Privacy Policy
Last updated: 18 June 2026
1. Who we are
MyDeskly ("MyDeskly", "we", "us", "our") is the operator of the MyDeskly platform available at mydeskly.com and the MyDeskly mobile application.
For the purposes of UK data protection law, MyDeskly is the data controller in respect of the personal data of business owners and subscribers who use our platform.
When we process personal data about the callers or customers of a business that subscribes to MyDeskly, we do so as a data processor acting on that business's instructions. The subscribing business is the data controller for their callers' data.
ICO registration: pending registration — to be completed before commercial launch. Most organisations that process personal data in the UK must register with the Information Commissioner's Office (ICO).
For any data protection query, contact us at: support@mydeskly.com
2. What this policy covers
This policy explains how we handle:
- Personal data we collect from you as a subscribing business owner when you sign up and use MyDeskly.
- Personal data we process about your callers on your behalf (in our capacity as your data processor).
- Data collected when you visit mydeskly.com.
3. Data we collect from business owners (subscribers)
At sign-up
- Your full name, email address, and password (stored in encrypted form — we never store your password in plaintext).
- The date and version of your consent to our Terms of Service and this Privacy Policy.
During onboarding
- Your business name and trade type (e.g. Driveways, Roofing, Solar).
- Your personal mobile number — used solely to send you push and SMS notifications when a new missed call arrives.
- Your booking page URL (your Cal.com or Calendly link).
- Your business hours and timezone.
- Optionally: a custom AI greeting, after-hours message, tone preference, and up to 500 characters of free-text instructions for how the AI should communicate on your behalf.
Website knowledge ingestion (optional)
If you use the "import from my website" setup step, we scrape and process text content from your website (up to 15,000 characters). This is summarised by our AI and stored as a knowledge snapshot used to personalise AI replies. The original scraped text is not retained after processing.
Billing
We link your account to a record in our payment processor's system (Stripe). Your payment card details are entered directly into Stripe's hosted checkout and never reach our servers. We store your Stripe customer ID, subscription status, and billing period dates.
Device and technical data
- Push notification device tokens (to alert you to new missed calls on your phone).
- Log and event data generated when you use the service (used for security, error investigation, and reliability monitoring).
4. Data we process about your callers (on your behalf)
When a call to your MyDeskly number is missed, our system processes the following on your behalf:
- The caller's phone number (received via our SMS provider's webhook).
- The full SMS conversation between the caller and our AI system.
- The caller's first name and a description of their job or enquiry (extracted by the AI from the conversation).
- Appointment booking confirmation details, if the caller books a survey or quote via Cal.com or Calendly.
- Any notes you add to the lead manually within the app.
As the subscribing business, you are the data controller for your callers' data. MyDeskly processes this data as your data processor in accordance with Article 28 UK GDPR. Your obligations as a data controller are set out in the Terms of Service. Callers who wish to exercise their data rights should contact you directly; however, they may also contact us and we will assist.
5. Legal bases for processing
Where MyDeskly is the data controller (business owner data):
| Data category | Legal basis |
|---|---|
| Account data (name, email, business information) | Performance of a contract with you — Article 6(1)(b) UK GDPR |
| Payment and billing records | Performance of a contract; legal obligation (tax and accounting) — Articles 6(1)(b) and 6(1)(c) |
| Push notifications | Consent — Article 6(1)(a), granted when you enable notifications on your device |
| Operational and security logs | Legitimate interests — fraud prevention and service security — Article 6(1)(f) |
| Weekly email digest | Legitimate interests — communicating useful service information to existing customers — Article 6(1)(f) |
Where MyDeskly acts as data processor (caller data): you, as the subscribing business, are responsible for identifying and documenting your own legal basis for processing your callers' data. The most likely basis is legitimate interests (Article 6(1)(f) UK GDPR) — responding promptly to a missed call from a potential customer who voluntarily called the business. We recommend taking legal advice to confirm this applies to your circumstances.
6. AI processing
MyDeskly uses AI (powered by Anthropic's Claude language model) to:
- Generate SMS replies to callers on your behalf.
- Extract structured information from conversations (caller name, job type, lead status).
- Summarise your website content during onboarding setup.
When generating a reply, the AI is provided with your business details, tone preferences, and the most recent 40 messages in the caller's conversation history. This data is transmitted to Anthropic's API servers in the United States (see section 7 for the transfer mechanism). Anthropic's API terms of service state that API inputs and outputs are not used to train their models by default.
The AI is designed to be helpful and honest. It will not volunteer that it is an AI system, but will acknowledge this truthfully if a caller sincerely asks. You remain responsible for monitoring your inbox and intervening where the AI's response requires human follow-up.
7. Sub-processors and international data transfers
We rely on the following sub-processors to operate the service. Where data is transferred outside the UK, we state the transfer mechanism we rely on.
| Sub-processor | Purpose | Country | Transfer mechanism |
|---|---|---|---|
| Supabase | Database, authentication, and backend function hosting | Ireland (AWS eu-west-1, EEA) | UK adequacy regulations for EEA countries |
| Twilio | SMS message delivery and UK phone number provisioning | United States | Twilio's UK GDPR Data Processing Addendum / Standard Contractual Clauses |
| Anthropic | AI reply generation and website content summarisation | United States | Anthropic's API Data Processing Addendum / Standard Contractual Clauses |
| Stripe | Payment processing and subscription management | US / EU (Stripe Payments Europe Ltd) | Standard Contractual Clauses; Stripe is PCI DSS Level 1 certified |
| Cal.com / Calendly | Booking webhook processing and calendar integration | United States | Provider Data Processing Addendum / Standard Contractual Clauses |
| Expo / Apple APNs / Google FCM | Push notification delivery to your device | United States | Provider terms; push notifications contain masked caller phone numbers only |
| Resend | Weekly email digest delivery to your inbox | United States | Resend Data Processing Agreement |
| Google Fonts | Web font delivery on the sign-up and legal pages | United States | Google DPA / Standard Contractual Clauses |
We do not sell your personal data or your callers' personal data to any third party, and we do not use personal data for advertising purposes.
8. Data retention
| Data category | Retention period |
|---|---|
| Business owner account data (name, email, business settings) | Retained for the duration of your subscription, plus 12 months after account closure for accounting and dispute resolution purposes |
| Caller lead records and SMS conversation history | Retained for as long as your account is active. You can delete individual leads at any time from the app. All caller data is permanently deleted when your account is deleted. |
| Billing records | Retained for 7 years as required by UK tax and accounting law |
| Push notification device tokens | Deleted when you delete your account or uninstall the app |
| Operational and security logs | Typically 30–90 days, as determined by the policies of Supabase and Twilio |
When you delete your account via Settings in the app, your data — and all associated caller data — is permanently and immediately deleted from our database, including all SMS conversation history, lead records, and your business profile. This action is not reversible.
9. Your rights
Under UK GDPR, as a MyDeskly subscriber, you have the following rights in relation to your personal data:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Ask us to correct inaccurate or incomplete data.
- Right to erasure: Delete your account in-app (Settings → Delete Account), which permanently removes all your data. You can also contact us to request manual deletion.
- Right to data portability: Request your data in a structured, machine-readable format.
- Right to restrict processing: Ask us to pause processing of your data in certain circumstances.
- Right to object: Object to processing based on legitimate interests.
To exercise any of these rights, email us at support@mydeskly.com. We will respond within one calendar month.
If you are a caller who received an automated SMS via a MyDeskly-powered business and you wish to exercise your data rights, please contact that business directly (as they are the data controller for your data). You can also contact us at support@mydeskly.com and we will direct your request appropriately.
SMS opt-out: If you received an automated SMS and wish to stop further messages from that business, reply STOP to the message. We will immediately add you to the opt-out list for that business and you will receive no further automated messages from them via MyDeskly.
10. Cookies and tracking
Our main website (mydeskly.com) does not use cookies, analytics scripts, tracking pixels, or any other tracking technology. We do not track visitors across sessions or devices.
The sign-up page and these legal pages load web fonts from Google Fonts (fonts.googleapis.com and fonts.gstatic.com). This involves your browser making a direct request to Google's servers, which shares your IP address and browser information with Google. Google's privacy policy governs their use of this data. We are evaluating self-hosting our fonts to eliminate this request entirely.
11. Security
We implement appropriate technical and organisational measures to protect personal data, including:
- All data transmitted over encrypted connections (HTTPS/TLS).
- Database encrypted at rest.
- Row Level Security on all database tables — each business can access only its own data.
- Cryptographic signature verification on all third-party webhooks (SMS provider, booking platforms, payment processor).
- Caller phone numbers masked in push notifications and application logs.
- Rate limiting on all automated messaging and AI functions.
- API secrets and credentials stored in an encrypted secrets store — never embedded in the mobile app.
- Staff access to personal data limited to what is necessary to operate and support the service.
No security measure is infallible. In the event of a personal data breach that is likely to result in risk to individuals, we will notify the ICO within 72 hours and, where required, notify affected individuals without undue delay.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email and by an in-app notice before the changes take effect. The date at the top of this page reflects the most recent update. Continued use of the service after a material update constitutes acceptance of the revised policy.
When we make material changes, we update the consent version number recorded at sign-up and may ask existing users to review and re-accept the updated policy.
13. Complaints
You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at any time:
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would welcome the opportunity to address your concerns before you contact the ICO — please email us first at support@mydeskly.com.
Contact
Email: support@mydeskly.com