Privacy Policy

Nephew — Fleek Labs, Inc.
Last Updated: March 30, 2026


What This Policy Covers

This privacy policy explains how Nephew, operated by Fleek Labs, Inc. (“we,” “us,” “our”), collects, uses, stores, and protects information when you use our AI-powered marketing platform (“the Service”). This policy applies to business owners who subscribe to Nephew (“Subscribers”) and to customers of those businesses whose information may be processed through our platform (“End Users”).


Information We Collect

From Subscribers (Business Owners)

Account information. Name, email address, phone number, business name, business address, business type, and payment information. Collected during signup and onboarding.

Business data. Website content, Google Business Profile data, social media profiles, review data, advertising account data, keyword rankings, analytics data, and other marketing performance metrics. Collected through automated audits, API connections (via OAuth), and ongoing monitoring as part of the Service.

Communication data. Messages exchanged between you and Nephew through our chat interface, SMS, email, Slack, or other communication channels you connect. Call recordings and transcripts of business phone calls routed through our platform, subject to applicable consent requirements.

Platform credentials. OAuth tokens for connected platforms (Google Ads, Google Search Console, Meta, social media accounts). We never store raw passwords. All credentials are encrypted and stored in a separate security vault.

Content you create or approve. Blog posts, social media content, email campaigns, ad creatives, website copy, and other marketing materials generated through the Service.

From End Users (Your Customers)

Contact information. Names, phone numbers, and email addresses that End Users provide through Subscriber websites, contact forms, booking systems, phone calls, or in-person interactions with the Subscriber's business.

Interaction data. Call recordings and transcripts (when call recording is enabled and proper consent is obtained), chat conversations with business chat widgets, form submissions, booking requests, and review content.

Technical data. IP addresses, browser type, device information, and pages visited on Subscriber websites hosted by our platform. Collected through standard web analytics.

We do NOT collect sensitive personal information such as Social Security numbers, financial account numbers, health information, or government-issued identification from End Users.


How We Use Information

To Deliver the Service

We use Subscriber and End User information to provide our AI-powered marketing services, including: generating and optimizing website content, managing advertising campaigns, responding to reviews, sending appointment confirmations and follow-up messages, analyzing business performance, transcribing and analyzing business phone calls, generating marketing recommendations, and providing business intelligence insights.

To Improve the Service

We use anonymized, aggregated data across all Subscribers to improve our AI models and marketing strategies. This means patterns like “plumbing businesses in suburban markets see higher engagement from Tuesday morning posts” may be derived from aggregate data. No individual business or End User is identifiable in this aggregated data.

To Communicate With Subscribers

We send Subscribers service-related communications including weekly performance reports, approval requests, system notifications, and business intelligence insights through their preferred communication channel.

To Send Messages on Behalf of Subscribers

We send SMS messages, emails, and other communications to End Users on behalf of Subscribers. These messages include appointment confirmations, review requests, lead follow-ups, service reminders, and other business communications. All such messages are sent under the Subscriber's business name, not under the Nephew brand.


How We Protect Information

All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.3. API credentials and OAuth tokens are stored in a separate encrypted vault with additional access controls. Database access requires role-based authentication. We use Supabase (hosted PostgreSQL) with row-level security policies that ensure each Subscriber's data is isolated from every other Subscriber's data. We do not store raw passwords for any connected platform. All platform access uses OAuth tokens which can be revoked at any time.


Data Ownership

Subscribers own their data. All content generated by the Service (website copy, blog posts, social media content, email campaigns, ad creatives, marketing materials), all customer data (contact information, interaction history, booking records), and all performance data (analytics, rankings, ad performance) belong to the Subscriber.

Export anytime. Subscribers can request a full export of all their data at any time by asking Nephew in chat or contacting support. We will provide a complete data export in machine-readable format (JSON/CSV) within 24 hours.

Deletion on cancellation. When a Subscriber cancels:


Information Sharing

We never sell data. We do not sell, rent, or trade any Subscriber or End User information to third parties. Not to data brokers, not to advertising networks, not to analytics companies. Never.

Service providers. We share information with third-party service providers that help us deliver the Service, including: cloud hosting (Supabase, Vercel, Cloudflare), payment processing (Stripe), communication (Twilio for SMS and voice), email delivery (Resend), advertising platforms (Google Ads, Meta — only for managing Subscriber ad campaigns), social media platforms (via Ayrshare — only for publishing Subscriber content), and AI model providers (Anthropic, OpenRouter — for generating content and analysis). These providers process data only as needed to provide their services and are bound by their own privacy obligations.

No cross-Subscriber sharing. One Subscriber's business data, customer data, or performance data is never shared with or visible to any other Subscriber. Cross-Subscriber insights are derived only from anonymized, aggregated patterns.

Legal requirements. We may disclose information if required by law, regulation, legal process, or governmental request.


Call Recording and Transcription

Our platform may record and transcribe business phone calls routed through our system to provide call intelligence, lead capture, and business insights. Call recording is subject to applicable federal and state consent laws. Subscribers are responsible for ensuring proper consent is obtained from all call participants as required by the laws of their jurisdiction. We provide configurable consent options during onboarding, including automated consent announcements. Subscribers can disable call recording at any time. Call recordings are stored encrypted and are accessible only to the Subscriber and our system for service delivery purposes.


SMS and Text Messages

We send SMS messages to End Users on behalf of Subscribers. All SMS messaging complies with the Telephone Consumer Protection Act (TCPA) and A2P 10DLC regulations. End Users can opt out of text messages at any time by replying STOP to any message. We honor all opt-out requests immediately and permanently. Message frequency varies based on the Subscriber's service configuration. Standard message and data rates may apply. We maintain records of consent for all SMS recipients.


Cookies and Tracking

Subscriber websites hosted on our platform use standard web analytics (PostHog) to track visitor behavior for the purpose of marketing optimization. This includes page views, session duration, traffic sources, and conversion events. We do not use third-party advertising cookies or cross-site tracking on Subscriber websites unless the Subscriber has specifically connected advertising platforms (Google Ads, Meta) that use their own tracking pixels for campaign optimization. Subscribers can configure their website's cookie and tracking behavior through Nephew.


Your Rights

For Subscribers (Business Owners)

You can access, export, correct, or delete your data at any time by asking Nephew in chat or contacting support. You can revoke any connected platform access at any time. You can cancel your subscription at any time with no data held hostage.

For End Users (Customers of Our Subscribers)

If you are a customer of a business that uses Nephew, your personal information is controlled by that business. To exercise your privacy rights (access, deletion, correction), please contact the business directly. We will assist the business in fulfilling your request.

California Residents (CCPA)

Nephew acts as a “service provider” under the CCPA, processing personal information on behalf of Subscribers. California residents who are End Users of Subscriber businesses may exercise their rights under the CCPA by contacting the Subscriber directly. Subscribers may contact us to facilitate any CCPA requests related to End User data.

European Residents (GDPR)

Nephew acts as a “data processor” under the GDPR. Subscribers are the “data controllers.” We provide a Data Processing Agreement (DPA) to Subscribers on request. Our servers are located in the United States. For EU data transfers, we rely on Standard Contractual Clauses (SCCs). End Users in the EU should contact the Subscriber business to exercise their GDPR rights.


Children's Privacy

Our Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 16, we will take steps to delete that information.


Data Retention

Data Type: Retention Period
Subscriber account information: Duration of subscription + 90 days
End User contact information: Duration of subscription + 90 days, then deleted
Marketing content (posts, ads, website): Duration of subscription, exported on cancel
Call recordings: 90 days, unless Subscriber configures longer retention
Chat conversation history: Duration of subscription + 30 days
Analytics and performance data: Duration of subscription + 90 days
Anonymized aggregate data: Indefinite (no PII, no business-identifiable info)
OAuth tokens and API credentials: Revoked immediately on disconnect or cancel

Changes to This Policy

We may update this privacy policy from time to time. We will notify Subscribers of material changes through the Service (via chat message or email) at least 30 days before the changes take effect. The “Last Updated” date at the top of this policy indicates when it was last revised.


Contact Us

If you have questions about this privacy policy or our data practices, contact us at:

Fleek Labs, Inc.
Email: hey@getnephew.com