Legal
Privacy Policy
Last updated

What we actually do with your data

Your data is yours, not ours. We don't sell it, we don't share it with third parties for marketing, and we never train AI on it.

We don’t sell it. We don’t hoard it. We don’t train AI on it. Here’s exactly what we do with it:

  • We use it to coach YOU. Period.
  • We aggregate anonymous patterns across users to show you market trends ("top buyer objections in your area this month") — but no other user ever sees YOUR data.
  • Export anytime. Delete anytime.

No fine print. Your data shapes YOUR business.

Read the full legal version below

This Privacy Policy is the legal text. For the plain-English version of how we think about your data, see Our Promise to Agents.

Version: v0.1 STARTER — attorney review pending
Last updated: May 13, 2026
Status: Draft for Google OAuth verification publication. Binding final version will supersede this document after attorney review (target: post-May 10, 2026 Phase 2 budget gate).


A note before we begin

We wrote this policy in plain language first. Every section starts with a one-sentence summary so you can scan quickly, then read deeper if you want. If anything here is unclear, email us and we will fix it.

This is a STARTER version (v0.1). It reflects our actual data practices as of launch, but it has not yet completed formal attorney review. We are publishing it because Google OAuth verification, Twilio trust-hub onboarding, and several partner integrations all require a live, publicly hosted privacy policy URL. When attorney-reviewed v1.0 ships, it will replace this document and we will notify users per Section 10.


1. Who we are

Summary: GigiGuides.Ai is operated by Giant Guidance Inc. You can reach us at the contact address below.

Legal entity: Giant Guidance Inc. ("Giant Guidance," "we," "us," "our")

Product name: GigiGuides.Ai (also referred to as "GigiGuides" or "GiGi")

Product description: GigiGuides.Ai is an AI-powered coaching, compliance-advisory, and team-visibility platform built for real estate professionals, brokerages, mortgage brokers, and title companies. "GiGi" is our conversational coaching persona.

Mailing address: 6276 S Cook St, Centennial, CO 80121, United States

Privacy contact email: privacy@gigiguides.ai (aliased to our founder inbox during MVP-1; dedicated team address at Phase 2)

General contact email: hello@gigiguides.ai (aliased to our founder inbox during MVP-1)

Data Protection Officer / Privacy Lead: Bradley Holcomb, Founder & CEO, Giant Guidance Inc. (formal DPO appointment will transition to a dedicated role at Phase 2)

If you have a privacy question, a data access request, or a complaint, write to privacy@gigiguides.ai. We respond within 15 business days at the latest; most requests are handled within 5.


2. Information we collect

Summary: We collect what we need to coach you, protect your clients, and keep your brokerage compliant — and nothing we do not need.

We collect the following categories of information:

2.1 Account and identity data

  • Name, email address, phone number
  • Brokerage or company affiliation
  • License state, license number, and license type (where relevant to compliance overlays)
  • Role (agent, team lead, broker, admin, title officer, loan officer, etc.)
  • Billing contact information (handled by our payment processor; we do not store full card numbers)

2.2 Authentication data

  • OAuth tokens from connected services (Google Workspace, CRM platforms, calendar tools)
  • Password hashes (we never store plaintext passwords)
  • Multi-factor authentication settings and device fingerprints

2.3 Call, conversation, and coaching data

  • Audio recordings of calls placed or received through our Twilio-integrated telephony layer (with all applicable consent flows per state law)
  • Transcripts generated by Deepgram from those recordings
  • AI-generated coaching notes and compliance observations produced by Anthropic Claude models operating on those transcripts
  • Chat and conversation history between you and GiGi

2.4 CRM and workflow integration data

  • Contact records, deal stages, and activity history imported from connected CRMs (e.g., Follow Up Boss)
  • Email content and calendar events where you have granted explicit scope
  • Document uploads related to transactions (listing agreements, buyer broker agreements, disclosures, etc.)

2.5 End-client personal information

Through normal brokerage activity, our platform processes personal information about your end-clients — the buyers, sellers, borrowers, and other real estate consumers you serve. This includes names, contact information, property addresses, financial context shared during calls, and transaction details. Per our Privacy Ops Brief v0.1, Section 1.7, end-client PII is always redacted from any cross-account or team-visibility view by default. End-clients are not our direct users; you (the licensed professional) are the data controller for your client relationships, and we act as a data processor on your behalf.

2.6 Usage and device analytics

  • Pages visited, features used, session duration
  • Device type, browser, operating system, IP address
  • Error logs and performance telemetry
  • Audit-log entries (see Section 5 for retention)

2.7 What we do NOT collect

  • We do not buy supplemental consumer data from data brokers.
  • We do not track you across unrelated third-party websites.
  • We do not use session-replay tools that capture keystrokes or sensitive form fields.
  • We do not collect biometric identifiers.

3. How we use your information

Summary: We use your data to run the product, coach you better, and flag compliance risk. We improve the service only using anonymized, aggregated patterns — never your identifiable data and never for model training.

3.1 Core product functionality

  • Provide the coaching conversations, compliance advisories, and team-visibility features you signed up for
  • Route calls, generate transcripts, and produce coaching summaries
  • Sync with your connected CRM and calendar
  • Authenticate you and protect your account

3.2 Coaching analysis

  • Produce personalized coaching feedback based on your call patterns, conversion behavior, and stated goals
  • Within your paid account, your account owner and designated leads (team lead, brokerage admin, lo brokerage admin, title brokerage admin) can see your client work — pipeline, compliance flags, sentinel firings, scorecards. This is by design for legal oversight, risk management, and coaching. Across paid accounts, you are firewalled completely. GiGi staff (Anthropic + Giant Guidance employees) cannot see your data. No one can impersonate you. Demo and marketing surfaces use synthetic mock personas, never real data.

3.3 Hierarchy visibility detail

Summary: Visibility inside a paid account follows the org chart. Visibility across accounts and to GiGi staff is closed off entirely.

GigiGuides supports the role tree that paid accounts actually use to run their business. Visibility flows downward along this tree, never upward, never sideways across accounts, and never to GiGi staff.

Role tree (visibility flows downward, never upward or sideways):

account owner
└── brokerage_admin
    ├── team_lead
    ├── lo_brokerage_admin
    └── title_brokerage_admin
        ├── agent
        ├── mortgage_professional
        └── title_professional
            └── transaction_coordinator

  • Account owner and the three brokerage admin roles (brokerage_admin, lo_brokerage_admin, title_brokerage_admin) can see the client work of every user under them in the tree within the same paid account.
  • Team leads (team_lead) can see the client work of agents, mortgage professionals, and title professionals reporting to them, but not peers in other teams.
  • Agents, mortgage professionals, and title professionals see only their own client work and the work of transaction coordinators (TCs) assigned to them.
  • Transaction coordinators (transaction_coordinator) see only the transaction files they have been explicitly assigned to. TCs do not see other TCs' files and do not see the wider book.
  • Voice notes remain personal-scope only. Admins above you in the tree can see your client work — pipeline, compliance flags, sentinel firings, scorecards — but they cannot read or play your personal voice notes or voicemail dictations. Voice notes are user-owned and stay owner-only.
  • Cross-account visibility is a hard firewall. No user in account A can see any data in account B under any circumstance. This is enforced by row-level security in our database, not by UI gating.
  • GiGi staff (Anthropic + Giant Guidance employees) cannot see any user data. We do not have an impersonation tool, and we will not build one. If support needs to reproduce what you see, they use a synthetic mock account (see §7.1).

If your account's hierarchy is set up incorrectly — for example, a team lead is missing from a roster, or a TC has been assigned the wrong files — your account owner or brokerage admin can correct it in the brokerage settings. If you believe someone has been granted visibility they should not have, email privacy@gigiguides.ai.

3.4 Compliance monitoring (ADVISORY ONLY)

  • Scan conversations and artifacts against our 10-state compliance overlay (CO, CA, TX, FL, IN, VA, DC, MD, PA, DE at MVP-1; expanding to 50 states + 6 US territories by MVP-2)
  • Flag potential regulatory risks for broker review
  • These outputs are advisory only. The licensed broker or equivalent supervising professional is solely responsible for regulatory compliance. See our Terms of Service for the full disclaimer.

3.5 Service improvement (anonymized aggregation only)

  • We analyze anonymized, aggregated patterns to improve prompts, detection rules, and UX
  • We never use identifiable customer data for product improvement
  • We never train, fine-tune, or retool any model on your data. This is a hard architectural and contractual rule, enforced under our Vertical Expansion Rights Clause §3.2 ("No Forks, No Training, No Retooling")

3.6 Communication

  • Product updates, security alerts, and billing notices
  • Optional coaching digests and team reports (you control frequency)
  • We do not share your email with third-party marketers
  • Investigate abuse, fraud, security incidents, or violations of our Terms of Service
  • Respond to lawful legal process (see Section 4.2)

4. Sharing and disclosure

Summary: We share data only with vetted service providers who help us run the product, and only when legally required. We do not sell your data. Ever.

4.1 Service providers (sub-processors)

We rely on a short, deliberately chosen stack of sub-processors. Each one is bound by a data processing agreement that requires confidentiality, security controls, and data minimization.

| Sub-processor | Purpose | Data shared |
|---|---|---|
| Anthropic (Claude API) | Primary AI coaching and compliance analysis | Transcripts and conversation context (no model training permitted under our contract) |
| OpenAI | LLM fallback, voice text-to-speech, Whisper audio transcription | Prompt text, audio for transcription, generated audio responses (no model training permitted under our contract) |
| Voyage AI | Text embeddings for semantic search and retrieval | Document and query text submitted for embedding |
| Deepgram | Speech-to-text transcription | Audio recordings |
| Twilio | Telephony, SMS, call routing | Call metadata, audio streams |
| Supabase | Primary database and authentication | All application data, encrypted at rest, row-level security enforced |
| Stripe, Inc. | Subscription billing & payment processing | Billing name, email, payment token |
| Resend | Transactional email delivery | Email address, message content |
| Plaid | Banking and financial-account integration (when activated by user) | Linked-account metadata, transaction data the user authorizes |
| Functional Software, Inc. (Sentry) | Application error tracking & performance monitoring | Scrubbed error logs, request IDs, performance traces |
| Google LLC | OAuth sign-in, Gmail, Google Calendar, and Google Contacts integrations (where user grants scope) | OAuth tokens, email content, calendar events, and contact records the user authorizes |
| Microsoft Corporation | OAuth sign-in and Outlook (mail/calendar/contacts) integrations (where user grants scope) | OAuth tokens, email content, calendar events, and contact records the user authorizes |

This list may evolve as the product matures. Material additions will be disclosed per Section 10.

We disclose information to law enforcement, courts, regulators, or other third parties only when:

  • We receive a lawful, legally binding request (subpoena, court order, warrant, valid regulatory request)
  • We have a good-faith belief disclosure is required to prevent imminent harm or investigate fraud or abuse
  • You have given us explicit consent

Where legally permitted, we notify affected users before disclosure so you can object or seek a protective order.

4.3 Business transfers

If Giant Guidance Inc. is acquired, merged, or reorganized, your information may transfer to the successor entity. The successor is bound by this policy (or a policy no less protective) and we will notify users before the transfer takes effect.

4.4 We do not sell personal information

We do not sell personal information as defined under CCPA, CPRA, VCDPA, or any other applicable US privacy law. We do not share personal information for cross-context behavioral advertising.


5. Data retention

Summary: We keep what we need for as long as it is useful and legally required, then we delete or anonymize. Our full retention schedule is below.

Per our Privacy Ops Brief v0.1 retention tiers:

| Data type | Retention |
|---|---|
| Audit logs (hashed actors, no PII) | Indefinite |
| Anonymized aggregated patterns and analytics | Indefinite |
| Call transcripts containing PII | 10 years maximum, then auto-anonymized; raw PII-bearing transcript discarded |
| Account metadata | Full account lifecycle + 30-day soft-delete window + 5 years anonymized thereafter |
| Audio recordings | 3 years raw, then converted to anonymized transcript only; raw audio discarded |

Soft-delete grace period: When you delete your account, your data enters a 30-day soft-delete state. During that window you can recover the account in full. After 30 days, the deletion becomes irreversible for everything except (a) audit logs, which retain only hashed references, and (b) anonymized aggregate patterns, which by definition no longer identify you.

Legal holds: If we receive valid legal process requiring preservation, retention periods pause for the scope of the hold and resume when it is lifted.


6. Your rights

Summary: You can see your data, fix it, take it with you, and delete it. Rights vary by where you live; we apply the highest reasonable floor everywhere.

6.1 Rights available to all users

  • Access: Request a copy of personal information we hold about you
  • Correction: Ask us to fix inaccurate information
  • Deletion: Ask us to delete your account and associated data (subject to Section 5 retention rules and legal hold exceptions)
  • Portability: Receive your data in a structured, machine-readable format
  • Objection / restriction: Ask us to stop or limit certain processing
  • Withdraw consent: Where processing is based on consent, withdraw it at any time without penalty

6.2 California (CCPA / CPRA)

California residents have the rights above plus:

  • Right to know categories and specific pieces of personal information collected
  • Right to opt out of sale or sharing (we do not sell or share, so there is nothing to opt out of — but the right exists)
  • Right to limit use of sensitive personal information
  • Right to non-discrimination for exercising privacy rights

6.3 Virginia (VCDPA)

Virginia residents have access, correction, deletion, portability, and opt-out rights for targeted advertising, sale, and certain profiling. We do not conduct targeted advertising or sell personal data.

6.4 Maryland

We comply with the Maryland Personal Information Protection Act, including its breach notification requirements, and apply the Maryland Online Data Privacy Act data-minimization standards to Maryland residents.

6.5 Colorado, Connecticut, Texas, and other states

Where state law grants equivalent rights (CPA, CTDPA, TDPSA, and others), we extend those rights to residents of those states.

6.6 How to exercise your rights

Email privacy@gigiguides.ai with "Privacy Request" in the subject line. We respond within 45 days; complex requests may be extended by an additional 45 days with notice. We verify requests to protect your account. You may appeal any denial by replying to our response.


7. Security

Summary: We encrypt your data, enforce least-privilege access, audit everything, and notify you promptly if something goes wrong.

  • Encryption in transit: TLS 1.2+ for all client-server communication
  • Encryption at rest: Call recordings, transcripts, and sensitive records encrypted at rest in Supabase-managed storage
  • Row-level security (RLS): Database access enforced per-user and per-tenant via Supabase RLS policies
  • PII redaction: End-client PII is redacted by default from all cross-account and team-visibility views (Privacy Ops Brief §1.7)
  • Hierarchy visibility within an account; no GiGi staff access; no impersonation: Within your paid account, your account owner and designated leads (team lead, brokerage admin, lo brokerage admin, title brokerage admin) can see your client work — pipeline, compliance flags, sentinel firings, scorecards — per §3.3. Across paid accounts, you are firewalled completely. GiGi staff (Anthropic and Giant Guidance employees) cannot access any individual user's data, and we cannot impersonate any user.
  • Audit logs: Every sensitive action is logged with hashed actor identifiers, retained indefinitely (see Section 5)
  • Access controls: Role-based access control, principle of least privilege, MFA required for administrative access

7.1 Mock persona policy

All marketing demos, sales walkthroughs, and staff training use synthetic personas. Real user data never appears in any surface not owned by the user. We do not have, and will not build, the ability to log in as you or view your individual data; if support needs to see what you see, they use a mock account.

  • Breach notification: If a security incident affects your personal information, we notify affected users and applicable regulators within timeframes required by law (typically 72 hours for GDPR-like standards, state-specific timelines for US residents)

No system is perfectly secure. We commit to continuous improvement and honest disclosure.


8. International data transfers

Summary: At MVP-1, we operate entirely within the United States. If that changes, we will update this policy and implement appropriate safeguards.

At MVP-1 launch, GigiGuides.Ai operates US-only. Data is stored and processed within the United States. We do not currently offer the service to users outside the US.

If we expand internationally, we will implement appropriate transfer mechanisms (e.g., Standard Contractual Clauses, UK IDTA, adequacy decisions where available) and update this policy with at least 30 days' notice.


9. Children

Summary: GigiGuides is for licensed real estate professionals. It is not for children.

GigiGuides.Ai is a professional tool for licensed real estate agents, brokers, mortgage professionals, title professionals, and their support staff. All users must be at least 18 years old. We do not knowingly collect personal information from children under 13 (or under 16 where applicable state law sets that floor). If we learn that a minor has created an account, we will delete it promptly.

End-client data processed through the platform may incidentally include minors (e.g., a family member mentioned on a call). We do not intentionally process children's data and we apply the same PII redaction and retention rules to any incidental references.


10. Changes to this policy

Summary: When we change this policy, we tell you. Material changes come with advance notice.

We will update this policy as the product evolves, as laws change, or as we complete attorney review of this STARTER version.

  • Non-material changes (clarifications, typo fixes): updated "Last updated" date, no user notification required
  • Material changes (new data categories, new sub-processors, expanded uses): at least 30 days' advance notice by email and in-product banner, with the prior version available on request
  • Version history: maintained in the footer of this document

Continued use of the service after a material change takes effect constitutes acceptance. If you disagree with a change, you may delete your account per Section 6 before the effective date.


11. State-specific disclosures

Summary: A few states require extra disclosures. Here they are.

California (CCPA / CPRA "Notice at Collection")

Categories of personal information collected (past 12 months): identifiers; customer records; commercial information; internet/network activity; geolocation (coarse, IP-derived); audio/electronic information (call recordings); professional/employment information; inferences drawn from the above. Sources: directly from you; from your connected integrations (CRM, email, calendar, telephony); from device/usage telemetry. Purposes: listed in Section 3. Sale or sharing: None. We do not sell or share for cross-context behavioral advertising. Retention: per Section 5. Sensitive personal information: We process account credentials and call audio. We do not use sensitive PI for any purpose beyond providing the service and detecting fraud/security issues.

Virginia (VCDPA)

You have the right to access, correct, delete, port, and opt out of sale, targeted advertising, and certain profiling. We do not sell, conduct targeted advertising, or use profiling that produces legal or similarly significant effects. Appeal rights: described in Section 6.6.

Maryland

We comply with the Maryland Personal Information Protection Act and apply Maryland Online Data Privacy Act data-minimization standards to Maryland residents' personal information.

Colorado (CPA)

You have access, correction, deletion, portability, and opt-out rights (sale, targeted advertising, profiling). We extend the universal opt-out mechanism where technically feasible.

Texas (TDPSA)

Texas residents have the rights listed in Section 6.1 plus Texas-specific opt-out rights.

Other states

Where your state has granted privacy rights comparable to those above (CT, UT, IA, IN, TN, NH, NJ, MT, OR, DE, and others), we extend those rights to residents of your state.


12. Contact for privacy requests and complaints

Summary: One email address for everything privacy-related.

Privacy requests, data subject rights, questions, complaints: privacy@gigiguides.ai

Mailing address: Giant Guidance Inc., 6276 S Cook St, Centennial, CO 80121, United States

Regulatory complaints: You may also file a complaint with your state attorney general's office, the California Privacy Protection Agency, or another relevant regulator. We would prefer the chance to make it right first, but we respect your right to go directly to a regulator.


13. SMS Communications and A2P Compliance

Summary: GigiGuides sends optional SMS notifications via Twilio over a US 10DLC registered carrier. You explicitly opt in during onboarding, and you can opt out at any time. We never share your phone number with third-party marketers.

GigiGuides sends SMS notifications via Twilio (US 10DLC registered carrier).

Message types: lead-followup reminders, weekly coaching plan summaries, compliance deadline alerts, drill practice prompts, and account safety check-ins.

Frequency: typically 1-5 messages per week per active user. Frequency may vary.

Opt-in: users explicitly consent during the in-app onboarding by tapping a clearly-labeled button. Default state is OFF — users must affirmatively opt in. The exact in-app consent screen reads: "Get GigiGuides reminders and alerts via SMS? You will receive 1-5 messages per week including lead-followup reminders, compliance deadline alerts, weekly coaching summaries, and drill practice prompts. Standard messaging and data rates may apply. Reply STOP at any time to opt out, or HELP for support."

Opt-out: text STOP, END, CANCEL, QUIT, UNSUBSCRIBE, REVOKE, OPTOUT, or STOPALL to the GigiGuides number at any time. Opt-out is processed immediately. You can also toggle SMS off in Settings → Notifications.

Help: text HELP or INFO to receive support information. You can also email support at hello@gigiguides.ai.

Rates: Standard messaging and data rates may apply. Carrier rates are determined by your mobile carrier and are not controlled by GigiGuides.

Privacy of phone numbers: We do not sell or share your phone number with third parties for marketing purposes. Phone numbers are used solely for delivering the SMS notifications you opted into.


Version history

  • v0.1 — 2026-04-20 — STARTER — attorney review pending. Drafted in good faith to satisfy Google OAuth verification prerequisites and other partner integrations. Content reflects actual MVP-1 data practices as of April 2026. Binding final version (v1.0) will supersede this document following attorney review, targeted for post-May 10, 2026 Phase 2 budget gate.
  • 2026-05-13 — Sub-processor + retention corrections. Removed inaccurate "no OpenAI" statement; expanded sub-processor table to disclose OpenAI (LLM fallback, voice TTS, Whisper), Voyage (embeddings), Plaid (banking), Resend (transactional email replacing Microsoft 365), and Google + Microsoft OAuth/mail/calendar integrations; aligned soft-delete grace period to the 30-day window enforced in code (SOFT_DELETE_GRACE_DAYS).
  • 2026-05-27 — Hierarchy-visibility model. Replaced the "anonymized aggregates only / no admin access" stance in §3.2 with the hierarchy-visibility model: within a paid account, account owner and designated leads (team lead, brokerage admin, lo brokerage admin, title brokerage admin) see the client work of users beneath them in the org chart, by design for legal oversight, risk management, and coaching. Cross-account visibility remains a hard firewall. GiGi staff (Anthropic + Giant Guidance employees) remain blind to all user data, and impersonation remains forbidden. Added new §3.3 detailing the role tree, TC scoping, and personal-scope voice notes. Updated §7 security bullet accordingly. Renumbered prior §§3.3–3.6 to §§3.4–3.7.

GigiGuides.Ai is a product of Giant Guidance Inc. "GiGi" is a trademark of Giant Guidance Inc.