Privacy Policy
Last updated: [EFFECTIVE_DATE]
This Privacy Policy explains how [COMPANY_NAME] ("we", "us", or "our"), registered in England and Wales with company number [COMPANY_NUMBER], collects, uses, shares, and protects personal data in connection with the services provided through [DOMAIN] (the "Service").
This policy is issued in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are committed to handling your personal data responsibly and transparently.
1. Identity and Contact Details of the Data Controller
The data controller for personal data collected through the Service is:
[COMPANY_NAME] [REGISTERED_ADDRESS] Company Registration No: [COMPANY_NUMBER]
If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at [SUPPORT_EMAIL].
For data protection matters, you may also contact our Data Protection Officer directly at [DATA_PROTECTION_OFFICER].
As a business customer using the Service, you are the data controller for personal data relating to your end-users (for example, WhatsApp messages from your customers). We act as a data processor on your behalf for that personal data, governed by our Data Processing Addendum (DPA). This Privacy Policy primarily covers personal data about you as our customer — your account information, billing data, and your direct interactions with the Service.
2. Data Protection Officer Contact Details
We have appointed a Data Protection Officer (DPO) to oversee compliance with data protection laws. You can contact our DPO at:
Data Protection Officer [DATA_PROTECTION_OFFICER]
Our DPO is responsible for advising on our data protection obligations, monitoring compliance with UK GDPR and the Data Protection Act 2018, and serving as the point of contact for data subjects and the Information Commissioner's Office (ICO).
We encourage you to contact the DPO if you have any concerns about how your personal data is being handled, or if you wish to exercise any of your data subject rights.
3. Purposes of Processing and Lawful Basis
We process your personal data for the following purposes, relying on the corresponding lawful bases:
| Purpose | Personal Data Used | Lawful Basis |
|---|---|---|
| Creating and managing your account | Name, email address, company details | Performance of a contract (UK GDPR Art. 6(1)(b)) |
| Processing subscription payments | Name, payment card details (tokenised), billing address | Performance of a contract (UK GDPR Art. 6(1)(b)) |
| Providing and improving the Service | Usage data, agent configurations, conversation logs | Performance of a contract (UK GDPR Art. 6(1)(b)) |
| Sending transactional communications | Email address | Performance of a contract (UK GDPR Art. 6(1)(b)) |
| Sending marketing communications | Email address, usage profile | Legitimate interests (UK GDPR Art. 6(1)(f)) |
| Fraud prevention and security | IP addresses, device data, access logs | Legitimate interests (UK GDPR Art. 6(1)(f)) |
| Compliance with legal obligations | All relevant data | Legal obligation (UK GDPR Art. 6(1)(c)) |
| Analytics to improve the Service | Aggregated usage statistics | Legitimate interests (UK GDPR Art. 6(1)(f)) |
Where we rely on legitimate interests, we have assessed that our interests in providing a secure, functional, and improving Service are not overridden by your interests, rights, or freedoms. You may object to processing based on legitimate interests at any time (see Section 8).
4. Categories of Personal Data We Collect
We collect the following categories of personal data about our customers:
Account and Identity Data: Full name, email address, company name, job title, telephone number, and account password (stored as a cryptographic hash).
Billing and Payment Data: Billing address, VAT number, and payment card information. Note that full card numbers are not stored by us — payment processing is handled by Stripe, Inc. under their own privacy policies. We retain tokenised references and billing metadata.
Usage and Technical Data: IP addresses, browser type, device identifiers, session timestamps, feature usage patterns, API request logs, and error reports.
Communications Data: Records of support requests, email correspondence, and any information you voluntarily provide when contacting us.
Agent Configuration Data: System prompts, skill configurations, workflow definitions, and other configuration data you upload to the Service.
Conversation Logs (as Processor): Where you use the Service to deploy AI agents, we process conversation data on your behalf as your data processor. This data is subject to your instructions and the Data Processing Addendum.
5. Recipients of Personal Data
We share your personal data with the following categories of recipients:
Service Providers (Data Processors): We engage trusted third-party service providers who process data on our behalf, including cloud infrastructure providers, payment processors, email delivery services, and analytics providers. All processors are bound by data processing agreements and are required to implement appropriate security measures.
Key sub-processors include:
- Amazon Web Services (AWS): Cloud infrastructure and data storage. Data is hosted in the
eu-west-2(London) region by default. - Stripe, Inc.: Payment processing. Subject to Stripe's Privacy Policy.
- Large Language Model Providers: Your AI agent's conversations may be processed by third-party LLM providers (such as Anthropic, Inc. and OpenAI, Inc.) to generate responses. We use these services under agreements that restrict their use of your data to service delivery only.
Legal and Regulatory Authorities: We may disclose personal data to law enforcement, regulatory bodies, or courts where required by law, or to establish, exercise, or defend legal claims.
Business Transfers: In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the acquiring entity, subject to the same protections described in this policy.
We do not sell personal data to third parties.
6. International Transfers of Personal Data
The Service is hosted primarily on Amazon Web Services infrastructure in the eu-west-2 (London) region. For UK-based customers, we process data within the UK and European Economic Area (EEA) wherever possible.
Some of our sub-processors, including LLM providers such as Anthropic, Inc. (United States) and OpenAI, Inc. (United States), may process data outside the UK and EEA. For these transfers, we ensure that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs): We enter into SCCs approved by the UK Information Commissioner's Office (UK IDTA) with processors in third countries where no adequacy decision applies.
- Transfer Impact Assessments: We conduct transfer impact assessments where required to ensure adequate protection for personal data transferred outside the UK.
A list of sub-processors and the safeguards applicable to their international transfers is available on request by contacting [DATA_PROTECTION_OFFICER].
7. Data Retention Periods
We retain personal data only for as long as necessary for the purposes set out in this policy, or as required by law:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data | Duration of subscription + 2 years | Contractual obligations, dispute resolution |
| Billing and payment records | 7 years from transaction | UK tax and accounting law |
| Conversation logs | Configurable (default 90 days), up to 2 years | Service delivery, quality improvement |
| Support communications | 3 years from last contact | Dispute resolution, compliance |
| Security and access logs | 12 months | Security monitoring, incident investigation |
| Marketing consent records | Until consent is withdrawn + 2 years | Demonstrating compliance |
Upon expiry of the retention period, or upon account deletion, data is permanently erased from our systems, including backups, within 30 days. You may request earlier deletion as described in Section 8.
8. Your Data Subject Rights
Under UK GDPR, you have the following rights regarding your personal data:
Right of Access (Article 15): You have the right to obtain a copy of the personal data we hold about you and information about how it is processed. We will respond to valid access requests within one calendar month.
Right to Rectification (Article 16): You have the right to request correction of inaccurate or incomplete personal data. You can update most account information directly through the Service dashboard.
Right to Erasure (Article 17): You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent, or where you object to processing. Deletion requests will be processed within 30 days, subject to our obligations to retain certain data as required by law.
Right to Restriction of Processing (Article 18): You have the right to request that we restrict processing of your personal data in certain circumstances, such as when you contest the accuracy of data or where processing is unlawful but you oppose erasure.
Right to Data Portability (Article 20): Where processing is based on your consent or a contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
Right to Object (Article 21): You have the right to object to processing based on legitimate interests. We will cease such processing unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms.
Rights in Relation to Automated Decision-Making (Article 22): See Section 12 for details of any automated decision-making or profiling that may have legal or similarly significant effects on you.
To exercise any of these rights, please contact us at [SUPPORT_EMAIL] or contact our DPO at [DATA_PROTECTION_OFFICER]. We may need to verify your identity before processing your request. We will respond within one calendar month and will not charge a fee for reasonable requests.
9. Right to Withdraw Consent
Where processing is based on your consent (for example, for marketing communications), you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
You may withdraw consent to marketing communications at any time by:
- Clicking the "Unsubscribe" link in any marketing email we send.
- Updating your communication preferences in your account settings at [DOMAIN]/settings.
- Contacting us at [SUPPORT_EMAIL].
We will process your withdrawal request promptly and cease the relevant processing without undue delay.
10. Right to Lodge a Complaint with the ICO
If you believe we have not handled your personal data in compliance with UK GDPR, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office Wycliffe House Water Lane Wilmslow Cheshire SK9 5AF
Website: https://ico.org.uk Helpline: 0303 123 1113
We would appreciate the opportunity to address your concerns before you contact the ICO. Please contact our DPO at [DATA_PROTECTION_OFFICER] in the first instance.
11. Statutory or Contractual Requirement
Providing certain personal data is a requirement for entering into and performing the contract for the Service:
- Account creation: You must provide a valid email address and name to register for the Service. Without this, we cannot create your account.
- Payment processing: You must provide valid payment details to subscribe to a paid plan. Without this, we cannot provide paid services.
- WhatsApp integration: To connect your WhatsApp Business Account, you must authorise us to access your Meta account. This is required to enable the WhatsApp features of the Service.
Providing personal data for marketing communications is entirely voluntary. You may decline without affecting your access to the core Service.
12. Automated Decision-Making and Profiling
AI Agent Interactions: The Service uses artificial intelligence to generate automated responses to messages from your end-users through your deployed agents. These automated responses are generated based on the configuration you provide and the conversation context. While responses are automated, they do not constitute decisions with legal or similarly significant effects on individuals in the ordinary course of service delivery.
Risk Scoring and Security: We use automated systems to detect fraudulent activity, abuse of the Service, or security threats. Where such systems generate a significant outcome (for example, account suspension), you will have the opportunity to request human review by contacting [SUPPORT_EMAIL].
Marketing and Usage Profiling: We may analyse usage patterns to understand how you use the Service and to personalise communications. This profiling is based on legitimate interests and does not produce legal or similarly significant effects. You may object to such profiling at any time.
We do not use personal data to make solely automated decisions with legal or similarly significant effects without providing you the right to request human intervention.
13. Source of Personal Data
We collect personal data from the following sources:
Directly from you: Account registration, payment information, support requests, and configuration data you provide when setting up or using the Service.
Automatically from your use of the Service: Technical data including IP addresses, device information, browser type, session data, and feature usage patterns collected as you interact with the Service.
From third parties: Where you connect third-party services (such as your WhatsApp Business Account via Meta's Embedded Signup), we receive information necessary to establish and maintain that integration. We also receive data from payment processor Stripe when you make transactions.
From public sources: Company registration details may be verified against public databases (e.g., Companies House) where required for our compliance obligations.
We do not purchase personal data from data brokers or other commercial data sources.