Privacy Policy & Terms of Service

Last updated: March 2026

Part 1 — Privacy Policy

1. Data Controller

SCYA AI LTD ("Scya", "we", "us", "our") is a company registered in England and Wales (Company No. 16704713), with its registered office at 128 City Road, London, EC1V 2NX, United Kingdom. We act as the data processor on behalf of our business customers (the data controllers) when handling end-user data through our services. For data collected directly through our website (scya.ai), we act as the data controller.

Email: info@scya.ai | Phone: +39 0422 169 7583

2. Services Overview

Scya provides two AI-powered services to businesses:

  • Scya Voice — AI-powered phone calls and WhatsApp messaging for customer management, including proactive outreach, appointment booking, customer lifecycle management, marketing campaigns, and support escalation.
  • Scya Pilot — AI-powered website navigation widget that assists visitors by scrolling, highlighting content, filling forms, and booking appointments directly on the business's website.

These services are provided to businesses ("Business Customers") who in turn serve their own clients ("End Users"). This privacy policy addresses both relationships.

3. Data We Collect

3.1 Business Customer Data

When a business subscribes to Scya services, we collect and process:

  • Business legal name, trading name, and registration details
  • Contact information: email address, phone number, business address
  • Dashboard login credentials (encrypted)
  • Service configuration: AI behaviour presets, custom categories, proactive messaging rules, return cycle settings, promotion templates, batch processing schedules
  • Billing information and usage metrics
  • System memory and custom instructions for AI behaviour
  • Booking system settings and availability schedules

3.2 End User Data (Scya Voice)

When end users interact with a business through Scya Voice (phone calls or WhatsApp), the following data is collected and processed:

  • Phone number — used as the primary unique identifier to recognise returning customers across both voice and WhatsApp channels
  • Voice call recordings — full audio recordings of all phone conversations handled by the AI are stored and accessible to the Business Customer via their dashboard
  • Voice call transcriptions — AI-generated transcripts of all voice conversations
  • WhatsApp message history — complete text-based conversation history, including messages sent by the AI, the end user, and any template messages
  • Voice notes — audio messages sent by end users via WhatsApp, which are processed and "listened to" by the AI
  • AI-generated customer notes — after each interaction (call or chat), a dedicated AI analyser reads the entire conversation and generates/updates structured notes (up to 500 words) containing: customer preferences, booking history, interaction patterns, personal details shared during conversation, order history, and other relevant information
  • Customer tags — automatically assigned by the AI after each interaction (e.g., lifecycle stage, marketing preferences, service categories)
  • GDPR consent record — timestamp of when the end user was informed about AI processing and consented to the service terms
  • Marketing consent status — whether the end user has opted in or out of proactive marketing messages and campaigns
  • Personal dates — birthdays, anniversaries, or other dates voluntarily shared or provided by the Business Customer for personalised promotions
  • Booking and appointment data — dates, times, services booked, cancellations, reschedules
  • Feedback and ratings — any feedback provided by end users during or after interactions
  • Lifecycle status — the customer's current stage in the engagement lifecycle (First Contact, Active, Ready, Standby, Sleeping, Archived)
  • Proactive vault entries — scheduled proactive actions and messages queued for future delivery
  • Escalation tickets — when the AI cannot answer a question, it creates a support ticket containing the conversation context, the question, and a suggested answer, which is stored and accessible to the Business Customer

3.3 End User Data (Scya Pilot)

When website visitors interact with the Scya Pilot widget:

  • Text queries submitted through the chat interface
  • Session interaction data (pages navigated, elements highlighted)
  • Form data voluntarily entered during AI-assisted form completion
  • Booking selections made through the widget

Scya Pilot does not collect personal data unless voluntarily provided by the visitor during the conversation. No cookies are set by the widget; session state is maintained via browser session storage only.

4. How We Use Data

4.1 Service Delivery

  • Recognising returning customers by phone number across voice and WhatsApp channels
  • Maintaining conversation continuity — if a customer calls first and later writes on WhatsApp (or vice versa), the AI has access to the full interaction history across both channels
  • Generating and updating AI customer notes after each interaction to provide increasingly personalised service
  • Executing the Dynamic Smart Flow lifecycle: automatically managing customer engagement from first contact through active, ready, standby, sleeping, and archived stages
  • Running proactive outreach: the system analyses all customers with expired engagement countdowns every 6 hours, decides whether to reach out, generates personalised messages, and schedules the next check-in
  • Sending WhatsApp template messages (required by WhatsApp after 24 hours of inactivity) for reminders, feedback requests, marketing, and re-engagement
  • Processing appointment bookings, verifying availability against the business dashboard to prevent double bookings, and sending pre-appointment reminders (via WhatsApp and/or voice call)
  • Handling smart escalation: when the AI cannot answer a question, creating a ticket with full conversation context for the Business Customer to respond to, then re-contacting the end user with the answer
  • Executing mass marketing campaigns based on AI-generated customer tags selected by the Business Customer
  • Triggering personalised promotions based on personal dates (birthdays, anniversaries)
  • Navigating websites for visitors (Scya Pilot): scrolling, highlighting, form filling, and booking based on the visitor's queries

4.2 Analytics and Reporting

  • Providing Business Customers with AI-generated analytics statements (available weekly), including trend analysis compared to previous periods
  • Tracking new customer acquisition, interaction volumes, booking rates, common questions, and engagement patterns
  • Aggregating anonymised usage data to improve our AI models and service quality

4.3 What We Do NOT Do

  • We do not sell end user data to third parties
  • We do not use end user data for purposes unrelated to the service provided to the Business Customer
  • We do not share end user data between different Business Customers — all data is strictly isolated per business (multi-tenant architecture)
  • The AI is instructed to deflect conversations about topics unrelated to the business's services

5. Data Visibility and Access

5.1 Business Customer Access

Business Customers have full access to all data related to their end users through the Scya dashboard. This includes:

  • Complete WhatsApp conversation histories for every customer
  • Full voice call recordings (playable from the dashboard)
  • Voice call transcriptions
  • AI-generated customer notes and all updates
  • Customer tags and lifecycle status
  • Booking history and upcoming appointments
  • Escalation tickets with AI-suggested responses
  • Feedback received from end users
  • Marketing campaign delivery status and responses
  • Analytics and trend reports

Business Customers are responsible for their own compliance with applicable data protection laws when accessing and using this data. By subscribing to Scya, Business Customers agree to process end user data in accordance with applicable law and their own privacy obligations.

5.2 Scya (Our Access)

As the platform provider and data processor, Scya has technical access to all data stored on the platform. This access is used solely for:

  • Providing and maintaining the service
  • Technical support and troubleshooting
  • System monitoring and security
  • Service improvement through anonymised, aggregated analysis

6. Legal Basis for Processing (GDPR)

We process personal data under the following legal bases:

  • Consent — End users are informed at first interaction that they are communicating with an AI assistant. By continuing the conversation, they consent to the processing of their data. This consent is recorded with a timestamp. End users are informed that they can request deletion of their data at any time by stating so during any interaction.
  • Legitimate Interest — Proactive re-engagement and marketing messages are sent based on the legitimate interest of the Business Customer in maintaining customer relationships. End users can opt out of marketing communications at any time.
  • Contract Performance — Processing necessary for appointment bookings, service delivery, and customer support.
  • Legal Obligation — Where required by applicable law.

7. Consent and Marketing

7.1 First Interaction Consent

At the very first interaction with an end user (whether via phone call or WhatsApp), Scya:

  • Identifies itself as an AI assistant operating on behalf of the business
  • Informs the end user that by responding, they accept the terms of use
  • Informs the end user that they can request deletion of their personal data at any time by communicating this during any interaction
  • Informs the end user that they can opt out of marketing notifications by stating so
  • Records a consent timestamp in the system

7.2 Marketing Opt-Out

End users can opt out of proactive marketing messages and campaigns at any time by:

  • Stating during any voice call or WhatsApp conversation that they do not wish to receive marketing messages
  • The AI will immediately tag the customer as "Marketing Off" and cease all proactive marketing outreach
  • Service-related communications (appointment reminders, booking confirmations, direct responses to enquiries) are not affected by marketing opt-out

7.3 WhatsApp Template Messages

Due to WhatsApp Business API requirements, template messages (pre-approved message formats) must be used to initiate conversations after 24 hours of inactivity. These templates may include: appointment reminders, feedback requests, general updates, marketing offers, and custom messages configured by the Business Customer. Template categories and content are subject to WhatsApp's approval process.

8. Proactive AI Behaviour

Scya Voice operates a proactive engagement system. It is important that end users understand how this works:

  • Every 6 hours, the system analyses all customers whose engagement countdown has expired
  • The AI reads each customer's full history (notes, interactions, booking patterns) and decides whether a proactive action is appropriate
  • If appropriate, the AI generates a personalised message and sends it via WhatsApp (using a template if required) or initiates a voice call
  • The system sets a new countdown for the next check-in based on the customer's lifecycle stage and interaction patterns
  • Customers who have opted out of marketing ("Marketing Off" tag) are excluded from proactive marketing campaigns but may still receive service-related proactive messages (e.g., appointment reminders) if configured by the Business Customer
  • Customers in the "Archived" stage (no contact after maximum lifecycle cycles) receive zero proactive communications
  • If the proactive batch process fails, it checkpoints its progress and resumes from where it stopped in the next cycle

9. Voice Call Recording and Processing

  • All phone calls handled by Scya Voice are recorded in their entirety
  • Recordings are stored securely and are accessible to the Business Customer via the dashboard
  • After each call, a dedicated AI module reads and analyses the full recording/transcript and updates the customer's AI notes accordingly
  • End users are informed at first interaction that calls are handled by AI; the nature of AI processing implies recording for service delivery purposes
  • Business Customers are responsible for any additional call recording disclosures required by their local jurisdiction

10. Data Storage and Security

  • All data is stored on Supabase (PostgreSQL) infrastructure with encryption at rest and in transit
  • Application services run on Google Cloud Run with automatic scaling and isolation
  • Multi-tenant architecture ensures complete data isolation between Business Customers — no data is shared or accessible across tenants
  • Customer identification is performed via phone number verification at each interaction
  • AI models (Google Gemini) process data in real-time and do not retain conversation data beyond the immediate API request
  • Embeddings and semantic search data (for Scya Pilot) are stored in vector databases isolated per business
  • Access to the dashboard is protected by authentication; Business Customers are responsible for maintaining the security of their credentials

11. Data Retention and Deletion

11.1 End User Data Deletion

End users can request deletion of their data at any time by communicating this during any interaction with Scya (voice call or WhatsApp message). Upon such request:

  • The AI acknowledges the request immediately
  • All personal data associated with the end user's phone number is permanently deleted within 30 days
  • This includes: conversation histories, call recordings, AI-generated notes, tags, booking history, personal dates, and any other associated data
  • Deletion is irreversible

11.2 Automatic Archiving

Customers who have had no contact or bookings after a defined number of lifecycle cycles (configured per business) are automatically tagged as "Archived". Archived profiles receive zero proactive communications. If an archived customer contacts the business again, their identity is re-verified and their profile may be reactivated or a new profile created.

11.3 Business Customer Data

Upon termination of a Business Customer's subscription, all associated data (including all end user data processed on their behalf) is available for export for 30 days, after which it is permanently and irreversibly deleted from all systems.

12. International Data Transfers

Data may be processed in the European Economic Area (EEA) and in other regions where our infrastructure providers (Google Cloud Platform, Supabase) operate data centres. Where data is transferred outside the EEA, we rely on adequacy decisions, standard contractual clauses, or other approved transfer mechanisms as required by applicable law.

13. Third-Party Services

We use the following third-party services to provide our platform:

  • Google Cloud Platform — hosting, computing (Cloud Run), and infrastructure
  • Google Gemini API — AI language model for conversation handling, customer analysis, note generation, and proactive message creation
  • Google Vertex AI — text embeddings for semantic search (Scya Pilot)
  • WhatsApp Business API (Meta) — messaging delivery and template management
  • Supabase — database (PostgreSQL) and vector storage
  • Playwright — web crawling for Scya Pilot knowledge base generation (crawls business customer websites only)

Each third-party service has its own privacy policy and data processing terms. We select providers that comply with applicable data protection standards.

14. End User Rights

Under the UK GDPR and EU GDPR, end users have the following rights:

  • Right of Access — request a copy of the personal data we hold about you
  • Right to Rectification — request correction of inaccurate data
  • Right to Erasure — request deletion of your data (can be done verbally during any interaction)
  • Right to Restrict Processing — request limitation of how your data is processed
  • Right to Data Portability — request your data in a machine-readable format
  • Right to Object — object to processing based on legitimate interest, including marketing
  • Right to Withdraw Consent — withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal

To exercise any of these rights, end users can communicate their request during any interaction with Scya, or contact us directly at info@scya.ai.

Part 2 — Terms of Service

15. Definitions

  • "Service" refers to Scya Voice, Scya Pilot, and any related features provided by SCYA AI LTD
  • "Business Customer" refers to the business entity subscribing to and using Scya services
  • "End User" refers to the customer of a Business Customer who interacts with Scya via phone, WhatsApp, or website widget
  • "Dashboard" refers to the web-based management interface provided to Business Customers
  • "AI Notes" refers to the AI-generated customer profiles and notes maintained by the system

16. Service Description

16.1 Scya Voice

Scya Voice provides AI-powered customer communication through two channels:

  • Voice Calls — AI handles inbound and outbound phone calls on behalf of the Business Customer. Calls are recorded and transcribed. The AI manages bookings, answers queries, escalates issues, and conducts proactive outreach.
  • WhatsApp Messaging — AI handles WhatsApp conversations on behalf of the Business Customer. Conversations are stored in full. Template messages are used where required by WhatsApp's policies.

Both channels share a unified customer memory. A customer identified by phone number can seamlessly transition between voice and WhatsApp with full conversation context preserved.

16.2 Scya Pilot

Scya Pilot provides an AI-powered website assistant widget. It is installed via a JavaScript snippet on the Business Customer's website. The widget crawls the website content, builds a knowledge base, and assists visitors by answering questions, navigating between pages, scrolling to relevant content, highlighting elements, and assisting with form completion and bookings. All responses are grounded in the actual website content — the AI does not generate information that is not present on the site.

16.3 Nature of AI Service

Scya is an artificial intelligence service. While designed to provide accurate and helpful responses, it may occasionally produce imperfect outputs. Business Customers acknowledge that:

  • AI responses are generated algorithmically and may not always be perfect
  • The Business Customer is responsible for configuring AI behaviour presets and instructions appropriately
  • The smart escalation feature should be relied upon for questions the AI cannot confidently answer
  • Scya is not a substitute for professional human judgement in critical or regulated matters

17. Business Customer Obligations

  • Ensure that your use of Scya complies with all applicable laws and regulations in your jurisdiction, including data protection, consumer protection, telecommunications, and marketing laws
  • Provide accurate and up-to-date business information and instructions for AI configuration
  • Comply with WhatsApp Business API policies and terms when using WhatsApp features
  • Where required by local law, provide additional notice to end users about AI interaction, call recording, or data processing beyond what Scya provides by default
  • Not use Scya to send spam, make unsolicited marketing calls, or engage in any unlawful activity
  • Maintain the security of dashboard credentials and promptly notify us of any suspected unauthorised access
  • Not attempt to reverse-engineer, copy, or misuse Scya's AI technology or proprietary systems
  • Respond to escalation tickets in a timely manner to maintain service quality for end users

18. Prohibited Uses

You may not use Scya to:

  • Violate any applicable law, regulation, or third-party rights
  • Send unsolicited bulk messages or make unsolicited bulk calls (spam)
  • Impersonate any person, business, or entity
  • Process data of minors (under 16) without verifiable parental consent
  • Handle sensitive categories of data (health, political, religious, biometric) unless explicitly agreed in writing
  • Attempt to manipulate, exploit, or circumvent the AI's safety mechanisms
  • Use the service for surveillance or monitoring without appropriate legal basis and consent
  • Resell or sublicence the service without written agreement

19. Pricing and Payment

  • Services are billed on a pay-per-use basis with monthly minimum thresholds
  • Specific rates for voice calls (per minute), WhatsApp messages (per message), and Pilot queries (per query) are communicated during onboarding and detailed in the service agreement
  • Monthly minimum fees apply per active channel and are non-refundable
  • We reserve the right to adjust pricing with a minimum of 30 days written notice
  • Invoices are issued monthly and payment is due within the terms specified in the service agreement
  • Failure to pay may result in service suspension after a reasonable notice period

20. Service Availability

  • Scya aims to provide 24/7 service availability but does not guarantee uninterrupted service
  • Scheduled maintenance will be communicated in advance where possible
  • We are not liable for downtime caused by third-party service providers (Google Cloud, WhatsApp, Supabase), force majeure events, or circumstances beyond our reasonable control
  • The proactive batch processing system includes checkpoint and recovery mechanisms: if a batch fails, it resumes from the last checkpoint in the next cycle

21. Intellectual Property

  • All Scya technology, software, AI models (excluding third-party models), branding, and proprietary systems remain the exclusive property of SCYA AI LTD
  • Business Customers retain ownership of their business data and content
  • AI-generated customer notes and analytics are created for the benefit of the Business Customer and may be exported or deleted at any time
  • The Business Customer grants Scya a licence to process their content and data solely for the purpose of providing the service

22. Limitation of Liability

  • Scya provides services "as is" and "as available" without warranties of any kind, whether express or implied
  • We do not warrant that the AI will be error-free, always available, or suitable for any particular purpose
  • We are not liable for any indirect, incidental, special, consequential, or punitive damages arising from or related to the use of our services
  • Our total aggregate liability for any claims arising from the service shall not exceed the total amount paid by the Business Customer in the 12 months preceding the claim
  • We are not liable for actions taken by end users based on AI-generated responses or for any business decisions made in reliance on AI analytics
  • We are not liable for data loss or damage caused by circumstances beyond our reasonable control, including third-party service failures

23. Indemnification

The Business Customer agrees to indemnify and hold harmless SCYA AI LTD, its directors, employees, and agents from any claims, damages, losses, or expenses (including legal fees) arising from:

  • The Business Customer's violation of these terms
  • The Business Customer's violation of applicable laws or third-party rights
  • End user claims arising from the Business Customer's use or configuration of the service
  • Content, instructions, or data provided by the Business Customer to configure the AI

24. Termination

  • Either party may terminate the service agreement at any time with written notice (email is sufficient)
  • We may suspend or terminate service immediately if the Business Customer violates these terms, engages in prohibited uses, or fails to pay after reasonable notice
  • Upon termination, the Business Customer may export their data within 30 days
  • After the 30-day export period, all data (including all end user data processed on behalf of the Business Customer) is permanently and irreversibly deleted
  • Sections relating to limitation of liability, indemnification, and intellectual property survive termination

25. Modifications to Terms

We may update these terms from time to time. Material changes will be communicated via email to Business Customers at least 30 days before taking effect. Continued use of the service after the effective date constitutes acceptance of the updated terms. If you do not agree with the changes, you may terminate the service before the effective date.

Part 3 — Cookie Policy

26. Cookies on scya.ai

  • Essential cookies — required for basic site functionality (WordPress session management). Cannot be disabled.
  • Analytics — Google Site Kit may set analytics cookies to help us understand site traffic. These are subject to your consent via the cookie banner (managed by WPConsent).
  • Scya Pilot widget — uses browser session storage (not cookies) to maintain conversation state during a visit. Session storage is automatically cleared when the browser tab is closed. No persistent cookies are set by the widget.

We do not set any third-party advertising or tracking cookies.

27. Governing Law

These terms and this privacy policy are governed by and construed in accordance with the laws of England and Wales. Any disputes arising from these terms shall be subject to the exclusive jurisdiction of the courts of England and Wales.

28. Contact

For any questions, requests, or complaints regarding this policy, your data, or our services:

We aim to respond to all data-related requests within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) in the United Kingdom (our ICO registration number is ZC065781) or the supervisory authority in your country of residence.