Privacy Policy
Last updated: 2 April 2026
1. Controller
The data controller responsible for your personal data is:
MB "Skipper Companion" trading as Charter Companion
J. Savickio g. 4-7
LT-01108 Vilnius, Lithuania
[email protected]
2. Data We Collect and Why
2.1 Account data
When you register, we collect your name, company name, and email address. Legal basis: Art. 6(1)(b) GDPR — necessary to perform the contract (subscription agreement).
2.2 WhatsApp conversation data
To provide the AI assistant service, we process WhatsApp messages between your guests and the assistant. This includes guest phone numbers and message content. Legal basis: Art. 6(1)(b) GDPR — necessary to provide the service you contracted for. Retention: 90 days from receipt, then automatically deleted.
2.3 Usage and analytics data
We use PostHog (EU-hosted, Frankfurt) to collect product analytics — page views, button clicks, and feature usage — to operate and improve the Service. PostHog is configured in cookieless mode: no cookies or localStorage are written, and your IP address is anonymised before processing. Logged-in users are linked to their account using their user ID, email address, and company name so that usage can be attributed to a subscription. Legal basis: Art. 6(1)(f) GDPR — legitimate interest in maintaining and improving the Service.
2.4 Billing data
Payment processing is handled by Stripe. We do not store full payment card details. We retain billing records (invoices, subscription history) for the statutory period required by Lithuanian accounting law (10 years). Legal basis: Art. 6(1)(c) GDPR — legal obligation.
3. Sub-processors
We use a limited number of sub-processors to deliver the Service, including cloud hosting providers, AI model providers, messaging infrastructure, payment processors, analytics tools, and error monitoring services. The complete sub-processor list with data shared and transfer mechanisms is available to customers in the portal.
4. Retention
- WhatsApp conversation content: 90 days from receipt, then automatically purged.
- Account data: for the duration of the subscription plus any period required by law.
- Billing and accounting records: 10 years as required by Lithuanian accounting law.
- Error logs (Sentry): anonymised; no identifiable PII retained beyond 30 days.
5. Your Rights
Under the GDPR you have the right to:
- Access — obtain a copy of your personal data.
- Rectification — correct inaccurate data.
- Erasure — request deletion of your data (subject to legal retention obligations).
- Restriction — restrict processing in certain circumstances.
- Portability — receive your data in a machine-readable format.
- Objection — object to processing based on legitimate interests.
To exercise any right, contact us at [email protected]. We respond within 30 days.
6. Right to Lodge a Complaint
You have the right to lodge a complaint with your local data protection authority. In Lithuania, the supervisory authority is the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija — vdai.lrv.lt).
7. Cookies
The portal uses a single session cookie for authentication (Supabase Auth). No advertising cookies are set. For analytics, we use PostHog in cookieless mode — it stores no cookies or localStorage data on your device. PostHog processes only anonymised event data (page views, feature interactions) using memory-only persistence.
8. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
9. Contact
Privacy enquiries: [email protected]