Privacy Policy

This policy explains what we collect, how we use it, who we disclose it to, and your choices.

Last updated: October 29, 2025

It applies to our websites, products, and services offered by Scotty AI, Inc. using the Calltree brand ("we", "us", "our").

1) Scope & our role

  • For most Service Data we handle on behalf of our business customers, they are the controller and we act solely as their processor/agent under our contract and their instructions.
  • For limited information we collect directly from business contacts through our sites or service administration, we are the controller.

2) What we collect

  • Business contact and account information — name, work email, phone, organization, role, preferences, and information you choose to share when you contact us.
  • Service Data — customer‑provided information and operational metadata needed to operate the service. We do not collect HR/employee data in the employment context under this policy.

3) How we use information

  • Deliver, secure, and maintain our AI customer‑service agent solutions.
  • Provide support and respond to requests.
  • Monitor performance, troubleshoot, and improve features.
  • Comply with law, enforce terms, and protect rights, safety, and users.

When we act as a processor, we handle Service Data only as permitted by our contract.

4) Disclosures to third parties

  • Service providers (processors) that operate and support our services (e.g., hosting, security, support).
  • Public authorities or other parties where required by law, including to meet national security or law‑enforcement requirements.
  • A successor in a merger, acquisition, or similar transaction.

We remain responsible for onward transfers to our agents under the DPF (see below).

5) International transfers and data location

We operate in the United States and the United Kingdom.

  • For UK customers, we store personal data in the UK by default.
  • If EU or UK personal data is accessed from or transferred to the United States (for example, for support), we rely on the EU‑U.S. Data Privacy Framework and the UK Extension to the EU‑U.S. DPF (also known as the UK‑US Data Bridge). For other cross‑border transfers, we may apply appropriate safeguards (such as the EU SCCs and, for UK data, the UK IDTA or UK Addendum) or restrict access to the region.

6) EU‑U.S. Data Privacy Framework and UK Extension — Non‑HR data

Scotty AI, Inc. complies with the EU‑U.S. Data Privacy Framework (EU‑U.S. DPF) and the UK Extension to the EU‑U.S. DPF as set forth by the U.S. Department of Commerce. Scotty AI, Inc. has certified to the U.S. Department of Commerce that it adheres to the EU‑U.S. Data Privacy Framework Principles with regard to personal data received from the European Union and the United Kingdom. If there is any conflict between this notice and the DPF Principles, the Principles govern. To learn more about the Data Privacy Framework program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Complaints and independent recourse (free). We will respond within 45 days to complaints at privacy@calltree.ai. If unresolved, you may file a complaint — at no cost to you — with our Independent Recourse Mechanism (IRM): JAMS Data Privacy Framework Program: https://www.jamsadr.com/DPF-Dispute-Resolution.

Binding arbitration. As a last resort, you may invoke binding arbitration under Annex I of the DPF.

Onward transfers. We require third‑party agents to provide at least the same level of protection as the DPF Principles, and we remain responsible as described above.

Public authorities. We may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law‑enforcement requirements.

Supervision. Scotty AI, Inc. is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Scope. Our DPF participation covers Non‑HR personal data only.

7) Your rights and choices

If we are the controller of your information (for example, business contact or account information), you may access, correct, delete, port, object to, or restrict certain processing by emailing privacy@calltree.ai. EU/UK individuals may request access to personal data we hold about them and request correction or deletion by emailing privacy@calltree.ai.

Choice for controller data. You may opt out of our disclosure of your personal data to any third party other than our agents/service providers, or our use of your personal data for a materially different purpose than it was collected for, by emailing privacy@calltree.ai. If we ever collect sensitive personal data, we will obtain opt‑in consent.

Service Data handled as a processor. For Service Data that we process on a customer's behalf, please contact that customer to exercise your privacy rights. We will assist them in responding to your request.

8) Security and retention

We apply administrative, technical, and physical safeguards appropriate to the nature of the data and retain personal data only as long as needed for the purposes above, to comply with law, or as set out in our contracts; then we delete or anonymise it.

9) Children

Our services are not directed to children under 16 and we do not knowingly collect their personal information.

10) Changes

We may update this notice. We will post the new date at the top and, if changes are material, provide additional notice.

11) Contact

Scotty AI, Inc. — Calltree brand
Attn: Privacy
Email: privacy@calltree.ai
221 Kearny Street, Fifth Floor, San Francisco, CA 94108