Receptive AI

Privacy Policy

Last updated: May 21, 2026

This Privacy Policy explains how DISTACK SOLUTIONS (SMC-PRIVATE) LIMITED ("we", "our", "us"), incorporated in Pakistan, collects, uses, stores, and protects information when you use Receptive AI, our AI receptionist platform (the "Service"). Receptive AI is a product of Distack Solutions and is operated from getreceptive.com.

We act as a data controller for information about our direct customers (the businesses that sign up for Receptive AI), and as a data processor for information about end-users our customers interact with through the Service (their callers, emailers, web chat visitors, and WhatsApp customers).

1. Who we are

2. What we collect

2.1 From our customers (businesses)

  • Account information: name, email address, phone number, business name, role.
  • Workspace configuration: AI receptionist name, greeting, tone, knowledge base content, business hours, custom instructions.
  • Authentication data: hashed passwords, session tokens.
  • Billing information: only what is required by our payment processor (we do not store payment card numbers ourselves).
  • Connection credentials for third-party services (e.g. WhatsApp Business access tokens, email provider keys), encrypted at rest.

2.2 From end-users (the people contacting our customers)

When an end-user contacts a Receptive AI customer through any supported channel, we receive and process:

  • The content of the message they send (text, voice transcript, email body, WhatsApp message text).
  • Their identifier on that channel: phone number for calls and WhatsApp, email address for email, anonymous session ID for web chat.
  • Display name if shared by the channel (e.g. WhatsApp profile name).
  • Metadata: timestamp, channel, message ID assigned by the provider, delivery/read status.
  • AI-generated metadata: extracted intent, sentiment, conversation summary, any structured data the AI identified during the interaction.

We collect this information solely so the Service can route, respond to, and record the interaction on behalf of the customer business. End-users should contact the business they messaged for end-user data requests; we will assist that business in responding within the timeframes required by applicable law.

2.3 Automatically collected technical data

  • Browser type, operating system, IP address, referrer URL.
  • Pages visited and actions taken within the application.
  • Cookies strictly necessary for authentication and session management. We do not place advertising cookies.

3. How we use the information

  • To operate the Service: respond to inbound messages, maintain conversation history in the customer's inbox, surface AI-generated insights.
  • To authenticate users and protect account security.
  • To improve product quality (debugging, error tracing, abuse prevention) using aggregated and de-identified telemetry.
  • To send transactional notifications (account events, integration failures) to customers.
  • To comply with legal obligations.

We do not sell personal information. We do not use end-user conversation content to train general-purpose AI models. Conversation content is sent to language model providers (e.g. OpenAI) only as required to generate the immediate AI reply, under contractual data-processing terms with those providers.

4. WhatsApp Business Platform data handling

When a customer connects their WhatsApp Business Account to Receptive AI:

  • We receive an access token from Meta granting send and receive permissions for that WhatsApp Business Account. The token is encrypted at rest using AES-256-GCM and is never exposed to client-side code.
  • WhatsApp messages from end-users are delivered to our webhook endpoint, signed with HMAC-SHA256 and verified before processing.
  • We respect Meta's 24-hour customer service window: AI replies and free-form messages are only sent within 24 hours of the end-user's most recent message, in accordance with Meta's WhatsApp Business Platform policies.
  • Outbound WhatsApp messages are sent only on behalf of the customer business, in response to end-user inbound messages or per the customer business's explicit instruction.
  • We do not use WhatsApp message content for any purpose other than operating the Service for the customer business that owns the WhatsApp Business Account.
  • We do not retain WhatsApp media files beyond what is needed to render them in the customer's inbox; we do not redistribute media.
  • If a customer disconnects their WhatsApp integration, we revoke the stored access token, stop processing inbound messages for that account, and delete or de-identify associated message records per the schedule in Section 8.

5. Google Calendar and Google user data

Receptive AI offers an optional integration with Google Calendar so the AI receptionist can check a customer's availability and book appointments on their behalf. This section describes how we access, use, store, share, retain, and delete data obtained through Google APIs, as required by the Google API Services User Data Policy, including the Limited Use requirements.

5.1 Data accessed (Google OAuth scopes)

When a customer connects their Google account, Receptive AI requests only the minimum OAuth scopes required to provide the calendar booking feature:

  • openid, email, profile — to identify the connected Google account and display its email address in the integration settings (for example, "Connected as user@example.com"). We call Google's /userinfo endpoint once at connect time and store only the email address.
  • https://www.googleapis.com/auth/calendar.readonly — to list the calendars the customer has write access to (hidden and deleted calendars are excluded) and to read free/busy windows on the calendar(s) the customer selects, so the AI receptionist can offer real available time slots to end-users.
  • https://www.googleapis.com/auth/calendar.events — to create calendar events on the calendar the customer has selected when an end-user books an appointment with the AI receptionist. When creating an event, Receptive AI also asks Google to attach a Google Meet video link to the event (via conferenceData) so the customer and the end-user have a video room ready to go.

We do not request the full calendar read/write scope, the calendar.events.readonly scope, or any other Google scope. We do not access Gmail, Drive, Contacts, Tasks, or any other Google service. We currently only create calendar events — we do not modify or delete events on the customer's calendar.

Specifically, when the AI receptionist looks up availability, the only data we read from existing events on the customer's calendar is the busy time windows (start and end timestamps) returned by Google's freeBusy API. We do not read event titles, descriptions, locations, attendee lists, attachments, or any other content of the customer's existing calendar events.

5.2 How we use Google user data

Data obtained from Google APIs is used solely to:

  • Display the connected Google account's email address in the customer's workspace so they can confirm which account is linked.
  • List the customer's writable calendars so they can choose which calendar Receptive AI should book against.
  • Read free/busy time on the selected calendar(s) so the AI receptionist can propose real available appointment times to end-users.
  • Create a calendar event on the selected calendar when an end-user agrees to a specific time. The event we create contains: the booking title, a short description (a one-or-two-sentence note about the reason for the booking, generated from the conversation), the start and end time, the end-user's display name and email address as an attendee, and a Google Meet conference link.
  • Instruct Google to send the standard Google Calendar invitation email to the event attendees (sendUpdates=all) so the end-user receives the invite and Meet link without us having to send a separate email ourselves.

Receptive AI's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, we do not:

  • Use Google user data to serve advertising of any kind.
  • Sell Google user data or transfer it to third parties for advertising, credit-worthiness, or any unrelated purpose.
  • Use Google user data to develop, improve, or train generalized or non-personalized AI and/or machine-learning models.
  • Allow humans to read Google user data, except (a) with the user's explicit consent for specific data, (b) when necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) for internal operations where the data has been aggregated and de-identified.

5.3 Sharing of Google user data

We do not share Google user data with third parties, except:

  • With infrastructure sub-processors (cloud hosting and database providers) strictly to operate the Service on the customer's behalf, under written data-processing agreements. These sub-processors are not authorised to access Google user data for any other purpose.
  • With the customer business whose workspace the integration belongs to (the data is theirs).
  • When required by law and limited to what the law requires.

We do not send the content of the customer's existing Google Calendar events (titles, descriptions, attendee details, or attachments) to third-party language model providers. The AI receptionist's view of the customer's calendar is limited to anonymised busy/free time windows, which are not personal data in themselves. The AI does generate a short description for the new booking it is about to create (based on the conversation with the end-user); that description is sent to Google as part of the event we create, on the customer's behalf.

5.4 Storage and protection of Google user data

  • Google OAuth access tokens and refresh tokens are encrypted at rest using AES-256-GCM. The encryption key is held in a dedicated environment variable (separate from keys used for other integrations) and is stored separately from the database that holds the encrypted tokens.
  • Tokens are never exposed to client-side code. All Google API calls (userinfo, calendarList, freeBusy, events.insert, token refresh, revocation) are made server-side from our backend.
  • The only data we persist from Google after a successful booking is: the connected account's email address, the list of calendars (id, name, timezone, primary flag) shown to the customer at configuration time, the calendar id the customer selected, and the event id and link returned by Google when we created an event. All of this is stored under the same row-level security controls described in Section 11 — each workspace can only access its own connected calendar data.
  • All connections between Receptive AI and Google APIs use TLS 1.2 or higher.
  • Staff access to systems that hold Google user data follows the principle of least privilege and is logged.

5.5 Retention and deletion of Google user data

A customer may disconnect their Google account from Receptive AI at any time:

  1. Sign in to Receptive AI.
  2. Open Integrations → Google Calendar from the left navigation (or visit getreceptive.com/integrations/google-calendar directly).
  3. Click Disconnect.

Within seven days of disconnection (and typically immediately) we:

  • Revoke the stored OAuth tokens with Google's token revocation endpoint (https://oauth2.googleapis.com/revoke).
  • Delete the encrypted access token and refresh token records from our database.
  • Stop making any further Google Calendar API calls for that account.

You may also revoke Receptive AI's access directly from your Google Account at any time: visit myaccount.google.com/permissions, select Receptive AI, and click Remove access. Within seven days of such revocation we delete the associated tokens from our systems as described above.

Calendar events that Receptive AI created in your Google Calendar remain on your calendar after disconnection; you can delete them from within Google Calendar. Booking records stored within Receptive AI follow the conversation retention schedule in Section 8. To request earlier deletion of those records, email privacy@getreceptive.com.

6. Sharing and disclosure

We share data only with:

  • Sub-processors who help us operate the Service: cloud hosting, database, language model providers, email delivery, voice/telephony providers, error monitoring. Each sub-processor is bound by a written data-processing agreement.
  • Customer businesses, in respect of end-user data their workspace generated.
  • Authorities, where required by law and limited to what the law requires.

We do not sell personal information and do not share it for cross-context behavioural advertising.

7. International transfers

We are based in Pakistan. Our cloud infrastructure may store and process data in regions outside Pakistan, including the United States and the European Union. Where such transfers involve personal data of EEA, UK, or Swiss residents, we rely on Standard Contractual Clauses or equivalent safeguards with our sub-processors.

8. Retention

  • Customer account data: retained while the account is active and for up to 90 days after deletion to allow for restoration.
  • Conversation history (calls, chats, emails, WhatsApp): retained for 24 months by default; customer businesses can configure a shorter retention period in their workspace settings.
  • Backups: rolled forward on a 30-day cycle; deletion requests are honoured within the next backup cycle.
  • Aggregated, de-identified analytics: retained indefinitely.

9. Your rights

Depending on where you are located, you may have rights to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete data (subject to legal retention obligations).
  • Restrict or object to certain processing.
  • Data portability — receive your data in a machine-readable format.
  • Withdraw consent where processing is based on consent.
  • (California residents) Opt out of any "sale" or "share" of personal information — we do not engage in either, but you may still submit the request.
  • Lodge a complaint with a supervisory authority.

To exercise any of these rights, email privacy@getreceptive.com from the email address associated with your account, or contact the customer business you interacted with if you are an end-user. We respond within 30 days.

10. Data deletion procedure

You can request deletion of your personal data at any time. Two paths:

10.1 Customer (business) account deletion

  1. Sign in to your Receptive AI account.
  2. Navigate to Settings → Account.
  3. Click Delete account and confirm.
  4. Your workspace, conversation history, knowledge base, and connected integrations are scheduled for deletion. Account data is removed within 30 days; backup copies are purged within 60 days.
  5. If you cannot access your account, email privacy@getreceptive.com from the email address on file. We will verify your identity and process the deletion within 30 days of verification.

10.2 End-user data deletion (you contacted a business using Receptive AI)

  1. Email privacy@getreceptive.com with the subject line "End-user data deletion".
  2. Include: the business you contacted, the channel (phone, email, web chat, WhatsApp), and the identifier you used (phone number / email).
  3. We will forward the request to that business and assist them in fulfilling it within the timeframe required by applicable law.

10.3 Google Calendar data deletion

If you connected a Google account to Receptive AI to enable calendar booking, you can revoke our access and have us delete the stored Google OAuth tokens at any time. The full procedure (in-app disconnect, revocation at myaccount.google.com/permissions, what we delete and when) is described in Section 5.5 above. To additionally request deletion of the booking records Receptive AI created from your bookings, email privacy@getreceptive.com.

10.4 Facebook / Meta data deletion

If you authorised Receptive AI through Meta Embedded Signup (e.g. by connecting your WhatsApp Business Account), you can revoke our access at any time:

  1. Sign in to facebook.com/settings/applications.
  2. Find Receptive AI in the list of authorised apps.
  3. Click Remove.

Within seven days of revocation we delete the associated access token from our systems and stop processing inbound WhatsApp messages for that account. Stored conversation history is retained per Section 8 unless you also email privacy@getreceptive.com to request its deletion.

11. Security

  • All connections to our application are encrypted with TLS 1.2 or higher.
  • Sensitive credentials (third-party access tokens) are encrypted at rest with AES-256-GCM. Encryption keys are stored separately from the database.
  • Database access is restricted by row-level security; each workspace can only see its own data.
  • We follow the principle of least privilege for staff access. All staff with data access are bound by confidentiality obligations.
  • We log security-relevant events and review them regularly for anomalies.

12. Children

Receptive AI is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

13. Changes to this policy

We may update this Privacy Policy. The "Last updated" date at the top reflects the latest version. Material changes will be communicated to customers by email or in-product notice at least 14 days before they take effect.

14. Governing law and contact

This Privacy Policy is governed by the laws of Pakistan. Any dispute arising from it will be subject to the exclusive jurisdiction of the competent courts of Pakistan.

Privacy questions and requests: privacy@getreceptive.com.
Postal address available on request.