Privacy Policy

This privacy policy applies to ScoreACut, a brand operated by ClearShield Advisory LLC d/b/a ScoreACut.

Last updated: May 10, 2026

ClearShield Advisory LLC ("we", "us", "our"), operating the ScoreACut brand, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and safeguard information when you interact with our services. ScoreACut is an AI-powered voice receptionist for personal-grooming and salon professionals. Our platform answers inbound phone calls, books appointments, issues quotes, and — where the merchant has authorized it — issues payment links and invoices on the merchant's behalf. For privacy questions, contact us at support@scoreacut.com.

We serve two categories of people, and this policy addresses both:

Merchants — business owners who subscribe to ScoreACut and connect their phone, calendar, and optionally their payment processor to our platform.
End users (callers) — consumers who call a phone number managed by ScoreACut on behalf of a merchant, and who may receive SMS messages or payment links as a result.

Information We Collect From End Users (Callers)

Contact information: Name, phone number, and (where given) email address provided during phone calls
Call data: Inbound calls answered by our AI voice agent are recorded, transcribed in real time, and retained for up to 12 months for quality assurance and tenant access. You are notified at the beginning of each inbound call that recording may be active. Outbound calls placed by a tenant from the in-app dialer (Twilio Voice) are not recorded. Recordings are stored encrypted in our secure storage and are accessible only to the tenant whose number received the call.
Appointment details: Date, time, service requested, and notes related to scheduled appointments
Quote inputs: Information you provide that our AI uses to generate a quote (e.g., move origin/destination, bedroom count, service type)
SMS consent status: Whether you opted in or out of receiving text message confirmations, quotes, or payment links
Payment interactions: If the merchant has enabled payment collection and you elect to proceed with a deposit or invoice, the payment itself is processed by the merchant's own Stripe or Square account — see "Payment Processor Integration" below. We do not see, store, or transmit cardholder data.
Website usage data: Standard analytics data such as pages visited, browser type, and IP address

Information We Collect From Merchants

Business profile: Legal business name, trade name (DBA), business type, service area ZIP codes, business hours, and owner contact information
Billing information: Subscription payment details processed through Stripe. We do not store raw card numbers; Stripe stores those on its own PCI-compliant infrastructure.
User accounts: Owner and staff email addresses and passwords for portal and iOS-app login (authenticated via Google Sign-In, Sign in with Apple, or email & password)
Pricing configuration: Per-tenant pricing rules the merchant enters into their portal
OAuth authorization tokens: When a merchant connects Google Calendar, Stripe, or Square, we store the access and refresh tokens issued by those providers so we can act on the merchant's behalf during calls. See "Third-Party Authorizations" below.

How We Use Your Information

For end users:

To schedule and confirm appointments you request from the merchant
To generate quotes when you ask for pricing
To send SMS confirmations, quote follow-ups, or payment links (only with your explicit verbal consent during the call)
To provide the merchant with contact information and call notes so they can follow up with you
To improve call quality and agent accuracy

For merchants:

To operate the voice agent on the merchant's phone number
To book appointments into the merchant's connected Google Calendar
To issue payment links or invoices against the merchant's Stripe or Square account when the agent is asked to do so during a call
To bill the merchant for their ScoreACut subscription
To send transactional notifications (onboarding welcome, OAuth connection confirmations, usage summaries, billing notices)
To provide customer support
To comply with legal obligations

Third-Party Authorizations (OAuth)

Our voice agent integrates with third-party platforms on the merchant's behalf. The merchant explicitly authorizes each integration through a standard OAuth flow initiated from their ScoreACut portal. For each integration, we request only the permissions necessary to perform the merchant's requested functions.

Google Calendar

When a merchant authorizes Google Calendar access, we receive an OAuth refresh token with the https://www.googleapis.com/auth/calendar scope. We use this token solely to create, update, and read appointment events on the merchant's primary calendar during a live call. We do not read unrelated calendar data, and we do not use calendar contents for any purpose other than appointment booking on that specific merchant's behalf. Refresh tokens are stored encrypted at rest.

Google API Services User Data Policy — Limited Use disclosure: ScoreACut's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements. The use of raw or derived user data received from Workspace APIs will adhere to the Google User Data Policy, including the Limited Use requirements. Specifically, ScoreACut does not use Google Workspace API data to develop, improve, or train generalized AI/ML models; we do not transfer this data to third parties except as necessary to provide or improve user-facing features that are prominent in our application's user interface; we do not allow humans to read this data unless we have the merchant's affirmative agreement, it is necessary for security purposes, or it is required by law; and we do not use this data for serving advertisements.

Stripe (Stripe Connect)

When a merchant connects Stripe, we use the Stripe Connect OAuth flow to obtain the merchant's Stripe account ID. All payment link and invoice creation is performed via Stripe's API using our platform's credentials together with a Stripe-Account header identifying the merchant's connected account. We never receive or store the merchant's own Stripe secret key. Funds from payment links and invoices flow directly from the payer to the merchant's Stripe account — we do not touch the money.

Square

When a merchant connects Square, we obtain OAuth access and refresh tokens from Square via the OAuth 2.0 flow, scoped to the minimum permissions required (PAYMENTS_WRITE, ORDERS_WRITE, INVOICES_WRITE, CUSTOMERS_WRITE, MERCHANT_PROFILE_READ). We use these tokens solely to create payment links, invoices, and related customer/order records during calls. Tokens are stored encrypted in AWS Secrets Manager, automatically refreshed before expiry, and revoked when the merchant clicks "Disconnect" in their portal. Funds flow directly from the payer to the merchant's Square account — we do not touch the money.

Revocation

Merchants may revoke any integration at any time by clicking "Disconnect" on the relevant provider in their ScoreACut portal Settings page, or by revoking directly through Stripe's, Square's, or Google's own dashboards. Upon revocation, the associated tokens are deleted from our systems within 24 hours.

Cardholder Data and PCI Scope

We do not store, process, or transmit cardholder data. When an end user pays a deposit or invoice generated through our platform, they interact directly with Stripe's or Square's hosted payment pages. The card number, expiry, and CVV are entered on the processor's infrastructure and never traverse our systems. This keeps us out of PCI DSS scope for cardholder data environments.

SMS Messaging

We send SMS messages only when an end user explicitly consents during a phone call with our voice assistant. Messages are limited to appointment confirmations, quote follow-ups, and payment/invoice links triggered by the same call. We do not send marketing, promotional, or recurring messages. You can opt out at any time by replying STOP to any message. Standard message and data rates may apply. Typical frequency: one message per booking or payment request.

Use of AI Technology and Subprocessors

Our phone system uses AI-powered voice assistants to handle inbound calls. This includes AI language models to conduct conversations, AI voice synthesis to generate spoken responses, and AI transcription to convert speech to text. Your call audio and transcribed text are processed by these AI service providers solely to facilitate the call and execute the merchant's requested actions (booking, quoting, payment link generation). We do not use your data to train AI models.

The specific service providers we use for these capabilities include:

Twilio (twilio.com) — telephony, SMS delivery, inbound number provisioning, programmable voice infrastructure
VAPI (vapi.ai) — real-time voice agent orchestration; receives inbound call audio, real-time transcripts, and tool-call payloads
Anthropic (Claude) and OpenAI — language model inference for conversational responses
ElevenLabs (elevenlabs.io) — AI voice synthesis and, when a tenant enables the optional voice-cloning feature, processing of a 20–60 second voice sample to produce a tenant-specific synthetic voice
Amazon Web Services (AWS) — cloud hosting, secrets storage, database, and call-recording storage
Resend (resend.com) — transactional email delivery

Each provider receives only the minimum data needed to perform its function and is contractually bound to handle your data in accordance with their own privacy commitments.

Information Sharing

We do not sell, rent, or trade personal information. We share information only with:

Service providers: Third-party infrastructure that powers our service — AI voice and language model providers, call-handling telephony, SMS delivery providers, cloud hosting, email delivery, payment processors (Stripe for our own subscription billing), and the merchant-authorized third parties above. These providers are bound by their own privacy policies and access only the minimum data needed to perform their function.
The merchant whose business you called: Your contact info, appointment details, and call notes are shared with the merchant — that is the point of the service.
Legal requirements: When required by law, regulation, or legal process.

Data Security

We implement technical and organizational measures to protect personal information, including encryption in transit (TLS) and at rest, IAM-scoped access to sensitive stores, OAuth token storage in AWS Secrets Manager, and the principle of least privilege for internal access. No method of transmission or storage is completely secure, but we follow industry-standard practices.

Data Retention

We retain personal information only as long as necessary to fulfill the purposes described in this policy or as required by law. Inbound call recordings and transcripts are retained for up to 12 months. OAuth tokens are deleted immediately upon disconnection. Billing records are retained as required by tax and accounting regulations.

Account cancellation: when a tenant cancels their subscription, the account enters a 30-day soft-delete window during which the data is hidden from active use but recoverable by support on tenant request. After 30 days, all tenant data — call recordings, transcripts, contacts, connected-account tokens, and billing history — is hard-deleted from our systems and is not recoverable.

Your Rights

You have the right to:

Request access to the personal information we hold about you
Request correction or deletion of your personal information
Opt out of SMS messages by replying STOP at any time
Withdraw consent for data processing where applicable
Revoke third-party OAuth authorizations (merchants only) at any time

Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date.

Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:

Email: support@scoreacut.com
Website: scoreacut.com

See also our Terms & Conditions and SMS Consent Policy.