Legal

Privacy Policy

Last updated: 9 May 2026

Who we are
Data we collect
How we use your data
Our legal bases
Third parties we share data with
Your callers' data (important)
How long we keep data
Your rights
International transfers
Cookies and tracking
Changes to this policy
Contact us

1. Who we are

Poppy is operated by Hey Poppy Ltd ("we", "us", "our"), a private limited company registered in England and Wales under company number 17218518. Founder, sole director, and Data Controller: Paul Rose. We're registered with the UK Information Commissioner's Office (ICO) as a data controller under the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR).

Registered office: Hey Poppy Ltd, 66 Paul Street, London, EC2A 4NA, United Kingdom.
Contact: hello@heypoppy.co.uk

2. Data we collect

From you (our customer)

Account details: email address, business name, owner name, mobile number, business address (where required for telecoms regulation)
Service configuration: services you offer, service areas, opening hours, FAQs, custom greetings, transfer preferences
VIP List (Pro tier): phone numbers, names and handling notes for contacts you upload to your priority caller list. You are the data controller for this data; we're the processor. Retained 30 days after subscription cancellation, then permanently deleted.
Payment information: handled by Stripe (we do not store card details)
Communications: any messages you send us via email or in-app
Usage data: pages you visit in your dashboard, features you use, error logs

From your callers

Phone number (the number that called your business)
Audio recording and transcript of the call
Any details the caller provides during the conversation (name, address, nature of the enquiry)
Call metadata: time, duration, outcome

3. How we use your data

Provide the service: answer your business calls, deliver call summaries to your inbox/SMS, show calls in your dashboard.
Account management: billing, support, sending you product updates that affect your service.
Improve the service: we may review aggregated, anonymised call data to improve Poppy's ability to handle UK trade enquiries. We will never use individual recordings to train third-party AI models without your explicit consent.
Legal obligations: tax records, fraud prevention, responding to lawful information requests.

4. Our legal bases

Under UK GDPR we rely on the following legal bases:

Contract: processing your data is necessary to deliver Poppy to you.
Legitimate interests: running our business, securing our systems, improving the product (balanced against your privacy).
Legal obligation: tax, accounting, fraud and AML checks.
Consent: for any optional marketing emails (you can withdraw at any time).

5. Third parties we share data with

To run Poppy we use a small set of trusted vendors. Each is bound by a Data Processing Agreement that meets UK GDPR standards.

Stripe (payment processing) — Ireland / United States
Vapi (voice AI orchestration) — United States
Twilio (telephony, SMS) — United States
Supabase (database, authentication) — data hosted in EU region
Vercel (web hosting) — United States with EU edge
Resend (transactional email) — United States
OpenAI / Anthropic / equivalent (large language models that power conversation) — United States. Recordings and transcripts are sent to these providers only to handle the live call. Providers we use have committed via API to not use this data to train their models.
Calendly / Google Calendar (booking integration, Pro tier only) — if you connect your calendar, the bookings Poppy creates are sent there.

We never sell your data, and we never share it with advertisers.

6. Your callers' data (important)

When someone rings your business and Poppy answers, we record and transcribe that call. You are the data controller for that caller's data — we're the data processor. That means:

You should disclose to your callers, where reasonable, that calls may be recorded for quality and record-keeping. Poppy's default greeting includes an AI disclosure ("Just so you know, I'm an AI receptionist") which you can edit but we recommend keeping.
If a caller asks for a copy of their recording, transcript, or for it to be deleted, you must comply within one calendar month under UK GDPR. Tell us at hello@heypoppy.co.uk and we'll help you action it.
You must have a lawful basis (usually legitimate interests) for using Poppy to answer customer calls. For most UK service businesses this is straightforward.

7. How long we keep data

Call recordings & transcripts: 12 months from the date of the call, then permanently deleted, unless you ask us to delete sooner or retain longer.
Account data: for as long as you have an active subscription, plus 6 years afterwards (HMRC tax requirement).
Marketing email subscriptions: until you unsubscribe.
Web analytics: aggregated only, retained 26 months.

8. Your rights

Under UK GDPR you have the right to:

Access the personal data we hold about you
Correct inaccurate data
Delete your data (the "right to be forgotten"), subject to legal exceptions like tax retention
Restrict or object to certain processing
Receive your data in a portable format
Withdraw consent for any processing based on consent
Lodge a complaint with the Information Commissioner's Office (ICO)

To exercise any of these rights, email hello@heypoppy.co.uk. We'll respond within 30 days, usually faster.

9. International transfers

Some of our vendors are based in the United States. Where data leaves the UK, we rely on the UK's adequacy decision (where one exists), Standard Contractual Clauses, or the EU–US Data Privacy Framework as the legal mechanism for that transfer. We pick vendors that take this seriously and won't use any vendor that doesn't.

10. Cookies and tracking

Our marketing site (heypoppy.co.uk) uses minimal cookies: a session cookie for if you sign in, and basic analytics to count page views (no personal profiling). We do not use advertising trackers, retargeting pixels, or cross-site tracking. Our app (app.heypoppy.co.uk) uses session cookies to keep you logged in; that's it.

11. Changes to this policy

If we change this policy materially, we'll email all active customers at least 14 days before the change takes effect. Minor wording fixes won't trigger an email but will be reflected in the "Last updated" date at the top of this page.

12. Contact us

Any questions, concerns, or requests, email hello@heypoppy.co.uk. I read every email myself.

— Paul Rose, Founder and Director, Hey Poppy Ltd