Privacy Policy
Last updated: May 8, 2026
PastClient is currently in private beta.
This policy describes our current practices for design partners and early customers. It will be revised before general availability. If anything here materially changes, we will notify active accounts directly by email and post the new effective date at the top of this page.
What we collect
We only collect what we need to run the service for you and your past clients.
- Agent account information. Name, email, phone, brokerage, license details, billing information, and authentication metadata for the operator of the account.
- Past-client data uploaded by the agent. Contact records, closed-transaction history, addresses, and any notes or tags the agent imports from their CRM or via CSV.
- Message-content metadata. Send logs, delivery receipts, opens, clicks, replies, opt-outs, and call outcomes across SMS, email, and AI voice. We retain message content where required to evidence consent and compliance.
- Product telemetry. Aggregated usage events (page views, feature engagement) tied to your agent account so we can debug and improve the product.
What we do with it
- Operate the service: authenticate you, store your data, render your dashboards, and deliver outreach you author.
- Draft AI messages for your review using Anthropic Claude (via OpenRouter). Drafts are generated from the agent's own contact context; the agent approves before send.
- Enrich past-client records with property, tenure, and life-event signals via RentCast, BatchData, and People Data Labs, and validate phone numbers via Twilio Lookup.
- Maintain audit trails for TCPA, A2P 10DLC, CAN-SPAM, and state-level recording-disclosure compliance.
- Communicate with you about your account, billing, product updates, and security.
What we don't do
- We do not sell your data, your past-client data, or any data derived from them.
- We do not use agent-uploaded contact data to train AI models — ours, our vendors', or anyone else's.
- We do not share your past-client list with other agents, brokerages, or third parties for marketing.
- We do not run advertising trackers on the authenticated product.
Sub-processors
PastClient relies on the following providers to deliver the service. Each receives only the data needed for its function and is bound by a data-processing agreement.
- Supabase — authentication and primary database.
- Vercel — application hosting and edge delivery.
- Postmark — transactional email delivery.
- Telnyx — SMS and voice telephony infrastructure (per-agent A2P 10DLC).
- Retell — AI voice agent runtime.
- Anthropic Claude (via OpenRouter) — AI message drafting and classification.
- RentCast, BatchData, People Data Labs — past-client enrichment (property, tenure, life-event signals).
- Twilio Lookup — phone-number validity and line-type checks.
We'll publish a versioned sub-processor list with an opt-in change-notification feed before general availability.
Data retention
Past-client records are retained for as long as your account is active. You can delete individual contacts or your entire workspace at any time from Settings, and we honor verified deletion requests within 30 days.
Outreach send logs (timestamps, recipient, channel, opt-out status, consent evidence) are retained for seven years after the message is sent. Federal TCPA actions carry a four-year limitations window and many state-level analogs reach further; the seven-year window protects both you and us if a past client later disputes a contact.
Past-client rights
Past clients of an agent using PastClient can request access, correction, or deletion of records held about them by contacting the agent directly or our privacy team.
STOP, UNSUBSCRIBE, QUIT, CANCEL, END, and OPT OUT keywords on SMS — and the unsubscribe link on email — immediately suppress that channel. Per the FCC's April 2025 opt-out rule, opt-outs propagate across SMS, email, and voice within 10 business days, and we treat any revocation of consent as applying to all channels for that contact.
AI voice and prior express written consent
AI voice calls are sent only to past clients for whom the agent has captured prior express written consent (PEWC) for AI and prerecorded calls. Established Business Relationship (EBR) does not satisfy TCPA's PEWC requirement for AI voice to mobile numbers, and we do not let accounts work around this.
At intake, agents capture a PEWC checkbox per contact with timestamp, IP/source, and the disclosure shown. That record is retained alongside the outreach log for the full retention window above.
Recording disclosure
Voice calls are disclosed as AI nationwide (CA AB 2905). In all-party-consent states — including California, Florida, Washington, Oregon, and Massachusetts — calls are recorded only after an audible disclosure and the recipient's affirmative consent on the call. In single-party-consent states, the agent's consent is captured at account configuration.
Security
Data is encrypted in transit (TLS 1.2+) and at rest. Access to production systems is restricted to a small founder/engineering group, gated by SSO and audited. We'll publish a SOC 2 readiness summary before general availability.
Contact
Privacy questions, deletion requests, or sub-processor inquiries: privacy@pastclient.ai.
While we're in private beta, the founder team responds to every privacy message directly — usually same-day.