Privacy Policy
This Privacy Policy explains how Zatio collects, uses, and protects personal data. Zatio is a trading name of Almor Ventures SL, a Spanish Sociedad Limitada, CIF B27691799. Contact: privacy@zatio.io.
§ 01 Who we are
Zatio provides an AI-powered WhatsApp assistant for businesses (“Operators”) to handle inbound sales enquiries, qualify leads, and manage bookings.
- Data controller for website visitors: Zatio (the operator named above)
- Data processor for WhatsApp end-user conversations: Zatio acts on behalf of each Operator, who is the data controller of their own customers’ data
§ 02 Information we collect
From website visitors
- Contact details you submit via forms (name, email, company, phone)
- Technical data (IP address, browser type, referrer) for security and analytics
- Cookies — see our Cookie Policy
From WhatsApp end users (on behalf of Operators)
When you message a business that uses Zatio via WhatsApp, we process:
- Your phone number and public WhatsApp profile (name, profile photo)
- The content of messages you send and receive
- Metadata (timestamps, delivery and read receipts)
§ 03 How we use your information
Website visitors
- Respond to your enquiries
- Send you requested information about Zatio
- Improve our services and website
- Comply with legal obligations
WhatsApp end users
- Respond to enquiries on behalf of the Operator
- Manage bookings, quotes and follow-ups
- Escalate complex cases to the Operator’s human team
- Generate AI-assisted replies
§ 04 Lawful basis (UK GDPR / EU GDPR)
We process personal data under the following bases:
- Performance of a contract (Art. 6(1)(b)) — to deliver services you or the Operator requested
- Legitimate interests (Art. 6(1)(f)) — to operate and improve our service, provided your rights don’t override ours
- Consent (Art. 6(1)(a)) — for marketing communications, where required
- Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, and regulatory requirements
§ 05 Sub-processors
We use the following sub-processors to deliver our service:
| Provider | Purpose | Location |
|---|---|---|
| Twilio, Inc. | WhatsApp Business Solution Provider — relays inbound and outbound messages between the Operator’s WhatsApp number and our service. Officially-listed Meta Business Solution Provider. | EU (Frankfurt) with fallback to US |
| Meta Platforms Ireland Ltd | Underlying WhatsApp Business Platform infrastructure that Twilio relays through. Each Operator’s WhatsApp Business Account is registered with Meta directly. | EU / US |
| Anthropic, PBC | AI-generated replies (Claude) | US (with EU data processing terms; zero-retention, no training on our data) |
| Supabase, Inc. | Database, authentication and file storage hosting | EU (Frankfurt) |
| Vercel, Inc. | Website and application hosting | EU / US |
| Resend, Inc. | Transactional email (dashboard invites, digest emails, lead exports) | US (with EU data processing terms) |
| Sentry, Inc. (Functional Software) | Error monitoring and performance tracing | EU (Frankfurt) with fallback to US |
| Google LLC (Maps Platform, Solar API, Geocoding) | Lookup of roof photos and solar irradiance for AI tool calls (address-level only, no message content) | EU / US |
| Department for Energy Security & Net Zero (UK EPC Register) | Lookup of UK Energy Performance Certificates for AI tool calls (address-level only) | UK |
| Retool, Inc. | Internal dashboards | US |
| Google (Workspace) | Business email | EU / US |
A current list is available on request at privacy@zatio.io.
§ 06 International transfers
Where data is transferred outside the UK / EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and the UK International Data Transfer Addendum.
§ 07 Retention
- Website enquiry data: 24 months from last contact
- WhatsApp conversation data: 24 months, or until termination of the Operator’s service with Zatio — whichever is sooner
- Accounting records: as required by UK / Spanish tax law (typically 6 years)
§ 08 Your rights
Under UK GDPR and EU GDPR, you have the right to:
- Access the personal data we hold about you
- Request rectification of inaccurate data
- Request erasure (“right to be forgotten”)
- Object to processing
- Request data portability
- Withdraw consent at any time
- Lodge a complaint with a supervisory authority (ICO in the UK, AEPD in Spain)
To exercise any of these rights, email privacy@zatio.io. We will respond within 30 days.
For WhatsApp conversations, you can also contact the Operator directly — they act as data controller for that data.
§ 09 AI transparency
Zatio uses Anthropic Claude (a Large Language Model) to generate automated replies on WhatsApp and website chat. In line with the EU AI Act (Art. 50) and UK AI governance expectations:
- End users are clearly informed when they are interacting with an AI
- Sensitive or complex cases are escalated to human operators
- Messages are processed by AI providers under data processing agreements that prohibit training on our data
§ 10 Security
We use industry-standard security measures including TLS encryption in transit, encryption at rest, role-based access controls, and regular security reviews. See our Security Page for details.
§ 11 Changes to this policy
We may update this policy from time to time. The “Last updated” date at the top reflects the latest version. Material changes will be communicated via the website.
§ 12 Contact
Almor Ventures SL (CIF B27691799), Spain. Registered address available on request at legal@zatio.io.
Privacy questions: privacy@zatio.io
General enquiries: hello@zatio.io
Questions?
Email us at privacy@zatio.io. We aim to respond within 48 hours.