Hobb Privacy Policy

Last updated / Effective date: July 11, 2026

Draft for counsel review. This document was prepared to satisfy the F1 legal-page requirement (public Privacy Policy live on hobb.ai, gating Google restricted-scope verification and Meta/WhatsApp onboarding). It is a thorough, compliance-mapped starting point — not legal advice. Have Delaware/California privacy counsel review it before publishing, and complete every [BRACKETED] placeholder. See README.md in this folder for the remaining legal work and the Google/Meta submission checklist.

This Privacy Policy explains how Redo AI, Inc. ("Redo AI," "we," "us," or "our"), operator of the Hobb application and the website at hobb.ai (together, the "Service"), collects, uses, stores, shares, and protects information. It also describes the privacy rights available to you and how to exercise them.

Hobb is a customer-relationship management (CRM) tool for real-estate professionals. It connects to your email, provisions phone numbers, helps you make and receive calls and messages, optionally records and transcribes calls, and uses artificial intelligence to turn your conversations into organized contacts and follow-up tasks.

If you do not agree with this Policy, do not use the Service.


1. Who we are and how to contact us

The data controller / business responsible for your information is:

Redo AI, Inc. [Redo AI, Inc. registered mailing address — TO CONFIRM] Privacy inquiries and data-rights requests: privacy@joinredo.com Legal notices: legal@joinredo.com

For most purposes under this Policy, Redo AI is the "business" (CCPA/CPRA) or "controller" of your account, billing, and usage data. For the third-party personal information you load into or route through Hobb — for example, information about your contacts, leads, and clients — Redo AI generally acts as a "service provider" / "processor" that processes that information on your behalf and under your instructions (see Section 9).


2. Summary (the short version)

  • We collect the information you give us (account, billing), information from the accounts you connect (email, calendar, phone/messaging), and information generated as you use Hobb (calls, messages, transcripts, tasks, contacts, logs).
  • We use it to run the Service: sync and read your email, capture and organize your communications, extract tasks and contacts, place and receive calls and messages, transcribe recorded calls, bill you, and keep the Service secure.
  • We do not sell your personal information, and we do not use your data for advertising.
  • Google user data obtained through Gmail is handled under Google's Limited Use requirements, and is never used to train generalized/non-personalized AI models (see Section 6).
  • We use a small set of trusted sub-processors (Section 8) and require them to protect your data.
  • You have rights over your data — including access, deletion, and correction — described in Section 12.

3. Information we collect

a. Information you provide directly.

  • Account data: name, email address, business/brokerage name, and authentication identifiers when you sign up or sign in.
  • Billing data: subscription tier, credit-ledger balance, and payment records. Card details are collected and processed directly by our payment processor, Stripe — Redo AI does not store full card numbers.
  • Support and communications: messages you send us, and the contents of support requests.
  • Provisioning/KYC data: for phone-number features, the legal/business name and business address required to provision a number and (where applicable) register an emergency-calling address.

b. Information from accounts and channels you connect. When you connect a mailbox or channel, we access data through that provider's API, subject to the permissions (scopes) you grant:

  • Email (Gmail / Google Workspace): message metadata and content, drafts, and labels, via Google APIs. See Section 6 for the specific Google scopes, uses, and Limited Use commitments.
  • Email (Microsoft Outlook / Microsoft 365): message metadata and content via the Microsoft Graph API, subject to the permissions you grant.
  • Calendar (optional): calendar event data, if you enable calendar features.
  • Voice, SMS, and WhatsApp: call and message metadata and content sent or received through a Hobb-provisioned phone number, processed through our telephony provider (Telnyx). This includes phone numbers, timestamps, call duration and status, message bodies, and — where you enable it and consent is captured — call audio recordings and their transcripts.

c. Information generated by your use of the Service.

  • Derived records: contacts, "person" records, importance/behavioral scores, extracted to-dos and follow-up tasks, each linked to its source communication.
  • Usage and device data: log data, IP address, browser/extension version, feature usage, and diagnostic events.
  • Cookies and similar technologies: see our Cookie Policy and Section 11.

d. Information about third parties (your contacts). To provide the Service, Hobb necessarily processes personal information about the people you communicate with — your leads, clients, and other contacts — including their names, email addresses, phone numbers, the content of your communications with them, and inferences (such as behavioral importance scores) derived from those communications. You are responsible for having a lawful basis and any required notice or consent to load this information into Hobb and to record/transcribe communications with these individuals (see Sections 7 and 9, the Terms of Service, and the Acceptable Use Policy).

We do not knowingly collect information from anyone under 18. The Service is for business use by adults (see Section 14).


4. How we use information

We use the information above to:

  • Provide the core Service — sync and read your connected mailbox; capture calls, SMS, and WhatsApp messages; build unified contact records; extract and surface to-dos and follow-ups; place and receive calls and messages; draft replies (Hobb writes drafts to your mailbox; you send them — Hobb never sends email as you).
  • Record and transcribe calls where you enable recording, and generate AI transcripts and summaries.
  • Operate AI features — a privacy-preserving pipeline scrubs personal identifiers from message text before it is sent to our AI sub-processors for extraction and classification (see Section 6).
  • Bill and administer your account — manage subscriptions, the credit ledger, receipts, and dunning.
  • Secure and maintain the Service — authenticate users, prevent fraud and abuse, debug, and enforce our terms.
  • Communicate with you — send transactional messages (sign-in links, receipts, service notices) and respond to support.
  • Comply with law and enforce our agreements.

We do not use your data, or your Google user data, for advertising or to build advertising profiles. We do not sell your personal information.

Legal bases (for users protected by GDPR/UK-GDPR, e.g., future UK/NL markets)

Where applicable, we rely on: performance of a contract (to provide the Service you request), legitimate interests (to secure, improve, and operate the Service, balanced against your rights), consent (for example, for recording and certain optional features), and legal obligation.


5. Categories of personal information and retention (CCPA/CPRA disclosure)

For the preceding 12 months, we have collected the following statutory categories of personal information. We collect these from you, from the accounts/channels you connect, from your use of the Service, and from our sub-processors. We disclose categories to sub-processors for the business purposes described in Section 4; we do not sell or "share" (for cross-context behavioral advertising) any category.

CCPA/CPRA categoryExamples in HobbSourcesBusiness purposeDisclosed to (categories)Sold / Shared?Retention
IdentifiersName, email, account ID, phone number, IP addressYou; connected accounts; usageProvide Service, authenticate, secureHosting, telephony, payment, AI sub-processorsNoLife of account + up to [X] months, then deleted
Commercial informationSubscription tier, credit balance, transaction recordsYou; StripeBilling, account administrationPayment processorNoAs required for tax/accounting ([e.g., 7 years])
Internet/electronic activityLog data, feature usage, extension/app diagnosticsUsageSecurity, debugging, improvementHosting, monitoringNo[e.g., 12 months]
Audio/electronic informationCall recordings and transcripts (where enabled)Voice channelProvide call-capture/transcription featureTelephony, transcription, AI sub-processorsNo[Default 3–6 months] unless you set otherwise
Communications contentEmail content, SMS/WhatsApp content, draftsConnected mailbox; messaging channelsCapture, extraction, draftingHosting, AI sub-processors (scrubbed)NoLife of account, subject to deletion controls
Professional/employment infoBrokerage/business name, roleYouProvide ServiceHostingNoLife of account
InferencesBehavioral importance/contact scores, extracted tasksDerived from your dataPrioritization, task surfacingHostingNoLife of account
Sensitive personal informationContents of email/text messages where Redo AI/you are not the intended recipient; precise financial or contact details that may appear in messagesConnected mailbox; messagingProvide the Service you requestedHosting, AI sub-processors (scrubbed)NoAs above

Sensitive personal information note. Under the CPRA, "sensitive personal information" includes the contents of a consumer's mail, email, and text messages unless the business is the intended recipient. Because Hobb reads your mailbox to provide the Service, we process such content. We use and disclose sensitive personal information only as necessary to provide the Service you have requested and for the permitted purposes recognized under the CPRA (such as performing services, ensuring security, and detecting malicious activity). We do not use it to infer characteristics about you. Because our use is limited to these purposes, the "Limit the Use of My Sensitive Personal Information" right has limited application; even so, you may contact us at privacy@joinredo.com with any request and we will honor applicable rights.

Retention figures in the table marked […] must be finalized with counsel and reflected in the product's deletion automation (see README.md). Where a specific period is not set, we retain personal information for as long as your account is active and as needed to provide the Service, then delete or de-identify it within a reasonable period, unless a longer period is required by law.


6. Google user data (Gmail) — access, use, and Limited Use commitment

Hobb's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Scopes we request (least-privilege). Hobb requests the narrowest Gmail scopes required for the features you enable:

ScopeWhat it enablesWhen requested
gmail.readonlyRead your email so Hobb can sync, extract tasks/contacts, and triageBaseline email feature
gmail.composeWrite reply drafts into your Gmail Drafts (drafts only)When draft-assist is enabled
gmail.modifyApply/remove Hobb's organizing labels (no deleting, no settings changes)When label write-back is enabled

Hobb never requests gmail.send and cannot send email as you. Hobb drafts; you send.

How we access, use, store, and share Google user data.

  • Access: with your explicit OAuth authorization, Hobb connects to your Gmail through Google's APIs using the scopes above. Your Google refresh token is stored encrypted and is used only to maintain your connection.
  • Use: we use Google user data solely to provide and improve the user-facing features prominent in Hobb — syncing and reading your mail to surface to-dos and follow-ups, building contact records, and (if enabled) drafting replies. Message text is passed through a personal-data scrubbing step before AI processing.
  • Storage: we store the minimum message data needed to provide these features (including a restricted, access-controlled store of message content and derived, PII-scrubbed records), encrypted in transit and at rest, on our hosting sub-processor's infrastructure.
  • Sharing/transfer: we do not transfer Google user data to others except as permitted by the Limited Use requirements — namely: (i) as necessary to provide or improve user-facing features and only with your consent; (ii) for security purposes (e.g., investigating abuse); (iii) to comply with applicable law; or (iv) as part of a merger, acquisition, or asset sale with your explicit prior consent.
  • Human access: we do not allow humans to read your Google user data except (i) with your affirmative agreement to view specific messages, (ii) where necessary for security, (iii) to comply with law, or (iv) where the data is aggregated and de-identified for internal operations.

Limited Use — the four prohibitions. Consistent with Google's policy, Hobb does not:

  1. Transfer or sell your Google user data to third parties like advertising platforms, data brokers, or information resellers;
  2. Transfer, sell, or use your Google user data for serving ads, including retargeting, personalized, or interest-based advertising;
  3. Transfer, sell, or use your Google user data to determine credit-worthiness or for lending purposes; or
  4. Transfer, sell, or use your Google user data to create, train, or improve (directly or indirectly) any machine-learning or artificial-intelligence model, other than a model personalized to you for the specific user-facing feature that is the reason you connected Gmail.

AI model-training commitment. We do not retain or use Google Workspace/Gmail user data to develop, improve, or train generalized or non-personalized artificial-intelligence or machine-learning models. Our AI sub-processors are contractually bound not to train their models on your content.

Revoking access. You can disconnect Hobb at any time in-app or via your Google Account → Security → Third-party access, which revokes Hobb's access. On disconnection we stop syncing and delete or de-identify stored Google user data in line with Section 12.

6a. Microsoft (Outlook) data

When you connect Outlook/Microsoft 365, Hobb accesses your mail through the Microsoft Graph API under the permissions you grant, and uses that data on the same least-privilege, no-advertising, no-generalized-AI-training basis described above for Google data. Your Microsoft refresh token is stored encrypted and used only to maintain your connection. You can revoke access in your Microsoft account settings or in-app.


7. Calls, messages, recording, and transcription

  • Provisioned numbers. When you activate a phone number, calls, SMS, and WhatsApp messages route through that Hobb-provisioned number via our telephony sub-processor (Telnyx). Native-dialer calls on your personal SIM are never recorded by Hobb.
  • Recording is consent-gated. Where you enable recording, Hobb plays a recording/transcription announcement at the start of the call. You are responsible for complying with call-recording laws, which in some U.S. states require the consent of all parties. Our Acceptable Use Policy sets out your obligations, and Hobb provides controls to disable recording. We treat transcripts with the same protection as the underlying audio.
  • Transcription and AI analysis. Recorded audio may be transcribed and summarized by automated systems. We do not build voiceprints or perform biometric speaker-identification.
  • Messaging. For SMS and WhatsApp you send through Hobb, you are the message sender and are responsible for obtaining recipient consent and honoring opt-outs (STOP/HELP), consistent with the TCPA, CTIA/10DLC rules, WhatsApp's Business Messaging Policy, and the Acceptable Use Policy.

8. Sub-processors and third parties we share with

We share personal information only with service providers that process it on our behalf under contract, and as required by law. We do not sell personal information. Our current sub-processors include:

Sub-processorFunctionData involved
SupabaseApplication hosting, database, authenticationAccount, content, derived records, logs
TelnyxTelephony: numbers, voice, SMS, WhatsApp (BSP), call recording/transcriptionCall/message metadata & content, recordings, transcripts
AnthropicLLM processing for task/contact extraction and draftingPII-scrubbed message text
Voyage AIText embeddings for search/matchingPII-scrubbed text
StripeSubscription billing and paymentsBilling/payment data
Google LLC / MicrosoftSource email/calendar providers you connectData you authorize via OAuth

A current, maintained sub-processor list is available at [hobb.ai/legal/subprocessors — TO PUBLISH]. We require each sub-processor to protect personal information and to process it only per our instructions, under a data-processing agreement or equivalent service-provider terms.

We may also disclose information: (i) to comply with law, legal process, or lawful government requests; (ii) to protect the rights, safety, and security of Hobb, our users, and the public; (iii) to enforce our terms; and (iv) in connection with a merger, acquisition, financing, or sale of assets, subject to the commitments in this Policy (and, for Google user data, with your explicit prior consent).


9. Your data and our role (controller vs. service provider)

For the personal information you and your organization load into or generate through Hobb about your contacts and clients, Redo AI acts as your service provider / processor: we process that information to provide the Service, under your instructions, and we do not use it for our own purposes, retain, use, or disclose it outside the direct business relationship, or combine it with data from other sources except as permitted by law. You are the business / controller for that information and are responsible for providing any notices and obtaining any consents required to collect it, record communications, and use Hobb to contact those individuals.

If you are an end-recipient (a contact of a Hobb user) and want to exercise privacy rights, please contact the Hobb user (the agent/brokerage) who holds your information; we will assist them as their service provider. You may also contact us at privacy@joinredo.com and we will route your request appropriately.


10. How we protect information

We use technical and organizational safeguards including encryption in transit and at rest, encryption of stored third-party credentials, strict secret management, per-organization data isolation enforced in every data query, least-privilege access scopes, fail-closed production configuration, and monitoring. Connected-account credentials (such as your Gmail/Outlook refresh tokens) are encrypted with a key that is itself tightly controlled. No method of transmission or storage is perfectly secure, but we work to protect your information and to respond promptly to incidents. To report a security concern, contact [security@joinredo.com — TO CONFIRM].


11. Cookies and similar technologies

hobb.ai and the Hobb app use cookies and similar technologies for essential functionality (sign-in, security), preferences, and limited analytics. We do not use cookies for cross-context behavioral advertising. For details and your choices, see our Cookie Policy. We honor recognized browser opt-out preference signals, including the Global Privacy Control (GPC), as a valid opt-out of sale/sharing where applicable.


12. Your privacy rights and choices

Depending on where you live, you may have some or all of the following rights:

  • Access / know the personal information we hold about you, its sources, purposes, and the categories of third parties we disclose it to.
  • Delete your personal information.
  • Correct inaccurate personal information.
  • Portability — receive a copy of certain data in a portable format.
  • Opt out of "sale" or "sharing" of personal information (note: we do not sell or share personal information).
  • Limit the use of sensitive personal information (see the note in Section 5).
  • Non-discrimination — we will not discriminate against you for exercising your rights.
  • Appeal — if we deny a request, you may appeal by replying to our decision or writing to privacy@joinredo.com; you may also contact your state attorney general.

How to exercise your rights. Email privacy@joinredo.com, or use the in-app account/privacy controls (including self-service disconnect and deletion). We will verify your request (typically by confirming control of the account email) and respond within the time required by applicable law (generally 45 days under U.S. state laws, extendable once). An authorized agent may submit a request on your behalf with proof of authorization.

California "Your Privacy Choices." California residents may exercise the rights above, including opting out of sale/sharing (again, we do not sell or share) and limiting sensitive-PI use, via privacy@joinredo.com or the in-app "Your Privacy Choices" control, and through the GPC signal.

Other U.S. states. Residents of states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Texas, and others) have equivalent rights to access, correct, delete, obtain a copy of, and opt out of targeted advertising, sale, and certain profiling. Exercise them the same way.


13. Data location and international transfers

Hobb currently serves the United States, and personal information is processed in the United States and other locations where our sub-processors operate. If we expand to the United Kingdom, the European Union/Netherlands, or elsewhere, we will update this Policy and implement appropriate transfer safeguards (such as Standard Contractual Clauses / UK IDTA and the EU-U.S. Data Privacy Framework where relevant).

14. Children

The Service is intended for business use by adults and is not directed to anyone under 18. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact privacy@joinredo.com and we will delete it.

15. Changes to this Policy

We may update this Policy from time to time. We will post the updated version with a new "Last updated" date and, for material changes, provide additional notice (such as in-app or by email). Your continued use of the Service after an update means you accept the revised Policy. Where required, we will obtain your consent.

16. Contact us

Redo AI, Inc. — [registered mailing address — TO CONFIRM] Privacy: privacy@joinredo.com · Legal: legal@joinredo.com


This Privacy Policy is a draft prepared for Redo AI, Inc. and must be reviewed by qualified legal counsel before publication. Bracketed items require confirmation. See README.md for outstanding legal items and the Google/Meta submission checklist.