Privacy Policy

Last updated: 18 June 2026

1. Who we are

MyDeskly ("MyDeskly", "we", "us", "our") is the operator of the MyDeskly platform available at mydeskly.com and the MyDeskly mobile application.

For the purposes of UK data protection law, MyDeskly is the data controller in respect of the personal data of business owners and subscribers who use our platform.

When we process personal data about the callers or customers of a business that subscribes to MyDeskly, we do so as a data processor acting on that business's instructions. The subscribing business is the data controller for their callers' data.

ICO registration: pending registration — to be completed before commercial launch. Most organisations that process personal data in the UK must register with the Information Commissioner's Office (ICO).

For any data protection query, contact us at: support@mydeskly.com

2. What this policy covers

This policy explains how we handle:

3. Data we collect from business owners (subscribers)

At sign-up

During onboarding

Website knowledge ingestion (optional)

If you use the "import from my website" setup step, we scrape and process text content from your website (up to 15,000 characters). This is summarised by our AI and stored as a knowledge snapshot used to personalise AI replies. The original scraped text is not retained after processing.

Billing

We link your account to a record in our payment processor's system (Stripe). Your payment card details are entered directly into Stripe's hosted checkout and never reach our servers. We store your Stripe customer ID, subscription status, and billing period dates.

Device and technical data

4. Data we process about your callers (on your behalf)

When a call to your MyDeskly number is missed, our system processes the following on your behalf:

As the subscribing business, you are the data controller for your callers' data. MyDeskly processes this data as your data processor in accordance with Article 28 UK GDPR. Your obligations as a data controller are set out in the Terms of Service. Callers who wish to exercise their data rights should contact you directly; however, they may also contact us and we will assist.

5. Legal bases for processing

Where MyDeskly is the data controller (business owner data):

Data categoryLegal basis
Account data (name, email, business information)Performance of a contract with you — Article 6(1)(b) UK GDPR
Payment and billing recordsPerformance of a contract; legal obligation (tax and accounting) — Articles 6(1)(b) and 6(1)(c)
Push notificationsConsent — Article 6(1)(a), granted when you enable notifications on your device
Operational and security logsLegitimate interests — fraud prevention and service security — Article 6(1)(f)
Weekly email digestLegitimate interests — communicating useful service information to existing customers — Article 6(1)(f)

Where MyDeskly acts as data processor (caller data): you, as the subscribing business, are responsible for identifying and documenting your own legal basis for processing your callers' data. The most likely basis is legitimate interests (Article 6(1)(f) UK GDPR) — responding promptly to a missed call from a potential customer who voluntarily called the business. We recommend taking legal advice to confirm this applies to your circumstances.

6. AI processing

MyDeskly uses AI (powered by Anthropic's Claude language model) to:

When generating a reply, the AI is provided with your business details, tone preferences, and the most recent 40 messages in the caller's conversation history. This data is transmitted to Anthropic's API servers in the United States (see section 7 for the transfer mechanism). Anthropic's API terms of service state that API inputs and outputs are not used to train their models by default.

The AI is designed to be helpful and honest. It will not volunteer that it is an AI system, but will acknowledge this truthfully if a caller sincerely asks. You remain responsible for monitoring your inbox and intervening where the AI's response requires human follow-up.

7. Sub-processors and international data transfers

We rely on the following sub-processors to operate the service. Where data is transferred outside the UK, we state the transfer mechanism we rely on.

Sub-processorPurposeCountryTransfer mechanism
Supabase Database, authentication, and backend function hosting Ireland (AWS eu-west-1, EEA) UK adequacy regulations for EEA countries
Twilio SMS message delivery and UK phone number provisioning United States Twilio's UK GDPR Data Processing Addendum / Standard Contractual Clauses
Anthropic AI reply generation and website content summarisation United States Anthropic's API Data Processing Addendum / Standard Contractual Clauses
Stripe Payment processing and subscription management US / EU (Stripe Payments Europe Ltd) Standard Contractual Clauses; Stripe is PCI DSS Level 1 certified
Cal.com / Calendly Booking webhook processing and calendar integration United States Provider Data Processing Addendum / Standard Contractual Clauses
Expo / Apple APNs / Google FCM Push notification delivery to your device United States Provider terms; push notifications contain masked caller phone numbers only
Resend Weekly email digest delivery to your inbox United States Resend Data Processing Agreement
Google Fonts Web font delivery on the sign-up and legal pages United States Google DPA / Standard Contractual Clauses

We do not sell your personal data or your callers' personal data to any third party, and we do not use personal data for advertising purposes.

8. Data retention

Data categoryRetention period
Business owner account data (name, email, business settings) Retained for the duration of your subscription, plus 12 months after account closure for accounting and dispute resolution purposes
Caller lead records and SMS conversation history Retained for as long as your account is active. You can delete individual leads at any time from the app. All caller data is permanently deleted when your account is deleted.
Billing records Retained for 7 years as required by UK tax and accounting law
Push notification device tokens Deleted when you delete your account or uninstall the app
Operational and security logs Typically 30–90 days, as determined by the policies of Supabase and Twilio

When you delete your account via Settings in the app, your data — and all associated caller data — is permanently and immediately deleted from our database, including all SMS conversation history, lead records, and your business profile. This action is not reversible.

9. Your rights

Under UK GDPR, as a MyDeskly subscriber, you have the following rights in relation to your personal data:

To exercise any of these rights, email us at support@mydeskly.com. We will respond within one calendar month.

If you are a caller who received an automated SMS via a MyDeskly-powered business and you wish to exercise your data rights, please contact that business directly (as they are the data controller for your data). You can also contact us at support@mydeskly.com and we will direct your request appropriately.

SMS opt-out: If you received an automated SMS and wish to stop further messages from that business, reply STOP to the message. We will immediately add you to the opt-out list for that business and you will receive no further automated messages from them via MyDeskly.

10. Cookies and tracking

Our main website (mydeskly.com) does not use cookies, analytics scripts, tracking pixels, or any other tracking technology. We do not track visitors across sessions or devices.

The sign-up page and these legal pages load web fonts from Google Fonts (fonts.googleapis.com and fonts.gstatic.com). This involves your browser making a direct request to Google's servers, which shares your IP address and browser information with Google. Google's privacy policy governs their use of this data. We are evaluating self-hosting our fonts to eliminate this request entirely.

11. Security

We implement appropriate technical and organisational measures to protect personal data, including:

No security measure is infallible. In the event of a personal data breach that is likely to result in risk to individuals, we will notify the ICO within 72 hours and, where required, notify affected individuals without undue delay.

12. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email and by an in-app notice before the changes take effect. The date at the top of this page reflects the most recent update. Continued use of the service after a material update constitutes acceptance of the revised policy.

When we make material changes, we update the consent version number recorded at sign-up and may ask existing users to review and re-accept the updated policy.

13. Complaints

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at any time:

We would welcome the opportunity to address your concerns before you contact the ICO — please email us first at support@mydeskly.com.

Contact

Email: support@mydeskly.com