Privacy Policy
This Privacy Policy explains how ASTROX TECHNOLOGIES LTD collects, uses, and protects personal data in connection with the Astroxtech platform and website, in compliance with UK GDPR and the Data Protection Act 2018.
1. Who we are
Astroxtech is a trading name of ASTROX TECHNOLOGIES LTD (Company No. 16584933), registered at 72 Glenthorne Close, Sutton, Greater London, United Kingdom, SM3 9NN.
We are the data controller for personal data collected through our website and platform account management. For personal data your end-customers share through your AI agent (e.g., your shoppers' messages), we act as a data processor on your behalf — see our Data Processing Agreement.
We are registered with the UK Information Commissioner's Office (ICO) as a data controller. Our ICO registration number is available on request at support@astroxtech.com. We have not appointed a formal Data Protection Officer (DPO) but have designated support@astroxtech.com as our data protection contact for all privacy-related enquiries.
Contact our data team: support@astroxtech.com
2. What data we collect and why
We collect personal data in the following contexts:
a) Website enquiries and contact forms
- Data: Name, email address, company name, message content.
- Legal basis: Legitimate interests (responding to your enquiry and operating our business).
b) Account registration and management
- Data: Name, business email, company name, billing address, password (hashed).
- Legal basis: Performance of a contract (to provide you with access to the service).
c) Billing and payment
- Data: Billing name, email, company, country. Payment card details are handled directly by Stripe — we do not store full card numbers.
- Legal basis: Performance of a contract; legal obligation (financial record-keeping).
d) Service usage and platform activity
- Data: Login timestamps, feature usage, AI agent configuration, conversation logs, integration data (e.g., Shopify store data, WhatsApp contact identifiers).
- Legal basis: Performance of a contract; legitimate interests (maintaining service quality and security).
e) Technical and analytics data
- Data: IP address, browser type, pages visited, error logs.
- Legal basis: Legitimate interests (security, performance monitoring, fraud prevention).
3. Cookies
Our website uses cookies in the following categories:
- Strictly necessary: Session authentication, CSRF protection. These cannot be disabled.
- Analytics: Aggregate usage statistics to improve the website. We use privacy-respecting analytics that do not track individuals across sites.
- Preferences: Remembering your settings and choices.
We currently use only strictly necessary cookies. No analytics, tracking, or marketing cookies are set. A cookie consent banner is displayed on your first visit to any page on our website, giving you the option to accept all cookies or confirm essential-only. Your choice is stored in your browser's local storage so you are not asked again on subsequent visits. You can reset your cookie preferences at any time by clearing your browser's local storage or site data. We will update this policy and the banner options before introducing any non-essential cookies.
4. How we share data
We do not sell personal data. We share data with the following categories of service providers (“subprocessors”) solely to operate the service:
- Cloud hosting: Server infrastructure (data stored in EU/UK regions where possible).
- Payment processing: Stripe, Inc. (PCI-DSS compliant).
- AI model services: OpenAI (for generating AI agent responses). Under OpenAI's standard API terms for business customers, your data (inputs and outputs) is not used to train OpenAI's models and is not retained by OpenAI beyond the processing request, except as required for safety or legal purposes. Your end-customers' conversation data remains your data and is not shared with OpenAI for training.
- Messaging channels: Bird (WhatsApp Business API delivery).
- Email delivery: Transactional email providers for account notifications.
- eCommerce integrations: Shopify (data accessed under your authorisation).
- Website delivery & security: Cloudflare, Inc. (CDN, DDoS protection, DNS — USA/Global).
- Cookie consent management: CookieYes (consent banner and consent log storage).
We require all subprocessors to maintain appropriate data protection and security standards. The list of subprocessors above may be updated from time to time as our infrastructure evolves. The latest version will always be available on this page.
5. International data transfers
Some of our subprocessors are based outside the UK and EEA, which means your personal data may be transferred internationally. The most significant transfer is described below:
- OpenAI (USA): When you or your end-customers interact with an AI agent on our platform, the message content (the text of the conversation) is sent to OpenAI's servers in the United States to generate a response. This is a core part of how the AI service works. OpenAI processes this data solely to return an AI-generated reply and does not retain it to train its models. We rely on Standard Contractual Clauses (SCCs) as the transfer mechanism for this transfer.
- Cloudflare (USA/Global): Web traffic to our website passes through Cloudflare's network for delivery and security purposes. Cloudflare may process limited request metadata (such as IP addresses) internationally. We rely on SCCs for this transfer.
- Stripe (USA): Payment card data is processed by Stripe in the USA. Stripe is PCI-DSS compliant and relies on UK IDTA / SCCs.
For all international transfers, we have verified that appropriate safeguards are in place under UK GDPR, including the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs) where applicable. You can request a copy of the relevant transfer mechanisms by contacting support@astroxtech.com.
6. Data retention
We retain personal data for as long as necessary to provide the service and meet our legal obligations:
- Account data: Retained while your account is active and for 12 months after closure, to handle any outstanding matters.
- Billing records: Retained for 6 years from the end of the relevant accounting period, as required by HMRC (VAT Notice 700/21 and Corporation Tax rules).
- Conversation and agent handoff logs: Retained according to your subscription plan:
  - Starter: 7 days
  - Growth: 30 days
  - Scale: 180 days
  - Enterprise: up to 1 year, or as extended by written agreement in your Data Processing Agreement
- Order and customer history data: Retained according to your subscription plan — 30 days (Starter/Growth), 180 days (Scale), up to 12 months (Enterprise).
- Contact/enquiry data: Retained for 12 months from last contact.
On account closure, all conversation and end-customer data (which we hold as data processor on your behalf) is deleted within 30 days, except where a longer retention period applies under your plan or applicable law.
Important distinction: The 30-day post-closure deletion applies to processor data (your end-customers' messages and contact details). It does not apply to controller data we hold in our own right — such as your account registration details, billing records, payment history, and security logs — which we retain for as long as required by law (e.g. 6 years for financial records under HMRC rules). Encrypted backup copies may also persist for up to 30 days after a deletion event before being fully purged.
7. Your rights under UK GDPR
You have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Ask us to correct inaccurate or incomplete data.
- Erasure: Request deletion of your personal data (subject to legal obligations).
- Restriction: Ask us to limit how we use your data in certain circumstances.
- Portability: Receive your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Where processing is based on consent, you may withdraw it at any time.
To exercise any right, email support@astroxtech.com with the subject line “Privacy Request”. We will respond within 30 days.
8. Marketing communications
We will only send you marketing emails if you have opted in. You can unsubscribe at any time by clicking the “Unsubscribe” link in any marketing email or by emailing support@astroxtech.com. Opting out of marketing does not affect transactional and account-related communications.
9. Data deletion request
To request deletion of your account and associated data, email support@astroxtech.com with the subject line “Data Deletion Request” and include your account email or company name. We will process your request within 30 days, subject to any legal retention obligations.
10. Right to complain
If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with the UK's data protection authority:
Information Commissioner's Office (ICO)
Website: ico.org.uk
Helpline: 0303 123 1113
We would appreciate the opportunity to address your concerns directly before you contact the ICO, so please reach out to us first.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and by updating the “Last updated” date at the top of this page. Continued use of the service after the effective date constitutes acceptance of the updated policy.
12. Contact
For any privacy-related questions: support@astroxtech.com
ASTROX TECHNOLOGIES LTD, 72 Glenthorne Close, Sutton, Greater London, SM3 9NN, UK.
Document History
| Version | Effective Date | Summary of changes |
|---|---|---|
| 1.4 | 14 March 2026 | Added Cloudflare and CookieYes to subprocessor list (s.4); expanded s.5 with specific per-provider international transfer disclosure — OpenAI (USA), Cloudflare (USA/Global), Stripe (USA) — with transfer mechanisms named. |
| 1.3 | 14 March 2026 | Implemented cookie consent banner on all pages; updated s.3 to accurately describe banner behaviour. |
| 1.2 | 14 March 2026 | Updated cookie section to accurately reflect current status; added OpenAI no-training disclosure (s.4); added processor vs controller data retention split (s.6). |
| 1.1 | 14 March 2026 | Added ICO registration statement; DPO designation contact; cookie consent mechanism description (s.3); clarified data retention periods. |
| 1.0 | January 2026 | Initial release. |