Danson Marketing Ltd (“Danson”, “we”, “us”, or “our”) takes the privacy of our website visitors, product users, and their end-customers seriously. This policy explains what personal data we collect, why we collect it, how we use it, and what rights you have over it.

This policy is issued under the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.

1. Who we are

The data controller is Danson Marketing Ltd, registered in England & Wales. For data protection queries, email [email protected] with the subject line “Data protection request”.

2. What we collect

2.1 When you visit this website

We collect minimal technical information automatically: anonymised IP, browser type, approximate geographic location, pages viewed, and referring URL. This is used for analytics and security only.

2.2 When you contact us

When you submit a form, email us, or book a call, we collect the information you provide: name, email, company, phone (optional), and message content. We use this to respond to your enquiry.

2.3 When you use Danson AI as an end-customer

If you are a customer of a business using Danson AI, the business you are interacting with is the data controller. Danson acts as a data processor on their behalf. We process message content, phone/handle, name if provided, timestamps, and routing metadata. We do not sell this data, do not use it to train third-party AI models, and do not share it outside the client business unless required by law.

2.4 When you use Danson AI as a client business

We collect company information, billing details (via payment processors), hashed authentication credentials, configuration data, and usage metrics.

3. Lawful basis for processing (UK GDPR Art. 6)

  • Contract — processing necessary to deliver services.
  • Legitimate interests — replying to enquiries, security, service improvement.
  • Consent — for non-essential cookies and marketing emails.
  • Legal obligation — tax, AML, or other statutory requirements.

4. Meta platform integrations (WhatsApp, Messenger, Instagram)

Danson AI connects to the WhatsApp Business API, Facebook Messenger Platform, and Instagram Messaging API on behalf of our client businesses. We comply with Meta’s WhatsApp Business Solution Terms, Messenger Platform Policies, and Instagram Platform Policies.

4.1 WhatsApp Business API

  • Messages are received via Meta’s official WhatsApp Business Platform (Cloud API) or, where authorised, via Evolution API as a self-hosted gateway.
  • We process only messages sent to or from the business’s registered WhatsApp Business number.
  • Message content is retained 90 days active, 12 months archive (unless client configures a shorter period).
  • End-customers can opt out by sending “STOP” or equivalent.

4.2 Facebook Messenger & Instagram Messaging

  • We connect via Meta’s Graph API with tokens granted by the client’s authorised Facebook page or Instagram business account.
  • We request only permissions necessary to receive, process, and respond to messages.
  • Profile info accessed is limited to public profile fields and message contents. We do not scrape posts, friend lists, or ad engagement data.
  • End-customers can revoke permissions via their Meta account settings.

4.3 Meta data deletion

Per Meta Platform requirements, end-customers can request deletion by emailing [email protected] with the subject “Meta data deletion request”. We process within 30 days.

5. Google Calendar and Google API integrations

Danson AI may connect to Google Calendar and related Google APIs when a client business explicitly authorises the integration through Google’s OAuth consent flow. We use this access only to provide scheduling and AI receptionist features requested by the client business.

5.1 Google Calendar data we may access

  • Calendar list and calendar identifiers needed to connect the selected calendar.
  • Free/busy availability and event details required to check appointment availability.
  • Event information required to create, update, or cancel appointments requested through Danson AI.
  • Attendee details provided for an appointment, such as name, email address, phone number where supplied, appointment time, and service notes.

5.2 How we use Google user data

Google Calendar data is used only to check availability, schedule appointments, prevent double bookings, send booking confirmations, update appointment records, and support the AI receptionist workflow configured by the client business.

We do not sell Google user data. We do not use Google Workspace API data to develop, improve, or train generalized AI or machine learning models. We do not allow humans to read Google user data unless required to provide support, investigate abuse or security issues, comply with law, or where the client business has given explicit permission.

Danson AI’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

5.3 Revoking Google access and deletion

Client businesses can disconnect Google Calendar from within Danson AI where available, revoke access from their Google Account permissions page, or request removal by emailing [email protected] with the subject “Google data deletion request”. We process deletion requests within 30 days, subject to legal, security, and accounting retention requirements.

5.4 Data protection mechanisms for Google Calendar data

We protect Google Calendar data and OAuth credentials using appropriate technical and organisational security measures, including:

  • HTTPS/TLS encryption for data transmitted between users, Danson AI, and Google APIs.
  • Secure server-side storage of OAuth access tokens, refresh tokens, calendar identifiers, and appointment data.
  • Access controls that restrict Google Calendar data to authorised application systems and authorised personnel only where necessary for support, security, legal compliance, or service operation.
  • Environment-based secret management so OAuth client secrets, access tokens, and refresh tokens are not stored in public repositories or exposed in client-side code.
  • Data minimisation, meaning we request and process only the Google Calendar data required to provide appointment scheduling, calendar synchronisation, availability checking, event creation, event updates, and cancellation features.
  • Logging and monitoring to help detect errors, abuse, unauthorised access attempts, and service misuse.
  • Retention controls so Google Calendar data is kept only for as long as needed to provide the service, maintain appointment records, meet legal or accounting obligations, resolve disputes, or maintain security logs.
  • Deletion and revocation controls allowing client businesses to disconnect Google Calendar, revoke OAuth access from their Google Account, or request deletion of Google Calendar-related data.

We do not expose Google Calendar OAuth tokens to end-customers or unauthorised third parties. We do not sell Google Calendar data, use it for advertising, or use it to train generalized AI or machine learning models.

6. Third-party processors

  • Anthropic and OpenAI — LLM inference. Neither trains on our API traffic by default.
  • Meta Platforms — WhatsApp, Messenger, Instagram connectivity.
  • Google APIs — Google Calendar connectivity and scheduling automation, only when explicitly authorised by the client business.
  • Stripe and PayPal — payment processing.
  • UK/EU hosting — primary data residency within the UK/EU.
  • HubSpot, Zoho, Pipedrive — CRM integrations, only when explicitly configured.

7. International data transfers

Some processors are US-based. Transfers rely on the UK/EU–US Data Privacy Framework, Standard Contractual Clauses approved by the UK ICO, and supplementary technical measures (encryption in transit and at rest).

8. Retention

  • Website contact enquiries: 24 months from last interaction.
  • Active conversation data (Danson AI): 90 days active, 12 months archive, then deleted.
  • Client account data: subscription duration + 7 years (tax/accounting).
  • Financial records: 7 years (UK statutory).
  • Logs (security, access): 90 days.
  • Google Calendar data: retained only while the Google Calendar integration is active and as needed for appointment history, legal, security, or accounting purposes. OAuth tokens are deleted when the integration is disconnected or access is revoked, unless temporary retention is required for security or legal reasons.

9. Your rights

Under UK GDPR you have the right to access, rectification, erasure, restrict processing, data portability, object, withdraw consent, and lodge complaints with the UK Information Commissioner’s Office (ico.org.uk). Email [email protected] to exercise these rights — we respond within 30 days.

10. Cookies

See our Cookie Policy.

11. Children’s privacy

Our services are intended for businesses and individuals aged 18 or over. We do not knowingly collect data from children under 13.

12. Changes to this policy

Material changes will be communicated via our website and, where contact details are held, by email.

13. Contact

[email protected]
Danson Marketing Ltd, United Kingdom