Privacy Policy
Effective: May 13, 2026
This Privacy Policy explains what information StillOpen collects, how we use it, and the choices you have. StillOpen is operated by Cole Cummings (StillOpen.ai). Contact: [email protected].
1. Who this applies to
StillOpen serves three groups of people:
- Business owners across any service business (med spas, photographers, vets, gyms, salons, dental practices, therapists, contractors, real estate agents, dog trainers, and home-service operators) who pay for a StillOpen account and run the AI front desk on their website or Facebook Page.
- Agency partners who white-label StillOpen and resell it to their client roster of service businesses.
- End customers and prospects who chat with a StillOpen-powered bot embedded on a business owner's site or who message a business owner's Facebook Page.
2. Information we collect
From business owners (account holders)
- Name and email address (collected through our authentication provider, Clerk).
- Business information you provide or that we scrape from your public website with your permission, including business name, services, prices, hours, service area, and owner contact details. We refer to this collectively as your "knowledge base."
- Payment information processed by Stripe. StillOpen never stores your full card number; Stripe handles all card data per PCI DSS standards.
- If you connect Google Calendar: an OAuth refresh token that lets us check your availability and create events on your behalf.
- If you connect a Facebook Page: your Facebook Page ID, Page Name, and a long-lived Page Access Token issued by Meta. We use this token only to receive Messenger events sent to your Page and to reply on your Page's behalf.
From homeowners and prospects (end users)
- The text content of messages you send to a StillOpen-powered bot, including any name, phone number, address, or job description you choose to share.
- For Facebook Messenger conversations: the Page-Scoped ID (PSID) Meta assigns to you for each Page. The PSID is opaque and unique per Page; it is not your Facebook user ID.
- Standard request metadata such as timestamps and IP address (used only for rate limiting and abuse prevention).
3. How we use information
- To run the AI front desk: route incoming messages to Claude (Anthropic) and return a reply in the business owner's voice.
- To send replies through the channel the message arrived on (the website widget, Meta Messenger, etc.).
- To book jobs into the business owner's connected calendar and notify them of new leads via email.
- To process payments and manage subscriptions (handled by Stripe).
- To enforce rate limits, prevent abuse, and protect the service.
- To communicate with business owners about the service (transactional emails sent via Resend).
4. Who we share information with
StillOpen does not sell your information. We share specific data with the following service providers, only as needed to run the service:
- Anthropic (Claude API): receives the system prompt, conversation history, and the latest user message in order to generate a reply. Anthropic does not train on data sent through their API.
- Meta Platforms (Facebook Messenger Send API): receives the reply text and the recipient PSID so the message can be delivered to the customer's Messenger inbox.
- Stripe: receives payment information for processing charges.
- Resend: receives email addresses and message content for transactional emails (lead notifications, onboarding).
- Clerk: receives email and authentication credentials for account login.
- Google: if Google Calendar is connected, receives event titles, times, and attendee emails for booking.
- Cloudflare: provides hosting, DNS, and edge storage (Cloudflare Workers KV) for our application data.
We may also disclose information when required by law, to protect StillOpen's legal rights, or in connection with a corporate transaction such as a merger or acquisition.
5. Where data is stored
Application data (knowledge bases, conversation logs, FB Page tokens, OAuth tokens) is stored in Cloudflare Workers KV, replicated globally and encrypted at rest. Customer payment data is held by Stripe. Authentication data is held by Clerk.
6. How long we keep data
- Account and knowledge-base data: for the lifetime of your account, plus up to 90 days after cancellation.
- Conversation logs: up to 12 months for service-quality and abuse-prevention purposes.
- FB Page tokens: until you disconnect the Page or delete your account.
- Rate-limit and abuse logs: up to 30 days.
- Payment records: held by Stripe per their retention rules.
7. Your rights
You can:
- Access the data we hold about you by emailing [email protected].
- Correct inaccurate data we hold about you.
- Delete your data at any time. See our Data Deletion page for the process.
- Disconnect connected services (Facebook Page, Google Calendar) directly from the dashboard.
- Export your knowledge base content on request.
8. Children
StillOpen is not intended for individuals under 13 years of age. We do not knowingly collect information from children under 13. If you believe a child has provided information to us, contact [email protected] and we will delete it.
9. Cookies and tracking
StillOpen does not set advertising or analytics cookies on the marketing site. The dashboard uses session cookies set by Clerk strictly for authentication.
10. Security
We use industry-standard practices including TLS in transit, encryption at rest, signed webhooks (HMAC-SHA-256 for Meta, signed tokens for Stripe), and short-lived OAuth state to protect your data. No system is perfectly secure, and we encourage you to report any suspected vulnerability to [email protected].
11. International users
StillOpen is operated from the United States. If you are accessing the service from outside the US, your information may be transferred to and processed in the US.
12. Changes to this policy
We may update this Privacy Policy from time to time. The "Effective" date at the top of this page reflects the latest version. Material changes will be communicated to account holders by email.
13. Contact
Questions or requests about this policy:
Cole Cummings
[email protected]