privacy policy

This Privacy Policy describes how Wymzy Industries LLC ("Wymzy," "we," "us," or "our") collects, uses, and protects your information when you use the Wymzy Suite. We are committed to protecting your privacy and being transparent about our data practices.

This policy covers the Wymzy Suite at app.wymzy.ai and all of its product modules: Foxfire, Bullfrog, Muscadine, Yellowjacket, Sassafras, Pawpaw, Junebug, Crawdad, Dragonfly, Nightjar, Cattail, Honeybee, and Mayhaw, as well as the wymzy.ai marketing website.

1. Information We Collect

Account Information

When you create a Wymzy account, we collect:

• Your name
• Your email address
• Your username (optional)
• A hashed version of your password (we never store passwords in plain text)
• An optional profile photo URL

Content You Create

Depending on which product modules you use, we store content you provide. By module:

• Foxfire — Google Business Profile data, reviews, responses, posts, business photos, and SMS campaign recipient lists
• Bullfrog — files you upload, galleries, file requests, and share links
• Muscadine — scheduled social media posts, connected account identifiers, post-performance metrics, plus email and SMS campaign content, recipient lists you upload, and delivery/open/click counts
• Yellowjacket — digital business card content (name, headline, bio, contact information, social links, portfolio items, custom domain settings, and anonymized visitor analytics such as view counts and referring URLs)
• Sassafras — receipt images, AI-extracted transaction details, and exported reports
• Pawpaw — invoice line items, client names and emails, invoice payment status, and identifiers for your connected Stripe Express account
• Junebug — event types, availability settings, blocked dates, booking details, guest names, and guest emails
• Crawdad — job records, schedule entries, completion status, notes, and photos tied to jobs you track
• Dragonfly — third-party contact data (names, emails, phone numbers, companies, titles, notes, tags) that you add to your CRM
• Nightjar — product catalog entries, stock levels, categories, and stock-adjustment history
• Cattail — loyalty program configuration, member names and emails, point balances, and transaction history
• Honeybee — messages fetched from connected email or SMS accounts, sender and recipient metadata, thread organization, and any replies you compose through the inbox
• Mayhaw — estimates and quotes you build, line items, customer signatures, view and acceptance history, and any deposits collected at signing

Usage Data

We collect basic, privacy-respecting usage data such as page-view counts, feature usage metrics, and error diagnostics. We do not use tracking pixels, fingerprinting, or third-party advertising trackers. We do not build advertising profiles.

Payment Information

Payments are processed by Stripe. We do not receive, process, or store your full credit card number, debit card number, or bank account details. Stripe may provide us with limited information such as the last four digits of your card for display purposes. Stripe's handling of your payment data is governed by its own Privacy Policy.

For Pawpaw, we use Stripe Connect (Express). When you receive a customer payment through a Pawpaw invoice, that payment is processed through your connected Stripe account, and the payment card data is held by Stripe — not by us.

2. Connected Third-Party Accounts

Some modules require you to connect an account with a third-party service. When you connect one of these accounts, you explicitly grant us permission to access it on your behalf using industry- standard OAuth flows. You can disconnect at any time from within the relevant module.

Google (Foxfire, Muscadine, Honeybee)

If you connect your Google account, we may request access to:

• Your Google Business Profile (to read reviews, publish posts, update business information)
• Your Gmail account (to read and send email messages through the unified inbox in Honeybee)

We store OAuth access tokens and refresh tokens so that we can continue to perform the actions you requested. We do not use Google user data for any purpose other than delivering the feature you connected. We do not transfer Google user data to third parties other than as necessary to provide the requested service, and we comply with the Google API Services User Data Policy, including the Limited Use requirements.

Microsoft (Honeybee)

If you connect your Microsoft Outlook account to Honeybee, we request read and send access to your mailbox via Microsoft Graph so we can present your messages in the unified inbox and send replies you compose.

Meta (Muscadine)

If you connect a Facebook or Instagram account to Muscadine, we request permission to publish posts you schedule and to read post-performance data.

Twilio (Honeybee, Foxfire SMS)

For SMS features, we use Twilio to send and receive messages on phone numbers you provision. Message content and delivery metadata are stored so that conversations remain available across sessions.

Revocation

You can disconnect any connected account at any time. We revoke our tokens immediately. Cached data already retrieved may persist in your account history until you delete it or your account.

3. How We Use Your Information

We use the information we collect to:

• Provide the Suite — create your account, store your content, authenticate you across modules, and deliver the features you use
• Process payments — manage subscriptions and bundle pricing through Stripe
• Communicate with you — send essential service-related emails such as billing confirmations, security notices, and product updates
• Improve our products — understand how our products are used so we can fix bugs, improve performance, and develop new features
• Protect the Suite — detect and prevent fraud, abuse, and violations of our Terms of Service

We do not use your information for advertising. We do not sell your personal information. Ever.

4. How We Share Your Information

We do not sell, rent, or trade your personal information to anyone. We share your information only with the following service providers, solely to operate our products:

We may also disclose your information if required by law, such as in response to a subpoena, court order, or other legal process, or if we believe disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

5. Cookies and Tracking Technologies

We use a small number of cookies and similar technologies to operate the Suite, keep you signed in, and — with your consent — understand how our products are used. We do not use advertising cookies, retargeting pixels, or any form of cross-site tracking.

Essential Cookies

These cookies are required for the Suite to function. They are set when you sign in and cannot be disabled without breaking core features.

• Session cookie — a signed authentication token scoped to .wymzy.ai that keeps you logged in across all product modules (single sign-on). Expires after 30 days, or sooner when you sign out.
• CSRF token — a short-lived cookie set by our authentication provider that protects sign-in and account-change requests from cross-site forgery attacks.
• Consent preference — a small value stored in your browser that remembers whether you have accepted or rejected analytics cookies, so we do not show the consent banner on every visit.

Analytics Cookies (Opt-In)

When you first use the Suite, we show a consent banner asking whether you would like to help us understand how our products are used. Analytics cookies are only set if you click "accept". If you reject or ignore the banner, no analytics cookies are set and no analytics script is loaded on your device.

• PostHog — product analytics that record which features you use, how often, and where errors occur. We configure PostHog with IP anonymization. You can change your choice at any time from the consent banner.
• Vercel Speed Insights — anonymous performance metrics (page load time, Core Web Vitals) collected by our hosting provider. These are device-level measurements that do not identify you.
• Sentry — error tracking that captures unhandled exceptions so we can fix bugs. Sentry uses session-level identifiers rather than persistent cookies, and is scoped to our application only.

Third-Party Cookies

Some cookies are set directly by third-party services when you use specific features. We do not control these cookies, but they are limited to the operation of the feature you are using:

• Stripe— sets cookies on its payment widgets and hosted billing pages to process payments securely and prevent fraud. Governed by Stripe's own Privacy Policy.
• Google, Microsoft, Meta— if you connect one of these accounts via OAuth (for Foxfire, Muscadine, or Honeybee), the provider may set its own authentication cookies during the sign-in flow. Governed by each provider's privacy policy.

Managing Cookies

You can control cookies in several ways:

• Accept or reject analytics cookies from the consent banner the first time you visit. You can change this choice at any time by clearing your site data and revisiting the Suite.
• Configure your browser to block or delete cookies. Blocking essential cookies will prevent you from signing in. Blocking analytics cookies has no effect on your ability to use the Suite.
• Use private browsing or incognito mode — cookies do not persist between sessions in that mode.

Do Not Track

Because we do not use cross-site advertising tracking, we do not respond to browser "Do Not Track" signals separately. Our analytics cookies are opt-in regardless of any DNT setting.

6. Publicly Shared Content

Some modules allow you to publish content publicly. When you publish, the content becomes accessible to anyone with the link or URL:

• Yellowjacket — digital business cards at public URLs or your connected custom domain
• Junebug — public booking pages where clients can schedule appointments without an account
• Pawpaw — public invoice payment pages sent to your clients
• Mayhaw — public estimate links your customers open to review and sign quotes
• Bullfrog — share links and file-request pages that you explicitly create and distribute
• Sassafras — shared receipt/report links that you explicitly generate

Only the information you choose to publish is made public. Your account email, password, and payment information are never publicly visible. You can unpublish any content at any time to remove it from public access.

7. Data Retention

We retain your account information and content for as long as your account is active. If you delete your account, we will permanently delete your personal data and content from our servers within 30 days, with the following exceptions:

• We retain a minimal financial record of past transactions (amount, date, invoice number) for as long as required by tax and accounting law.
• We retain anonymized, aggregated usage data that cannot be used to identify you.
• Data published to third-party services via Connected Accounts (such as a social post published to Facebook via Muscadine) lives on that third-party platform and is governed by their retention policies. You must remove it there directly.

8. Data Security

We take reasonable technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• All data in transit is encrypted using TLS/HTTPS
• Database connections are encrypted and access is restricted to the production application
• Passwords are hashed using bcrypt — we never store plain-text passwords
• Payment processing is handled by PCI-compliant providers (Stripe)
• Authentication tokens are signed and expire automatically
• OAuth tokens for Connected Accounts are stored encrypted and are revocable at any time

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security.

9. Your Rights

Depending on your jurisdiction, you may have certain rights regarding your personal information, including:

• Access — request a copy of the personal data we hold about you
• Correction — update or correct inaccurate information (you can do this directly in most modules)
• Deletion — request that we delete your account and all associated data (available from your account settings)
• Data portability — request your data in a machine-readable format
• Do Not Sell — we do not sell personal information, so there is nothing to opt out of, but California residents under the CCPA have the right to make this request and receive confirmation

To exercise any of these rights, contact us at info@wymzy.ai. We will respond to requests within 30 days.

10. Children's Privacy

The Wymzy Suite is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will take steps to delete that information promptly.

If you are a parent or guardian and believe your child under 13 has provided us with personal information, please contact us at info@wymzy.ai.

11. Third-Party Links

Our products may contain links to third-party websites and services that are not operated by us. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services. We encourage you to review the privacy policies of any third-party site you visit.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a prominent notice in the Suite. The "Effective Date" at the top of this page indicates when the policy was last revised.

Your continued use of any Wymzy product after any changes take effect constitutes your acceptance of the revised Privacy Policy.

13. Contact Us

If you have any questions about this Privacy Policy or our data practices, contact us at: