Privacy Policy — Dispatch Bros

1. Introduction

Dispatch Bros Inc. ("Dispatch Bros," "we," "us," or "our") operates a multi-tenant field service dispatch and operations platform (the "Platform") for home service businesses. This Privacy Policy describes the personal information we collect, how we use and share it, how long we keep it, and your rights.

This policy applies to the Platform, our public website, our mobile applications, and related services. It does not cover third-party services that you connect to the Platform; those are governed by their own policies.

By using the Platform you acknowledge that you have read and understood this policy. If you do not agree, please discontinue use.

2. Our role and who this policy covers

The Platform is sold to businesses ("Tenants") — for example, garage door, HVAC, plumbing, and similar field service operators. Several different people may interact with the Platform:

Tenant administrators and staff (owners, admins, dispatchers, technicians) who sign in to operate the Platform.
End-customers of a Tenant whose contact information, job records, and communications a Tenant uploads or generates while using the Platform.
Recipients of communications sent through the Platform, such as people receiving SMS, WhatsApp, voice calls, or transactional emails initiated by a Tenant.

For Tenant staff, Dispatch Bros generally acts as the controller of the personal information used to provide accounts and the Platform itself. For end-customer data that a Tenant uploads or generates inside the Platform, Dispatch Bros generally acts as a service provider or processor — the Tenant remains responsible for the lawful collection, notice, consent, and use of its own customer data, including obtaining any required communications consents.

3. Information we collect

We collect information that Tenants and Tenant staff provide directly, information generated automatically by use of the Platform, and information from the service providers listed in Section 10.

Account and profile information

Email address, first and last name, phone number, role (owner, admin, dispatcher, technician), commission rate where applicable, technician home base address and coordinates if supplied, account active/inactive status.
Authentication credentials are managed by Supabase Auth. Passwords are stored as salted hashes by Supabase; we do not see your plaintext password.
For Tenant signup: company name, intended plan, and free-trial state.

Tenant business records (entered or generated by Tenants)

End-customer records: name, phone number, email, physical address, geocoded latitude/longitude, notes, and opt-out status.
Jobs, scheduling, technician assignments, status, photos, technician and customer notes, estimated and final cost.
Estimates, invoices, line items, change orders, contracts and signing records.
Finance records used to compute commissions, payouts, and company share, plus an audit log of finance edits.
Job-related photos uploaded into our object storage for tenant-facing display.

Communications data

SMS messages (inbound and outbound), including direction, from/to numbers, message body, status, provider message identifiers, delivery and failure events, and any links to jobs.
WhatsApp conversations and messages, including direction, phone numbers, message body, message type, provider message identifiers, status, and the raw provider payload as returned by Meta's WhatsApp Business API.
Voice call metadata, including call SID, direction, from/to numbers, status, started/ended timestamps, customer linkage, and call notes.
Voice call recordings when a Tenant has call recording enabled. Recordings are downloaded from Telnyx by our servers and stored in our object storage. Tenants control whether recording is enabled at the company level.
Call flow / IVR configurations and per-tenant Telnyx subaccount state used to route calls.

Payment and billing data

Stripe customer identifiers, Stripe subscription identifiers, payment intent identifiers, charge identifiers, and the last four digits and brand of saved payment methods where applicable.
Tenant subscription tier, plan limits, billing history, and webhook event ledger entries used for reconciliation and fraud prevention.
Stripe Connect onboarding state for Tenants who collect field payments through the Platform.
We do not receive or store full payment card numbers. Card input is handled by Stripe Elements / the Stripe Payment Element directly between you and Stripe.

Location information

End-customer addresses are geocoded via the Google Maps Geocoding API to obtain latitude/longitude for routing and map display.
Technician live location is collected only in the foreground while the technician explicitly opts in via the mobile app and is shown on the dispatcher map. We do not run silent background tracking.

Device and push notification information

Mobile push notification tokens (Apple Push Notification service or Firebase Cloud Messaging), platform (iOS or Android), token kind, application version, operating system version, device model, last seen / last active timestamps, and an active/inactive flag.
We use these to deliver transactional notifications such as inbound-SMS alerts and to keep the application functioning. We do not use device data for advertising profiling.

AI-feature inputs and outputs

When a Tenant uses an AI feature inside the Platform (such as summary generation, message drafting, insights, or recommendations), we send the prompt and a relevant business context — for example summary statistics about jobs, invoices, estimates, customer counts, or specific message content — to our AI provider on the Tenant's behalf.
We store AI assistant chat history per company so that the assistant can maintain context for the Tenant.
AI output may be inaccurate or incomplete. Tenants are responsible for reviewing and verifying AI-generated content before relying on it or sending it to customers.

Automatically collected information

Activity log entries describing who performed which action (login, job creation/update/close, finance edits, role changes, settings changes, customer/invoice mutations) and when.
Webhook delivery records and provider event logs used for reconciliation, debugging, and incident response.
Operational logs that may include browser type and basic request metadata for diagnostics and abuse prevention.
For our public review/feedback tracking endpoint, we may log IP address and user agent at the time the event was submitted for abuse prevention, attribution, and review-routing diagnostics.

4. How we use information

We use the information described above to:

Provide, operate, and maintain the Platform.
Carry out a Tenant's instructions: scheduling, dispatch, invoicing, communications, payments, and reporting.
Send and receive SMS, WhatsApp, and voice communications as configured by a Tenant.
Geocode addresses and optimize technician routing on a Tenant's map.
Process subscription billing and, where enabled, Tenant's own customer payments through Stripe Connect.
Generate analytics, summaries, and recommendations a Tenant requests.
Maintain account, finance, and audit logs for security, compliance, accounting, and dispute resolution.
Detect and prevent fraud, abuse, account takeover, and security incidents.
Provide customer support and respond to your inquiries.
Comply with legal obligations and enforce our terms.
Improve the Platform's reliability and operational quality.

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising.

5. Communications, telephony, WhatsApp, and recordings

The Platform sends and receives messages and calls on a Tenant's behalf. Telnyx provides our SMS, voice, phone numbers, and WebRTC infrastructure. Meta's WhatsApp Business Platform provides our WhatsApp messaging.

Outbound and inbound SMS bodies, sender/recipient phone numbers, message IDs, and delivery events flow through Telnyx and are stored in our database. Inbound webhook payloads may also be retained in support of delivery and dispute review.
STOP / HELP / START keywords are detected on inbound SMS and automatic replies are sent through Telnyx. The Platform blocks outbound SMS to recipients who have opted out.
Voice call metadata is captured for every call. If a Tenant has call recording enabled (the per-company toggle), the Platform downloads the recording from Telnyx and stores it in our object storage for the Tenant's playback and compliance use.
For WhatsApp, we connect to a Tenant's WhatsApp Business Account via Meta's Embedded Signup. Message content, templates, conversations, and delivery metadata pass through Meta and are also stored in our database to display conversations in the Platform.
WhatsApp use is also governed by Meta's WhatsApp Business Policy and Meta's Privacy Policy.

Tenants are solely responsible for obtaining any consents required by applicable law (for example, telephone consumer protection laws, two-party call recording rules, and SMS marketing rules) before sending marketing or recorded communications. Tenants are responsible for honoring opt-out and do-not-contact requests they receive directly.

6. Payments and billing

Subscription billing for the Platform itself is processed by Stripe. Where a Tenant enables in-app payment collection from their own customers (Stripe Connect), Stripe also processes those payments.

We do not receive or store full payment card numbers. Card data is entered into Stripe Elements / the Stripe Payment Element and is sent directly to Stripe.
We store Stripe customer IDs, subscription IDs, payment intent IDs, charge IDs, the last four digits and card brand where applicable, plan and trial state, and a billing history ledger used for reconciliation, fraud prevention, dispute handling, and tax/accounting requirements.
When a Tenant collects payment from one of its own customers or saves a card on file, Stripe may receive end-customer data needed to create the charge or the saved-card record: customer name, customer email when provided, customer phone when provided for receipts, billing postal code (where supplied), and Dispatch-Bros-internal identifiers (such as tenant company ID, end-customer ID, job number, invoice ID, payment-collector user ID, payment / collection-mode flags, and tip / tax amounts) attached as Stripe metadata for reconciliation. Where a billing postal code is supplied, we send the postal code together with country code "US". We do not currently send Stripe a full street address.
Stripe's own privacy practices apply to data submitted directly to Stripe.

7. Location data

Two kinds of location data may be processed:

Customer addresses entered by Tenants are geocoded through the Google Maps Geocoding API to obtain latitude / longitude. The original address text and the resulting coordinates are stored against the customer record so that maps and routing can be displayed.
Technician live location is collected only while the technician opts in inside the mobile application and is shown on the dispatcher map. We store a single latest location per technician, and the data is deleted when the technician's account is deleted. The Platform does not run silent background tracking.

Google's use of address text to perform the geocoding is subject to Google's own privacy and data terms.

8. AI features

Some features of the Platform use AI to summarize, draft, or recommend. When a Tenant uses an AI feature, the Platform sends a prompt and a contextual payload — which can include items such as recent jobs, invoices, estimates, customer names, service or job descriptions, message content, and other business context — to our AI provider, which is Anthropic, so that the model can return a response. The Platform's AI chat assistant additionally stores assistant message history per company so that the assistant can maintain context.

Anthropic processes the submitted prompt and context to return a response. We disclose AI processing here so Tenants can decide whether to use AI features with their business data. AI output may be inaccurate, outdated, or incomplete and should always be reviewed by the Tenant before being relied on, sent to a customer, or used as a system of record.

9. Push notifications and device information

When a user installs and signs in to the mobile application and grants notification permission, we register the device with Apple Push Notification service (APNs) on iOS or Firebase Cloud Messaging (FCM) on Android. We store, against that user's account:

The push notification token, platform (iOS or Android), token kind (APNs or FCM), application version, operating system version, device model, an active/inactive flag, and last seen / last active timestamps.
These device identifiers are used to deliver transactional notifications and to keep the application functioning across upgrades and reinstalls. We do not use device data for advertising profiling.

Inbound-SMS push notifications include a short message preview. The preview contains the sender phone number, an internal message identifier, and the first portion of the message body (truncated to a short character limit) so that the user sees a meaningful preview on their lock screen. The full message body is only viewable inside the application.

When a user signs out or unregisters a device, the Platform marks the matching device token record inactive so future notification fan-out skips it. The row may remain for operational history and deduplication.

10. Service providers and subprocessors

We use the following service providers to operate the Platform. Data shared with each is limited to what is necessary for the service they provide.

Supabase — database, authentication, file storage, and realtime infrastructure. Most Platform data is stored here.
Vercel — application hosting, edge delivery, and request logging for the Platform.
Stripe — subscription billing, Stripe Connect onboarding for Tenants, and payment processing.
Telnyx — SMS and voice telephony, phone number provisioning, voice call recording delivery, and browser-based SIP credentials.
Meta (WhatsApp Business Platform) — WhatsApp Business Account onboarding, message delivery, and webhook events.
Anthropic — AI text generation for in-product AI features (summaries, message drafts, insights, the AI assistant).
Google Maps Platform — address geocoding and mapping for routing and dispatch.
Resend — transactional email delivery (account, billing, invoice, and notification emails).
Apple Push Notification service (APNs) — iOS push notification delivery.
Google Firebase Cloud Messaging (FCM) — Android push notification delivery.

We may engage additional service providers for limited operational purposes such as analytics, error monitoring, or email delivery. We will update this list as those providers change.

11. Data retention and account deletion

The Platform retains data according to the role each record plays. Some categories are deleted immediately on account deletion, some are anonymized, and tenant business records are retained.

When you delete your account

Your sign-in account is banned so that the password and any refresh tokens can no longer be used to log in.
Personally identifying fields on your profile (such as full name and phone number) are anonymized — for example replaced with a placeholder such as "Deleted user" — and the profile is marked inactive. This is a soft delete: the row itself is retained so that other records that reference your profile (jobs, finance entries, audit logs, payments) remain consistent and traceable.
Live, ephemeral data tied directly to your sign-in is deleted, including your latest GPS location entry and your per-user telephony credentials.

What is retained, and why

Tenant business records are not deleted by an individual user's account deletion. These records belong to the Tenant business and may include:

Customer records, jobs, invoices, estimates, contracts, signed agreements, and finance entries used for accounting and dispute resolution.
SMS, WhatsApp, and voice call records, plus any call recordings that were captured while recording was enabled.
Payment ledger entries, Stripe identifiers, billing history, and webhook event records used for reconciliation, fraud prevention, chargeback defense, and tax / accounting requirements.
Activity logs and audit trails used for security, compliance, and incident response.

These records may be retained for as long as the Tenant's account remains active and for additional periods after that where retention is required for legal, regulatory, accounting, tax, dispute, fraud-prevention, or other legitimate operational reasons.

Tenant-level deletion and end-customer requests

Tenants who wish to close their entire workspace (and not just an individual user) can contact us at the email address in Section 19. End-customers of a Tenant who wish to exercise rights about their personal information should contact the Tenant directly, since the Tenant is the controller of that data; we will assist a Tenant in responding to verified requests.

Third-party-side records

Records held by service providers (for example, Stripe transaction history, Telnyx carrier logs, Meta WhatsApp message delivery records) follow each provider's own retention practices and applicable telecommunications and financial regulations. We may not be able to compel providers to delete records they are required to retain.

Normal retention schedule

The categories below describe our normal operational retention windows. These are policy targets and may be longer where required or permitted by law, contract, dispute, or service-provider obligations. Most categories are not automatically purged on these dates — operational deletion happens on tenant closure, on request where applicable, or through ordinary database lifecycle.

Data category	Normal retention window
Account / profile data	Retained while the account is active. On self-delete, identifying profile fields are anonymized immediately or within 30 days. Inactive workspace and account records may be retained up to 7 years where they are tied to tenant business records.
Authentication, session, and security logs	Normally retained up to 24 months. May be retained longer for security investigations or legal obligations.
Tenant business records, customer records, jobs and service records	Retained while the tenant workspace is active. After tenant closure, normally retained up to 7 years for accounting, tax, legal, warranty, dispute, and audit purposes unless earlier deletion is legally appropriate.
SMS and WhatsApp content and metadata	Retained while the tenant workspace is active. After tenant closure, normally retained up to 7 years as tenant business communications unless deletion is legally appropriate.
Call metadata	Retained while the tenant workspace is active. After tenant closure, normally retained up to 7 years.
Call recordings	Retained while the tenant workspace is active. After tenant closure, normally retained up to 2 years unless needed for legal, regulatory, accounting, fraud-prevention, warranty, or dispute reasons. This is a normal policy retention window — recordings are not currently auto-purged on a fixed automated schedule.
Invoices, estimates, contracts, change orders	Retained while the tenant workspace is active. After tenant closure, normally retained up to 7 years.
Payments, Stripe identifiers, and payment metadata	Normally retained up to 7 years, or longer if required for tax, accounting, chargeback, dispute, fraud-prevention, or legal obligations. Stripe also retains its own records under its own policies.
Audit, activity, and finance logs	Normally retained up to 7 years because they protect financial, accounting, and security integrity.
Job photos and videos	Retained while the job and tenant workspace are active. After tenant closure, normally retained up to 2 years unless needed for warranty, dispute, legal, or accounting purposes. Stored in a private bucket and accessed only via short-lived signed URLs.
AI prompts, context, and chat history	Stored per company. Retained while the tenant workspace is active. After tenant closure, normally retained up to 2 years unless needed for audit, abuse, dispute, or legal reasons.
Push tokens and device records	Active tokens are retained while the user and device are active and are deactivated on sign-out, device unregister, or account deletion. Inactive device records are normally retained up to 24 months for deduplication, security, and diagnostics.
GPS latest row	Only the latest technician location is stored. Deleted immediately on user self-delete; otherwise overwritten by newer location updates or cleared when no longer needed for active dispatch operations.
Feedback and review IP / user-agent event logs	Normally retained up to 24 months for abuse prevention, attribution, diagnostics, and review-routing integrity.

Exceptions: we may retain information longer where required or permitted for legal, tax, accounting, regulatory, security, fraud-prevention, backup, dispute, warranty, chargeback, enforcement, or litigation-hold purposes. Records held by service providers follow each provider's own retention practices.

12. Security

We use the following security measures:

Encryption in transit using TLS for all connections to the Platform and its public APIs, and at-rest encryption provided by our hosting and database providers.
Database row-level security policies that scope each Tenant's data to that Tenant.
Role-based access controls (owner, admin, dispatcher, technician) inside each Tenant.
Webhook signature verification for incoming provider callbacks where a signing key is configured.
Service-role secrets are kept server-side only; the browser cannot perform privileged data writes.

No method of transmission or storage is 100% secure. While we work to protect your data, we cannot guarantee absolute security.

13. Your privacy rights

Subject to applicable law and the controller/processor framing in Section 2, you may have the right to:

Access the personal information we hold about you and obtain a copy.
Correct inaccurate or incomplete information.
Request deletion of your personal information, subject to the retention rules in Section 11.
Object to or restrict certain processing.
Withdraw consent where processing is based on consent.
Receive your information in a portable, structured, commonly-used format where required by law.

To exercise any of these rights, contact us at the email in Section 19. We may need to verify your identity before fulfilling a request and will respond within the time period required by applicable law.

For end-customer data that a Tenant uploads or generates inside the Platform, we generally direct the request to the Tenant, who is the controller of that data.

14. California privacy rights

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) may give you the following rights:

The right to know what personal information we collect, use, disclose, and (if applicable) sell or share.
The right to delete personal information, subject to lawful retention exceptions described in Section 11.
The right to correct inaccurate personal information.
The right to receive a portable copy of your personal information.
The right to opt out of the sale or sharing of personal information for cross-context behavioral advertising. We do not sell personal information and do not share it for cross-context behavioral advertising; there is no opt-out to exercise.
The right to limit use of sensitive personal information, to the extent we use it.
The right not to be discriminated against for exercising these rights.

You may submit a request by contacting us at the email in Section 19. An authorized agent may submit a request on your behalf with appropriate verification.

15. EEA / UK privacy rights

If you are in the European Economic Area, the United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and equivalent UK and Swiss laws may give you rights over your personal information.

Roles. For Tenant staff data, Dispatch Bros generally acts as the controller. For end-customer data that a Tenant uploads or generates inside the Platform, Dispatch Bros generally acts as a processor on behalf of the Tenant, who is the controller of that data.
Legal bases. We process personal information under one or more of the following legal bases: performance of a contract with you or your Tenant; our legitimate interests in operating, securing, and improving the Platform; compliance with legal obligations; and consent where required.
Your rights. Subject to applicable law, you may request access, correction, erasure, restriction of processing, objection to processing, and portability. You may also lodge a complaint with your local data protection authority.

Requests can be sent to the email in Section 19. We will respond within the time period required by applicable law.

16. Children

Dispatch Bros is a business-to-business platform intended for use by adults who operate or work for service businesses. The Platform is not directed to children under 18, and we do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will take reasonable steps to delete it.

17. International transfers

Dispatch Bros is operated from the United States. The service providers in Section 10 may also process data in the United States and in other countries. Where required by applicable law, we will use appropriate transfer mechanisms before transferring personal information internationally.

18. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. Continued use of the Platform after changes constitutes acceptance of the updated policy.

19. Contact us

If you have questions about this Privacy Policy, wish to exercise privacy rights, or need to submit a deletion request, contact us:

Privacy / data requests: privacy@dispatchbros.ai

General contact: info@dispatchbros.ai

Mailing address: Dispatch Bros Inc., 2 Mockingbird Cir C1, Houston, TX 77074

Website: app.dispatchbros.ai

This document describes our current practices. It is not legal advice and does not create attorney-client relationship or any representation about regulatory compliance. We recommend that Tenants consult their own legal counsel regarding their obligations under applicable laws.