Privacy Policy

Version 2026-05 · Last updated May 2026

This Privacy Policy explains how LeadPilot (“we”, “us”, “our”) collects, uses, stores, and shares personal data in connection with the LeadPilot service. We are the data controller for business account data. For personal data relating to your customers, you (the business) are the data controller and we act as your data processor.

We are committed to processing data lawfully and transparently under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data We Collect About You (Business Accounts)

When you create an account and use the Service, we collect:

  • Account data: email address, business name, business type, date and version of terms acceptance
  • Authentication data: managed by Supabase; we do not store passwords
  • Billing data: payment method details (held by Stripe — we do not store card numbers), invoices, and billing history
  • Configuration data: bot greeting, qualification questions, booking link
  • Channel credentials: encrypted access tokens for your WhatsApp and Instagram connections
  • Usage data: lead statistics, outcome survey responses, credit balance

2. Data We Process on Your Behalf (Your Customers)

When your customers interact with your AI bot, we process on your behalf as your data processor:

  • Contact identifiers: WhatsApp phone numbers and Instagram user IDs
  • Names: where provided by your customer during conversation
  • Conversation content: inbound and outbound messages, including qualification answers
  • Booking behaviour: whether a booking link was sent and clicked
  • AI-generated replies: responses generated by the AI on your behalf
  • Outcome data: survey responses you submit about lead outcomes

As the data controller for your customers' data, you are responsible for ensuring you have a lawful basis to process it and for maintaining your own privacy notice to your customers.

3. How We Use Your Data and Legal Basis

Performance of contract

Providing, operating, and maintaining the Service; processing payments; sending service-related communications; storing and displaying your leads and conversation history.

Legitimate interests

Fraud prevention and security; improving the Service; diagnosing technical issues; aggregated analytics (never linked to identifiable individuals); communicating about material changes to the Service.

Legal obligation

Retaining billing and transaction records as required by HMRC and applicable financial regulations; responding to lawful requests from courts or regulators.

Consent

Marketing communications, if you have opted in. You may withdraw consent at any time.

4. AI Processing

The Service uses artificial intelligence to generate automated replies to your customers. This involves sending conversation content to our AI provider (Anthropic) for processing. We have contractual data processing agreements in place with Anthropic. Customer messages are processed solely to generate responses on your behalf and are not used to train third-party AI models without appropriate agreements.

AI processing involves automated decision-making in the sense that the AI generates responses without human review. However, the ultimate business decisions (how to serve your customers, whether to accept a booking) remain with you as the business owner. No automated decisions with legal or significant effects are made about your customers by the Service itself.

In accordance with ICO guidance on AI and data protection, we maintain records of our AI processing activities, conduct data protection impact assessments where required, and implement safeguards to minimise privacy risks.

5. Sub-Processors and Third Parties

We share data with the following categories of third-party service providers (“sub-processors”) solely to operate the Service:

Provider | Purpose | Location
Supabase | Authentication and database hosting | EU / US
Stripe | Payment processing and billing | US (SCCs)
Anthropic | AI response generation | US (SCCs)
Meta (WhatsApp / Instagram) | Messaging channel integration | US (SCCs)
Resend | Transactional email delivery | US (SCCs)
Vercel / hosting provider | Application hosting and CDN | EU / US

Transfers to the US and other third countries are made under Standard Contractual Clauses (SCCs) approved by the UK ICO or equivalent transfer mechanisms. We do not sell personal data to third parties.

6. Data Retention

  • Account and business data: retained for the duration of your account and deleted within 90 days of account closure, unless we are required to retain it by law.
  • Lead and conversation data: retained for the duration of your account. Deleted within 90 days of account closure.
  • Billing records: retained for 7 years from the invoice date to comply with HMRC record-keeping requirements.
  • Terms acceptance records: retained for the duration of the account and for a reasonable period after closure as evidence of consent.

7. Security

We implement appropriate technical and organisational measures to protect personal data, including encryption of channel access tokens at rest, HTTPS for all data in transit, access controls, and regular security reviews. We will notify you and the ICO of any personal data breach as required by UK GDPR.

8. Your Rights Under UK GDPR

You have the following rights in relation to your personal data:

  • Access: request a copy of the data we hold about you
  • Rectification: ask us to correct inaccurate data
  • Erasure: ask us to delete your data in certain circumstances
  • Restriction: ask us to restrict processing in certain circumstances
  • Portability: receive your data in a structured, machine-readable format
  • Objection: object to processing based on legitimate interests
  • Withdraw consent: where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at shehanr12@outlook.com. We will respond within one month. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

9. Cookies

We use strictly necessary cookies for authentication and session management (via Supabase). We do not use advertising or tracking cookies. No cookie consent banner is required for strictly necessary cookies under UK PECR.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or in-app notification. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

For privacy enquiries, contact shehanr12@outlook.com.