Legal Documentation

Policies and agreements governing GafferBot AI

Privacy Policy

Last updated: 31 March 2026

1. Who We Are

GafferBot AI (“we”, “us”, “our”) is operated by Dopamean Limited, registered at 11 Brindley Place, Brunswick Square, Birmingham, England, B1 2LP. Our registered number is 12670329.

For data protection enquiries, contact us at info@gafferbot.ai.

2. What We Do

GafferBot AI provides AI-powered customer service software for UK trade businesses. Our platform handles web chat, WhatsApp, and Instagram messaging — qualifying leads, booking appointments, generating quotes, collecting information, managing scheduling, and processing invoices on behalf of our business clients.

3. Our Role: Data Controller and Data Processor

Depending on the context, GafferBot AI acts as either a data controller or a data processor under UK GDPR.

We act as a data controller when: we collect and process personal data for our own purposes — for example, managing business client accounts, processing subscription payments, handling demo bookings, and marketing our services. In these cases, we determine the purposes and means of processing and are directly responsible for compliance.

We act as a data processor when: we process end customer personal data on behalf of our business clients. When an end customer sends a message through one of our business client's chat channels, the business client is the data controller for that end customer's data, and we process it under their instructions to provide our services. Our business clients are responsible for ensuring they have a lawful basis to collect their end customers' data and for informing end customers about how their data is used.

A Data Processing Agreement (DPA) governs our processing of personal data on behalf of each business client. The DPA sets out the scope, nature, and purpose of processing, as well as obligations on both parties regarding data security, sub-processor use, data subject rights, and breach notification. Business clients can request a copy of our DPA by contacting info@gafferbot.ai.

4. Information We Collect

From our business clients (account holders):

  • Name, email address, phone number
  • Business name, trade type, coverage areas
  • Services and pricing information
  • Working hours and scheduling preferences
  • Calendar data (via OAuth, for appointment syncing and availability checking)
  • Payment information (processed by Stripe — we do not store card details)
  • Accounting software connection data (for invoice and customer syncing)

From end customers (people who message our clients' businesses):

  • Name, phone number, email address
  • Address details (for job bookings)
  • Job descriptions and requirements
  • Photos uploaded during chat conversations or sent via messaging platforms
  • Chat message content across all channels (web, WhatsApp, Instagram)
  • Invoice and payment information when paying invoices issued by our clients

From prospective clients (demo bookings):

  • Name, email address, phone number
  • Company name and trade type
  • Any notes provided when booking a demo

Automatically collected:

  • AI usage data (token counts for billing purposes)
  • Conversation metadata (timestamps, channel type, status)

5. How We Use Your Information

We use business client data to:

  • Provide and operate our AI customer service platform
  • Process bookings and sync appointments with your calendar
  • Manage your subscription and process payments
  • Send service-related notifications (new bookings, usage alerts, payment updates)
  • Monitor usage against plan limits
  • Sync invoice and customer data with connected accounting software
  • Improve our AI and services

We use end customer data to:

  • Respond to enquiries via AI-powered chat on behalf of our business clients
  • Qualify leads and assess job requirements
  • Create and manage bookings
  • Create and send invoices, and process payments on behalf of our business clients
  • Send calendar invitations and booking updates via email
  • Store photos related to job enquiries

We use demo booking data to:

  • Schedule and manage demonstration calls with prospective clients
  • Send calendar invitations for booked demos

6. Legal Bases for Processing

Under UK GDPR, we must have a lawful basis for each type of processing we carry out. The legal bases we rely on are as follows:

Contract (Article 6(1)(b)): We process personal data where it is necessary to perform a contract with you or to take steps at your request before entering into a contract. This applies to:

  • Providing and operating the GafferBot AI platform for business clients
  • Managing business client accounts and subscriptions
  • Processing subscription payments via Stripe
  • Syncing calendar data and managing bookings
  • Sending service-related notifications

Legitimate interests (Article 6(1)(f)): We process personal data where it is necessary for our legitimate interests or those of our business clients, provided those interests are not overridden by your rights. This applies to:

  • Processing end customer messages via AI on behalf of business clients
  • Lead qualification and scoring to help business clients prioritise enquiries
  • Automated booking detection and creation from conversations
  • Improving and developing our AI models and services
  • Monitoring platform usage for billing and capacity planning
  • Ensuring platform security and preventing misuse

Legal obligation (Article 6(1)(c)): We process personal data where it is necessary to comply with a legal obligation. This applies to:

  • Retaining invoice and payment data for 6 years as required by HMRC
  • Responding to lawful requests from regulators or law enforcement

Consent (Article 6(1)(a)): In limited circumstances, we rely on your consent to process personal data. Where we do, you have the right to withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal. This applies to:

  • Connecting third-party integrations such as calendar or accounting software (business clients grant consent via OAuth)
  • Receiving marketing communications about our services (prospective clients)

7. Automated Decision-Making and Profiling

Our platform uses AI to analyse customer conversations and automatically assign lead scores (0–100) and statuses (e.g. hot, warm, cold) based on the content of the conversation. This profiling helps our business clients prioritise enquiries.

The AI also automatically detects when a booking has been confirmed during a conversation and extracts relevant details (name, address, date, time) to create the booking record.

These automated processes assist our business clients in managing their workload. No decisions with legal or similarly significant effects are made solely by automated means — business clients review and can override all AI-generated data.

8. Consent: How We Obtain and Manage It

Business clients provide consent during account registration by agreeing to our Terms of Service and this Privacy Policy. For optional integrations (such as Google Calendar or accounting software), consent is granted through OAuth authorisation flows, which clearly describe the permissions being requested. Business clients can revoke integration consent at any time through their platform settings or through the third-party provider's account settings.

End customers interact with our platform when they message a business client's chat channels. End customers are informed that they are communicating with an AI-powered service through disclosure messages displayed at the start of chat conversations. The processing of end customer data is primarily carried out under the legitimate interests of the business client (the data controller), who is responsible for ensuring their own customers are appropriately informed. End customers can withdraw consent or request cessation of processing by contacting the business client directly or by emailing info@gafferbot.ai.

Prospective clients who book a demo provide their data voluntarily. Where we use this data for marketing follow-up, we do so only with consent and include an unsubscribe option in all marketing communications.

9. Calendar Integration

We use the Google Calendar API to create, update, and delete calendar events on behalf of our business clients. When a booking is created, updated, or cancelled, we add the end customer's email address as an attendee so that they receive calendar invitations and updates directly from Google.

We also read calendar data to check availability and prevent double-bookings. We access only the calendar data necessary to operate the booking service. We do not access, store, or share any other Google account data.

Business clients can revoke calendar access at any time through their Google account settings or through our platform's Settings page.

Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

10. Invoicing and Payments

Our platform enables business clients to create and send invoices to their end customers. Invoices are processed through Stripe, a PCI-compliant payment processor. Each business client has their own payment account — payments from end customers go directly to the business client, not through us.

We store invoice metadata (customer name, email, amounts, line items, status) to operate the invoicing feature. We do not store card details — all payment processing is handled by Stripe.

Business clients on eligible plans may connect accounting software to sync invoices and customer records. This data is transmitted to the connected accounting platform via secure OAuth-authenticated API connections.

11. Third-Party Services and Sub-Processors

We share data with the following categories of third-party sub-processors as necessary to operate our platform:

  • AI processing provider — processes chat messages to generate AI responses
  • Payment processor — processes subscription payments and client invoicing
  • Calendar provider — syncs appointments and sends booking invitations
  • Messaging platforms — delivers WhatsApp and Instagram messages
  • Accounting software providers — syncs invoices and customer data when connected by client
  • Email delivery provider — sends transactional notification emails
  • Database and storage provider — hosts application data and uploaded files
  • Authentication provider — manages user sign-in and access control
  • Application and widget hosting providers — serves the platform and chat widget

Each sub-processor is bound by their own privacy policies and data processing terms, and we maintain data processing agreements with each where required. We only share the minimum data necessary for each service to function.

We maintain a list of our named sub-processors, including their locations and the services they provide. To request a copy of this list, or if you have questions about a specific sub-processor, please contact info@gafferbot.ai. Business clients will be notified of material changes to sub-processors that affect the processing of end customer data.

12. Messaging Channels (WhatsApp and Instagram)

When end customers message a business via WhatsApp or Instagram, their messages (including text and images) are processed through our platform. Images sent via these channels are downloaded and stored securely to be associated with the relevant conversation.

Message content is processed by our AI to generate responses and detect bookings. The same data handling, lead qualification, and booking detection that applies to web chat also applies to WhatsApp and Instagram conversations.

13. Data Retention

We retain data as follows:

  • Business client account data — retained for the duration of the active subscription
  • Conversation and message data — retained for the duration of the client's subscription
  • Booking and lead data — retained for the duration of the client's subscription
  • Invoice data — retained for 6 years from the date of the transaction, as required by HMRC
  • Demo booking data — retained for up to 12 months after the demo date
  • AI usage logs — retained for billing and audit purposes for the duration of the client's subscription
  • Uploaded photos — retained for the duration of the client's subscription

Upon account cancellation, general data (conversations, bookings, leads, uploaded photos, AI usage logs) is retained for 365 days before deletion. Invoice and payment data is retained for 6 years from the date of the transaction, as required by HMRC tax and accounting regulations. End customers may request deletion of their non-financial data at any time by contacting us.

Data on account termination: When a business client's account is cancelled or terminated, we follow the retention schedule above. During the 365-day post-cancellation period, business clients may request an export of their data. After the 365-day period, all non-financial data is permanently deleted. End customer data processed on behalf of the business client is included in this deletion. We do not notify end customers directly of a business client's account termination — the business client (as data controller) is responsible for informing their own customers of any changes to how their data is handled.

14. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

  • Encryption in transit (HTTPS/TLS) across all communications
  • Secure authentication with role-based access controls
  • Encrypted database connections with row-level security policies
  • Server-side only access to database credentials (not exposed in browsers)
  • OAuth-based integrations with automatic token refresh (no passwords stored)
  • Webhook authentication between internal services

15. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by Article 33 of UK GDPR.

Where a breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will also notify those individuals without undue delay, as required by Article 34 of UK GDPR.

Where we are acting as a data processor, we will notify the affected business client (as data controller) without undue delay upon becoming aware of a breach involving their end customers' data, so that they can fulfil their own notification obligations.

16. Your Rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Object to processing of your data
  • Request restriction of processing
  • Request data portability
  • Object to automated profiling (including AI-generated lead scores)
  • Withdraw consent at any time
  • Lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk

To exercise any of these rights, email info@gafferbot.ai. We will respond within one month.

How we verify your identity: Before fulfilling a data subject request, we need to confirm your identity to protect against unauthorised access. For business clients, we verify your identity using the email address associated with your account. For end customers and other individuals, we may ask you to provide your name, email address, and details of the business client you interacted with so we can locate your data. In some cases, we may request additional information to confirm your identity. We will never ask for payment card details or passwords as part of this process.

End customers: If we are processing your data as a data processor on behalf of a business client, we may need to refer your request to the relevant business client (the data controller) to action. We will inform you if this is the case and assist where we can.

17. Cookies

We use essential cookies for authentication and site access. We do not use advertising, analytics, or third-party tracking cookies. The specific cookies we use are:

  • Session cookie — used to maintain your authenticated session while using the platform. This cookie expires when you close your browser or after a period of inactivity.
  • Site access cookie — used to remember that you have accessed the site. This cookie lasts for 30 days.

Because we use only strictly necessary cookies, we do not require cookie consent under the Privacy and Electronic Communications Regulations (PECR). No personal data is shared with third parties through our use of cookies.

18. Children's Privacy

Our services are designed for use by businesses and their adult customers. We do not knowingly collect personal data from children under 16. If you believe we have collected data from a child, please contact us immediately.

19. International Transfers

Several of our third-party sub-processors are based in the United States (see Section 11 for the full list). This means personal data — including end customer messages, account information, and payment data — may be transferred to and processed in the United States.

Where personal data is transferred outside the United Kingdom to a country that has not been granted an adequacy decision by the UK Secretary of State, we ensure appropriate safeguards are in place in compliance with UK GDPR, including:

  • UK International Data Transfer Agreement (UK IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as applicable
  • Reliance on UK adequacy regulations where the destination country has been deemed to provide adequate protection
  • Contractual commitments from sub-processors to maintain equivalent data protection standards

You may request further details about the safeguards we have in place for specific transfers by contacting info@gafferbot.ai.

20. Changes to This Policy

We may update this privacy policy from time to time. Any changes will be posted on this page with an updated revision date. Where changes are material, we will notify business clients via email or through the platform dashboard. We encourage you to review this policy periodically.

21. Contact

If you have any questions about this privacy policy, contact us at:
info@gafferbot.ai
Dopamean Limited
11 Brindley Place, Brunswick Square, Birmingham, England, B1 2LP

If you are not satisfied with our response to a data protection concern, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.