Privacy Policy
This Privacy Policy explains how Zatio collects, uses, and protects personal data. Zatio is a trading name currently operated by Miguel Moreno (sole trader, Spain), transitioning to Almor Ventures Ltd upon incorporation. Contact: privacy@zatio.io.
§ 01 Who we are
Zatio provides an AI-powered WhatsApp assistant for businesses (“Operators”) to handle inbound sales enquiries, qualify leads, and manage bookings.
- Data controller for website visitors: Zatio (the operator named above)
- Data processor for WhatsApp end-user conversations: Zatio acts on behalf of each Operator, who is the data controller of their own customers’ data
§ 02 Information we collect
From website visitors
- Contact details you submit via forms (name, email, company, phone)
- Technical data (IP address, browser type, referrer) for security and analytics
- Cookies — see our Cookie Policy
From WhatsApp end users (on behalf of Operators)
When you message a business that uses Zatio via WhatsApp, we process:
- Your phone number and public WhatsApp profile (name, profile photo)
- The content of messages you send and receive
- Metadata (timestamps, delivery and read receipts)
§ 03 How we use your information
Website visitors
- Respond to your enquiries
- Send you requested information about Zatio
- Improve our services and website
- Comply with legal obligations
WhatsApp end users
- Respond to enquiries on behalf of the Operator
- Manage bookings, quotes and follow-ups
- Escalate complex cases to the Operator’s human team
- Generate AI-assisted replies
§ 04 Lawful basis (UK GDPR / EU GDPR)
We process personal data under the following bases:
- Performance of a contract (Art. 6(1)(b)) — to deliver services you or the Operator requested
- Legitimate interests (Art. 6(1)(f)) — to operate and improve our service, provided your rights don’t override ours
- Consent (Art. 6(1)(a)) — for marketing communications, where required
- Legal obligation (Art. 6(1)(c)) — to comply with tax, accounting, and regulatory requirements
§ 05 Sub-processors
We use the following sub-processors to deliver our service:
| Provider | Purpose | Location |
|---|---|---|
| Meta Platforms Ireland Ltd | WhatsApp message transport via WhatsApp Business Platform | EU / US |
| OpenAI, L.L.C. / Anthropic, PBC | AI-generated replies | US (with EU data processing terms) |
| Supabase, Inc. | Database hosting | EU (Frankfurt) |
| Vercel, Inc. | Website and application hosting | EU / US |
| Retool, Inc. | Internal dashboards | US |
| Google (Workspace) | Business email | EU / US |
A current list is available on request at privacy@zatio.io.
§ 06 International transfers
Where data is transferred outside the UK / EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission and the UK International Data Transfer Addendum.
§ 07 Retention
- Website enquiry data: 24 months from last contact
- WhatsApp conversation data: 24 months, or until termination of the Operator’s service with Zatio — whichever is sooner
- Accounting records: as required by UK / Spanish tax law (typically 6 years)
§ 08 Your rights
Under UK GDPR and EU GDPR, you have the right to:
- Access the personal data we hold about you
- Request rectification of inaccurate data
- Request erasure (“right to be forgotten”)
- Object to processing
- Request data portability
- Withdraw consent at any time
- Lodge a complaint with a supervisory authority (ICO in the UK, AEPD in Spain)
To exercise any of these rights, email privacy@zatio.io. We will respond within 30 days.
For WhatsApp conversations, you can also contact the Operator directly — they act as data controller for that data.
§ 09 AI transparency
Zatio uses Large Language Models (OpenAI, Anthropic) to generate automated replies on WhatsApp. In line with the EU AI Act (Art. 50) and UK AI governance expectations:
- End users are clearly informed when they are interacting with an AI
- Sensitive or complex cases are escalated to human operators
- Messages are processed by AI providers under data processing agreements that prohibit training on our data
§ 10 Security
We use industry-standard security measures including TLS encryption in transit, encryption at rest, role-based access controls, and regular security reviews. See our Security Page for details.
§ 11 Changes to this policy
We may update this policy from time to time. The “Last updated” date at the top reflects the latest version. Material changes will be communicated via the website.
§ 12 Contact
Privacy questions: privacy@zatio.io
General enquiries: hello@zatio.io
Legal entity under incorporation — this policy will be updated to reflect Almor Ventures Ltd once the company is registered.
Questions?
Email us at privacy@zatio.io. We aim to respond within 48 hours.