Privacy Policy
Last updated: 12 May 2026
This Privacy Policy describes how Sutherland Commerce Group LLC ("Costello", "we", "us", or "our") collects, uses, and shares information when you use the Costello platform, website, or any related services (collectively, the "Service").
1. Who we are
The Service is operated by Sutherland Commerce Group LLC, a Wyoming, USA limited liability company trading as "Costello". You can reach us at support@costellohq.com.
2. Information we collect
We collect only the information needed to provide and operate the Service:
- Account information — your email address, business name, password (stored hashed via Supabase Auth), and billing details (processed by Stripe; we do not store full card numbers).
- Business knowledge base — content you upload or enter to train the AI receptionist: services, prices, FAQs, policies, booking URLs, personality preferences, and any documents you choose to attach.
- Conversation data — messages exchanged between end users and your AI receptionist on the messaging channels you connect (Instagram, Facebook Messenger, WhatsApp). We store these to enable conversation continuity, billing accuracy, and (where you opt in) analytics.
- Messaging-channel access tokens — encrypted Meta long-lived access tokens you grant us via OAuth. Stored encrypted at rest and used solely to send and receive messages on your behalf.
- Usage telemetry — message counts, model invocations, latency metrics. Used for billing, capacity planning, and abuse detection.
- Standard web logs — IP address, browser user agent, timestamps. Retained for security investigation for up to 90 days.
3. How we use information
We use the information described above to:
- Provide, operate, and maintain the Service;
- Bill you accurately and process payments;
- Communicate with you about your account, security, and product updates;
- Detect and prevent abuse, fraud, and Acceptable Use Policy violations;
- Improve the Service, including through aggregated and de-identified analysis;
- Comply with legal obligations.
We do not sell your personal information. We do not use the content of your conversations or your customers' messages for training third-party AI models.
4. Who we share information with
We share information only with the service providers we need to operate the Service:
- Meta Platforms, Inc. — to send and receive messages on Instagram, Messenger, and WhatsApp on your behalf;
- Anthropic, OpenAI, Google — for the AI model inference that powers your AI receptionist's replies and classifications;
- Supabase — for database hosting and authentication;
- Vercel, Railway — for application hosting;
- Stripe — for payment processing;
- Resend — for transactional email delivery;
- Law enforcement or regulators — only where required by valid legal process.
Each of these providers operates under its own privacy policies and appropriate data-processing agreements. We do not share your information for their independent marketing or model-training purposes.
5. International transfers
The Service operates from the United States and Singapore. By using the Service, you consent to the transfer and processing of your information in these jurisdictions. Where required, we rely on the European Commission's Standard Contractual Clauses or equivalent safeguards for international data transfers.
6. Retention
We retain your account information and business knowledge base for as long as your account is active. Conversation data is retained for the lifetime of your account plus 90 days after account closure to allow re-activation. After that retention period, we delete or anonymise the data unless we are required to retain it for legal compliance (e.g. tax records, fraud investigation).
7. Your rights
Subject to applicable law, you have the right to:
- Access the personal information we hold about you;
- Correct inaccurate information;
- Request deletion of your account and associated data;
- Export a copy of your business knowledge base in a portable format;
- Object to or restrict certain processing;
- Lodge a complaint with a supervisory authority.
To exercise any of these rights, email support@costellohq.com. We will respond within 30 days. We may need to verify your identity before acting on your request.
8. Security
We implement reasonable technical and organisational measures designed to protect your information, including encryption in transit (TLS) and at rest, envelope-encrypted access tokens, role-based access controls, and audit logging. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential.
9. Children
The Service is intended for use by business operators aged 18 and over. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, please contact us at support@costellohq.com so we can delete it.
10. Cookies and tracking
We use strictly necessary cookies for authentication and session management. We do not use third-party advertising or behavioural-tracking cookies on the authenticated platform. The marketing site may use privacy-preserving analytics (e.g. Vercel Web Analytics), which does not place tracking cookies.
11. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page and, where the change is material, notify you by email. Your continued use of the Service after a change constitutes acceptance of the updated policy.
12. Contact
Privacy questions, requests, or concerns: support@costellohq.com.