Privacy

How ABI handles your information.

This policy explains what data moves through ABI when you interact with a business that uses it — calls, text messages, bookings — and what your rights are.

Last updated: May 1, 2026

§ Who we are

AB Integration Inc. operates ABI on behalf of service businesses.

AB Integration Inc. (“we”, “us”, “our”) is a Toronto-based company that builds and operates ABI — an operational layer for appointment-based service businesses. ABI captures inbound calls, sends and receives text messages, syncs bookings into the business’s scheduling platform, and keeps a memory of each customer for the business it serves.

This policy applies to end customers of businesses that use ABI — the people who call, text, or book with one of our client businesses. The client business is the controller of its customer data; we act as its service provider. The client business will have its own privacy notice that governs its broader relationship with you. This policy describes what we, AB Integration Inc., do with the data while it’s in our system.

§ What we collect

Phone numbers, names, bookings, and what you said.

When you contact a business that runs on ABI, we record the following:

  • Phone number. Stored in E.164 format (e.g. +14165551234). Your phone number is the identifier we use to recognize you across calls and text messages.
  • Name. When you give it on a call or in a message, or when it is included in a booking from the business’s scheduling platform.
  • Booking details. Service, date, time, duration, the staff member assigned to you, and the booking’s status (booked, completed, cancelled, no-show).
  • Conversation content. The transcript of voice calls handled by the ABI agent, and the text of inbound and outbound SMS messages on the business’s ABI line. Calls and messages handled directly by humans on the business’s side are not transcribed by us.
  • Attachments. Documents and photos you text in via MMS — for example, insurance cards, referral letters, intake forms, or progress photos. We attach these to your customer profile by phone number so the client business has them on file ahead of your appointment, and so the voice and SMS receptionist can refer to them when relevant.
  • Lifecycle metadata. Derived from your booking history: how often you book, how long it has been since your last visit, whether you have missed appointments, and whether you appear to be a returning or new customer. We use these to decide whether and when to send a reminder or recovery message.
  • Operational metadata. Timestamps, message identifiers from the SMS carrier, call identifiers from the voice provider, and delivery status (sent / failed). We use this to keep the system honest about what was actually delivered.

We do not collect government IDs, payment card numbers, social insurance numbers, biometric data, or geolocation. Payment, where it occurs, is handled inside the client business’s own booking platform — not by us.

§ How we use it

To run the business’s customer lifecycle, and nothing else.

Every piece of data we keep has an operational purpose:

  • Recognize returning callers. When you call back, the agent already knows your name, your last booking, and what service you typically come in for, so you don’t have to repeat yourself.
  • Send confirmations and reminders. When a booking is created we send a confirmation; we send reminders 24 hours and 2 hours before the appointment.
  • Recover dormant customers. If your usual cadence between appointments has elapsed, the business may send you a recovery message inviting you to rebook. There is a cooldown between messages and a hard cap on how many we send before we stop.
  • Ask for a review. A short while after your appointment ends, we may send a review request linking to the business’s preferred review platform.
  • Answer inbound text messages. When you SMS the business’s number, we route your message through an automated receptionist that answers questions about hours, location, pricing, and how to book. Free-form replies are generated using a language model (see Sub-processors below).
  • Build context for the business. Documents and photos you send in via MMS are attached to your profile so the staff seeing you have the relevant context before your appointment — for example, a clinic seeing your intake form or a referral letter ahead of your visit.
  • Improve the service. We review aggregate operational metrics — delivery rates, classification accuracy, no-show rates — to keep the system working. We do not use your conversations to train external AI models.

We do not sell your information. We do not share it with advertisers, data brokers, or resellers. We do not use it for marketing on behalf of any party other than the specific business you contacted.

§ Who can see it

The business you contacted, their staff, and us.

  • The client business. The business that contracts ABI sees its own customers’ profiles, bookings, conversation transcripts, and message logs through the ABI dashboard. Their staff have access scoped by login.
  • AB Integration Inc. personnel. Authorized engineers and operators on our team access data on a need-to-know basis to configure, support, and maintain the platform. We do not permit our personnel to access customer data for any other purpose.
  • Sub-processors. The third-party services listed in the next section process data on our behalf to deliver messages, host the database, run the voice agent, and classify intents. They are bound by their own contracts with us and may only use the data to perform the service they were engaged for.
  • Nobody else. No data brokers, no advertisers, no resellers.

§ Sub-processors

The third-party services we rely on, named honestly.

  • Twilio — sends and receives SMS on the business’s phone number. Receives the recipient phone number and the message body. US-based.
  • Retell AI — runs the voice agent that answers calls. Receives the caller’s phone number and a short profile we look up before the call (name, last service, last booking) so the agent can greet you correctly. Returns the call transcript when the call ends. US-based.
  • OpenAI — classifies the intent of inbound SMS messages and drafts replies for general questions. We use the gpt-4o-mini model. Inputs sent to OpenAI are: the inbound message, up to the last ten messages of that conversation for context, and (for free-form replies) the business’s configuration: hours, pricing, FAQs, and location. By contract, OpenAI does not train its models on data sent through the API. US-based.
  • Supabase — our primary database and file storage. Customer profiles, bookings, conversations, and message logs live in the Supabase Postgres database. MMS attachments you send (insurance cards, referral letters, intake forms, progress photos) live in Supabase Storage. Both are hosted in the US East region and encrypted at rest.
  • Railway — hosts the ABI backend service. Application traffic and logs run through Railway. US-based.
  • Resend — delivers email alerts to the business’s staff (for example, competitor watchdog notifications). End-customer SMS and call data does not flow through Resend. US-based.
  • Booking platform integrations. ABI pushes bookings, customer names, and phone numbers into whichever scheduling platform the client business uses. Depending on the deployment, this may include Square Appointments, Google Calendar, Vagaro, Phorest, or Jane. The platform’s own privacy practices apply once data is written there.

Most sub-processors above are based in the United States. If you are in Canada or elsewhere, your data may be processed outside your jurisdiction as a result. We choose providers with strong contractual data-handling commitments and align with PIPEDA, PHIPA, and HIPAA where the deployment requires.

§ How long we keep it

For as long as the client business runs on ABI, then on request.

Customer profiles, conversation transcripts, and message logs persist while the client business stays on ABI. Lifecycle automation depends on this history — recognizing you as a returning caller, knowing your booking cadence, knowing whether to send a recovery message — so we don’t auto-purge records on a fixed schedule.

When a client business ends its subscription, we retain their data for a short, reasonable period to support a possible return, then delete it on request. Where the client business has a regulatory retention obligation (for example, health-record retention under PHIPA), we follow their direction.

If you are an end customer of one of our client businesses and you want your record deleted, contact us at anthony@abintegration.ca and we will process the deletion in coordination with the business.

§ Security

Encrypted in transit, encrypted at rest, scoped access.

  • In transit. All traffic between our service, our sub-processors, and the dashboard runs over TLS.
  • At rest. Database storage at Supabase is encrypted at rest. SMS and voice transcripts inherit this when written to the database.
  • Attachment storage. Documents and photos you send via MMS are stored in Supabase Storage, encrypted at rest, with access limited to the client business that received the message (via the dashboard) and authorized AB Integration personnel.
  • Access control. Database service-role credentials are held in environment variables on the backend and are never exposed to the dashboard or to end customers. Dashboard access is scoped per client business and per staff login.
  • Designed for regulated environments. The system was built for health-adjacent and other regulated service businesses, not retrofitted to them.

§ Your rights

Access, correction, deletion, opt-out.

  • Know what we hold. You can ask us for a copy of your record — the profile, conversations, and messages we have on you for a specific business.
  • Correct it. If something we hold is wrong (your name, your phone number), we will fix it.
  • Delete it. You can request deletion of your record, including any documents or photos you have sent in via MMS. We will process the request in coordination with the client business, subject to any legal retention obligation that applies (for example, regulated health records).
  • Opt out of SMS. Reply STOP to any text message from a business that uses ABI. The SMS carrier honors STOP at the network level and we will stop sending you messages on that number. Reply HELP for the carrier’s assistance message.

To exercise any of these rights, email anthony@abintegration.ca with the phone number you used to contact the business and the business’s name. We will verify and respond within a reasonable period.

§ Compliance framing

Built to PIPEDA and PHIPA, HIPAA-aligned for US deployments.

ABI is built to align with Canadian privacy law — PIPEDA nationally and PHIPA for Ontario health-information custodians. For US deployments that handle protected health information, we operate under HIPAA-aligned controls and execute Business Associate Agreements with the client business and our sub-processors where required.

This policy does not replace the privacy notice of the business you contacted. They are the data controller; we are their service provider acting on their instructions.

§ Contact

Questions about your data, or this policy.

Email us. We will respond within a reasonable period and route your request to the right person on our side, or to the client business where coordination is needed.

anthony@abintegration.ca

AB Integration Inc. · Toronto, Canada

Last updated: May 1, 2026