Your data, your control.

1) Who we are + contact

NippyAgent is a product operated by Nippy Agent Ltd (Company No. 16963969), registered in England and Wales at Suite 1-125, 39 Ludgate Hill, London EC4M 7JN. "NippyAgent" is a trading name. We are registered with the Information Commissioner’s Office (ICO) under registration number ZC091228.

Website: nippyagent.co.uk

Contact email: support@nippyagent.co.uk

Data protection contact: For any data protection queries, email support@nippyagent.co.uk. Nippy Agent Ltd is not required to appoint a Data Protection Officer under UK GDPR Article 37, as we do not carry out large-scale systematic monitoring or process special category data on a large scale.

2) What the product does (plain English)

NippyAgent helps self-employed trades create quotes and invoices via WhatsApp and generates PDF documents based on the information you provide. Tradespeople may also generate payment links that allow their customers to view document details and confirm payment via a web portal.

3) Data we collect

We collect the following categories of information when you use NippyAgent:

A. WhatsApp account and messaging data

• Your WhatsApp phone number / WhatsApp ID (sender ID).
• Message content you send to us (commands, customer details, invoice/quote lines, totals).
• Message metadata such as timestamps and WhatsApp message IDs (used for deduplication and reliability).
• Delivery status data: we do not intentionally store WhatsApp delivery status beyond what is necessary to operate the service.

B. Business profile data

• Business name and address.
• Business phone number and email address (if provided).
• VAT settings (VAT enabled, VAT rate) and VAT number (optional).
• Bank transfer details if you choose bank transfer (bank name, account name, sort code, account number).

C. Customer records entered by you

• Customer name.
• Customer postcode.
• Optional customer address and phone number (only if you enter it).

D. Document data

• Quotes/invoices you create: line items, quantities, pricing, totals, VAT rate, discounts/deposits (where applicable).
• Generated PDFs and related metadata (for example file paths or hashes where applicable).

E. Voice and audio data

• If you send a voice note, it is temporarily processed to extract document details (job descriptions, prices, customer names).
• Voice notes are transcribed by Groq (Whisper-large-v3-turbo model) and the resulting transcript is processed by OpenAI (GPT-4.1) for structured extraction. Both providers operate under zero-retention API policies (data is not stored or used for training).
• We do not permanently store audio files. Once the document is created, the original voice data is discarded.

F. Billing data

• Subscription status (free/active), plan name, and usage counters.
• Stripe identifiers (customer/subscription IDs) used to manage billing.
• We do not store full card details. Payment card data is handled by Stripe.

G. Operational and security data

• Operational logs (errors, troubleshooting signals) to keep the service reliable.
• Abuse prevention signals such as rate limiting and deduplication records.
• IP address information may be processed by our hosting providers for website delivery and security.

4) Why we collect it and how we use it

• Provide the service: create quotes/invoices and generate PDFs.
• Store customer details inside each document you create (so the PDF contains the required information) and keep document history so you can resend documents.
• Manage billing and account status (subscriptions, usage).
• Prevent fraud and abuse (rate limiting, spam/abuse detection, security monitoring).
• Support and troubleshooting (support tickets and operator replies).

5) Legal basis (UK GDPR)

We process personal data under the following lawful bases (as applicable):

• Performance of a contract: to provide NippyAgent features you request.
• Legitimate interests: to keep the service secure, prevent fraud/abuse, and maintain reliability.
• Consent: for optional marketing communications. We ask for your consent during the WhatsApp onboarding process. If you are an active paid subscriber, we may also rely on the “soft opt-in” exception under PECR Regulation 22(3) to send you messages about similar products and services. You can withdraw consent at any time by replying STOP — see Section 13 below.

6) Who we share data with (sub-processors)

We use the following sub-processors to operate NippyAgent. Each has a Data Processing Agreement (DPA) or equivalent contractual safeguards in place:

• Meta / WhatsApp Business Platform — message transport. DPA: Meta Platform Terms, Data Processing Terms.
• OpenAI — AI-assisted document processing and voice note understanding (GPT-4.1). DPA: OpenAI Data Processing Addendum (zero-retention API).
• Groq — voice note transcription (Whisper-large-v3-turbo). DPA: Groq Data Processing Addendum (zero-retention API).
• Supabase — database and object storage (EU region). DPA: Supabase Data Processing Agreement.
• Hetzner Online GmbH — application and website hosting (Falkenstein, Germany). DPA: Hetzner Data Processing Agreement.
• Stripe — payments and billing. DPA: Stripe Data Processing Agreement.
• Upstash — Redis caching (EU region). DPA: Upstash Data Processing Addendum.
• Google Analytics — cookieless website analytics, with consent controls. DPA: Google Ads Data Processing Terms.

We will not engage new sub-processors without updating this list. If a sub-processor change materially affects how your data is processed, we will notify you via WhatsApp with at least 30 days’ notice.

7) Data retention

• Business profile, customers, and documents: retained while your account is active. After account closure or deletion, retained for up to 30 days for support and recovery, then permanently deleted.
• Billing and subscription records: retained for 7 years after your last payment to meet HMRC and Companies Act obligations.
• Consent records: retained for 7 years after consent is withdrawn (ICO accountability requirement).
• Session state: active session data is retained while in use. Idle sessions are automatically purged after 90 days.
• Application logs: retained for 30 days, extended to 90 days for security investigations.
• Conversation log (chat history): retained for 30 days then permanently deleted.
• Bug reports: retained for 90 days then permanently deleted.
• Automation logs: retained for 90 days for operational monitoring.
• Deletion audit records: a minimal record confirming deletion occurred is retained for 7 years for legal compliance.

You can request deletion at any time. See Data deletion instructions.

8) Deletion, subscription cancellation and refunds

If you request account deletion, we cancel any active subscription immediately and access ends immediately.

Deleting your data does not automatically issue a refund. If you believe you're eligible for a refund, we recommend submitting a refund request before deleting your data.

After deletion, we may retain a minimal billing ledger and a minimal account-deletion audit record to meet legal obligations and to resolve disputes, fraud investigations, and support requests.

9) Security measures

• TLS/HTTPS in transit.
• Access controls and least-privilege access for operational accounts.
• Encryption at rest where provided by our vendors.
• Security monitoring and logging for operational reliability.
• Payment card details are handled by Stripe and are not stored by us.

10) International transfers

Some of our service providers process data outside the UK:

• Supabase: EU region (covered by UK adequacy decision for EU).
• Hetzner: EU/Germany (covered by UK adequacy decision for EU).
• OpenAI, Groq, Stripe, Google, Meta: US-based (covered by UK-US Data Bridge under the UK Extension to the EU-US Data Privacy Framework).

11) Your rights and how to exercise them

Under UK GDPR you have the right to:

• Access the personal data we hold about you (Art. 15).
• Rectify inaccurate data (Art. 16).
• Erase your data (Art. 17) -- see our Data deletion page.
• Restrict processing (Art. 18).
• Data portability (Art. 20).
• Object to processing based on legitimate interests (Art. 21).
• Withdraw consent at any time where processing is based on consent.
• Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

To make a request, email support@nippyagent.co.uk or follow the steps on our Data deletion instructions page. We aim to respond within 30 days.

12) Automated decision-making and profiling

We use automated tools to analyse how you use NippyAgent so that we can send you helpful, timely messages. We want to be upfront about what this involves.

What we mean by "profiling"

Profiling means we look at patterns in your account activity — things like how many documents you’ve created, which features you’ve used, and how recently you last logged in — to work out what kind of message might be useful to you. This is all done automatically by our software; no human sits and watches your account.

What we analyse and why

We carry out four types of automated analysis, all under the lawful basis of legitimate interests (keeping our service useful and relevant to you):

Usage monitoring

• Data used: Documents created this month, your plan limits, feature usage.
• What happens: If you’re approaching your plan’s document limit, we send a message letting you know — and mention upgrade options if relevant.

Onboarding tracking

• Data used: Whether you’ve completed key setup steps (business details, first quote, first invoice).
• What happens: If you started setting up but didn’t finish, we send a friendly nudge after 24 hours to help you get going.

Activity scoring

• Data used: Days since your last activity, document creation trends (month-on-month), support tickets, payment status.
• What happens: We calculate an activity score to identify accounts that might be struggling. At-risk accounts get a check-in message; very high-risk accounts are flagged for human review by our team.

Behavioural messaging

• Data used: Streaks, engagement patterns, subscription renewal dates, invoice payment status.
• What happens: Our automated bots send messages based on your activity — for example, congratulating you on a streak of document creation, reminding you about an upcoming renewal, or chasing an unpaid customer invoice on your behalf.

What profiling does NOT do

None of these activities produce decisions that have a “legal or similarly significant effect” on you, as described in UK GDPR Article 22(1). Specifically:

• We do not use profiling to decide whether to give you access to the service, set your pricing, or alter your contractual terms.
• We do not use profiling to make credit decisions or assess your creditworthiness.
• We do not share profiling data with third parties for their own decision-making.
• The only outcome is that you may receive automated WhatsApp messages (tips, nudges, reminders, or check-ins). You can opt out of these at any time — see below.

Safeguards

• Quiet hours: No automated messages are sent between 9 PM and 7 AM UK time.
• Daily limits: No account receives more than two automated messages per day.
• Deduplication: Each type of message is sent at most once per account per period (typically once per month).
• Human escalation: Accounts flagged as very high risk are routed to a human team member.
• Opt-out respected: Every automated bot checks your opt-out preference before sending.

13) Your right to object to profiling

You have the right to object to profiling at any time, and we make it straightforward.

How to opt out

• Reply STOP to any automated message from NippyAgent. This immediately opts you out of all marketing and nudge messages.
• Send “STOP” as a regular message to NippyAgent on WhatsApp at any time — you don’t need to wait for an automated message first.
• Email us at support@nippyagent.co.uk and ask to be opted out.

What happens when you opt out

• You’ll stop receiving upgrade nudges, check-in messages, re-engagement reminders, streak notifications, and all other marketing-style automated messages.
• You will still receive essential service messages necessary to operate your account — for example, invoice payment reminders you’ve asked us to send on your behalf, subscription renewal notices, and payment failure alerts. These are part of the service, not marketing.
• Your profiling data is not deleted when you opt out — it simply isn’t used to send you messages. To delete your data entirely, see our Data deletion page.

How to opt back in

Reply START to NippyAgent on WhatsApp at any time. Your preference is updated immediately.

Further rights

Under UK GDPR Article 21, you have the right to object to any processing we carry out under legitimate interests. If you object and we cannot demonstrate compelling legitimate grounds that override your interests, we will stop the processing. To exercise this right, email support@nippyagent.co.uk.

If you’re unhappy with how we handle your request, you can lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.

14) Children

NippyAgent is not intended for children under 16.

15) Updates to this policy

We may update this Privacy Policy from time to time. We will update the date at the top of this page and, where appropriate, provide notice through our website or WhatsApp.

16) Making Tax Digital (MTD) records

NippyAgent generates income records (PDF and XLSX exports) that you can give to your accountant or import into MTD-compatible software (Xero, QuickBooks, FreeAgent). NippyAgent does not file with HMRC on your behalf. You remain responsible for ensuring quarterly updates are submitted to HMRC by you, your accountant, or your MTD-compatible software. Each record is clearly labelled with this disclaimer in the PDF footer.

17) Use of AI

NippyAgent uses AI models from OpenAI (GPT-4.1) and Groq (Whisper-large-v3-turbo) to transcribe voice notes and extract document details such as customer names, job descriptions, and prices. Your voice notes and extracted data are processed for the sole purpose of generating your documents and improving extraction accuracy for your account.

Under the UK and EU AI Act classifications, this use is considered minimal-risk: the AI assists with structured data extraction from your own input. It is not used for biometric identification, credit scoring, employment decisions, or any other high-risk category. No automated decision is made that has a legal or similarly significant effect on you, your business, or your customers (see Section 12 above for more on profiling).

You can opt out of AI-assisted voice processing at any time by typing your documents instead of sending voice notes. The typed flow uses no AI transcription.