Privacy Policy

Version 1.0 · Last updated 31 May 2026

This policy explains how OVER THE EEM SERVICES LTD (company number 17225231), trading as Vcents(“we”, “us”), collects, uses, shares and protects personal data when you use the Vcents WhatsApp service or visit our website.

We are the data controllerfor the data described below, except where this policy says otherwise. We are registered with the UK Information Commissioner's Office (ICO) under registration [ICO_REGISTRATION_NUMBER].

1. Contents

2. Who we are and how to contact us

Vcents is operated by OVER THE EEM SERVICES LTD, a private limited company registered in England and Wales. Our registered office is at 58 Southstand Apartments, Highbury Stadium Square, London, England, N5 1EY.

For any privacy-related question, request, or complaint, write to privacy@vcents.app. We aim to respond to all substantive requests within one month, in line with the UK GDPR.

3. Scope and our roles

This policy covers personal data we process when:

  • a business signs up to use Vcents and chats with our WhatsApp bot;
  • that business's customers receive a Vcents payment link, authorise a payment, or receive a receipt; and
  • anyone visits a Vcents website or receipt URL.

We act in different roles depending on the data in question:

  • Controller— for business-user account data (the merchant's business name, WhatsApp number, login credentials), our internal logs of WhatsApp messages exchanged with the bot, AI prompts and outputs, and receipt metadata.
  • Processor on the merchant's behalf— for the contact details and payment references that a merchant enters about their own customers. The merchant is the controller of that data; we process it under their instructions to deliver payment requests and receipts.
  • Not the controller— for personal data that flows through the authorised Payment Initiation Service Providers (PISPs) we integrate with (TrueLayer Limited and Yapily Connect Limited) when a customer authorises a payment in their bank app. Those PISPs are independently regulated and have their own privacy notices, which we encourage you to read. Vcents itself is a pass-through technology provider and sits outside the FCA perimeter.

4. Data we collect

We collect the categories below. We've grouped them by the person they relate to.

4.1 Business users (the merchant using Vcents)

  • Business name, WhatsApp phone number, WhatsApp display name.
  • Authentication data: a hashed personal identification number (PIN) used to authorise high-value payouts. We never store the raw PIN.
  • Bank details used to receive payments: sort code, account number, account holder name. These are stored in our database to populate payment requests.
  • Optional default payment provider preferences.

4.2 Customers of business users (the payer)

  • Name and phone number, as entered by the merchant.
  • Payment metadata: invoice reference, amount, currency, status (pending, paid, failed), timestamps.

4.3 Conversation data

  • The full text of WhatsApp messages exchanged between the merchant and our bot, inbound and outbound, including any media (images, voice notes) the merchant sends.
  • For voice notes: a text transcription generated by our speech-to-text provider.
  • The prompts we send to our AI provider and the responses we receive back.

4.4 Technical data

  • IP address, browser type, device type, approximate location (city-level) for visitors to vcents.vercel.app and to receipt URLs.
  • Log data: timestamps, status codes, request/response sizes — the standard server-log shape held by our hosting provider.

4.5 Sensitive data

We do notdeliberately collect special category data under Article 9 UK GDPR (such as health data, biometric data, or data on political views). If such data appears in a WhatsApp message you send us, we'll handle it under the same security controls as the rest of your conversation history; please avoid sharing it.

5. Why we use it and our lawful basis

Under UK GDPR Article 6 we must identify a lawful basis for each purpose. The table below sets this out.

PurposeLawful basis
Provide the Vcents service to the merchant: create payment requests, send links, relay status updates, generate receipts.Performance of a contract (Art. 6(1)(b))
Send a payment link or receipt to the merchant's customer via WhatsApp.Legitimate interests of the merchant in collecting payment from their own customer (Art. 6(1)(f)), processed by us on the merchant's behalf.
Use an AI model (Anthropic Claude) to interpret merchant messages and draft replies.Performance of a contract (Art. 6(1)(b)) and our legitimate interest in providing a natural-language interface (Art. 6(1)(f)).
Detect, investigate and prevent fraud, abuse, or misuse of the service.Legitimate interest in operating a safe service (Art. 6(1)(f)); compliance with a legal obligation where applicable (Art. 6(1)(c)).
Comply with our record-keeping obligations under the Payment Services Regulations 2017 and Money Laundering Regulations 2017.Legal obligation (Art. 6(1)(c)).
Send transactional notifications and respond to support requests.Performance of a contract (Art. 6(1)(b)).
Send marketing about Vcents (if and when we do so).Your consent (Art. 6(1)(a)) and PECR Regulation 22. You can withdraw consent at any time.
Maintain and improve the service; debugging; aggregated analytics.Legitimate interest (Art. 6(1)(f)).

6. Where the data comes from

  • Directly from the merchant— when they message the bot, complete setup, or save customer details.
  • From the merchant about their customer— the merchant types in their customer's name and phone number. Under UK GDPR Article 14, the merchant must have a lawful basis to share this and must have informed their customer.
  • From the regulated PISP— TrueLayer or Yapily send us webhook events about payment status (e.g. completed, failed) so we can update our records and fire the receipt.
  • From Meta (WhatsApp Cloud API)— inbound message events, delivery confirmations, the sender's WhatsApp number.

7. Who we share it with

We share data only with the third parties listed below, each acting either as our processor or as an independent controller. We don't sell personal data.

RecipientPurposeRole
Meta Platforms Ireland Ltd (WhatsApp Cloud API)Send and receive WhatsApp messages.Processor (for transactional messages) — see Meta's WhatsApp Business Data Processing Terms.
TrueLayer Limited (FCA FRN 793171)Open Banking payment initiation when the merchant uses TrueLayer.Independent controller for the regulated payment data.
Yapily Connect Limited (FCA FRN 827001)Open Banking payment initiation when the merchant uses Yapily.Independent controller for the regulated payment data.
Anthropic, PBCNatural-language understanding of merchant messages via the Claude API.Processor.
OpenAI, L.L.C.Speech-to-text transcription of merchant voice notes (Whisper).Processor.
Supabase Inc. (Postgres database)Storage of merchant accounts, customer records, message logs, payment metadata.Processor.
Vercel Inc.Hosting of our website, application backend, and receipt-image endpoint.Processor.

We will also disclose personal data where we are legally required to (e.g. a court order), or where necessary to investigate suspected fraud, abuse, or threats to the safety of any person.

8. International transfers

Some of our processors are based outside the UK. Where personal data is transferred internationally, we rely on the following safeguards under the UK GDPR:

  • Anthropic (United States)— UK International Data Transfer Agreement (IDTA) and the EU Standard Contractual Clauses with the UK Addendum.
  • OpenAI (United States) — same as above.
  • Meta Platforms Ireland— UK adequacy decision for the EU/EEA; onward transfers to Meta's US affiliates rely on the EU–US Data Privacy Framework and SCCs with the UK Addendum.
  • Supabase— we use a region within the EU/EEA where supported, and rely on UK adequacy for that transfer. Onward US transfers (where unavoidable) are covered by the UK IDTA.
  • Vercel— we deploy our application primarily to EU regions; any US transfer is covered by the EU–US DPF and UK IDTA.

You can request a copy of the safeguards in place for any specific transfer by writing to privacy@vcents.app.

9. How long we keep it

DataRetention
Merchant account dataFor the life of the account, plus 6 years after closure (PSRs 2017 / MLR 2017 record-keeping).
Payment metadata (invoice/payout records, status history)6 years from the date of the transaction.
WhatsApp message logs (inbound and outbound)24 months, then deleted or anonymised.
AI prompts and outputs stored by us24 months, in line with message logs.
Voice-note audio (after transcription)Deleted from our systems immediately after transcription; the transcript is kept under the message-log retention above.
Receipt images / receipt URLsWhile the underlying payment is retained (6 years).
Marketing dataUntil you withdraw consent, then deleted within 30 days.
Web server / access logs30 days.

10. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erasepersonal data in certain circumstances (the “right to be forgotten”).
  • Restrict our processing in certain circumstances.
  • Object to processing based on legitimate interests.
  • Data portability— receive a copy of your data in a portable format.
  • Withdraw consent at any time, where we rely on consent.
  • Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects (see Section 11 below).

To exercise any of these, email privacy@vcents.app. We may need to verify your identity before responding. We will respond within one month; for complex or numerous requests we may extend this by up to two further months and will tell you if so.

11. AI and automated decision-making

The Vcents bot uses a large language model (Anthropic's Claude) to interpret what the merchant says in WhatsApp and to draft replies or fill in payment forms. Specifically:

  • Inbound messages from the merchant are sent to Claude along with a short system prompt that defines the bot's tools.
  • Claude returns either a text reply or a structured call to one of our internal tools (e.g. request_payment, get_invoice_status).
  • For any payment-related action, the merchant must explicitly confirm via a button tap before money moves. No payment is initiated solely by the AI without a human decision in the loop.

Accordingly, we do not believe Article 22 UK GDPR (decisions based solely on automated processing producing legal or similarly significant effects) applies to our processing. If you disagree or want to discuss how we use AI on your data, write to privacy@vcents.app.

Anthropic does not use API inputs or outputs to train its models by default; the same applies to OpenAI for voice-note transcription. We have configured both services to that effect.

12. Messaging via WhatsApp

Vcents messages are delivered through the WhatsApp Cloud API operated by Meta Platforms Ireland Ltd. WhatsApp messages between you and the bot are encrypted in transit between your device and WhatsApp's service. Meta processes message content as our processor under its WhatsApp Business Data Processing Terms.

After receipt, we store inbound and outbound message content in our own database as set out above. Please bear that in mind before sending sensitive information you would not normally type into a chat.

13. Cookies and similar technologies

Our public website and receipt pages use only strictly-necessary cookies for routing and security. We do not currently use analytics, advertising, or tracking cookies. If that changes we will update this policy and, where required by PECR, display a consent banner before any non-essential cookie is set.

14. Marketing

We do not currently send marketing messages. If we begin to, we will only do so where we have your prior opt-in consent under PECR Regulation 22, and you will be able to unsubscribe at any time without giving a reason.

15. Children

Vcents is a service for UK businesses and is not directed at children. We do not knowingly collect personal data from anyone under the age of 18. If you believe a child has provided us with personal data, please contact us and we will delete it.

16. Security

We take appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure or destruction. These include: encryption of data in transit (TLS) and at rest, access controls and least-privilege permissions on our database, hashing of merchant PINs with bcrypt, idempotent webhook handling to prevent duplicate processing, and audit logging. No system is 100% secure; we cannot guarantee absolute security but we work to a level reasonable for a service of this kind.

17. Changes to this policy

We may update this policy from time to time. The version number and last-updated date at the top will change with each material revision. Where the change is material we will notify active merchants via WhatsApp at least 14 days before it takes effect.

18. Complaints and the Information Commissioner's Office

If you're unhappy with how we have handled your personal data, please write to us first at privacy@vcents.appso we can try to put it right. You also have the right to complain to the UK Information Commissioner's Office:

  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
  • Helpline: 0303 123 1113
  • Website: ico.org.uk

OVER THE EEM SERVICES LTD · Company number 17225231 · Registered office: 58 Southstand Apartments, Highbury Stadium Square, London, England, N5 1EY · ICO registration: [ICO_REGISTRATION_NUMBER]