Privacy Policy
Version 2.0 - Effective 2026-07-08 - Change log Template document: review by a qualified data-protection lawyer or DPO before commercial reliance. Not legal advice.
This policy explains how Amaigo ("we", "us") handles personal data under the EU GDPR and UK GDPR. It covers two situations, and the difference matters:
- Visitors to amaigo.com. Amaigo decides why and how your data is used, so Amaigo is the controller.
- The Whistle widget on a client's website. The law firm (or other business) whose site you are visiting decides why your data is collected. That client is the controller, and their privacy policy governs the processing. Amaigo is the processor: we handle the data only on the client's documented instructions, and we refer requests about your rights back to the client. This section explains what we do as processor so you can see how your data is handled in practice.
Who we are
Amaigo, the business operating the Whistle product. Privacy contact: Privacy Lead, [email protected].
We have assessed that a statutory Data Protection Officer is not currently required under Article 37 of the EU GDPR and UK GDPR: we are a small processor and our core activities do not involve large-scale processing of special-category data or large-scale systematic monitoring. If that changes, we will appoint a DPO and publish their details here.
What we collect and why (lawful bases)
On amaigo.com (Amaigo as controller):
| Purpose | Data | Lawful basis (EU GDPR and UK GDPR) |
|---|---|---|
| Responding to your enquiry and arranging a demo | Name, email, phone, what you tell us in the widget | Art. 6(1)(b) steps prior to a contract, and Art. 6(1)(f) legitimate interest in responding to enquiries |
| Storing contact details you submit via the widget | Name, email, phone | Art. 6(1)(a) consent (the widget's consent steps) |
| Optional marketing updates | Art. 6(1)(a) consent (separate, unticked opt-in), withdrawable at any time | |
| Aggregate, cookieless site analytics | Anonymous page and event counts (no identifiers) | Art. 6(1)(f) legitimate interest; no cookies or profiling, see Cookie Notice |
| Security, audit and abuse prevention | Technical metadata (no chat content) | Art. 6(1)(f) legitimate interest in securing the service |
Through Whistle on a client's site (Amaigo as processor): we process prospective clients' enquiry and booking data strictly on the client's instructions, to qualify enquiries and book meetings. The client's typical lawful bases are legitimate interests and, for a booking, steps prior to a contract; special-category data (for example health details volunteered in a legal enquiry) is handled by the client under Art. 9(2)(f) (establishment, exercise or defence of legal claims) or the visitor's explicit consent, as set out in the client's own privacy policy. Amaigo does not decide these bases; the client does.
How Whistle handles personal data (privacy by design)
- Contact details (name, email, phone) are captured through structured form fields that post directly to our EU backend. They do not pass through the AI.
- Best-effort redaction before AI. Because the chat is a free-text box, we cannot promise nothing personal ever reaches the AI. Emails, phone numbers and long digit sequences in user messages are redacted before any message is sent to our AI sub-processor. This is defence in depth, not a guarantee, so the further safeguards below apply to the whole channel.
- No transcripts by default. We do not store raw chat transcripts unless the client expressly enables it. We keep the structured answers, a summary and the outcome.
- No chat content in logs. Our application logs record metadata only, never message content.
AI processing
Whistle uses Anthropic's Claude models to run the conversation. Under our commercial terms with Anthropic:
- Anthropic does not train models on customer content.
- Message data is subject to short, bounded retention by Anthropic for trust and safety purposes; a zero-data-retention arrangement is on our roadmap and we will update this policy when it is in place.
- Messages are best-effort redacted before they reach Anthropic, as described above.
See the AI Transparency Notice for how the assistant identifies itself and what it will and will not do.
Recipients / sub-processors
We use a small number of sub-processors (AI, hosting, database, booking, email). The Sub-processors list names each one with its location, function and transfer mechanism, and explains how to subscribe to change notices.
International transfers
Personal data is stored in the EU. Where a sub-processor (currently our AI provider) processes data in the US, transfers rely on the EU-US Data Privacy Framework and its UK Extension as the primary mechanism, with EU Standard Contractual Clauses (Module 3, processor to processor) and the UK Addendum executed as an automatic fallback, supported by a transfer risk assessment that we review annually and on trigger events.
Retention
We keep personal data only as long as needed. For Whistle, each controller configures a retention period (default 365 days), after which an automated purge deletes the data; erasure requests override the schedule. Full details, including our recommendation that firms handling sensitive intake configure shorter periods, are in the Data Retention Policy.
Your rights
Under the EU GDPR and UK GDPR you can ask to access, rectify, erase, restrict and port your personal data, object to processing, and withdraw consent at any time.
- amaigo.com data: contact [email protected].
- Data collected through a client's Whistle widget: contact that client (the controller); we assist them in fulfilling requests.
How requests are verified and handled is described in the Data Subject Requests procedure.
Cookies and local storage
We set no tracking cookies. The widget uses functional first-party local storage only, described key by key in the Cookie Notice.
Complaints
You can complain to a supervisory authority at any time:
- UK: the Information Commissioner's Office (ICO), ico.org.uk.
- EU: the supervisory authority of the member state where you live, work, or where the issue occurred (for example the Irish Data Protection Commission or French CNIL, depending on your location).
We would appreciate the chance to resolve your concern first via [email protected], but you are not required to contact us before complaining.
This document is a GDPR-aligned template and must be reviewed by a qualified data-protection lawyer or DPO before commercial reliance. It is not legal advice.