Handlet — Privacy Policy

Applies to: personal data processed by HANDLET LIMITED through handlet.ai, app.handlet.ai, communications, onboarding, integrations, AI-assisted features, and related services.

This Privacy Policy explains how HANDLET LIMITED collects, uses, stores, and protects personal data when you use Handlet.

MVP NOTICE
Handlet is rolling out in phases: private beta, then early access, then public availability. This policy is written to be clear, UK GDPR-aligned, and user-readable. It will continue to be reviewed and updated as product phases and processing activities evolve.

1. Who We Are

HANDLET LIMITED (trading as Handlet) is a company incorporated in England and Wales on 14 January 2026 under company number 16962053.

In this policy, Handlet, we, us, and our mean HANDLET LIMITED.

Under UK GDPR, Handlet acts as:

Data controller for account registration data, platform usage data, operational logs, support communications, and billing-related customer data.
Data processor where business customers use Handlet to manage communications with their own customers.

Contact:
Privacy email: privacy@handlet.ai
Website: https://handlet.ai

Registered office and postal contact details are available from the public Companies House register for HANDLET LIMITED. If you need to contact us about privacy by post, email privacy@handlet.ai and we will provide the appropriate postal address for your request.

ICO registration: Registered organisation name HANDLET LIMITED, registration reference ZC104918.

2. Relationship to Terms

This Privacy Policy should be read together with our Terms of Service.

Where the Terms explain how the service works, this policy explains how personal data is handled.

Where Handlet acts as a processor for customer communication data, our Data Processing Addendum also applies.

Our Intelligence & Benchmarking Policy explains how Handlet uses conversation, operational, usage, and outcome patterns to provide personalised intelligence, improve the service, and create privacy-protected benchmark and insight products.

3. Data We Process

Handlet processes data primarily so it can act as a digital office assistant for trades.

Personal data may also be processed on behalf of Handlet customers where they use the platform to manage communications with their own customers.

3.1 Data You Provide Directly

Account information (name, email address)
Business details (business name, trade type)
Login and authentication details
Billing and subscription information, where you become a paying customer
Support, onboarding, and account communications you send to us

3.2 Customer and Communication Data (Provided by You)

When you connect inboxes or messaging channels, we may process:

Emails and message content
Customer names
Customer contact details (email address, phone number, messaging handles)
Message metadata (timestamps, channel source)
Attachments or files included in connected conversations, where supported
Job, quote, booking, complaint, review, and follow-up details contained in messages
Call transcripts, call recordings, call summaries, call outcomes, and call metadata where call-agent features are enabled

This data belongs to you and your business. In relation to customer communication data processed through the platform, the business user is typically the data controller, and Handlet acts as a data processor on their behalf.

3.3 AI-Processed Data

To provide AI assistance, we process:

Message content and metadata for intent and confidence classification
Approved media, captions, hashtags, and social post context where social post support is enabled
Call transcripts, recordings, summaries, outcomes, and metadata where call-agent or voice-assistant features are enabled
Business profile, service, opening-hours, and call-handling settings used to configure AI-assisted voice features
Future or optional message drafts, quote text, review responses, or conversation summaries where those features are enabled

AI outputs are generated per request and are not treated as independent data sources.

3.4 PII Minimisation Before External Automation and AI

Where customer-originated message text may be used with external processors, workflow automation, or AI-assisted steps outside Handlet's core controlled pipeline, Handlet applies automated personal data detection and anonymisation where configured before that text is passed onward.

Depending on the message, our systems may detect and replace categories such as:

names;
email addresses;
telephone numbers;
locations and postal addresses, including UK postcodes where detected; and
certain payment or banking identifiers, such as card or IBAN patterns.

Detected items are typically replaced with non-identifying placeholders, such as [PERSON], [EMAIL_ADDRESS], or [PHONE_NUMBER], so downstream processing receives minimised content. Dates and times may be left readable where retaining them is necessary for booking, scheduling, or intent-detection features.

Original messages may still be stored securely in Handlet for service delivery, such as inbox display, threading, support, audit, and customer-controlled workflows. The anonymisation step applies to what is sent onward for specific automation and AI-assisted flows, consistent with data minimisation.

We keep audit records of this anonymisation step where required for security, operational, and compliance purposes.

3.5 Technical and Usage Data

Technical and usage data may include IP address, device information, log records, and cookies used to maintain sessions or preferences. It may also include error and performance logs and feature usage signals (non-content).

3.6 Intelligence and Benchmarking Data

Handlet may process and derive structured intelligence from conversation, operational, usage, and outcome data, including:

response speed and follow-up timing;
message intent, sentiment, objections, urgency, and persuasion patterns;
quote values, quote outcomes, bookings, cancellations, reviews, and repeat-customer signals;
channel, lead source, funnel stage, service type, and broad geographic area;
tone, preference, Brain memory, and automation feedback signals; and
de-identified, aggregated, transformed, paraphrased, or synthetic message-pattern examples.

We use this to provide account-specific intelligence, improve Handlet, develop and evaluate models, and create aggregated or anonymised benchmark and insight products.

Handlet does not sell raw messages, raw call recordings or transcripts, customer contact details, CRM records, identifiable business profiles, identifiable end-customer profiles, account-level behavioural profiles, or pseudonymised datasets presented as anonymous data.

3.7 Data Sources

We collect personal data from:

you and users you invite to your Handlet account;
connected channels you authorise, such as email or messaging providers;
your customers and contacts where their messages are imported into Handlet;
service providers that support authentication, billing, hosting, messaging, analytics, support, or security; and
technical logs generated when the service is used.

4. Purposes of Processing

We process personal data to:

Provide and operate the Handlet service
Deliver inbox, quote, and review assistance
Classify message intent and confidence
Support AI-assisted social post content generation where enabled
Support future or optional AI-assisted drafts, summaries, or recommendations where those features are enabled
Maintain security and prevent misuse
Improve reliability and performance
Communicate with you about the service

We do not sell personal data.

We may commercialise aggregated, anonymised, transformed, or synthetic intelligence outputs that are not designed to identify individual users, customers, businesses, accounts, messages, or calls. See our Intelligence & Benchmarking Policy.

Handlet only processes personal data that is necessary to provide the service and avoids collecting unnecessary personal information.

For more detail on our lawful bases and data categories, see How we process personal data and Lawful basis and data categories.

5. Children's Data

Handlet is not intended for use by children under the age of 16, and we do not knowingly collect personal data from children.

6. Legal Bases

Depending on the context, we rely on:

Contractual necessity — to provide the service you signed up for
Legitimate interests — to operate, secure, and improve Handlet
Consent — where required (e.g. connecting third-party accounts)
Legal obligation — where required by law

7. AI Processing

Handlet uses AI to assist, not replace, human decision-making.

Important points:

AI outputs are suggestions only
Current AI use includes intent recognition and, where enabled, social post support
Future or optional AI messaging features will require review unless you explicitly enable automation
You remain responsible for content you use, approve, publish, or send
No automated decisions are made that have legal or similarly significant effects on individuals

Handlet may use derived patterns, feedback, and outcome data to improve AI quality, classifiers, recommendations, automation defaults, and benchmark intelligence, subject to the safeguards described in this policy and our Intelligence & Benchmarking Policy.

8. Data Processors

Handlet uses trusted processors to deliver the service.

These may include:

Hosting and databases (e.g. Supabase)
Authentication providers (for example Google OAuth)
AI service providers
Email and messaging infrastructure
Voice and telephony providers
Monitoring, analytics, and support providers
Security and abuse-prevention providers

Processors only access data as needed to provide their services and are bound by appropriate data protection obligations.

A list of our current subprocessors is available at: Handlet Subprocessors.

9. International Transfers

Some processors may operate outside the UK or EEA.

Where this occurs, we rely on:

Adequacy decisions
the UK International Data Transfer Agreement or UK Addendum to EU Standard Contractual Clauses
Standard Contractual Clauses where appropriate for EEA transfers
Other lawful transfer mechanisms

You can contact privacy@handlet.ai for more information about the transfer safeguards relevant to your account.

10. Data Retention

We retain data only as long as necessary to provide the service and meet legal obligations.

Current retention criteria are:

Data category	Typical retention
Account and workspace data	While the account is active, then deleted or anonymised after account deletion unless retention is required for legal, security, tax, accounting, or dispute purposes.
Customer messages, conversations, drafts, attachments, quotes, and related message metadata	While the workspace uses the service or until deletion is requested and completed, subject to backup, audit, legal, security, and provider retention limits.
Call recordings	Controlled by the workspace recording policy where call-agent features are enabled. The default recording retention period is 30 days unless the workspace configures another valid period or recording is disabled.
Call transcripts, call summaries, call outcomes, and call metadata	Retained while needed for call-agent service continuity, analytics, audit, support, or until account/workspace deletion is completed, subject to legal, security, backup, and provider retention limits.
Technical, diagnostic, and security logs	Retained for limited operational and security periods. Security or incident records may be retained longer where needed to investigate abuse, fraud, reliability, or legal claims.
CRM connection secrets	Deleted immediately when credentials are revoked or the connection is removed.
CRM import rows and external reference data	Typically retained for 30 days after relevant cleanup triggers.
CRM matching and participant index metadata	Typically retained for 90 days after relevant cleanup triggers.
CRM connection and mapping metadata	Typically retained for up to 365 days after relevant cleanup triggers.
CRM audit and manual-resolution records	Typically retained for up to 730 days for accountability and dispute handling.
Billing, invoice, dispute, tax, and accounting records	Retained where required for tax, accounting, legal, and dispute purposes.
Data subject request, privacy, security, and audit records	Retained as needed for accountability, legal claims, security, and compliance.

More detailed retention rules are set out in How we process personal data and Lawful basis and data categories.

11. Your Rights

You have the right to:

Access your personal data
Request correction of inaccurate data
Request deletion (where applicable)
Request restriction of processing
Object to certain processing
Request data portability
Withdraw consent where we rely on consent
Challenge or request human review of any automated decision if legally applicable
Lodge a complaint with the UK Information Commissioner's Office (ICO)

You can contact the ICO at https://ico.org.uk/make-a-complaint/.

12. Exercising Rights

During MVP, requests for your data (including access, correction or deletion) are handled manually.

To make a request, email privacy@handlet.ai. We may need to verify your identity and, where a request relates to your customers' data, confirm whether we should handle it directly or support you as the controller.

We aim to respond within one month, as required by UK GDPR. If a request is complex or you make multiple requests, UK GDPR may allow extra time and we will tell you if that applies.

13. Security

We take reasonable technical and organisational measures to protect personal data. These may include secure hosting, access controls, encrypted connections (HTTPS), and monitoring systems.

However, no system is completely secure, and we cannot guarantee absolute security.

14. Changes

We may update this Privacy Policy from time to time.

If changes are material, we will notify users via email or in-app notice. The "Last updated" date at the top of this page will be revised when we make changes.

15. Cookies

We use strictly necessary cookies to maintain login sessions and remember interface preferences. We do not use cookies for advertising or to track you across other websites.

For detailed information about the cookies we use, please see our Cookie Policy.

16. Related Policies

For detailed processing purposes, lawful bases, and data categories under UK GDPR, see How we process personal data and Lawful basis and data categories.

17. Contact

For privacy questions or requests please contact: privacy@handlet.ai

Privacy Policy

Our privacy policy and how we use your data