Privacy Policy
- We collect account data, the lead data our Customers ingest into the service, the content of the SMS and phone conversations our AI conducts on our Customers' behalf, and standard product telemetry.
- We do not sell personal information, and we do not let our AI subprocessors train foundation models on your conversations, your calendar data, or your leads' data.
- We honor opt-outs from SMS and calls within 10 business days and keep the required records for at least 5 years.
- You can reach us at privacy@trynorthdesk.com for any privacy request.
01 Who we are
We are Fair Lakes LLC, a North Carolina limited liability company doing business as North Desk.
This Privacy Policy describes how Fair Lakes LLC (“North Desk,” “we,” “us,” or “our”) collects, uses, shares, retains, and protects personal information in connection with the North Desk website at trynorthdesk.com (the “Site”) and the North Desk speed-to-lead automation service (the “Service”).
The Service is a multi-tenant B2B platform. Our direct customers are small businesses that subscribe to North Desk to ingest inbound sales leads, respond to those leads by SMS, escalate to AI-powered voice callbacks, and book appointments into their calendars (each a “Customer”). The individuals whose leads our Customers ingest, and whom our Service contacts by SMS or voice on the Customer’s behalf, are “End Users.”
For personal information collected through the Service about End Users, North Desk acts as a processor (or “service provider” under the California Consumer Privacy Act) on behalf of the Customer that ingests the lead. For personal information collected about visitors to the Site and about Customer account holders, North Desk acts as a controller (or “business” under the CCPA).
Contact us at privacy@trynorthdesk.com (privacy and data requests) or support@trynorthdesk.com (general support). Our mailing address is: Fair Lakes LLC, 301 Fair Lakes Dr, Wilmington, NC.
02 Information we collect
Account data, the lead and conversation data our Customers process through the Service, integration tokens, usage analytics, and billing details.
Account data (Customers)
When a Customer creates an account, we collect name, business name, business address, email, phone number, password hash, role at the business, and account preferences. If the Customer signs in with a third-party identity provider (Google, Microsoft), we receive the identifiers and profile attributes that the Customer authorizes that provider to share with us.
Customer-provided lead and End User data
Our Customers push lead records into the Service through web forms we host, webhook integrations (for example, from Meta Lead Ads, Google Lead Form Assets, or a Customer’s own form tool), and direct API calls. These lead records typically include the End User’s name, phone number, email, the product or service the End User inquired about, any free-text message the End User submitted, and the End User’s consent to be contacted. The Customer is responsible for the lawful collection and lawful transfer of this information to the Service.
Conversation content (SMS, voice, transcripts)
When the Service contacts an End User on a Customer’s behalf, we process the content of SMS messages sent and received, the audio of voice calls placed or received, machine-generated transcripts of those calls, AI-derived summaries and metadata (for example, caller sentiment, detected intent, detected booking), and delivery metadata from our telephony provider (message status, opt-out keywords received, call duration, call outcome).
Integration tokens and calendar data
When a Customer connects Google Calendar or Microsoft 365 / Outlook Calendar to the Service, we receive OAuth access tokens and refresh tokens issued by Google or Microsoft. We use those tokens to read free/busy availability and to create, reschedule, or cancel calendar events on the Customer’s behalf. We describe our handling of Google and Microsoft data separately in Sections 4 and 5 below.
Payment data
We use Stripe, Inc. as our payment processor. When a Customer enters payment card details, those details are transmitted directly to Stripe and are not stored on North Desk servers. We receive from Stripe a tokenized reference to the payment method, the last four digits of the card, the card brand, billing address, and transaction history. We use Stripe for payments, analytics, and other business services. Stripe may collect personal data including via cookies and similar technologies. Stripe uses this information to operate and improve the services it provides to us, including for fraud detection, loss prevention, authentication, and analytics related to the performance of its services. See Stripe’s Privacy Policy for Stripe’s data handling practices.
Usage, device, and log data
We collect standard web and application telemetry: IP address, user-agent string, browser and device identifiers, referrer, pages visited on the Site, actions taken in the Service, error logs, and timestamps. We use first-party and third-party cookies and similar technologies for session management, security, and product analytics.
Information you send us directly
If you contact us by email, submit the demo-call form on our Site, or book a discovery call, we collect the information you provide (name, phone number, email, your message, meeting notes) so we can respond.
03 How we use information
To provide the Service our Customers pay for, to bill accurately, to keep the platform safe, and to comply with the law.
We use personal information for the following purposes:
- Provide the Service. Ingest leads, send SMS, place and receive voice calls, transcribe and summarize conversations, book calendar appointments, route emergencies, notify Customers of new bookings and opt-outs.
- Bill accurately. Calculate subscription fees, meter conversation and usage counts, process payments through Stripe, collect taxes, and deliver receipts.
- Support our Customers. Respond to support requests, investigate reported issues, and deliver account notifications.
- Secure the platform. Detect and investigate fraud, abuse, Acceptable Use Policy violations, and security incidents; enforce our Terms of Service.
- Improve the product (with limits). Aggregate and de-identified metrics let us understand Service performance and roadmap priorities. We do not use End User conversation content, call audio, transcripts, or calendar data to train general-purpose AI/ML models. See Section 8.
- Comply with law. Respond to legally compelled disclosures, retain records required by TCPA, tax, and accounting rules, and cooperate with legitimate law-enforcement requests.
- Communicate with you. Send transactional notices (billing, security, service changes). With your consent where required, send product announcements or marketing — each marketing email includes a one-click unsubscribe.
What we do not do. We do not sell personal information. We do not share personal information with third parties for cross-context behavioral advertising. We do not use data received from Google APIs, Microsoft Graph, or any End User communications processed through the Service to train general-purpose AI/ML models, or to serve advertising, or to enrich marketing profiles for third parties.
04 Google API Services / Limited Use
If you connect Google Calendar, we only touch event data needed to book appointments, and Google’s Limited Use rules control what we can and cannot do with it.
North Desk’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Scopes requested
We request two Google OAuth 2.0 scopes, split so each is at the narrowest surface Google offers for the behavior we need: https://www.googleapis.com/auth/calendar.events.freebusy for reading busy intervals (Google returns only start/end timestamps, never event titles, descriptions, or attendees) and https://www.googleapis.com/auth/calendar.events for writing the appointment event. We do not request the full-calendar scope, the calendar.readonly scope, or any calendar-settings or calendar-list scope.
What we access and why
We read free/busy information and event metadata on the specific calendars the Customer authorizes, so our AI receptionist and speed-to-lead logic can propose times that are actually open. We create, reschedule, and cancel appointments on those calendars in response to End User requests conducted through the Service. We do not read the full content of calendar events the Customer did not schedule through North Desk except where such reading is strictly necessary to avoid double-booking.
How we store and protect Google user data
OAuth access and refresh tokens are encrypted at rest in our Supabase Postgres database. Access to decrypt them is restricted to production Service workers; no employee has standing access to the plaintext tokens. Event metadata necessary to audit bookings (event ID, start/end timestamp, Customer association) is retained for the duration of the Customer’s subscription plus 30 days; we do not mirror the Customer’s full calendar to our database.
What we do not do with Google user data
Consistent with the Google API Services User Data Policy and its Limited Use requirements, North Desk does not:
- (a) transfer, sell, or use information received from Google APIs for serving advertising, including retargeting, personalized advertising, or interest-based advertising;
- (b) transfer or sell information received from Google APIs to third parties such as advertising platforms, data brokers, or information resellers;
- (c) use information received from Google APIs to develop, train, or improve generalized or non-personalized AI or machine learning models, including large language models; or
- (d) allow humans to read Google user data, except (i) with the user’s explicit consent for specific records, (ii) for security investigations, (iii) to comply with applicable law, or (iv) for internal operations, and in that case only after the data has been aggregated and de-identified.
Revoking access
Customers can revoke our access to Google user data at any time from within the North Desk dashboard integrations settings, or directly at myaccount.google.com/permissions. Revocation causes us to purge the associated OAuth tokens within 7 days; event metadata on calendar items we created is retained as described above for audit purposes only.
05 Microsoft Graph Services
The same rules we apply to Google apply to Microsoft 365 / Outlook: we only touch what we need to book appointments, and we do not use that data to train AI models.
Scopes requested
We request the Calendars.ReadWrite (delegated) and offline_access scopes via Microsoft identity platform OAuth 2.0. Calendars.ReadWrite allows us to read and write events on the calendars the Customer authorizes. offline_access issues a refresh token so we can continue to book and manage appointments after the user closes the consent window.
What we access and why
We read free/busy availability and event metadata on the specific calendars the Customer or the Customer’s tenant administrator authorizes. We create, reschedule, and cancel appointments on those calendars in response to End User requests handled by the Service.
How we store and protect Microsoft 365 data
OAuth access and refresh tokens issued by Microsoft are encrypted at rest in our Supabase Postgres database with the same controls described for Google in Section 4. Customers and tenant administrators can revoke our access at myapplications.microsoft.com or from within Microsoft Entra ID (Azure Active Directory) at any time.
What we do not do with Microsoft 365 data
North Desk does not use information received from Microsoft Graph for advertising of any kind, does not sell or transfer Microsoft 365 data to third parties other than the subprocessors listed in Section 9 as necessary to provide the Service, does not use Microsoft 365 data to train general-purpose AI/ML models, and does not allow humans to read Microsoft 365 data except with user consent, for security investigations, to comply with law, or after aggregation and de-identification.
06 SMS, telephony, and TCPA disclosures
Your phone number is not sold or shared for marketing. STOP opts you out. We honor opt-outs within 10 business days and keep the records for 5 years.
Messaging frequency and costs
When a Customer’s configuration causes the Service to send SMS messages to an End User, message frequency varies by Customer and by the End User’s response pattern. Message and data rates may apply from the End User’s mobile carrier. North Desk does not charge End Users for SMS messages.
Opt-out and help
End Users can reply STOP (or END, CANCEL, UNSUBSCRIBE, QUIT, REVOKE, OPT OUT, or any reasonable equivalent) at any time to opt out of further SMS from the Service on that Customer’s behalf. End Users can reply HELP to receive the Customer’s identity and a support contact. Consistent with the Federal Communications Commission’s 2024 Declaratory Ruling (FCC 24-17) and its 2025 revocation rule, we honor opt-out requests as soon as practicable and in no event later than 10 business days after receipt, and we propagate the opt-out across SMS and voice channels associated with the Customer.
No sharing of mobile information for marketing
No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties, except with our telecommunications and messaging service providers (for example, Twilio) solely as necessary to deliver the message to you.
Consent is not a condition of purchase
Where a Customer uses the Service to initiate marketing SMS or AI-voice outreach, the Customer is required by our Terms of Service to obtain prior express written consent (PEWC) from each End User, and consent to receive such messages is never a condition of purchasing any good or service. Our demo-call form on the Site obtains your consent to one automated demo call to the number you provide; that consent is likewise not a condition of purchase.
TCPA compliance
North Desk processes SMS and voice communications in a manner designed to comply with the Telephone Consumer Protection Act (47 U.S.C. § 227), the Federal Communications Commission’s implementing regulations (including 47 CFR § 64.1200 as amended), FCC 24-17 (confirming that AI-generated voice is an “artificial or prerecorded voice” under the TCPA), and the Telemarketing Sales Rule (16 CFR Part 310). We retain opt-in consent records and opt-out records for at least 5 years.
07 Call recording and AI voice disclosures
Every call opens by disclosing that the caller is an AI assistant and that the call may be recorded. That satisfies both bot-disclosure laws and two-party consent states.
AI voice disclosure (SB 1001 and parallel laws)
Consistent with California Business & Professions Code §§ 17940–17943 (SB 1001), the Utah AI Policy Act, the Colorado AI Act, and comparable statutes, every voice call placed or answered by the Service opens with a disclosure identifying the caller as an automated assistant calling on behalf of the Customer. A representative opening utterance is:
“Hi, this is [AI assistant name], an automated assistant calling on behalf of [Customer]. This call may be recorded for quality, training, and service purposes. If you’d prefer not to continue, you can hang up now or ask me to connect you to a person.”
Recording and two-party consent
Calls handled by the Service may be recorded and transcribed to deliver the Service, provide support, resolve disputes, and improve accuracy. The opening disclosure above serves as the all-party consent notice for California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, New Hampshire, Oregon, Pennsylvania, and Washington, as well as any other jurisdiction that requires notice of recording. End Users who do not consent to recording can terminate the call at the opening or at any time thereafter.
Caller identification
Consistent with 47 CFR § 64.1200(b)(1), the opening utterance also identifies the entity responsible for the call. For AI-voice marketing calls, the Service additionally offers an automated opt-out mechanism during the call, as 47 CFR § 64.1200(b)(3) requires.
08 AI and machine learning
We use LLM providers to power conversations. We do not let them train foundation models on your data, and we enable no-retention configurations where they exist.
Our subprocessors for AI
North Desk uses Anthropic, PBC (Claude family of models) as our primary large-language-model provider. Where explicitly configured for a Customer, we may additionally use OpenAI, L.L.C. We use Vapi Inc. for voice orchestration (speech-to-text, LLM routing, text-to-speech, real-time call state).
No training on Customer Data or End User communications
We do not use End User communications, call audio, transcripts, SMS message content, booking data, or calendar data to train general-purpose or non-personalized foundation models. We contractually prohibit our AI subprocessors from doing so. Specifically:
- Anthropic. Per Anthropic’s Commercial Terms, “Anthropic may not train models on Customer Content from Services.” Where our enterprise tier permits, we will configure Zero Data Retention (ZDR).
- OpenAI. Per the OpenAI Business Terms, OpenAI does not use API inputs or outputs to train its models by default, and we do not opt in to training.
- Vapi. We configure Vapi for the minimum retention required for operational continuity and disable any optional training data collection.
- Google and Microsoft. As described in Sections 4 and 5, data received from Google APIs and Microsoft Graph is excluded from any AI/ML training pipeline by design.
AI accuracy disclaimer
Outputs generated by AI systems — including our voice assistant’s conversational responses, AI-drafted SMS, call summaries, and suggested actions — are probabilistic. They may be incomplete, inaccurate, or contextually inappropriate. Important decisions — including medical, legal, financial, and identity-verification decisions — should not be made solely in reliance on AI outputs. Our Customer remains responsible for reviewing booked appointments, transcripts, and any follow-up actions the Service takes on the Customer’s behalf.
09 Subprocessors
The third parties we rely on to run the Service. Each is bound by contract to protect personal information and to process it only on our instructions.
We engage the following subprocessors to provide the Service. We impose contractual confidentiality and data-protection obligations on each. We will notify Customers of material changes to this list in accordance with our Terms of Service and Data Processing Addendum.
| Subprocessor | Purpose | Location | Privacy notice |
|---|---|---|---|
| Twilio Inc. | SMS messaging and voice telephony (A2P 10DLC messaging; PSTN trunking for AI voice callbacks) | United States | Link |
| Vapi Inc. | Voice AI orchestration (real-time speech-to-text, LLM routing, text-to-speech, call state management) | United States | Link |
| Anthropic, PBC | Large language model inference (Claude) for conversational responses and AI-drafted SMS | United States | Link |
| OpenAI, L.L.C. | Large language model inference and speech-to-text (secondary provider, used only where explicitly configured) | United States | Link |
| Supabase Inc. | Primary database (Postgres), authentication, object storage for transcripts and call audio | United States (AWS us-east-1) | Link |
| Stripe, Inc. | Subscription billing, payment processing, fraud prevention, tax calculation | United States | Link |
| Vercel Inc. | Marketing site and application hosting, edge delivery, logs | United States | Link |
| Railway Corp. | Backend worker hosting (webhook processing, scheduled jobs, voice agent runtime) | United States | Link |
| Resend, Inc. | Transactional email (account notifications, receipts, support threads) | United States | Link |
| Cal.com, Inc. | Calendar integration middleware and scheduling UI | United States | Link |
| Google LLC | Google Calendar integration for appointment booking (when Customer connects Google) | United States | Link |
| Microsoft Corporation | Microsoft 365 / Outlook Calendar integration (when Customer connects Microsoft) | United States | Link |
10 Data retention
We keep only what we need for as long as we need it. Raw audio 90 days, transcripts and SMS content 13 months, account data for the life of the account plus 30 days.
- Raw call audio: up to 90 days after the call, then deleted or aggregated.
- Call transcripts and AI-generated summaries: up to 13 months, then deleted or aggregated.
- SMS message content (including inbound and outbound): up to 13 months, then deleted or aggregated.
- Lead records (name, phone, email, consent metadata) stored on the Customer’s behalf: for the duration of the Customer’s subscription plus 30 days, unless the End User or the Customer requests earlier deletion.
- Customer account data: for the life of the account plus 30 days, after which the account is purged except for records we are required to retain.
- Billing, invoicing, and tax records: 7 years, as required under IRS recordkeeping rules.
- TCPA opt-in consent records and opt-out records: at least 5 years.
- Security and application access logs: up to 12 months.
- Google and Microsoft OAuth tokens: until the Customer revokes access or terminates, then purged within 7 days.
We may retain information for longer where a legal obligation, litigation hold, or security investigation requires it. Where we retain information in aggregate or de-identified form, we commit not to re-identify it and to apply this Privacy Policy to any re-identified data as if it were still personal information.
11 Your privacy rights
You can ask to see, correct, export, or delete your personal information, and we respond within 45 days.
All users — how to exercise
Email us at privacy@trynorthdesk.com with the words “Privacy Request” in the subject line. We respond within 45 days, with a single 45-day extension where allowed by law. For requests that concern personal information we process on a Customer’s behalf (most End User requests), we will route the request to the Customer and assist them in responding, as required by law.
We do not discriminate against anyone for exercising these rights, and we will not require payment, degrade our service, or penalize you in any way for making a privacy request.
California residents (CCPA / CPRA)
If you are a California resident, you have the following rights, subject to limited exceptions:
- Right to know / access: what categories and specific pieces of personal information we have collected, the sources, the purposes, the categories of third parties with whom we have shared it, and the business or commercial purpose for collecting it.
- Right to delete personal information we have collected about you.
- Right to correct inaccurate personal information.
- Right to portability: receive your personal information in a portable, machine-readable format.
- Right to opt out of the sale or sharing of personal information for cross-context behavioral advertising.
- Right to limit use and disclosure of sensitive personal information.
- Right to non-discrimination for exercising any of the above rights.
CCPA — categories of personal information collected
In the past twelve months, we have collected the following statutory categories of personal information as defined in Cal. Civ. Code § 1798.140(v):
- (A) Identifiers — name, email, phone, account ID, IP.
- (D) Commercial information — billing history, subscription tier, transaction data.
- (F) Internet or network activity — log events, page views, error telemetry.
- (G) Geolocation data — IP-derived, non-precise.
- (H) Sensory information — call audio and transcripts of phone calls handled by the Service.
- (I) Professional or employment-related information — a Customer account holder’s role at their business.
- (K) Inferences — AI-derived caller sentiment, intent, and likelihood-to-book scores produced from conversations.
- (L) Sensitive personal information — the contents of mail, email, or text messages to which North Desk is not the intended recipient; and, where disclosed by End Users during a conversation, account log-in credentials and any other category-L information.
We have not “sold” or “shared” personal information as those terms are defined under CCPA/CPRA in the past twelve months, and we do not do so now. We do not offer financial incentives in exchange for personal information.
Do Not Sell or Share My Personal Information (California)
North Desk does not sell personal information and does not share personal information for cross-context behavioral advertising. If you are a California resident and wish to confirm this designation for your own records, email privacy@trynorthdesk.com with the subject line “Do Not Sell or Share.”
Other U.S. states
If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, New Hampshire, New Jersey, Nebraska, Iowa, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island, or any other U.S. state that has enacted a comprehensive consumer privacy law, we extend the rights enumerated above (access, correction, deletion, portability, opt-out of sale/targeted-advertising, limit on sensitive data use, appeal of denial, non-discrimination) in the manner and to the extent your state’s law requires. Where your state’s law provides a right to appeal a denied request, you may appeal by emailing privacy@trynorthdesk.com with “Appeal” in the subject line; we will respond within the statutory timeframe.
European Economic Area, United Kingdom, Switzerland
If you are located in the EEA, UK, or Switzerland, you may exercise GDPR (or UK GDPR) rights: access, rectification, erasure, restriction, objection, portability, and the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (we do not make such decisions — the Service assists humans, and the Customer remains responsible for any decision). Our legal bases for processing are performance of a contract, legitimate interests in operating and securing the Service, consent (where specifically required), and compliance with legal obligations. You may lodge a complaint with your supervisory authority.
12 Data security
Encryption in transit and at rest, scoped access, production-environment segregation, and written incident response.
We use commercially reasonable administrative, technical, and physical safeguards to protect personal information. These include: TLS 1.2 or higher for data in transit; industry-standard encryption at rest in our primary database and object storage; least-privilege access controls and periodic access reviews; multi-factor authentication for administrative access; separation of development and production environments; monitoring and logging of production systems; and a written incident-response procedure. In the event of a personal-data breach that presents a material risk to affected individuals, we will provide notice as required by applicable law.
No system is impenetrable, and no method of transmission or storage is perfectly secure. We cannot and do not guarantee the absolute security of personal information.
13 International data transfers
We process personal information in the United States. If you are outside the U.S., your data may be transferred to and processed here.
North Desk is based in the United States, and our service infrastructure is hosted in the United States. If you access the Service from outside the United States, your personal information will be transferred to, processed, and stored in the United States. Where we receive personal information from the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission’s Standard Contractual Clauses (SCCs) with our subprocessors, and where available, on our subprocessors’ EU–US Data Privacy Framework certifications. By using the Service from outside the United States, you acknowledge and consent to this transfer.
14 Children’s privacy
The Service is not directed to children under 13 and we do not knowingly collect from them.
The Service is a B2B platform intended for businesses and their adult representatives. The Service is not directed to children under 13 (or under 16 where applicable), and we do not knowingly collect personal information from children. If we learn that we have collected personal information from a child in violation of applicable law, we will delete that information promptly. Parents or guardians who believe a child has provided us personal information may contact privacy@trynorthdesk.com.
15 Changes to this policy
We’ll update the dates and notify Customers of material changes. Continued use means you accept the changes.
We may update this Privacy Policy from time to time. When we do, we will update the “Effective” and “Last updated” dates at the top of this page. For material changes, we will provide reasonable advance notice by email to Customer account administrators and by notice in the Customer dashboard. Your continued use of the Service after the effective date constitutes your acceptance of the updated Privacy Policy.
16 Contact
Questions, requests, complaints — email us and we’ll respond.
For privacy-related questions, requests, or complaints: privacy@trynorthdesk.com.
For general support: support@trynorthdesk.com.
For legal and Terms of Service matters: legal@trynorthdesk.com.
Mailing address: Fair Lakes LLC, 301 Fair Lakes Dr, Wilmington, NC.