Skip to main content

Data Processing Policy

Last updated: 26 May 2026

1. Introduction

This Data Processing Policy (“Policy”) describes how AI-Assist for SMEs (“we”, “us”, “our”) processes personal data in connection with our AI automation platform and related services (the “Service”). This Policy forms part of our commitment to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).

For the purposes of data protection law, AI-Assist for SMEs acts as the data controller for personal data collected through the Service. This means we determine the purposes and means of processing your personal data. Our ICO Registration Number is ZC106782.

This Policy should be read in conjunction with our Privacy Policy and Terms of Service.

2. Data Processing Purposes

We process personal data for the following specific purposes:

  • Service Delivery: To provide, operate, and maintain our AI automation platform, including user account management, AI chatbot functionality, and automation tools.
  • Payment Processing: To process subscription payments, manage billing cycles, issue invoices, and handle refunds.
  • Communications: To send transactional emails (account verification, password resets, billing notifications) and, where consented, marketing communications.
  • Service Improvement: To analyse usage patterns, diagnose technical issues, and improve the performance and features of the Service.
  • Security and Fraud Prevention: To detect, prevent, and respond to security incidents, fraudulent activity, and abuse of the Service.
  • Legal Compliance: To comply with applicable laws, regulations, and legal processes, including tax and accounting obligations.

3. Lawful Basis for Processing

We rely on the following lawful bases under Article 6 of the UK GDPR:

  • Performance of a Contract (Article 6(1)(b)): Processing necessary to deliver the Service you have subscribed to, including account creation, service provision, and payment processing.
  • Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate business interests, such as improving our Service, ensuring security, and preventing fraud, where these interests do not override your fundamental rights and freedoms.
  • Consent (Article 6(1)(a)): Processing based on your freely given, specific, informed, and unambiguous consent, such as for marketing communications and non-essential cookies.
  • Legal Obligation (Article 6(1)(c)): Processing necessary to comply with our legal obligations, including tax reporting, financial record-keeping, and responding to lawful requests from authorities.

4. Sub-Processors

We use the following third-party sub-processors to deliver the Service. Each sub-processor is bound by a Data Processing Agreement (DPA) that requires them to process personal data in accordance with UK GDPR:

Sub-ProcessorPurposeData ProcessedLocation
SupabaseDatabase hosting, authentication, and data storageAccount data, service data, authentication tokensEU (eu-west-2)
VercelApplication hosting, edge functions, content deliveryIP addresses, technical data, access logs, request/response payloads in transitGlobal (Edge Network); customer data routed via EU regions where available
StripePayment processing and subscription managementBilling details, payment card tokens, transaction history, customer emailUS/EU (Stripe holds UK GDPR adequacy)
ResendTransactional email delivery (welcome, verification, password reset, MFA, billing notifications, marketing)Email addresses, names, email contentUS (SCCs in place)
AnthropicClaude AI models (Aria assistant, chatbot widgets, lead scoring)Chat messages, knowledge-base content, lead enquiries. No long-term retention by Anthropic per their commercial terms.US (SCCs in place)
TwilioSMS delivery (appointment reminders, lead notifications, missed-call text-back)Phone numbers, message content, delivery metadataUS/EU (SCCs in place)
Google (Workspace APIs)Google Calendar integration (event creation, availability lookup) via OAuthOAuth tokens, calendar event metadata, attendee email addresses (only for users who explicitly connect Google Calendar)US/EU/Global (SCCs in place; UK adequacy under the EU-UK Data Bridge)
ZoomZoom meeting creation for bookings via OAuthOAuth tokens, meeting metadata (only for users who explicitly connect Zoom)US (SCCs in place)
SentryApplication error monitoring (production only; gated behind cookie consent on the client)Error stack traces, user-agent strings, anonymised user IDs. PII scrubbing enabled.US (SCCs in place)
OpenAIFallback AI provider (only used if Anthropic is unavailable; not currently active)Chat messages (only when fallback triggers)US (SCCs in place)
Plausible AnalyticsCookieless aggregate page-view analytics (PECR-exempt; see Cookie Policy section 3.4)No personal data stored. IP address is hashed (one-way) and discarded the same day. No cross-site tracking, no user identifiers.EU

We will notify you of any changes to our sub-processors by updating this Policy. If you object to a new sub-processor, you may terminate your subscription in accordance with our Terms of Service.

5. International Data Transfers

Some of our sub-processors are located outside the United Kingdom. Where personal data is transferred to countries that have not been deemed to provide an adequate level of data protection by the UK Secretary of State, we ensure appropriate safeguards are in place:

  • UK Adequacy Decisions: Transfers to countries recognised by the UK as providing adequate data protection (including the EU/EEA under the UK adequacy regulations).
  • Standard Contractual Clauses (SCCs): For transfers to the United States and other countries without adequacy decisions, we rely on the International Data Transfer Agreement (IDTA) or the EU SCCs with the UK Addendum, as approved by the Information Commissioner's Office (ICO).
  • Supplementary Measures: Where necessary, we implement additional technical and organisational safeguards, such as encryption and pseudonymisation, to ensure the transferred data remains protected.

Specifically:

  • Supabase: Data may be stored in EU or US regions. Transfers to the US are covered by SCCs with the UK Addendum.
  • Stripe: Operates globally with data stored in the US and EU. Transfers are governed by SCCs and Stripe's Binding Corporate Rules.
  • Vercel: Uses a global edge network. Transfers outside the UK are covered by SCCs with the UK Addendum.
  • Resend: Data is processed in the US. Transfers are covered by SCCs with the UK Addendum.

6. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected. Our retention periods are as follows:

  • Account data: Retained for the duration of your account plus 30 days after account deletion to allow for recovery.
  • Payment and transaction records: Retained for 7 years as required by UK tax law (HMRC requirements).
  • Service usage data: Retained for up to 24 months for analytics and service improvement, then anonymised or deleted.
  • Email communication logs: Retained for 12 months for delivery tracking and troubleshooting.
  • Support correspondence: Retained for 3 years after your last interaction.
  • Security and access logs: Retained for 12 months for security monitoring and incident investigation.

When personal data is no longer required, it is securely deleted or anonymised in accordance with our data disposal procedures.

7. Security Measures

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

7.1 Technical Measures

  • Encryption at Rest: All personal data stored in our database is encrypted at rest using AES-256 encryption.
  • Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.
  • Access Controls: Role-based access controls (RBAC) limit access to personal data to authorised personnel only.
  • Row-Level Security: Database-level security ensures that users can only access their own data.
  • Secure Authentication: Passwords are hashed using bcrypt. Multi-factor authentication is available for all accounts.
  • PCI DSS Compliance: Payment processing is handled by Stripe, which is certified PCI DSS Level 1.

7.2 Organisational Measures

  • Staff with access to personal data receive data protection training
  • Access to production systems is restricted and logged
  • Regular security reviews and vulnerability assessments are conducted
  • Incident response procedures are documented and tested
  • Sub-processor security practices are reviewed as part of our due diligence process

8. Data Breach Notification

In the event of a personal data breach, we will follow the notification requirements set out in Articles 33 and 34 of the UK GDPR:

8.1 Notification to the ICO

Where a personal data breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, in accordance with Article 33 of the UK GDPR. The notification will include:

  • The nature of the breach, including the categories and approximate number of individuals affected
  • The name and contact details of our Data Protection Officer
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach

8.2 Notification to Affected Individuals

Where a breach is likely to result in a high risk to the rights and freedoms of individuals, we will notify the affected individuals without undue delay, providing clear information about the breach and the steps they can take to protect themselves.

9. Data Subject Rights

We support the exercise of data subject rights as set out in the UK GDPR. Individuals whose personal data we process have the right to:

  • Access their personal data (Article 15)
  • Rectify inaccurate or incomplete data (Article 16)
  • Erase their personal data (Article 17)
  • Restrict processing of their data (Article 18)
  • Data portability — receive their data in a structured, machine-readable format (Article 20)
  • Object to processing based on legitimate interests or for direct marketing (Article 21)

To exercise any of these rights, please contact us at info@aiassistsmes.co.uk. We will respond within one month of receiving your request.

10. Changes to This Policy

We may update this Data Processing Policy from time to time to reflect changes in our processing activities, sub-processors, or applicable law. Material changes will be communicated by updating this page with a revised “Last updated” date. Where significant changes are made, we will also notify you by email.

11. Contact Us

For any questions about this Data Processing Policy or our data processing practices:

  • Data Protection Contact: info@aiassistsmes.co.uk
  • Address: AI-Assist for SMEs, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
    Operational team based in Birmingham, UK

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint or by calling 0303 123 1113.

← Back to HomePrivacy PolicyTerms of Service