This page explains what personal data Handlet processes, why we process it, and the lawful basis for doing so under the UK General Data Protection Regulation (UK GDPR).
Our goal is to be transparent about how data is used when you use Handlet.
1. Why We Process Personal Data
Handlet processes personal data so we can:
- Provide the Handlet service
- Allow you to connect and manage communication channels
- Classify message intent and confidence
- Support AI-assisted social post content generation where enabled
- Support future or optional AI-assisted message drafts, quote text, summaries, or recommendations where those features are enabled
- Provide call-agent features where enabled, including call routing, transcripts, recordings, summaries, and follow-ups
- Provide personalised intelligence, benchmarks, and optimisation recommendations
- Improve Handlet models, classifiers, quality, reliability, safety, and default recommendations
- Create aggregated, anonymised, transformed, or synthetic benchmark and insight products
- Maintain a secure and reliable platform
- Communicate with you about your account
- Comply with legal obligations
We do not sell personal data.
We also do not use your messages or your customers' messages to train AI models for unrelated purposes.
We may use derived patterns, outcomes, quality signals, and privacy-protected examples to improve Handlet and create aggregated or anonymised intelligence products as described in our Intelligence & Benchmarking Policy.
2. Our Lawful Bases for Processing
Under UK GDPR, organisations must have a lawful basis for processing personal data.
Handlet relies on the following lawful bases depending on the activity.
Contract
Most data processing is necessary to provide the service you signed up for.
Examples include:
- Creating and managing your account
- Displaying and storing messages
- Classifying message intent and confidence
- Supporting AI-assisted social post content generation where enabled
- Supporting future or optional AI-assisted message drafts, quote text, summaries, or recommendations where those features are enabled
- Managing connected communication channels
Without this processing, the service would not function.
For customer communication data that you bring into Handlet, you are typically the controller and Handlet acts as your processor. In that case, you are responsible for identifying your lawful basis for processing your customers' data, and Handlet processes that data on your instructions under our data processing terms.
Consent
We rely on consent where consent is the appropriate lawful basis or where a third-party provider requires explicit authorisation for a connection.
Examples include:
- Connecting Gmail, Outlook or other email providers
- Connecting messaging platforms such as WhatsApp or Messenger
You can revoke these connections at any time from your account settings.
Legitimate Interests
Some processing is necessary to operate a secure and reliable service.
Examples include:
- Security monitoring
- Fraud prevention
- Error logging and diagnostics
- Improving reliability and performance
- Improving models, classifiers, recommendations, quality, and service defaults
- Creating aggregated or anonymised benchmark and insight outputs
We ensure this processing is proportionate and respects user privacy.
Legal Obligations
In some cases we must process data to comply with the law.
Examples include:
- Responding to data subject access requests
- Complying with regulatory obligations
- Maintaining certain records required by law
- Keeping records of privacy and data subject requests (for example access or deletion requests) where needed for accountability and compliance
3. Types of Data We Process
Account Information
Examples:
- Name
- Email address
- Login credentials (stored securely)
Purpose:
- Account creation
- Authentication
- Service access
Business Profile Information
Examples:
- Business name
- Trade or service type
- User preferences and settings
Purpose:
- Configuring the service
- Personalising AI suggestions
Customer Communication Data
When you use Handlet to manage communications, we process the data necessary to provide that service.
Examples:
- Customer names
- Contact details
- Message content
- Message timestamps and channel metadata
- Call transcripts, recordings, summaries, outcomes, and metadata where call-agent features are enabled
Purpose:
- Displaying messages
- Drafting AI responses
- Managing communication history
Handlet processes this data on your behalf as part of delivering the service.
Intelligence and Benchmarking Data
Examples:
- response speed
- follow-up timing
- quote value and outcome
- booking, cancellation and repeat-customer signals
- lead source, channel, broad area, service type and funnel stage
- objection, sentiment, intent and persuasion-pattern labels
- transformed, paraphrased, summarised, or synthetic message-pattern examples
Purpose:
- providing account-specific intelligence and recommendations
- improving Handlet's models, classifiers and automation defaults
- creating aggregated or anonymised benchmarks, reports, dashboards, APIs and insight products
Handlet does not sell raw messages, raw call recordings or transcripts, customer contact details, CRM records, identifiable business profiles, identifiable end-customer profiles, account-level behavioural profiles, or pseudonymised datasets presented as anonymous data.
Technical and Usage Data
Examples:
- IP address
- Device type
- Log data
- Feature usage statistics
Purpose:
- Security monitoring
- Service reliability
- Diagnosing technical issues
4. Data Retention
We retain personal data only for as long as necessary to provide the service and comply with legal obligations.
Current retention criteria are:
| Data category | Typical retention |
|---|---|
| Account and workspace data | While the account is active, then deleted or anonymised after account deletion unless retention is required for legal, security, tax, accounting, or dispute purposes. |
| Customer messages, conversations, drafts, attachments, quotes, and related message metadata | While the workspace uses the service or until deletion is requested and completed, subject to backup, audit, legal, security, and provider retention limits. |
| Call recordings | Controlled by the workspace recording policy where call-agent features are enabled. The default recording retention period is 30 days unless the workspace configures another valid period or recording is disabled. |
| Call transcripts, call summaries, call outcomes, and call metadata | Retained while needed for call-agent service continuity, analytics, audit, support, or until account/workspace deletion is completed, subject to legal, security, backup, and provider retention limits. |
| Technical, diagnostic, and security logs | Retained for limited operational and security periods. Security or incident records may be retained longer where needed to investigate abuse, fraud, reliability, or legal claims. |
| CRM connection secrets | Deleted immediately when credentials are revoked or the connection is removed. |
| CRM import rows and external reference data | Typically retained for 30 days after relevant cleanup triggers. |
| CRM matching and participant index metadata | Typically retained for 90 days after relevant cleanup triggers. |
| CRM connection and mapping metadata | Typically retained for up to 365 days after relevant cleanup triggers. |
| CRM audit and manual-resolution records | Typically retained for up to 730 days for accountability and dispute handling. |
| Billing, invoice, dispute, tax, and accounting records | Retained where required for tax, accounting, legal, and dispute purposes. |
| Data subject request, privacy, security, and audit records | Retained as needed for accountability, legal claims, security, and compliance. |
When an account is deleted, we delete or anonymise personal data in accordance with our retention policies.
The UK GDPR deletion flow deletes the workspace message corpus from primary stores, including canonical messages and conversations, outbound drafts, attachment metadata, attachment files in the message-attachments storage area, and derived metadata used by exports, AI, and workflow integrations. Backups and third-party provider systems follow their own retention and deletion cycles.
For a detailed breakdown of our lawful bases, purposes and data categories (Article 6 UK GDPR), see Lawful basis & data categories.
5. Special Category Data
Handlet does not intentionally collect or process special category personal data (such as health data, racial or ethnic origin, or religious beliefs).
If such information appears within messages sent through connected communication channels, it is processed only as necessary to provide the service.
You should avoid adding special category or criminal offence data to Handlet unless it is genuinely necessary for your business communication and lawful for you to process.
6. Your Rights
Under UK GDPR you have several rights relating to your personal data, including the right to:
- Access your personal data
- Request correction of inaccurate data
- Request deletion of personal data
- Object to certain processing
- Request data portability
If you would like to exercise any of these rights, please contact us at:
7. Changes to This Page
We may update this page if our processing activities change or if required by law.
When updates are made, the "Last updated" date at the top of this page will be revised.