This page explains what personal data Handlet processes, why we process it, and the lawful basis for doing so under the UK General Data Protection Regulation (UK GDPR).
Our goal is to be transparent about how data is used when you use Handlet.
1. Why We Process Personal Data
Handlet processes personal data so we can:
- Provide the Handlet service
- Allow you to connect and manage communication channels
- Classify message intent and confidence
- Support AI-assisted social post content generation where enabled
- Support AI-assisted message drafts, quote text, complaint-response preparation, summaries, and recommendations where those features are enabled
- Provide call-agent features where enabled, including call routing, transcripts, recordings, summaries, and follow-ups
- Provide account-specific intelligence and optimisation recommendations
- Improve Handlet reliability, safety, and account-specific models, classifiers, and recommendations
- Where separately and explicitly authorised, create cross-customer benchmark and insight products subject to anonymisation and release controls
- Maintain a secure and reliable platform
- Communicate with you about your account
- Comply with legal obligations
We do not sell personal data.
We also do not use your messages or your customers' messages to train AI models for unrelated purposes.
We may use derived patterns, outcomes, and quality signals within an account to provide and improve that account's service. Cross-customer learning, benchmarking, partner products, and external examples using customer communication data require separate explicit customer authorisation as described in our Intelligence & Benchmarking Policy.
2. Our Lawful Bases for Processing
Under UK GDPR, organisations must have a lawful basis for processing personal data.
Handlet relies on the following lawful bases depending on the activity.
Contract
Most data processing is necessary to provide the service you signed up for.
Examples include:
- Creating and managing your account
- Displaying and storing messages
- Classifying message intent and confidence
- Supporting AI-assisted social post content generation where enabled
- Supporting AI-assisted message drafts, quote text, complaint-response preparation, summaries, or recommendations where those features are enabled
- Connecting and managing communication channels that you ask us to integrate
Without this processing, the service would not function.
For customer communication data that you bring into Handlet, you are typically the controller and Handlet acts as your processor. In that case, you are responsible for identifying your lawful basis for processing your customers' data, and Handlet processes that data on your instructions under our data processing terms.
Consent
We rely on consent where it is the appropriate lawful basis, including for optional storage, analytics, or marketing where consent is required.
Examples include:
- Enabling optional analytics or similar non-essential technologies
- Receiving non-essential electronic marketing where consent is required
Authorising Handlet with a third-party provider is a technical permission and can be revoked from your account settings. That provider authorisation does not by itself mean that UK GDPR consent is our lawful basis.
Legitimate Interests
Some processing is necessary to operate a secure and reliable service.
Examples include:
- Security monitoring
- Fraud prevention
- Error logging and diagnostics
- Improving reliability and performance
- Security, diagnostics, fraud prevention, and proportionate service reliability improvement
We ensure this processing is proportionate and respects user privacy.
Legal Obligations
In some cases we must process data to comply with the law.
Examples include:
- Responding to data subject access requests
- Complying with regulatory obligations
- Maintaining certain records required by law
- Keeping records of privacy and data subject requests (for example access or deletion requests) where needed for accountability and compliance
3. Types of Data We Process
Account Information
Examples:
- Name
- Email address
- Login credentials (stored securely)
Purpose:
- Account creation
- Authentication
- Service access
Business Profile Information
Examples:
- Business name
- Trade or service type
- User preferences and settings
Purpose:
- Configuring the service
- Personalising AI suggestions
Customer Communication Data
When you use Handlet to manage communications, we process the data necessary to provide that service.
Examples:
- Customer names
- Contact details
- Message content
- Message timestamps and channel metadata
- Call transcripts, recordings, summaries, outcomes, and metadata where call-agent features are enabled
Purpose:
- Displaying messages
- Drafting AI responses
- Managing communication history
Handlet processes this data on your behalf as part of delivering the service.
Intelligence and Benchmarking Data
Examples:
- response speed
- follow-up timing
- quote value and outcome
- booking, cancellation and repeat-customer signals
- lead source, channel, broad area, service type and funnel stage
- objection, sentiment, intent and persuasion-pattern labels
- transformed, paraphrased, summarised, or synthetic message-pattern examples
Purpose:
- providing account-specific intelligence and recommendations;
- improving account-specific models, classifiers, and automation defaults under customer instructions; and
- where separately authorised, creating cross-customer benchmarks, reports, dashboards, APIs, and insight products subject to anonymisation and release controls.
Handlet does not sell raw messages, raw call recordings or transcripts, customer contact details, CRM records, identifiable business profiles, identifiable end-customer profiles, account-level behavioural profiles, or pseudonymised datasets presented as anonymous data.
Technical and Usage Data
Examples:
- IP address
- Device type
- Log data
- Feature usage statistics
Purpose:
- Security monitoring
- Service reliability
- Diagnosing technical issues
4. Data Retention
We retain personal data only for as long as necessary to provide the service and comply with legal obligations.
Current retention criteria are:
| Data category | Typical retention |
|---|---|
| Account and workspace data | While the account is active, then deleted or anonymised after account deletion unless retention is required for legal, security, tax, accounting, or dispute purposes. |
| Customer messages, conversations, drafts, attachments, quotes, and related message metadata | While the workspace uses the service or until deletion is requested and completed, subject to backup, audit, legal, security, and provider retention limits. |
| Call recordings | Controlled by the workspace recording policy where call-agent features are enabled. The default recording retention period is 90 days unless the workspace configures another valid period, keeps a specific recording, or disables recording. |
| Call transcripts, call summaries, call outcomes, and related call metadata | Controlled by the workspace recording policy where call-agent features are enabled. The default transcript retention period is 24 months (730 days) unless the workspace configures another valid period or keeps a specific transcript. After the retention period, Handlet automatically redacts transcript text and related call insights from primary storage; recording audio may already have been removed under the separate recording retention period above. Subject to legal, security, backup, and provider retention limits. |
| Technical, diagnostic, and security logs | Retained for limited operational and security periods. Security or incident records may be retained longer where needed to investigate abuse, fraud, reliability, or legal claims. |
| CRM connection secrets | Deleted immediately when credentials are revoked or the connection is removed. |
| CRM import rows and external reference data | Typically retained for 30 days after relevant cleanup triggers. |
| CRM matching and participant index metadata | Typically retained for 90 days after relevant cleanup triggers. |
| CRM connection and mapping metadata | Typically retained for up to 365 days after relevant cleanup triggers. |
| CRM audit and manual-resolution records | Typically retained for up to 730 days for accountability and dispute handling. |
| Billing, invoice, dispute, tax, and accounting records | Retained where required for tax, accounting, legal, and dispute purposes. |
| Data subject request, privacy, security, and audit records | Retained as needed for accountability, legal claims, security, and compliance. |
When an account is deleted, we delete or anonymise personal data in accordance with our retention policies.
The UK GDPR deletion flow deletes the workspace message corpus from primary stores, including canonical messages and conversations, outbound drafts, attachment metadata, attachment files in the message-attachments storage area, and derived metadata used by exports, AI, and workflow integrations. Backups and third-party provider systems follow their own retention and deletion cycles. Call recording and transcript retention in primary storage follows the workspace schedule above; infrastructure backups (including Supabase point-in-time recovery and daily backups) may retain copies until those backup windows expire.
For a detailed breakdown of our lawful bases, purposes and data categories (Article 6 UK GDPR), see Lawful basis & data categories.
5. Special Category Data
Handlet does not intentionally collect or process special category personal data (such as health data, racial or ethnic origin, or religious beliefs).
If such information appears within messages sent through connected communication channels, it is processed only as necessary to provide the service.
You should avoid adding special category or criminal offence data to Handlet unless it is genuinely necessary for your business communication and lawful for you to process.
6. Your Rights
Under UK GDPR you have several rights relating to your personal data, including the right to:
- Access your personal data
- Request correction of inaccurate data
- Request deletion of personal data
- Object to certain processing
- Request data portability
If you would like to exercise any of these rights, please contact us at:
7. Changes to This Page
We may update this page if our processing activities change or if required by law.
When updates are made, the "Last updated" date at the top of this page will be revised.