Lawful Basis, Purposes & Data Categories
This page sets out Handlet's lawful bases for processing your personal data under UK GDPR, the purposes we use it for, and the categories of data we process. It complements our Privacy Policy and our summary, How we process personal data.
1. Lawful Bases for Processing
Handlet processes personal data under the following lawful bases defined in Article 6 of the UK GDPR.
Account creation, login and service delivery
- Lawful basis: Contract (Article 6(1)(b))
- Reason: Processing is necessary to provide the Handlet service to the user.
Inbox and message ingestion and display
- Lawful basis: Contract (Article 6(1)(b)) for account users and platform delivery. For customer communication data processed on behalf of a business customer, Handlet acts as processor and the business customer is responsible for its own lawful basis.
- Reason: Processing is required for the core inbox functionality and is performed under the customer's instructions for customer communication data.
AI-assisted features
- Lawful basis: Contract (Article 6(1)(b)) for platform users and service delivery. For customer communication data processed on behalf of a business customer, Handlet acts as processor and the business customer is responsible for its own lawful basis.
- Reason: Processing is required for current AI-assisted features such as intent and confidence classification and, where enabled, social post content generation. Future or optional message, quote, summary, recommendation, or Auto-Send features will apply only where those features are enabled. Users retain control over content they use, publish, or send, except where they explicitly enable automation settings.
Personalised intelligence, benchmarks and optimisation recommendations
- Lawful basis: Contract (Article 6(1)(b)) where processing is needed to provide account-specific intelligence features requested by the customer. Legitimate Interests (Article 6(1)(f)) may apply to proportionate service improvement, model improvement, quality evaluation, benchmark development, and aggregated or anonymised insight creation. Consent or explicit authorisation may apply where required by law or product settings.
- Reason: Processing helps Handlet provide recommendations, improve automation, compare performance against privacy-protected benchmarks, and develop aggregated or anonymised commercial intelligence products.
Call-agent and voice features
- Lawful basis: Contract (Article 6(1)(b)) for platform users and service delivery. For caller or customer data processed on behalf of a business customer, Handlet acts as processor and the business customer is responsible for its own lawful basis, AI voice-assistant notices, and call-recording notices.
- Reason: Processing is required to provide call routing, call assistance, transcripts, recordings, summaries, analytics, and follow-up workflows where the feature is enabled.
Storage of customer contact and message data (on behalf of the user)
- Lawful basis: The business customer determines the Article 6 lawful basis for its own customers' data. Handlet processes that data as processor under the customer's instructions and our data processing terms.
- Reason: Processing is necessary to deliver the assistant functionality and message management features requested by the business customer.
Security, fraud prevention and abuse detection
- Lawful basis: Legitimate Interests (Article 6(1)(f))
- Reason: Processing is necessary to protect the platform, users and system integrity.
Product reliability, diagnostics and performance monitoring
- Lawful basis: Legitimate Interests (Article 6(1)(f))
- Reason: Required to maintain service quality, stability and performance.
Marketing emails (e.g. product updates)
- Lawful basis: Legitimate Interests (Article 6(1)(f)) or Consent (Article 6(1)(a))
- Reason: Non-essential marketing communications will normally rely on user consent.
Connecting third-party communication channels (e.g. Gmail, WhatsApp, Messenger)
- Lawful basis: Contract (Article 6(1)(b)) for providing the requested connection, with user authorisation/consent where required by the relevant provider or law.
- Reason: Users explicitly authorise connections between Handlet and third-party services and can revoke those connections in account settings.
Compliance with legal obligations
- Lawful basis: Legal Obligation (Article 6(1)(c))
- Reason: Processing is necessary to meet legal or regulatory requirements (e.g. tax, regulatory compliance).
Handling data deletion requests and data subject rights
- Lawful basis: Legal Obligation (Article 6(1)(c))
- Reason: Required to comply with data subject rights under UK GDPR.
2. Purposes of Processing (Plain Language)
Handlet processes personal data for the following purposes.
| Purpose | Description |
|---|---|
| Providing the Handlet service | To allow users to manage messages in one inbox, generate AI-assisted replies and quotes, and manage customer communications. |
| Account authentication and management | To ensure that only authorised users can access their accounts and associated data. |
| Channel connections and synchronisation | To ingest and send messages through connected services such as email, messaging platforms and social media (with user consent). |
| Operating and improving the product | To maintain reliability, security and performance, including diagnosing and resolving technical issues. |
| Providing personalised intelligence and benchmarking | To analyse conversation, operational, usage and outcome patterns so Handlet can provide account-specific recommendations, benchmarks, optimisation suggestions and privacy-protected insight products. |
| Communicating with users | To send service communications relating to account activity, security alerts and, where lawful, product updates. |
| Legal and regulatory compliance | To meet legal obligations such as responding to data subject requests and maintaining necessary records. |
Handlet does not sell personal data.
Handlet does not use customer message content to train AI models for unrelated purposes.
Handlet may commercialise aggregated, anonymised, transformed, or synthetic intelligence outputs that are not designed to identify individual users, customers, businesses, accounts, messages, or calls.
3. Categories of Data Processed
3.1 Account and Identity Data
Examples: Name, email address, password (stored in hashed form).
- Lawful basis: Contract
- Retention: Retained while the account is active and thereafter only as required by legal obligations and retention policies.
3.2 Business and Profile Data
Examples: Business name, trade or service type, user configuration settings (such as tone preferences and working hours).
- Lawful basis: Contract
- Retention: Retained while the account remains active.
3.3 Customer and Communication Data (processed on behalf of the user)
Examples: Customer names, customer contact details, message content, message metadata (timestamps, channels, identifiers), call transcripts, call recordings, call summaries, call outcomes and call metadata where call-agent features are enabled.
- Lawful basis: Determined by the business customer as controller. Handlet processes this data as processor under customer instructions.
- Retention: Retained while the workspace uses the service or until deletion is requested and completed, subject to backup, audit, legal, security and provider retention limits. Call recordings default to 30 days unless the workspace configures another valid period or disables recording.
3.4 Technical and Usage Data
Examples: IP address, device type, log data, feature usage information (non-content analytics).
- Lawful basis: Legitimate Interests
- Purpose: Security, diagnostics and service reliability.
- Retention: Stored for limited operational and security periods. Security or incident records may be retained longer where needed to investigate abuse, fraud, reliability, or legal claims.
3.5 Data Subject Requests and Audit Data
Examples: Records of access or deletion requests you make, and logs we keep to meet legal and record-keeping obligations.
- Lawful basis: Legal Obligation or Legitimate Interests
- Retention: Kept only as long as required by law or to protect the security of the service.
3.6 CRM and Integration Metadata
Examples: CRM connection metadata, credential audit records, import runs, import rows, matching metadata, participant indexes, mapping profiles and manual-resolution audit records.
- Lawful basis: Contract, Legitimate Interests, Legal Obligation, or the customer's controller lawful basis depending on context.
- Retention: Credential secrets are deleted immediately when revoked or disconnected. Import rows and external references are typically retained for 30 days after cleanup triggers. Matching metadata and participant indexes are typically retained for 90 days. Connection and mapping metadata is typically retained for up to 365 days. Audit and manual-resolution records are typically retained for up to 730 days.
3.7 Derived Intelligence and Benchmark Data
Examples: Intent labels, objection labels, sentiment labels, persuasion-pattern labels, quote bands, response-time bands, funnel-stage labels, channel/source labels, broad-area labels, outcome labels, aggregated benchmarks, transformed examples, paraphrased examples and synthetic examples.
- Lawful basis: Contract, Legitimate Interests, Consent, or customer controller lawful basis depending on the processing context.
- Purpose: Account-specific recommendations, product and model improvement, benchmark creation, insight products, quality evaluation and commercial intelligence.
- Retention: Retained only while useful for the relevant service, benchmark, model, audit, legal, security or commercial intelligence purpose. Aggregated or anonymised outputs may be retained separately from the source data where they are no longer designed to identify a person, business, account, message or call.
4. When We Rely on Legitimate Interests
Under UK GDPR we can process data where we have a "legitimate interest" that is not overridden by your rights. Where Handlet uses this basis, we apply the following.
| Element | Description |
|---|---|
| Interest | Running a secure, reliable platform and protecting users, their businesses and the integrity of the service. |
| Necessity | Processing such as logging, monitoring and abuse detection is necessary to operate the service safely and effectively. |
| Balance | We keep data to a minimum, restrict who can access it, and do not use it for unrelated marketing or to train AI. Your rights and interests are protected through our privacy controls and the information we publish here. |
We review this whenever we change how we process data or introduce new processing activities.
5. Special Category and Criminal Data
Handlet does not intentionally process special category personal data (such as health data, race or religion) or criminal offence data as part of its standard product functionality.
If such information appears within message content provided by users, it is processed only to the extent necessary to provide the service (for example displaying messages, classifying intent, or supporting enabled AI features) and in accordance with Handlet's Privacy Policy and applicable data protection law.
HANDLET LIMITED (Company No. 16962053)