How SyncLocal AI Ltd collects, uses, and protects your information – and the information of your customers.
SyncLocal AI Ltd (“SyncLocal”, “we”, “us”, or “our”) is a company registered in England and Wales. We provide an operating system for UK local businesses – specifically trades & services businesses and restaurants & takeaways – helping them manage customer communications, reviews, payments, and marketing.
This Privacy Policy explains how we collect, use, and protect personal data in connection with our website (synclocal.ai) and the services we provide to our clients.
For the purposes of UK data protection law, SyncLocal AI Ltd is the data controller for personal data we collect about our clients (the businesses that subscribe to our services) and our website visitors. Where we process personal data on behalf of our clients – specifically data belonging to their own customers – we act as a data processor. This distinction is explained in more detail in Section 2.
Under the UK General Data Protection Regulation (UK GDPR), organisations that handle personal data are classified as either a data controller (who determines why and how data is used) or a data processor (who processes data on a controller’s instructions). SyncLocal acts in both capacities depending on whose data is involved.
When we collect data directly from our clients (businesses subscribing to SyncLocal) or from visitors to synclocal.ai, we are the data controller. We determine how and why this data is used.
When our systems process data belonging to our clients’ end customers (e.g. names, phone numbers, order history, WhatsApp conversations), we act as a data processor on our clients’ behalf. Our clients are the data controllers of their own customers’ data.
If you are a customer of a business that uses SyncLocal (for example, you ordered food via WhatsApp from a restaurant that uses our platform), your data is held and controlled by that business, not by SyncLocal. Please contact that business directly to exercise your data rights. We process your data solely to provide services to that business, under their instructions.
By subscribing to SyncLocal, our clients accept responsibility for their own compliance with UK GDPR in respect of their customers’ data. This includes ensuring they have a lawful basis for collecting customer data and that their own privacy notices are accurate and up to date.
When you sign up to SyncLocal or use our services, we collect the following categories of personal and business data:
In delivering our services, our systems process data belonging to our clients’ customers. This may include:
We process this data solely to provide and operate the services our clients have subscribed to. We do not use this data for our own purposes, and we do not sell it to any third party.
Under UK GDPR, we rely on the following legal bases for processing personal data about our clients:
For data we process on behalf of our clients (their customers’ data), we process it under the instructions of our clients, who are responsible for establishing their own lawful basis.
We use the data we collect about our clients to:
We do not use your data or your customers’ data to train any models, build any products for third parties, or sell to any external organisations.
Our service involves connecting to and managing a number of third-party platforms on behalf of our clients. All accounts on these platforms are owned by the client. SyncLocal is granted management access to operate these accounts as part of the service. Ownership, contractual responsibility, and compliance with each platform’s own terms of service remain entirely with the client.
Used for customer messaging and transactional order notifications. Operated via the WhatsApp Business Cloud API (Meta Platforms Inc.).
When a restaurant client connects their WhatsApp Business Account (WABA) to SyncLocal via our onboarding flow, we receive and securely store their WABA ID, phone number ID, and a system user access token. We use this to send automated transactional messages to the restaurant’s customers on their behalf – specifically order confirmations, preparation updates, ready-for-collection alerts, delivery notifications, and cancellation notices. All messages are triggered by a customer-initiated order event. We do not send unsolicited or bulk marketing messages through this integration.
We collect and process the following data via WhatsApp on behalf of our restaurant clients: customer WhatsApp phone numbers; transactional message content; message delivery and read status; message timestamps; and WABA account identifiers.
Message logs are retained for 90 days then permanently deleted. WABA credentials are retained for the duration of the restaurant’s active subscription and deleted within 30 days of account termination.
Meta Platforms Inc. acts as a sub-processor for this data under Meta’s Data Processing Terms.
Connected for restaurant clients who require an on-demand delivery service. The Uber Direct account is held and owned by the client restaurant. SyncLocal connects the client’s ordering system to their Uber Direct account to automate delivery dispatch.
When a delivery is requested, SyncLocal shares with Uber the minimum data necessary to fulfil the delivery: the customer’s name, delivery address, and phone number. This data is shared solely for the purpose of completing the delivery and is not used by SyncLocal for any other purpose.
Uber sends real-time delivery status updates (e.g. driver assigned, en route, delivered) to SyncLocal via webhook; these status events are stored in our database and displayed to the restaurant in their order management dashboard.
Delivery address and status data is retained for 90 days then deleted.
Uber Technologies Inc. acts as a sub-processor for delivery fulfilment data. Uber’s privacy policy governs how Uber processes data on its own systems.
We do not sell your data or your customers’ data to any third party. We share data only in the following circumstances:
Some of the third-party platforms and sub-processors we use (including GoHighLevel and Meta) are based in the United States. Where personal data is transferred outside the UK or European Economic Area, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved for use under UK law.
If you would like more information about the safeguards in place for any specific transfer, please contact us at [email protected].
Under UK GDPR, you have the following rights in relation to personal data we hold about you as a client or website visitor:
Request a copy of the personal data we hold about you.
Ask us to correct inaccurate or incomplete data.
Request deletion of your data, subject to any legal retention obligations.
Ask us to limit how we use your data in certain circumstances.
Receive your data in a structured, machine-readable format.
Object to processing based on legitimate interests, including direct marketing.
To exercise any of these rights, contact us at [email protected]. We will respond within one calendar month. If you are unhappy with how we handle your request, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.
We retain client data for as long as your account is active and for a period afterwards as required by law. In practice:
We take reasonable technical and organisational measures to protect personal data from unauthorised access, loss, or disclosure. These include encrypted connections (SSL/TLS), restricted access controls, and regular security reviews of our platform and third-party sub-processors.
No system is entirely without risk. In the event of a data breach that is likely to result in a risk to individuals’ rights and freedoms, we will notify the ICO within 72 hours and, where required, affected individuals without undue delay.
We may update this Privacy Policy from time to time. When we do, we will update the “last updated” date at the top of the page. For material changes, we will notify active clients by email. Continued use of our services after any update constitutes acceptance of the revised policy.
For any questions about this Privacy Policy, to exercise your data rights, or to raise a concern, please contact us:
SyncLocal AI Ltd
Data enquiries: [email protected]
Governing law: England & Wales
If you are not satisfied with our response, you can contact the Information Commissioner’s Office (ICO) – the UK’s independent data protection authority – at ico.org.uk or by calling 0303 123 1113.
If you have connected a Facebook account or WhatsApp Business Account to SyncLocal and wish to request deletion of your associated data from our systems, you can do so in either of the following ways:
We will process your request within 30 days and provide a confirmation reference. This process covers data held by SyncLocal AI Ltd. For data held by Meta on their own systems, please refer to Meta’s own data deletion tools at facebook.com/help/delete_account.
This section also serves as SyncLocal’s Data Deletion Instructions URL as required by the Meta for Developers platform.