Privacy Policy
This Privacy Policy explains how August AI (“we”, “us”, “our”) collects, uses, stores, and protects your information when you use our services.
Last updated: 10 March 2026
1. Overview
August AI provides a WhatsApp-based CRM automation service that helps sales teams keep their pipelines clean through smart nudges, slash commands, and confirm-to-write updates. We integrate with CRM platforms (HubSpot, Zoho CRM) and the WhatsApp Business API to deliver this service.
This policy applies to our website (augusttech.io), our dashboard, and all related services. By using August AI, you agree to the collection and use of information as described here.
2. Data Controller and Processor Roles
Under GDPR and similar data protection legislation:
- Your organisation (our customer) is the Data Controller for the CRM data, contact information, and WhatsApp messages processed through August AI.
- August AI acts as a Data Processor, processing personal data on behalf of and under the instructions of the Data Controller.
- For data relating to our website visitors and account holders (e.g. login credentials, billing information), August AI is the Data Controller.
We offer a Data Processing Agreement (DPA) to formalise this relationship. See our DPA page for details.
3. What Data We Collect
3.1 Account Information
When you sign up for August AI, we collect:
- Name, work email address, and company name
- Google account information (if using Google OAuth for login)
- Billing information (processed by Stripe; we do not store card details)
3.2 CRM Data
When you connect your CRM, we access:
- Contact records (names, email addresses, phone numbers, custom fields)
- Deal/opportunity records (names, amounts, stages, close dates)
- Account/company records
- Owner/rep assignments and team structure
We access this data through OAuth-authorised API connections. You can revoke access at any time from your CRM's settings.
3.3 WhatsApp Messages
We process:
- Inbound messages from sales reps to the August AI bot
- Outbound messages (nudges, confirmations, and replies) sent by August AI
- Message metadata (timestamps, delivery status, message IDs)
We do not read or process messages between reps and their contacts/customers. We only process messages sent directly to the August AI bot number.
3.4 Usage Data
- Feature usage and interaction logs
- Admin panel activity
- Error logs and diagnostics
- IP addresses and browser information for security purposes
4. How We Use Your Data
We use collected data to:
- Deliver the service — Send CRM nudges, process slash commands, update CRM records as instructed by reps
- Run scheduled jobs — Identify stale deals, missing contact fields, and overdue accounts for nudge delivery
- Manage billing — Per-seat subscription management through Stripe
- Provide support — Diagnose issues, respond to support requests
- Improve the service — Analyse usage patterns (in aggregate) to improve features
- Ensure security — Audit logging, fraud prevention, and abuse detection
- Send transactional emails — Account notifications, billing receipts, and service updates
We do not sell your data. We do not use your CRM data to train AI models.
5. Legal Bases for Processing
Where applicable under GDPR or UK data protection law, we rely on:
- Performance of a contract — Processing necessary to deliver the August AI service you subscribed to
- Legitimate interests — Service improvement, security monitoring, and analytics (balanced against your rights)
- Consent — Where specifically required (e.g. marketing communications)
- Legal obligation — Where processing is required by law (e.g. tax records)
6. Subprocessors and Third Parties
We share data with the following categories of subprocessors to deliver our service. Each subprocessor is bound by contractual obligations to protect your data.
| Subprocessor | Purpose | Location |
|---|---|---|
| Cloudflare | Application hosting, CDN, edge compute | Global |
| Neon | PostgreSQL database hosting | US-East |
| Meta (WhatsApp) | WhatsApp Business API messaging | US |
| HubSpot | CRM integration (when selected by customer) | US |
| Zoho | CRM integration (when selected by customer) | US/EU |
| Stripe | Payment processing and subscription billing | US |
| Resend | Transactional email delivery | US |
| Vercel | Website and dashboard hosting | Global |
For a full, maintained list, see our Subprocessors page.
7. Data Retention
We retain data according to the following schedule:
| Data Type | Retention Period |
|---|---|
| Active account data (CRM records, rep mappings, settings) | Duration of your subscription |
| WhatsApp message logs | 90 days |
| Audit logs | 12 months |
| Billing records | As required by tax law (typically 6-7 years) |
| Deleted/cancelled accounts | 30-day grace period, then permanently purged |
After cancellation, your data enters a 30-day grace period during which you can reactivate your account. After 30 days, all tenant data is permanently deleted.
8. International Data Transfers
Your data may be processed in the United States and the European Union, depending on the Cloudflare edge location serving your request and the location of our database (Neon, US-East).
Where data is transferred outside the UK/EEA, we rely on:
- Standard Contractual Clauses (SCCs) with our subprocessors
- Adequacy decisions where available
- Supplementary measures as appropriate
9. Security
We implement industry-standard security measures including:
- Encryption at rest — AES-256-GCM for OAuth tokens and sensitive credentials; Neon database encryption via AWS KMS
- Encryption in transit — TLS on all connections
- Multi-tenant isolation — PostgreSQL Row-Level Security (RLS) prevents cross-tenant data access
- Webhook validation — HMAC-SHA256 signature verification on all inbound webhooks
- Access controls — PBKDF2-hashed passwords, signed session cookies, login lockout
- Security headers — HSTS, CSP, X-Frame-Options on all responses
- Audit logging — All significant actions logged with actor, IP, and timestamp
No system is 100% secure. If you discover a vulnerability, please report it to support@augustai.com.
10. Cookies
August AI uses only essential session cookies:
- Authentication cookies — HttpOnly, Secure, SameSite=Strict; used to maintain your logged-in session
- Theme preference — Stored in localStorage (not a cookie); remembers your light/dark mode choice
We do not use tracking cookies, advertising cookies, or third-party analytics cookies. Because we only use strictly necessary cookies, no cookie consent banner is required under GDPR/ePrivacy.
11. Your Rights (GDPR)
If you are in the UK or European Economic Area, you have the right to:
- Access — Request a copy of the personal data we hold about you
- Rectification — Request correction of inaccurate data
- Erasure — Request deletion of your data (“right to be forgotten”)
- Portability — Request your data in a structured, machine-readable format
- Restriction — Request that we limit processing of your data
- Objection — Object to processing based on legitimate interests
- Withdraw consent — Where processing is based on consent
To exercise these rights, contact us at support@augustai.com. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority (e.g. the ICO in the UK).
12. Your Rights (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know — Request what personal information we collect, use, and disclose
- Delete — Request deletion of your personal information
- Correct — Request correction of inaccurate personal information
- Opt-out of sale — We do not sell personal information
- Non-discrimination — We will not discriminate against you for exercising your rights
We do not sell personal information. We do not use or disclose sensitive personal information for purposes beyond what is necessary to provide the service.
13. Children's Privacy
August AI is a business-to-business service not directed at children under 16. We do not knowingly collect personal data from children. If we learn that we have collected data from a child, we will delete it promptly.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the updated version on this page with a new “Last updated” date. For material changes, we will notify you by email or through a notice in the dashboard.
15. Contact Us
For privacy-related questions, data requests, or concerns:
- Email: support@augustai.com
- Website: augusttech.io/contact
For UK/EU data protection enquiries, you may also contact your local supervisory authority.