[Little Engine, Inc.] · Effective date: April 20, 2026 · Version 1.0
This Privacy Policy explains how [Little Engine, Inc.] (“Little Engine,” “we,” “us,” or “our”) collects, uses, shares, and protects information in connection with our software, websites, mobile and desktop applications, AI agent, and related services (collectively, the “Service”). It applies to (a) independent service providers who sign up for an account (“Providers”), (b) clients of those Providers who interact with the Service by SMS, web link, or otherwise (“Clients”), and (c) visitors to our marketing websites.
This Policy should be read together with our Terms and Conditions. Capitalized terms not defined here have the meaning given in the Terms and Conditions.
Little Engine helps Providers run their independent businesses. The Service includes an AI agent that can send and receive messages on behalf of a Provider, schedule and reschedule appointments, request payments, and take other actions the Provider has authorized. Most Clients of Providers will primarily interact with the Service through SMS messages sent from the Provider's business phone number, and may also interact through secure personalized web links.
Because of this design, two important relationships shape how data is handled:
We collect the categories of information described below.
| Category | Examples | Source |
|---|---|---|
| Provider account data | Name, email, mobile number, business name and category, business address, profile photo, business hours, service offerings, pricing, cancellation and rescheduling policies | Provided by the Provider during sign-up and in settings |
| Client contact records | Name, mobile number, email, address, notes, tags, preferences, custom fields, profile photo | Entered by the Provider or by the Client (e.g., during client onboarding or from a Provider-initiated import) |
| Communications | SMS and MMS sent or received through the Service, in-app messages, voice notes, email or push notification content | Generated through use of the Service |
| Appointments and calendar | Appointment time, location, service, status, fees, notes; events imported from connected external calendars | Created in the Service or synced from connected accounts |
| Payments and billing | Tokenized payment method references, transaction amounts, payout records, package balances, fees | Payment card details are entered by the Client directly into Stripe's secure form and tokenized by Stripe; Providers never see raw card data. Other billing data is generated through use of the Service. |
| AI interaction data | Prompts to and responses from AI agents, tool-call history, approval and rejection decisions, agent memory blocks | Generated through use of the AI agent features |
| Device and technical data | IP address, device type, OS version, app version, push notification tokens, crash reports, performance traces | Collected automatically when you use the apps or websites |
| Authentication data | Phone number, one-time verification codes, session tokens, hashed device tokens, OAuth tokens for connected accounts | Generated during sign-in and account-linking flows |
| Consent records | Timestamps of consent to the Terms, Privacy Policy, and provider-specific cancellation and rescheduling policies | Captured at the time you accept |
We do not collect raw payment card numbers or bank account credentials. Those are handled directly by our payment processor. We do not knowingly collect personal information from children under 13 (see Section 11). We do not request government identification numbers (such as Social Security or passport numbers) from Providers or Clients through the Service.
We use information to:
We do not use the contents of Provider or Client communications to train foundational AI models for third parties or for general-purpose model development. We may use de-identified or aggregated data to evaluate, debug, and improve the Service's AI features (for example, by reviewing failure cases or scoring agent performance). Our AI sub-processors operate under contractual commitments that restrict their use of our data; see the sub-processor list in Section 6.
If you are in the European Economic Area, the United Kingdom, or another jurisdiction with similar requirements, we rely on the following legal bases:
Little Engine provisions a dedicated business phone number for each Provider through Twilio and registers messaging campaigns under U.S. A2P 10DLC requirements. By signing up, Providers represent that they have a lawful basis and the necessary consent to message each Client they add. The first message a Client receives identifies the Provider and includes opt-out instructions.
Clients can opt out of SMS at any time by replying STOP. Replying HELP returns help text and a contact reference. Standard message and data rates may apply. Opting out of SMS does not delete the underlying contact record held by the Provider; to request deletion, see Section 9.
AI-generated messages sent through the Service are sent in the voice of, and on behalf of, the Provider. The Provider is responsible for the content of all messages sent from their business phone number.
We share information in the following circumstances:
We use the sub-processors below to deliver the Service. Each is bound by a written agreement that limits their use of personal information to providing services on our behalf and requires them to apply appropriate safeguards. This list reflects our current production stack and may change; the most current version will be maintained in this Privacy Policy and we will provide notice of material changes.
| Vendor | Purpose | Categories of Data | Location |
|---|---|---|---|
| Twilio, Inc. | SMS/MMS messaging, voice, phone number provisioning, A2P 10DLC compliance, identity verification codes | Phone numbers, message content, delivery metadata, verification codes | United States |
| Stripe, Inc. / Stripe Connect | Payment processing, payouts to providers, payment method storage | Cardholder data (tokenized), bank account details for payouts, transaction history, billing identifiers | United States |
| Letta, Inc. | AI agent platform: agent memory, orchestration, tool execution | Conversation transcripts, provider business settings, client interaction history, agent memory blocks | United States |
| Anthropic, PBC · OpenAI, L.L.C. · Google LLC (Gemini) | Large language model inference for AI agent reasoning and message generation | Prompts and conversation context (may include message content and provider/client identifiers) | United States |
| Cloudflare, Inc. (R2) | Object storage and CDN for media files (avatars, attachments, vCards) | Uploaded images, audio recordings, documents, and associated metadata | United States / Global edge |
| Google LLC (Firebase / FCM) | Push notification delivery, device token management, optional real-time data sync | Device tokens, notification payloads, sync metadata | United States |
| Google LLC (Calendar API, OAuth) | Bidirectional calendar sync, Google Meet link generation | Calendar events, OAuth tokens, account email (only with explicit user authorization) | United States |
| Pinecone Systems, Inc. | Vector database for semantic search and agent memory retrieval | Vector embeddings of conversation and business content (no raw PII) | United States |
| Amplitude, Inc. | Product analytics and user behavior measurement (provider app only) | Hashed user identifiers, in-app event data, device/OS metadata | United States |
| Functional Software, Inc. (Sentry) | Application error monitoring and performance tracing | Stack traces, error metadata, sanitized request context | United States |
| Apple Inc. (APNs) | Push notification delivery on iOS devices (via Firebase) | Device push tokens, notification payloads | United States / Global |
| Shake Technologies, Ltd. | In-app bug and feedback reporting (provider app only) | Screenshots, app state snapshots, device metadata, user-submitted reports | European Union |
| Railway Corp. | Application hosting, managed PostgreSQL, managed Redis (current production) | All application data at rest and in transit during processing | United States |
Information you provide is shared with the parties intended by the Service. Information a Client sends to a Provider's number is delivered to that Provider; information a Provider records about a Client (such as appointments and notes) may be referenced in messages and confirmations sent to that Client.
When a Provider connects a third-party account such as Google Calendar, we exchange information with that account as needed to provide the integration. The third party's own privacy policy governs its handling of the data.
Google API Services User Data
Google API Data Use Disclosure: The use of raw or derived user data received from Workspace APIs will adhere to the Google User Data Policy, including the Limited Use requirements.
If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction. We will require the recipient to honor commitments in this Policy or notify you of material changes.
We may disclose information when we believe in good faith that disclosure is required by law, legal process, or governmental request, or to protect the rights, property, or safety of Little Engine, our users, or others. Where permitted, we will notify the affected user before disclosure.
We share information with other parties at your direction or with your consent (for example, when you choose to share a vCard or invoice).
We do not sell personal information for monetary consideration. We do not share personal information for cross-context behavioral advertising.
We retain personal information for as long as needed to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention behaviors include:
We implement administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit using TLS, encryption at rest for sensitive fields and stored device tokens, role-based access controls, audit logging, and least-privilege practices for production systems. Authentication is phone-based with one-time verification codes; session tokens have limited lifetimes. No system is perfectly secure; we cannot guarantee that information will never be accessed, disclosed, altered, or destroyed by a breach of any of our safeguards.
Depending on where you live, you may have the following rights with respect to personal information about you:
Providers can exercise most of these rights directly in the app (for example, by editing or deleting Client records, exporting data, or closing their account). Clients should generally direct requests to the Provider whose Service they are interacting with, since the Provider is the controller of that data. We will support Providers in fulfilling Client requests.
To submit a request directly to Little Engine, contact us at [privacy@littleengine.com]. We may need to verify your identity before fulfilling certain requests. We will respond within the timeframes required by applicable law.
California residents have additional rights under the California Consumer Privacy Act, as amended by the CPRA. The categories of personal information we collect, the purposes for which we collect them, and the categories of third parties with whom we share them are described in Sections 2, 3, and 6. We do not “sell” or “share” personal information as those terms are defined under California law. To exercise your California rights, contact us at the address in Section 14. Authorized agents may submit requests on your behalf with appropriate proof of authorization.
Little Engine is operated from the United States and most of our sub-processors store and process data in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States or other countries that may have data-protection rules different from those of your jurisdiction. Where required, we rely on appropriate transfer mechanisms (such as the European Commission's Standard Contractual Clauses) to provide protection for international transfers.
The Service is not directed to children under the age of 13, and we do not knowingly collect personal information from anyone under 13. Providers are responsible for ensuring that Clients added to the Service are old enough to consent to receive messages and to engage the Provider's services under applicable law. If you believe a child has provided us with personal information, please contact us at the address in Section 14 and we will take appropriate action.
The Service may link to or interoperate with third-party services (for example, Google Calendar, Stripe, or web links shared with Clients). The privacy practices of those services are governed by their own policies, which we encourage you to review.
We may update this Policy from time to time. When we make material changes, we will update the “Effective date” at the top and provide reasonable notice (for example, by email to Providers, an in-app notice, or a notice on our website) before the change takes effect. Your continued use of the Service after the effective date of an updated Policy constitutes your acceptance of the updated Policy.
If you have questions about this Policy or about our handling of personal information, contact us at:
Little Engine Ai Inc.
14205 N Mo Pac Expy Ste 570 PMB 159864
Austin, Texas, 78728-6529
Email: hello@littleengine.com
Phone: +1 (512) 300 4334
Effective: April 20, 2026