Privacy Policy

Loray (loray.ai) Effective date: April 24, 2026 Last updated: April 24, 2026 Policy v1

About Loray: Loray is a B2B SaaS platform that provides AI-powered SMS communication tools for independent contractors and small businesses ("Clients"). This policy covers how Loray collects, uses, and protects data at the platform level — both Client data and end-user (contact) data processed on behalf of Clients.

1. Roles Under Data Protection Law

Loray operates in two distinct roles:

Data Controller — for data collected directly from our Clients (contractors who use the Loray platform): account information, billing data, company configuration.
Data Processor — for data belonging to contacts who interact with a Client's business (phone numbers, call logs, SMS conversations). Loray processes this data strictly on the Client's behalf and under their instructions.

2. Data Collected by Loray

2a. Client Data (Contractors)

Data	Purpose	Retention
Name, email, company name	Account management	Duration of account + 90 days
Billing information (via Stripe)	Payment processing	Per Stripe policy
Business configuration (services, location, hours)	AI assistant personalization	Duration of account
TCR brand/campaign IDs	A2P 10DLC SMS compliance	Duration of account

2b. Contact Data (End Users — processed on behalf of Clients)

Data	How it's stored	Retention
Phone numbers	SHA-256 hash only — raw number never stored after processing	90 days
SMS conversation content	Encrypted at rest, TLS 1.2+ in transit	90 days
Call logs (missed calls)	Metadata only (timestamp, duration)	30 days
AI conversation transcripts	Encrypted, used to generate responses	90 days
Opt-out records	Hashed phone + timestamp	Indefinite (compliance)

3. How Loray Uses Data

To operate the AI assistant and SMS communication service for Clients
To ensure TCPA and A2P 10DLC compliance (opt-out enforcement, campaign management)
To provide billing, support, and account management to Clients
To improve platform performance and reliability (aggregated, anonymized analytics only)

Loray does not sell, rent, or share contact data with any third party for marketing or advertising purposes.

4. Third-Party Sub-processors

Sub-processor	Role	Data shared
Telnyx	SMS and voice carrier	Phone numbers, SMS content in transit
Anthropic	AI response generation	Anonymized conversation context
OpenAI	AI language model — fallback and specialized tasks	Anonymized conversation context
Stripe	Payment processing	Billing data (Client only)
TCR (The Campaign Registry)	A2P 10DLC brand/campaign registration	Client business info (EIN, legal name, address)

Full subprocessor list: https://loray.ai/subprocessors

5. Data Security

All phone numbers are stored as irreversible SHA-256 hashes — raw numbers are never persisted.
All data in transit is encrypted using TLS 1.2 or higher.
Data at rest is encrypted using AES-256.
Access to production data is restricted to authorized personnel only, with audit logging.
Loray is TCPA-compliant: all opt-out requests (STOP) are honored immediately and recorded.

6. Jurisdiction & Legal Basis

Loray operates under United States law. SMS services are governed by the Telephone Consumer Protection Act (TCPA), 47 U.S.C. § 227, and the CAN-SPAM Act. Loray's A2P campaigns are registered with TCR (The Campaign Registry) as required by major US carriers.

For users in the European Economic Area: Loray processes contact data under the lawful basis of legitimate interests (GDPR Art. 6(1)(f)) on behalf of Clients who have obtained consent from their contacts. Raw personal data (phone numbers) is immediately hashed upon receipt — Loray does not store identifiable phone numbers.

7. Data Retention & Deletion

SMS conversation logs: 90 days
Call logs: 30 days
Opt-out records: retained indefinitely for TCPA compliance
Client account data: retained for the duration of the subscription + 90 days after cancellation

Clients may request deletion of their data and all associated contact data by contacting [email protected].

8. Your Rights

If you are a contact (end user) and wish to exercise your rights regarding data processed on behalf of a Client, please contact that Client directly. For platform-level requests, contact us at [email protected].

Right to access your data
Right to erasure ("right to be forgotten")
Right to opt out of SMS at any time by replying STOP

9. Contact

For privacy-related questions or requests:

Email: [email protected]
Website: loray.ai