Privacy Policy

How we handle your data.

Effective 9 May 2026. This policy describes how Assistrack AI ("Assistrack", "we", "us") collects, uses, shares, and protects information about you. It is written to comply with the Nigeria Data Protection Act 2023 and the requirements of WhatsApp's Business Terms.

1. Who we are

Assistrack AI is a productivity assistant operating on WhatsApp, built for users in Nigeria and the wider African market. It is provided by the entity operating the assistrack.com service.

For the purposes of the Nigeria Data Protection Act 2023 ("NDPA"), Assistrack is the "data controller" of the personal data described in this policy.

2. What we collect

We collect the following categories of personal data, only what we need to provide and improve the service:

  • Account information. Your WhatsApp phone number, your name (as provided), the email address you sign up with on the dashboard, your timezone, and your selected subscription plan.
  • WhatsApp messages. The content of messages you exchange with the bot — text, voice notes, images, documents, and one-time location pins you manually share. Voice notes are transcribed to text by a third-party speech-to-text provider so the assistant can act on them.
  • Productivity data. Reminders, tasks, notes, contacts, and knowledge items you ask the assistant to save, including any details you supply (titles, dates, descriptions, names, phone numbers, emails).
  • Connected-account data. If you connect Google Calendar, Gmail, or Tasks, we receive an authorization token and the specific data the assistant needs to fulfil your requests (calendar events you schedule, drafts you ask us to send, etc.). We never read mail you didn't explicitly ask us to read.
  • Usage and metering data. Counts of messages exchanged, voice minutes used, voice replies generated, document pages processed, web searches run, and reminders sent. Used for plan limits and billing.
  • Voice-call data. When you use voice features, we record call audio (for transcript and quality), call duration, the destination number, and the call outcome. Both inbound and outbound assisted calls are subject to this.
  • Payment data. Subscription plan, the fact that a payment succeeded or failed, the payment reference, and the amount. We never see your card number or bank account; that goes directly to Paystack.
  • Emergency data (only if you use Guardian features). Emergency contacts you save, the last location pin you manually shared (you must share it; we cannot pull live location from WhatsApp).
  • Technical data. IP address, user-agent, device info from your dashboard sessions, and standard request logs.

3. Why we process it

We process your data for these specific purposes:

  • To deliver the service. Receive your messages, route them through our AI models, and send you back useful replies; schedule and send your reminders; manage your tasks and notes; place voice calls you ask for; deliver daily briefings.
  • AI processing. Send the relevant portion of your conversation to large-language-model providers (currently Anthropic's Claude) so the assistant can understand your intent and generate replies. We send only what is necessary for the current request and a short rolling context, not your entire history.
  • Billing and metering. Track usage against your plan limits, charge subscription fees, debit credit purchases.
  • Support, debugging, and fraud prevention. Investigate problems you report, detect abuse and fraud, and improve reliability. See section 6 for operator-access details.
  • Security and abuse-prevention. Detect bursts, spam, and policy violations; comply with WhatsApp's Business Terms.
  • Legal compliance. Tax records, responding to lawful requests from regulators, and cooperating with the Nigeria Data Protection Commission ("NDPC").

We do not sell your personal data, full stop. We do not run ads against you, profile you for advertising, or share your conversations with anyone except the processors listed in section 5.

4. Lawful basis

Under the NDPA, we rely on these lawful bases:

  • Performance of contract — for delivering the service you signed up for, processing payments, and meeting our subscription obligations.
  • Consent — for sensitive optional features such as emergency alerts, voice-call escalations, connected-account integrations, and location sharing. You can withdraw consent at any time; see section 9.
  • Legitimate interests — for security, fraud detection, abuse prevention, and the support and debugging activities described in section 6, balanced against your privacy rights.
  • Legal obligation — for retaining financial records as required by Nigerian tax law and responding to lawful requests from authorities.

5. Who we share data with

We share the minimum personal data necessary with these processors to operate the service. Each is bound by a data-processing agreement and processes data only on our instructions.

  • Anthropic, PBC (United States) — large language models. Receives the relevant portion of your conversation to generate replies. Does not train its public models on your data per Anthropic's commercial terms.
  • Vapi (Bucket Labs) (United States) — voice-agent platform. Receives call audio and transcripts when you use voice features.
  • Deepgram (United States) — speech-to-text for transcribing your WhatsApp voice notes.
  • Twilio (United States) — phone-call escalation when you use Guardian or callback-reminder features.
  • Supabase (United States / European Union) — database hosting and authentication.
  • Vercel (United States) — hosting for the user dashboard and admin app.
  • Railway (United States) — hosting for our backend services.
  • Paystack (Nigeria) — payment processing. Card details go directly to Paystack; we never see them.
  • Resend (United States) — transactional email (welcome, payment receipts, password resets).
  • Sentry (United States) — error monitoring. We strip phone numbers, emails, and payment references from events before they leave our server.
  • Google LLC (United States) — only when you explicitly connect Google Calendar / Gmail / Tasks. Access is revocable from your Google account at any time.
  • Meta Platforms / WhatsApp (United States) — the WhatsApp Business API itself. Your messages travel over WhatsApp's infrastructure.

6. Operator access to your account

Authorized Assistrack personnel (collectively, "Operators") may access your account information and conversation history through our internal admin dashboard for the following purposes only:

  • investigating support tickets you have raised with us;
  • debugging issues with the service (including reproducing bugs you report);
  • detecting and responding to fraud, abuse, and violations of our Terms of Service;
  • complying with lawful requests from authorities.

The following safeguards apply to all Operator access:

  • Audit logging. Every read of conversation content is recorded in an append-only audit log (database-level immutability triggers prevent it from being modified or deleted). The log records who accessed what, when, and from which IP address.
  • Authentication. Operator access is limited to accounts explicitly granted admin permissions by the founders, behind email + password (and, in production, multi-factor authentication).
  • Minimum necessary. Operators access only what is needed for the stated purpose.
  • Confidentiality. Operators are bound by confidentiality obligations and may not disclose personal data outside of those obligations.
  • Mutating actions are reasoned. Any Operator action that changes your account (refund, plan adjustment, credit balance change, etc.) requires a written justification recorded in the audit log alongside the change.

7. International transfers

Several of our processors are located outside Nigeria (mostly in the United States). Where personal data leaves Nigeria, we rely on adequacy mechanisms recognised by the NDPC, Standard Contractual Clauses, or equivalent contractual safeguards with each processor. You may request a copy of these safeguards by writing to us (section 14).

8. How long we keep data

We keep personal data only as long as necessary:

  • Conversation content. Full message bodies are kept for up to 12 months from the date of the message; AI-generated rolling summaries (without full content) may be kept longer to preserve continuity of the assistant's context. You can request earlier deletion at any time (section 9).
  • Call recordings and transcripts. 12 months from the call date.
  • Account information. While your account is active, plus 30 days after a deletion request to cover reversal windows. Some pseudonymised records may survive longer where required for fraud prevention.
  • Payment records. 6 years from the transaction date, as required by Nigerian tax law.
  • Audit log of Operator actions. 7 years, for compliance and incident-investigation purposes.
  • Backups. Routine encrypted backups may contain otherwise-deleted data for up to 35 days before the backup itself is rotated out.

9. Your rights

Under the NDPA you have the right to:

  • Access a copy of the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Delete your account and your data (subject to the retention periods above for records we are legally required to keep, e.g., tax).
  • Port your data — receive a machine-readable export of what we hold about you.
  • Object to processing based on legitimate interests.
  • Withdraw consent for any processing based on consent, at any time, without affecting lawful processing carried out before the withdrawal.
  • Lodge a complaint with the Nigeria Data Protection Commission (NDPC) if you believe we have handled your data unlawfully.

To exercise any of these rights, email privacy@assistrack.com. We will respond within 30 days. If we cannot fulfil your request, we will tell you why.

10. Security

We protect your data with practical and proportionate measures, including:

  • TLS encryption for all data in transit (between your device, our backend, and our processors).
  • Encryption at rest provided by our database and storage providers.
  • Authentication and access control on all administrative tools, with the audit log described in section 6.
  • Webhook signature verification on inbound traffic from WhatsApp, Paystack, and Vapi to prevent forged events.
  • Automated rate limiting and abuse detection on the conversational interface.
  • Regular dependency updates and security reviews.

No system is perfectly secure. If we ever discover a security incident affecting your personal data, we will notify you and the NDPC in line with our NDPA obligations.

11. Children

Assistrack is not intended for users under 18. We do not knowingly collect personal data from children. If you believe a child has signed up, contact us at the address in section 14 and we will delete the account.

12. About the AI

Assistrack uses third-party large language models (currently Anthropic's Claude) to power its assistant features. The assistant is software, not a person, and does not always produce accurate output.

In line with Meta's WhatsApp policy (effective 15 January 2026), Assistrack is a purpose-specific productivity tool, not a general-purpose AI chatbot. The assistant will not provide medical, legal, or financial advice and is not a substitute for professional services in those areas. It will not act as a companion or therapist.

13. Changes to this policy

We may update this policy as our service or the law evolves. The effective date at the top of this page shows the current version. For material changes, we will give you at least 14 days' notice through the dashboard or via WhatsApp before the change takes effect.

14. Contact

For privacy questions, requests under section 9, or anything else covered by this policy, write to privacy@assistrack.com. You can also reach our support team at support@assistrack.com.

If you are not satisfied with our response, you can lodge a complaint with the Nigeria Data Protection Commission at ndpc.gov.ng.