit, store, or transmit PHI.

13. Cannabis Industry Considerations

Many of our Customers operate in the cannabis industry. We understand that callers to cannabis dispensaries may have heightened privacy concerns. We:

  • Never sell or share Caller data with advertisers, data brokers, or third parties for marketing
  • Do not use Caller phone numbers for outbound marketing
  • Do not provide Caller data to law enforcement except as required by valid legal process or in genuine emergencies
  • Encrypt all stored call data
  • Limit internal access to call data to personnel who need it to operate the Service
  • Will not use Communications Data to train AI models intended to compete with our Customers' businesses

14. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last Updated" date at the top reflects the most recent version. If we make material changes, we will provide notice via email to Customers or by prominent notice on our website. Where required by law, we will obtain your consent to material changes.

15. Contact Us

askbud io LLC 30 N Gould St #61660 Sheridan, WY 82801