Legal & Compliance

Privacy Policy

Last Updated & Effective Date: July 7, 2026 · Rarefied Design Limited

Important Compliance Notice

This policy explains how Rarefied Design Limited collects, uses, shares, and protects personal information through Affinity Connect and related services. Before publishing or enforcing this, verify current data flows, subprocessors, retention windows, and commercial terms against production configuration and signed customer agreements.

1. Overview & Contact Information

This Privacy Policy explains how Rarefied Design Limited (“we”, “us”, or “our”) collects, uses, shares, and protects personal information through the Affinity Connect platform and related services. We primarily process personal information to provide agency software, client portal features, AI voice and messaging agents, websites and forms, billing, reporting, integrations, support, security, and operations.

Legal EntityRarefied Design Limited
Business Address15606 The Gore Rd, Caledon Village, ON L7C 3E5, Canada
General Support Email[email protected]
Privacy & Data Email[email protected]

2. Information We Collect

We may collect or process the following categories of information to provide, secure, and improve our services:

Account & Access Information

Names, emails, usernames, roles, passwords in hashed form, session metadata, IP addresses, user agents, and account preferences.

Client & Business Information

Company names, contacts, websites, business addresses, phone numbers, locations, services, brand information, assets, knowledge-base content, credentials, settings, and operational notes.

Communication & Call Records

Client records, business details, opportunities, calls, SMS, live calls, call recordings, transcripts, summaries, post-call webhooks, and GoHighLevel (GHL) sync.

AI Processing & Telemetry

AI voice and text providers, speech-to-text, text-to-speech, image generation, Cloudflare AI Gateway usage/cost telemetry, and AI credit metering.

Billing & Accounting Data

Stripe products/prices/customers/subscriptions/invoices/charges, QuickBooks sync, AI credit wallets/ledgers, manual settlements, bank statement imports, affiliate referrals, and Stripe Connect payouts.

Integration & Advertising Data

Authorized Google OAuth surfaces for GA4, Search Console, Google Business Profile, Google Ads, Google Maps/Places, and related reporting or automation.

Meta Ads, Reddit Ads, conversion uploads, lead webhooks, creative loops, campaign plans, and research runs.

Website Offer & Builder Data

Website-Day offers, intake flows, orders, generated website builds, website forms, Cloudflare/hosting/deployment logs, WordPress/plugin update operations, and website builder/editor state.

Assets & Storage

Asset library, R2/S3-compatible uploads, knowledge-base documents, Google Drive imports, debug screenshots, logs, audit logs, webhook events, API/MCP keys, and connected credentials.

3. Subprocessors & Third-Party Integrations

To provide our automated agency services, website hosting, billing, and AI voice/text agents, we integrate with secure third-party subprocessors. Each subprocessor is vetted for compliance:

  • Cloudflare: Secure edge routing, hosting, analytics, Turnstile protection, and AI Gateway telemetry.
  • Stripe: Secure checkout, subscription billing, payout processing, and affiliate tracking.
  • GoHighLevel (GHL): Lead synchronization, CRM, communication pipelines, and pipeline updates.
  • Twilio & SendGrid: SMS delivery, call routing, phone number binding, and transactional notifications.
  • OpenAI & Replicate: Large Language Models, speech synthesis, transcription, and generative image rendering.
  • Google & Meta APIs: Optional integration for ad-campaign tracking, GA4 telemetry, Google Ads conversions, and GBP updates.

4. Data Protection & Security Standards

We implement industry-standard administrative, technical, and physical security measures designed to protect the integrity and security of the personal data we process:

  • Encryption: All data is encrypted in transit using Transport Layer Security (TLS) and at rest within secure cloud environments.
  • Access Control: Highly restricted internal developer access to API/MCP keys, credentials, and customer databases.
  • Secure Storage: Media assets, documents, and uploads are stored in secure R2/S3-compatible object storage vaults.
  • Hashed Credentials: Customer passwords and API secrets are strictly hashed using secure, one-way cryptographic algorithms.

5. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our operational, legal, or regulatory requirements. We will notify you of any material changes by posting the updated policy on this page and updating the effective date above.