DealSmart AI, Inc.

Privacy Policy

Effective Date: March 1, 2026  |  Last Updated: March 11, 2026

This Privacy Policy describes how DealSmart AI, Inc. (“DealSmart,” “we,” “us,” or “our”) collects, uses, stores, and discloses information in connection with DealSmart and related services we provide to automotive dealerships and their customers. It also describes the rights available to individuals whose personal information we process.

By using our services, you acknowledge that you have read and understood this Privacy Policy. If you are a dealership engaging our services, this Policy should be read alongside your Master Services Agreement, which governs our data processing obligations to you in greater detail.

1. Definitions

The following terms have specific meanings throughout this Policy:

Term | Definition
Dealership | An automotive dealership or dealer group that has entered into a services agreement with DealSmart to use DealSmart.
Dealership Customer | An individual who interacts with DealSmart on behalf of, or at the direction of, a Dealership — including end consumers communicating via SMS, email, voice, or other channels.
Personal Information | Any information that identifies or could reasonably be used to identify a natural person, including name, contact details, vehicle information, and communication history.
Platform | The Max AI agent platform and all associated services, integrations, and interfaces provided by DealSmart.
Services | The AI-assisted sales, service scheduling, and customer communication services DealSmart provides to Dealerships through DealSmart.
Subprocessor | A third-party vendor that processes personal information on DealSmart’s behalf in connection with the delivery of the Services.

2. Scope and Applicability

This Privacy Policy applies to:

  • Personal information collected from or about Dealership Customers through DealSmart (e.g., messages sent to or received from Max, appointment records, vehicle service history accessed via CRM integration);
  • Personal information about Dealership personnel who access or administer DealSmart; and
  • Information provided to us by Dealerships in connection with onboarding, configuration, and integration of the Services.

This Policy does not apply to the internal human resources data of DealSmart employees, or to third-party websites, services, or applications that may be referenced within DealSmart but are not operated by DealSmart.

Dealerships as Data Controllers

In providing the Services, DealSmart acts as a data processor on behalf of each Dealership. The Dealership is the data controller with respect to Personal Information about its customers and staff. DealSmart processes that information only in accordance with the Dealership's instructions and the terms of the applicable Master Services Agreement. DealSmart does not use Dealership Customer data for any purpose other than delivering the contracted Services.

3. Information We Collect

3.1 Information Provided by Dealerships

When a Dealership integrates DealSmart with its customer relationship management system (CRM) or other operational systems, it makes available to us certain data necessary to operate the Services. This may include:

  • Customer contact information (name, phone number, email address, mailing address);
  • Vehicle information (VIN, year, make, model, mileage, service history);
  • Appointment and transaction records;
  • Communication preferences and opt-out status; and
  • Lead and sales opportunity data as maintained in the Dealership’s CRM.

3.2 Information Generated Through Customer Interactions

When a Dealership Customer communicates through DealSmart — by responding to an SMS, receiving or placing a voice call handled by Max, or exchanging email — we process the content of those communications in order to generate an appropriate response and log the interaction. This includes:

  • The text of inbound and outbound messages;
  • Call metadata (time, duration, channel); and
  • Conversational context used to inform Max’s responses within a single interaction.

We do not retain raw recordings of voice calls. Where voice-to-text transcription occurs to facilitate an interaction, the resulting text is written to the Dealership's CRM record and is not separately stored by DealSmart.

3.3 Information Collected Automatically

In operating and maintaining DealSmart, we automatically collect certain technical information, including:

  • Log data (system access times, error events, API call records);
  • Session information associated with authenticated users of DealSmart; and
  • Platform usage and performance data used to monitor service reliability.

This technical data is used solely for operating, maintaining, and improving DealSmart. It is not used to profile Dealership Customers or for marketing purposes.

3.4 Information We Do Not Collect

DealSmart does not collect the following categories of information in the course of operating the Services:

  • Social Security numbers, government-issued identification numbers, or biometric identifiers;
  • Credit scores, income information, or financial account numbers — DealSmart is designed to prohibit the solicitation or processing of this information through any automated interaction;
  • Biometric voice identifiers (voice prints) — we do not use voice processing technology that generates biometric profiles of callers; and
  • Sensitive personal characteristics (race, ethnicity, religion, health information, sexual orientation) — we have no basis to collect this information and our systems are designed to avoid it.

4. How We Use Personal Information

DealSmart uses personal information solely for the purposes described below. We do not sell personal information. We do not use personal information to serve advertising. We do not use Dealership Customer data to train artificial intelligence models.

4.1 Providing the Services

The primary use of personal information is to operate DealSmart on behalf of Dealerships. This includes enabling Max to generate and deliver communications to Dealership Customers, schedule and manage service appointments, update CRM records, and support the sales and service workflows that Dealerships have configured within DealSmart.

4.2 Regulatory Compliance

We process personal information as necessary to comply with applicable law and to operate in compliance with telecommunications regulations, including the Telephone Consumer Protection Act (TCPA), the CAN-SPAM Act, the California Consumer Privacy Act (CCPA), and the FTC Safeguards Rule. This includes maintaining records of customer consent and opt-out status, and enforcing communication restrictions at the point of delivery.

4.3 Platform Security and Integrity

We use technical and operational information to detect, investigate, and respond to security incidents, prevent fraud, and maintain the integrity of DealSmart. This processing is necessary for our legitimate interest in providing a secure and reliable service.

4.4 Service Improvement

We may use aggregated, de-identified performance data — from which all personal information has been removed — to evaluate and improve the quality and reliability of the Services. This data cannot be used to identify any individual or any Dealership’s customers.

4.5 Legal Obligations and Dispute Resolution

We may retain and process personal information to the extent required to fulfill our legal obligations, respond to lawful requests from regulatory authorities, or establish, exercise, or defend legal claims.

5. How We Share Personal Information

5.1 With Dealerships

Personal information about Dealership Customers is shared with the Dealership on whose behalf it was collected. This is the central purpose of the Services — Max processes communications and writes the results back to the Dealership's systems so that Dealership staff have a complete record of customer interactions.

5.2 With Subprocessors

We engage third-party service providers (Subprocessors) to assist in operating DealSmart. Each Subprocessor is engaged under a contractual arrangement that limits their use of personal information to the specific function for which they are engaged and requires them to maintain appropriate security and confidentiality standards. Our current Subprocessors, and the functions they perform, are listed in Section 10 of this Policy.

5.3 For Legal Reasons

We may disclose personal information if we believe in good faith that such disclosure is necessary to: (a) comply with a legal obligation or respond to valid legal process; (b) protect the safety of any person; (c) prevent or investigate fraud, security incidents, or violations of our agreements; or (d) protect the rights and property of DealSmart, our Dealership customers, or others.

5.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of all or substantially all of DealSmart's assets, personal information may be transferred as part of that transaction. We will provide notice to affected Dealerships prior to any such transfer, and the acquiring entity will be required to honor the commitments made in this Policy.

5.5 What We Do Not Do

  • Sell personal information to third parties for any purpose;
  • Share personal information with advertisers or data brokers;
  • Use personal information from one Dealership’s customers to benefit another Dealership or any other third party; or
  • Make personal information available to external artificial intelligence model providers in identifiable form.

6. Artificial Intelligence Processing

DealSmart uses artificial intelligence to power Max, the AI agent that handles customer interactions on behalf of Dealerships. Max operates within defined behavioral boundaries that govern the type of information it may solicit or generate. DealSmart is designed to prevent Max from requesting sensitive personal information, making financial representations, or generating outputs inconsistent with applicable regulatory requirements. These controls are enforced at the system level and apply across all channels through which Max operates.

7. Data Security

DealSmart maintains administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These safeguards include:

  • Encryption of personal information at rest and in transit using industry-standard protocols;
  • Access controls that limit access to personal information to personnel and systems with a legitimate need;
  • Tenant isolation controls that ensure personal information belonging to one Dealership is not accessible to any other Dealership or to unauthorized parties;
  • Authentication requirements for all Platform access;
  • Monitoring and logging of access to personal information; and
  • Vendor security assessments for Subprocessors handling personal information.

No method of data transmission or storage is completely secure, and DealSmart cannot guarantee the absolute security of personal information. In the event of a security incident that is reasonably likely to result in unauthorized access to personal information, we will notify affected Dealerships in accordance with applicable law and our contractual obligations.

Data Breach Notification

In the event of a confirmed breach or suspected unauthorized access to personal information, DealSmart will notify the affected Dealership within 72 hours of becoming aware of the incident. Notification will include a description of the nature of the incident, the categories of information involved, and the measures DealSmart is taking or proposes to take in response.

8. Data Retention

DealSmart retains personal information for the period necessary to fulfill the purposes described in this Policy, to satisfy our contractual obligations to Dealerships, and to comply with applicable legal requirements. In practice:

  • Personal information about Dealership Customers is retained for the duration of the Services agreement and for such additional period as may be required by law or agreed with the Dealership. Dealerships may request deletion of their customers’ personal information consistent with their own data retention policies and applicable regulatory requirements.
  • Communication records generated through DealSmart are written to the Dealership’s CRM and are subject to the Dealership’s own data management practices. DealSmart does not retain independent copies of those records beyond what is necessary for DealSmart operation.
  • Technical and operational logs are retained for a period of twelve months unless a longer retention period is required for security investigation or legal purposes.
  • Session data and authentication tokens are subject to automatic expiration and are not retained beyond their functional lifespan.

When a Dealership terminates its Services agreement, DealSmart will delete or return personal information associated with that Dealership's account within thirty (30) days of the termination date, except where a longer retention period is required by law.

9. Rights of Individuals

DealSmart processes personal information primarily as a data processor on behalf of Dealerships. Individuals who wish to exercise rights with respect to their personal information held by a Dealership — including rights of access, correction, deletion, or portability — should contact the Dealership directly. DealSmart will support Dealerships in responding to such requests as required by applicable law and our contractual obligations.

Where DealSmart processes personal information as a data controller in its own right (for example, in connection with platform users or prospective customers), the following rights may apply depending on your jurisdiction:

  • Right of Access: You may request confirmation of whether we hold personal information about you and, if so, a copy of that information.
  • Right of Correction: You may request correction of inaccurate or incomplete personal information.
  • Right of Deletion: You may request deletion of personal information we hold about you, subject to our legal obligations to retain certain records.
  • Right to Object: You may object to certain processing of your personal information, including for direct marketing purposes.
  • Right to Data Portability: Where applicable, you may request that personal information be provided to you in a structured, machine-readable format.
  • Right to Opt Out of Sale: DealSmart does not sell personal information. This right is therefore not applicable to our processing activities.

To exercise any of these rights, please contact us at the address provided in Section 12. We will respond to verifiable requests within the timeframe required by applicable law.

10. Subprocessors

DealSmart engages the following categories of Subprocessors in connection with the delivery of the Services. Each Subprocessor is subject to a data processing agreement that governs its handling of personal information.

Service Provider | Purpose
Cloud Infrastructure Provider | Hosting of all Platform systems and data in a secure, US-based private cloud environment.
Telephony Provider | Routing and delivery of SMS and voice communications between DealSmart and Dealership Customers.
Voice Synthesis Provider | Generation of voice responses in AI-assisted phone interactions.
Email Delivery Provider | Transmission of outbound email communications on behalf of Dealerships.
Messaging Platform Provider | Delivery of communications via third-party messaging channels where enabled by the Dealership.
AI Model Providers | Generation of natural language responses. Personal information is anonymized prior to transmission to these providers.
Identity & Auth Provider | Management of user authentication and access control for Platform administrators.
CRM Integration Provider(s) | Synchronization of customer records, appointments, and interaction logs with the Dealership’s customer relationship management system.
Compliance Monitoring Provider | Continuous monitoring of our security and compliance posture in connection with our audit obligations.

We will notify affected Dealerships of material changes to our Subprocessor list in accordance with the terms of the applicable Master Services Agreement. An updated list of named Subprocessors is available to Dealerships upon written request.

11. Regulatory Compliance Commitments

DealSmart designs and operates DealSmart in a manner intended to support Dealerships' compliance with applicable regulations governing customer communications, consumer privacy, and financial data protection. The following frameworks are reflected in the design of DealSmart:

Telephone Consumer Protection Act (TCPA)

The Platform enforces restrictions on outbound communications consistent with TCPA requirements, including respect for quiet hours, processing of opt-out requests, and channel-specific communication preferences. Opt-out instructions received through any channel are applied across all communication channels.

CAN-SPAM Act

Outbound email communications generated by DealSmart include accurate sender identification, non-deceptive subject lines, and functional unsubscribe mechanisms. Unsubscribe requests are processed and honored without delay.

California Consumer Privacy Act (CCPA)

DealSmart supports Dealerships in meeting their obligations under the CCPA. The Platform enforces do-not-contact designations at the point of message delivery. DealSmart does not sell personal information as defined by the CCPA. Dealerships may request data subject access and deletion support from DealSmart as part of their consumer rights response processes.

Fair Credit Reporting Act (FCRA) and Equal Credit Opportunity Act (ECOA)

The Platform is designed to prevent automated interactions from soliciting or processing credit-related information. Max does not make inquiries about credit history, income, or financial status, and is not authorized to make credit decisions or representations.

FTC Safeguards Rule

As a service provider to automotive dealerships that hold non-public personal financial information, DealSmart maintains security controls consistent with the requirements of the FTC Standards for Safeguarding Customer Information, including encryption, access controls, and vendor oversight requirements.

General Data Protection Regulation (GDPR)

Where DealSmart processes personal data of individuals located in the European Economic Area, DealSmart acts as a data processor subject to the instructions of the Dealership as data controller. Data Processing Agreements reflecting the requirements of Article 28 GDPR are available to Dealerships upon request. DealSmart supports the exercise of data subject rights as required under applicable EU and UK data protection law.

12. Contact Information and Policy Updates

Contacting DealSmart

Questions, requests, or concerns regarding this Privacy Policy or DealSmart's data practices may be directed to:

DealSmart AI, Inc.

Attention: Privacy

Email: privacy@getdealsmart.com

Updates to This Policy

DealSmart may update this Privacy Policy from time to time to reflect changes in our practices, the Services we offer, or applicable legal requirements. When we make material changes, we will notify Dealerships through DealSmart or by direct communication prior to the changes taking effect. The effective date at the top of this document will be updated to reflect the date of the most recent revision.

Continued use of DealSmart following notice of a material change constitutes acceptance of the updated Policy. If you have questions about any change, please contact us using the information above.

© 2026 DealSmart AI, Inc. All rights reserved. This document is provided for informational and evaluation purposes. It does not constitute legal advice.