Privacy Policy
Morrow Systems Group LLC
Effective Date: June 12, 2026
Morrow Systems Group LLC (“Morrow,” “we,” “us,” or “our”) operates Trodelo and related services. This Privacy Policy describes what data we collect, how we use it, and how we protect it.
Who this policy covers
Trodelo serves two distinct groups, and the way data rights and obligations apply differs between them:
- The Contractor — the licensed electrical contractor (and the employees and contractors of its organization) that registers for and subscribes to the Service. For the Contractor's own account, login, and billing data, Morrow acts more like a controller, determining how that data is used to operate and bill the subscription. By creating an account or otherwise using the Service as a Contractor, you agree to the practices described in this Policy.
- The Contractor's end customers — the callers, leads, and homeowners who interact with the Service by voice, SMS, or the public links their Contractor sends. For this group's personal information (their job, contact, and call data — together with the Contractor's other job data, the “Customer Data”), the Contractor is the controller and Morrow acts as the Contractor's processor, handling that data only to provide the Service on the Contractor's behalf. End customers do not enter into a subscription with us; their interactions are governed by this Policy and by the notices presented within the Service (the call-recording disclosure and the SMS opt-in / opt-out terms).
These defined terms — “Contractor,” “end customers,” and “Customer Data” — have the same meaning as in our Terms of Service. Where this Policy refers to a controller/processor distinction, the same allocation governs how data rights and obligations apply between the parties.
Sources of the data we hold
We obtain personal information from three sources:
- Directly from the Contractor — account, login, and billing details, and the job and configuration data the Contractor enters into the Service.
- Automatically through use of the Service — server logs, timestamps, and interaction records generated as the Service runs.
- Indirectly, about the Contractor's end customers — contact details, call recordings and transcripts, photos, and job details collected when end customers call the AI receptionist, reply to SMS, or use a link the Contractor sends. This data is Customer Data the Contractor controls.
1. Information We Collect
We collect information necessary to provide our services:
- Account information: Name, email address, phone number, and role (provided during account setup).
- Job and service data: End-customer names, addresses, phone numbers, and details about electrical work requested, inspected, or performed.
- Call recordings and transcripts: When the AI receptionist answers an inbound call, the call is recorded and transcribed so the receptionist can run discovery, schedule, and create an accurate job record. See “Call Recording & Transcription” below.
- Photos and evidence: Images uploaded by the Contractor or end customers during the service process.
- Communications: SMS messages and emails sent through the platform to end customers (estimates, notifications).
- Billing data: The Contractor's subscription billing information, and end-customer payments for service-call fees. Card details are entered into and handled by our payment processors (see “Payment Data” below); we do not store full card numbers.
- Usage data: Server logs, timestamps, and interaction records used to maintain and improve service quality.
2. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain Trodelo and related services.
- Generate AI-assisted investigation steps, solution briefs, and estimates.
- Record and transcribe inbound calls handled by the AI receptionist so it can run discovery, schedule, and build an accurate job record.
- Send transactional messages (estimates, job notifications) to end customers on behalf of the Contractor.
- Comply with legal obligations and respond to lawful requests.
Consent — shared responsibility. Because Morrow operates the AI receptionist and sends SMS under Morrow's own carrier-registered A2P 10DLC brand, Morrow provides the call-recording disclosure spoken at the start of each call, captures SMS opt-in before texting, and honors opt-out (STOP/HELP) requests. The Contractor is responsible for having a lawful basis to contact the people it reaches through the Service — for example, callers who contact its business, or people who provided their number for a follow-up they requested — and for configuring the Service truthfully. Each party complies with the laws applicable to its role.
3. SMS / Text Messaging
When you opt in to SMS communications from Trodelo — by submitting a service-request form on our website, or by giving verbal consent during a call to our service line — we collect and use your mobile phone number to send you service-related text messages. These include appointment confirmations, photo upload requests, estimates, and service follow-ups.
SMS is sent under Trodelo's own carrier-registered A2P 10DLC brand, and opt-out (STOP/HELP) is honored on every message. See our SMS Opt-In Policy for the full list of opt-in methods, sample messages, frequency expectations, and how to opt out.
Message frequency varies based on service activity. Message and data rates may apply.
No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. All categories of personal information exclude text messaging originator opt-in data and consent — this information will not be shared with any third parties.
You can opt out at any time by replying STOP to any text message. After replying STOP, you will receive one final confirmation message and no further texts unless you opt in again. For help, reply HELP, or contact us at [email protected].
4. Call Recording & Transcription
Trodelo's AI receptionist records and transcribes inbound phone calls it answers on the Contractor's behalf. Callers hear a recording disclosure at the start of the call before the conversation proceeds.
- Why: Recordings and transcripts let the receptionist run discovery, schedule appointments, collect service-call fees, and build an accurate, auditable job record — and let the Contractor review what was discussed.
- How it's processed: Audio is transcribed and interpreted by our AI and voice-processing providers, which process the data solely on our behalf under contractual data-protection obligations. We do not use call recordings or transcripts to train generalized or third-party AI models.
- Where it's stored: Recordings and transcripts are stored on our cloud-hosting provider's infrastructure with encryption in transit and access controls, associated with the Contractor's organization and the relevant job.
- Retention: Recordings and transcripts are retained for as long as the Contractor's account is active or as needed to provide the Service, comply with legal obligations, and resolve disputes, and are deleted on request subject to applicable legal retention requirements.
Call recordings and transcripts are Customer Data the Contractor controls; Morrow processes them on the Contractor's behalf. End customers can request access to or deletion of their data — including recordings and transcripts — through our Request your data form. Because recordings and transcripts are especially sensitive, releasing them requires an extra identity check (see “Your Rights” below).
5. Information Sharing
We do not sell, rent, or share your personal information with third parties for marketing or advertising purposes.
We may share information only in the following limited circumstances:
- Service providers: We use third-party service providers to operate the platform, including providers of cloud infrastructure, artificial intelligence processing, SMS delivery, and email delivery. These providers process data solely on our behalf and under contractual data protection obligations.
- Within your organization: Job data is shared among members of the same contractor organization as necessary to perform and supervise work.
- With customers: Estimates, job details, and findings reports are shared with the customer associated with a job, as directed by the contractor.
- Legal requirements: We may disclose information if required by law, regulation, legal process, or governmental request.
6. Payment Data
Billing and card data — for both the Contractor's subscription and end-customer service-call payments — is entered into and handled by our payment processors, Stripe and Square, which the customer interacts with directly at checkout. Trodelo does not store full card numbers. We retain only non-sensitive references (such as a payment or customer identifier and the last four digits) needed to reconcile a payment to a job or subscription. Your use of a processor's checkout is also subject to that processor's own terms and privacy policy.
7. Third-Party Service Providers
We work with third-party service providers in the following categories to deliver platform functionality: our payment processors (Stripe and Square), our cloud-hosting provider, our AI and voice-processing providers, our telephony/SMS provider, and our email-delivery provider. All providers are bound by contractual data protection obligations and process data solely on our behalf and under our instructions.
Enterprise customers or Contractors who require a detailed list of subprocessors for compliance purposes may request our Sub-Processor Register by contacting us at the address below. Such disclosure is subject to a confidentiality agreement.
8. Google API User Data
When a Trodelo user connects their Google account, we receive and process Google user data under the scope of the Google API Services User Data Policy, including its Limited Use requirements. A contractor connecting a calendar grants only Calendar and email access. Separately, a Trodelo platform administrator may connect their own Google account with additional Gmail permissions to send demo and sales follow-up emails — contractors and end customers are never asked for Gmail access. We disclose our handling of all of this below.
8.1 Data we receive from Google
When a contractor connects a calendar, Trodelo requests calendar.app.created(access limited to calendars Trodelo itself creates — never your existing or personal calendars), userinfo.email, and openid (account email and basic identity). When a Trodelo platform administrator connects their own account for follow-up emails, two additional scopes apply: gmail.send (send-only) and gmail.settings.basic (read send-as aliases). Specifically:
- Email address and basic identity (
userinfo.email,openid) — used to label the integration and verify the right account is connected. - Calendar data (the
calendar.app.createdscope) — limited to the dedicated “Trodelo Jobs” calendar that Trodelo creates: its calendar ID and name, the free/busy windows on it, and the appointment events Trodelo writes. This scope grants no access to your existing or personal calendars. Trodelo uses it only to create that dedicated calendar, read its free/busy so the AI receptionist does not double-book, and write and sync the appointments it creates. - Send email — platform administrators only (
gmail.send) — requested only when a Trodelo administrator connects their own account, to send follow-up emails from that account so replies return to them. Send-only: it does not let Trodelo read any inbox or message. Contractors and end customers never grant this. - Send-as aliases — platform administrators only (
gmail.settings.basic) — read-only access to the administrator's verified “send mail as” addresses, so they can choose the From address. We read only the alias list, never message content.
8.2 How we use Google user data
- Scheduling. The AI receptionist reads the free/busy windows on the “Trodelo Jobs” calendar so it can offer a slot that doesn't double-book an appointment already on it.
- Job confirmation. Once a customer books, Trodelo creates a calendar event with the job summary, customer name, and service address, in the “Trodelo Jobs” calendar of the assigned technician.
- Two-way sync. If the user reschedules or cancels the event from Google Calendar, Trodelo's reconciler picks up the change and updates the corresponding job record.
- Email follow-ups (platform administrators only). When a Trodelo administrator connects their own account, Trodelo sends follow-up emails (e.g., demo follow-ups) from it using the send-only Gmail permission, and reads the account's send-as aliases so the administrator can choose the From address.
8.3 How we store Google user data
- OAuth refresh tokens are encrypted at rest using Fernet symmetric encryption. The encryption key is held only on the Trodelo backend and is never exposed to users or third parties.
- OAuth access tokens are short-lived (1 hour) and held only in process memory while a request is being served.
- Calendar event content (title, description, attendees) is not stored in Trodelo's database. We persist only the calendar ID, the event ID, and the start/end times needed to keep the job row in sync.
- Free/busy blocks are read on demand for the slot-offering decision and not persisted.
8.4 How we share Google user data — Limited Use disclosure
Trodelo's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- We do not use Google user data to serve advertisements.
- We do not transfer Google user data to third parties except as necessary to provide or improve user-facing features (e.g., the same cloud-hosting provider listed in Section 7) and only under contractual data protection obligations.
- We do not allow humans to read Google user data unless we have the user's affirmative consent for a specific message, doing so is necessary for security purposes (e.g., investigating abuse), or doing so is necessary to comply with applicable law.
- We do not use Google user data to train generalized or third-party machine-learning or AI models. The AI receptionist's scheduling decisions read free/busy windows on demand and discard them after the response is generated.
- We do not read your Gmail inbox or message content. The Gmail permissions we request are send-only (
gmail.send) plus read-only access to your send-as aliases (gmail.settings.basic).
8.5 How users can revoke access and delete data
A user may revoke Trodelo's access to their Google data at any time, in either of two ways:
- From Trodelo: Sign in, open Profile → Calendar, and click Disconnect. Trodelo immediately deletes the stored refresh token, revokes it with Google's token-revocation endpoint, and removes the integration row from our database. Calendar events that Trodelo previously wrote to the user's account are not deleted automatically — the user retains full ownership of them.
- From Google: Visit myaccount.google.com/permissions and remove access for “Trodelo.” Trodelo's stored refresh token becomes invalid; the integration row remains in our database until the user signs in again and we detect the revocation.
For a complete deletion of all Google-derived data Trodelo holds about you, see our Data Deletion page.
9. Data Retention
We retain job data, investigation findings, call recordings and transcripts, and service records for as long as the Contractor's account is active or as needed to provide services, comply with legal obligations, and resolve disputes. Temporary access links (such as estimate and capture links) expire automatically. You may request deletion of your data at any time, subject to applicable legal retention requirements.
10. Where We Process Data
Trodelo is operated from the United States, and the personal information we process is stored and processed in the United States by us and our service providers. If you access the Service from outside the United States, you understand that your information will be transferred to and processed in the United States, where data-protection laws may differ from those in your location.
11. Data Security
We implement industry-standard security measures to protect your data, including encrypted connections (TLS), access controls, and secure storage. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.
12. Cookies and Tracking Technologies
We use cookies and similar technologies to operate the platform, maintain user sessions, and support platform functionality. We do not use cookies for cross-site advertising or third-party tracking. By using the platform, you consent to our use of cookies as described here.
13. Your Rights
Depending on your location, you may have certain rights regarding your personal data, including the right to:
- Request access to the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your data, subject to legal retention requirements.
- Opt out of certain data uses where required by applicable law.
California (CCPA/CPRA). California residents have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (CPRA), including the right to know, the right to delete, the right to correct inaccurate personal information, the right to limit the use and disclosure of sensitive personal information, the right to opt out of the “sale” or “sharing” of personal information for cross-context behavioral advertising, and the right to non-discrimination for exercising these rights. We do not sell personal information, and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the CPRA.
Other U.S. states. Residents of other U.S. states with comprehensive privacy laws may have comparable rights to access, correct, delete, and opt out of certain processing of their personal information. We honor these rights to the extent they apply to you.
How to exercise your rights. We will respond to a verifiable request within the timeframe required by applicable law (generally within 45 days, with an extension where permitted), and we may need to verify your identity before acting on a request.
End-customer requests. If you are an end customer of a Contractor (a caller, lead, or homeowner), your personal information is Customer Data the Contractor controls. The fastest way to exercise your rights is our Request your data form, where you can ask to delete your data or get a copy of it. We verify it's you with a code sent to your email or phone, then notify the Contractor (the controller): a deletion is carried out automatically after a short review window unless the Contractor halts it for a valid reason, and a copy is released once the Contractor approves it. Releasing especially sensitive items (call recordings and transcripts) requires an additional identity check. You may also contact the Contractor that handled your call or job directly. Contractors and other account holders may exercise their rights by contacting us at the address below.
14. Children's Privacy
Our services are not directed to individuals under 18. We do not knowingly collect personal information from children.
15. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of material changes by posting the updated policy on this page with a revised effective date.
16. Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of the State of Georgia, without regard to its conflict of law provisions. Any disputes arising under this Policy shall be subject to the exclusive jurisdiction of the state and federal courts located in Georgia.
17. Contact
If you have questions about this Privacy Policy or your data, contact us at:
Morrow Systems Group LLC
[email protected]