Skip to main content

Privacy Policy

Effective Date: July 5, 2026  ·  Last Updated: July 5, 2026

The short version: MJR Collective AI is the AI growth system for local businesses — websites, Google, Meta ads, and a 24/7 AI receptionist under one month-to-month plan. We collect only what we need to run your account and your marketing. We never sell your data. Traffic is encrypted, passwords are hashed, and tracking is minimal — no ad pixels unless a page explicitly has one turned on. Want your data accessed, corrected, or deleted? One email: support@mjrcollectiveai.com.

Jump to section

Who We Are

MJR Collective AI ("we," "us," or "our") is a technology company based in Virginia, United States. We provide a modular AI growth system for local businesses:

We also continue to support a small number of existing clients with legacy legal-industry tools (see Section 12). Our platform is available at mjrcollectiveai.com. Questions or concerns? Email us at support@mjrcollectiveai.com.

What We Collect & What We Don't

We collect only what is necessary to provide and improve our services. Here is a clear breakdown:

What We Collect

  • Your name, business name, city, email address, and phone number (for example, when you request a free audit or book a call)
  • Your website address and public business listings, which we review as part of the free audit
  • Call recordings and transcripts from the AI receptionist, when your business uses that module
  • Lead details captured on those calls: caller name, phone number, reason for calling, and appointment preferences
  • Login credentials (email + hashed password — never plain text)
  • Payment method details (processed entirely by Stripe — we never see your card number)
  • Usage analytics: pages visited, features used, and aggregate performance data
  • Basic security logs (login IP address and timestamp)

What We Do NOT Collect

  • Social Security Numbers or government IDs
  • Bank account numbers or financial credentials
  • GPS or precise device location
  • Biometric data
  • Your contact lists or social media logins
  • Data belonging to children under 18
  • Any data sold to third parties or data brokers

Personal information you provide must be true, complete, and accurate. Please notify us of any changes.

Third-Party Processors We Use

We partner with the following trusted service providers. Each receives only the minimum data necessary to perform its function.

Hosting
Vercel
Hosts our websites and backend API. All traffic is encrypted via HTTPS/TLS. Vercel may log IP addresses and request metadata for security.
vercel.com/privacy →
Database
Supabase (PostgreSQL)
Stores lead, appointment, account, and CRM data. Data is encrypted at rest and in transit, hosted on infrastructure in the United States.
supabase.com/privacy →
Payments
Stripe
Processes all subscription payments. We never see or store your credit card number. Stripe is PCI-DSS Level 1 certified — the highest standard in payment security.
stripe.com/privacy →
Email
Google / Gmail
Delivers transactional email: free audit results, lead alerts, appointment confirmations, and password resets. We do not send marketing email without your consent.
google.com/privacy →
Ads & Social
Meta Platforms
Used when clients activate the Meta Ads Engine or connect Instagram. Ad campaigns run inside the client's own Meta ad account. An optional Meta Pixel may run on marketing pages only when explicitly enabled.
facebook.com/privacy →
Voice AI
ElevenLabs
Powers the AI receptionist. Handles inbound call audio and transcription. Call recordings and transcripts are stored per ElevenLabs' data retention settings.
elevenlabs.io/privacy →
AI Processing
Groq
Provides fast AI language processing for features like audit generation and receptionist logic. Receives text only — never payment or credential data.
groq.com/privacy →
AI Processing
Microsoft Azure OpenAI
Provides AI text processing for document generation, including legacy document features. Receives text only — no files are uploaded to Azure.
azure.microsoft.com/privacy →

How We Use Your Data

We use collected information solely for the following purposes:

🔍 Free Audits — Review your Google presence, website, and call handling, and email you a plain-English breakdown of what we found.
📋 Lead Capture & CRM — Save lead information, schedule appointments, and manage records inside your business's dashboard.
📞 AI Receptionist — Answer, transcribe, and log calls to your business number so no customer slips through.
📣 Marketing Modules — Run and optimize ad campaigns, SEO, and outreach on your behalf, when you activate those modules.
✉️ Notifications — Send audit results, lead alerts, appointment confirmations, and system notifications to your registered email address.
💳 Billing — Process subscription payments via Stripe and manage your account status.
🔒 Security — Detect and prevent unauthorized access, brute-force login attempts, and suspicious account activity.
📈 Platform Improvement — Analyze aggregate usage patterns (non-personally identifiable) to improve service quality.

We do not use your data to train AI models, sell to advertisers, or share with any party not listed in this policy.

Cookies & Tracking Technologies

We keep tracking minimal:

Authentication Token — When you log in to the dashboard, a JSON Web Token (JWT) is stored in your browser's localStorage. This keeps you logged in during your session. It is not a tracking cookie and is not accessible to third-party scripts.

Accessibility Preferences — If you use the accessibility widget on our website, your preferences (text size, contrast mode, etc.) are saved to localStorage to persist across visits.

Meta Pixel (optional, off by default) — Some of our marketing pages include an optional Meta Pixel that is only active when explicitly enabled. When active, it measures ad performance (page views and form submissions) and may set cookies governed by Meta's privacy policy. When it is not enabled, no pixel loads and no data is sent to Meta.

Beyond that, we do not use advertising cookies, Google Analytics, cross-site tracking, or any third-party behavioral analytics.

When & With Whom We Share Data

We do not sell, rent, or trade your personal information — ever. We share data only in these limited situations:

Service Providers: We share data with the processors listed in Section 3 above, solely to operate the platform. Each provider receives only what it needs to do its job.

Your Own Ad Accounts: If you activate the Meta Ads Engine, campaigns run inside your own Meta ad account — so campaign data lives in an account you own and control.

Legal Requirements: We may disclose data if required by law, court order, or government authority, or to protect the rights, property, or safety of MJR Collective AI, our clients, or the public.

Business Transfers: If MJR Collective AI is acquired or merges with another company, your data may be transferred as part of that transaction. We will notify you via email before your data becomes subject to a different privacy policy.

With Your Consent: We may share data for any other purpose with your explicit prior consent.

Data Retention

We retain data for as long as your account is active or as needed to provide services:

Audit requests & leads — Retained while we work with you, and deleted on request.

Lead & appointment records — Retained for the life of your business's account. You may delete individual records at any time from the dashboard.

Call recordings & transcripts — Summaries are stored in our database. Raw audio and full transcripts are governed by ElevenLabs' retention policy (configurable in the voice platform settings).

Account & billing data — Retained until account deletion is requested, plus any legally required retention period (e.g., tax records: 7 years).

Security logs — Failed login attempts and IP logs are retained for 90 days for fraud prevention.

To request deletion of your data, email support@mjrcollectiveai.com with the subject line "Data Deletion Request."

Security Measures

We have implemented multiple layers of technical and organizational security controls:

🔒 Encryption in Transit
All data in transit is encrypted via HTTPS/TLS. HSTS headers are enforced on all endpoints.
🔐 Hashed Passwords
All passwords are hashed with bcrypt. Plain-text passwords are never stored or logged.
🗝️ Access Controls
Data access is restricted to authenticated, authorized users. Each business's data is isolated from every other business's.
🛡️ Account Lockout
Accounts lock automatically after repeated failed login attempts to prevent brute-force attacks.
🚦 Rate Limiting
All API endpoints are rate-limited to prevent abuse, scraping, and automated attacks.
🎫 JWT Sessions
Authenticated sessions use signed JWTs with automatic expiration. Tokens are never transmitted in URLs.
🌐 CORS Allowlist
Our API only accepts cross-origin requests from approved domains (mjrcollectiveai.com).
🔍 Suspicious Activity Logs
Unusual login patterns and high-frequency requests are flagged and logged for review.

While we implement industry-standard security practices, no system is 100% secure. If you discover a potential security vulnerability, please report it responsibly to support@mjrcollectiveai.com.

Your Privacy Rights

Depending on where you are located, you may have the following rights regarding your personal information:

Access
Request a copy of the personal data we hold about you.
Correction
Request that we correct inaccurate or incomplete data.
Deletion
Request deletion of your account and associated personal data.
Portability
Request your data in a structured, machine-readable format.
Restriction
Request that we restrict processing of your data in certain circumstances.
Opt-Out
Opt out of non-essential communications at any time via the unsubscribe link or by emailing us.

How to exercise your rights: Email support@mjrcollectiveai.com with the subject line "Privacy Request." We will acknowledge your request within 5 business days and respond within 30 calendar days.

Virginia residents (VCDPA): As a Virginia-based company, we comply with the Virginia Consumer Data Protection Act. You have the right to access, correct, delete, and obtain a copy of your personal data, and to appeal a decision we make about your request. Contact us to exercise these rights.

EEA, UK & Swiss residents (GDPR): If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the rights above under the GDPR, plus the right to lodge a complaint with your local data protection authority. Our legal bases for processing are contract performance, legitimate interest, and consent.

Children's Privacy

Our platform is designed for professional use by businesses and is not directed to anyone under 18 years of age. We do not knowingly collect, solicit, or market to children under 18.

If we learn that we have inadvertently collected personal information from a child under 18, we will promptly delete that information and deactivate any associated account. If you believe we may have collected data from a minor, please contact us immediately at support@mjrcollectiveai.com.

Data Breach Notification

If we confirm a data breach that affects your personal information, we will notify affected users by email within 72 hours of confirming the breach. The notice will describe what happened, what data was involved, what we are doing about it, and what you can do to protect yourself.

Where required, we will also notify the appropriate regulators and authorities within the timelines set by applicable law.

Legacy Legal-Industry Services

We continue to deliver a small set of legacy tools to existing clients in the legal industry: AI intake, demand letter drafting, and AI medical record summaries.

Medical record summaries are processed only at the client's direction, for the client's own files, using text the client submits. MJR Collective AI is a general-purpose technology provider — we are not a healthcare provider, health plan, or healthcare clearinghouse, and the AI summarizer is not a HIPAA-covered service. We do not offer or sign Business Associate Agreements (BAAs). Clients are solely responsible for confirming that their use of these tools complies with their own legal, professional, and regulatory obligations before submitting any document.

We do not store original medical record documents — only the AI-generated summaries a client chooses to save to their account.

International Data Transfers

MJR Collective AI is based in Virginia, USA. Our primary database is hosted on infrastructure in the United States. If you access our services from outside the United States, your data will be transferred to and processed in the United States.

If you are located in the EEA, United Kingdom, or Switzerland, please note that the United States may not have data protection laws equivalent to those in your country. We take all reasonable measures to protect your personal information in accordance with this Privacy Policy and applicable law.

By using our services, you consent to the transfer of your information to the United States under the terms described in this policy.

Updates to This Policy

We may update this Privacy Policy periodically to reflect changes in our services, legal requirements, or best practices. The "Last Updated" date at the top of this page will always reflect the most recent revision.

For material changes — changes that significantly affect your rights or how we use your data — we will notify active users by email at least 14 days before the change takes effect. Continued use of our services after that date constitutes your acceptance of the revised policy.

We encourage you to review this policy periodically to stay informed.

Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

MJR Collective AI

📧 Email: support@mjrcollectiveai.com

📞 Phone: (571) 356-3125

🌐 Website: mjrcollectiveai.com

📍 State of Incorporation: Virginia, United States

For privacy-specific requests, use the subject line "Privacy Request" in your email. We respond within 30 days.