Privacy Policy.

This Privacy Policy explains how Ravari AI (“we,” “us”) collects, uses, retains, shares, and protects information from visitors to ravarisolutions.com, prospects we engage in outbound, demo participants, and clients we serve. Ravari AI is a Wyoming trade name of Hadley Holdings LLC, the operating entity for all legal purposes. We keep this policy short and concrete; if anything is unclear, email ravari2025@gmail.com.

Quick map of who you are: if you are a visitor read §§1–6, 8, 17–20. If you are a prospect or demo participant add §§9–12. If you are a California resident add §§7 and 8. If you are in the EU/UK add §§7 and 16. If you are a client, the Service Agreement we signed with you controls; this policy describes our default posture.

1. Who we are & how to contact us

• Operator: Hadley Holdings LLC, a Wyoming limited liability company, operating under its Wyoming trade name “Ravari AI” (Reg. No. 2026-001895710). Online business — no physical storefront.
• Phone: +1 (386) 270-5505
• Email for privacy & data-subject requests: ravari2025@gmail.com (subject line “Privacy Request” — we acknowledge within 5 business days and respond within the timeframes in §7).
• Mailing address for legal service: Hadley Holdings LLC — d/b/a Ravari AI, 30 N Gould St Ste N, Sheridan, WY 82801.

2. What we collect

2.1 When you visit the website

• Standard request data — IP address, user agent, pages viewed, referrer, timestamps, language. Used for security, abuse prevention, and basic traffic understanding. Held by our hosting provider (Cloudflare Pages) under their standard logs retention.
• Analytics (only when enabled and you consent where required) — aggregate page-view and click data via Google Analytics 4 and/or Meta Pixel. We do not collect special-category data through analytics.

2.2 When you book a 15-minute audit call

We collect what the booking form asks for — name, email, phone, business name, and any notes you write. This information lives in our CRM (GoHighLevel) and is used solely to schedule and conduct the call, send you a confirmation, and follow up if you ask.

2.3 When you try the live AI Receptionist demo

To place the demo call you provide your name, business, industry, mobile number, and email, and you tick a consent checkbox. The call is recorded so we can email you a recap. Recordings are auto-deleted from our active systems after 30 days unless you request a copy be retained. Consent records (the form submission with timestamp, IP, and language) are retained for at least 4 years as required for TCPA defense.

2.4 When you become a client

We process the data you give us to deliver the service: business hours, service area, pricing rules, FAQ content, escalation rules, and read-only or operator-level access to your CRM, calendar, and phone system as the configuration requires. We do not access more than the work requires and we do not retain copies after disengagement (see §6).

2.5 LinkedIn outbound

If we connect with you on LinkedIn, the data we use comes from your public profile and our research notes (e.g., observed Google-review themes). You can ask us to delete those notes at any time — see §7.

2.6 Categories of personal information (CCPA mapping)

For California residents, the categories we may collect map as follows. We do not use any of this for cross-context behavioral advertising and we do not sell personal information for monetary consideration.

Category (Civ. Code §1798.140)	Examples	Source
A. Identifiers	Name, email, phone, IP address, online identifiers	You; your browser
B. Customer-records info	Business name, mailing address (if provided)	You
F. Internet activity	Pages viewed, referrer, timestamps, click events	Your browser
G. Geolocation (general)	Approximate location derived from IP	Your browser
H. Audio & visual	Demo-call recordings, transcripts	You (with consent)
K. Inferences	Lead-quality scoring, qualification status	Derived from above
L. Sensitive PI (SPI)	None routinely. If a demo caller spontaneously discloses account credentials or similar SPI, the segment is redacted before transcript storage.	You (incidental)

3. How we use the data

• Schedule and conduct calls you have asked for.
• Operate the services you have hired us for.
• Send confirmations, recaps, and follow-ups directly related to your request.
• Improve our website and services through aggregated, non-identifying analytics.
• Comply with law and respond to lawful requests.
• Defend our legal rights, investigate fraud, and enforce our Terms.

What we do not do: we do not sell personal information for money, we do not share it with advertisers for cross-context behavioral advertising, we do not train any third-party AI model on your conversations, and we do not use demo recordings or client call audio to fine-tune any general-purpose model.

4. Processors & vendors

We use a small set of vendors to run the business. Each one processes data only on our instructions and under their own enterprise privacy commitments. We will update this list when we add or change a processor in a way that meaningfully affects how your data is handled.

Processor	Purpose	Data class
Cloudflare	Website hosting, DNS, edge security, analytics	Request logs (IP, user agent, URL)
GoHighLevel (LeadConnector)	CRM, calendar, forms, voice agent, SMS, email	Contact details, call recordings, transcripts, conversation logs
Google Analytics 4	Aggregate site analytics (when enabled)	Anonymized usage events
Meta (Facebook) Pixel	Aggregate ad attribution (when enabled)	Anonymized usage events
Google Workspace	Internal email, shared docs	Email correspondence with you
OpenAI / Anthropic / ElevenLabs	LLM inference, voice synthesis powering the AI agents	Prompts, conversation snippets — no training on Ravari data per their enterprise terms
Twilio (via GoHighLevel)	SMS / voice carrier transit	Phone numbers, message bodies, call metadata

5. Cookies, GPC & analytics

The site uses:

• Strictly necessary: Cloudflare may set a small cookie or token to detect bots and DDoS. These are not used for tracking.
• Analytics & advertising: if Google Analytics 4 or Meta Pixel is enabled, those vendors set their own cookies/identifiers. In jurisdictions that require consent (EU/UK/EEA, and California for “share/sell”), we will not initialize these tools without your explicit opt-in.

Global Privacy Control. We honor the Global Privacy Control (GPC) browser signal as a valid opt-out of sale/sharing under the CCPA/CPRA and as an objection signal under GDPR/UK GDPR. If your browser sends GPC, we will not load advertising cookies or pixels for that session.

6. Retention

• Website logs: as long as Cloudflare retains them (typically 7–30 days).
• Demo call recordings: 30 days, then auto-deleted from our active systems.
• CRM contact records (prospects): until you ask us to delete them, or 24 months of inactivity, whichever comes first.
• CRM contact records (clients): for the duration of the engagement plus 24 months for tax/audit reasons. Call recordings and transcripts under the Client Service Agreement default to 90-day retention, configurable.
• TCPA / written consent records: minimum 4 years from collection (defends against the 4-year statute of limitations).
• Backups: may persist beyond active deletion for up to 35 days before they roll off.

7. Your rights (universal, CCPA, GDPR)

7.1 Universal

Regardless of where you live, you can ask us to:

• See what we hold about you.
• Correct anything inaccurate.
• Delete what we hold (subject to legal retention).
• Opt out of marketing emails or follow-up SMS — every message we send carries a stop instruction; replying STOP to any SMS works as well.
• Take your data — we will export it in a common, machine-readable format.
• Lodge a complaint with a regulator.

7.2 California residents (CCPA / CPRA)

You have the right to: know (categories collected, sources, purposes, disclosures), access, delete, correct, portability, opt out of sale or sharing (we don't sell, but we honor the right), limit use of sensitive personal information, and non-discrimination for exercising any right. You may use an authorized agent. We respond within 45 days (extendable once by 45 days with notice). Verification: we will ask for two data points that match what we already hold; we will not require account creation. Metrics on requests received in the prior calendar year are available on request.

7.3 EU / UK / EEA residents (GDPR / UK GDPR)

Lawful bases we rely on: consent (analytics, marketing, demo recording), contract (delivering services), legitimate interests (security, fraud prevention, operating and improving our services), legal obligation (tax, recordkeeping, lawful requests). You have the rights to access, rectification, erasure, restriction, portability, objection, and to withdraw consent at any time without affecting prior processing. We respond within one month (extendable by two months for complex requests).

If we are not your natural controller (e.g., we process on a client's behalf in a Service Agreement), we will route your request to that controller and notify you who that is. We are not currently established in the EU/UK and do not actively target EU/UK consumers; if you are reading from there and want to interact, your data will be handled per this policy.

7.4 Other US states

Residents of Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, Virginia, and any state with a comprehensive privacy law in force as of your request date have the substantively similar rights to access, delete, correct (where the law provides), portability, opt out of targeted advertising / sale, and (where applicable) opt out of profiling for decisions producing legal or similarly significant effects. Send the same request to the email in §1.

Send any request to ravari2025@gmail.com. Subject line: “Privacy Request — [Right Requested].”

8. Do Not Sell or Share / Limit Use of SPI (California)

We do not sell personal information for monetary consideration. We do not engage in cross-context behavioral advertising in any way that would constitute “sharing” under CCPA/CPRA. To the extent any future change to our practices would, we will (a) update this section, (b) provide a clear “Do Not Sell or Share My Personal Information” opt-out link, and (c) honor the GPC signal as described in §5. To exercise the right to limit use of sensitive personal information, email us at the address in §1 with subject line “Limit Use of SPI.”

9. AI processing & automated decisions

The AI Receptionist, AI Texter, Review AI, and Cold Lead Reactivation services use third-party large language models and voice models to generate responses, draft messages, score sentiment, and surface qualified leads. None of these systems make solely automated decisions producing legal or similarly significant effects about a consumer (Article 22 GDPR / California ADMT regulations). In particular:

• The AI receptionist does not deny service, set price, qualify creditworthiness, or finalize transactions.
• The AI texter does not finalize sales or commitments without a human on the client side.
• The Review AI sentiment-gate does route customers to either a public review request or a private feedback path; this is a routing decision, not a consequential one, and the customer always has the option to leave a public review independently.

If your jurisdiction grants you a right to information about automated decision-making (CCPA ADMT regs, Article 22 GDPR), you may request a plain-English description of the logic involved and request human review by emailing the address in §1.

10. AI voice & bot disclosure

Per the FCC's February 2024 declaratory ruling, AI-generated voices are “artificial” voices under TCPA §227(b). Per California SB 1001 (Bot Disclosure Law), Utah's UAIPA, and analogous state rules, automated agents must self-identify in commercial conversations.

• The AI Receptionist opens every call with: “Hi, this is the automated assistant for [Client]. This call may be monitored or recorded.”
• The AI Texter discloses on the first message of any new conversation that responses are handled by an automated assistant on behalf of the client business.
• If you ask the agent at any point whether it is a human or AI, the agent will answer truthfully.

Where the AI Receptionist is operated for a client, the client is the caller of record under TCPA and bears the consent and disclosure obligations on the lists they connect; we are the technical processor.

11. Call recording (two-party consent posture)

Although federal law (18 USC §2511) requires only one-party consent, multiple states require all-party consent: California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Oregon, Pennsylvania, and Washington. Because we operate nationally and our callers and clients span those states, we treat all-party consent as our default. The opening line in §10 above is engineered to satisfy that bar. If you ask not to be recorded, the agent disables recording for the remainder of the call. Demo-call recordings are deleted on the schedule in §6.

12. SMS & messaging compliance

SMS programs operated through Ravari follow CTIA Messaging Principles & Best Practices and applicable carrier rules:

• Opt-in disclosure: “Msg & data rates may apply. Msg frequency varies. Reply HELP for help, STOP to cancel.” plus links to this policy and the Terms at the point of opt-in.
• STOP keywords honored: STOP, END, QUIT, CANCEL, UNSUBSCRIBE, OPTOUT, REVOKE, and any reasonable variation. Removal is immediate; suppression propagates within 10 business days under FCC rules.
• HELP keyword returns the program name, sender identity, and contact for support.
• Quiet hours: 8:00 a.m. – 9:00 p.m. called-party local time, per 47 CFR §64.1200(c)(1).
• 10DLC (A2P): client is the registered Brand on The Campaign Registry; Ravari operates as the Reseller via GoHighLevel.

13. Security

We treat security as part of the work, not a footnote. Specifically:

• API tokens and credentials are stored in OS-level credential managers (Windows DPAPI), never on disk in plain text.
• Internal scripts that talk to vendor APIs are pinned to vendor hostnames and use HTTPS only.
• The public website is served from Cloudflare Pages with a strict Content Security Policy and no server-side execution.
• Demo call recordings auto-delete on a 30-day timer.
• Vendor API tokens rotate on a 90-day cadence and immediately on any suspected exposure.
• Multi-factor authentication is required on all administrative accounts (Cloudflare, GoHighLevel, Google Workspace).
• Code changes go through an adversarial security review before reaching production.

Security disclosure. If you discover what looks like a security issue, email ravari2025@gmail.com with “Security” in the subject line. We acknowledge within 48 hours and respond to high-severity reports within 5 business days. We will not pursue legal action against good-faith researchers who follow standard coordinated-disclosure norms.

14. Children's data (COPPA)

The site is not directed at children under 13 (or under 16 in jurisdictions that set the bar there). We do not knowingly collect data from children. If you believe we have, contact us and we will delete it.

15. Healthcare data (HIPAA carve-out)

The standard Ravari deployment is not HIPAA-compliant and clients must not transmit individually identifiable health information through Ravari workflows without first executing a separate Healthcare Addendum and Business Associate Agreement with us. If you are a covered entity (clinic, dental, chiropractic, etc.) and need a HIPAA-aligned configuration, raise it on the audit call and we will scope a separate engagement on enterprise tiers of all underlying processors with the necessary BAAs in place.

16. International transfers

We are based in the United States. Our processors are largely U.S.-based. If you are in the EU, UK, or another region with data-export rules, by using the site or contacting us you understand your data may be transferred to and processed in the United States. We rely on the EU-US Data Privacy Framework where the recipient is self-certified and on the European Commission's 2021 Standard Contractual Clauses (and UK Addendum where applicable) as the contractual safeguard, plus a transfer-impact assessment when required.

17. Payment data scope (PCI)

We do not collect, transmit, or store payment-card numbers. Where invoicing involves card payment, the card data is captured directly by a PCI-DSS Level 1 service provider (e.g., Stripe via GoHighLevel) and never touches Ravari systems. We rely on the provider's PCI compliance and request their attestation on demand.

18. Changes to this policy

We will post any material change here and update the “Effective & last updated” date at the top. We do not email all past contacts about every minor wording change — but if a change meaningfully affects how we handle your data, we will email active contacts with the substantive update.

19. Governing law & jurisdiction

This policy is governed by the laws of the State of Wyoming, United States, without regard to conflict-of-laws principles. Disputes about this policy are subject to the dispute-resolution clause in our Terms of Service, which controls. Data-breach notifications to affected Wyoming residents are made in accordance with the Wyoming Data Breach Notification Act, W.S. § 40-12-501 et seq.; notifications to residents of other states follow those states' statutes.

20. Contact & complaints

Privacy or data-subject requests: ravari2025@gmail.com (subject “Privacy Request”).

Regulators:

• EU/UK/EEA: your local Data Protection Authority. UK: Information Commissioner's Office (ICO).
• California: California Privacy Protection Agency (CPPA).
• US Federal: FTC consumer complaint portal.