Privacy Policy
Last Updated & Effective Date: July 7, 2026 · Rarefied Design Limited
This policy explains how Rarefied Design Limited collects, uses, shares, and protects personal information through Affinity Connect and related services. Before publishing or enforcing this, verify current data flows, subprocessors, retention windows, and commercial terms against production configuration and signed customer agreements.
1. Overview & Contact Information
This Privacy Policy explains how Rarefied Design Limited (“we”, “us”, or “our”) collects, uses, shares, and protects personal information through the Affinity Connect platform and related services. We primarily process personal information to provide agency software, client portal features, AI voice and messaging agents, websites and forms, billing, reporting, integrations, support, security, and operations.
2. Information We Collect
We may collect or process the following categories of information to provide, secure, and improve our services:
Account & Access Information
Names, emails, usernames, roles, passwords in hashed form, session metadata, IP addresses, user agents, and account preferences.
Client & Business Information
Company names, contacts, websites, business addresses, phone numbers, locations, services, brand information, assets, knowledge-base content, credentials, settings, and operational notes.
Communication & Call Records
Client records, business details, opportunities, calls, SMS, live calls, call recordings, transcripts, summaries, post-call webhooks, and GoHighLevel (GHL) sync.
AI Processing & Telemetry
AI voice and text providers, speech-to-text, text-to-speech, image generation, Cloudflare AI Gateway usage/cost telemetry, and AI credit metering.
Billing & Accounting Data
Stripe products/prices/customers/subscriptions/invoices/charges, QuickBooks sync, AI credit wallets/ledgers, manual settlements, bank statement imports, affiliate referrals, and Stripe Connect payouts.
Integration & Advertising Data
Authorized Google OAuth surfaces for GA4, Search Console, Google Business Profile, Google Ads, Google Maps/Places, and related reporting or automation.
Meta Ads, Reddit Ads, conversion uploads, lead webhooks, creative loops, campaign plans, and research runs.
Website Offer & Builder Data
Website-Day offers, intake flows, orders, generated website builds, website forms, Cloudflare/hosting/deployment logs, WordPress/plugin update operations, and website builder/editor state.
Assets & Storage
Asset library, R2/S3-compatible uploads, knowledge-base documents, Google Drive imports, debug screenshots, logs, audit logs, webhook events, API/MCP keys, and connected credentials.
3. Subprocessors & Third-Party Integrations
To provide our automated agency services, website hosting, billing, and AI voice/text agents, we integrate with secure third-party subprocessors. Each subprocessor is vetted for compliance:
- Cloudflare: Secure edge routing, hosting, analytics, Turnstile protection, and AI Gateway telemetry.
- Stripe: Secure checkout, subscription billing, payout processing, and affiliate tracking.
- GoHighLevel (GHL): Lead synchronization, CRM, communication pipelines, and pipeline updates.
- Twilio & SendGrid: SMS delivery, call routing, phone number binding, and transactional notifications.
- OpenAI & Replicate: Large Language Models, speech synthesis, transcription, and generative image rendering.
- Google & Meta APIs: Optional integration for ad-campaign tracking, GA4 telemetry, Google Ads conversions, and GBP updates.
4. Data Protection & Security Standards
We implement industry-standard administrative, technical, and physical security measures designed to protect the integrity and security of the personal data we process:
- Encryption: All data is encrypted in transit using Transport Layer Security (TLS) and at rest within secure cloud environments.
- Access Control: Highly restricted internal developer access to API/MCP keys, credentials, and customer databases.
- Secure Storage: Media assets, documents, and uploads are stored in secure R2/S3-compatible object storage vaults.
- Hashed Credentials: Customer passwords and API secrets are strictly hashed using secure, one-way cryptographic algorithms.
5. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our operational, legal, or regulatory requirements. We will notify you of any material changes by posting the updated policy on this page and updating the effective date above.