Dotty & Dash - Client Terms, Privacy Policy & Data Processing Agreement

Source: live onboarding flow at dottyanddash.ai

greetAI Ltd (trading as Dotty & Dash / dottyanddash.ai)

Registered in England & Wales, Company No. 16393572

59b Halliford Street, Islington, N1 3EQ

Part 1 - Client Terms & Conditions

Version 2.0 - Effective Date: 08 May 2026

Replaces all previous versions. Includes Schedule 1: Data Processing Agreement.

Legal Notices: These Terms explain how the dottyanddash.ai Service works, what you are agreeing to when you subscribe, and how data and security are handled. Schedule 1 below constitutes the Data Processing Agreement between the parties and forms an integral part of these Terms.

1. About the Service

dottyanddash.ai provides an AI-driven property enquiry response system that:

Responds instantly to incoming property enquiries from portals, web forms, or messaging channels.
Captures key details (e.g., lead contact info, property of interest).
Qualifies buyers/sellers with pre-configured questions.
Suggests availability and supports booking viewings or valuations.
Routes leads to your team when ready, so your agents spend more time closing deals and less time chasing replies.

The Service works 24/7 and is designed to help your agency respond faster than competitors, increasing viewings, conversations, and instructions.

2. Costs & Billing

Monthly plan. Your subscription is rolling month-to-month. Billing begins from the date agreed at sign-up. You may cancel at any time with 30 days' written notice. Cancellation takes effect at the end of the billing period following the 30-day notice window.

Annual plan. Annual subscribers commit to an initial 12-month term, billed annually from the agreed start date. After the initial 12-month term, the subscription continues on a rolling annual basis and may be cancelled with 90 days' written notice. Cancellation takes effect at the end of the annual billing period following the 90-day notice window.

Pricing Notes: The standard subscription fee applies regardless of a reduced feature scope. In good faith we may offer promotional discounts, but pricing is fixed once agreed.

3. Client Responsibilities (Connecting Channels & Data)

You are responsible for connecting and providing access to your email account and social channels used with the Service, including but not limited to:

Email inboxes (e.g., Gmail, Outlook)
WhatsApp Business
Any other channels used for receiving leads

You are also responsible for ensuring:

You have valid consent or lawful basis under UK GDPR and UK data protection laws before collecting, storing, processing, or messaging any personal contact data.
All individuals whose data is processed via the Service have opted-in or otherwise have lawful basis for automated responses and messaging.

We act as a data processor for data you supply; you are the data controller. We do not accept responsibility for compliance or consent issues arising from your data. The formal allocation of responsibilities between the parties as controller and processor is set out in Schedule 1 (Data Processing Agreement) below.

4. Data Sub-Processors & Third-Party Tools

To deliver the Service, greetAI Ltd engages third-party sub-processors who may access, store, or process personal data on our behalf. By agreeing to these Terms you provide general written authorisation for us to engage these sub-processors, in accordance with Schedule 1, Clause 5. We will give you 30 days' written notice before adding any new sub-processor that processes personal data relating to your clients or leads.

Sub-Processor	Purpose	Transfer Mechanism
High Level (GoHighLevel)	CRM, automated messaging, pipeline management, and workflow automation used to manage leads and communications on your behalf.	UK Addendum to EU SCCs
Cloudflare (Pages, Workers, KV)	Content delivery network, edge computing (Workers), key-value storage (KV), and application hosting infrastructure. Processes traffic including personal data in transit.	UK IDTA; EU adequacy where applicable
Anthropic (Claude)	AI language model powering intelligent conversation, lead qualification, and automated response generation within the Service.	UK IDTA
AI voice provider	AI voice synthesis used to generate natural-sounding voice responses for voice agent interactions. Processes conversation content including caller details where voice channels are active.	UK IDTA
Application hosting (Replit)	Cloud application platform used to host and run the dottyanddash.ai application and securely store associated data.	UK IDTA
Property data extraction	Automated property data extraction from agency websites and email. Used to parse and import property listings and enquiry data into the Service.	EU adequacy decision (UK-EU)
Rightmove extraction	Automated extraction of property listings from Rightmove. Used to sync live property data from Rightmove into the Service on your behalf.	EU adequacy decision (UK-EU)
Lead email parser	Automated parsing of incoming lead notification emails. Used to extract structured lead data from property portal and agency email notifications.	EU adequacy decision (UK-EU)

We ensure that all sub-processors operate under appropriate data processing agreements and comply with UK GDPR requirements. A full sub-processor list including location, purpose, and transfer mechanism is maintained in Annex B to Schedule 1 below.

5. GDPR Compliance & Data Protection

greetAI Ltd is committed to protecting the privacy of our clients and the individuals whose data flows through the Service. The full terms of our data processing obligations are set out in Schedule 1 (Data Processing Agreement) below, which forms a binding part of these Terms. The following is a summary of key principles. You should read this section alongside Schedule 1 and our Privacy Policy, and seek independent legal advice if you require further guidance on your own obligations.

What is the UK GDPR? The UK GDPR is the retained version of Regulation (EU) 2016/679 as incorporated into UK law following Brexit. It applies to the processing of personal data and gives individuals greater control over how their data is used. UK businesses must comply with its provisions, supplemented by the Data Protection Act 2018.

Controller & Processor Roles.

You are the controller. You decide what data to collect, why you collect it, and what you do with it. You are responsible for ensuring you have a valid lawful basis to process data and for complying with all controller obligations under UK GDPR.
greetAI Ltd is the processor. We store and manage the data you have collected, strictly in accordance with your instructions and Schedule 1 below. We will never use any personal data you upload to the Service for our own purposes or outside of your instructions.

Data Retention & Deletion (Data Retention Schedule):

While your subscription is active: All account data, contact records, conversation history, AI agent configuration, property listings, and lead data are retained for as long as your subscription is active.
30 days after cancellation - export window: Following termination, your data remains accessible for 30 days so you can request an export of contacts, conversation history, and property data.
90 days after cancellation - full deletion: All personal data held within the Service is permanently deleted within 90 days of your subscription ending. We will also instruct our sub-processors to delete data processed on your behalf.
Financial & billing records - 6 years: Invoices, payment records, and subscription history are retained for 6 years in accordance with HMRC requirements. These records do not contain personal lead or contact data.
Erasure requests - within 30 days: Valid erasure requests under UK GDPR will be actioned within 30 days of receiving a verified request, unless a legal obligation requires retention.
Anonymised analytics - indefinitely: Aggregated, anonymised usage statistics that cannot be linked to any individual may be retained indefinitely for service improvement.

To request a data export or erasure, contact us. We will respond within 5 business days.

International Data Transfers. Some sub-processors operate infrastructure outside the UK, including in the United States. Where such transfers occur, we utilise the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as applicable. Full details are set out in Annex B to Schedule 1.

Data Security.

Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
Strict access controls, role-based permissions, and authentication requirements.
Regular security testing and vulnerability assessments.
Automated back-up and data recovery systems.
Full technical and organisational security measures are documented in Annex A to Schedule 1.

6. Security of Your Data

We implement reasonable technical and organisational measures to protect your data against accidental loss, unauthorised access, destruction, or disclosure. However:

No system is completely secure.
We are not liable for breaches caused by third-party systems, integrations, or your own account access control.
You must ensure secure access management (e.g., passwords, user controls) for your own users.

7. Phone Numbers, Messaging Channels & PECR

We may allocate phone numbers, messaging channels, or other identifiers to help the Service work. You agree that:

We are not responsible for the performance, quality, reliability, or compliance of any third-party telephony or messaging service.
You are the sender for the purposes of the Privacy and Electronic Communications Regulations 2003 (PECR).
All SMS, WhatsApp, and voice messages sent via the Service are sent on your behalf, under your instructions, and you are solely responsible for ensuring valid consent or other lawful basis exists for each recipient before any automated message is sent.
Any regulatory responsibilities under PECR, including consent management, opt-out handling, and record-keeping, remain entirely with you as the agency sending the communications.
You indemnify greetAI Ltd against any claims, fines, or enforcement action arising from your failure to comply with PECR or equivalent messaging regulations.

8. Subscription Length & Cancellation

Cancellation Notice Periods:

Monthly plan - 30 days' written notice.
Annual plan - initial 12-month term: Your initial term is 12 months from the agreed start date. You may not cancel mid-term without liability for the remaining contract value.
Annual plan - after initial term - 90 days' written notice: After the initial 12-month term, the subscription continues on a rolling annual basis. You may cancel by giving 90 days' written notice. Cancellation takes effect at the end of the annual billing period following the notice window.

All cancellation notices must be submitted in writing by email. Verbal or in-app cancellations are not accepted. We will confirm receipt of your notice in writing within 5 business days.

9. Intellectual Property

We (and our licensors) own all rights to the dottyanddash.ai technology, software, and platform. You retain all rights to your data and content but grant us a limited licence to use it solely for the purpose of delivering the Service. Neither party may use the other's intellectual property outside of this agreement without prior written consent.

10. Liability & Limitation

To the maximum extent permitted by law:

Our total aggregate liability to you for any loss or damage arising from or related to the Service (whether in contract, tort, breach of statutory duty, or otherwise) shall be limited to the total fees you have paid in the 12 months immediately preceding the event giving rise to the claim.
We are not liable for indirect, special, or consequential losses (including lost revenue, lost leads, or lost business opportunities).

Carve-outs - the 12-month cap does not apply to:

Any liability arising from a personal data breach caused by our negligence, wilful misconduct, or failure to comply with our obligations under Schedule 1 (Data Processing Agreement) or UK GDPR.
Any liability arising from a breach of confidentiality obligations.
Any liability arising from an intellectual property indemnity claim.
Liability for death or personal injury caused by our negligence.
Liability for fraud or fraudulent misrepresentation.
Any other liability that cannot be limited or excluded under applicable law (including the Consumer Rights Act 2015 where applicable).

11. Governing Law & Jurisdiction

These Terms (including Schedule 1) are governed by the laws of England and Wales and disputes shall be resolved exclusively in the courts of England and Wales.

12. Updates to These Terms

We may update these Terms (including Schedule 1) to reflect changes in law, our services, or our data processing practices. We will notify you of material changes in writing with at least 30 days' notice before the changes take effect. Where changes are required to comply with applicable law, shorter notice may be given. Continued use of the Service after the effective date of any updated version constitutes acceptance of the new terms.

For general questions about these Terms or the Service, or for data & privacy queries, contact us.

Address: 59b Halliford Street, Islington, N1 3EQ

Part 2 - Schedule 1: Data Processing Agreement

Version 1.0 - Effective Date: 08 May 2026

This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between greetAI Ltd ("Processor") and the subscribing agency ("Controller") and governs the processing of personal data by the Processor on behalf of the Controller in connection with the dottyanddash.ai Service. It is intended to satisfy the requirements of Article 28 of the UK General Data Protection Regulation ("UK GDPR").

DPA Clause 1 - Definitions

In this DPA, the following terms have the meanings given below. Terms not defined here have the meanings given to them in the UK GDPR and the Data Protection Act 2018.

Controller means the subscribing estate agency that determines the purposes and means of processing personal data through the Service, as defined in Article 4(7) UK GDPR.
Processor means greetAI Ltd (trading as dottyanddash.ai), which processes personal data on behalf of the Controller, as defined in Article 4(8) UK GDPR.
Personal Data means any information relating to an identified or identifiable natural person (data subject), as defined in Article 4(1) UK GDPR.
Processing means any operation or set of operations performed on personal data, as defined in Article 4(2) UK GDPR.
Data Subject means an identified or identifiable natural person to whom the personal data relates.
Sub-Processor means any third party engaged by the Processor to carry out processing activities in respect of the Controller's personal data.
Data Protection Laws means the UK GDPR, the Data Protection Act 2018, and any successor legislation, as amended from time to time.
DSAR means a data subject access request made under Article 15 UK GDPR or any equivalent request by a data subject to exercise their rights under Data Protection Laws.
Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed, as defined in Article 4(12) UK GDPR.
TOMs means the technical and organisational security measures implemented by the Processor, as set out in Annex A.
UK IDTA means the International Data Transfer Agreement approved by the UK Information Commissioner's Office for restricted transfers of personal data from the UK to third countries.
UK Addendum means the UK Addendum to the EU Standard Contractual Clauses issued by the ICO under S119A(1) of the Data Protection Act 2018.

DPA Clause 2 - Subject Matter and Duration

2.1 Subject matter. The Processor shall process personal data on behalf of the Controller for the purpose of providing the dottyanddash.ai Service as described in these Terms and further detailed in Annex C.

2.2 Duration. This DPA commences on the date the Controller accepts these Terms and continues for the duration of the Service subscription. Upon termination or expiry of the subscription, the Processor shall continue to hold personal data for the retention periods set out in Section 5 of the main Terms, after which it shall delete or return personal data in accordance with Clause 8 of this DPA.

2.3 Nature of processing. The processing activities are further described in Annex C (Description of Processing).

DPA Clause 3 - Types of Personal Data and Categories of Data Subjects

3.1 Types of personal data processed include:

Full name and salutation
Email address
Telephone and mobile number
Property preferences (location, type, number of bedrooms)
Budget range and financial signals (e.g., whether cash buyer, mortgage in principle)
Rental or purchase intent
Conversation content (including AI-generated and human-authored messages)
Viewing and appointment history
Lead source and channel (e.g., Rightmove, WhatsApp, web form)
Any other personal data voluntarily provided by the data subject during enquiry

3.2 Categories of data subjects include:

Prospective buyers of residential property
Prospective sellers or vendors of residential property
Prospective tenants seeking residential lettings
Landlords seeking lettings management or valuations
Staff and contacts of the Controller's agency

DPA Clause 4 - Processor Obligations

The Processor shall comply with all obligations imposed on a processor under Article 28(3) UK GDPR. In particular:

4(a) - Documented Instructions. The Processor shall process personal data only on documented instructions from the Controller, as set out in these Terms and any written instructions provided by the Controller during the term. If the Processor is required to process personal data by applicable law, it shall notify the Controller before carrying out that processing unless prohibited by law. The Processor shall promptly notify the Controller if, in its opinion, any instruction infringes Data Protection Laws.

4(b) - Confidentiality. The Processor shall ensure that persons authorised to process the Controller's personal data are subject to binding written confidentiality obligations (whether under their employment contract or a separate agreement) and are made aware of the confidential nature of the data. The Processor shall limit access to personal data to those personnel who need access to carry out their duties in connection with the Service.

4(c) - Security. The Processor shall implement and maintain appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity to individuals. The Processor's current TOMs are set out in Annex A to this DPA.

4(d) - Sub-Processors. The Processor shall not engage any new sub-processor without giving the Controller at least 30 days' prior written notice, identifying the sub-processor and the nature of the processing. The Controller may object to the engagement of a new sub-processor on reasonable, documented grounds relating to Data Protection Laws by notifying the Processor in writing within the 30-day notice period. Where the Controller objects and the parties cannot resolve the objection within a further 30 days, either party may terminate the affected portion of the Service on written notice without penalty. The Processor shall impose equivalent data protection obligations on all sub-processors by way of written contract and shall remain fully liable to the Controller for the performance of any sub-processor's obligations. The current list of sub-processors is maintained in Annex B to this DPA.

4(e) - Assistance with Data Subject Rights. The Processor shall provide reasonable assistance to the Controller in responding to DSARs and other data subject rights requests (including rights of access, rectification, erasure, restriction, portability, and objection), taking into account the nature of the processing. Where the Processor receives a DSAR directly from a data subject relating to personal data processed under this DPA, it shall: (i) notify the Controller within 5 business days; and (ii) not respond to the data subject directly without the Controller's written authorisation, unless required to do so by law. The Processor shall action the Controller's instructions in relation to any DSAR within the timeframes required by applicable law.

4(f) - Assistance with Security, Breaches, DPIAs, and Prior Consultation. The Processor shall provide reasonable assistance to the Controller in ensuring compliance with its obligations under Articles 32-36 UK GDPR, including in relation to: (i) security of processing; (ii) notification of personal data breaches to the ICO and affected data subjects; (iii) data protection impact assessments; and (iv) prior consultation with the ICO where required. In the event of a Personal Data Breach affecting personal data processed under this DPA, the Processor shall notify the Controller without undue delay and in any event within 48 hours of becoming aware of the breach. The notification shall include, to the extent available: the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences of the breach, and the measures taken or proposed to address it.

4(g) - Deletion or Return at End of Contract. Upon termination or expiry of the subscription, and at the Controller's choice, the Processor shall either: (i) return all personal data processed under this DPA to the Controller in a commonly used machine-readable format; or (ii) securely delete all personal data processed under this DPA, in each case within the timescales set out in Section 5 of the main Terms. The Processor shall also instruct its sub-processors to delete or return personal data in accordance with this clause. The Processor shall provide the Controller with written confirmation of deletion upon request. This obligation does not apply to personal data that the Processor is required to retain by applicable law.

4(h) - Audit Rights. The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits and inspections conducted by the Controller or a mandated auditor, subject to the following conditions: (i) the Controller shall give the Processor at least reasonable prior written notice of an intended audit; (ii) audits shall be conducted no more than once per calendar year unless there has been a confirmed Personal Data Breach or a regulatory requirement for more frequent inspection; (iii) audits shall be conducted during normal business hours and in a manner that minimises disruption to the Processor's operations; and (iv) the Controller's right to audit may, at the Processor's option, be satisfied by the Processor providing its current TOMs document (Annex A) together with written responses to reasonable compliance questions from the Controller or its auditor.

DPA Clause 5 - Sub-Processor Authorisation

The Controller provides general written authorisation for the Processor to engage the sub-processors listed in Annex B as at the effective date of this DPA. The Processor may not add new sub-processors that process personal data relating to the Controller's clients or leads without complying with the 30-day notice requirement in Clause 4(d). The Processor shall impose data processing terms on all sub-processors that are no less protective than those set out in this DPA and shall remain liable for any breach of this DPA caused by a sub-processor's acts or omissions.

DPA Clause 6 - International Transfers

Where the processing of personal data involves a transfer of that data outside the UK to a country not benefiting from a UK adequacy regulation, the Processor shall ensure such transfer is made under an appropriate transfer mechanism as set out in Part 3 of the UK GDPR and the Data Protection Act 2018. The Processor shall use, where applicable, the UK International Data Transfer Agreement (UK IDTA) or the UK Addendum to the EU Standard Contractual Clauses (as updated by the ICO from time to time). The specific transfer mechanism applicable to each sub-processor is identified in Annex B to this DPA. Transfers within the EEA or to countries benefiting from an EU or UK adequacy decision are governed by the applicable adequacy framework.

DPA Clause 7 - Breach Notification

In the event of a confirmed or suspected Personal Data Breach, the Processor shall:

Notify the Controller without undue delay and in any event within 48 hours of the Processor becoming aware of the breach.
Include in the notification (to the extent then known): the nature of the breach; the categories and approximate number of data subjects and records affected; the likely consequences; and the measures taken or proposed to contain and mitigate the breach.
Cooperate with the Controller in complying with any obligation the Controller has to notify the ICO or affected data subjects.
Not communicate to any data subject or third party (other than the Controller or as required by law) about the breach without the Controller's prior written consent.

The Controller is responsible for notifying the ICO within 72 hours of becoming aware of a notifiable breach, where required by Article 33 UK GDPR. The Processor's breach notification is intended to give the Controller sufficient time to assess and, where necessary, notify the ICO within the required window.

DPA Clause 8 - Governing Law & Disputes

This DPA is governed by the laws of England and Wales. Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales. In the event of any conflict between this DPA and the main Terms, the provisions of this DPA shall prevail in relation to the processing of personal data.

Annex A - Technical and Organisational Measures (TOMs)

As referenced in DPA Clause 4(c) and 4(h). These measures represent the Processor's current security posture as at the effective date of this DPA.

A.1 Access Control

Role-based access controls (RBAC) restricting access to personal data to authorised personnel only.
Unique user credentials required for all system access; shared accounts are prohibited.
Multi-factor authentication (MFA) enforced for administrative and privileged access.
Access rights reviewed and updated when staff roles change or employment ends.

A.2 Encryption

All data in transit encrypted using TLS 1.2 or higher.
All data at rest encrypted using AES-256 or equivalent.
Database connections secured via encrypted channels.

A.3 Network & Infrastructure Security

Application hosted on enterprise-grade cloud infrastructure (Replit / Cloudflare) with built-in DDoS mitigation.
Cloudflare edge network used to filter and inspect traffic before it reaches application servers.
Network-level firewalls and web application firewall (WAF) rules in place.
Regular vulnerability scanning and penetration testing of application endpoints.

A.4 Data Integrity & Availability

Automated database backups taken daily with retention for 30 days.
Disaster recovery procedures documented and tested periodically.
Monitoring and alerting in place for service availability and anomalous access patterns.

A.5 Personnel Measures

All staff with access to personal data subject to binding confidentiality obligations.
Data protection awareness training provided to all staff prior to accessing personal data.
Background checks conducted on staff with privileged data access, where lawfully permissible.

A.6 Incident Management

Documented internal breach detection and response procedure.
Controller notification target: within 48 hours of confirmed breach awareness.
Post-incident review process to identify root cause and implement preventive measures.

A.7 Physical Security

No personal data stored on physical on-premise servers operated by greetAI Ltd; all data is held within contracted cloud infrastructure.
Physical access to offices where administrative access to systems may occur is restricted to authorised personnel.
Clean desk policy enforced; no printing of personal data unless strictly necessary.

Annex B - Sub-Processor List

As referenced in DPA Clauses 4(d) and 5. Current as at 08 May 2026. The Controller will be given 30 days' written notice of any additions or material changes.

Sub-Processor	Purpose	Personal Data Accessed	Transfer Mechanism
High Level (GoHighLevel)	CRM, pipeline management, automated messaging, and workflow automation	Name, email, phone, conversation content, lead status	UK Addendum to EU SCCs
Cloudflare (Pages, Workers, KV)	CDN, edge computing, key-value storage, and application delivery infrastructure	IP address, request metadata, data in transit through edge network	UK IDTA; EU adequacy for EEA processing
Anthropic (Claude)	AI language model for conversation generation, lead qualification, and automated responses	Conversation content, property preferences, contact context	UK IDTA
AI voice provider	AI voice synthesis for voice agent interactions	Conversation content, caller context passed to voice synthesis engine	UK IDTA
Replit	Cloud application hosting and development platform	All personal data stored within the application database	UK IDTA
Property data extraction	Automated data extraction from agency emails and websites	Email content, property listing data, enquiry contact details	EU adequacy decision (UK-EU bridge)
Rightmove extraction	Automated extraction of property listings from Rightmove	Publicly listed property data (no lead personal data)	EU adequacy where applicable
Lead email parser	Automated parsing of lead notification emails from property portals	Lead email content including name, email, phone, enquiry details	EU adequacy where applicable

This list will be updated when sub-processors are added or removed. The most current version is always the one attached to these Terms.

Annex C - Description of Processing

As referenced in DPA Clause 2. This Annex provides a formal description of the processing carried out by the Processor on behalf of the Controller.

C.1 Subject Matter of Processing. The provision of an AI-powered lead capture, qualification, response, and routing service for the Controller's estate agency, operating across the channels selected by the Controller at signup and as activated from time to time during the subscription.

C.2 Duration of Processing. The duration of the Controller's subscription, plus the applicable retention period following termination as set out in Section 5 of the main Terms and DPA Clause 2.2.

C.3 Nature and Purpose of Processing. The Processor carries out the following processing activities on behalf of the Controller:

Automated lead capture: Receiving and logging incoming enquiries from property portals (Rightmove, Zoopla, OnTheMarket), web forms, SMS, WhatsApp, email, and social channels.
Automated lead qualification: Using AI to engage data subjects in structured conversations to capture property preferences, budget, timeline, and intent (buy, sell, rent, let).
Automated response generation: Using AI language models to generate and send personalised responses to data subject enquiries on behalf of the Controller.
Lead routing and notification: Forwarding qualified lead data and conversation summaries to the Controller's staff via CRM, email, or SMS notification.
Data storage and retrieval: Storing contact records, conversation history, property preferences, and lead status within the platform database for the Controller's access.
Viewing and appointment management: Capturing and recording preferred viewing dates and times expressed by data subjects during AI conversations.
Voice interaction (where activated): Processing inbound and outbound voice calls using AI-generated voice responses; call content may include personal data.

C.4 Types of Personal Data. As set out in DPA Clause 3.1 above.

C.5 Categories of Data Subjects. As set out in DPA Clause 3.2 above.

C.6 Special Categories of Personal Data. The Service is not designed or intended to collect special categories of personal data as defined in Article 9 UK GDPR. The Controller must not input or cause to be processed through the Service any special category data without prior written agreement from the Processor. Where special category data is inadvertently received, the Processor will notify the Controller and delete such data promptly.

C.7 Controller's Instructions. The Processor's documented instructions are: to receive, store, process, and transmit personal data solely for the purposes set out in C.3 above, in accordance with the configuration settings established by the Controller within the Service, and in compliance with Data Protection Laws. The Controller may issue further written instructions via email during the term of the subscription.

For questions about this DPA, Annex A, B, or C, or for legal notices or cancellations, contact greetAI Ltd.

greetAI Ltd, 59b Halliford Street, Islington, N1 3EQ, Company No. 16393572.

Part 3 - Privacy Policy

This Privacy Policy explains how greetAI Ltd ("we", "us") collects, uses, stores, and protects personal data when you use the dottyanddash.ai service (the "Service"). We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Information We Collect

When you sign up or use our Service, we may collect:

Contact information: Name, email address, phone number
Business information: Company name, company website, office locations
Account information: Login credentials, preferences, AI agent configuration
Usage data: How you interact with the Service, feature usage, conversation analytics
Payment information: Billing details processed securely via Stripe (we do not store card details)
Technical data: IP address, browser type, device information

2. How We Use Your Information

We use your personal data to:

Provide, maintain, and improve the Service
Set up and manage your account and AI agent
Process payments and manage subscriptions
Send service-related communications (onboarding, updates, support)
Provide analytics and reporting on AI agent performance
Respond to your enquiries and provide customer support
Comply with legal obligations

3. Lawful Basis for Processing

We process your data based on the following lawful grounds:

Contract: Processing necessary to perform our contract with you (providing the Service)
Legitimate interests: Improving our Service, analytics, and business operations
Consent: Where you have given explicit consent (e.g., marketing communications)
Legal obligation: Where we are required to process data by law

4. Data Processing Roles

When you use the Service to handle property enquiries:

You are the data controller for any personal data of your customers, leads, or contacts processed through the Service.
We act as a data processor, processing such data on your behalf and in accordance with your instructions.
You are responsible for ensuring you have a lawful basis (e.g., consent, legitimate interest) to process your customers' data through the Service.

5. Data Sharing

We may share your data with:

Service providers: Including Stripe (payments), Twilio (SMS/voice), Resend (email), and OpenAI (AI processing) - each operating under their own privacy policies and data processing agreements.
Legal authorities: Where required by law, regulation, or legal process.

We do not sell your personal data to third parties.

6. Data Retention

We retain your data for as long as:

Your account is active and you are using the Service
Required to fulfil the purposes outlined in this policy
Required by law (e.g., financial records retained for 6 years)

After account closure, we will delete or anonymise your data within a reasonable period, except where retention is required by law.

7. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

Encryption of data in transit (TLS/SSL)
Secure access controls and authentication
Regular security reviews

No system is completely secure, and we cannot guarantee absolute security. You are responsible for maintaining the security of your account credentials.

8. Your Rights

Under UK GDPR, you have the right to:

Request a copy of the personal data we hold about you
Request correction of inaccurate or incomplete data
Request deletion of your data (subject to legal obligations)
Request restriction of processing in certain circumstances
Request your data in a structured, machine-readable format
Object to processing based on legitimate interests

To exercise any of these rights, contact us. We will respond within 30 days.

9. Cookies

We use essential cookies to keep you logged in and to ensure the Service functions correctly. We do not use third-party tracking or advertising cookies.

10. International Transfers

Some of our service providers may process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place (such as the UK IDTA or UK Addendum to the EU Standard Contractual Clauses).

greetAI Ltd (trading as Dotty&Dash) • Company No. 16393572 • 59b Halliford Street, Islington, N1 3EQ