PRIVACY POLICY

AGREEMENT TO OUR LEGAL TERMS

This Privacy Policy explains how Obsidian Labs (“Obsidian Labs,” “we,” “us,” or “our”) may access, collect, store, use, and share (“process”) information when you use our services (collectively, the “Services”), including when you:

Visit our website, landing pages, or any site that links to this Privacy Policy (the “Site”);

Use the Review & Referral Engine and related tools, automations, templates, dashboards, integrations, or support resources; or

Engage with us in other related ways, including sales, marketing, events, or support.

If you do not agree with this Privacy Policy, please do not use the Services.

Contact Us
Obsidian Labs
12001 Sunrise Valley Drive, Reston, VA 20191
Phone: 276-245-6428
Email: [email protected]

1. WHAT INFORMATION WE COLLECT

A. Information you provide to us

We collect personal information you voluntarily provide when you register for an account, purchase a subscription, configure your settings, submit forms, contact support, or otherwise interact with us.

Depending on how you use the Services, this may include:

Name, business name, job title

Email address, phone number, mailing address

Login credentials or authentication information (e.g., password, tokens)

Billing details and transaction history (note: payment card data is typically processed by a third-party payment processor rather than stored by us)

Preferences and settings (including communication preferences)

Content you input into the platform (message templates, workflows, tags, notes, etc.)

B. Client-provided “End Customer” information (uploaded or synced)

Because our Services automate review and referral outreach, our business customers may upload or sync contact information relating to their own customers/clients (often called “end customers”). This can include:

- Names

- Phone numbers

- Email addresses

- Appointment/service details (e.g., service date, invoice status, internal notes)

- Consent or opt-in status (if provided by the Client)

Important: In these situations, Obsidian Labs typically acts as a service provider processing this information on behalf of the business customer (the “Client”).

C. Information automatically collected

When you visit or use the Services, we may automatically collect information that does not necessarily reveal your specific identity but helps us operate and secure the Services, such as:

IP address

Device type, browser type, operating system

Language preferences

Referring URLs and pages viewed

Date/time stamps and interaction data

Diagnostic and performance data (errors, crash reports)

D. Cookies and similar technologies

We may use cookies, pixels, and similar tracking technologies to:

Keep the Services functioning

Remember preferences

Understand usage and performance

Improve marketing effectiveness (where permitted)

You can control cookies through your browser settings. If you disable cookies, certain features may not function properly.

E. Information from other sources

We may receive information from third parties such as:

Marketing partners (for lead attribution)

Public sources (business contact info)

Social platforms (if you choose to connect them)

Integration partners (as authorized by you/your Client)

2. HOW WE USE YOUR INFORMATION

We may process information for the following purposes:

- Provide and operate the Services (account access, automations, templates, dashboards, integrations)

- Account management and authentication

- Billing and transactions (through payment processors and invoicing tools)

- Customer support and responding to requests

- Service communications (administrative notices, security alerts, product changes)

- Security and fraud prevention (monitoring, abuse detection, troubleshooting)

- Analytics and product improvement (understanding how features are used)

- Marketing (where permitted by law and your preferences)

- Legal compliance (responding to lawful requests and enforcing rights)

- Review and referral messaging (core purpose)

For Clients using our automation features, we process end-customer contact data to:

- Send SMS, email, or other communications configured by the Client to request reviews or referrals

- Apply timing/cadence rules and opt-out suppression

- Track delivery and response events (e.g., delivered, clicked, opted out)

3. LEGAL BASES FOR PROCESSING (WHERE REQUIRED)

Where required by applicable law, we rely on one or more of the following legal bases:

- Contractual necessity (to provide the Services you requested)

- Legitimate interests (security, improving the platform, preventing fraud, communicating service updates)

- Consent (where required—especially for certain marketing communications or cookies)

- Legal obligations (tax, accounting, regulatory compliance, lawful requests)

If you are a Client uploading end-customer data, you are generally the “controller/business” and Obsidian Labs is generally a “processor/service provider” for that end-customer data, depending on the jurisdiction and the relationship.

4. WHEN AND WITH WHOM WE SHARE INFORMATION

We may share information in the following circumstances:

A. Service providers and vendors

We may share information with vendors that help us run the Services, such as:

Hosting and cloud infrastructure providers

Analytics and performance monitoring providers

Support tools (ticketing/helpdesk)

Payment processors

Messaging and email delivery providers

Security, fraud-prevention, and logging tools

We require service providers to protect information and use it only for the services they provide to us.

B. Integrations you enable

If you connect third-party integrations (e.g., CRM, calendars, review platforms), we may share data as needed to perform the integration based on your configuration and permissions.

C. Business transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction, subject to reasonable safeguards.

D. Legal requirements and protection

We may disclose information if required to comply with law, court orders, subpoenas, or lawful government requests, or to protect the rights, safety, and security of Obsidian Labs, our users, or others.

5. SMS / MOBILE OPT-IN DATA (NO SALE OR MARKETING SHARING)

If a Client uses our platform to send SMS messages, the Client (or the end customer) may provide a mobile number and opt-in status for messaging.

We do not sell or share mobile opt-in data for third-party marketing or promotional purposes.

We may share mobile numbers only with messaging vendors/sub-processors (and telecommunications carriers) strictly to deliver messages and provide the Services under contractual confidentiality and limitation obligations.

End users can typically opt out by replying “STOP” (or equivalent). We will make commercially reasonable efforts to suppress numbers upon an opt-out event, subject to the Client’s configuration and compliance obligations.

Note: The Client is responsible for obtaining legally valid consent to message end customers and for maintaining consent records.

6. AI-ASSISTED FEATURES (IF ENABLED)

If the Services include AI-assisted features (for example, suggested responses, content drafts, automation assistance, or similar), then:

Inputs you provide to AI features (and the outputs generated) may be processed to provide those features;

Such processing may involve third-party AI vendors used to deliver the functionality;

You should not input sensitive information you do not have the right to share.

If you wish to disable AI-assisted features (where available), you may do so in your account settings or by contacting support.

7. HOW LONG WE KEEP INFORMATION

We retain personal information for as long as necessary to:

- Provide the Services

- Maintain your account and settings

- Comply with legal obligations (tax/accounting)

- Resolve disputes and enforce agreements

- Maintain security, prevent fraud, and keep backups

- If you request deletion, we will take reasonable steps to delete or anonymize information, subject to legal requirements and operational constraints (e.g., backups, fraud prevention, or financial recordkeeping).

8. HOW WE KEEP INFORMATION SAFE

We use commercially reasonable administrative, technical, and organizational safeguards designed to protect information. However, no system is 100% secure, and we cannot guarantee absolute security. You are responsible for maintaining secure passwords and limiting account access.

9. INFORMATION FROM MINORS

Our Services are intended for users 18 years of age or older. We do not knowingly collect personal information from individuals under 18. If you believe a minor has provided information to us, contact us at [email protected].

10. YOUR PRIVACY RIGHTS

Depending on where you live, you may have certain rights regarding your personal information, such as:

- Accessing and obtaining a copy of your information

- Correcting inaccuracies

- Deleting information (subject to exceptions)

- Opting out of certain processing (e.g., targeted advertising where applicable)

- Limiting the use of sensitive information (where applicable)

- To exercise rights, contact us at [email protected]. We may verify your identity before fulfilling requests.

- Marketing choices

You can opt out of marketing emails by using the unsubscribe link in the email, or by contacting us. We may still send non-marketing messages (account, billing, security, or service updates).

11. DO-NOT-TRACK SIGNALS

Most browsers offer a Do-Not-Track (“DNT”) setting. Because there is no consistent industry standard, we do not currently respond to DNT signals.

12. UNITED STATES STATE PRIVACY DISCLOSURES

If you are a resident of certain U.S. states (including Virginia), you may have additional rights. We will comply with applicable state privacy laws based on your residency and our role (controller vs. processor/service provider).

Categories of information we may collect

Depending on usage, we may collect identifiers (name, email, phone), commercial information (transactions), internet activity (usage logs), and other categories described above.

“Selling” or “sharing” personal information

We do not sell personal information for money. If certain analytics/advertising tools are considered “sharing” under some state laws, you may have a right to opt out of targeted advertising. You may request opt-out by contacting [email protected].

13. INTERNATIONAL USERS

The Services are hosted in the United States. If you access the Services from outside the U.S., you understand that information may be transferred to and processed in the United States and other locations where our service providers operate.

14. UPDATES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. The updated version will be indicated by the “Last updated” date. If changes are material, we may provide additional notice (e.g., via email or in-app notice).

15. CONTACT US

If you have questions or requests regarding this Privacy Policy, contact:

Obsidian Labs
12001 Sunrise Valley Drive, Reston, VA 20191
Phone: 276-245-6428
Email: [email protected]