Privacy Policy

Version 2026-05-13.4 · Effective May 13, 2026

Sandy Brook DevWorks LLC ("SandyBrook," "we," "us," or "our") operates the Relay platform ("Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information — including information about callers who interact with a Relay-powered phone line — when you or they use the Service.

1. Information We Collect

Account Information. When you sign in we receive your name, email address, and provider account identifier from your chosen authentication method: Google OAuth, email/password (backed by Google Identity Platform), or passkey/WebAuthn. We do not collect or store passwords; passwords for email/password accounts are held by Google Identity Platform. Passkey credentials are stored as public-key material plus a sign-count — no private key ever leaves your device.

Call Data. When a caller dials a Relay-powered phone number, we process and store: call audio (as a WAV recording), the AI-generated transcript, the AI-generated summary, the caller's phone number (E.164), start/end timestamps, and duration. Any structured data produced by the assistant during the call — such as appointment bookings — is also stored.

Configuration Content. Text you enter in Receptionist/Assistant Mode configuration, Knowledge Base entries, and trusted-number labels is stored on our systems so the assistant can use it during calls. If you connect an optional integration (Google Calendar, HubSpot, GoHighLevel), we also store the connection state and a refresh token; refresh tokens are envelope-encrypted with Cloud KMS before persistence.

Billing Metadata. If you subscribe to a paid plan, Stripe stores payment instrument data on its systems; we receive only non-sensitive identifiers (Stripe customer ID, subscription ID, plan tier, invoice status).

Usage Data. We collect IP address, browser type, pages visited, and timestamps to operate and improve the Service.

2. How We Use Your Information

  • To provide, operate, and maintain the Service.
  • To process and deliver call recordings, transcripts, and summaries to you.
  • To authenticate your identity and manage your account.
  • To communicate with you about your account, billing, or the Service.
  • To detect, prevent, and address technical issues or abuse.

We do not sell your data, and we do not use call content to train any model — ours or a sub-processor's. See Section 4.

3. Sub-processors & Data Flow

Delivering the Service requires sharing specific data with the sub-processors listed below. Each row identifies the provider, its role, and the categories of data it receives. Each provider is governed by its own terms and privacy policy.

Twilio, Inc.

Voice telephony · call routing · audio transport · WAV recording generation

Data received: caller phone number, called phone number, real-time call audio (transported to our infrastructure), and recorded audio (generated and temporarily held for download). Inbound SMS to Relay-provisioned numbers is silently dropped at the carrier and is never processed by Relay.

Google LLC — Vertex AI / Gemini Live

Real-time speech recognition, natural language understanding, text generation, text-to-speech

Data received: real-time caller audio streamed during the call; recorded audio re-submitted after the call for transcription and summarization; the system prompt (tenant configuration + knowledge base content). Not used to train Google's foundation models — see Section 4.

Google LLC — Google Cloud Platform

Hosting (Cloud Run) · Firestore (tenant + call metadata) · Cloud Storage (recordings) · Cloud KMS (encryption keys) · Cloud Tasks / Scheduler / Logging / Monitoring

Data received: all stored call data (transcripts, summaries, WAV recordings), tenant account and configuration data, application logs (which may contain metadata such as call IDs and timestamps). Data is stored in the United States (region us-central1), encrypted in transit (TLS) and at rest.

Stripe, Inc.

Subscription billing · payment processing · invoicing

Data received: your email, company name, plan tier, subscription state, invoice line items (minutes used, overage), and payment instrument data that you enter directly into Stripe's hosted Checkout page. Stripe does not receive call audio, transcripts, or summaries.

Brevo (Sendinblue SAS)

Transactional email delivery (call summaries, notifications)

Data received: recipient email address, company name, caller phone number, AI-generated summary text, and a link to the call detail page. Call audio is not transmitted via email.

Google LLC — Identity Platform (Firebase Auth)

Email/password authentication storage

Data received: email address and salted/hashed password. Passwords are stored by Google Identity Platform; they are never transmitted to or stored by Relay.

Optional sub-processors (activated by you)

The following sub-processors only receive data when you explicitly connect them in the Relay dashboard. They do not receive any data unless you authorize the connection, and you can disconnect at any time.

HubSpot, Inc.

CRM sync (Contacts, Notes, Tasks, Meetings) · activated by tenant OAuth

Data sent (per call): caller name (if captured), caller email (if captured), caller phone number (E.164), AI-generated summary, urgency classification, call duration, and a deep-link back to the Relay call detail page. Refresh tokens stored encrypted; revoked on disconnect.

HubSpot data caching: Relay does not cache HubSpot contact properties, lists, deals, or any other HubSpot data in our systems. The only HubSpot-derived value Relay persists is the HubSpot contact ID Relay itself created or matched during a sync, stored on the matching call's record so retries don't create duplicate Notes/Tasks/Meetings. No HubSpot data is used to train or fine-tune any model.

HighLevel Inc. (GoHighLevel)

CRM sync (Contacts, Notes, Opportunities) · activated by tenant OAuth

Data sent (per call): same payload as HubSpot above, scoped to the GoHighLevel sub-account or location you connected. Refresh tokens stored encrypted; revoked on disconnect.

Google LLC — Calendar API

Availability checks and event creation · activated by tenant OAuth

Data sent: availability queries and appointment events (title, start/end, attendee email if provided, body text) written to the dedicated "Relay Bookings" calendar in your Google account. Relay only touches calendars it owns — it cannot read or modify any other calendar in your account. Refresh tokens stored encrypted; revoked on disconnect.

Zapier, Inc.

Workflow automation · activated by installing Relay's Zapier app

Data sent (per matched event): call summary fields you select in your Zap configuration. Delivered to Zapier's platform and on to the downstream tools you've configured in your Zap.

4. AI Model Training

Relay processes call audio and text using Google's Gemini models via Vertex AI. Per Google's Vertex AI data governance policy, customer content (including prompts and model responses) is not used to train or fine-tune Google's foundation models, and is not made available to other customers.

Relay does not operate its own machine-learning models, and we do not use your call content to train, fine-tune, or otherwise improve any model that we or a third party distributes.

Google may retain prompts and responses for a short period for abuse monitoring and to operate the service (see the linked Google policy for exact retention). This is separate from model training.

5. Data Storage and Security

All data is stored on Google Cloud Platform in the United States (region us-central1). Data is encrypted in transit (TLS) and at rest (GCP default encryption). Call recordings are stored in access-controlled private Cloud Storage buckets; transcripts and metadata are stored in Firestore.

Third-party OAuth refresh tokens (e.g., Google Calendar integration) are envelope-encrypted with a customer-scoped Cloud KMS key before persistence.

6. Data Retention

Call recordings, transcripts, summaries, and related metadata are retained for 90 days by default, after which they are permanently purged by a nightly job. Tenants may change the retention window in dashboard Settings to 30, 60, 90, 180 days, 1 year, 3 years, or unlimited (no automatic purge).

Individual calls can be exempted from automatic purge by applying a Legal Hold flag on the call detail page — for example, when a call is relevant to an active dispute or investigation. Legal Hold preserves the call indefinitely until the tenant removes the flag.

Account information and billing records are retained for the life of your account and for a period afterward as required by law or to resolve disputes.

Deletion on demand. You can delete any specific call at any time from the call detail page, which cascade-deletes both the recording and the transcript/summary. A separate "Delete on behalf of caller" action is provided on the call detail page for handling caller-initiated right-to-erasure requests (CCPA / GDPR Article 17); the deletion is recorded with the reason you provide for audit purposes. Account-wide deletion is available from dashboard Settings; on deletion we purge your call recordings, transcripts, summaries, and configuration from our systems and instruct sub-processors to do the same, subject to their own retention policies.

7. Your Rights

Depending on your jurisdiction (including under GDPR, UK GDPR, and CCPA/CPRA), you may have the right to:

  • Access the personal data we hold about you.
  • Request correction or deletion of your personal data.
  • Object to or restrict processing of your personal data.
  • Request a portable copy of your data.
  • Withdraw consent for processing (where processing is based on consent).

To exercise these rights, contact us at privacy@sandybrook.io. If you are a caller whose call was handled by a Relay-powered phone line, we typically do not have a direct relationship with you; please contact the business operating the phone line, who is the primary controller of the call data.

8. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes are published with an incremented version number at the top of this page and are announced via dashboard notice or email.

10. Contact Us

Questions about this Privacy Policy, or about the data we process on your behalf, can be sent to privacy@sandybrook.io. For our Terms of Service, see the linked page.

Sandy Brook DevWorks LLC
5900 Balcones Dr Ste 100
Austin, TX 78731-4298
United States