AskWhiz (“we”, “our”, “us”) is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and safeguard information about you when you use our service.
Information We Collect
We collect the following categories of personal data:
- Account information — your name and email address, collected via Clerk during sign-up and authentication.
- Phone number — collected via Twilio Verify when you verify your phone for WhatsApp bot access.
- Payment information — processed by Stripe. AskWhiz does not store payment card details directly.
- Usage data — anonymous analytics data collected via Google Analytics 4 only when you grant analytics consent.
- WhatsApp messages — messages sent to and received from your subscribed bots, processed by our AI systems to generate responses.
Lawful Basis for Processing
Under Article 6 of the GDPR, every processing operation must rest on a lawful basis. The list below labels each AskWhiz processing purpose with its specific basis:
- Account creation — performance of a contract (Art 6(1)(b))
- Subscription billing — performance of a contract (Art 6(1)(b))
- WhatsApp message delivery — performance of a contract (Art 6(1)(b))
- Phone verification — performance of a contract and compliance with a legal obligation (Art 6(1)(b) and 6(1)(c))
- Analytics — consent (Art 6(1)(a)); you may withdraw consent at any time via the cookie banner
- Marketing emails — consent (Art 6(1)(a)); opt-out via the unsubscribe link in every email
- Audit log retention — legitimate interest (Art 6(1)(f)) in preserving the integrity of administrator-initiated communications for compliance, support, and dispute resolution
International Transfers
AskWhiz transfers personal data to processors located in the United States, including Clerk, Stripe, Resend, Meta (WhatsApp), Midbrain, Twilio, and Google Analytics. These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, executed with each processor in accordance with Articles 44–49 of the GDPR.
Age
AskWhiz is intended for users aged 16 and over. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact privacy@askwhiz.io and we will delete it promptly.
Data Protection Officer
We have not appointed a Data Protection Officer. Privacy inquiries are handled by our data controller — please contact privacy@askwhiz.io for any data-protection matter.
California Residents (CCPA / CPRA)
AskWhiz does not sell or share personal information for cross-context behavioural advertising as defined by the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). California residents have the same access, correction, and deletion rights enumerated in the “Your Rights (GDPR)” section. To exercise these rights, contact privacy@askwhiz.io.
Security
We protect your data with the following technical and organisational measures:
- HTTPS / TLS 1.2+ encrypts all data in transit
- Stripe (PCI-DSS Level 1 compliant) processes payment data — AskWhiz never sees your card details
- Clerk (SOC 2 Type 2 certified) handles authentication and password storage
- Application data is stored in PostgreSQL with encryption at rest
- We notify supervisory authorities and affected users within 72 hours of becoming aware of a personal-data breach, in line with GDPR Art 33
How We Use Your Information
- To create and manage your account
- To process subscription payments
- To deliver WhatsApp bot services you have subscribed to
- To verify your phone number and identity
- To generate AI-powered responses through our WhatsApp bots
- To improve and understand usage of our platform (with consent)
- To comply with legal obligations
Data Sharing
We do not sell your personal data. We share data only with the third-party services necessary to deliver AskWhiz:
- Clerk — authentication and user management
- Stripe — subscription billing and payment processing
- Twilio — SMS phone verification
- Meta (WhatsApp) — WhatsApp Cloud API for bot message delivery
- Midbrain — LLM-based message processing and knowledge retrieval
- Resend — transactional email delivery (account, billing, and migration notifications)
- Google Analytics 4 via Google Tag Manager — anonymous usage analytics (consent required)
Each of these providers operates under its own privacy policy and is subject to applicable data protection laws.
Your Rights (GDPR)
If you are based in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate or incomplete data
- Right to erasure — request deletion of your personal data (“right to be forgotten”)
- Right to restriction — object to or restrict certain processing of your data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to withdraw consent — withdraw consent at any time where processing is consent-based (e.g., analytics)
To exercise any of these rights, contact us at privacy@askwhiz.io. We will respond within 30 days.
Data Retention
We retain your personal data for as long as your account is active or as needed to provide services. When you close your account, we delete or anonymise your personal data within 90 days, unless we are required by law to retain it for longer.
WhatsApp message logs are retained for operational and debugging purposes for as long as your account is active. Logs are deleted when your account is closed.
Administrative audit trail. When an AskWhiz administrator sends a WhatsApp template message to you from the admin panel (for example, to reply to a support request outside the standard 24-hour session window), we retain a record of that send — including the template variables supplied (which may contain your name, order or error reference, and any diagnostic notes) — in an internal admin_template_sends audit log. This record exists to reconstruct the exact content of administrator-initiated communications for compliance, support, and dispute-resolution purposes. Access is restricted to AskWhiz administrators. The audit record is kept separately from your conversation history and is preserved even if your account is subsequently deleted, to maintain the integrity of the audit trail. You may request access to, or raise concerns about, these records via the contact details below.
Mentra Glasses (audio + photo data flow)
AskWhiz integrates with Mentra Live smart glasses. The audio and photo data flow differs depending on the mode you choose in Settings → Glasses.
Button-default mode (default)
When the AskWhiz Mentra app is active and the mic is not subscribed (the default), no audio is sent to Mentra Cloud or to AskWhiz. Audio is sent only during the 8-second window after you press the camera button. The transcript is sent to AskWhiz for processing the command, then discarded after 30 minutes (rolling conversation context window).
Hands-busy mode (opt-in)
If you opt into Hands-busy mode in settings, audio is continuously sent to Mentra Cloud for transcription while AskWhiz is the active app on your glasses. AskWhiz only receives and processes transcripts beginning with ‘Hey AskWhiz’. Transcripts that do not begin with the wake phrase are discarded by AskWhiz and never logged or stored.
Photo capture
Photos taken from the glasses (triggered when you say words like ‘this’, ‘that’, ‘look at’) are uploaded directly to AskWhiz servers via Mentra Cloud. Photos are retained for 30 days then automatically deleted (S3 lifecycle policy).
Third-party processors
Mentra Inc. processes raw audio and photo bytes on its infrastructure before forwarding to AskWhiz. See Mentra’s privacy policy at mentra.glass/privacy.
Contact Us
For privacy-related inquiries, to exercise your rights, or to raise a concern, contact our data controller at:
Email: privacy@askwhiz.io
If you are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority.