Your data, your control.
Plain-English explanation of what we collect, why, and how to delete it.
1) Who we are + contact
NippyAgent is a product operated by Nippy Agent Ltd (Company No. 16963969), registered in England and Wales at Suite 1-125, 39 Ludgate Hill, London EC4M 7JN. "NippyAgent" is a trading name. We are registered with the Information Commissioner’s Office (ICO) under registration number ZC091228.
Website: nippyagent.co.uk
Contact email: support@nippyagent.co.uk
Data protection contact: For any data protection queries, email support@nippyagent.co.uk. Nippy Agent Ltd is not required to appoint a Data Protection Officer under UK GDPR Article 37, as we do not carry out large-scale systematic monitoring or process special category data on a large scale.
2) What the product does (plain English)
NippyAgent helps self-employed trades create quotes and invoices via WhatsApp and generates PDF documents based on the information you provide. Tradespeople may also generate payment links that allow their customers to view document details and confirm payment via a web portal.
3) Data we collect
We collect the following categories of information when you use NippyAgent:
A. WhatsApp account and messaging data
- Your WhatsApp phone number / WhatsApp ID (sender ID).
- Message content you send to us (commands, customer details, invoice/quote lines, totals).
- Message metadata such as timestamps and WhatsApp message IDs (used for deduplication and reliability).
- Delivery status data: we do not intentionally store WhatsApp delivery status beyond what is necessary to operate the service.
B. Business profile data
- Business name and address.
- Business phone number and email address (if provided).
- VAT settings (VAT enabled, VAT rate) and VAT number (optional).
- Bank transfer details if you choose bank transfer (bank name, account name, sort code, account number).
C. Customer records entered by you
- Customer name.
- Customer postcode.
- Optional customer address and phone number (only if you enter it).
D. Document data
- Quotes/invoices you create: line items, quantities, pricing, totals, VAT rate, discounts/deposits (where applicable).
- Generated PDFs and related metadata (for example file paths or hashes where applicable).
E. Voice and audio data
- If you send a voice note, it is temporarily processed to extract document details (job descriptions, prices, customer names).
- Your voice note audio is sent to our AI providers to extract document details: to OpenAI for AI processing, and to Groq for transcription. Your data is not used to train their models. Under their API terms, content may be retained only briefly for abuse monitoring and is then deleted — it is not stored for any other purpose.
- We do not permanently store audio files. Once the document is created, the original voice data is discarded.
F. Billing data
- Subscription status (trial/active), plan name, and usage counters.
- Stripe identifiers (customer/subscription IDs) used to manage billing.
- We do not store full card details. Payment card data is handled by Stripe.
G. Voice intelligence and service improvement data
- If you send voice notes, we extract observations about your speech patterns (preferred terms, corrections, language) to improve transcription accuracy over time. This data is stored against your account and deleted if you delete your account or after 12 months of inactivity.
- We learn your common job types, typical working hours, and seasonal patterns from documents you create, to provide faster and more accurate service. This data does not identify your customers.
- For repeat customers, we track how many jobs you’ve done for them and when, so we can suggest follow-ups. This uses only the customer name and job dates you provide.
- We track quote acceptance and pricing patterns (by job type and price band) to provide optional pricing guidance. This is based on your own history and anonymised market data.
- When your customers view a payment portal, we may test different page layouts to improve the experience. No personal data is shared; only the layout variant and whether payment was completed is recorded.
- We calculate a quality score for your account based on factors like quote acceptance rate, payment speed, and consistency. This helps you understand your performance and does not affect your access to the service.
- We aggregate anonymous pricing data across all users (minimum 5 contributors, no individual identification possible) to provide optional market benchmarks. This data is fully anonymised and cannot be traced to any individual.
- We learn your customers’ device preferences and viewing behaviour on payment portals to improve document presentation. This is linked to the customer name you provide, not to any data the customer enters.
H. Operational and security data
- Operational logs (errors, troubleshooting signals) to keep the service reliable.
- Abuse prevention signals such as rate limiting and deduplication records.
- IP address information may be processed by our hosting providers for website delivery and security.
4) Why we collect it and how we use it
- Provide the service: create quotes/invoices and generate PDFs.
- Store customer details inside each document you create (so the PDF contains the required information) and keep document history so you can resend documents.
- Manage billing and account status (subscriptions, usage).
- Prevent fraud and abuse (rate limiting, spam/abuse detection, security monitoring).
- Support and troubleshooting (support tickets and operator replies).
- Improve service quality: learn your voice patterns to improve transcription accuracy, learn your common job types to speed up document creation, and provide optional pricing and quality insights based on your history.
- Provide anonymised market benchmarks by aggregating pricing data across users (minimum 5 contributors, never individually identifiable).
5) Legal basis (UK GDPR)
We process personal data under the following lawful bases (as applicable):
- Performance of a contract: to provide NippyAgent features you request.
- Legitimate interests: to keep the service secure, prevent fraud/abuse, and maintain reliability.
- Performance of a contract: voice intelligence (improving transcription accuracy for your account), pricing guidance, and customer preference learning are part of delivering the service you signed up for.
- Consent: for optional marketing communications. We ask for your consent during the WhatsApp onboarding process. If you are an active paid subscriber, we may also rely on the “soft opt-in” exception under PECR Regulation 22(3) to send you messages about similar products and services. You can withdraw consent at any time by replying STOP — see Section 13 below.
6) Who we share data with (sub-processors)
We use the following sub-processors to operate NippyAgent. Each has a Data Processing Agreement (DPA) or equivalent contractual safeguards in place:
- Meta / WhatsApp Business Platform — message transport. DPA: Meta Platform Terms, Data Processing Terms.
- OpenAI — AI processing of your voice notes and text to extract document and customer details. Your voice note audio is sent to OpenAI for AI processing (not only transcription). Under OpenAI’s API terms your data is not used to train their models, and content may be retained only briefly for abuse monitoring and then deleted. DPA: OpenAI Data Processing Addendum.
- Groq — voice note transcription (used for speed and accuracy). DPA: Groq Data Processing Agreement.
- Supabase — database and object storage (EU region, Ireland). DPA: Supabase Data Processing Agreement.
- Hetzner Online GmbH — application and website hosting, including our cache (Falkenstein, Germany). DPA: Hetzner Data Processing Agreement.
- Stripe — payments and billing (your subscription only; card details are entered directly into Stripe and never reach us). DPA: Stripe Data Processing Agreement.
- Google Analytics (GA4) — website analytics, loaded only after you accept cookies (Google Consent Mode, denied by default). DPA: Google Ads Data Processing Terms.
We will not engage new sub-processors without updating this list. If a sub-processor change materially affects how your data is processed, we will notify you via WhatsApp with at least 30 days’ notice.
6a) Cookies
NippyAgent itself runs entirely in WhatsApp and sets no cookies. Our marketing website (nippyagent.co.uk) uses cookies only for website analytics, and only after you agree:
- Essential: one cookie (
na_cookie_consent) that remembers your cookie choice. This is always set and needs no consent. - Analytics (Google Analytics 4): loaded only if you click “Accept” on the cookie banner. Until then, Google Consent Mode keeps analytics storage denied and no analytics cookies are set. If you accept, Google Analytics sets cookies (such as
_ga) to measure how the site is used. We set no advertising or cross-site tracking cookies.
You can change or withdraw your choice at any time using the “Cookie settings” link in the page footer.
7) Data retention
- Business profile, customers, and documents: retained while your account is active. When you delete your data, they are removed straight away (a minimal record confirming the deletion is kept, as below).
- Billing and subscription records: retained for 7 years after your last payment to meet HMRC and Companies Act obligations.
- Consent records: retained for 7 years after consent is withdrawn (ICO accountability requirement).
- Session state: active session data is retained while in use. Idle sessions are automatically purged after 90 days.
- Application logs: retained for 30 days, then automatically deleted.
- Automation logs: retained for 90 days for operational monitoring.
- Voice intelligence data (speech patterns, job type patterns, customer echoes, pricing history, quality scores, customer preferences): retained while your account is active, automatically deleted after 12 months of inactivity.
- Portal A/B test data and portal events: automatically deleted after 90 days.
- Market benchmark data: fully anonymised aggregates (no individual identification possible); retained indefinitely as statistical data.
- Deletion audit records: a minimal record confirming deletion occurred is retained for 7 years for legal compliance.
You can request deletion at any time. See Data deletion instructions.
8) Deletion, subscription cancellation and refunds
If you request account deletion, we cancel any active subscription immediately and access ends immediately.
Deleting your data does not automatically issue a refund. If you believe you're eligible for a refund, we recommend submitting a refund request before deleting your data.
After deletion, we may retain a minimal billing ledger and a minimal account-deletion audit record to meet legal obligations and to resolve disputes, fraud investigations, and support requests.
9) Security measures
- TLS/HTTPS in transit.
- Access controls and least-privilege access for operational accounts.
- Encryption at rest where provided by our vendors.
- Security monitoring and logging for operational reliability.
- Payment card details are handled by Stripe and are not stored by us.
10) International transfers
Some of our service providers process data outside the UK:
Where a provider is outside the UK, an appropriate safeguard under UK GDPR is in place for every transfer. The safeguard is not the same for every provider:
- Supabase (database and storage, EU/Ireland) and Hetzner (hosting and cache, EU/Germany): covered by the UK’s adequacy regulations for the EEA.
- Stripe (payments, USA) and Google (website analytics, USA): certified under the EU-US Data Privacy Framework and the UK Extension to it (the “UK-US Data Bridge”), with Standard Contractual Clauses as a backstop.
- OpenAI and Groq (AI processing and transcription, USA): transfers are made under the EU Standard Contractual Clauses and the UK International Data Transfer Addendum, as set out in each provider’s Data Processing Addendum. We do not rely on the UK-US Data Bridge for these providers.
- Meta / WhatsApp (messaging channel, USA): transfers are made under the WhatsApp Business UK Data Transfer Addendum, which incorporates the EU Standard Contractual Clauses and the UK International Data Transfer Addendum. We do not rely on the UK-US Data Bridge for this channel.
11) Your rights and how to exercise them
Under UK GDPR you have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectify inaccurate data (Art. 16).
- Erase your data (Art. 17) -- see our Data deletion page.
- Restrict processing (Art. 18).
- Data portability (Art. 20).
- Object to processing based on legitimate interests (Art. 21).
- Withdraw consent at any time where processing is based on consent.
- Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
To make a request, email support@nippyagent.co.uk or follow the steps on our Data deletion instructions page. We aim to respond within 30 days.
11a) Data protection complaints
If you are unhappy with how we handle your personal data, please tell us first so we can put it right. Email support@nippyagent.co.uk with “Data protection complaint” in the subject line. We will acknowledge your complaint within 30 days of receiving it and respond as soon as we reasonably can.
You can also complain to the Information Commissioner’s Office (ICO) at any time, at ico.org.uk/make-a-complaint, although we would appreciate the chance to resolve it with you first.
12) Automated decision-making and profiling
We use automated tools to analyse how you use NippyAgent so that we can send you helpful, timely messages. We want to be upfront about what this involves.
What we mean by "profiling"
Profiling means we look at patterns in your account activity — things like how many documents you’ve created, which features you’ve used, and how recently you last logged in — to work out what kind of message might be useful to you. This is all done automatically by our software; no human sits and watches your account.
What we analyse and why
We carry out several types of automated analysis under the lawful bases of contract performance (improving the service we deliver to you) and legitimate interests (keeping our service useful and relevant to you):
Usage monitoring
- Data used: Documents created this month, your plan limits, feature usage.
- What happens: If you’re approaching your plan’s document limit, we send a message letting you know — and mention upgrade options if relevant.
Onboarding tracking
- Data used: Whether you’ve completed key setup steps (business details, first quote, first invoice).
- What happens: If you started setting up but didn’t finish, we send a friendly nudge after 24 hours to help you get going.
Activity scoring
- Data used: Days since your last activity, document creation trends (month-on-month), support tickets, payment status.
- What happens: We calculate an activity score to identify accounts that might be struggling. At-risk accounts get a check-in message; very high-risk accounts are flagged for human review by our team.
Behavioural messaging
- Data used: Streaks, engagement patterns, subscription renewal dates, invoice payment status.
- What happens: Our automated bots send messages based on your activity — for example, congratulating you on a streak of document creation, reminding you about an upcoming renewal, or chasing an unpaid customer invoice on your behalf.
Voice intelligence
- Data used: Speech patterns from voice notes (preferred terms, corrections, language preferences).
- What happens: We learn how you describe jobs so future transcriptions are faster and more accurate. We also learn your common job types and working hours to speed up document creation.
Pricing and quality insights
- Data used: Your quote acceptance rates, payment speeds, document edit frequency, pricing history.
- What happens: We calculate a quality score and provide optional pricing guidance based on your own history. We also provide anonymised market benchmarks (minimum 5 contributors, never individually identifiable). These insights are informational only and do not affect your access to or pricing of the service.
Customer preference learning
- Data used: How your customers interact with payment portals (device type, scroll depth, preferred layouts).
- What happens: We learn which document presentation works best for each of your customers to improve their experience. We may test different portal layouts (A/B testing) to find the most effective design. No customer personal data is used — only viewing behaviour linked to the customer name you provided.
What profiling does NOT do
None of these activities produce decisions that have a “legal or similarly significant effect” on you, as described in UK GDPR Article 22(1). Specifically:
- We do not use profiling to decide whether to give you access to the service, set your pricing, or alter your contractual terms.
- We do not use profiling to make credit decisions or assess your creditworthiness.
- We do not share profiling data with third parties for their own decision-making.
- The only outcome is that you may receive automated WhatsApp messages (tips, nudges, reminders, or check-ins). You can opt out of these at any time — see below.
Safeguards
- Quiet hours: No automated messages are sent between 9 PM and 7 AM UK time.
- Daily limits: No account receives more than two automated messages per day.
- Deduplication: Each type of message is sent at most once per account per period (typically once per month).
- Human escalation: Accounts flagged as very high risk are routed to a human team member.
- Opt-out respected: Every automated bot checks your opt-out preference before sending.
13) Your right to object to profiling
You have the right to object to profiling at any time, and we make it straightforward.
How to opt out
- Reply STOP to any automated message from NippyAgent. This immediately opts you out of all marketing and nudge messages.
- Send “STOP” as a regular message to NippyAgent on WhatsApp at any time — you don’t need to wait for an automated message first.
- Email us at support@nippyagent.co.uk and ask to be opted out.
What happens when you opt out
- You’ll stop receiving upgrade nudges, check-in messages, re-engagement reminders, streak notifications, and all other marketing-style automated messages.
- You will still receive essential service messages necessary to operate your account — for example, invoice payment reminders you’ve asked us to send on your behalf, subscription renewal notices, and payment failure alerts. These are part of the service, not marketing.
- Your profiling data is not deleted when you opt out — it simply isn’t used to send you messages. To delete your data entirely, see our Data deletion page.
How to opt back in
Reply START to NippyAgent on WhatsApp at any time. Your preference is updated immediately.
Further rights
Under UK GDPR Article 21, you have the right to object to any processing we carry out under legitimate interests. If you object and we cannot demonstrate compelling legitimate grounds that override your interests, we will stop the processing. To exercise this right, email support@nippyagent.co.uk.
If you’re unhappy with how we handle your request, you can lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.
14) Children
NippyAgent is not intended for children under 16.
15) Updates to this policy
We may update this Privacy Policy from time to time. We will update the date at the top of this page and, where appropriate, provide notice through our website or WhatsApp.