Last Updated: January 2026

    Privacy Policy

    SalesRook Ltd

    Version 2.0

    This Privacy Policy explains how SalesRook Ltd ("SalesRook", "we", "us", or "our") collects, uses, shares, and protects your personal data when you visit our website or use our Services.

    By using our website or Services, you acknowledge that you have read and understood this Privacy Policy and agree to its terms.

    1. INTRODUCTION

    1.1 Who We Are

    SalesRook Ltd ("SalesRook", "we", "us", or "our") is a UK-based PropTech company providing AI-powered WhatsApp automation for estate agents and mortgage brokers.

    Company Registration: 14088341 (England and Wales)
    ICO Registration: ZC045388
    Registered Address: Unit A, Cottonworks House, 111 Seven Sisters Road, London N7 7FN, United Kingdom
    Data Protection Contact: Max Hardy

    1.2 What This Policy Covers

    This Privacy Policy explains how we collect, use, share, and protect personal data when you:

    1. Visit our website (salesrook.com) as a visitor or prospect
    2. Use our Services as a customer with an account

    This policy applies to both website visitors and SalesRook customers. However, it does not cover how we process personal data on behalf of our customers (such as end-user WhatsApp messages, property enquiries, and lead data).

    For our customers: The processing of your end-users' personal data is covered by our Data Processing Agreement, which governs our role as a data processor handling data on your behalf.

    How this policy relates to the DPA:

    Not a SalesRook customer yet? This Privacy Policy explains how we handle your personal data when you visit our website or use our services as a customer.

    Already a SalesRook customer? This Privacy Policy covers your account data (your name, email, company, billing info). The Data Processing Agreement covers your customers' data (their WhatsApp messages, property enquiries, lead information) that we process on your behalf.

    1.3 Your Privacy Matters

    We take your privacy seriously and are committed to protecting your personal data in accordance with:

    • UK General Data Protection Regulation (UK GDPR)
    • Data Protection Act 2018
    • Privacy and Electronic Communications Regulations (PECR)

    If you have any questions about this Privacy Policy or how we handle your data, please contact us at [email protected].

    2. DATA WE COLLECT

    2.1 Website Visitors (Not Logged In)

    When you visit salesrook.com, we may collect:

    Information You Provide to Us:

    • Contact forms: Name, email address, company name, phone number, message content
    • Demo requests: Name, email, company name, phone number, preferred date/time, number of offices, current systems
    • Newsletter sign-ups: Email address, name (optional)
    • Event registrations: Name, email, company, job title
    • Job applications: Name, email, CV/resume, cover letter, LinkedIn profile, employment history

    Information Collected Automatically:

    • Analytics data: Pages visited, time spent, referral sources, device type, browser type, operating system
    • IP address: For security, analytics, and approximate location (city/region level)
    • Cookies and similar technologies: See our Cookie Policy for full details

    Third-Party Content:

    When you interact with embedded content (YouTube videos, social media widgets), those providers may set their own cookies and collect data. See Section 5 for details.

    2.2 SalesRook Customers (Logged In)

    When you create an account and use our Services, we collect:

    Account Information:

    • Name, email address, company name
    • Job title/role
    • Phone number
    • Billing address
    • Number of offices/branches
    • CRM system(s) in use

    Usage Data:

    • Login times and frequency
    • Features and services used
    • Number of WhatsApp messages processed
    • AI persona configurations
    • Performance metrics (response rates, engagement rates)
    • Settings and preferences
    • Integration configurations

    Billing Information:

    • Payment method details (processed by Stripe or GoCardless - see Section 6.2)
    • Transaction history
    • Invoices and payment records
    • Subscription details

    Support Communications:

    • Support ticket content
    • Email correspondence with [email protected]
    • WhatsApp messages with our support team
    • Phone call recordings (see Section 2.2.1 below)
    • Screenshots or files you provide for troubleshooting

    AI Training Data (Optional):

    • Anonymised and aggregated usage patterns
    • Performance metrics for model improvement
    • You can opt out - see Section 3.2.5

    2.2.1 Phone Call Recordings

    We may record phone calls for training and quality assurance purposes. When you call our support or sales lines, you may hear a notification that the call may be recorded. If you do not wish to be recorded, please inform the agent at the start of the call.

    Call recordings, when made, are retained for up to 12 months and may be used for:

    • Training our team members
    • Quality assurance and service improvement
    • Resolving disputes about what was discussed
    • Regulatory compliance (where applicable)

    2.3 What We Don't Collect

    To be clear, this Privacy Policy does not cover:

    • End-user WhatsApp message content (processed on behalf of customers - see DPA)
    • Property enquiry details from your customers (processed on behalf of customers - see DPA)
    • Lead qualification data (processed on behalf of customers - see DPA)
    • CRM data synced via integrations (processed on behalf of customers - see DPA)
    • Payment card details (handled directly by Stripe/GoCardless, not stored by us)
    • Sensitive personal data (unless you voluntarily provide it)

    For information about how we process end-user data on behalf of our customers, see our Data Processing Agreement.

    3. HOW WE USE YOUR DATA

    3.1 Website Visitors

    We use personal data from website visitors for:

    Responding to Your Enquiries (Legal Basis: Contract/Legitimate Interests)

    • Processing demo requests and booking calls
    • Answering questions submitted via contact forms
    • Responding to general enquiries
    • Following up on event registrations

    Marketing Communications (Legal Basis: Consent)

    • Sending newsletters (only if you subscribed)
    • Product updates and feature announcements
    • Case studies and blog post notifications
    • Event invitations and webinar announcements
    • Industry insights and best practices

    You can unsubscribe from marketing emails at any time using the link in every email or by contacting [email protected].

    Website Analytics & Improvement (Legal Basis: Legitimate Interests)

    • Understanding how visitors use our website
    • Improving website design and user experience
    • Testing new features and content
    • Identifying technical issues
    • Measuring marketing campaign effectiveness

    Recruitment (Legal Basis: Contract/Legitimate Interests)

    • Processing job applications
    • Evaluating candidates for roles
    • Conducting interviews and assessments
    • Communicating with applicants

    Advertising & Marketing Attribution (Legal Basis: Consent/Legitimate Interests)

    • Measuring effectiveness of advertising campaigns
    • Retargeting website visitors with relevant ads
    • Understanding which marketing channels work best
    • Optimising advertising spend

    Note for Regulated Customers: If you are an FCA-authorised firm or otherwise regulated, you remain responsible for ensuring your own disclosures and communications (including any AI-generated content through our platform) comply with applicable regulations.

    3.2 SalesRook Customers

    We use personal data from customers for:

    Providing the Services (Legal Basis: Contract)

    • Creating and managing your account
    • Processing your instructions and configurations
    • Providing WhatsApp automation services
    • Integrating with your CRM systems
    • Delivering AI-powered lead qualification
    • Enabling SalesRook Negotiator functionality
    • Technical support and troubleshooting

    Billing & Payment Processing (Legal Basis: Contract)

    • Processing subscription payments
    • Generating invoices
    • Managing payment methods
    • Handling refunds or credits
    • Collecting overdue payments

    Customer Support (Legal Basis: Contract)

    • Responding to support requests
    • Troubleshooting technical issues
    • Providing guidance on using the Services
    • Following up on reported problems
    • Improving our support processes

    Service Improvement & Analytics (Legal Basis: Legitimate Interests)

    • Understanding how customers use the Services
    • Identifying features that need improvement
    • Detecting and preventing technical issues
    • Measuring service performance and reliability
    • Planning new features and enhancements

    3.2.5 AI Model Improvement (Legal Basis: Legitimate Interests)

    As described in our Terms of Service Section 10.3, we may use anonymised and aggregated data derived from Customer communications to improve our AI models, provided such data cannot be linked back to any individual Customer or Data Subject.

    Important: This does not include your customers' WhatsApp message content or property enquiry data processed under the Data Processing Agreement. AI training under this Privacy Policy refers only to usage patterns, performance metrics, and aggregated platform data - not individual end-user conversations.

    What this means:

    • We analyse usage patterns to improve AI response quality
    • All data is anonymised before use (no names, companies, or identifying details)
    • Aggregated data helps train better qualification questions
    • Improves overall platform effectiveness for all customers

    You can opt out: Email [email protected] with "AI Training Opt-Out" in the subject line. We'll flag your account and exclude your data from any training processes.

    Security & Fraud Prevention (Legal Basis: Legitimate Interests)

    • Detecting and preventing unauthorised access
    • Identifying unusual activity or potential security threats
    • Protecting against fraud and abuse
    • Maintaining system security and integrity
    • Complying with legal obligations

    Product Updates & Account Management (Legal Basis: Legitimate Interests/Soft Opt-In)

    • Service announcements and important updates
    • New features and enhancements
    • Security notifications
    • Billing notifications
    • Renewal reminders

    Existing customers receive service-related updates as part of our contract. You can opt out of non-essential communications via your account settings or by contacting [email protected].

    Legal Compliance (Legal Basis: Legal Obligation)

    • Complying with court orders or legal requirements
    • Responding to lawful requests from authorities
    • Maintaining records for tax and accounting purposes
    • Meeting regulatory obligations
    • Establishing, exercising, or defending legal claims

    4. LEGAL BASIS FOR PROCESSING

    Under UK GDPR Article 6, we must have a lawful basis for processing your personal data. Here's our legal basis for each type of processing:

    Processing Activity | Legal Basis | Why We Can Process
    Website analytics | Legitimate interests | Understanding website performance to improve services
    Contact form responses | Legitimate interests | You contacted us requesting information or assistance
    Demo bookings | Contract (pre-contractual) | Processing your request to see our product
    Newsletter sign-ups | Consent | You explicitly opted in to receive marketing
    Customer accounts | Contract | Necessary to provide the Services you're paying for
    Payment processing | Contract | Necessary to bill you for the Services
    Usage analytics (customers) | Legitimate interests | Service improvement, security, and reliability
    Support communications | Contract | Necessary to provide customer support
    Marketing to prospects | Consent | You opted in to receive marketing emails
    Marketing to customers | Legitimate interests (soft opt-in) | You're our customer receiving relevant product updates
    AI training (anonymised) | Legitimate interests | Service improvement using non-identifiable data
    Phone call recordings | Legitimate interests | Quality assurance, training, and dispute resolution
    Security monitoring | Legitimate interests | Protecting our systems and your data
    Legal compliance | Legal obligation | Required by law (tax, accounting, regulatory)

    What are "Legitimate Interests"?

    Legitimate interests means we have a good business reason to process your data that doesn't override your rights and freedoms. For example:

    • We have a legitimate interest in understanding how our website is used to improve it
    • We have a legitimate interest in analysing usage patterns to improve service quality
    • We have a legitimate interest in preventing fraud and maintaining security

    You can object to processing based on legitimate interests. See Section 9 for information about your rights.

    5. COOKIES & TRACKING TECHNOLOGIES

    We use cookies and similar technologies to improve your experience, understand how you use our website, and measure marketing effectiveness.

    5.1 What Technologies We Use

    Essential Cookies (No Consent Required)

    • Session management and authentication
    • Security features (CSRF protection)
    • Load balancing across servers
    • Service functionality

    Analytics Tools (Consent Required)

    • Microsoft Clarity: Session recordings and heatmaps to understand user behaviour (Privacy Policy)
    • Google Analytics 4: Website traffic and usage analytics (Privacy Policy, Opt-out)
    • Plausible Analytics: Privacy-friendly analytics (no cookies, no personal data) (Privacy Policy)

    Marketing & Advertising (Consent Required)

    • Facebook Pixel: Facebook advertising measurement and retargeting (Privacy Policy)
    • LinkedIn Insight Tag: LinkedIn advertising measurement (Privacy Policy)
    • Google Ads: Google advertising conversion tracking (Privacy Policy)

    Functional Tools

    • Lead Connector LLC (GoHighLevel): Calendar bookings, form submissions, CRM functionality (Privacy Policy)
    • WhatsApp Chat Widget: Live chat functionality (Privacy Policy)

    Third-Party Embeds

    • YouTube Videos: May set cookies when you play embedded videos (Privacy Policy)

    Infrastructure

    • Cloudflare: CDN and DDoS protection (minimal data processing) (Privacy Policy)

    5.2 Managing Cookies

    For detailed information about cookies we use and how to manage them, see our Cookie Policy.

    Browser Controls:

    Most browsers allow you to control cookies through settings. However, blocking certain cookies may impact your experience on our website.

    6. SHARING YOUR DATA

    6.1 When We Share Data

    We share personal data with third parties only when necessary to provide our Services, comply with legal obligations, or with your consent.

    We share data with:

    Service Providers (Data Processors)

    • Cloud hosting: Google Cloud Platform (Belgium) for data storage and processing
    • Payment processors: GoCardless (primary) and Stripe for handling payments
    • Email delivery: For transactional and marketing emails
    • Analytics providers: Microsoft Clarity, Google Analytics, Plausible for website analytics
    • Marketing platforms: Facebook, LinkedIn, Google Ads for advertising
    • CRM integrations: Reapit, Alto, LeadPro, AcquaintCRM (on your behalf as data processor)
    • AI services: OpenAI, Google Gemini, Meta Llama for AI functionality (anonymised data only)
    • Support tools: For customer support and communications

    All service providers are contractually obligated to protect your data and use it only for the purposes we specify.

    Business Transfers

    If SalesRook is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We'll notify you via email and/or a prominent notice on our website before your data is transferred and becomes subject to a different privacy policy.

    Legal Requirements

    We may disclose personal data if required by law, court order, or government authority, or if necessary to:

    • Comply with legal obligations
    • Protect our rights or property
    • Prevent fraud or other illegal activity
    • Protect the safety of our users or others

    6.2 Payment Processing

    We use GoCardless (primary) and Stripe (backup) to process payments. These processors handle your payment details directly - we never see or store your full card numbers or bank account details.

    What we store: Transaction history, payment status, invoice information
    What processors store: Card/account numbers, expiry dates, billing addresses
    Their privacy policies: GoCardless | Stripe

    6.3 Customer End-User Data

    When processing data on behalf of our customers (WhatsApp messages, lead data, etc.), we act as a data processor. Our customers are the data controllers who determine what data is collected and how it's used.

    The sharing of customer end-user data is governed by our Data Processing Agreement, which includes:

    • List of Sub-processors (DPA Section 5)
    • Sub-processor notification procedures
    • Security measures
    • International transfer safeguards

    7. INTERNATIONAL DATA TRANSFERS

    7.1 Where We Store Data

    Primary Location: All personal data is stored on Google Cloud Platform servers located in Belgium (europe-west1 region).

    7.2 Transfers to the United States

    Some of our service providers are based in the United States. We transfer data to the US under the UK-US Data Bridge, an adequacy framework that came into force on 12 October 2023.

    US-based providers:

    • Meta Platforms Inc. (WhatsApp Business API, Facebook Pixel)
    • OpenAI Inc. (AI language models - anonymised data only)
    • Google LLC (Google Analytics, Google Ads, Google Gemini AI)
    • Microsoft Corporation (Clarity analytics)
    • Stripe Inc. (payment processing)

    These providers are certified under the EU-US Data Privacy Framework (where applicable and where certified at the time of transfer), which the UK recognises as providing adequate protection for personal data transferred under the UK-US Data Bridge.

    7.3 Other International Transfers

    For any transfers to countries without an adequacy decision, we use:

    • Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office
    • UK International Data Transfer Agreement (IDTA) where appropriate

    For detailed information about international transfers of customer end-user data, see our Data Processing Agreement Section 11.

    8. DATA SECURITY

    8.1 How We Protect Your Data

    We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction.

    Technical Measures:

    • Encryption in transit: TLS 1.3 for all data transmission
    • Encryption at rest: AES-256 encryption for stored data
    • Access controls: Role-based access with multi-factor authentication
    • Network security: Firewalls, intrusion detection, DDoS protection
    • Vulnerability management: Regular security testing and patching
    • Monitoring: 24/7 security monitoring and logging

    Organisational Measures:

    • Background checks: For personnel with data access
    • Security training: Regular training for all employees
    • Confidentiality agreements: All personnel bound by confidentiality
    • Incident response: Documented procedures for security incidents
    • Access limitation: Least-privilege access principle
    • Data segregation: Customer data logically separated

    8.2 Your Responsibilities

    To help protect your account:

    • Use a strong, unique password
    • Enable multi-factor authentication if available
    • Don't share your login credentials
    • Keep your contact information up to date
    • Report suspicious activity immediately

    8.3 Security Documentation

    For customers requiring detailed security information (due diligence, compliance reviews), we maintain comprehensive Security Documentation including:

    • Information Security Policy
    • Data Classification Policy
    • Secure Coding Standards
    • Business Continuity Policy

    These documents are available upon reasonable request to [email protected] subject to appropriate confidentiality undertakings.

    For customer end-user data security measures, see our Data Processing Agreement Section 6.

    9. YOUR RIGHTS

    Under UK GDPR, you have the following rights regarding your personal data:

    9.1 Right of Access

    Request a copy of the personal data we hold about you.

    9.2 Right to Rectification

    Correct inaccurate or incomplete personal data.

    9.3 Right to Erasure ("Right to be Forgotten")

    Request deletion of your personal data in certain circumstances:

    • The data is no longer necessary
    • You withdraw consent (where consent was the legal basis)
    • You object to processing based on legitimate interests
    • The data was unlawfully processed

    Note: We may retain certain data where required by law (e.g., 7 years for financial records under UK tax law).

    9.4 Right to Restrict Processing

    Request that we limit how we use your data in certain situations:

    • You're questioning the accuracy of the data
    • Processing is unlawful but you don't want deletion
    • We no longer need the data but you need it for legal claims
    • You've objected to processing pending verification

    9.5 Right to Data Portability

    Receive your data in a structured, commonly used, machine-readable format and transmit it to another controller where:

    • Processing is based on consent or contract
    • Processing is carried out by automated means

    9.6 Right to Object

    Object to processing based on legitimate interests, including:

    • Direct marketing (absolute right - we must stop)
    • Profiling for marketing purposes
    • Processing for research or statistical purposes

    9.7 Rights Related to Automated Decision-Making

    Not be subject to decisions based solely on automated processing that significantly affect you. Currently, we do not make automated decisions about website visitors or customers that would significantly affect you.

    Note: AI-powered lead qualification for customer end-users is covered in the Data Processing Agreement, as customers are the data controllers for that processing.

    9.8 Right to Withdraw Consent

    Where processing is based on consent, you can withdraw consent at any time. This won't affect any processing that occurred before withdrawal.

    9.9 How to Exercise Your Rights

    Email: [email protected]
    Subject Line: "Data Subject Request - [Your Right]"

    Please include:

    • Your full name
    • Email address associated with your account or enquiry
    • Description of the right you wish to exercise
    • Any relevant details (e.g., specific data you want deleted)

    Response Time: We'll respond within 30 days of receiving your request. If we need more time, we'll let you know why and when you can expect a response.

    Verification: We may need to verify your identity before processing your request to protect your data from unauthorised access.

    Free of Charge: Exercising your rights is free unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee.

    For more detailed information about your rights, see our GDPR Compliance page.

    10. DATA RETENTION

    10.1 How Long We Keep Data

    We retain personal data only as long as necessary for the purposes set out in this Privacy Policy or as required by law.

    10.2 Website Visitors

    Data Category | Retention Period | Why
    Contact form submissions | 3 years from submission or until converted to customer | Long B2B sales cycles
    Demo requests | 3 years from request or until converted to customer | Sales cycle duration
    Marketing email subscribers | Until unsubscribe or 5 years of complete inactivity | Maintaining prospect database
    Newsletter subscribers | Until unsubscribe or 5 years of complete inactivity | Maintaining subscriber list
    Event registrations | 3 years from event date or until converted to customer | Follow-up and future invitations
    Job applications | 6 months after hiring decision | Recruitment record-keeping
    Website analytics | Per tool's retention: Clarity (30 days), GA4 (14 months), Plausible (12 months) | Analytics requirements
    Cookie data | Per cookie type: Essential (session), Analytics (up to 2 years), Marketing (up to 2 years) | See Cookie Policy

    "Complete inactivity" means no email opens, clicks, form submissions, or website visits for the specified period.

    10.3 SalesRook Customers

    Data Category | Retention Period | Why
    Account information | Duration of service + 90 days | Account management and wind-down
    Usage data | 12 months from generation | Service analytics and improvement
    Billing records | 7 years from transaction | UK tax law (HMRC requirements)
    Support communications | 2 years from resolution | Support quality and reference
    Phone call recordings | 12 months from call date | Training and quality assurance
    Configuration settings | Duration of service + 90 days | Service provision
    Integration data | Duration of service + 30 days | Technical requirements
    Audit logs | 12 months from creation | Security and compliance

    For retention periods of customer end-user data (WhatsApp messages, lead data, etc.), see our Data Processing Agreement Section 9.5.

    10.4 Legal Holds

    We may retain data beyond the normal retention periods if:

    • Required by law or regulation
    • Necessary for legal proceedings
    • Subject to a legal hold or preservation order
    • Required to establish, exercise, or defend legal claims

    Once the legal requirement ends, we'll delete the data in accordance with our normal retention schedule.

    11. CHILDREN'S PRIVACY

    11.1 Our Services Are Not for Children

    Our Services are intended for business use by adults (18 years or older) and are not directed at children under 13 years of age.

    We do not knowingly collect personal data from children under 13. If you believe we've inadvertently collected data from a child under 13, please contact us immediately at [email protected], and we'll delete it promptly.

    11.2 Parental Rights

    If you are a parent or guardian and become aware that your child has provided us with personal data, please contact us. We'll take steps to remove that information from our systems.

    12. CHANGES TO THIS PRIVACY POLICY

    12.1 How We Update This Policy

    We may update this Privacy Policy from time to time to reflect:

    • Changes in our data processing practices
    • New legal or regulatory requirements
    • Improvements to our Services
    • Feedback from users or regulators

    12.2 Notification of Changes

    Material Changes: If we make material changes that significantly affect how we process your personal data or your rights, we'll notify you by:

    • Email to your registered address (for customers)
    • Prominent notice on our website (for all users)
    • At least 30 days before the changes take effect

    Non-Material Changes: For minor updates (clarifications, formatting, contact details), we'll update this page and note the revision date at the top.

    12.3 Your Responsibility

    Please review this Privacy Policy periodically. Your continued use of our website or Services after changes become effective constitutes acceptance of the updated policy.

    If you disagree with material changes, you may:

    • Stop using our website or Services
    • Close your account (customers)
    • Request deletion of your data

    13. CONTACT & COMPLAINTS

    13.1 Contact Us

    If you have questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data:

    Email: [email protected]
    Phone: +44 808 175 1795
    Data Protection Contact: Max Hardy

    Address:

    SalesRook Ltd
    Unit A, Cottonworks House
    111 Seven Sisters Road
    London N7 7FN
    United Kingdom

    13.2 Making a Complaint

    We hope to resolve any concerns you have about our data processing. However, if you're not satisfied with our response, you have the right to lodge a complaint with the supervisory authority:

    Information Commissioner's Office (ICO)
    Website: ico.org.uk
    Helpline: 0303 123 1113
    Report online: ico.org.uk/make-a-complaint

    The ICO is the UK's independent authority for data protection and privacy rights.

    Document Version: 2.0
    Effective Date: January 2026
    Previous Version: August 2024

    Changes in Version 2.0:

    • Complete rewrite with SalesRook-specific content
    • Separate sections for website visitors vs customers
    • Explicit coverage of all tracking technologies in use
    • Detailed legal basis mapping for all processing activities
    • Clear retention periods with justification
    • Phone call recording disclosure added
    • AI training data opt-out mechanism clarified
    • Aligned with ToS v2.0 and DPA v2.1
    • SalesRook-specific content and examples throughout
    • Professional structure suitable for enterprise customers

    © 2026 SalesRook Ltd. All rights reserved.