Handlet — Privacy Policy
Applies to: personal data processed by HANDLET LIMITED through handlet.ai, app.handlet.ai, communications, onboarding, integrations, AI-assisted features, and related services.
This Privacy Policy explains how HANDLET LIMITED collects, uses, stores, and protects personal data when you use Handlet.
MVP NOTICE
Handlet is rolling out in phases: private beta, then early access, then public availability. This policy is written to be clear, UK GDPR-aligned, and user-readable. It will continue to be reviewed and updated as product phases and processing activities evolve.
1. Who We Are
HANDLET LIMITED (trading as Handlet) is a company incorporated in England and Wales on 14 January 2026 under company number 16962053.
In this policy, Handlet, we, us, and our mean HANDLET LIMITED.
Under UK GDPR, Handlet acts as:
- Data controller for account registration data, platform usage data, operational logs, support communications, and billing-related customer data.
- Data processor where business customers use Handlet to manage communications with their own customers.
Contact:
Privacy email: privacy@handlet.ai
Website: https://handlet.ai
Registered office and postal address: 27 Wright Way, Sawtry, Huntingdon, Cambridgeshire, England, PE28 5WW.
ICO registration: Registered organisation name HANDLET LIMITED, registration reference ZC104918.
1a. Service Scope
Handlet is currently offered to businesses established in the United Kingdom. We do not intentionally offer the service to, or monitor, individuals located in the EEA, and account registration is limited accordingly. If our scope changes, we will appoint an EU representative under Article 27 EU GDPR and update this policy before offering the service in the EEA.
2. Relationship to Terms
This Privacy Policy should be read together with our Terms of Service.
Where the Terms explain how the service works, this policy explains how personal data is handled.
Where Handlet acts as a processor for customer communication data, our Data Processing Addendum also applies.
Our Intelligence & Benchmarking Policy explains how Handlet uses conversation, operational, usage, and outcome patterns to provide personalised intelligence, improve the service, and create privacy-protected benchmark and insight products.
3. Data We Process
Handlet processes data primarily so it can act as a digital office assistant for trades.
Personal data may also be processed on behalf of Handlet customers where they use the platform to manage communications with their own customers.
3.1 Data You Provide Directly
- Account information (name, email address)
- Business details (business name, trade type)
- Login and authentication details
- Billing and subscription information, where you become a paying customer
- Support, onboarding, and account communications you send to us
3.2 Customer and Communication Data (Provided by You)
When you connect inboxes or messaging channels, we may process:
- Emails and message content
- Customer names
- Customer contact details (email address, phone number, messaging handles)
- Message metadata (timestamps, channel source)
- Attachments or files included in connected conversations, where supported
- Job, quote, booking, complaint, review, and follow-up details contained in messages
- Call transcripts, call recordings, call summaries, call outcomes, and call metadata where call-agent features are enabled
This data belongs to you and your business. In relation to customer communication data processed through the platform, the business user is typically the data controller, and Handlet acts as a data processor on their behalf.
3.3 AI-Processed Data
To provide AI assistance, we process:
- Message content and metadata for intent and confidence classification
- Approved media, captions, hashtags, and social post context where social post support is enabled
- Call transcripts, recordings, summaries, outcomes, and metadata where call-agent or voice-assistant features are enabled
- Business profile, service, opening-hours, and call-handling settings used to configure AI-assisted voice features
- Message drafts, quote text, complaint or review responses, conversation summaries, and recommendations where those features are enabled
AI outputs are generated per request and are not treated as independent data sources.
3.3.1 Call Agent caller notices
Where a workspace enables Call Agent call recording retention, Handlet delivers an automated verbal disclosure at the start of the call before the AI assistant continues the conversation. The disclosure text is configured by the workspace or, if left blank, uses a Handlet default template that identifies the AI assistant and states that calls may be recorded.
The business customer remains responsible for its lawful basis for recording, sector-specific obligations, and privacy notices to its callers. Handlet acts as a processor for caller data handled on the customer's behalf.
3.4 PII Minimisation Before External Automation and AI
Where customer-originated message text may be used with external processors, workflow automation, or AI-assisted steps outside Handlet's core controlled pipeline, Handlet applies automated personal data detection and anonymisation where configured before that text is passed onward.
Depending on the message, our systems may detect and replace categories such as:
- names;
- email addresses;
- telephone numbers;
- locations and postal addresses, including UK postcodes where detected; and
- certain payment or banking identifiers, such as card or IBAN patterns.
Detected items are typically replaced with non-identifying placeholders, such as [PERSON], [EMAIL_ADDRESS], or [PHONE_NUMBER], so downstream processing receives minimised content. Dates and times may be left readable where retaining them is necessary for booking, scheduling, or intent-detection features.
Original messages may still be stored securely in Handlet for service delivery, such as inbox display, threading, support, audit, and customer-controlled workflows. The anonymisation step applies to what is sent onward for specific automation and AI-assisted flows, consistent with data minimisation.
We keep audit records of this anonymisation step where required for security, operational, and compliance purposes.
3.5 Technical and Usage Data
Technical and usage data may include IP address, device information, log records, and cookies used to maintain sessions or preferences. It may also include minimised error and performance events and feature usage signals (non-content). Handlet's current Sentry configuration does not enable session replay, browser or server profiling, console-log capture, Sentry log ingestion, or default collection of personal data.
3.6 Intelligence and Benchmarking Data
Handlet may process and derive structured intelligence from conversation, operational, usage, and outcome data, including:
- response speed and follow-up timing;
- message intent, sentiment, objections, urgency, and persuasion patterns;
- quote values, quote outcomes, bookings, cancellations, reviews, and repeat-customer signals;
- channel, lead source, funnel stage, service type, and broad geographic area;
- tone, preference, Brain memory, and automation feedback signals; and
- de-identified, aggregated, transformed, paraphrased, or synthetic message-pattern examples.
We use this to provide account-specific intelligence. Handlet will not process customer communication data for its own cross-customer model improvement, external benchmarking, partner insight products, or external message examples unless the customer has explicitly authorised that separate source processing. Anonymising data later is not treated as a substitute for that authorisation.
Where Handlet acts as a controller for separately-authorised, privacy-protected benchmarking derived from end-customer data, Handlet relies on the Article 14(5)(b) exemption (provision of information would be impossible or involve disproportionate effort), mitigated by: processing only de-identified, aggregated or transformed data; this public policy; and a contact route (privacy@handlet.ai) for end customers. Tradespeople are provided with a notice template to inform their own customers. This benchmarking remains disabled unless and until the customer has given separate explicit authorisation.
Handlet does not sell raw messages, raw call recordings or transcripts, customer contact details, CRM records, identifiable business profiles, identifiable end-customer profiles, account-level behavioural profiles, or pseudonymised datasets presented as anonymous data.
3.7 Data Sources
We collect personal data from:
- you and users you invite to your Handlet account;
- connected channels you authorise, such as email or messaging providers;
- your customers and contacts where their messages are imported into Handlet;
- service providers that support authentication, billing, hosting, messaging, analytics, support, or security; and
- technical logs generated when the service is used.
4. Purposes of Processing
We process personal data to:
- Provide and operate the Handlet service
- Deliver inbox, quote, and review assistance
- Classify message intent and confidence
- Support AI-assisted social post content generation where enabled
- Support AI-assisted drafts, summaries, quote text, complaint-response preparation, or recommendations where those features are enabled
- Maintain security and prevent misuse
- Improve reliability and performance
- Communicate with you about the service
We do not sell personal data.
Where the source processing has been separately authorised, we may commercialise aggregated, anonymised, transformed, or synthetic intelligence outputs that are not designed to identify individual users, customers, businesses, accounts, messages, or calls. See our Intelligence & Benchmarking Policy.
Handlet only processes personal data that is necessary to provide the service and avoids collecting unnecessary personal information.
For more detail on our lawful bases and data categories, see How we process personal data and Lawful basis and data categories.
5. Children's Data
Handlet is not intended for use by children under the age of 16, and we do not knowingly collect personal data from children.
6. Legal Bases
Depending on the context, we rely on:
- Contractual necessity — to provide the service you signed up for
- Legitimate interests — to operate, secure, diagnose, and improve the reliability of Handlet, subject to documented balancing assessments where required
- Consent — where required for optional analytics, storage, or non-essential electronic marketing
- Legal obligation — where required by law
When you authorise Handlet to connect with a third-party provider, that authorisation is a technical permission. It does not by itself mean that UK GDPR consent is our lawful basis for the underlying processing.
Special category data. Handlet does not ask for special category data (such as health information). Customer messages and call transcripts are free text and may incidentally contain it. Where Handlet acts as a processor, the business customer (controller) is responsible for establishing an Article 9 condition for any special category data in its customers' communications, and our Data Processing Addendum reflects this. Where Handlet acts as a controller, we rely on Article 9(2)(g)/(2)(e) as applicable and our PII-minimisation step reduces the likelihood of such data being processed by external providers.
7. AI Processing, Profiling, and Automated Decisions
Handlet uses AI to assist, not replace, human decision-making.
AI assistance and transparency. AI outputs are suggestions only, generated per request. Where our AI voice assistant (Call Agent) speaks with your customers, it identifies itself as an AI assistant at the start of the call and never claims to be a human. AI-assisted drafts (messages, quotes, review and complaint responses, social posts) require human review by default. You remain responsible for content you approve, publish, or send.
Profiling. To provide its features, Handlet analyses message and conversation data to derive structured signals — for example message intent, confidence scores, sentiment and urgency, response/lead-quality signals, quote and outcome patterns, and tone/preference ("Brain") memory. This analysis is profiling under data-protection law. It is used to assist you in running your business and does not produce decisions with legal or similarly significant effects on individuals.
Automated sending (optional). By default, AI-assisted replies are held for your review. Some workspaces may enable automated sending for narrowly-scoped, high-confidence message types. Where enabled, an AI-drafted reply may be sent to a customer without a human reviewing that specific message. You can disable this at any time, and recipients can ask to deal with a human; contact privacy@handlet.ai to request human review of, or to object to, automated sending that affects you.
Cross-customer learning requires separate, explicit customer authorisation, as described in our Intelligence & Benchmarking Policy.
8. Data Processors
Handlet uses trusted processors to deliver the service.
These may include:
- Hosting and databases (e.g. Supabase)
- Authentication providers (for example Google OAuth)
- AI service providers
- Email and messaging infrastructure
- Voice and telephony providers
- Monitoring, analytics, and support providers
- Security and abuse-prevention providers
Before a provider processes production personal data for Handlet, we require appropriate contractual data-protection obligations and limit access to what is needed for the relevant service.
A list of our current subprocessors is available at: Handlet Subprocessors.
9. International Transfers
Some processors may operate outside the UK or EEA.
Where this occurs, we rely on:
- Adequacy decisions
- the UK International Data Transfer Agreement or UK Addendum to EU Standard Contractual Clauses
- Standard Contractual Clauses where appropriate for EEA transfers
- Other lawful transfer mechanisms
You can contact privacy@handlet.ai for more information about the transfer safeguards relevant to your account.
10. Data Retention
We retain data only as long as necessary to provide the service and meet legal obligations.
Current retention criteria are:
| Data category | Typical retention |
|---|---|
| Account and workspace data | While the account is active, then deleted or anonymised after account deletion unless retention is required for legal, security, tax, accounting, or dispute purposes. |
| Customer messages, conversations, drafts, attachments, quotes, and related message metadata | While the workspace uses the service or until deletion is requested and completed, subject to backup, audit, legal, security, and provider retention limits. |
| Call recordings | Controlled by the workspace recording policy where call-agent features are enabled. Callers hear an automated verbal disclosure at call start when recording retention is enabled. The default recording retention period is 90 days unless the workspace configures another valid period, keeps a specific recording, or disables recording. |
| Call transcripts, call summaries, call outcomes, and related call metadata | Controlled by the workspace recording policy where call-agent features are enabled. The default transcript retention period is 24 months (730 days) unless the workspace configures another valid period or keeps a specific transcript. After the retention period, Handlet automatically redacts transcript text and related call insights from primary storage; recording audio may already have been removed under the separate recording retention period above. Subject to legal, security, backup, and provider retention limits. |
| Technical, diagnostic, and security logs | Retained for limited operational and security periods. Security or incident records may be retained longer where needed to investigate abuse, fraud, reliability, or legal claims. |
| CRM connection secrets | Deleted immediately when credentials are revoked or the connection is removed. |
| CRM import rows and external reference data | Typically retained for 30 days after relevant cleanup triggers. |
| CRM matching and participant index metadata | Typically retained for 90 days after relevant cleanup triggers. |
| CRM connection and mapping metadata | Typically retained for up to 365 days after relevant cleanup triggers. |
| CRM audit and manual-resolution records | Typically retained for up to 730 days for accountability and dispute handling. |
| Billing, invoice, dispute, tax, and accounting records | Retained where required for tax, accounting, legal, and dispute purposes. |
| Data subject request, privacy, security, and audit records | Retained as needed for accountability, legal claims, security, and compliance. |
| Privacy complaints | Normally retained for six years after closure where needed to demonstrate complaint handling, resolve disputes, establish or defend legal claims, and meet accountability obligations. Information that is no longer needed is deleted or minimised earlier where appropriate. |
Primary-store deletion or redaction of call recordings and transcripts is applied in Handlet's database when the applicable retention period expires or when deletion is requested. Copies may remain recoverable from infrastructure backups (including Supabase point-in-time recovery and daily backups) until those backup windows expire, as described in our Data Processing Addendum and operational retention records.
More detailed retention rules are set out in How we process personal data and Lawful basis and data categories.
11. Your Rights
You have the right to:
- Access your personal data
- Request correction of inaccurate data
- Request deletion (where applicable)
- Request restriction of processing
- Object to certain processing
- Request data portability
- Withdraw consent where we rely on consent
- Challenge or request human review of any automated decision if legally applicable
- Lodge a complaint with the UK Information Commissioner's Office (ICO)
You can contact the ICO at https://ico.org.uk/make-a-complaint/.
12. Privacy Complaints
You can complain about Handlet's handling of personal data using our privacy complaint form, by emailing privacy@handlet.ai, or by writing to our registered office.
We will:
- acknowledge your complaint promptly and no later than 30 days after receipt;
- take appropriate steps to investigate it without undue delay;
- tell you the outcome once our investigation is complete; and
- keep you informed of progress where an investigation is not completed promptly.
You may complain to the ICO at any time. You do not have to complete Handlet's complaint process first.
13. Exercising Rights
During MVP, requests for your data (including access, correction or deletion) are handled manually.
To make a request, email privacy@handlet.ai. We may need to verify your identity and, where a request relates to your customers' data, confirm whether we should handle it directly or support you as the controller.
We aim to respond within one month, as required by UK GDPR. If a request is complex or you make multiple requests, UK GDPR may allow extra time and we will tell you if that applies.
14. Security
We take reasonable technical and organisational measures to protect personal data. These may include secure hosting, access controls, encrypted connections (HTTPS), and monitoring systems.
However, no system is completely secure, and we cannot guarantee absolute security.
15. Changes
We may update this Privacy Policy from time to time.
If changes are material, we will notify users via email or in-app notice. The "Last updated" date at the top of this page will be revised when we make changes.
16. Cookies
We use strictly necessary cookies to maintain login sessions and remember interface preferences. We do not use cookies for advertising or to track you across other websites.
For detailed information about the cookies we use, please see our Cookie Policy.
17. Related Policies
- Terms of Service
- Privacy at a glance (short summary)
- Data Processing Addendum
- Intelligence & Benchmarking Policy
- Cookie Policy
- Refund Policy
For detailed processing purposes, lawful bases, and data categories under UK GDPR, see How we process personal data and Lawful basis and data categories.
18. Contact
For privacy questions or requests please contact: privacy@handlet.ai