Skip to content
⚠️ DRAFT — requires UK legal counsel review before launch. Not legal advice. Maps the platform's real data flows for counsel to finalise.

Privacy Policy

Last updated: 2026-06-21 · OpenSassy is operated by ANDUMA Intelligence Group Ltd

1. Who we are, and our two roles

OpenSassy is a product of ANDUMA Intelligence Group Ltd, a company registered in England and Wales. COUNSEL: confirm company number, registered office, and ICO registration status before publishing.

We hold two distinct roles, and which one applies depends on who you are:

  • Controller — for our own users: business owners and staff who sign up to OpenSassy, visitors and leads on the-sassy.com, and any data about the founder/platform itself. We decide why and how this data is processed, and this policy is about that role.
  • Processor — for a business customer's own clients. If a business (e.g. a salon) uses OpenSassy to manage its clients, that business is the controller of its clients' data; we process it on the business's behalf under our Data Processing Agreement. If you are an end-client of a business that uses OpenSassy, your business's own privacy notice governs, and you should look to them first — though the data-flow detail below (where it's stored, which AI providers see it) still describes how we, as their processor, handle it.

Contact: hello@the-sassy.com

2. What data we collect

Account data (business owners/staff):

Name, email, phone, password (hashed) or Supabase-managed authentication, business/organisation details. Collected at sign-up.

End-customer data (your business's clients, where we act as processor):

Name, email, phone, booking history, appointment notes, consent records, marketing preference. Collected when a client books, signs up for their own account, or is imported by the business.

Voice call data:

If a business enables the AI voice receptionist ("Ara"), inbound calls are answered, recorded, and transcribed to identify the caller's booking intent. This includes the caller's phone number and the audio/transcript of the call. COUNSEL: a call-recording notice is being added to Ara's greeting — confirm wording and whether prior written notice is also required.

Chat content:

Messages sent to our AI assistant ("Sassy"), by business owners/staff, by their clients, or by guests on the-sassy.com. This may incidentally contain personal data you mention in conversation (e.g. a client's name in a request).

Payment data:

Stripe is our payment processor (and Stripe Connect for businesses taking their own payments). We never see or store full card numbers — only Stripe-tokenised metadata, customer email/name for receipts, and transaction records.

Usage data:

Pages visited, features used, timestamps, IP address, browser type, collected via server logs. We do not use cookies or third-party analytics/advertising trackers — see our Cookie Policy for the full, code-audited list of what's actually stored in your browser (it's localStorage, not cookies).

Guest/lead data:

If you chat with Sassy on the public landing page before signing up, we keep the conversation and, if you give it, your email, to follow up.

Communications:

Emails and support messages you send us.

3. Lawful basis for processing

Contract performance: Running your account, providing bookings/CRM/payments, answering calls — the core service you (or your business) signed up for.

Consent: AI processing of your messages and business data is covered by a specific, versioned consent captured at sign-up (`ai_processing`); marketing communications are opt-in and can be withdrawn at any time.

Legitimate interests: Keeping the platform secure, detecting fraud/abuse, and personalising the AI assistant's memory of your business (minimised — see retention below). We've assessed that this doesn't override your rights; see our internal Legitimate Interests Assessment. COUNSEL: confirm this balancing test, especially for AI personalisation where OpenSassy is processor and the business's own basis should govern its clients.

Legal obligation: Retaining billing records as required by UK tax law.

4. The AI behind OpenSassy

OpenSassy's AI assistant ("Sassy") and voice receptionist ("Ara") are built on third-party large language model providers. To generate a response, the relevant message content (and necessary business context) is sent to one of these providers:

  • Anthropic (Claude) — our primary AI brain for chat, analysis, and building features. Located in the United States.
  • xAI (Grok) — AI fallback and the brain behind the voice receptionist. Located in the United States.
  • Google (Gemini) — image analysis and memory/embeddings. Located in the United States.
  • Moonshot (Kimi) — occasional fallback for long-context tasks. COUNSEL FLAG: this provider's jurisdiction needs confirming before launch; if it can receive UK/EU personal data we will either add the relevant transfer safeguard or disable it for those data paths.

Each of these providers' standard terms is that they do not train their models on data sent via their business APIs, but we have not yet completed a full verification/contractual confirmation of every provider's current stance. COUNSEL: sign-off needed once that verification is complete. Because these providers are based outside the UK/EEA, sending data to them is an international transfer — see §6.

5. Data storage and residency

Our database and application hosting run on Google Cloud Platform's europe-west1 region (Belgium), within the EEA. Our database itself is hosted by Supabase, also on an EEA-region project. Your data does not leave the UK/EEA for storage purposes — it only does so transiently when sent to an AI provider (§4) or a sub-processor based outside the EEA (§6) to deliver a specific feature (e.g. answering a chat message, transcribing a call, sending an SMS).

6. International transfers

The AI providers in §4, plus Twilio (our voice/SMS provider, used for the receptionist and text reminders), are based in the United States. Each of these transfers needs an appropriate safeguard under UK GDPR Chapter V — typically the UK International Data Transfer Addendum (IDTA) or Standard Contractual Clauses, backed by a transfer risk assessment.

COUNSEL: this is flagged internally as the single largest open compliance item before real/enterprise trading — IDTAs/SCCs need to be in place (or confirmed already in place via each provider's standard DPA) for Anthropic, xAI, Google, Twilio, and Moonshot (if retained) before this policy can be finalised and relied upon.

7. Data retention

Active accounts: Data is retained for as long as your subscription is active.

Booking/customer records: Proposed retention of the business relationship's duration plus 6 years (UK limitation period). COUNSEL to confirm final period.

Voice call recordings/transcripts: Proposed 30–90 days, then deleted. COUNSEL to confirm.

AI conversation memory: Our assistant's longer-term memory of facts decays automatically (90-day half-life) and is minimised by design; we are confirming a hard-delete backstop. COUNSEL to confirm.

Guest chat / leads: Proposed 12 months, then deleted. COUNSEL to confirm.

After account cancellation: Data is retained for 30 days to allow export, then deleted, except billing records (7 years, UK tax law).

You can request earlier deletion at any time — see Your Rights below.

8. Who we share data with

Supabase: our database host.

Google Cloud Platform: application hosting and infrastructure (europe-west1, Belgium).

Stripe: payment processing — PCI-DSS compliant, itself a controller for fraud/AML purposes.

Twilio: SMS and voice calling for the receptionist (US-based — see §6).

Anthropic, xAI, Google, Moonshot: AI processing as described in §4 (US-based — see §6).

Resend: sends our transactional emails (welcome, booking confirmations, one-time codes).

We do not sell your personal data to anyone, ever.

9. Automated processing

Our AI assistant can propose actions (like sending a message or rescheduling a booking), but anything involving money or an irreversible/destructive change requires a human to approve it before it happens — it is not a "solely automated decision" in the UK GDPR Article 22 sense. COUNSEL to confirm this characterisation holds for all current AI-driven features before relying on it.

10. Your rights under UK GDPR

You have the following rights regarding your personal data:

  • Access: Request a copy of all data we hold about you
  • Rectification: Correct inaccurate data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Portability: Receive your data in a machine-readable format
  • Restriction: Request we limit how we process your data
  • Objection: Object to processing based on legitimate interests
  • Withdraw consent: For any processing based on consent, including AI processing

If you are a business owner/staff member, you can also manage and erase your own data via your account. If you are a client of a business that uses OpenSassy, you can manage your bookings yourself via your business's booking page, and request erasure either from that business directly or from us. To exercise any right, email hello@the-sassy.com. We will respond within one month, as UK GDPR requires.

11. Children

OpenSassy is a business tool, not directed at children. You must be at least 18 to create a business account. COUNSEL: confirm appropriate wording if under-18 end-clients of a business may book through OpenSassy (e.g. a barber booking a haircut for a minor).

12. Complaints

If you believe we have handled your data unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk or 0303 123 1113. We'd appreciate the chance to resolve any concerns directly first.

13. Changes to this policy

We will notify you by email and update the date above when we make material changes. Continued use of OpenSassy after notification constitutes acceptance.