Privacy Policy

Loray (loray.ai)
Effective date: April 25, 2026
Last updated: April 25, 2026 · Policy 3

About Loray

Loray is a B2B SaaS platform that provides AI-powered SMS and voice communication tools for independent contractors and small businesses ("Clients"). This policy covers how Loray collects, uses, and protects data at the platform level — both Client data (contractors using the platform) and end-user (contact) data processed on behalf of Clients.

1. Roles Under Data Protection Law

Loray operates in two distinct roles depending on the data in question:

Data Controller — for data collected directly from Clients, prospective Clients, website visitors, and users of Loray's website, application, and administrative tools. This includes account information, billing data, company configuration, support communications, website analytics, and marketing preferences.
Data Processor — for data belonging to contacts who interact with a Client's business, such as phone numbers, SMS conversations, voice call audio, transcripts, call metadata, service requests, and appointment details. Loray processes this data strictly on the Client's behalf and under their documented instructions.

If you are a contact of a business that uses Loray, that business is generally the controller of your data. Loray acts as a processor or service provider for that business.

2. Data Collected by Loray

2a. Client Data (Contractors)

Loray may collect the following Client data:

Name, email, and company name
Purpose: account management, authentication, onboarding, support, and communication.
Retention: duration of account + 90 days.

Billing information
Purpose: subscription billing and payment processing through Stripe.
Retention: per Stripe's policies; Loray retains only transaction metadata needed for account, tax, and accounting purposes.

Business configuration
Examples: services offered, business hours, service area, business address, booking preferences, phone settings, AI assistant configuration, and TCR brand/campaign IDs.
Purpose: AI assistant personalization, appointment booking, SMS compliance, and platform operation.
Retention: duration of account.

Support and correspondence records
Purpose: customer support, troubleshooting, security review, and account administration.
Retention: duration of account + 24 months.

2b. Contact Data (End Users — processed on behalf of Clients)

Loray may process the following contact data on behalf of Clients:

Phone numbers
Storage: stored encrypted during active messaging; hashed copies may be retained for opt-out enforcement, deduplication, fraud prevention, and compliance.
Retention: duration of conversation with the Client, plus up to 24 months, subject to Client settings and legal retention obligations.

SMS conversation content
Storage: encrypted at rest and protected in transit using TLS 1.2 or higher.
Retention: duration of Client relationship + 24 months, unless deleted earlier by the Client or required by law.

Voice call audio recordings
Storage: encrypted at rest and protected in transit using TLS 1.2 or higher.
Retention: 30 days after the call, then permanently deleted, unless a shorter retention period is configured or deletion is required earlier.

Voice call transcripts
Storage: encrypted at rest.
Retention: duration of Client relationship + 24 months, unless deleted earlier by the Client or required by law.

Call metadata
Examples: timestamps, call duration, caller phone number, direction of call, and delivery status.
Storage: encrypted at rest.
Retention: duration of Client relationship + 24 months.

Opt-in and opt-out consent records
Examples: hashed phone number, timestamp, source, channel, consent artifact, STOP/START events.
Purpose: TCPA, A2P 10DLC, carrier compliance, and suppression list enforcement.
Retention: at least 4 years, or longer where required for legal compliance.

2c. Website, Cookies, and Analytics Data

When you visit loray.ai, use Loray's website, open emails from Loray, or interact with forms, demos, or marketing pages, Loray may collect limited website and analytics data.

This may include:

IP address
browser type and version
device type and operating system
referring website
pages viewed
time spent on pages
approximate location derived from IP address
form submissions
email engagement events, such as opens or clicks
cookie identifiers or similar technologies

Loray uses this information to:

operate and secure the website
understand how visitors use the website
improve website performance and user experience
respond to demo, contact, or support requests
measure the effectiveness of communications and marketing
detect abuse, fraud, or security issues

Loray may use cookies, pixels, local storage, log files, and similar technologies. Cookies may be used for essential site functionality, analytics, security, preferences, and, if enabled, marketing measurement.

You can control cookies through your browser settings. Blocking some cookies may affect website functionality. Where required by law, Loray will provide additional cookie notices, consent controls, or opt-out options.

Loray does not use end-user contact data processed on behalf of Clients for targeted advertising.

2d. Marketing Communications

Loray may use Client or prospective Client contact information to send product updates, onboarding messages, service notices, and marketing communications.

You may opt out of marketing emails at any time by using the unsubscribe link in the email or by contacting [email protected]. Loray may still send transactional or service-related messages, such as billing notices, security alerts, account updates, and required compliance notifications.

3. How Loray Uses Data

Loray uses data to:

operate the AI assistant, SMS infrastructure, and voice infrastructure for Clients
provide onboarding, authentication, account management, and customer support
process billing, subscriptions, usage credits, and top-ups
configure Client-specific business settings and AI assistant behavior
send and receive SMS messages and voice calls
transcribe voice calls and generate AI assistant responses
schedule, confirm, and manage appointments
ensure TCPA, A2P 10DLC, carrier, and opt-out compliance
detect, prevent, and investigate fraud, abuse, security incidents, and service misuse
maintain audit logs and platform reliability
improve platform performance using aggregated or de-identified analytics
comply with legal obligations

Loray does not sell, rent, or share end-user contact data with any third party for marketing or advertising purposes.

Loray does not use Client data or end-user contact data to train AI models.

Loray does not share mobile phone numbers, SMS opt-in records, or SMS consent data with third parties or affiliates for their own marketing or promotional purposes.

4. Subprocessors

Loray uses third-party subprocessors to provide hosting, telephony, messaging, speech transcription, speech synthesis, AI language processing, payments, email delivery, and compliance-related services.

Each subprocessor is restricted to the purpose listed in Loray's subprocessor list and is subject to written contractual obligations, including confidentiality, security, and data protection obligations.

A current, detailed list is maintained at loray.ai/subprocessors.

Current subprocessors include:

Telnyx — SMS delivery, voice calls, phone number provisioning, and A2P 10DLC support
Deepgram — speech-to-text transcription for voice calls
Google Cloud — text-to-speech voice generation for AI assistant responses
Anthropic — primary AI language model for AI response generation
OpenAI — fallback AI language model for specialized processing and redundancy
Stripe — subscription billing and payment processing
TCR (The Campaign Registry) — A2P 10DLC brand and campaign registration
Resend — transactional email delivery
OVHcloud — application hosting, database storage, Redis cache, and network services

All subprocessors are currently located in the United States or operate through US-based service endpoints.

5. Data Security

Loray uses administrative, technical, and organizational safeguards designed to protect personal data.

Security measures include:

Encryption in transit: TLS 1.2 or higher for data transmitted between user devices, Loray systems, and subprocessors.
Encryption at rest: AES-256 or equivalent encryption for stored personal data where applicable.
Phone number handling: phone numbers are stored encrypted during active use; hashed copies may be retained for opt-out enforcement, deduplication, fraud prevention, and compliance.
Access control: production data access is restricted to authorized personnel with a legitimate business need.
Audit logging: administrative and sensitive actions are logged where appropriate.
Network isolation: production systems are separated from development and internal corporate environments where technically feasible.
Data minimization: Loray limits data sent to AI subprocessors where possible, including by removing direct phone-number identifiers before sending conversation context to AI language models.
TCPA compliance: STOP requests are honored promptly and suppression records are retained for compliance.

No system can be guaranteed to be completely secure. However, Loray uses reasonable safeguards designed to protect data against unauthorized access, disclosure, alteration, or destruction.

In the event of a data breach affecting personal information, Loray will notify affected Clients and applicable regulators as required by law, generally within seventy-two (72) hours of discovering the breach where such timing is legally required.

6. Jurisdiction & Legal Basis

Loray operates under the laws of the United States.

SMS services are governed by applicable telecommunications and consumer protection laws, including the Telephone Consumer Protection Act (TCPA), 47 U.S.C. § 227. Loray's A2P 10DLC campaigns are registered with TCR (The Campaign Registry) as required by major US carriers.

Voice call recording and transcription are conducted in accordance with applicable federal and state wiretapping and call-recording laws, with call-participant notification where required.

All Loray infrastructure is hosted in the United States, and all subprocessors operate through US-based service endpoints.

Loray does not currently target or market its services to the European Economic Area, the United Kingdom, or Switzerland. If Loray processes data from those regions in the future, additional notices and safeguards may apply.

7. Data Retention & Deletion

Loray retains data only for as long as reasonably necessary to provide the service, comply with legal obligations, resolve disputes, enforce agreements, maintain security, and support legitimate business operations.

Summary:

SMS conversation content: duration of Client relationship + 24 months
Voice call audio: 30 days after the call, then permanently deleted
Voice call transcripts: duration of Client relationship + 24 months
Call metadata: duration of Client relationship + 24 months
Opt-out records: at least 4 years, or longer where required for legal compliance
Client account data: duration of subscription + 90 days after cancellation
Billing records: 7 years, or as required for tax and accounting purposes
Website analytics data: retained for a limited period based on analytics provider settings and business needs
Support records: duration of account + 24 months

Clients may request deletion of their data and associated contact data by contacting [email protected]. Loray will honor deletion requests subject to legal retention obligations, fraud prevention, security, backup retention, dispute resolution, and compliance requirements.

End users who wish to delete data processed on behalf of a Client should first contact the Client. Loray may assist the Client in responding to such requests.

8. Your Rights

For Clients, prospective Clients, and website visitors

Depending on where you live, you may have the right to:

access the personal information Loray holds about you
correct inaccurate personal information
request deletion of personal information
export personal information in a portable format
opt out of marketing emails
opt out of certain cookies or analytics where applicable
object to or restrict certain processing
appeal a denied privacy request, where required by law

To exercise these rights, contact [email protected].

Loray may need to verify your identity before fulfilling a privacy request. Verification may include confirming control over your email address, account, or other information reasonably necessary to process the request.

For end users who interact with a Client using Loray

If you are a contact or customer of a business that uses Loray, please contact that business directly to exercise privacy rights. That business controls the purposes and means of processing your data.

For platform-level requests, or if the Client is unresponsive, you may contact Loray at [email protected]. Loray may forward the request to the relevant Client or assist the Client in responding.

End-user rights may include:

access to data processed about you
correction of inaccurate data
erasure or deletion, subject to legal retention
opt out of SMS at any time by replying STOP to the originating message
complaint to the relevant regulator, where applicable

9. U.S. State Privacy Rights

Residents of certain U.S. states, including California and other states with consumer privacy laws, may have additional rights regarding their personal information.

Depending on your state of residence and the nature of your relationship with Loray, these rights may include:

Right to know/access — request confirmation of whether Loray processes your personal information and access to that information.
Right to delete — request deletion of personal information, subject to legal exceptions.
Right to correct — request correction of inaccurate personal information.
Right to portability — receive certain personal information in a portable format.
Right to opt out of sale or sharing — opt out of the sale of personal information or sharing for cross-context behavioral advertising, where applicable.
Right to opt out of targeted advertising — opt out of certain advertising or tracking activities, where applicable.
Right to limit use of sensitive personal information — limit certain uses of sensitive personal information, where applicable.
Right to appeal — appeal a denied privacy request, where required by law.
Right to non-discrimination — Loray will not discriminate against you for exercising privacy rights.

Loray does not sell end-user contact data.

Loray does not share mobile phone numbers, SMS opt-in data, or SMS consent records with third parties or affiliates for their own marketing or promotional purposes.

Loray does not use end-user contact data processed on behalf of Clients for targeted advertising.

If Loray uses advertising or analytics technologies on its website that may be considered "sharing" under certain state privacy laws, website visitors may exercise applicable opt-out rights by using available cookie controls, browser settings, recognized opt-out preference signals where supported, or by contacting [email protected].

To submit a U.S. state privacy request, email [email protected] with the subject line "Privacy Request." If you use an authorized agent, Loray may request proof that the agent is authorized to act on your behalf and may also require you to verify your identity directly.

10. Children

Loray is a business-to-business service and is not directed to children under 13. Loray does not knowingly collect personal information from children under 13.

If Loray learns that it has collected personal information from a child under 13 without appropriate consent, Loray will take reasonable steps to delete that information.

11. Changes to Subprocessors

Loray updates its subprocessor list at loray.ai/subprocessors when subprocessors are added, removed, or changed.

Clients are notified by email at least 30 days in advance of additions or changes that may materially affect data processing.

Clients may object in writing to a new subprocessor within 15 days of notice. If the objection cannot be resolved, the Client may terminate the affected service without penalty.

12. Changes to This Policy

Loray may update this Policy from time to time. Material changes will be notified to Clients by email at least 30 days in advance where required or appropriate.

The "Last updated" date above reflects the current version.

13. Contact

For privacy questions, data requests, or legal inquiries:

Privacy email: [email protected]
Legal email: [email protected]
Website: loray.ai