AscentaAI is an AI-powered customer messaging service designed for UK-based small businesses. We provide chatbot infrastructure that handles customer enquiries, appointment bookings, and automated reminder communications on behalf of our business clients.
| Trading name | AscentaAI |
| Website | ascentaai.co.uk |
| Data protection contact | privacy@ascentaai.co.uk |
| Jurisdiction | England and Wales |
AscentaAI acts as a data controller for personal data of our business clients, and as a data processor for personal data of end-customers on behalf of those clients. This distinction is explained in Section 4.
This Privacy Policy is drafted in compliance with:
When a business subscribes to AscentaAI:
End-customers are individuals who message a business via Instagram DM or website chat widget:
AscentaAI acts as an independent data controller for personal data of its business clients (account data, billing, support), relying on contract performance, legitimate interests, and legal obligation as its lawful bases.
For end-customer data, AscentaAI acts as a data processor on behalf of the business client (the controller). Our processing is governed by the Data Processing Agreement (DPA) incorporated into our Terms of Service, satisfying Article 28 UK GDPR. As processor, we process end-customer data only on the client's instructions, implement appropriate security measures, assist with data subject rights requests, and delete data at the end of the service relationship.
OAuth tokens from Google Calendar are stored encrypted and used solely to check availability and manage booking events. We do not read any other calendar content. Instagram DMs are received via Meta webhook and replied to via the Meta Messaging API. We do not access Instagram posts, stories, or follower data.
We do not sell, rent, or trade personal data. We engage the following sub-processors:
All sub-processors are contractually bound to equivalent data protection standards. We will notify business clients at least 14 days before adding or changing a sub-processor.
Our website and dashboard use strictly necessary cookies (session cookies, CSRF tokens) and optional functional cookies (preferences, layout settings). We may use privacy-respecting analytics cookies where consent is given via our cookie banner. You can manage cookies through your browser settings. We respect Do Not Track signals.
| Client account & contact data | Duration of subscription + 7 years (HMRC requirement) |
| Payment records / invoices | 7 years from transaction date (legal obligation) |
| Dashboard login logs | 12 months |
| End-customer conversation logs | 12 months from last message |
| Booking records | 24 months from appointment date |
| Reminder contact details | Deleted within 30 days of appointment |
| Partial booking state | Deleted automatically after 24 hours |
Deletion from live databases is followed by removal from backups within 90 days. End-customers may request deletion at any time by contacting the business, or directly at privacy@ascentaai.co.uk.
We implement technical and organisational measures in accordance with Article 32 UK GDPR, including:
Some sub-processors are US-based. Transfers are safeguarded via the UK-US Data Bridge, UK International Data Transfer Agreements (IDTAs), or EU Standard Contractual Clauses with a UK Addendum, as applicable. Full details of transfer mechanisms per sub-processor are available on request at privacy@ascentaai.co.uk.
Our service involves automated processing by Anthropic's Claude AI model. This includes intent classification, language detection, sentiment detection, and calendar availability checking. None of these produce legal or similarly significant effects — they are assistive functions that facilitate voluntary customer interactions.
We do not use end-customer conversation data to train AI models. API inputs and outputs are not used by Anthropic to train models without consent, per Anthropic's API data usage policy.
Request a copy of your personal data. We respond within one calendar month.
Correct inaccurate or incomplete data. Update most account info directly in your dashboard.
Request deletion of your data where it is no longer necessary or processing is unlawful.
Restrict processing while accuracy or objection is pending.
Receive your data in a structured, machine-readable format where processing is automated.
Object to processing based on legitimate interests, including direct marketing.
To exercise any right, email privacy@ascentaai.co.uk with subject line "Data Rights Request".
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113.
Business clients using AscentaAI are data controllers for their end-customers' data and are responsible for: providing an appropriate privacy notice to their customers; having a valid lawful basis for processing; responding to data subject rights requests; and ensuring they do not instruct us to process data unlawfully. Our Terms of Service incorporate a Data Processing Agreement satisfying Article 28 UK GDPR.
Our service is directed at business owners and adult customers. We do not knowingly collect data from individuals under 13. If you believe we have inadvertently collected a child's data, contact privacy@ascentaai.co.uk and we will delete it promptly.
We may contact business clients by email about new features or updates where you have given consent, or under the PECR soft opt-in for existing clients. You may unsubscribe at any time via the link in any email or by contacting privacy@ascentaai.co.uk. We do not send marketing to end-customers.
We may update this policy periodically. Material changes will be notified by email at least 14 days before they take effect. Previous versions are available on request.