Legal

Privacy Policy

Effective June 21, 2026

1. Introduction

This Privacy Policy describes how StoneFrame Labs Inc. (“CurbsideOps,” “we,” “us,” or “our”) collects, uses, and shares information when you use the CurbsideOps service, including our website at curbsideops.com, our admin portal, and the CurbsideOps Telegram bot (together, the “Service”).

By using the Service, you agree to the collection and use of information in accordance with this Policy.

2. Information We Collect

Information you provide

  • Account data. When you sign up, we collect your name, email address, and password (handled by our authentication provider, Clerk). For business accounts, we also collect your business name, city, state, phone number, and timezone.
  • Staff data. When you invite crew members, you provide their names, phone numbers, emails, and Telegram handles so the Service can reach them.
  • Operational data. Brands, trucks, events, warehouse locations, feedback form responses, and photos you or your staff submit.
  • Billing data. Handled by Stripe. We store your Stripe customer and subscription identifiers; we do not store full payment card numbers.

Information from integrations

When you connect a third-party account, we receive data from that service on your behalf. This may include: Google Calendar events and attendees; Gmail drafts you create through the Service; Square sales, orders, tips, and location data; Bouncie GPS telemetry (vehicle location, trips, IMEI); Telegram chat and message metadata; Quo (OpenPhone) SMS metadata; and Azure Maps and OpenWeatherMap query results.

Information collected automatically

  • Usage and telemetry. AI model identifiers, token counts, execution duration, and error traces, so we can meter usage and diagnose issues.
  • Session cookies. Set by our authentication provider (Clerk) to keep you logged in. We do not use third-party advertising or analytics cookies.

3. How We Use Information

  • To provide, operate, and improve the Service.
  • To deliver automated briefings, reminders, weather alerts, sales summaries, and other messages to you and your crew over Telegram, SMS, or email.
  • To process payments, manage subscriptions, and meter token-based usage.
  • To respond to support requests and communicate about the Service.
  • To detect, prevent, and address security issues, abuse, or violations of our Terms.
  • To comply with legal obligations.

4. AI Processing

The Service uses large language models (currently Anthropic’s Claude, accessed through Amazon Web Services Bedrock) to answer questions, draft messages, and generate briefings. Inputs may include your staff names, calendar events, sales figures, event locations, and the text of messages your crew sends through the Telegram bot.

We do not use your data to train third-party foundation models. AWS and Anthropic process this data as subprocessors under their own terms; see the list of subprocessors below. AI outputs can be inaccurate — always verify important information before acting on it.

5. Sharing and Subprocessors

We do not sell your personal information. We share information only with the service providers we rely on to run CurbsideOps, and only as needed to provide the Service:

  • Clerk — authentication and identity.
  • Render — application hosting, PostgreSQL database, and Redis queue.
  • Vercel — hosting for our website, admin dashboard, and portal.
  • Cloudflare — R2 object storage for media you upload.
  • Amazon Web Services — Bedrock (AI inference) and AgentCore Memory.
  • Anthropic — AI model inference (via Bedrock).
  • Stripe — subscription billing and payment processing.
  • Google — Calendar and Gmail integrations you authorize.
  • Square — POS and sales integration you authorize.
  • Bouncie — GPS fleet tracking you authorize.
  • Telegram — messaging transport for the crew bot.
  • Quo (OpenPhone) — SMS delivery.
  • Microsoft Azure — maps and routing.
  • OpenWeatherMap — weather data.
  • Sentry (optional) — error monitoring.

We may also disclose information if required to do so by law, to enforce our Terms, or to protect the rights, property, or safety of CurbsideOps, our users, or others. If we undergo a merger, acquisition, or asset sale, your information may be transferred as part of that transaction.

6. Data Retention

We retain your account data for as long as your account is active. Operational data (events, conversations, logs) is retained to support the Service and for reasonable audit and billing purposes. When you delete a tenant or close your account, we delete associated records (including staff, credentials, and event reports) within a reasonable period, subject to backups and legal retention obligations.

7. Security

We encrypt third-party credentials and bot tokens at rest. Tenant data is isolated using PostgreSQL row-level security so one customer’s data cannot be accessed by another. Access to production systems is restricted to authorized personnel. No system is perfectly secure; we cannot guarantee absolute security, but we work to protect your information with appropriate technical and organizational measures.

8. Your Rights

Depending on where you live, you may have the right to access, correct, delete, or export your personal information, and to object to or restrict certain processing. You may also withdraw consent for an integration at any time by disconnecting it in the portal. To exercise these rights, email support@curbsideops.com. We will respond within the time required by applicable law.

9. International Users

CurbsideOps is operated from the United States. If you access the Service from outside the U.S., your information will be transferred to, stored, and processed in the U.S. and other jurisdictions where our subprocessors operate.

10. Children

The Service is not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.

11. Changes to This Policy

We may update this Policy from time to time. When we make material changes, we will notify you through the Service or by email. Continued use of the Service after the effective date of an updated Policy constitutes your acceptance of the changes.

12. Google API Services — Limited Use

CurbsideOps’s access to, use of, and transfer of information received from Google APIs adhere to the Google API Services User Data Policy, including the Limited Use requirements.

What we access, and why

  • Google Calendar (scopes calendar and calendar.events) — to read and write the events that make up your catering and service schedule, so the assistant can show, create, and update bookings on your behalf.
  • Gmail — read (scope gmail.readonly) — to read incoming catering-inquiry emails so the assistant can extract lead details (customer, date, location, party size) into your Catering Inbox. We access only what is needed to surface and organize leads.
  • Gmail — compose (scope gmail.compose) — to create draft replies to those inquiries for you to review. The Service never sends email on your behalf; we deliberately do not request the gmail.send scope.

How we limit use

  • We use Google user data only to provide and improve these user-facing features — never for advertising, and never to train generalized AI/ML models.
  • We do not sell Google user data, and do not transfer it to others except as needed to provide the Service, to comply with applicable law, or as part of a merger or acquisition with notice to you.
  • We do not allow humans to read your Google data except (a) with your consent, (b) for security purposes or to comply with applicable law, or (c) where the data has been aggregated and anonymized.
  • Google credentials are encrypted at rest and isolated per tenant with PostgreSQL row-level security. You can revoke access at any time by disconnecting the integration in the portal or from your Google Account permissions page.

13. Contact

StoneFrame Labs Inc. d/b/a CurbsideOps
Questions, requests, or privacy concerns: support@curbsideops.com