Privacy Policy

Last Updated: April 27, 2026 (added Google Calendar / Google API Services disclosure — section 5.4)

1. Introduction and Scope

MissionOaks.dev, LLC, doing business as OzyOps ("we," "us," or "our"), located in Camarillo, California, provides AI-powered receptionist and follow-up services for law firms and solo practitioners. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our services, with special attention to maintaining attorney-client privilege and professional responsibility rules.

Services Covered:

  • OzyOps Services: 24/7 call answering, qualification, and routing
  • Customer Portal: Web-based portal for managing your OzyOps (portal.ozyops.com)
  • Follow-Up Services: Automated SMS sequences and consultation follow-up
  • Marketing Websites: ozyops.com, law.ozyops.com, trades.ozyops.com, health.ozyops.com

By using any of our services, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

2.1 Business Account Information

  • Account Information: Name, email address, phone number, firm name, address
  • Account Credentials: Email-based authentication (no passwords stored -- we use one-time codes)
  • Billing Information: Payment details processed securely through Stripe (we do not store card numbers)
  • Team Members: Names, email addresses, and roles of users you invite to your account

2.2 End User Information (Prospective Clients/Callers)

  • Contact Details: Name, phone number, email address
  • Case Information: Practice area and legal matter type, urgency level, scheduling preferences
  • Communication Records: Call recordings, transcripts, SMS history

2.3 Call Data

  • Call Recordings: Full audio recordings of all calls handled by our AI
  • Transcriptions: AI-generated text transcripts (may contain errors)
  • Call Metadata: Duration, time/date, caller ID, call disposition, AI analysis
  • SMS Data: Message content, timestamps, delivery status, consent records

3. How We Use Your Information

3.1 Service Delivery

  • Operating OzyOps to answer, qualify, and route calls
  • Booking consultations based on your availability rules
  • Escalating urgent matters to on-call attorneys or staff
  • Sending automated SMS follow-up sequences
  • Generating analytics and performance reports

3.2 Service Improvement

  • Analyzing de-identified usage patterns to improve our platform
  • Monitoring system performance and reliability
  • Developing new features based on aggregated usage data

AI Training Disclosure: OzyOps does not independently train AI models on your data. Our AI provider (Retell AI) may use de-identified and aggregated communications data to improve their models and services, as described in their Privacy Policy (retellai.com/legal/privacy-policy). For healthcare customers with an executed Business Associate Agreement, Retell's use of data is subject to HIPAA restrictions that prohibit identification of patients or practices.

3.3 Communications

  • Transactional: Billing notifications, usage alerts, service updates (cannot opt out)
  • Marketing: Product announcements, feature updates (can opt out via unsubscribe link)

4. Call Recording and Transcription

Important: All calls handled by OzyOps are recorded and transcribed. You are responsible for obtaining all required consents from callers. See our Terms of Service, Section 5 for consent obligations.

4.1 Attorney-Client Privilege

OzyOps handles initial intake and scheduling only. No substantive legal advice is provided, and no attorney-client relationship is formed through AI interactions. All communications are treated with confidentiality consistent with maintaining attorney-client privilege for your subsequent client relationships.

4.2 Recording Practices

  • Collection: All calls are recorded in full, including conversations with the AI
  • Processing: Call audio is processed by Retell AI (for real-time conversation handling) and transmitted via Twilio (telephony provider)
  • Storage: Processed recordings and transcripts are stored securely in our databases with AES-256 encryption
  • Access: Recordings are accessible to you and your authorized team members via the OzyOps dashboard. OzyOps staff access recordings only to investigate technical issues or respond to support requests
  • Retention: Call recordings are retained for 12 months from the call date

5. Data Sharing and Third Parties

We do not sell your personal information. We share information with the following service providers solely to deliver our services:

5.1 Technology Subprocessors

Provider | Purpose | Data Processed
Retell AI | Conversational AI engine | Voice data, call transcripts
Twilio | SMS messaging only | Phone numbers, SMS message content (generic/non-PHI)
Supabase | Database and authentication | Account data, call records, business data
Stripe | Payment processing | Billing information only
Resend | Transactional email | Email addresses, notification content
Sentry | Error monitoring | Technical errors only
Netlify | Application hosting | Transient processing (no data storage)
Google Calendar | Calendar booking integration (optional, customer-enabled) | OAuth tokens (encrypted), free/busy times, appointment events. See section 5.4 for full disclosure.

5.2 Other Disclosures

We may disclose information if required by law, legal process, or to protect the rights, property, or safety of OzyOps, our users, or others.

5.3 Google API Services Disclosure

When you connect your Google Calendar to OzyOps, we use Google's OAuth 2.0 to request narrowly-scoped access. We request only the minimum scopes necessary:

  • https://www.googleapis.com/auth/calendar.events — to write appointment events created by our AI on your primary calendar (and to read those events for follow-ups, rescheduling, or cancellation).
  • https://www.googleapis.com/auth/calendar.freebusy — to read free/busy availability windows so we can offer accurate appointment times to callers.

We do NOT request the full https://www.googleapis.com/auth/calendar scope, which would grant access to calendar settings, sharing controls, and other calendars beyond your primary.

What we access:

  • Free/busy time slots on your connected calendar — to find available appointment times when our AI books on your behalf.
  • We do NOT read existing appointment titles, attendees, descriptions, or any other event content beyond busy/free status.

What we write:

  • Appointment events created by our AI when a client books a consultation through our system. Events include the client name, contact info, and consultation details per your firm's preference.

What we store:

  • Encrypted OAuth access_token and refresh_token in our database (AES-256-GCM at rest), used to call the Google Calendar API on your behalf.
  • The connected Google account email, calendar ID, and timezone — for display in your settings page.
  • We do NOT store or cache any other Google user data.

How to delete:

  • Click "Disconnect" on Settings → Calendar at any time. We immediately delete your stored OAuth tokens and stop accessing your calendar.
  • You can also revoke OzyOps's access at any time at myaccount.google.com/permissions.

Compliance with Google's policies: OzyOps's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not:

  • Use Google user data to train, refine, or develop AI/ML models.
  • Sell, transfer, or share Google user data with third parties for advertising purposes.
  • Allow humans to read Google user data, except (a) with your explicit consent, (b) for security purposes (investigating abuse), (c) to comply with applicable law, or (d) for internal operations where the data has been aggregated and anonymized.

6. Data Security

  • Encryption in Transit: TLS 1.2 or higher for all data transmission
  • Encryption at Rest: AES-256 encryption for stored data
  • Access Controls: Role-based access control (Owner/Manager/Viewer), audit logging
  • Authentication: Email-based one-time codes, optional multi-factor authentication (TOTP)
  • Webhook Security: Cryptographic signature verification on all inbound webhooks

No security system is perfect. While we implement industry-standard safeguards, we cannot guarantee absolute security. You should maintain your own security practices.

7. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate information
  • Deletion: Request deletion of your personal information (subject to legal retention requirements)
  • Opt-Out: Unsubscribe from marketing communications
  • Data Portability: Receive your data in a structured, machine-readable format
  • Restrict Processing: Request that we limit how we use your data

To exercise these rights, contact us at privacy@ozyops.com. We will respond within 30 days.

8. Cookies and Tracking

  • Essential Cookies: Required for authentication and security (cannot be disabled)
  • Session Storage: Temporary data for user preferences (cleared on browser close)

We do not use third-party advertising trackers or sell data to advertisers.

9. Data Retention

Data Type | During Subscription | After Termination
Account Data | Retained while active | 90 days, then deleted
Call Recordings | 12 months from call date (may vary by vertical) | Per MSA: 90-day export window, then deleted
Financial Records | Retained while active | 7 years (tax/legal compliance)
SMS Consent Records | Retained while active | 3 years after last message (TCPA retention)

You may request early deletion of your data in writing. Upon request, we will provide your data in a structured format within 30 days of termination.

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: Request disclosure of what personal information we collect, use, and share
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out of Sale: We do NOT sell personal information
  • Right to Non-Discrimination: We will not treat you differently for exercising your privacy rights

To exercise CCPA rights, contact privacy@ozyops.com or call us. We will verify your identity before processing requests.

11. Children's Privacy

Our services are designed for businesses, not individuals under 18. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us at privacy@ozyops.com and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the portal dashboard. Your continued use of our services after changes constitutes acceptance of the updated policy. The "Last Updated" date at the top reflects the most recent revision.

13. Contact Us

For questions about this Privacy Policy:

MissionOaks.dev, LLC, doing business as OzyOps
Camarillo, California
General: hello@ozyops.com
Privacy: privacy@ozyops.com
Website: https://ozyops.com