Dealer AI HQ

Legal · Privacy Policy

Privacy Policy.

Effective May 22, 2026

Dealer AI runs the Dealership OS — autonomous BDC, voice, inventory, ads, service, and F&I — for car dealers. Running that OS means we touch real customer information, real phone calls, and real money. This policy explains what we collect, how we use it, who we share it with, and the rights you have over it.

01Scope and roles

This Privacy Policy applies to information processed by Dealer AI HQ, Inc. (“Dealer AI,” “we,” “us”) through the marketing site at dealeraihq.com, the Dealer AI dashboard, the dealer-facing rooftop sites we host on dealer subdomains and custom domains, the Dealer AI voice and SMS infrastructure, our APIs, and any related services (collectively, the “Service”).

Two different relationships

  • If you are a dealer (a customer of Dealer AI), Dealer AI is the “business” and you are the consumer for personal information about you and your team members (account info, billing, login activity).
  • If you are a customer of a Dealer AI dealer (a lead, a buyer, a service customer, a person who called the dealership), Dealer AI is acting as a “service provider” / “processor” for the dealership. The dealership is the controller of that information and decides how it is used. Privacy questions about that data should be directed to the dealership in the first instance, with Dealer AI as a backstop.

02Information we collect

Account and billing information

When a dealership signs up for Dealer AI we collect business contact information (name, work email, phone, dealership name, address), account credentials, and billing information. Payment card details are tokenized by our payment processor (Stripe) and never stored on Dealer AI servers.

Inventory, CRM, and operational data

To run the Dealership OS we ingest inventory feeds, lead records, deal jackets, appointment schedules, service tickets, ad-spend metrics, and DMS / CRM exports that the dealer chooses to connect. This data is the dealership’s and stays the dealership’s; we process it on the dealer’s instructions to make agents work.

Conversation data (calls, SMS, email)

The Service places, receives, and records inbound and outbound phone calls, sends and receives SMS, and sends and receives email on behalf of the dealership. We capture call recordings, real-time call transcripts, SMS message bodies, email bodies, sender/recipient identifiers, timestamps, delivery status, and call quality metadata. Recording and retention happen at the dealership’s direction (see §5).

Lead / consumer information

When a consumer interacts with a Dealer AI rooftop — by calling the dealership, filling a credit application, booking a service or sales appointment, or chatting with the dealer site agent — we process the information they provide. This can include name, contact details, vehicle of interest, trade-in information, employment and income (for credit pre-qualification), driver’s license images and SSN where the dealership has elected to collect those for credit pre-qualification, IP address, and device metadata.

Dealer AI does notcollect government identifiers (driver’s license number, SSN) on the marketing site at dealeraihq.com. Those fields exist only on dealer-hosted credit pre-qualification flows where the dealership is the controller and presents its own consumer-facing privacy notice.

Usage and device information

We collect IP address, browser type, device type, pages viewed, click events inside the dashboard, agent action logs, error reports, and similar telemetry to operate, secure, and improve the Service.

Information from third parties

We may receive information from inventory providers, CRM vendors, lead aggregators, identity verification services, credit-bureau soft-pull partners, and ad platforms that the dealership connects to Dealer AI. We use that information only to deliver the Service the dealership has asked us to deliver.

03How we use information

  • Provide and operate the Service — answer phones, route leads, run agents, deliver the dashboard, sync inventory, send confirmations, and produce analytics.
  • Authenticate users, prevent fraud, and protect the integrity of the Service.
  • Communicate with dealers about their account, service updates, billing, security incidents, and product changes.
  • Improve the Service and develop new features. When we use data to improve our own systems, we use aggregated or de-identified information wherever practical.
  • Comply with legal obligations, enforce our agreements, and respond to lawful requests from public authorities.
  • With the dealership’s permission, send marketing communications to people who have opted in.

04AI and model processing

The Service uses large language models, speech-to-text models, text-to-speech models, and embedding models hosted by third-party AI providers (currently OpenAI, Anthropic, xAI, and Vercel-hosted inference). Inputs to those providers can include lead records, call transcripts, SMS bodies, email bodies, inventory data, and operator instructions.

Dealer AI does notpermit our AI providers to use customer content to train their foundation models. Our enterprise agreements with OpenAI, Anthropic, and xAI carry zero-data-retention or no-training commitments consistent with their published business-tier terms. The dealer’s data is processed transiently to produce a response and is not used to make general-purpose models smarter.

Automated decisions

AI agents draft messages, suggest pricing actions, schedule appointments, and propose follow-ups. Material decisions — delivering a vehicle, extending credit, refunding a deposit, waiving a fee — require human review by the dealership unless the dealership has explicitly configured otherwise. The dealership remains responsible for the accuracy, fairness, and compliance of any action an agent takes on its behalf.

Output is not professional advice

Output from the Service is not legal, financial, tax, medical, or appraisal advice. AI systems can produce inaccurate or fabricated information (“hallucinate”). Dealers should review agent output before relying on it in a regulated transaction.

05Calls, SMS, and email

Recording and consent

Dealer AI records phone calls placed and received through the Service so the dealership can review, train staff, and audit AI behavior. The dealership is responsible for obtaining the consent required by the call-recording laws that apply to its jurisdiction and the jurisdictions of the parties on the call. This includes “all-party” (two-party) consent states such as California, Florida, Illinois, Maryland, Massachusetts, Montana, Nevada, New Hampshire, Pennsylvania, and Washington. Dealer AI provides configurable opening disclosures (“this call may be recorded for quality and training”) that the dealership can deploy on inbound and outbound flows.

SMS and TCPA

The dealership is responsible for obtaining and maintaining the prior express consent required to send SMS and place outbound calls under the Telephone Consumer Protection Act (TCPA), the Telemarketing Sales Rule, the CAN-SPAM Act, and state analogues. Dealer AI honors STOP / HELP / opt-out keywords automatically and exposes a per-lead unsubscribe control in the dashboard.

Email

Outbound email sent through Dealer AI carries a working unsubscribe link and the physical mailing address of the sending dealership, as required by CAN-SPAM. Dealer AI processes bounces, complaints, and unsubscribe events to protect deliverability and to honor opt-outs across the rooftop.

06How we share information

  • With the dealership. Information about a consumer who interacts with a Dealer AI rooftop is shared with the dealership that controls that rooftop.
  • With subprocessors who run pieces of our stack (hosting, telephony, AI inference, email delivery, analytics, payments). See §7.
  • For legal reasons. We may disclose information to comply with applicable law, lawful court orders or subpoenas, or law-enforcement requests; to protect our rights and property; or to protect the safety of our users or others.
  • In a corporate transaction. If Dealer AI is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction subject to commercially reasonable confidentiality obligations.
  • With consent.We may share information for any other purpose disclosed at the time we collect it, with the relevant party’s consent.
Dealer AI does not sell personal information for monetary consideration, and does not share personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act (CCPA/CPRA) or similar US state statutes.

07Subprocessors

Dealer AI relies on a small number of vetted vendors to run the Service. The current list, with the function each performs, is below. We update this list when we add or replace a subprocessor; material changes are reflected on this page.

  • Vercel — application hosting, edge delivery, image processing.
  • Neon — managed Postgres database (US region).
  • Twilio — telephony (PSTN inbound/outbound, SIP, SMS), real-time media streaming.
  • OpenAI — large-language-model and speech-to-speech inference (Realtime API), text-to-speech, transcription, and embeddings.
  • Anthropic — large-language-model inference (Claude family) for analysis, drafting, and policy checks.
  • xAI — large-language-model inference (Grok family) for select voice and analysis flows.
  • Resend — transactional and marketing email delivery, bounce/complaint handling.
  • Stripe — payment processing and billing.
  • Cloudflare — DNS, edge security, DDoS mitigation.
  • Sentry / Logtail — error monitoring and structured logging.
  • Google Workspace — internal email, calendar, and document storage for the Dealer AI team.

A current subprocessor list, with notice procedures, is available to enterprise customers under our Data Processing Addendum (DPA). Email legal@dealeraihq.com to request the DPA.

08Data retention

We retain information for as long as the dealership’s account is active and as needed to provide the Service. After an account is terminated, we delete or de-identify customer content within 90 days unless retention is required by law, required for fraud prevention, or required for the establishment, exercise, or defense of legal claims. Backups age out on a rolling 30-day cycle.

Dealers can configure shorter retention windows for call recordings and transcripts in the dashboard. Aggregated and de-identified analytics may be retained indefinitely.

09Security

We protect information with administrative, technical, and physical safeguards designed for the sensitivity of the data and the risks of the Service. These include encryption in transit (TLS 1.2+), encryption at rest (AES-256 for the primary datastore and call-recording bucket), strict role-based access for the Dealer AI team, hardware-backed MFA for production access, automated dependency scanning, and periodic third-party penetration testing.

No system is perfectly secure. If you believe an account has been compromised, contact security@dealeraihq.com immediately.

10Your rights

US state privacy rights

Depending on where you live, you may have the right to: know what personal information we hold about you; access and obtain a copy of that information; correct inaccurate information; delete personal information; opt out of any “sale,” “sharing,” or “targeted advertising” (we don’t do any of these — see §6); and not be discriminated against for exercising a right. California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia residents have these rights under their state statutes.

If you are interacting with a Dealer AI rooftop as a consumer (lead, buyer, service customer), please send rights requests to the dealership directly. The dealership is the controller of that information. We will assist the dealership in responding to verified requests.

For information that Dealer AI controls (e.g., information about you as a dealer-employee), submit a request to privacy@dealeraihq.com. We will verify your identity and respond within the time period required by your jurisdiction (typically 45 days). You may designate an authorized agent. We do not charge a fee for the first request in any 12-month period.

Appeal

If we deny your request you may appeal by replying to our response or emailing privacy@dealeraihq.com.

11Cookies and tracking

The marketing site uses a small set of first-party cookies and similar technologies for session management, preference storage, and aggregate analytics. The authenticated dashboard uses session cookies that are essential to operating the Service. We do not deploy third-party advertising trackers on dealeraihq.com or on dealer rooftop sites we host.

You can control cookies through your browser settings. Blocking some cookies will break parts of the Service that rely on them.

12International transfers

Dealer AI processes information in the United States. If you access the Service from outside the United States, your information will be transferred to, processed, and stored in the US. The US may have data protection laws that are different from those of your country. By using the Service or providing information to us, you consent to that transfer.

13Children

The Service is intended for use by dealerships and adults. We do not knowingly collect personal information from children under 16. If you believe a child has provided information to us, contact privacy@dealeraihq.com and we will delete it.

14Changes to this policy

We may update this Privacy Policy from time to time. The “Effective” date at the top of the page reflects the most recent change. For material changes we will provide additional notice — for example by emailing the dealership account contact or posting a notice in the dashboard.

15Contact

Dealer AI HQ, Inc.

Privacy: privacy@dealeraihq.com

Legal: legal@dealeraihq.com

Security: security@dealeraihq.com