Privacy Policy
This Privacy Policy explains how August Tech Ltd (“we”, “us”, “our”) collects, uses, stores, and protects personal data when you use August AI (the “Service”). It applies to our website at augusttech.io, our dashboard, and all related services.
Last updated: 18 May 2026
1. Who we are
August AI is operated by August Tech Ltd, a company incorporated in England and Wales, Companies House registration number 16843633, incorporated on 10 November 2025. Our registered office is 112 Trent Gardens, London, England, N14 4QN (SIC 62090).
We are registered with the UK Information Commissioner's Office (ICO) as a data controller. Our ICO registration was submitted on 18 May 2026; the reference number will be published here once the certificate is issued.
Privacy contact: support@augusttech.io
Data protection enquiries (DPA, security review, DPIA): dpa@augusttech.io
Postal: August Tech Ltd, 112 Trent Gardens, London, England, N14 4QN
We have not appointed a Data Protection Officer (DPO) because our core activities do not require one under UK GDPR Article 37. Privacy enquiries are handled directly by the team at the addresses above.
2. Controller and processor roles
Under UK GDPR, EU GDPR, and equivalent laws, our role depends on whose data we are processing:
- Customer CRM data and WhatsApp messages. Your organisation is the data controller; August AI acts as a data processor and processes that personal data only on your documented instructions, in line with GDPR Article 28.
- Account holders and website visitors. For login credentials, billing information, and visitor analytics on augusttech.io, August Tech Ltd is the data controller.
The contractual basis for our processor role is set out in our Data Processing Agreement. A procurement-friendly one-page summary is at /legal/data-protection.
3. Personal data we collect
3.1 Account information
When you sign up for August AI, we collect:
- Name, work email address, and company name
- Google account profile data (where you sign in with Google OAuth: email, name, profile picture)
- Billing information processed by Stripe; we store only the customer ID, last four digits of the card, and the subscription metadata
3.2 CRM data (acting as processor on behalf of the customer)
When you connect your CRM, we access the following through OAuth-authorised API connections:
- Contact records (name, business email, business phone, custom fields)
- Deal or opportunity records (name, amount, stage, close date)
- Account or company records
- Owner or rep assignments and team structure
You can revoke this access at any time from your CRM provider's settings or from the August AI dashboard.
3.3 WhatsApp messages
We process:
- Inbound messages from sales reps to the August AI bot number
- Outbound messages (briefings, confirmations, and replies) sent by August AI
- Message metadata (timestamps, delivery status, message IDs)
We do not read or process messages between reps and their own contacts or customers. We only process messages sent directly to the August AI bot number.
3.4 Usage data
- Feature usage and interaction logs
- Admin panel activity
- Error logs and diagnostics
- IP address and browser fingerprint for security and rate-limiting purposes
4. How we use your data
We process personal data for the following purposes:
- Deliver the Service: Send CRM briefings, process slash commands, update CRM records as instructed by reps
- Run scheduled jobs: Identify stale deals, missing contact fields, and overdue accounts for briefing delivery
- Manage billing: Per-seat subscription management through Stripe
- Provide support: Diagnose issues and respond to support requests
- Improve the Service: Analyse aggregated usage patterns to improve features
- Secure the Service: Audit logging, fraud prevention, and abuse detection
- Send transactional emails: Account notifications, billing receipts, and service updates
We do not sell personal data. We do not use your CRM data to train AI models.
5. Legal bases for processing
Where applicable under UK GDPR or EU GDPR, we rely on:
- Performance of a contract (Article 6(1)(b)): Processing necessary to deliver the Service you subscribed to
- Legitimate interests (Article 6(1)(f)): Service improvement, security monitoring, and aggregated analytics, balanced against your rights
- Consent (Article 6(1)(a)): Where specifically required, for example optional analytics cookies and marketing emails
- Legal obligation (Article 6(1)(c)): Where processing is required by law, for example tax records
6. Sub-processors and recipients
We share data with the following sub-processors to deliver the Service. Each sub-processor is bound by a Data Processing Agreement (GDPR Article 28). For the full, maintained list with country, role, and Chapter V GDPR safeguard, see our Sub-processors page.
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare Workers Ltd (UK) | Application hosting, CDN, WAF, DDoS mitigation | UK + global edge |
| Neon Inc. | Operational Postgres database | DB: eu-west-2 (London). Control plane: US |
| WhatsApp Ireland Limited (Meta) | WhatsApp Business Cloud API | Ireland + Meta global |
| Anthropic, PBC | AI inference (briefing summarisation, reply parsing) | US |
| OpenAI, OpCo, LLC | AI inference (fallback surfaces) | US |
| HubSpot, Inc. | Customer's own CRM (where connected) | US or EU per customer selection |
| Zoho Corporation | Customer's own CRM (alternative) | India / EU / US per customer selection |
| Stripe Payments Europe Ltd | Subscription billing | Ireland |
| Resend, Inc. | Transactional email | US |
We do not sell personal data to third parties.
7. Data retention
| Data type | Retention period |
|---|---|
| Active account data (CRM records, rep mappings, settings) | For the duration of your subscription |
| WhatsApp message logs | 90 days |
| Audit logs | 12 months |
| Billing records | As required by UK tax law (currently 6 years) |
| Deleted or cancelled accounts | 30-day grace period, then permanent purge |
| Support tickets | 24 months from last contact |
| Marketing consent records | Until you withdraw consent, plus 3 years to evidence the consent |
After cancellation, your data enters a 30-day grace period during which you can reactivate your account. After 30 days, all tenant data is permanently deleted.
8. International transfers
Your operational data is stored on Neon Postgres in eu-west-2 (London) and served through Cloudflare's global edge network with a UK contracting entity. Some sub-processors (Anthropic, OpenAI, Stripe, Resend) operate in the United States.
Where data is transferred outside the UK or EEA, we rely on:
- UK or EU adequacy decisions where available
- Standard Contractual Clauses (SCCs) plus the UK International Data Transfer Addendum
- Transfer Impact Assessments and supplementary measures as appropriate
- Zero-retention API mode for AI sub-processors where supported
You can request a copy of the relevant SCCs by emailing dpa@augusttech.io.
9. Security
We implement technical and organisational measures appropriate to the risk, including:
- Encryption at rest: AES-256-GCM for OAuth tokens and sensitive credentials; Neon database encryption via AWS KMS
- Encryption in transit: TLS 1.2 or higher on all connections
- Multi-tenant isolation: Postgres Row-Level Security (RLS) prevents cross-tenant data access
- Webhook validation: HMAC-SHA256 signature verification on all inbound webhooks
- Access controls: PBKDF2-hashed passwords, signed session cookies, login lockout
- Security headers: HSTS, CSP, X-Frame-Options on all responses
- Audit logging: All significant actions logged with actor, IP, and timestamp
- Vendor security reviews: Sub-processors reviewed at onboarding and at material change
We notify affected customers and the relevant supervisory authority within 72 hours of becoming aware of a personal data breach likely to result in risk to your rights and freedoms (GDPR Article 33). Report a suspected vulnerability to support@augusttech.io.
10. Cookies and tracking
August AI uses three categories of cookies and similar technologies:
- Necessary (always on). Session authentication cookies (HttpOnly, Secure, SameSite), CSRF protection, and theme preference stored in localStorage. These are required to deliver the Service and do not require consent under UK GDPR / PECR.
- Analytics (opt-in). Aggregated usage analytics. Currently not set; the consent category is in place so that any future analytics provider requires your explicit opt-in.
- Marketing (opt-in). Retargeting and ad-measurement cookies. Currently not set; the consent category is in place so that any future marketing pixels require your explicit opt-in.
On first visit, our cookie banner asks for your choice across these categories. You can accept all, reject all, or pick a custom mix. Your choice is stored in a first-party cookie named cookie-consent-v2 and persists for one year. To change it, clear the cookie or the equivalent localStorage key and reload the page.
11. Your rights (UK / EU GDPR)
If you are in the UK or European Economic Area, you have the right to:
- Access: Request a copy of the personal data we hold about you (Article 15)
- Rectification: Request correction of inaccurate data (Article 16)
- Erasure: Request deletion of your data, the “right to be forgotten” (Article 17)
- Restriction: Request that we limit processing of your data (Article 18)
- Portability: Request your data in a structured, machine-readable format (Article 20)
- Objection: Object to processing based on legitimate interests (Article 21)
- Withdraw consent: Where processing is based on consent
- Lodge a complaint: With your local supervisory authority (UK: ICO; EU: your member-state authority)
To exercise these rights, email support@augusttech.io. We will respond within 30 days (extendable by 60 days for complex requests; we will inform you within 30 days if the extension applies).
12. California rights (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know: Request what personal information we collect, use, and disclose
- Delete: Request deletion of your personal information
- Correct: Request correction of inaccurate personal information
- Opt out of sale or sharing: We do not sell or “share” personal information as defined by CCPA
- Limit use of sensitive personal information: We do not use sensitive personal information beyond what is necessary to provide the Service
- Non-discrimination: We will not discriminate against you for exercising your rights
To submit a request, email support@augusttech.io. We honour the Global Privacy Control (GPC) browser signal as a valid opt-out.
13. Children
August AI is a business-to-business service not directed at children under 16. We do not knowingly collect personal data from children. If we learn that we have collected data from a child, we will delete it promptly. Email support@augusttech.io if you believe a child has provided us with personal data.
14. Changes to this Policy
We may update this Privacy Policy from time to time. We will post the updated version on this page with a new “Last updated” date. For material changes, we will notify you by email or through a notice in the dashboard at least 30 days before the change takes effect.
15. Contact
For privacy-related questions, data requests, or concerns:
- General privacy: support@augusttech.io
- Data Processing Agreement, security review, DPIA: dpa@augusttech.io
- Postal: August Tech Ltd, 112 Trent Gardens, London, England, N14 4QN
- Website: augusttech.io/contact
For UK or EU data-protection enquiries you may also contact your local supervisory authority. For the UK, that is the Information Commissioner's Office (ico.org.uk).
August Tech Ltd · Companies House 16843633 · Incorporated 10 November 2025 · Registered office: 112 Trent Gardens, London, England, N14 4QN · SIC 62090.