Privacy Policy

I'm David H. Frost, sole operator of Frost Labs LLC (Riverdale, Utah). This page tells you what data I collect, what I do with it, and what your rights are. It applies to ai-frost.com, the Calendly discovery-call booking form, the support@ai-frost.com email channel, and any audit or engineering engagement you contract with Frost Labs. It will also apply to the Frost Labs marketplace connector for Odoo when that ships to apps.odoo.com.

1. Who I am

Frost Labs LLC is a Utah-registered single-member LLC. I'm both the controller for the ai-frost.com site and a processor when you send me personal data via support tickets, discovery calls, or paid engagements. EU representative arrangements are described in Section 7.

2. What data I collect

2a. Site visitors (ai-frost.com)

I use Cloudflare Web Analytics. It's privacy-friendly and cookieless. No personal identifiers, no IP storage beyond the time it takes to compute aggregate metrics. The token is in the page source if you want to verify.

2b. Discovery-call bookings (Calendly)

The "Book a 15-min call" buttons link to Calendly (calendly.com), an independent scheduling service. When you book a slot, Calendly collects what you enter into their form. Typically name, email, company (optional), and short answers to qualifying questions about your Odoo + marketplace setup. Calendly is a separate data processor with its own privacy policy and data processing addendum. Frost Labs receives the booking details via email + Calendly's dashboard; I retain them for the duration of the engagement (or 90 days if no engagement follows) then delete.

2c. Support tickets (support@ai-frost.com)

When you email support, I see what you send. If you paste live buyer data into a support ticket, I will have incidentally received that data. Please don't paste live PII unless you've signed a DPA first (see Section 6). I retain support tickets containing identifiable PII for 90 days; anonymized issue patterns indefinitely (so I can answer future "have you seen this before" questions).

2d. Audit and engagement clients

For Odoo + Marketplace Reconciliation Audit audits and longer Engineering Engagements, I collect: company name, contact name/email, scope details for the engagement, and (during the audit/engagement only) read-only access to your Amazon Seller Central / eBay Developer / Walmart Seller Center / Odoo instance as configured by you. I do not store marketplace credentials past the engagement; they remain in your accounts and I prompt you to revoke read-only sub-user access at engagement close. Audit deliverables (PDF report, findings spreadsheet) are retained for 18 months for your follow-up questions, then deleted unless you've extended retention in writing.

2e. Invoicing (Mercury)

I issue invoices via Mercury (mercury.com), my business bank. Mercury sees the invoice line items, amount, and your billing email; payment processing (ACH / credit card) is handled by Mercury's payment processor. Mercury has its own privacy policy. I retain invoice records for 7 years per US tax retention requirements.

2f. Marketplace connector customers (planned product)

When the Frost Labs marketplace connector ships on apps.odoo.com, it will install on your own Odoo instance. It will read from and write to your Odoo database and the marketplace APIs you configure. Frost Labs will have no access to that data flow. Your credentials will sit in your Odoo's fl_marketplaces_secrets table (encrypted at rest with pgcrypto). Your buyer orders, product data, and marketplace responses will stay on your hardware. This section becomes operative when the connector launches.

3. What I do with it

• Reply to your support requests and discovery-call inquiries.
• Schedule and conduct discovery calls (via Calendly + Google Meet).
• Deliver audit reports and engagement work as contracted.
• Issue invoices (via Mercury) and reconcile payments.
• Diagnose bugs and improve the audit/connector practice across engagements (using only anonymized patterns, never your live data without your written consent).

I do not sell data. I don't share it with marketing networks. I don't profile users. I don't use audit/engagement data to train AI models.

4. Legal basis (GDPR-relevant)

• Site analytics: Legitimate interest (Cloudflare aggregates only, no tracking).
• Discovery-call booking: Pre-contractual measure at your request (Art. 6(1)(b) GDPR). You initiated the booking to scope a possible engagement.
• Support tickets: Contract performance (you sent it to get help) plus legitimate interest (improving the practice).
• Audit/engagement engagement: Contract performance.
• Invoicing: Contract performance + legal obligation (tax retention).
• Marketplace connector data flow (when shipped): Not applicable. Frost Labs has no role. You (the controller) decide.

5. Where data is stored / who processes it

• ai-frost.com hosting: Cloudflare Pages (global edge network).
• Site analytics: Cloudflare Web Analytics (cookieless, aggregate only).
• Discovery-call bookings: Calendly (calendly.com) as a sub-processor; bookings forwarded to my Gmail.
• Meetings: Google Meet (auto-generated link per Calendly event). Google is a sub-processor.
• Support tickets & engagement emails: Gmail inbox (Google Workspace) via Cloudflare Email Routing for the support@ / billing@ / marketplace-ops@ aliases.
• Invoicing: Mercury (mercury.com) as my business bank and invoicing tool.
• Audit deliverables & engagement records: local encrypted storage (operator workstation) + private Git repository.
• Marketplace data (yours, in the connector product when it ships): in your Odoo instance. I never see it.

6. DPA (Data Processing Addendum)

For EU customers or any customer who needs a signed DPA before engaging (for an audit, engineering engagement, or future connector install), I provide one based on EU Standard Contractual Clauses Module 2 (controller-to-processor). Email support@ai-frost.com with subject "DPA request" and I'll send the template within 2 business days. Sign-and-return via email or DocuSign.

7. EU Representative (GDPR Art. 27)

Frost Labs LLC is US-based with no EU establishment. At present, Frost Labs does not actively market to EU/EEA residents and does not knowingly conduct large-scale processing of EU personal data. If you are an EU/EEA data subject who has interacted with Frost Labs, you can reach me directly at support@ai-frost.com to exercise your GDPR rights; I respond within 30 days. If material EU customer activity emerges, I will designate an Article 27 representative and list their contact details here at that time.

8. Your rights (GDPR / UK GDPR / CCPA / state US privacy laws)

If you're in the EU/UK, California, or another jurisdiction with a comparable privacy law (Colorado, Virginia, Connecticut, Utah, Texas, etc.), you have rights including: access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with a supervisory authority. To exercise any of these, email support@ai-frost.com. I respond within 30 days; usually within 2-5 business days.

8a. California residents (CCPA / CPRA)

Specifically for California residents under the CCPA as amended by the CPRA:

• Right to know: You can ask what personal information I've collected about you, the sources, the purposes, and any third parties I've shared it with. I'll respond within 45 days.
• Right to delete: You can ask me to delete personal information I've collected from you, subject to legal exceptions (e.g., tax records).
• Right to correct: You can ask me to correct inaccurate information.
• Right to opt-out of sale / sharing: Frost Labs does not sell or share personal information for cross-context behavioral advertising. There is nothing to opt out of, but the right exists if my practices ever change.
• Right to limit use of sensitive personal information: Frost Labs does not collect sensitive personal information as defined by CPRA.
• Right to non-discrimination: Exercising any of these rights will not affect the service you receive.

To exercise California rights: email support@ai-frost.com with subject "California privacy rights request" and include enough detail that I can verify you're the right person (typically the email address you used to contact Frost Labs).

If your data is in your own Odoo instance or marketplace accounts (which is true for almost everything during an audit/engagement), I can't delete it from there. That's your responsibility as the controller of your own systems. I can confirm in writing what data Frost Labs holds about you (typically: support ticket history, Calendly booking record, and any deliverable I produced for you).

9. Data retention

• Calendly bookings (no engagement followed): 90 days, then deleted.
• Calendly bookings + engagement that followed: duration of engagement + 18 months.
• Support tickets containing identifiable PII: 90 days, then deleted.
• Anonymized issue patterns: indefinite (no PII).
• Audit deliverables (PDF reports + findings spreadsheets): 18 months from delivery date, then deleted unless retention extended in writing.
• Engagement records: duration of engagement + 7 years (US tax retention).
• Invoice records (via Mercury): 7 years (US tax retention).
• Site analytics: Cloudflare's own retention (typically 30-90 days, aggregated).

10. Children

Frost Labs does not target children under 16. If you believe a child has provided personal data to me, email support@ai-frost.com and I'll delete it.

11. Changes to this policy

If I make material changes, I'll bump the "Last updated" date at the top and (for active customers) email a notice. Continued use after the change date constitutes acceptance.

12. Contact

For privacy questions, DPA requests, or to exercise your rights:

• Email: support@ai-frost.com
• Postal: Frost Labs LLC, Riverdale, Utah, USA (full address on request)
• EU representative: DataRep (address pending registration)