Privacy Policy

Last updated: May 2026

AskWhiz (“we”, “our”, “us”) is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and safeguard information about you when you use our service.

Information We Collect

We collect the following categories of personal data:

  • Account information — your name and email address, collected via Clerk during sign-up and authentication.
  • Phone number — collected via Twilio Verify when you verify your phone for WhatsApp bot access.
  • Payment information — processed by Stripe. AskWhiz does not store payment card details directly.
  • Usage data — anonymous analytics data collected via Google Analytics 4 only when you grant analytics consent.
  • WhatsApp messages — messages sent to and received from your subscribed bots, processed by our AI systems to generate responses.

Lawful Basis for Processing

Under Article 6 of the GDPR, every processing operation must rest on a lawful basis. The list below labels each AskWhiz processing purpose with its specific basis:

  • Account creation — performance of a contract (Art 6(1)(b))
  • Subscription billing — performance of a contract (Art 6(1)(b))
  • WhatsApp message delivery — performance of a contract (Art 6(1)(b))
  • Phone verification — performance of a contract and compliance with a legal obligation (Art 6(1)(b) and 6(1)(c))
  • Analytics — consent (Art 6(1)(a)); you may withdraw consent at any time via the cookie banner
  • Marketing emails — consent (Art 6(1)(a)); opt-out via the unsubscribe link in every email
  • Audit log retention — legitimate interest (Art 6(1)(f)) in preserving the integrity of administrator-initiated communications for compliance, support, and dispute resolution

International Transfers

AskWhiz transfers personal data to processors located in the United States, including Clerk, Stripe, Resend, Meta (WhatsApp), Midbrain, Twilio, and Google Analytics. These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, executed with each processor in accordance with Articles 44–49 of the GDPR.

Age

AskWhiz is intended for users aged 16 and over. We do not knowingly collect personal data from children under 16. If you believe a child has provided us personal data, please contact privacy@askwhiz.io and we will delete it promptly.

Data Protection Officer

We have not appointed a Data Protection Officer. Privacy inquiries are handled by our data controller — please contact privacy@askwhiz.io for any data-protection matter.

California Residents (CCPA / CPRA)

AskWhiz does not sell or share personal information for cross-context behavioural advertising as defined by the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). California residents have the same access, correction, and deletion rights enumerated in the “Your Rights (GDPR)” section of this policy. To exercise these rights, contact privacy@askwhiz.io.

Security

We protect your data with the following technical and organisational measures:

  • HTTPS / TLS 1.2+ encrypts all data in transit
  • Stripe (PCI-DSS Level 1 compliant) processes payment data — AskWhiz never sees your card details
  • Clerk (SOC 2 Type 2 certified) handles authentication and password storage
  • Application data is stored in PostgreSQL with encryption at rest
  • We notify supervisory authorities and affected users within 72 hours of becoming aware of a personal-data breach, in line with GDPR Art 33

How We Use Your Information

  • To create and manage your account
  • To process subscription payments
  • To deliver WhatsApp bot services you have subscribed to
  • To verify your phone number and identity
  • To generate AI-powered responses through our WhatsApp bots
  • To improve and understand usage of our platform (with consent)
  • To comply with legal obligations

Data Sharing

We do not sell your personal data. We share data only with the third-party services necessary to deliver AskWhiz:

  • Clerk — authentication and user management
  • Stripe — subscription billing and payment processing
  • Twilio — SMS phone verification
  • Meta (WhatsApp) — WhatsApp Cloud API for bot message delivery
  • Midbrain — LLM-based message processing and knowledge retrieval
  • Resend — transactional email delivery (account, billing, and migration notifications)
  • Google Analytics 4 via Google Tag Manager — anonymous usage analytics (consent required)

Each of these providers operates under their own privacy policy and is subject to applicable data protection laws.

Your Rights (GDPR)

If you are based in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):

  • Right of access — request a copy of the personal data we hold about you
  • Right to rectification — request correction of inaccurate or incomplete data
  • Right to erasure — request deletion of your personal data (“right to be forgotten”)
  • Right to restriction — object to or restrict certain processing of your data
  • Right to data portability — receive your data in a structured, machine-readable format
  • Right to withdraw consent — withdraw consent at any time where processing is consent-based (e.g., analytics)

To exercise any of these rights, contact us at privacy@askwhiz.io. We will respond within 30 days.

Data Retention

We retain your personal data for as long as your account is active or as needed to provide services. When you close your account, we delete or anonymise your personal data within 90 days, unless we are required by law to retain it for longer.

WhatsApp message logs are retained for operational and debugging purposes for as long as your account is active. Logs are deleted when your account is closed.

Administrative audit trail. When an AskWhiz administrator sends a WhatsApp template message to you from the admin panel (for example, to reply to a support request outside the standard 24-hour session window), we retain a record of that send — including the template variables supplied (which may contain your name, order or error reference, and any diagnostic notes) — in an internal admin_template_sends audit log. This record exists to reconstruct the exact content of administrator-initiated communications for compliance, support, and dispute-resolution purposes. Access is restricted to AskWhiz administrators. The audit record is kept separately from your conversation history and is preserved even if your account is subsequently deleted, to maintain the integrity of the audit trail. You may request access to, or raise concerns about, these records via the contact details below.

Contact Us

For privacy-related inquiries, to exercise your rights, or to raise a concern, contact our data controller at:

Email: privacy@askwhiz.io

If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority.