This Privacy Policy explains how OzcenkLabs Ltd. ("we", "OzcenkLabs") processes personal data when you use our multi-sector AI assistant SaaS service (the "Service"). This policy is prepared in accordance with the UK GDPR and the EU GDPR.
1. Definitions
- Customer: The business subscribing to the Service (healthcare practice, real estate office, retail, beauty centre, automotive dealership, and other service-sector businesses).
- End User: The individual interacting with the Customer's chatbot via WhatsApp or web (patient, lead, prospect, buyer, etc.).
- Controller: The party that decides how data is processed — the Customer for End User data, OzcenkLabs for Customer admin account data.
- Processor: OzcenkLabs (processes End User data on behalf of the Customer).
2. Data Controller
OzcenkLabs Ltd.
Companies House number: 17199856
Registered office: 167-169 Great Portland Street, 5th Floor, London, W1W 5PF, United Kingdom
Data subject requests: privacy@ozcenklabs.com
General contact: arda@ozcenklabs.com
3. Data We Collect
- Customer admin account: Name, email, hashed password, business name, sector, billing details.
- End User contact data: Name, phone, email, sector-specific details (e.g. appointment date, listing ID, product preference) submitted to the chatbot. Processed on behalf of the Customer (Controller).
- Conversation content: Messages received via WhatsApp or web chat, AI replies, timestamps.
- Technical data: Hashed IP address, browser type, cookie ID — only for security and abuse prevention.
4. Special Provision for Healthcare Sector (Health Data)
Where the Service is used by healthcare-sector Customers (e.g. dental clinics, internal medicine), End Users may share health information (special category data — UK GDPR Article 9). In such cases:
- Lawful basis: Article 9(2)(h) — provision of healthcare services.
- The Customer (healthcare provider) operates under a duty of confidentiality.
- OzcenkLabs processes such data only to provide the Service and applies enhanced security.
- This clause does not apply to non-health sectors (real estate, retail, automotive, beauty).
5. Lawful Basis
- Performance of contract (Art. 6(1)(b)): Operations required for Customer subscription.
- Legitimate interest (Art. 6(1)(f)): System security, abuse prevention, service improvement.
- Consent (Art. 6(1)(a)): Marketing communications.
- Special category (Art. 9(2)(h)): Only for healthcare-sector Customers.
6. Retention Periods
- Active records: 12 months (visible in Customer admin panel).
- Archive: 24 additional months (in backups, not visible to admin).
- Maximum total retention: 36 months.
- Erasure on request: Completed within 30 days.
- Subscription cancellation: All data deleted or anonymised within 90 days.
7. Sub-processors
| Provider | Purpose | Location |
|---|---|---|
| OpenAI Inc. | AI chat generation (GPT-4o) | USA (SCC + UK addendum) |
| Meta Platforms Ireland Ltd. | WhatsApp Cloud API messaging | Ireland / EU |
| Twilio Inc. | SMS / WhatsApp legacy delivery | USA (SCC + UK addendum) |
| Vercel Inc. | Application hosting | USA (EU edge regions) |
| Supabase Inc. | Database + Auth | EU (eu-west-1) |
| Upstash Inc. | Cache (Redis) | EU |
| Cloudflare Inc. | DNS, email routing | Global edge |
| Sentry GmbH | Error monitoring | EU |
8. International Data Transfers
Some sub-processors are located outside the UK/EU (notably the USA). These transfers are protected by Standard Contractual Clauses (SCC) + UK International Data Transfer Addendum.
9. Your Rights
Under UK GDPR you have the rights of access, rectification, erasure, restriction, portability, objection, and to withdraw consent. You may lodge a complaint with the UK ICO (ico.org.uk) or your local supervisory authority.
To exercise these rights, write to privacy@ozcenklabs.com. We respond within 30 days.
10. Cookies
We use only essential cookies (session ID, security token). No tracking, advertising, or analytics cookies. Exempt from consent under UK PECR "strictly necessary" category.
11. Security Measures
- TLS encryption (HTTPS for all traffic)
- Postgres Row Level Security — multi-tenant isolation
- Column-level access restriction on sensitive fields
- Passwords hashed with bcrypt
- Rate limiting and abuse prevention
- Sentry error monitoring (PII excluded)
12. Children
The Service is not intended for users under 16. If we have inadvertently collected such data, please notify privacy@ozcenklabs.com.
13. Data Breach Notification
Upon detection we notify the ICO within 72 hours. Affected End Users are notified by email if the breach is high-risk.
14. Changes
Material changes are announced at least 30 days in advance via email or in-app notification.
15. Contact
Data protection: privacy@ozcenklabs.com
General: arda@ozcenklabs.com
Post: OzcenkLabs Ltd, 167-169 Great Portland Street, 5th Floor, London, W1W 5PF, UK