Privacy Policy
Last updated: 26 March 2026
1. Who We Are
AskKit is a trading name of Exchester Ltd, a company registered in England and Wales (Company No. 12601661). Our registered office is at 2nd Floor College House, 17 King Edwards Road, Ruislip, London, HA4 7AE.
We are the data controller for the personal data we process through the AskKit service. If you have any questions about how we handle your data, please contact us at contact@exchester.com.
2. What Information We Collect
We collect the following categories of personal data when you use AskKit:
Account Information
- Your name and email address
- Password (stored as a secure hash — we never store your actual password)
- Business name, business type, and postcode
- Country and timezone
Business Data
- Social media account connections (Instagram, Facebook, TikTok, X) and associated usernames
- Google Business Profile information (if you choose to connect it)
- Content you create or approve through the service (social media posts, captions, images, videos)
- Competitor information you choose to track
- Client records you create within the service
Conversation Data
- Messages you send to and receive from AskKit via the web chat and mobile app
- These messages are processed by our AI system to provide you with responses and recommendations
Payment Information
- Billing details are collected and processed by our payment provider, Stripe. We do not store your full card details on our servers.
- We store your Stripe customer ID and subscription status to manage your plan.
Technical Data
- IP address, browser type, and device information
- Usage data and analytics (with your consent — see our Cookie Policy)
3. How We Use Your Information
We process your personal data on the following legal bases under the UK GDPR:
Contract Performance (Article 6(1)(b))
We need to process your data to provide the AskKit service you have signed up for. This includes:
- Creating and managing your account
- Processing your messages and generating AI-powered responses
- Publishing social media content on your behalf
- Managing your subscription and processing payments
- Sending service-related communications (e.g. password resets, billing notifications)
Legitimate Interests (Article 6(1)(f))
We process some data based on our legitimate interests, where these do not override your rights:
- Improving and developing the AskKit service
- Detecting and preventing fraud or abuse
- Ensuring the security of our systems
Consent (Article 6(1)(a))
Where we rely on your consent, you can withdraw it at any time:
- Analytics cookies (Google Analytics) — managed via our cookie preferences
- Marketing communications (if applicable)
4. AI Processing
AskKit uses artificial intelligence to process your messages and provide business recommendations. Here is how this works:
- How it works: When you send a message to AskKit, your message content is processed by an AI model hosted on Amazon Web Services (AWS) Bedrock in the EU (London region, eu-west-2). The AI processes your message and generates a response.
- What data is processed: Your message content, relevant business context (e.g. business name, type, recent activity), and conversation history are included to provide accurate responses.
- Data retention by AI providers: Messages processed through AWS Bedrock are not used to train AI models. AWS Bedrock does not store your prompts or completions.
- Automated decisions: AskKit generates suggestions and recommendations (such as social media post ideas, competitor insights, and review responses). These are always presented as suggestions — you retain full control over what gets published or acted upon. No automated decisions with legal or similarly significant effects are made without your review.
- Human oversight: You can contact us at any time to request human review of any AI-generated recommendation or to raise concerns about the service's output.
5. Third-Party Data Processors
We share your personal data with the following third-party processors who help us provide the AskKit service. We have appropriate data processing agreements in place with each.
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, infrastructure, and AI processing (Bedrock) | All service data including messages processed by AI | EU (eu-west-2, London) |
| Stripe | Payment processing | Billing details, email | US / EU |
| PostForMe | Social media publishing | Post content, media, social account IDs | UK |
| Serper | Web search (competitor and local intelligence) | Search queries (business names, locations) | US |
| fal.ai | AI video generation | Images, video prompts | US |
| Apify | Competitor tracking | Competitor profile URLs | EU |
| Google | OAuth, Analytics, Places API | Email (OAuth), usage data (Analytics), business lookup queries (Places) | US |
| AWS SES | Transactional email | Email address, message content | EU |
| AWS SNS | Push notifications | Device tokens, notification content | EU |
6. Data Retention
We retain your personal data for as long as necessary to provide the service and fulfil our legal obligations:
- Account data: Retained while your account is active. Deleted within 30 days of account deletion.
- Conversation history: Retained while your account is active. Older messages are automatically archived and summarised to maintain service quality.
- Published content: Social media posts and media are retained for 30 days after publication, then automatically removed from our systems.
- Competitor and local intelligence snapshots: Retained for 90 days, then automatically deleted.
- Payment records: Retained for 7 years as required by UK tax law (HMRC).
- Authentication tokens: Refresh tokens expire after 7 days. Recovery and magic link tokens expire within 15 minutes to 1 hour.
When you delete your account, we remove all your personal data from our active systems. Some data may persist in encrypted backups for up to 30 days before being permanently deleted.
7. Your Rights Under UK GDPR
Under the UK General Data Protection Regulation, you have the following rights:
- Right of access: You can request a copy of all personal data we hold about you. You can do this through your account settings or by emailing us.
- Right to rectification: You can update your personal information through your account settings or by contacting us.
- Right to erasure: You can delete your account and all associated data through your account settings or by contacting us. We will process deletion requests within 30 days.
- Right to restrict processing: You can ask us to limit how we use your data in certain circumstances.
- Right to data portability: You can request your data in a machine-readable format (JSON). This is available through your account settings.
- Right to object: You can object to processing based on legitimate interests.
- Right to withdraw consent: Where we rely on consent (e.g. analytics cookies), you can withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please email contact@exchester.com. We will respond within one month.
If you are not satisfied with how we handle your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
8. Data Security
We take the security of your data seriously and implement appropriate technical and organisational measures, including:
- Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security).
- Encryption at rest: Data stored in our databases is encrypted at rest using AWS encryption services.
- Access controls: Access to personal data is restricted to authorised personnel on a need-to-know basis.
- Token security: Authentication tokens and sensitive credentials are protected using industry-standard methods (Fernet encryption, SHA-256 hashing, HMAC).
- Security headers: Our application implements strict Content Security Policy, HSTS, and other security headers.
9. International Data Transfers
Our core infrastructure and AI processing are hosted in the UK (AWS eu-west-2, London). Some of our third-party processors are based outside the UK (see the table above). Where personal data is transferred internationally, we ensure appropriate safeguards are in place:
- Adequacy decisions: Where the UK government has determined that a country provides an adequate level of data protection.
- Standard Contractual Clauses (SCCs): We use UK International Data Transfer Agreements or EU SCCs (as adopted under UK law) with processors in countries without adequacy decisions.
- Processor commitments: Our key processors (AWS, Stripe, Google) maintain certifications and commitments relevant to international data transfers.
10. Children's Privacy
AskKit is a business management service and is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at contact@exchester.com and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify you via email or through the AskKit service for significant changes
We encourage you to review this policy periodically.
12. Contact Us
If you have any questions about this Privacy Policy or how we handle your data, please contact us:
- Email: contact@exchester.com
- Post: Exchester Ltd, 2nd Floor College House, 17 King Edwards Road, Ruislip, London, HA4 7AE
VAT No. 467 0053 02