This Privacy Policy explains how Assistaffer collects, uses, stores, and protects information about you when you use our AI-powered appointment scheduling platform. By using Assistaffer, you agree to the practices described in this policy.
1. Who We Are
Assistaffer is a multitenant appointment scheduling platform for service-based organizations. We provide tools that allow businesses — such as medical clinics, hair salons, restaurants, and wellness centers — to manage resources, staff access, and customer appointments through a web dashboard and a WhatsApp-based AI agent.
References to "Assistaffer", "we", "us", or "our" in this policy refer to the operator of the Assistaffer platform. References to "you" refer to any person who creates an account, belongs to an organization on the platform, or interacts with an Assistaffer-powered AI agent through a messaging channel such as WhatsApp.
2. Information We Collect
2.1 Account Information
When you register for an Assistaffer account, we collect:
- Your email address
- Your full name (optional during registration)
- Your chosen password (stored as a secure hash — never in plain text)
- Your preferred interface language
2.2 Organization Data
When you create or manage an organization, we collect and store the configuration you provide, including:
- Organization name, slug, and time zone
- WhatsApp Business Phone Number ID and Meta access token (for messaging integration)
- AI model configuration (LLM endpoint URL, model identifier, API key, and system prompt)
- A contact phone number for message forwarding when no AI agent is configured
- Member roles and invitations
API keys and access tokens are stored encrypted and are never exposed to other users or returned in API responses.
2.3 Customer Data
When customers interact with your organization — either through WhatsApp or via manual entry in the dashboard — we collect and store on your behalf:
- Customer name (optional)
- Customer phone number in international E.164 format (e.g., +15550101010)
- Customer email address (optional)
- Notes associated with the customer
Customer data belongs to the organization that collected it and is scoped exclusively to that organization.
2.4 Appointment Data
We store appointment records that link a customer to a specific resource and time slot, including start time, end time, booking source (messaging or dashboard), and status (scheduled or cancelled).
2.5 Conversational Data (Chat Sessions)
When a customer sends messages through WhatsApp and the organization has an AI agent configured, we store the conversation history as individual message records. Each message record includes the message type (customer, AI, or tool), message content, and token usage metadata. This conversation data is used to maintain booking context across multiple messages within a single booking interaction.
2.6 Usage and Technical Data
We may collect standard server-side logs when you use the platform, which may include your IP address, browser type, device type, and the pages or API endpoints you access. This information is used for security monitoring, abuse prevention, and service reliability.
2.7 Local Storage
The Assistaffer web application stores your preferred interface language in your browser's localStorage under the key i18nextLng. This data remains on your device and is not transmitted to our servers independently of other requests.
3. How We Use Your Information
We use the information we collect to:
- Provide the service — authenticate users, manage organizations, assign appointments, and deliver the AI booking agent experience.
- Process booking conversations — forward customer WhatsApp messages to the AI agent or to the organization's configured contact phone.
- Send appointment reminders — deliver scheduled WhatsApp reminder messages to customers at the organization's configured offset before each appointment.
- Improve reliability and security — monitor system health, detect abuse, and investigate technical incidents.
- Communicate with you — send transactional emails related to your account, such as email confirmation and password reset messages.
We do not use your data for advertising, and we do not sell personal data to third parties.
4. Third-Party Services
4.1 Supabase (Database and Authentication)
Assistaffer uses Supabase to store all application data and to manage user authentication. Data stored in Supabase is subject to Supabase's security controls, including row-level security policies that enforce tenant isolation.
4.2 Meta / WhatsApp Business API
Assistaffer integrates with the Meta WhatsApp Business API to receive and send messages on behalf of your organization. When a customer sends a WhatsApp message to a number connected to Assistaffer, Meta delivers the message to our platform via a webhook. Your organization's Meta access token is used solely to send messages and is stored encrypted. Interaction with WhatsApp is subject to Meta's Privacy Policy.
4.3 AI / LLM Providers
Each organization may configure its own external AI language model (LLM) endpoint. When a customer message triggers the AI agent, the conversation history and relevant booking context are sent to that endpoint to generate a response. The LLM provider is determined by the organization's configuration; Assistaffer does not dictate which provider is used. Organizations are responsible for reviewing the privacy practices of their chosen LLM provider.
4.4 Hosting Infrastructure
The Assistaffer platform is hosted on cloud infrastructure that may include Microsoft Azure and other reputable cloud providers. Infrastructure providers process data solely to operate and maintain the service and are bound by data processing agreements.
5. Data Retention
We retain your personal data for as long as your account remains active or as needed to provide the service. Specifically:
- Account data is retained until you delete your account.
- Organization data (including customer records, appointments, and chat sessions) is retained until the organization is deleted by its owner.
- Server logs are retained for a limited period for security and diagnostic purposes.
When an organization or account is deleted, associated personal data is removed from our active systems. Some data may be retained in encrypted backups for a limited additional period before being permanently deleted.
6. Data Security
We apply industry-standard security measures to protect your data:
- All data transmitted between your browser and our servers is encrypted using TLS.
- Passwords are stored as secure hashes and are never recoverable in plain text.
- Sensitive credentials (API keys, access tokens) are stored encrypted and are never returned to the client in API responses.
- Database access is governed by row-level security policies that ensure each organization's data is accessible only to its authenticated members.
- All public-facing functions require authentication before accessing any user or organization data.
Despite these measures, no system is completely secure. If you believe your account has been compromised, please contact us immediately.
7. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access — Request a copy of the personal data we hold about you.
- Correction — Request correction of inaccurate or incomplete personal data.
- Deletion — Request deletion of your personal data, subject to our retention obligations.
- Portability — Request a machine-readable export of your personal data.
- Objection — Object to certain types of processing, including processing based on legitimate interests.
- Restriction — Request that we restrict processing of your data in certain circumstances.
To exercise any of these rights, please contact us using the information in Section 10 below. We will respond within the timeframe required by applicable law.
If you are located in the European Economic Area (EEA), you also have the right to lodge a complaint with your local data protection authority.
8. Cookies and Local Storage
Assistaffer does not use advertising or tracking cookies. The platform uses browser localStorage solely to persist your selected interface language across sessions. No third-party tracking scripts are loaded on the Assistaffer dashboard or public pages.
Authentication sessions are managed by Supabase and may use secure, HTTP-only cookies or session tokens stored in memory. These are strictly necessary for the operation of the service.
9. Children's Privacy
Assistaffer is designed for business use and is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data without appropriate consent, please contact us and we will take steps to remove that information.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically. Continued use of the platform after changes are posted constitutes your acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data rights, or need to report a privacy concern, please contact us:
Assistaffer
Email: privacy@assistaffer.com
We aim to respond to all privacy-related enquiries within 30 days.