1. Introduction
This Privacy Policy describes how RNA Executive Solutions LLC (d/b/a BizPilot and MyBizPilot) ("BizPilot," "MyBizPilot," "we," "us," or "our") collects, uses, discloses, and protects information when you interact with our platform, services, and website at mybizpilot.com. RNA Executive Solutions LLC is the legal entity that owns and operates the MyBizPilot / BizPilot platform, SMS messaging services, and AI receptionist services. (The entity was previously filed as "Heartbeat Consultants LLC" and was renamed; all prior agreements and data remain under the renamed entity.)
BizPilot serves two audiences:
- Business Subscribers: Businesses (salons, spas, clinics, wellness studios) that use our SaaS platform and consulting services
- End Users: Customers of those businesses who interact with BizPilot-powered services (SMS, voice calls, online booking)
2. Information We Collect
2.1 Business Subscriber Information
- Account Information: Business name, address, contact details, owner/staff names and emails
- Service Catalog: Services offered, pricing, staff schedules, business hours
- Customer Records: Customer names, phone numbers, emails, visit history, spending data (as provided by you)
- Communications: SMS messages, call recordings, transcripts, email content sent through our platform
- Financial Information: Subscription tier, payment history (processed by Stripe; we do not store full card numbers)
- Brand Assets: Logos, brand guidelines, website content provided during onboarding
2.2 End User Information
- Phone Number: When you text or call a BizPilot-powered business number
- Message Content: SMS messages you send to inquire about appointments and services
- Voice Data: Call recordings when you interact with the AI phone receptionist
- Appointment Information: Name, preferred times, service preferences you provide
- Usage Data: Message timestamps, delivery status, interaction patterns
2.3 Website Visitors
- Analytics Data: Pages visited, time on site, referral source, browser type, device type, approximate location (via PostHog)
- Form Submissions: Name, email, phone, and business details submitted through contact or waitlist forms
3. How We Use Your Information
3.1 Service Delivery
- Operating the CRM, appointment booking, and customer management features
- Processing voice calls through the AI receptionist (recording, transcription, response generation)
- Sending and receiving SMS messages for appointment management
- Generating analytics, performance reports, and business insights
- Delivering consulting services (competitive analysis, brand strategy, SEO audits)
- Provisioning Google Workspace email for business subscribers
3.2 AI Processing
- Voice AI: Call audio is processed in real-time by ElevenLabs for AI voice responses and by OpenAI for transcription
- Chat AI: Customer queries and business context are processed by OpenAI (primary) and Anthropic (fallback) for generating AI chat responses
- Knowledge Retrieval: Call transcripts and business knowledge may be vectorized (converted to numerical representations) and stored in Pinecone for AI-powered knowledge retrieval
- No Model Training: Your data is not used to train third-party AI models. Our processor agreements prohibit this.
3.3 Product Improvement
- Analyzing aggregated, anonymized usage patterns to improve platform features
- Monitoring errors and performance via Sentry
- Tracking website engagement via PostHog analytics
4. Information Sharing and Sub-Processors
We do not sell, rent, or share personal information with third parties for marketing or promotional purposes.
We share information only with the following categories of recipients:
4.1 Sub-Processors
| Processor | Purpose | Data Shared |
| --- | --- | --- |
| Twilio | Voice & SMS infrastructure | Phone numbers, SMS content, call audio |
| ElevenLabs | AI voice agent | Call audio, conversation transcripts |
| OpenAI | AI chat & text processing | Customer queries, business context |
| Anthropic | AI chat (fallback) | Customer queries |
| Neon | Database hosting | All database records (encrypted at rest) |
| Render | Application hosting | Application data, environment variables |
| Stripe | Payment processing | Payment info, subscription data |
| Resend | Transactional email | Email addresses, email content |
| Google Workspace | Business email provisioning | Business email content |
| Sentry | Error monitoring | Error logs (may contain request data) |
| Pinecone | Vector database | Vectorized transcripts, knowledge embeddings |
| PostHog | Product analytics | Anonymized usage data, interaction events |
4.2 Business Partners
End user information is shared with the specific business you are interacting with (the salon, spa, clinic, etc. that uses BizPilot).
4.3 Legal Requirements
We may disclose information when required by law, regulation, or court order, or to protect our rights, safety, or property.
5. B2B Data Processing Relationship
For business subscribers, BizPilot acts as a data processor. The business subscriber is the data controller who determines the purposes and means of processing their customers' data. Our processing is limited to service delivery as described in the subscriber's Statement of Work.
Business subscribers are responsible for obtaining necessary consents from their customers for data collection and processing through BizPilot.
6. SMS/Text Messaging Privacy
SMS messaging services on the MyBizPilot platform are operated by RNA Executive Solutions LLC (d/b/a MyBizPilot) on behalf of the specific end business (salon, spa, clinic, or wellness studio) whose appointment or service the end user is booking. When end users opt in to receive SMS messages from a BizPilot-powered business:
- Every opt-in clearly identifies both the end business (the specific salon, spa, or studio) and the platform operator (RNA Executive Solutions LLC, d/b/a MyBizPilot) as described on our SMS Consent page
- Messages are transactional only — appointment confirmations, reminders, and post-visit review requests
- Message frequency: up to 4 messages per month, per end-business relationship
- Message and data rates may apply
- Opt out at any time by replying STOP to any message
- Reply HELP for assistance
- Mobile information and SMS opt-in data will not be shared with or sold to third parties or affiliates for marketing or promotional purposes under any circumstances
- Consent is not a condition of purchase or booking — end users may book without opting in to SMS
7. Analytics and Tracking
7.1 PostHog Analytics
We use PostHog for website and product analytics. PostHog collects:
- Page views and navigation paths
- Button clicks and form interactions
- Scroll depth and time on page
- Browser type, device type, and approximate location
- Referral sources and outbound link clicks
Analytics data is used to improve our website and product experience. We do not use this data to identify individual users for marketing purposes.
7.2 Cookies
We use the following cookies:
- Authentication cookies (httpOnly, secure): Required for platform login sessions
- Analytics cookies (PostHog): Used for aggregated usage analytics
We do not use third-party advertising cookies or tracking pixels.
8. Data Security
We implement industry-standard security measures including:
- Encryption: All data transmitted over HTTPS/TLS; database connections require channel binding
- Multi-Tenant Isolation: Row-Level Security (RLS) policies on all tenant-scoped database tables
- Authentication: JWT-based auth with httpOnly cookies; CSRF protection via custom headers
- SQL Injection Prevention: All queries use parameterized SQL
- Access Control: Role-based access; sensitive billing data in separate admin-only tables
- Input Validation: JSON schema validation on all API endpoints
- Monitoring: Real-time error detection and alerting via Sentry
9. Data Retention
| Data Category | Retention Period | Basis |
| --- | --- | --- |
| Customer contact info | Duration of service + 30 days | Service delivery |
| Appointment records | Duration of service + 30 days | Service delivery |
| SMS messages | Duration of service + 30 days | Service delivery, compliance |
| Call recordings | Per ElevenLabs retention policy | AI processing |
| Transcripts | Duration of service + 30 days | Knowledge retrieval |
| Analytics data | Duration of service + 90 days | Performance reporting |
| Payment records | 7 years | Tax/legal compliance |
| Error logs | 90 days | Debugging, security |
| Waitlist submissions | Until processed or 1 year | Sales pipeline |
Upon service termination or written request: active data is deleted within 30 days; backups are purged within 90 days.
10. Your Rights
10.1 All Users
You have the right to:
- Access: Request a copy of the personal information we hold about you
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your data (subject to legal retention requirements)
- Portability: Request your data in a standard, machine-readable format
- Opt-Out of SMS: Reply STOP to any message at any time
10.2 California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You may request the categories and specific pieces of personal information we have collected about you
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions
- Right to Opt-Out of Sale: We do not sell personal information. There is no need to opt out.
- Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
To exercise CCPA rights, contact us at support@mybizpilot.com with the subject line "CCPA Request." We will verify your identity and respond within 45 days.
10.3 Business Subscriber Data Rights
Business subscribers may export all their data at any time through the platform or by written request. We provide data in CSV or JSON format within 10 business days.
11. Data Breach Notification
In the event of a data breach affecting your personal information, we will:
- Notify affected business subscribers within 72 hours of becoming aware of the breach
- Provide details of the nature and scope of the breach
- Describe the measures taken to address the breach
- Cooperate with any required notifications to regulatory authorities or affected individuals
12. International Data Transfers
All data is processed and stored in the United States. Our infrastructure is hosted in US data centers (Render: US East; Neon: US). If you are accessing our services from outside the United States, you consent to the transfer of your data to the US.
13. Children's Privacy
Our services are not directed to individuals under 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to business subscribers. Changes will be posted on this page with an updated "Last Updated" date. Continued use of our services after changes constitutes acceptance.
15. Contact Us
For questions about this Privacy Policy, data practices, or to exercise your rights:
16. Consent
By using our platform, services, or website, you consent to the collection and use of information as described in this Privacy Policy and our Terms of Service.