Privacy Policy

1. Who we are

CodeE Office is a trading name of CODEE OFFICE LTD, a company registered in England and Wales. Company number 17135187. Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ.

In this policy, “we,” “us,” and “our” refer to CODEE OFFICE LTD. CODEE OFFICE LTD is the data controller for any personal data collected through our website and services.

Our website address is https://codeeoffice.com. For any privacy-related enquiries, contact us at [email protected].

2. What data we collect

We collect the following types of personal data:

Information you provide directly: When you request a call, submit a contact form, or sign up for a service, we collect your name, email address, phone number, business name, and any other information you choose to provide.

Payment information: Payments are processed by Stripe. We do not store your credit or debit card details on our servers. Stripe handles all payment data in accordance with PCI-DSS standards. See Stripe’s privacy policy at https://stripe.com/privacy.

Service-related data: If you use our products, we may collect data necessary to deliver the service, including calendar availability, WhatsApp group message content (for Interceptor clients only), call recordings and transcripts (for AI Calls clients), and business information needed to configure your AI receptionist or local SEO service.

3. WhatsApp Interceptor — data processing and privacy safeguards

This section applies specifically to clients using our WhatsApp Interceptor Service. Given the nature of WhatsApp Web integration, we want to be fully transparent about how data is handled.

3.1 How Interceptor connects to WhatsApp. The Interceptor Service operates via WhatsApp Web, the same interface you use when accessing WhatsApp from a desktop browser. You authenticate the connection by scanning a QR code with your phone. This grants our system the same access to your WhatsApp messages that WhatsApp Web would have — including group chats, private messages, and media.

3.2 Hard technical privacy boundary. Although the WhatsApp Web connection receives all messages, our system enforces a hard technical filter at the point of arrival. Every incoming message is checked before any processing, logging, or storage occurs. Only messages originating from group chats are processed. Private messages, personal conversations, photos, videos, voice notes, and any other non-group content are immediately and permanently discarded. They are not read, not processed, not logged, not stored, and not sent to any AI model or third party. This is enforced at the code level, not by policy. Private messages physically cannot enter our processing pipeline.

3.3 What happens to group messages. Group messages that pass the privacy filter are processed as follows: the message text is sent to an AI model to determine whether it is a job posting. If the message is not a job posting (general chat, greetings, disputes, off-topic), it is immediately discarded. If the message is identified as a job posting, the relevant job details are extracted (pickup location, destination, date, time, vehicle class, price) and compared against your calendar, location, and preferences. Only the structured job data is retained — the original raw message text is discarded after processing. Retained job data is stored in your Google Calendar entry if the job is claimed.

3.4 Third-party messages in groups. WhatsApp groups contain messages from other people — operators, other drivers, and group administrators. Under UK GDPR, we process these messages under the lawful basis of legitimate interest. The messages are semi-public (visible to all group members, which may number in the hundreds), we process them for a limited and specific purpose (job identification), we do not store the raw messages or any personal data beyond the poster’s display name in extracted job details, and the processing is necessary to deliver the service you have contracted us to provide. We do not build profiles of other group members, do not track their activity across groups, and do not use their messages for any purpose other than identifying job postings for our clients.

3.5 Future capability: operator direct messages. In a future update, we may offer the ability for Interceptor to read direct messages from specific WhatsApp contacts (such as dispatch operators who send job details privately). This feature will only be activated with your explicit opt-in, will only apply to contacts you specifically whitelist, and will process those messages under the same principles described above (extract job details, discard raw content). This feature will never be enabled by default.

3.6 Session security. Your WhatsApp Web session runs on a secured virtual private server. Each client has an isolated session. We do not access your WhatsApp account for any purpose other than delivering the Interceptor Service. If your session disconnects (for example, if you log out of WhatsApp Web on another device), we will notify you and request re-authentication.

Website analytics: We use Independent Analytics, a privacy-focused analytics tool that runs locally on our server. It does not use cookies, does not track users across websites, and does not share data with third parties. We collect anonymised data about page views, referral sources, and general usage patterns to improve our website.

Search performance data: We use Google Search Console (connected via RankMath) to understand how our website performs in Google search results. Google Search Console collects data about search queries, click-through rates, and indexing status. This data is processed by Google in accordance with their privacy policy at https://policies.google.com/privacy.

4. How we use your data

We use the data we collect to deliver and improve our services, process payments and manage your account, communicate with you about your service, respond to enquiries and support requests, improve our website and marketing, and comply with legal obligations.

We will never sell your personal data to third parties. We will never use your data for purposes unrelated to the services you have engaged us to provide.

5. Lawful basis for processing

Under the UK General Data Protection Regulation (UK GDPR), we process your data on the following bases:

Contract: Processing necessary to deliver the services you have signed up for.

Legitimate interest: Processing necessary for our legitimate business interests, such as improving our services and website, and processing WhatsApp group messages to identify job postings for Interceptor clients (see Section 3.4), provided this does not override the rights of any data subject.

Consent: Where you have given explicit consent, such as when submitting a contact form or requesting a call back.

Legal obligation: Processing necessary to comply with our legal obligations, including tax and accounting record-keeping.

6. Third-party services

We use carefully selected third-party services to deliver our products. Each processes data in accordance with their own privacy policies. We review our providers regularly to ensure they maintain appropriate data protection standards.

Payment processing: Payments are handled by a PCI-DSS compliant payment processor. We do not store your card details on our servers. Your payment data is processed securely by the payment provider in accordance with their privacy policy.

AI voice and telephony: Our AI Calls & Calendar service uses third-party voice AI and telephony providers to answer calls, route communications, and send SMS confirmations. Call data (including recordings where applicable) is processed only for the purpose of delivering the service. Call recordings are retained for up to 90 days for quality assurance, then automatically deleted.

AI language models: We use AI language models for message classification (Interceptor), content generation (Local SEO blog posts), and other automated tasks. Data sent to AI providers is limited to what is necessary for the specific task. We use providers whose terms confirm that customer data is not used to train their models.

Calendar and mapping: We use Google Calendar API for diary management and Google Maps API for location and distance calculations. Data is processed in accordance with Google’s privacy policy at https://policies.google.com/privacy.

Messaging and notifications: Interceptor driver notifications are delivered via a secure messaging platform. Your notification preferences and contact details are shared only for the purpose of delivering service alerts.

Local SEO tools: Citation building, rank tracking, and directory management are handled by specialist SEO platforms. Your business information (name, address, phone number) is shared with these platforms for the purpose of building and maintaining your local directory presence — this is the core function of the service.

Customer relationship management: Contact form submissions, callback requests, and client data are managed using CRM software hosted on our own infrastructure. This data is not stored on third-party CRM servers.

Transactional email: Service notifications, booking confirmations, and account communications are sent via a third-party email delivery service. Only the minimum data necessary for email delivery (recipient address, message content) is shared with this provider.

If you would like to know the specific providers we use for any category, please contact us at [email protected] and we will be happy to provide that information.

7. Cookies

Our website uses minimal cookies:

Essential cookies: WordPress session cookies required for the website to function correctly. These are strictly necessary and do not require consent.

Analytics: We use Independent Analytics which does not set any cookies or use any tracking technologies that require consent under UK GDPR or the Privacy and Electronic Communications Regulations (PECR).

We do not use Google Analytics, Facebook Pixel, or any third-party advertising or tracking cookies.

If you make a payment via Stripe, that service may set its own cookies when you interact with its hosted checkout page. Please refer to Stripe’s privacy policy for details.

8. Data retention

We retain your personal data only for as long as necessary to provide our services and fulfil the purposes described in this policy. Specifically:

Account and service data: Retained for the duration of your subscription and for up to 12 months after cancellation, after which it is deleted.

WhatsApp message data (Interceptor): All private messages are discarded immediately upon receipt and are never processed or stored. Group messages that are not job postings are discarded immediately after classification. Group messages identified as job postings are processed to extract structured job data (location, time, price, vehicle class), after which the raw message text is discarded. Only the structured job data is retained, stored in your Google Calendar if the job is claimed. No raw WhatsApp message content is stored on our servers beyond the processing window (typically less than 5 seconds).

Call recordings (AI Calls): Retained for up to 90 days for quality assurance and service improvement, then automatically deleted unless you request otherwise.

Contact form submissions: Retained for up to 12 months.

Payment records: Retained for 7 years as required by HMRC for tax and accounting purposes.

9. Your rights

Under UK GDPR, you have the following rights:

Right of access: You can request a copy of the personal data we hold about you.

Right to rectification: You can ask us to correct inaccurate or incomplete data.

Right to erasure: You can ask us to delete your data, subject to legal retention requirements.

Right to restrict processing: You can ask us to limit how we use your data.

Right to data portability: You can request your data in a structured, commonly used format.

Right to object: You can object to processing based on legitimate interest.

Right to withdraw consent: Where we rely on consent, you can withdraw it at any time.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

10. Data security

We take reasonable technical and organisational measures to protect your personal data, including encrypted connections (SSL/TLS) on our website and all data transfers, secure hosting with daily backups, access controls limiting data access to authorised personnel only, and regular security reviews of our systems and third-party providers.

No system is 100% secure. While we take all reasonable precautions, we cannot guarantee absolute security of your data. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner’s Office within 72 hours and, where required, notify affected individuals without undue delay.

11. Children’s data

Our services are designed for businesses and are not directed at individuals under 18. We do not knowingly collect personal data from children.

12. International transfers

Some of our third-party service providers operate outside the UK. Where data is transferred internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses or equivalent protections as required by UK GDPR.

13. Changes to this policy

We may update this privacy policy from time to time. Any changes will be posted on this page with an updated “last updated” date. We encourage you to review this policy periodically.

14. Contact and complaints

If you have any questions about this privacy policy or how we handle your data, contact us at:

CODEE OFFICE LTD
71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
Email: [email protected]

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). Their website is https://ico.org.uk and their helpline is 0303 123 1113.