Skip to content
SIMCOAIYour 24/7 Digital Front Desk
HomeFeaturesPricingAboutContact
DocsLoginStart free trial
Legal centre

Privacy Policy

This policy explains how SIMCOAI handles personal data for business accounts, dashboard users, website visitors and customer interactions processed through the platform. It is designed around UK GDPR transparency, data minimisation and clear controller/processor roles.

  • Effective: 11 July 2026
  • Last updated: 11 July 2026
  • Contact: hello@simcoai.co.uk
TermsPrivacyGDPRCookies

These pages are practical product policies, not legal advice for your business. Customers should take their own advice for regulated, sensitive or high-volume use cases.

ContentsPlain-English summaryController and processor rolesPersonal data we may processWhere data comes fromWhy we process dataLawful bases under UK GDPRAI processing and automated decisionsCalls, recordings, transcripts and disclosureCookies and similar technologiesSharing and subprocessorsInternational transfersRetentionYour rightsSecurity controlsChildren and sensitive dataContact and complaints
Guidance referencesUK data protection overviewICO lawful basis guidanceICO cookies and PECR guidance

No matching sections found.

01

Plain-English summary

SIMCOAI processes account, billing, support, usage, call/chat and website data to provide the service, secure it, bill for it, improve it and meet legal obligations. We avoid asking for unnecessary sensitive data and encourage customers to configure human handoff for risky topics.

Your business is usually the controller for data about its own customers. SIMCOAI is usually a processor for those customer workflows, and an independent controller for account, billing, website, security and business-contact data.

02

Controller and processor roles

For dashboard users, billing contacts, website visitors, support requests and sales enquiries, SIMCOAI LTD normally acts as controller. For customer calls/chats handled on behalf of a business customer, SIMCOAI normally acts as processor and the business customer is the controller.

Some suppliers such as Stripe, Twilio or Supabase may act as processors or independent controllers depending on the specific processing activity and their own terms.

03

Personal data we may process

Account data: name, email, company, sign-in provider, user ID, role, legal acceptance and support history. Business profile data: business name, website, services, opening hours, policies, escalation contacts and configuration.

Customer workflow data: chat messages, call metadata, transcripts or summaries where enabled, bookings, refund/order details, escalation notes and audit logs. Billing/security data: Stripe references, invoices, plan status, IP-derived security data, device/browser metadata and request IDs.

04

Where data comes from

Data may come from you, authorised users, your customers, connected integrations, Stripe, Twilio, Supabase authentication, support communications, website forms, logs and security tools.

Do not upload data you do not have rights to use or data that is not needed for customer support, booking, refund, order, analytics or compliance workflows.

05

Why we process data

We process data to create and secure accounts, provide AI chat and phone workflows, maintain knowledge bases, route customer tasks, produce analytics, manage subscriptions, provide support, prevent abuse, troubleshoot providers and keep legal acceptance records.

We may also process limited data to improve reliability, user experience, prompts, safeguards, documentation and fraud/security controls.

06

Lawful bases under UK GDPR

Depending on the context, lawful bases may include contract, legitimate interests, legal obligation and consent. Consent is especially relevant for non-essential cookies or marketing communications where required.

For customer workflow data, the business customer must determine and document the lawful basis it relies on. SIMCOAI processes that data under customer instructions unless another legal requirement applies.

07

AI processing and automated decisions

SIMCOAI may send relevant prompts, business knowledge, conversation content or summaries to AI providers to generate responses, classifications or workflow suggestions. We configure the product to escalate sensitive or uncertain topics rather than making final regulated decisions.

SIMCOAI should not be used for solely automated legal, employment, credit, medical, housing, insurance, eligibility or similarly significant decisions without a separately reviewed contract and controls.

08

Calls, recordings, transcripts and disclosure

Phone features may process caller number, call time, duration, call status, routing events, recordings or transcripts where configured. Businesses must provide lawful disclosure and recording notices required for their use case and location.

Call logs and transcripts should be reviewed regularly. Payment card details, medical details and unnecessary sensitive information should be redirected to appropriate secure human or provider flows.

09

Cookies and similar technologies

We use essential cookies/storage for site and dashboard operation. Non-essential analytics or marketing technologies should only run where the user has been given appropriate information and choice.

Cookie choices may be stored locally or in backend legal acceptance records. See the Cookies page for categories, purpose, duration and preference controls.

10

Sharing and subprocessors

We may share data with suppliers that help us operate the service, such as Supabase for auth/database, Stripe for billing, Twilio for communications, OpenAI for AI features, Cloudflare for security/delivery and hosting or monitoring providers.

We do not sell personal data. We may disclose data if required by law, to protect rights and security, to complete a corporate transaction, or with your instruction/consent.

11

International transfers

Some suppliers may process data outside the UK or EEA. Where required, we use appropriate contractual, organisational or supplier safeguards for international transfers.

Business customers should assess whether their own use case requires additional transfer terms or a data processing agreement.

12

Retention

We keep data only as long as needed for service delivery, account administration, billing, legal compliance, security, support, audit, backups and dispute handling. Different records have different retention periods.

Customers should delete or export records they no longer need and avoid storing unnecessary sensitive data. Backup deletion can lag live deletion because backups are rotated for security and continuity.

13

Your rights

Depending on the role and context, individuals may have rights to be informed, access, rectification, erasure, restriction, portability, objection and complaint to the ICO. Some requests must be handled by the business customer as controller.

Contact hello@simcoai.co.uk with the account/business involved, the right you want to exercise and enough information to locate the record safely.

14

Security controls

SIMCOAI uses access controls, rate limits, HTTPS, provider credentials, audit records, legal gates and backend enforcement. No system is risk-free, so customers should use strong account hygiene and keep escalation processes available.

Supabase service credentials and Stripe secrets must remain server-side. Do not paste secrets, card numbers or unnecessary sensitive data into chat, voice prompts or support tickets.

15

Children and sensitive data

SIMCOAI is not directed at children. Do not configure workflows intentionally targeting children or collecting children data unless your contract, notices and controls specifically permit it.

Special category data should be avoided unless necessary, lawful and covered by your own controller obligations and written arrangements.

16

Contact and complaints

Email hello@simcoai.co.uk for privacy questions. You may also complain to the UK Information Commissioner if you believe your data protection rights have not been handled properly.

We may update this policy as the service, providers, law or guidance changes. Material changes may require dashboard acknowledgement.

Supplier overview

Common service providers

Actual providers and roles can vary by feature, plan, region and contract.

ProviderTypical purposeRisk control
SupabaseAuthentication, database and server-side recordsService credentials kept server-side; role checks and legal gates
StripeCheckout, portal, invoices, payment methods and subscription stateHosted payment flows and webhook-based entitlement sync
TwilioVoice, phone numbers, call events and messaging where enabledNumber assignment, disclosure wording and compliance review
OpenAIAI responses, summaries, classifications and assistant featuresHuman handoff for sensitive, uncertain or regulated topics
CloudflareSecurity, performance and bot protectionTraffic filtering, HTTPS and abuse controls
SIMCOAIYour 24/7 Digital Front Desk

Smart Intelligent Management & Communications Operations.

Product

FeaturesPricingDashboard

Company

AboutContactDocs

Legal

TermsPrivacyGDPRCookies

Contact

Contact formFAQ
XYouTube
SIMCOAI LTD. Pricing is shown in GBP and may exclude applicable taxes.