Privacy Policy

Effective Date: April 18, 2026

This Privacy Policy applies to the website and product Inflowence, operated by Donald Lee Vaughn Jr, DBA GrowLocal — a US-EIN-registered sole proprietorship. References to "we," "us," and "our" refer to Donald Lee Vaughn Jr, DBA GrowLocal.

This Privacy Policy explains how Inflowence ("we," "us," or "our") collects, uses, and discloses information. Because we are a B2B SaaS provider, our data processing falls into two categories:

Our Customers: The businesses who buy our software.

End-Users: The customers of our Customers (whose data we process on our Customers' behalf).

Mobile Information & SMS Consent

We collect your phone number to send text messages related to our Services. Our SMS program is a mixed program covering two separately-consented categories:

  • Transactional / non-marketing messages: appointment reminders, booking confirmations, lead follow-ups, and service / account notifications.
  • Marketing messages: special offers, discounts, and service updates.

You consent to each category separately via distinct opt-in checkboxes and may opt in to one, both, or neither. Information we collect in connection with the SMS program includes your phone number, which category(ies) you consented to, opt-in timestamp, opt-in source (the chat widget on Inflowence), IP address at the time of opt-in, and the content of messages you send and receive.

No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. Information sharing to subcontractors in support services, such as customer service, is permitted. All other use case categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

Opt-Out & Help. You can opt out of our SMS messages at any time by replying STOP to any message. Reply HELP for assistance, or contact support@inflowence.ai / +1 (602) 755-7345. Message and data rates may apply. Message frequency varies. Carriers are not liable for delayed or undelivered messages.

Email Communications

When you submit any form on Inflowence — including forms you begin but do not finish — we collect the email address and any other contact details you provide in order to follow up with you. This follow-up may include:

  • Transactional email confirming actions you took (booking confirmations, account notifications, support replies).
  • Form-completion reminders when you start a form (for example, the demo request) and do not submit it. The email address you typed is retained for this purpose and a short reminder sequence may be sent so you can resume where you left off.
  • Relevant marketing email about Inflowence features, offers, and service updates.

Your rights. Every marketing or reminder email we send includes a one-click unsubscribe link. Unsubscribing removes you from marketing and reminder sequences; we will still send purely transactional email tied to an active account or booking. You can also email support@inflowence.ai at any time to have your email address removed from our lists.

Sender identity. All automated email is sent by Donald Lee Vaughn Jr, DBA GrowLocal and includes our physical postal address in the footer, in compliance with the US CAN-SPAM Act.

1. Data Roles & Responsibilities

Customer Data (B2B): Regarding our business relationship with you (the Customer), we act as a Data Controller.

End-User Data (The "Service Data"): Regarding the information you upload or that is generated via SMS, Voice, and DMs with your clients, we act as a Data Processor. You (the Customer) remain the Data Controller of your End-Users' information.

2. Information We Collect

A. From Our Customers (You)

Account Information: Name, business email, billing address, and payment details (processed via Stripe/third-party).

Technical Data: IP address, browser type, and usage logs on the Inflowence platform (via Vercel and Upstash).

B. From End-Users (Processed on your behalf)

Communication Content: Transcripts of Voice Agent calls, SMS message history, and social media Direct Messages (WhatsApp, Instagram, Facebook).

Contact Metadata: Phone numbers, social media handles, and timestamps of interactions.

Voice Data: Temporary audio recordings used for AI transcription and intent analysis.

3. The Technical Data Journey

To provide our services, data flows through a specific architecture designed for speed and reliability.

Interaction Trigger: An End-User sends a DM or calls your AI phone receptionist.

Processing Layer (GoHighLevel & AWS): The message is received by GoHighLevel (CRM) or AWS (Voice/Email). Our AI logic analyzes the intent.

Storage Layer (Supabase): The interaction history, lead status, and AI-generated logs are stored in our Supabase database to be displayed in your Inflowence dashboard.

State Management (Upstash): Temporary session data (like an active AI phone call state) is managed via Upstash for real-time performance.

4. How We Use Information

We do not sell End-User data. We use the information solely to:

  • Facilitate multi-channel communications.
  • Improve AI performance using aggregated, de-identified usage data
  • Provide analytics and reporting on your communication performance.
  • Prevent fraud and ensure compliance with our Acceptable Use Policy.

5. Data Retention

Account Data: Retained as long as your account is active.

End-User Communication Data: Retained for the duration of your subscription unless you request deletion.

Voice Recordings: Unless otherwise configured by the Customer, raw audio files are typically deleted after transcription is finalized, though transcripts remain in the database.

6. Third-Party Disclosures (Subprocessors)

We do not sell or rent your information. Consistent with the Mobile Information & SMS Consent section above, we do not share your information with third parties or affiliates for their marketing or promotional purposes; we do share information with subcontractors providing support services (e.g., customer service, infrastructure) strictly to operate and maintain the platform on our behalf. Those subcontractors are:

Infrastructure: AWS, Vercel, Supabase.

Communication Pipes: GoHighLevel, Twilio, Meta Platforms.

Analytics: Upstash.

Data & Infrastructure

To provide transparency about our data processing relationships:

  • Subprocessors List - View the complete list of third-party service providers, including AWS, GoHighLevel, Vercel, Supabase, and others, along with their roles and data locations.

  • Data Processing Addendum (DPA) - For business customers, review our data processing agreement which outlines our obligations as a data processor, security measures, and your rights under applicable US data protection laws.

7. Geographic Scope and Privacy Rights

7.1 Geographic Scope and GDPR Applicability

Service availability. Our Services are offered to businesses located in the United States and Canada. If you are located elsewhere, please do not use the Services or submit personal data through them.

Why GDPR still applies to our processing. Donald Lee Vaughn Jr, DBA GrowLocal is a US-EIN-registered sole proprietorship; the natural person operating the business resides in Germany. Under Article 3(1) of Regulation (EU) 2016/679 ("GDPR"), processing of personal data carried out in the context of the activities of an establishment of a controller in the European Union is subject to the GDPR regardless of whether the processing itself takes place in the Union. Because the operator's establishment is in Germany, the GDPR applies to our processing of personal data, even though the Services themselves are offered only in the United States and Canada. This Privacy Policy is structured to satisfy both US state-privacy-law disclosures and the GDPR's controller-information and data-subject-rights requirements.

Controller identity (GDPR Art. 13(1)(a)). The data controller is Donald Lee Vaughn Jr, DBA GrowLocal, Stromerweg 2, 91058 Erlangen, Germany. Contact: privacy@inflowence.ai / +1 (602) 755-7345. We do not designate an EU Representative under Art. 27 because the Services are not directed at data subjects in the Union.

Lawful bases for processing (GDPR Art. 6). We rely on the following:

  • Contract performance (Art. 6(1)(b)): Processing necessary to provide the Services to Customers and, in the Customer's role as controller, to facilitate Customer communications with End-Users.
  • Legitimate interests (Art. 6(1)(f)): Platform security, fraud and abuse prevention, aggregated service improvement, and responding to support requests. Our interests are balanced against your rights and freedoms; you may object at any time (see rights below).
  • Consent (Art. 6(1)(a)): Marketing communications and SMS messages, where required by law. Consent may be withdrawn at any time without affecting the lawfulness of prior processing.
  • Legal obligation (Art. 6(1)(c)): Tax, accounting, and telecommunications-compliance recordkeeping under applicable US and German law.

International transfers (GDPR Chapter V). The Services run on US-based infrastructure (AWS, Supabase, Vercel, GoHighLevel, Twilio, OpenAI, and others listed in our Subprocessors List). Personal data processed in the context of the German establishment is transferred from the EU to the United States in the ordinary course of providing the Services. We rely on the European Commission's 2021 Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and, where the receiving organization is certified, the EU-US Data Privacy Framework (Commission Decision (EU) 2023/1795) as the transfer mechanism. You may request a copy of the SCCs applicable to a specific subprocessor by emailing privacy@inflowence.ai.

Data-subject rights under the GDPR (Arts. 15–22). To the extent the GDPR applies to our processing of your personal data, you have the right to access your personal data, request rectification of inaccurate data, request erasure, request restriction of processing, receive your data in a portable machine-readable format, object to processing based on legitimate interests (including a general right to object to direct marketing), and withdraw consent where processing is based on consent. To exercise these rights, email privacy@inflowence.ai. We will respond within one month, extendable by up to two further months for complex requests (Art. 12(3)).

Right to lodge a complaint (GDPR Art. 77). You have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany — https://www.lda.bayern.de/.

Automated decision-making. We do not subject data subjects to decisions based solely on automated processing that produce legal or similarly significant effects within the meaning of GDPR Art. 22.

Data Protection Officer. We have assessed our activities under GDPR Art. 37 and determined that a DPO is not mandatorily required because our core activities do not consist of large-scale, systematic monitoring of data subjects nor of large-scale processing of Article 9 special-category data. Privacy inquiries may be directed to privacy@inflowence.ai.

7.2 US State Privacy Rights

We comply with applicable US state privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), the Virginia Consumer Data Protection Act ("VCDPA"), the Colorado Privacy Act ("CPA"), the Utah Consumer Privacy Act ("UCPA"), the Connecticut Data Privacy Act ("CTDPA"), the Texas Data Privacy and Security Act ("TDPSA"), and the Oregon Consumer Privacy Act ("OCPA"). Your specific rights depend on your state of residence.

Right to Know / Access. You may request a copy of the personal data we have collected about you, the categories of data, the sources, and the purposes of processing.

Right to Delete. You may request deletion of your account data, subject to exceptions required or permitted by law (e.g., billing records, fraud prevention).

Right to Correct. You may request correction of inaccurate personal data.

Right to Portability. You may request a copy of your personal data in a portable, machine-readable format.

Right to Opt Out of Sale / Sharing / Targeted Advertising. We do not sell or share personal data for cross-context behavioral advertising or targeted advertising. No Global Privacy Control signal handling is required because no such processing occurs. If our practices change, we will post a conspicuous "Your Privacy Choices" link.

Right to Limit Use of Sensitive Personal Information (CCPA/CPRA). Sensitive PI we may process for Customers includes phone numbers, precise approximate IP-derived location, voice-call audio, and account credentials. We use Sensitive PI only to provide the Services and do not use it for inferences to build a profile. You may request limitation of such use by contacting us below.

Right to Appeal (VCDPA, CPA, CTDPA, TDPSA, OCPA). If we decline to act on a verified rights request, you have the right to appeal that decision. To appeal, email our Privacy Officer (address below) with the subject "Privacy Rights Appeal" within 60 days of our decision. We will respond to your appeal in writing within 60 days. If the appeal is denied, you may contact your state Attorney General.

Right to Opt Out of Profiling (CPA, CTDPA, OCPA). We do not engage in profiling in furtherance of decisions that produce legal or similarly significant effects. No opt-out mechanism is required. If our practices change, we will update this section.

Non-Discrimination. We will not discriminate against you for exercising any of these rights (no denial of Service, different prices, reduced quality, etc.).

How to exercise rights. Submit a verifiable request to privacy@inflowence.ai. We will respond within the timeframe required by applicable law (generally 45 days, extendable by 45 days).

Authorized agents. You may designate an authorized agent to make a request on your behalf. We may require written authorization and verification of identity.

End-User data. Where we act as a service provider / processor, Customers (the businesses that use our Services) are the controller of their End-Users' data and are responsible for providing End-User opt-out mechanisms (e.g., "Reply STOP to opt out of text messages"). We will assist Customers in fulfilling verified End-User requests.

Shine the Light (California Civil Code § 1798.83). California residents may request information about disclosures of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes, so no such disclosures exist to report.

8. Security

We implement enterprise-grade security via our infrastructure providers (AWS and Supabase), including:

Encryption at Rest: All database entries are encrypted.

Encryption in Transit: Data is transmitted via HTTPS/TLS 1.3.

Access Control: Strict internal policies regarding who can access Customer databases for support purposes.

9. Contact Us

For any privacy-related inquiries or to exercise your data rights, please contact:

Privacy Officer Email: privacy@inflowence.ai

By using Inflowence, you acknowledge that you have read, understood, and agree to this Privacy Policy.