Effective date: 11 September 2025
Last reviewed: 11 September 2025

This Privacy Policy explains how AdsumoAI Ltd (trading as "AssumeAI") collects, uses, discloses and protects personal data. It applies when you visit our websites, contact us, receive our marketing, use our products and services (including AI agents, voice assistants and related integrations), or otherwise interact with us.

1) Who we are and how to contact us

Controller: AdsumoAI Ltd ("we", "us", "our") trading as AssumeAI.
Company number: 16276829
Registered office: Peasebrook House, Little Buckland, Broadway, Worcestershire, United Kingdom, WR12 7JH
Trading/Service names: AssumeAI and related brand variations
Primary email (privacy): [email protected]
Postal contact: Data Protection Lead, AdsumoAI Ltd, Peasebrook House, Little Buckland, Broadway, WR12 7JH, UK

Unless we say otherwise, we act as the controller of the personal data described in this notice. When we provide services to our business customers and process personal data on their instructions (for example, running an AI receptionist for a client), we act as their processor. See Section 14 for our processor terms summary.

ICO registration: We are required to pay the data protection fee to the UK Information Commissioner's Office (ICO) unless exempt. Our registration details will be published on the ICO register of fee payers; we will update this notice with the registration number when issued.
EU representative (if applicable): If we start targeting individuals in the EEA in a way that requires an EU representative, we will appoint one and update this notice accordingly.

2) What data we collect

We collect and process the following categories of personal data, depending on your relationship with us:

Identity & contact data: name, job title, employer, business address, email, phone.

Account & profile data: login credentials, role/permissions, preferences, support requests.

Communications data: emails, messages, live-chat and call metadata, call recordings and voicemails handled by AI agents (where enabled), transcriptions and summaries.

Customer content: prompts, messages, uploaded documents or knowledge-base content you provide for use with our AI agents; configuration files and metadata.

Transactional & billing data: purchase history, invoices, payment status, limited cardholder details processed by our payment processors (we do not store full card numbers).

Technical & usage data: IP address, device identifiers, browser type, time zone, cookies, analytics identifiers, event logs, product usage (features clicked, error reports, performance data).

Marketing data: your marketing preferences, lead source, campaign interactions, and opt-in/opt-out status.

Third‑party/enrichment data: information from publicly available sources (e.g. company websites, LinkedIn), licensed data providers, and prospecting tools where permitted by law.

Special category data: we do not intentionally collect special category data (e.g. health data) about our own users or prospects. If a client instructs us to process such data via an AI workflow, we act as processor and require appropriate safeguards and a valid legal basis determined by the client controller.

3) How we obtain data

Directly from you when you enquire, sign up, book a call, use our services, or communicate with us.

From your employer if your organisation is our customer and creates user accounts for you.

Automatically through cookies, SDKs and similar technologies when you use our websites and products.

From third parties such as CRM/marketing platforms, lead-generation partners, referrals, data enrichment providers, or publicly available sources.

4) Purposes & lawful bases for processing

We process personal data under the UK GDPR and the Data Protection Act 2018 on one or more of the following legal bases: contract, legitimate interests, consent, and legal obligation. Examples are set out below.

PurposeData categoriesLawful basisProvide our services (set-up, configure, and operate AI agents; maintain accounts; deliver support)Identity, contact, account, communications, customer content, technicalPerformance of a contract with you/your organisation; legitimate interests (to run and improve our services)Transcribe/record calls and messages handled by AI agents where enabledCommunications, customer contentLegitimate interests (quality, training, audit, dispute resolution); consent where required by lawBilling and account administrationIdentity, contact, transactionalContract; legal obligation (tax/record-keeping)Product analytics, diagnostics and securityTechnical & usage data, limited account dataLegitimate interests (to secure and improve our services)Marketing to business contacts (email, SMS, phone)Identity, contact, marketing dataLegitimate interests (B2B marketing) in line with PECR; consent where required; you can opt out at any timeSales prospecting and lead enrichmentIdentity, contact, third‑party/enrichmentLegitimate interests (growing our business) balanced with your rights; you can object at any timeCompliance, legal claims & fraud preventionAny relevant categoryLegal obligation; legitimate interests

Your right to object: where we rely on legitimate interests, you have the right to object at any time. Where we rely on consent, you can withdraw it at any time.

5) Cookies and similar technologies

We use necessary cookies to operate our sites and optional cookies/SDKs for analytics and (where used) advertising. You can manage preferences via our cookie banner or your browser settings. For detailed information, see our Cookie Policy(linked from our website footer). Essential cookies are set on the basis of our legitimate interests; analytics/advertising cookies are set with your consent (where required by law).

6) Disclosures of your personal data

We share personal data with the following categories of recipients where appropriate:

Hosting & infrastructure: cloud hosting, CDN and data storage providers.

Product vendors used to deliver services: e.g. telephony/voice providers, AI model providers, transcription, vector databases, workflow/orchestration and integration platforms.

Business operations: CRM, billing and payments, email and SMS delivery, analytics, error monitoring, ticketing and support, project management.

Professional advisers & insurers and other service providers under contract.

Corporate transactions: if we undergo a merger, acquisition, or asset sale.

Authorities and regulators where required by law or to protect our legal rights.

Where we act as processor for a client, disclosures to sub‑processors are governed by our Data Processing Addendum (see Section 14).

7) International transfers

Some recipients are located outside the UK/EEA. Where we transfer personal data internationally we use one or more of the following safeguards:

Adequacy regulations/orders recognising the destination as providing an adequate level of protection;

The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs);

Additional technical and organisational measures where appropriate (e.g. encryption in transit and at rest, access controls, data minimisation).

You can contact us for more information about specific transfer mechanisms for your data.

8) Data security

We implement appropriate technical and organisational measures designed to protect personal data, including: access controls and least‑privilege, encryption in transit and at rest (where supported), environment segregation, audit logging, secure software development practices, vendor due diligence, incident response procedures and regular reviews of our security posture. No system is perfectly secure; if we become aware of a personal data breach, we will assess the risk and notify the ICO and affected individuals where required by law.

9) Data retention

We keep personal data only for as long as necessary for the purposes described above or to comply with legal, accounting or reporting requirements. Typical retention periods are:

Account records & contracts: 7 years from end of contract.

Support tickets & operational logs: up to 24 months.

Call recordings/transcripts handled by AI agents: default 24 months (or as agreed with the client controller).

Marketing/contact data: up to 24 months from last meaningful interaction or until you opt out (whichever is sooner).

Cookies/analytics identifiers: per our Cookie Policy and browser settings.

We may anonymise data for statistical purposes (anonymised data is not personal data).

10) Your rights

Under the UK GDPR you have the following rights (subject to conditions/exemptions):

Access your personal data and obtain a copy.

Rectification of inaccurate or incomplete data.

Erasure ("right to be forgotten").

Restriction of processing.

Data portability in a structured, commonly used and machine‑readable format.

Object to processing based on our legitimate interests, including direct marketing (you can opt out of marketing at any time).

Withdraw consent where processing is based on consent.

To exercise your rights, email [email protected]. We may need to verify your identity. If your data is processed on behalf of a client (we are a processor), please contact that client (the controller) directly; we will assist them with your request.

Complaints: You can complain to the UK ICO at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; telephone 0303 123 1113; www.ico.org.uk. We would appreciate the chance to deal with your concerns before you approach the ICO, so please contact us first.

11) Marketing communications

We send B2B marketing to corporate subscribers under legitimate interests and in line with the Privacy and Electronic Communications Regulations (PECR). We obtain consent where required (e.g. some SMS/individual subscriber scenarios). You can opt out of marketing at any time via the link provided in communications or by contacting us.

12) Automated decision‑making and profiling

Our AI agents profile inputs to generate responses and route tasks. We do not make decisions producing legal or similarly significant effects solely by automated means without meaningful human involvement. You may request human review of any automated outputs that materially affect you, express your point of view, and contest the decision.

13) Children

Our services are designed for business users and are not intended for children under 18. We do not knowingly collect personal data from children.

14) When we act as processor (summary of controller–processor terms)

Where a customer is the controller and we are their processor, the following will apply (in addition to the main contract):

Instructions: we process personal data only on the documented instructions of the controller.

Confidentiality: all personnel are bound by confidentiality obligations.

Security: we implement appropriate technical and organisational measures (Section 8).

Sub‑processors: we may engage vetted sub‑processors under written contracts with data protection terms no less protective than these; we remain responsible for their acts/omissions. We maintain a sub‑processor list and will notify customers of material changes per our contract.

International transfers: safeguarded under adequacy/IDTA/SCCs as applicable.

Assistance: we assist the controller with data subjects' rights, DPIAs and consultations with supervisory authorities, taking into account the nature of processing and information available to us.

Breach notification: without undue delay after becoming aware of a personal data breach relating to the service.

Return/Deletion: at the end of the provision of services to the controller, we will delete or return personal data as directed, unless retention is required by law.

Audits: we make available information and, where appropriate, allow audits/inspections under agreed procedures to demonstrate compliance.

A full Data Processing Addendum (DPA) can be provided on request or incorporated into your Master Services Agreement.

15) Third‑party services and links

Our websites and services may include links to or integrations with third‑party services. Those services have their own privacy notices and terms. We encourage you to review them.

16) Changes to this notice

We may update this Privacy Policy from time to time. We will post the updated version on our website with a new "Effective date" and, where appropriate, notify you by email or in‑product notice. Continued use of our services after the effective date means you acknowledge the updated policy.

17) Key definitions

"UK GDPR" means the retained EU GDPR as incorporated into UK law under the Data Protection Act 2018.

"personal data" means any information relating to an identified or identifiable natural person.

"controller" determines the purposes and means of processing; "processor" processes personal data on behalf of the controller.

"processing" means any operation performed on personal data (e.g. collection, storage, use, disclosure).

Contact

If you have questions about this Privacy Policy or our data practices, contact [email protected] or write to the Data Protection Lead at the address above.