MaestroWay Privacy Policy

Effective date: 31st July 2025

This Privacy Policy explains how MaestroWay ("MaestroWay", "we", "us", or "our") collects, uses, shares, and protects personal data when you visit our websites, use our services, or interact with AI chatbots, forms, or other tools we provide to our clients.

Important role note: MaestroWay operates (1) as a controller for personal data we collect about our own prospects, customers, website visitors and marketing activities; and (2) as a processor (or service provider) for personal data we process on behalf of our business clients inside the MaestroWay platform (which is powered by trusted hosting and technology providers).

1) Who we are and how to contact us

• Legal entity: MAESTROWAY LTD, UK company Number 16619986

• Registered address: APARTMENT 103 9 SOLLY STREET, SHEFFIELD, ENGLAND S1 4DF

• Data Protection Officer / contact email: [email protected].

If you are in the EEA/UK and wish to exercise your data rights, contact us at the email above.

2) Scope

This Policy applies to:

• Visitors to maestroway.com and related pages.

• Our customers and trial users.

• End users who interact with MaestroWay-powered websites, chatbots, forms, email/SMS flows and other automations delivered to our clients.

If you are an end user of one of our clients, please also review that client’s privacy policy—they are typically the controller for your data; MaestroWay processes your data on their instructions.

3) Personal data we collect

We collect the following categories of data, depending on your relationship with us:

Website visitors

• Device/usage data: IP address, device/browser type, referring/exit pages, pages viewed, timestamps, language, approximate location.

• Cookies and similar technologies (see Section 12).

Prospects & customers

• Identity & contact data: name, company, role, email, phone, preferred language.

• Account data: login identifiers, organization/sub-account relationships.

• Transactional data: invoices, payments (processed by payment providers), plan level, support requests.

End users of client implementations

• Contact data submitted by you (e.g., name, phone, email) via forms/chat.

• Conversation content and metadata from AI chatbots and inboxes.

• Booking/lead details, files you upload, preferences.

• Technical data as above for visitors.

Special categories: We do not seek to collect sensitive data (e.g., health, biometric, precise location) unless explicitly provided by you and required by a client’s workflow; in such cases, we process only under the client’s documented instructions and applicable law.

4) How we use personal data (purposes & legal bases)

We use data to:

• Provide, operate and secure our services (GDPR: Art. 6(1)(b)/(f)).

• Set up and manage client accounts and sub-accounts (b).

• Process transactions and billing via payment processors (b).

• Communicate with you about service updates, support and security (b/f).

• Improve and develop features, including AI-assisted functionality (f/consent where required). We do not retain personal data to develop, improve, or train generalized AI or machine-learning models.

• Marketing communications (f/consent where required; you can opt out anytime).

• Comply with legal obligations and enforce terms (c/f).

Where required by law (e.g., e-privacy/cookie rules), we obtain consent before setting non-essential cookies or sending certain electronic marketing.

5) Our service providers (subprocessors)

To deliver the services, we rely on trusted hosting and technology providers that process data under contract. MaestroWay requires each provider to implement appropriate security and to process data only per our instructions. Subprocessors include, but are not limited to:

• Payment processors: Stripe, Wise, Paypal

• LeadConnector – integrations and API connections.

• AI/LLM providers: OpenAI, Anthropic, Google AI, (others if enabled).

• Messaging/communications: Twilio, Mailgun, SendGrid, WhatsApp Business Platform.

• Social & ad networks (as configured by clients): Facebook/Meta, Instagram, TikTok, Google Ads/YouTube, LinkedIn. Where YouTube/Google APIs are connected, Google’s API Services User Data Policy (Limited Use) applies; access can be revoked in Google security settings.

• Productivity & integrations: Google Workspace, Slack, Zapier, Make (Integromat), Zoho.

• Cloud/CDN & security: Cloudflare, Amazon Web Services (AWS).

• GoHighLevel (HighLevel, LLC) – Web host and platform infrastructure.

This list may evolve as we add or change vendors. A current list of subprocessors is available upon request by contacting [email protected].

6) International data transfers

Given our global operations (UK entity with infrastructure and vendors in multiple countries), personal data may be transferred internationally. Where required, we implement appropriate safeguards, such as the EU/UK Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms.

7) Data retention

We keep personal data only as long as necessary for the purposes in this Policy (e.g., contract duration plus a reasonable period) or as required by law. Clients may control retention for data processed on their behalf. We provide deletion upon request or at contract end, subject to legal holds and backups.

8) Security

We apply administrative, technical, and physical safeguards proportionate to risk, including encryption in transit, access controls, logging, role-based permissions, and vendor due diligence. Where we leverage hosting and technology providers, we also rely on their independently validated controls (e.g., network security, DDoS protection, infrastructure hardening). No system is 100% secure; we maintain incident response procedures and will notify clients/users as required by law.

9) Your rights

Depending on your location, you may have the right to request: access, correction, deletion, restriction/objection, and data portability. You may also withdraw consent at any time (where processing is based on consent). If we process your data on behalf of a client, we will forward your request to that client/controller.

• EU/EEA/UK (GDPR): Contact us using the details above. You may lodge a complaint with your local supervisory authority.

• California (CCPA/CPRA): If applicable, you may exercise access/deletion/correction/opt-out rights; we do not sell personal information. You can designate an authorized agent. We will verify your request as required by law.

10) Children’s data

Our services are not directed to children under the age of 16 (or a different minimum age where required by local law; e.g., 13 in the U.S.). We do not knowingly collect such data. If you believe a child provided data, contact us for deletion.

11) Marketing preferences

You can unsubscribe from marketing emails via the link in the message or by contacting us. Service and transactional emails will still be sent as needed.

12) Cookies & similar technologies

We use cookies and similar technologies for functionality, analytics, and (where applicable) advertising. Where legally required, we present a cookie banner/manager to obtain/record consent. You can manage preferences via your browser or our cookie settings. We currently do not respond to browser Do Not Track (DNT) signals.

13) Third-party links

Our websites and client implementations may link to third-party sites or apps. Their privacy practices are governed by their own policies.

14) Changes to this Policy

We may update this Policy from time to time. We will post the updated version with the “Effective date” above and, where appropriate, notify you via email or in-app.

15) Contact

For questions about this Policy or our data practices, contact: [email protected].

This document is provided for general informational purposes and does not constitute legal advice. We recommend independent legal review for your specific use cases and jurisdictions.