Privacy Policy

This policy explains what personal data we collect, why we use it, who we share it with, and the choices and rights available to you.

Last updated: 30 April 2026

1. Who we are

Assisto is a WhatsApp-first CRM and AI-assisted business workflow service for small businesses. For privacy questions, contact privacy@assistocrm.com.

Where we decide why and how personal data is used, we act as controller. Where a business user uploads or sends personal data about its own customers, suppliers, workers, or contacts for us to process on its behalf, that business may be the controller and Assisto may act as processor.

Our Terms of Service include a data processing addendum for customer data, invoices, receipts, WhatsApp messages, payment data, and bank/Open Banking data processed through Assisto.

2. Personal data we collect

  • Account data, such as email address, password hash, account status, and login/session information.
  • Business profile data, such as business name, contact name, business type, company number, address, phone, country, currency, and language preferences.
  • WhatsApp data, such as verified phone numbers, connection status, inbound and outbound messages, onboarding replies, and message metadata.
  • CRM data, such as customers, suppliers, contact details, notes, quotes, invoices, tasks, reminders, contract schedules, and payment records.
  • Document and receipt data, such as uploaded files, extracted text, OCR results, summaries, classifications, and accountant exports.
  • Open Banking and payment data, such as bank connection records, transaction data, payment watch records, Stripe customer or subscription identifiers, and billing events.
  • AI workflow data, such as prompts, tool results, assistant replies, translations, extracted fields, and limited context needed to complete your requested workflow.
  • Legal consent records, such as the version of the terms or privacy policy accepted, timestamp, and related account identifiers.
  • Technical and security data, such as IP address, user agent, rate-limit records, audit logs, errors, and service diagnostics.
  • Support and communication data, such as messages you send to us and notes from support interactions.

3. Where data comes from

We collect data directly from you, from your use of Assisto, from WhatsApp/Meta when you connect or message the service, from payment and billing providers, from Open Banking providers where you connect an account, and from files or messages you choose to upload or send.

When you connect or use WhatsApp features, WhatsApp phone numbers, message content, message metadata, verification messages, and delivery events pass through WhatsApp/Meta infrastructure so that WhatsApp messages can be sent, received, verified, and delivered.

When you use AI-assisted features, we may send the minimum relevant message, document, CRM, quote, invoice, payment, or task context to AI gateway, model, transcription, OCR, or document processing providers so they can process your request and return a result.

4. Why we use personal data

  • To create, secure, and manage your account.
  • To provide CRM, WhatsApp, AI, document, payment, billing, and reminder features.
  • To process instructions you send through the web app or WhatsApp.
  • To generate, classify, extract, summarise, and organise business records.
  • To provide support, troubleshoot issues, and improve reliability.
  • To prevent fraud, abuse, spam, unauthorised access, and misuse of paid or high-cost features.
  • To comply with legal, tax, accounting, regulatory, and dispute obligations.
  • To send service messages and, where permitted, product updates or marketing communications.

5. Lawful bases

Depending on the context, we rely on one or more lawful bases under UK GDPR, including:

  • Contract, where processing is needed to provide Assisto to you.
  • Legitimate interests, such as service security, abuse prevention, product improvement, and business-to-business communications.
  • Legal obligation, where we must keep or disclose information to comply with law.
  • Consent, where we ask for consent for a specific activity, such as optional marketing or optional non-essential cookies.

6. AI and automation

Assisto uses AI to interpret messages, draft or suggest actions, extract information from documents, classify records, and assist with CRM workflows. AI outputs are not final professional advice and should be reviewed by you before use.

AI providers need to process the useful business facts in a prompt to produce an answer, so AI prompts cannot be fully encrypted from the model while still remaining useful. Instead, we use safeguards such as TLS in transit, encryption at rest where appropriate, access controls, prompt minimisation, and backend tools for sensitive matching or calculations where possible.

In production, OpenRouter requests are routed through a shared hardened client. That client is configured to request no provider data collection, zero data retention routing, and no provider fallbacks. Where EU routing is enabled for the account and environment, requests use OpenRouter's EU endpoint and restricted provider routing. These controls are designed to prevent prompts and completions from being retained or used to train third-party AI models, but the providers still process the content transiently to deliver the service and may handle limited metadata, security, abuse, or operational logs under their own terms.

We do not intentionally use your WhatsApp messages, CRM records, documents, bank data, or other customer content to create, train, or improve general-purpose AI models. We also do not permit WhatsApp Business Solution Data to be used to train or improve general AI models.

We minimise sensitive data sent to AI providers. For example, backend systems should handle bank tokens, raw Open Banking payloads, full account details, API keys, and sensitive reconciliation logic where possible, and the AI layer should receive only the summary or candidate information needed to complete the workflow.

We do not use AI to make solely automated decisions about you that produce legal or similarly significant effects without appropriate human involvement.

7. Who we share data with

We share personal data only where needed to run, secure, support, or improve Assisto:

  • Hosting, database, storage, and infrastructure providers.
  • WhatsApp/Meta and communications providers needed to send, receive, verify, and deliver messages, including phone numbers and message data that pass through WhatsApp/Meta infrastructure.
  • AI gateways, model providers, transcription providers, OCR providers, and document processing providers used to interpret messages and files.
  • Payment, billing, and subscription providers such as Stripe.
  • Open Banking providers where you choose to connect bank data.
  • Professional advisers, insurers, auditors, and authorities where legally required or necessary to protect rights.

The subprocessor list below reflects providers Assisto may use where the relevant feature or infrastructure is enabled in production.

Provider | Category | Purpose
Vercel | Hosting and application delivery | Hosting, deployments, routing, runtime services, and operational logs where used in production.
Supabase | Database, storage, and backend services | Postgres database, private file storage, edge functions, signed URLs, and related backend services where used in production.
Meta / WhatsApp | Messaging platform | WhatsApp onboarding, verification, phone number handling, inbound messages, outbound replies, templates, and message delivery through WhatsApp/Meta infrastructure.
Stripe | Payments and billing | Checkout, subscriptions, billing portal, invoices, payment status, and webhook processing where billing is enabled.
OpenAI | AI and transcription | Voice transcription or AI processing where OpenAI features are configured. API data controls are used where available and business data is not intentionally used by Assisto to train general AI models.
OpenRouter | AI gateway and model access | Natural-language agent planning, assistant responses, translation, and extraction where OpenRouter features are configured. Production requests use no data collection, zero data retention routing, disabled fallbacks, and restricted provider routing where available.
Selected model providers via OpenRouter | AI model processing | Model inference for AI-assisted workflows where routed through OpenRouter, such as selected Google/Vertex endpoints where configured. Providers process limited prompt context needed to return a result under the configured routing and data controls.
TrueLayer | Open Banking | Bank account connection, OAuth state handling, transaction sync, and payment matching where TrueLayer is enabled.
Plaid | Open Banking and bank data | Bank account connection and transaction data where Plaid is enabled.

8. International transfers

Some suppliers may process data outside the UK or European Economic Area. Where this happens, we use appropriate safeguards where required, such as adequacy regulations, standard contractual clauses, or equivalent transfer mechanisms.

9. Retention

We keep personal data only for as long as needed for the purposes described in this policy. Account and CRM records are generally kept while your account is active, unless you delete them or ask us to delete them. Billing, tax, accounting, dispute, and security records may be kept for longer where required by law or legitimate business need.

Backups and logs may take additional time to expire from our systems. We may retain limited information where needed to prevent abuse, resolve disputes, enforce terms, or comply with legal obligations.

AI providers and connected services may retain limited request metadata, security logs, abuse monitoring logs, or operational records under their own terms. Our production AI routing is configured to reduce prompt and completion retention and to avoid providers that collect customer prompts for training.

10. Your rights

Depending on the data and lawful basis, you may have rights to access, correct, delete, restrict, object to processing, and receive a copy of your personal data. Where we rely on consent, you may withdraw that consent at any time.

You can contact privacy@assistocrm.com to exercise these rights. You also have the right to complain to the UK Information Commissioner's Office at ico.org.uk/make-a-complaint.

11. Security

We use technical and organisational measures designed to protect personal data, including access controls, encryption where appropriate, private storage for sensitive files, rate limits, and monitoring for abuse. No online service can be guaranteed completely secure, so you should also protect your devices, passwords, and WhatsApp account.

12. Children

Assisto is intended for business users and is not directed at children under 18. Do not use Assisto to intentionally collect children's data unless you have a lawful basis and all required safeguards.

13. Changes

We may update this Privacy Policy as the product, suppliers, or legal requirements change. If we make material changes, we will take reasonable steps to bring them to your attention.