CostCare AI

Legal entity: CostCare AI Limited • Address: 2301, 23/F BAYFIELD BLDG 99
HENNESSY RD WAN CHAI
HONG KONG

Contact: support@costcare.ai • Privacy: privacy@costcare.ai

Last updated: January 9, 2026

This Privacy Policy explains how CostCare AI Limited (“CostCare”, “we”, “us”) collects, uses, shares, and protects information when you use CostCare AI (the “Service”).

This Service is designed for business users. If you are an end-customer contacting one of our business customers, your messages/calls are handled by that customer and processed by us on their behalf.

1. Scope

This Policy applies to information processed through:

Our web app and admin interface
Connected channels and integrations (including Instagram, WhatsApp Business Platform, and voice calling)
Support and sales communications with us

2. Roles: Controller vs Processor

Depending on the data, we act as:

Controller for account and business contact information we need to run our company and provide the Service (e.g., admin users, billing, security logs).
Processor for “Customer Content” (messages, call recordings, transcripts, CRM records) that our business customers upload to the Service or receive via integrations. In these cases, the business customer is the Controller.

We can provide a Data Processing Addendum (“DPA”) on request (and we publish a template at /dpa).

3. Information We Process

3.1 Account & business information (Controller)

Admin/user profile data (name, email, phone, role)
Authentication data (hashed credentials, SSO identifiers)
Billing and subscription data (plan, invoices, payment status). We do not intentionally store full payment card details; payments may be handled by third-party payment processors.
Security, audit, and usage logs (IP address, timestamps, device/browser info)

3.2 Customer Content (Processor)

Messages and related metadata from connected channels (e.g., Instagram DMs, WhatsApp messages), including attachments where provided
CRM records and notes entered by customer users
Voice call recordings and/or transcripts (when enabled by the customer)
Contact details of end-customers (e.g., phone numbers, usernames) as provided by integrations or customer input

3.3 Integration credentials

To keep integrations working, we store access tokens/credentials (e.g., Meta/WhatsApp/Instagram). We store tokens in our database today and plan to migrate to a dedicated secrets manager (e.g., Vault). Tokens are restricted and protected with access controls.

4. How We Use Information

We use information to:

Provide and operate the Service (route messages, show conversations, sync CRM data)
Enable AI-assisted messaging and automation (e.g., suggested replies, automated replies when customer enables it)
Support customers and troubleshoot issues
Secure the Service (fraud prevention, abuse monitoring, audits)
Comply with legal obligations

5. AI Processing

The Service uses AI to generate suggested or automated responses. AI outputs may be inaccurate or incomplete and should be reviewed when appropriate. Customers control configuration and are responsible for how the Service is used with their end-customers.

Training: We do not train our proprietary models on Customer Content unless a customer explicitly opts in (e.g., a separate agreement or setting).

6. Legal Bases (GDPR/EEA/UK where applicable)

When GDPR applies, we rely on the following legal bases (as Controller):

Contract — to provide the Service to our customers
Legitimate interests — security, service improvement, and support (balanced with user rights)
Consent — where required (e.g., certain cookies/analytics)
Legal obligation — compliance and lawful requests

For Customer Content (Processor), the customer determines the legal basis and provides instructions.

7. Sharing & Subprocessors

We share data only as needed to provide the Service:

AI providers for language/voice capabilities (e.g., OpenAI, Anthropic, Google/Gemini, ElevenLabs or similar)
Telephony/voice (e.g., Twilio; LiveKit)
Infrastructure (cloud hosting such as AWS and/or DigitalOcean)
Database (e.g., MongoDB Atlas)
Messaging platforms (Meta platforms including Instagram and WhatsApp Business Platform)

We may update subprocessors over time. We will maintain an up-to-date list upon request via privacy@costcare.ai.

8. International Transfers

We currently host primary infrastructure in the European Union (Frankfurt, Germany). Our team and subprocessors may access or process data from other countries (including Ukraine). Where required, we use appropriate safeguards for international transfers (such as standard contractual clauses or equivalent mechanisms).

9. Data Retention

Voice recordings/transcripts: by default, retained up to 6 months (unless the customer configures a different retention period or requests deletion sooner).
Customer Content: retained while the customer account is active and as configured by the customer. After account termination, we delete or anonymize Customer Content within a reasonable period, typically within 90 days, unless legally required to retain it longer.
Account and billing records: retained as required for accounting, security, and legal compliance.

10. Security

We use reasonable technical and organizational measures designed to protect data, including encryption in transit (TLS), access controls, and logging. No system is 100% secure; customers are responsible for maintaining the confidentiality of their credentials and enabling security features available in the Service.

11. Cookies & Analytics

We use essential cookies required to operate the Service (e.g., authentication). We do not currently use advertising cookies. If we add product analytics or session replay tools (for example, Hotjar), we will update this Policy and, where required, request consent.

12. Your Rights

Depending on your location, you may have rights to access, correct, delete, or export your personal data, and to object or restrict certain processing. To exercise rights related to account data, contact privacy@costcare.ai.

For rights related to Customer Content (end-customer messages/calls), please contact the business you interacted with (our customer). We will assist our customer as required under the DPA.

13. Children

The Service is not intended for children under 16 and should not be used to knowingly collect data from children.

14. Changes

We may update this Policy from time to time. We will post the updated version on this page and revise the “Last updated” date.

15. Contact

Privacy questions: privacy@costcare.ai • Support: support@costcare.ai