Privacy Policy

Must Haves, Inc. ("MustHavesAI," "we," "us," or "our") operates the website musthavesai.com and provides managed AI powered business infrastructure services for local service businesses. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our services.

Our role: We operate as both a direct service provider (collecting information from clients who sign up for our platform) and as a data processor (handling end customer data on behalf of our clients' businesses). This policy covers both roles.

1. Information We Collect

Information You Provide Directly

• Account Information: Name, email address, phone number, business name, business address, and billing details when you sign up for our services.
• Intake Form Data: Business details, services offered, service area, industry, and automation preferences submitted through our intake or onboarding forms.
• Payment Information: Credit card and billing information processed securely through Stripe. We do not store full card numbers on our servers.
• Communications: Messages you send us via email, chat, phone, or support channels.
• QuickBooks Data: If you connect your QuickBooks Online account, we access invoice, payment, and customer data as needed to deliver syncing and automation services. We only access the data scopes required for the features you enable.

Information We Collect on Behalf of Our Clients

When you interact with a business that uses our platform (for example, by calling their business number, submitting a form on their website, or receiving a text message), we may collect:

• Contact Information: Name, phone number, email address, and physical address.
• Communication Records: SMS messages, call recordings, call transcripts, voicemail content, and email correspondence.
• Appointment and Service Data: Scheduling information, service requests, and job details.
• Review and Feedback Data: Review responses and satisfaction feedback.

This data is collected and processed on behalf of the client business. The client business is the data controller for their customer data, and their privacy practices govern how that data is used.

Information Collected Automatically

• Usage Data: Pages visited, features used, time spent on the platform, and interaction patterns.
• Device Information: Browser type, operating system, IP address, and device identifiers.
• Cookies and Tracking: Session cookies, authentication tokens, CSRF tokens, and analytics data (see Section 8 for details).

2. How We Use Your Information

• To provide, maintain, and improve our managed business infrastructure services.
• To build and configure websites, lead capture systems, and automation workflows for your business.
• To send and receive SMS messages, phone calls, and emails on behalf of client businesses.
• To process payments and manage subscriptions through Stripe.
• To sync financial data with QuickBooks Online when you connect your account.
• To power AI features including chat responses, call answering, and lead qualification.
• To communicate with you about your account, service updates, and support requests.
• To monitor and analyze usage trends to improve the platform.
• To detect and prevent fraud, abuse, or unauthorized access.
• To comply with legal obligations and enforce our terms.

3. Third Party Services

We share data with the following third party service providers as needed to deliver our services. We do not sell your personal information.

We may also share information when required by law, subpoena, or government request, or in connection with a merger, acquisition, or sale of assets.

4. SMS and Text Message Data

Our platform sends and receives text messages on behalf of client businesses. Here is how we handle SMS data:

• Consent: Text messages are only sent to individuals who have provided appropriate consent as required by the Telephone Consumer Protection Act (TCPA) and applicable state laws. Marketing messages require prior express written consent. Informational messages (such as appointment reminders and missed call responses) require prior express consent.
• Opt Out: Every marketing text includes opt out instructions. Recipients can reply STOP at any time to stop receiving messages. Opt out requests are honored immediately.
• Message Content: SMS messages are stored in our database to provide delivery confirmation, conversation history, and support troubleshooting. Messages are retained for the duration of the client's account plus 30 days.
• Carrier Data: We do not share SMS message content with third parties for advertising or marketing purposes. Message data is transmitted through Twilio and is subject to Twilio's privacy practices.
• Quiet Hours: Automated marketing messages are not sent before 8:00 AM or after 9:00 PM in the recipient's local time zone.

5. AI Powered Features

Our services include AI powered features such as chat responses and voice call answering. When you interact with these features:

• Conversations may be recorded, transcribed, and stored to deliver the service and improve quality.
• AI systems process conversation content to generate responses. This data is sent to our AI providers (Groq for chat, Retell AI for voice) for processing.
• AI call recordings and transcripts are retained for 90 days and are accessible to the client business through their dashboard.
• The AI receptionist identifies itself as an automated assistant and does not impersonate a human.

6. Data Security

We implement industry standard security measures to protect your information:

• Encryption in transit using TLS/SSL on all connections.
• Encryption at rest for stored data.
• Role based access controls limiting data access to authorized personnel.
• Secure authentication with session management and CSRF protection.
• Payment data handled exclusively by Stripe (PCI DSS compliant). Card numbers never touch our servers.
• Regular security monitoring and updates.
• Automated daily backups with 30 day retention.

No method of transmission over the Internet is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

7. Data Retention and Deletion

• Active Accounts: We retain your information for as long as your account is active and as needed to provide services.
• After Cancellation: Upon account termination, your data is available for export for 30 days. After 30 days, we delete your personal data from our systems, except where retention is required by law or for legitimate business purposes (such as billing records and tax documentation).
• Communication Logs: SMS messages, call recordings, and email logs are retained for the duration of the client account plus 30 days.
• AI Call Recordings: Retained for 90 days from the date of the call.
• Billing Records: Retained for 7 years as required for tax and accounting purposes.
• Deletion Requests: You may request deletion of your personal data at any time by contacting us. We will process deletion requests within 30 days, subject to legal retention requirements.

8. Cookies

We use the following types of cookies:

• Essential Cookies: Authentication tokens and CSRF tokens required for the platform to function. These cannot be disabled.
• Analytics Cookies: We use Vercel Analytics and Google Analytics to understand how visitors use our website. These cookies collect aggregated, anonymous usage data.

You can control cookie preferences through your browser settings. Disabling essential cookies may prevent you from using parts of the platform. We do not use cookies for third party advertising or cross site tracking.

9. Your Privacy Rights

General Rights

Regardless of your location, you may:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your data.
• Opt out of marketing communications.
• Export your data in a standard, portable format (CSV or JSON).

California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to Know: You may request a detailed description of the categories and specific pieces of personal information we have collected about you.
• Right to Delete: You may request that we delete your personal information, subject to certain exceptions.
• Right to Correct: You may request that we correct inaccurate personal information.
• Right to Opt Out: We do not sell or share your personal information for cross context behavioral advertising. If this practice ever changes, we will provide a "Do Not Sell or Share My Personal Information" link.
• Non Discrimination: We will not discriminate against you for exercising your CCPA rights.

Indiana Residents (ICDPA)

If you are an Indiana resident, the Indiana Consumer Data Protection Act (ICDPA), effective January 1, 2026, provides you with rights including:

• The right to confirm whether we are processing your personal data and to access that data.
• The right to correct inaccuracies in your personal data.
• The right to delete your personal data.
• The right to obtain a copy of your personal data in a portable, readily usable format.
• The right to opt out of the processing of your personal data for targeted advertising, the sale of personal data, or profiling.

We honor ICDPA rights regardless of whether we have met the processing thresholds that trigger mandatory compliance. If you are an Indiana resident and wish to exercise these rights, contact us using the information below.

How to Exercise Your Rights

To exercise any of these rights, contact us at corey@musthavesai.com. We will respond to verified requests within 30 days. We may ask you to verify your identity before processing your request.

10. Children's Privacy

Our services are designed for businesses and are not directed to individuals under 18 years of age. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected personal information from a minor, we will take steps to delete that information promptly. If you believe we have collected information from a minor, please contact us immediately.

11. Data Breach Notification

In the event of a data breach that compromises your personal information, we will notify affected individuals and applicable regulatory authorities as required by Indiana law (within 45 days of discovery) and other applicable state breach notification laws. Notification will include the nature of the breach, the types of information involved, and steps you can take to protect yourself.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice on our website at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of our services after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at: