No matching sections found.
01
Plain-English summary
SIMCOAI processes account, billing, support, usage, call/chat and website data to provide the service, secure it, bill for it, improve it and meet legal obligations. We avoid asking for unnecessary sensitive data and encourage customers to configure human handoff for risky topics.
Your business is usually the controller for data about its own customers. SIMCOAI is usually a processor for those customer workflows, and an independent controller for account, billing, website, security and business-contact data.
02
Controller and processor roles
For dashboard users, billing contacts, website visitors, support requests and sales enquiries, SIMCOAI LTD normally acts as controller. For customer calls/chats handled on behalf of a business customer, SIMCOAI normally acts as processor and the business customer is the controller.
Some suppliers such as Stripe, Twilio or Supabase may act as processors or independent controllers depending on the specific processing activity and their own terms.
03
Personal data we may process
Account data: name, email, company, sign-in provider, user ID, role, legal acceptance and support history. Business profile data: business name, website, services, opening hours, policies, escalation contacts and configuration.
Customer workflow data: chat messages, call metadata, transcripts or summaries where enabled, bookings, refund/order details, escalation notes and audit logs. Billing/security data: Stripe references, invoices, plan status, IP-derived security data, device/browser metadata and request IDs.
04
Where data comes from
Data may come from you, authorised users, your customers, connected integrations, Stripe, Twilio, Supabase authentication, support communications, website forms, logs and security tools.
Do not upload data you do not have rights to use or data that is not needed for customer support, booking, refund, order, analytics or compliance workflows.
05
Why we process data
We process data to create and secure accounts, provide AI chat and phone workflows, maintain knowledge bases, route customer tasks, produce analytics, manage subscriptions, provide support, prevent abuse, troubleshoot providers and keep legal acceptance records.
We may also process limited data to improve reliability, user experience, prompts, safeguards, documentation and fraud/security controls.
06
Lawful bases under UK GDPR
Depending on the context, lawful bases may include contract, legitimate interests, legal obligation and consent. Consent is especially relevant for non-essential cookies or marketing communications where required.
For customer workflow data, the business customer must determine and document the lawful basis it relies on. SIMCOAI processes that data under customer instructions unless another legal requirement applies.
07
AI processing and automated decisions
SIMCOAI may send relevant prompts, business knowledge, conversation content or summaries to AI providers to generate responses, classifications or workflow suggestions. We configure the product to escalate sensitive or uncertain topics rather than making final regulated decisions.
SIMCOAI should not be used for solely automated legal, employment, credit, medical, housing, insurance, eligibility or similarly significant decisions without a separately reviewed contract and controls.
08
Calls, recordings, transcripts and disclosure
Phone features may process caller number, call time, duration, call status, routing events, recordings or transcripts where configured. Businesses must provide lawful disclosure and recording notices required for their use case and location.
Call logs and transcripts should be reviewed regularly. Payment card details, medical details and unnecessary sensitive information should be redirected to appropriate secure human or provider flows.
09
Cookies and similar technologies
We use essential cookies/storage for site and dashboard operation. Non-essential analytics or marketing technologies should only run where the user has been given appropriate information and choice.
Cookie choices may be stored locally or in backend legal acceptance records. See the Cookies page for categories, purpose, duration and preference controls.
10
Sharing and subprocessors
We may share data with suppliers that help us operate the service, such as Supabase for auth/database, Stripe for billing, Twilio for communications, OpenAI for AI features, Cloudflare for security/delivery and hosting or monitoring providers.
We do not sell personal data. We may disclose data if required by law, to protect rights and security, to complete a corporate transaction, or with your instruction/consent.
11
International transfers
Some suppliers may process data outside the UK or EEA. Where required, we use appropriate contractual, organisational or supplier safeguards for international transfers.
Business customers should assess whether their own use case requires additional transfer terms or a data processing agreement.
12
Retention
We keep data only as long as needed for service delivery, account administration, billing, legal compliance, security, support, audit, backups and dispute handling. Different records have different retention periods.
Customers should delete or export records they no longer need and avoid storing unnecessary sensitive data. Backup deletion can lag live deletion because backups are rotated for security and continuity.
13
Your rights
Depending on the role and context, individuals may have rights to be informed, access, rectification, erasure, restriction, portability, objection and complaint to the ICO. Some requests must be handled by the business customer as controller.
Contact hello@simcoai.co.uk with the account/business involved, the right you want to exercise and enough information to locate the record safely.
14
Security controls
SIMCOAI uses access controls, rate limits, HTTPS, provider credentials, audit records, legal gates and backend enforcement. No system is risk-free, so customers should use strong account hygiene and keep escalation processes available.
Supabase service credentials and Stripe secrets must remain server-side. Do not paste secrets, card numbers or unnecessary sensitive data into chat, voice prompts or support tickets.
15
Children and sensitive data
SIMCOAI is not directed at children. Do not configure workflows intentionally targeting children or collecting children data unless your contract, notices and controls specifically permit it.
Special category data should be avoided unless necessary, lawful and covered by your own controller obligations and written arrangements.
16
Contact and complaints
Email hello@simcoai.co.uk for privacy questions. You may also complain to the UK Information Commissioner if you believe your data protection rights have not been handled properly.
We may update this policy as the service, providers, law or guidance changes. Material changes may require dashboard acknowledgement.