This Privacy Policy explains how Qualify Base (“Qualify Base”, “QualifyBase”, “we”, “us”, or “our”) collects, uses, discloses, stores, and protects personal information when you use our website at https://qualifybase.com and the QualifyBase platform, including our web application, APIs, integrations, AI agents, and related services (collectively, the “Service”).
QualifyBase is an AI-powered lead qualification and engagement platform for businesses (primarily dental clinics, health tourism agencies, and service providers) that automatically answers incoming leads across WhatsApp, Instagram Direct, Facebook Messenger, SMS, voice phone calls, and web chat; qualifies them using AI; follows up; books appointments; and hands off qualified leads to human sales representatives.
Data controller / operator:
Qualify Base
16192 Coastal Highway, Lewes, Delaware 19958, United States
Email: info@qualifybase.com
1. Summary of Key Points
- Two categories of users: (a) business customers that subscribe to QualifyBase (“Customers”), and (b) end-users / prospective patients that Customers communicate with via QualifyBase (“End Users” or “Leads”). For Lead data, the Customer is the data controller and QualifyBase is a data processor acting on the Customer's behalf.
- What we collect: account info, contact data, conversation messages, call audio and transcripts, lead qualification data, calendar availability, payment information, and technical usage data.
- OAuth integrations: We use Google OAuth (Google Calendar) and Meta OAuth (Facebook Pages, Instagram, Messenger) strictly to deliver the features you explicitly connect. We request only the minimum scopes required.
- Google API Services User Data: Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. See Section 7.
- Meta Platform data: We handle Instagram and Facebook Messenger data in accordance with Meta Platform Terms and Developer Policies. See Section 8.
- We do not sell your personal information. We do not use data received through Google OAuth or Meta OAuth for advertising, and we do not use it to train general-purpose AI/ML models.
- Your rights: You can access, correct, export, or delete your personal information. See Section 14.
- Data deletion: To request deletion of your personal data, follow the step-by-step instructions at https://qualifybase.com/data-deletion.
2. Information We Collect
2.1 Information you provide when creating an account
- Full name, email address, password (stored hashed), avatar (optional).
- Business / clinic name, business type, country, preferred language.
- Team member details when you invite colleagues (email, name, role).
- Notification preferences (email, WhatsApp, in-app).
2.2 Information you provide when configuring the Service
- AI agent configuration: agent name, system prompt, goals, required lead fields, working hours, language, voice settings, pricing/behavior rules.
- Knowledge base content: web URLs, uploaded PDFs and documents, FAQ pairs, free-text knowledge blocks.
- Channel credentials and connection tokens (encrypted at rest) for the channels you enable: phone numbers (Twilio), WhatsApp Business, Instagram / Facebook Page connections (via Meta OAuth), Google Calendar connections (via Google OAuth), web chat widget.
- Billing information (processed by Stripe; see Section 3).
2.3 Lead / End-User data processed on behalf of Customers
When a lead contacts a Customer through a channel connected to QualifyBase, or when a Customer uploads or imports leads, we process the following on the Customer's behalf:
- Contact details: name, phone number (normalized to E.164 format), email address, city, country, preferred language.
- Interest / intent data: requested treatment, service, budget, timeline, and any other fields the Customer configures.
- Message content: full text of inbound and outbound messages across all enabled channels (WhatsApp, Instagram DM, Facebook Messenger, SMS, web chat).
- Voice data: audio recordings and transcripts of inbound and outbound phone calls, call duration, call status, call metadata.
- Media attachments: photos (including dental/oral photos), documents, and other files that leads send.
- AI-generated data: lead scores, scoring rationales, AI overviews, conversation classifications, and suggested follow-ups.
- Appointment data: scheduled date/time, duration, timezone, notes, status (confirmed, cancelled, rescheduled, completed, no-show), and associated calendar event IDs.
- Behavioral metadata: conversation state, timestamps, reply windows (including the Instagram/Messenger 24-hour messaging window), follow-up history, delivery status.
Customers are responsible for (a) obtaining any legally required consent from Leads before communicating with them via QualifyBase, (b) displaying required notices (e.g. call recording disclosure, AI-agent disclosure where required), and (c) ensuring they have a lawful basis to upload or process Lead data.
2.4 Information collected automatically
- Log data: IP address, browser type and version, operating system, device type, referring pages, pages visited, date/time of requests, error traces.
- Authentication cookies and session tokens (HTTP-only, strictly necessary) managed via Supabase Auth.
- Security events: login attempts, failed logins, session activity.
- Product usage: features used, buttons clicked, routes visited, to help us improve the Service.
2.5 Information collected from third parties
- Google (if you connect Google Calendar): free/busy availability, calendar event metadata (summary, date/time, attendees you add) — used solely to read availability and create/update appointment events you explicitly trigger. See Section 7.
- Meta (Facebook / Instagram) (if you connect a Page / IG account): Page id and name, Instagram business account id, inbound DMs, Messenger conversations, sender user ids, and message metadata — used solely to deliver and respond to messages through the channels you explicitly connect. See Section 8.
- Stripe: subscription status, payment method type, billing country, invoice status. We do not receive full card numbers.
3. Third-Party Services / Sub-processors
We rely on carefully selected sub-processors to deliver the Service. Each sub-processor is contractually bound to protect personal information and to process it only in accordance with our instructions.
| Sub-processor | Purpose | Categories of data | Location |
|---|---|---|---|
| Supabase, Inc. | Primary database (PostgreSQL), authentication, object storage for media files | Account data, contacts, messages, transcripts, images, audio recordings, documents | EU / US (region dependent) |
| Render Services, Inc. | Web application and background worker hosting, cron job execution | HTTP request logs, deployment logs, job metadata | United States |
| ElevenLabs, Inc. | Conversational AI voice agent, speech-to-text, text-to-speech, WhatsApp relay | Conversation transcripts, call audio, lead variables (name, phone, interest) | United States |
| Twilio, Inc. | Phone number provisioning, voice call routing, SMS delivery | Phone numbers, SMS content, call metadata | United States |
| Anthropic, PBC (Claude API) | AI lead scoring, call summarization, conversation analysis | Conversation transcripts, lead metadata used for scoring | United States |
| Meta Platforms, Inc. | Instagram Direct, Facebook Messenger, WhatsApp Cloud API | Messages, sender ids, page / IG account metadata, access tokens | United States / Global |
| Google LLC | Google Calendar API for appointment scheduling | Free/busy slots, calendar event details, refresh/access tokens | United States / Global |
| Stripe, Inc. | Billing and payment processing | Business name, billing email, payment method, usage metrics | United States |
A current list of sub-processors is available from info@qualifybase.com upon request.
4. How We Use Information
- To provide, operate, and maintain the Service, including routing messages, placing and receiving calls, running AI agents, scoring leads, and creating appointments.
- To authenticate users, protect accounts, and enforce access controls.
- To communicate with Customers about their account, billing, security, product updates, and support.
- To process payments and manage subscriptions.
- To improve, test, and monitor the Service, including debugging, error tracking, and product analytics performed on aggregate or pseudonymized data.
- To comply with legal obligations, enforce our Terms of Service, prevent fraud, and protect the rights, safety, and property of Qualify Base, Customers, and End Users.
We do not: (a) sell personal information; (b) use data obtained via Google OAuth or Meta OAuth for advertising; (c) use Customer or Lead data to train general-purpose AI or ML models; or (d) share Lead data with any party except the sub-processors listed in Section 3, strictly for the purposes stated.
5. Legal Bases for Processing (EEA / UK)
- Performance of a contract — to provide the Service you requested.
- Legitimate interests — to secure, improve, and support the Service, and to prevent abuse.
- Consent — where required (e.g. optional marketing communications, or where the Customer has obtained consent from its Leads).
- Legal obligation — to comply with applicable laws and lawful requests.
6. AI and Automated Processing
QualifyBase uses large language models and conversational AI to respond to leads, classify conversations, extract structured data, and generate lead scores. Specifically:
- ElevenLabs Conversational AI is used to generate voice agent responses, transcribe calls, and relay text conversations. The full conversation (messages and/or audio) is sent to ElevenLabs only for the duration of the active session or to produce post-call transcripts.
- Anthropic Claude is used to score leads (interest, qualification, urgency, engagement, buying signal), summarize calls, and extract contact fields. Only the data necessary for the scoring task is sent (e.g. the most recent ~50 messages of a conversation and the agent's goals).
- Our AI vendors have contractually committed not to train their foundation models on QualifyBase Customer or Lead data.
Where required by local law, Customers must disclose to Leads that they may be interacting with an AI system and that calls may be recorded.
7. Google User Data (Google OAuth & Limited Use)
QualifyBase's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
7.1 Scopes we request
https://www.googleapis.com/auth/calendar.readonly— to read your Google Calendar free/busy slots so the AI agent can offer available appointment times.https://www.googleapis.com/auth/calendar.events— to create, update, and cancel calendar events that correspond to appointments booked through QualifyBase.
We request only the minimum scopes necessary to deliver the feature you connect. If Google offers a more narrowly scoped alternative in the future that meets our functional needs, we will migrate to it.
7.2 How we use Google user data
- Read free/busy availability from the calendar you explicitly connected, to show available appointment slots.
- Create calendar events when a lead books an appointment through QualifyBase, including a title, date/time, duration, lead name, phone, and treatment/service interest in the event description.
- Update or cancel those events if the lead reschedules or cancels.
7.3 How we store Google user data
- OAuth access tokens and refresh tokens are stored encrypted at rest in our database (Supabase) and are used only to call the Google Calendar API on your behalf.
- Calendar event identifiers (
external_event_id,google_calendar_id) are stored so we can update events later. - We do not store the full contents of your calendar, and we do not read calendar events that were not created by QualifyBase except to determine free/busy availability.
7.4 How we share Google user data
We do not sell, rent, or share Google user data with third parties. Google user data is not used for advertising. Google user data is not used to train generalized AI/ML models. Google user data may only be transferred to sub-processors listed in Section 3 to the extent strictly necessary to provide the Service you requested.
7.5 Revoking access
You can revoke QualifyBase's access to your Google account at any time from within the QualifyBase dashboard (Setup → Calendar → Disconnect) or directly at https://myaccount.google.com/permissions. When you disconnect, we stop making API calls and delete the stored OAuth tokens.
8. Meta Platform Data (Facebook / Instagram / Messenger)
QualifyBase integrates with Meta Platforms to let Customers respond to messages from their Instagram Business accounts and Facebook Pages. This integration is governed by Meta's Platform Terms, Developer Policies, and applicable Messenger & Instagram Graph API policies.
8.1 Permissions we request
pages_show_list— to list the Facebook Pages you manage so you can select one to connect.pages_manage_metadata— to subscribe the selected Page to webhook events so we can receive incoming messages.pages_messaging— to send and receive Facebook Messenger messages on the connected Page.instagram_basic— to identify the Instagram Business account linked to the connected Page.instagram_manage_messages— to send and receive Instagram Direct messages on the connected account.
8.2 How we use Meta platform data
- Receive incoming Messenger and Instagram Direct messages in real time.
- Generate and send responses from the Customer's AI agent or human reps, within the 24-hour standard messaging window imposed by Meta.
- After the 24-hour window, we only send messages that comply with Meta's messaging rules (e.g. using the
HUMAN_AGENTtag where permitted and explicitly triggered by a human). - Display incoming conversations in the Customer's dashboard and unified inbox.
8.3 How we store Meta platform data
- Page access tokens and Instagram user access tokens are stored encrypted at rest.
- Message content, sender identifiers, and timestamps are stored in the Customer's isolated database tenant (protected by row-level security).
- Media attachments (images, voice notes) sent via Messenger/Instagram are downloaded and stored in Supabase object storage so the Customer can reference them later.
8.4 How we share Meta platform data
We do not sell Meta platform data. We do not use Meta platform data for advertising. We do not use Meta platform data to train general AI/ML models. Meta platform data is shared with sub-processors (Section 3) only as strictly necessary to deliver the Service — for example, passing message text to ElevenLabs or Anthropic to generate an AI reply to the lead.
8.5 Revoking access
You can revoke QualifyBase's access to your Meta Pages / Instagram at any time from the QualifyBase dashboard (Setup → Channels → Disconnect) or from your Facebook Business Integrations page at https://www.facebook.com/settings?tab=business_tools. When you disconnect, we stop making API calls and delete the stored OAuth tokens.
8.6 User data deletion instructions (Meta requirement)
To request deletion of data QualifyBase has received from Meta platforms about you, see our dedicated Data Deletion Instructions page. In summary: disconnect the integration as described above and email info@qualifybase.com from the email address associated with your account with the subject “Data Deletion Request”. We will delete all associated data within 30 days and confirm deletion.
QualifyBase also implements Meta's automated Data Deletion Callback at https://qualifybase.com/api/webhooks/meta/data-deletion. When a user triggers the “Remove QualifyBase” flow from their Facebook or Instagram settings, Meta sends a signed request to this endpoint, we verify the signature with our App Secret, generate a confirmation code, and return a URL where the user can check the status of the deletion.
9. WhatsApp Business Data
When a Customer connects WhatsApp Business (either directly via Meta's WhatsApp Cloud API or via ElevenLabs' WhatsApp relay), QualifyBase processes inbound and outbound WhatsApp messages on the Customer's behalf. Message content, sender phone numbers, timestamps, and any media attachments are stored in the Customer's tenant. WhatsApp data is handled in accordance with Meta's WhatsApp Business Policy and is subject to the same confidentiality, non-advertising, and no-ML-training commitments described in Sections 7 and 8.
10. Cookies and Similar Technologies
QualifyBase uses only strictly necessary cookies to operate the Service. Specifically:
- Authentication cookies (HTTP-only, Secure) issued by Supabase Auth to keep you signed in. Expiration: session & refresh token lifetime.
- Preference cookies (e.g. sidebar collapsed state). No personal identifiers.
- Security cookies for CSRF protection.
We do not use third-party advertising cookies and we do not operate any advertising network. We do not run cross-site tracking. If we add product analytics in the future (e.g. PostHog), we will update this policy and, where required, present a cookie banner with a consent choice.
11. Data Retention
- Account data is retained for as long as the Customer has an active subscription, and for up to 90 days after termination to allow reactivation, unless the Customer requests earlier deletion.
- Lead / contact data, messages, transcripts, and recordings are retained for as long as the Customer keeps them in the Service. Customers may delete individual contacts, conversations, or call recordings at any time from the dashboard. Deleted items are purged from primary storage immediately and from backups within 30 days.
- OAuth tokens (Google, Meta) are retained until the Customer disconnects the integration or the Customer's account is deleted, after which they are purged.
- Billing records are retained as required by applicable tax and accounting laws (typically 7 years).
- Security logs are retained for up to 12 months.
12. Security
- All data is transmitted over TLS 1.2+ (HTTPS).
- Data is encrypted at rest in our database and object storage.
- OAuth access and refresh tokens and other channel credentials are encrypted with application-layer encryption before being persisted.
- Multi-tenant isolation is enforced at the database level via PostgreSQL row-level security (RLS), so a Customer can only access its own organization's data.
- Role-based access control separates admins from sales reps within a Customer organization.
- We enforce least-privilege access for employees and require strong authentication for internal tooling.
- We maintain backups and a documented incident-response procedure.
No system is perfectly secure. If we become aware of a personal data breach affecting your information, we will notify you and the appropriate regulators as required by applicable law.
13. International Data Transfers
QualifyBase is operated from the United States. Your information may be processed in the United States, the European Union, and other countries where our sub-processors operate. Where we transfer personal data from the EEA, UK, or Switzerland to a country that has not been recognized as providing adequate protection, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses.
14. Your Rights
Depending on your location, you may have the following rights regarding your personal information:
- Access — obtain a copy of your personal data we hold.
- Rectification — correct inaccurate or incomplete data.
- Erasure (“right to be forgotten”) — request deletion of your data.
- Restriction — limit how we process your data.
- Objection — object to processing based on legitimate interests.
- Portability — receive your data in a structured, machine-readable format.
- Withdraw consent — where processing is based on consent.
- Lodge a complaint with your local supervisory authority.
To exercise any of these rights, email us at info@qualifybase.com. If you are an End User / Lead, please direct your request to the business that contacted you; we will support that business in fulfilling your request.
Data deletion requests: For detailed, step-by-step instructions on how to request deletion of your personal data — including data received from Meta platforms (Facebook, Instagram, Messenger, WhatsApp) — please visit our dedicated Data Deletion Instructions page at https://qualifybase.com/data-deletion. We process all valid deletion requests within 30 days.
California residents (CCPA / CPRA): You have the right to know the categories of personal information we collect, use, disclose, and sell (we do not sell), the right to delete, the right to correct, the right to limit the use of sensitive personal information, and the right not to be discriminated against for exercising these rights.
15. Children's Privacy
QualifyBase is not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided personal information to us, please contact info@qualifybase.com and we will promptly delete it.
16. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced in the product and/or by email to Customers before they take effect. The “Last updated” date at the top indicates when the policy was last revised. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
17. Contact Us
For any privacy-related questions, requests, or concerns, please contact:
Qualify Base
16192 Coastal Highway, Lewes, Delaware 19958, United States
Email: info@qualifybase.com