1. Introduction
AI-Assist for SMEs (“we”, “us”, “our”) is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our AI automation platform and related services (the “Service”).
We are registered in England and Wales. Our registered address is Birmingham, United Kingdom. For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), we are the data controller.
If you have any questions about this Privacy Policy or our data practices, please contact our Data Protection Officer at privacy@aiassistsmes.co.uk.
2. Information We Collect
We collect and process the following categories of personal data:
2.1 Information You Provide Directly
- Account Information: Full name, email address, company name, phone number, and password when you register for an account.
- Payment Information: Billing details processed securely via Stripe. We do not store your full card number on our servers.
- Communications: Messages, support requests, and any information you provide when contacting us.
- Service Data: Business data you input into our AI tools, chatbot conversations, and automation configurations.
2.2 Information Collected Automatically
- Technical Data: IP address, browser type and version, operating system, device information.
- Usage Data: Pages visited, features used, time spent on the Service, clickstream data.
- Cookie Data: Information collected through cookies and similar technologies (see our Cookie Policy).
3. Lawful Basis for Processing
Under UK GDPR, we process your personal data on the following legal bases:
- Contract (Article 6(1)(b)): Processing necessary to perform our contract with you, including providing the Service, managing your account, and processing payments.
- Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate interests, such as improving our Service, preventing fraud, and ensuring platform security, where those interests are not overridden by your rights.
- Consent (Article 6(1)(a)): Where you have given clear consent for us to process your personal data for specific purposes, such as marketing communications and non-essential cookies.
- Legal Obligation (Article 6(1)(c)): Processing necessary to comply with legal obligations, such as tax and accounting requirements.
4. How We Use Your Information
We use your personal data for the following purposes:
- To create and manage your account
- To provide, maintain, and improve our AI automation services
- To process subscription payments and manage billing
- To send you service-related communications (e.g. account verification, security alerts, subscription updates)
- To provide customer support and respond to your enquiries
- To analyse usage patterns and improve user experience
- To detect, prevent, and address fraud, abuse, and security issues
- To send marketing communications (only with your explicit consent)
- To comply with legal obligations
5. Data Sharing and Third Parties
We do not sell your personal data. We share your information only with the following categories of third-party service providers who process data on our behalf:
- Supabase (Database & Authentication): Stores your account data and handles authentication. Data is hosted in the EU/UK.
- Stripe (Payment Processing): Processes subscription payments securely. Stripe is PCI DSS Level 1 certified.
- Vercel (Hosting): Hosts our web application. May process technical data such as IP addresses.
- OpenAI (AI Processing): Powers our AI chatbot features. Business data you submit may be processed by OpenAI's API.
All third-party processors are bound by data processing agreements and are required to process your data in accordance with UK GDPR.
6. International Data Transfers
Some of our third-party service providers are located outside the United Kingdom. Where personal data is transferred outside the UK, we ensure that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the ICO
- UK adequacy regulations where the destination country has been deemed to provide adequate data protection
- Binding Corporate Rules where applicable
7. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected:
- Account data: Retained for the duration of your account, plus 30 days after deletion to allow for account recovery.
- Payment records: Retained for 7 years as required by UK tax law (HMRC requirements).
- Usage data: Retained for up to 24 months for analytics purposes, then anonymised or deleted.
- Support correspondence: Retained for 3 years after your last interaction with us.
- Marketing consent records: Retained for as long as consent is active, plus 3 years after withdrawal.
8. Your Rights Under UK GDPR
Under the UK GDPR and DPA 2018, you have the following rights regarding your personal data:
- Right of Access (Article 15): You can request a copy of all personal data we hold about you.
- Right to Rectification (Article 16): You can ask us to correct inaccurate or incomplete data.
- Right to Erasure (Article 17): You can request deletion of your personal data (“right to be forgotten”).
- Right to Restrict Processing (Article 18): You can ask us to limit how we use your data.
- Right to Data Portability (Article 20): You can request your data in a machine-readable format (JSON).
- Right to Object (Article 21): You can object to processing based on legitimate interests or direct marketing.
- Rights Related to Automated Decision-Making (Article 22): You have the right not to be subject to decisions based solely on automated processing that produce legal or significant effects.
To exercise any of these rights, please visit your account settings (for data export and deletion) or email us at privacy@aiassistsmes.co.uk. We will respond within one month of receiving your request, as required by law.
9. Data Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures, including:
- Encryption of data in transit (TLS 1.2+) and at rest
- Secure password hashing (bcrypt)
- Role-based access controls
- Regular security reviews and updates
- PCI DSS Level 1 compliant payment processing via Stripe
- Row-level security on all database tables
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours and inform affected individuals without undue delay.
10. Cookies
We use cookies and similar technologies on our Service. For full details about the cookies we use, why we use them, and how you can control them, please see our Cookie Policy.
11. Children's Privacy
Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete such information promptly.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page with a revised “Last updated” date, and where appropriate, by email notification. We encourage you to review this Privacy Policy periodically.
13. Complaints
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk/make-a-complaint
- Helpline: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would appreciate the opportunity to address your concerns before you contact the ICO, so please reach out to us first at privacy@aiassistsmes.co.uk.
14. Contact Us
For any questions about this Privacy Policy or to exercise your data protection rights: