Legal
Privacy Policy
Last updated: January 2025
1. Introduction
Maxxo.ai ("Maxxo", "we", "our", "us") provides AI-powered enquiry management software for UK care homes. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our website (maxxo.ai) and services.
We are registered in England and Wales and comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Our Role: Data Controller and Data Processor
Maxxo operates in two distinct capacities depending on the data involved:
As a Data Controller:
We are the data controller for personal data we collect directly from you, including account registration details, billing information, and marketing communications.
As a Data Processor:
When care homes use Maxxo to handle enquiries from prospective residents and their families, we process that data on behalf of the care home. In this context, the care home is the data controller and Maxxo is the data processor. Our processing is governed by our Data Processing Agreement with each care home client.
If you are a prospective resident or family member who has interacted with a care home through our platform, the care home's privacy policy governs how your data is used. Please contact the care home directly for information about their data practices.
3. What Data We Collect
3.1 Data We Collect as a Controller
Account and Billing Data:
Name, email address, phone number
Company/organisation name and role
Billing address and payment information
Account preferences and settings
Website and Marketing Data:
IP address, browser type, device information
Pages visited and interaction data
Marketing preferences and consent records
Demo request information
3.2 Data We Process on Behalf of Care Homes
When care homes use our services, we process enquiry data on their behalf, which may include:
Names and contact details of prospective residents and family members
Enquiry content and conversation transcripts
Care requirements and preferences discussed
Booking and tour scheduling information
Call recordings (Voice Assistant only, where enabled)
4. How We Use Your Data
4.1 As a Data Controller
We use data we control for:
Providing and maintaining your Maxxo account
Processing payments and managing billing
Responding to support requests and enquiries
Sending service updates and essential communications
Sending marketing communications (where you have consented)
Analysing usage to improve our services
Complying with legal obligations
4.2 As a Data Processor
We process enquiry data strictly in accordance with our care home clients' instructions and our Data Processing Agreement. This includes:
Operating AI assistants to respond to enquiries
Storing and displaying conversation data in the dashboard
Generating analytics and reports for care homes
Sending notifications to care home staff
Processing bookings and scheduling tours
5. Artificial Intelligence and Automated Processing
Our services use artificial intelligence to:
Respond to enquiries via chat, SMS/WhatsApp, and voice
Extract and summarise information from conversations
Generate follow-up messages and recommendations
Analyse conversation sentiment and topics
Important:
Our AI systems assist care home staff but do not make decisions with legal or similarly significant effects on individuals. All AI-assisted communications are clearly identifiable, and human staff can review and intervene at any time. Care homes control how AI is used in their enquiry handling.
Where our Voice Assistant is enabled, calls may be recorded for quality assurance and to provide transcripts. Callers are informed of this at the start of each call.
6. Legal Basis for Processing
6.1 Data We Control
We process personal data on the following legal bases:
Contract: Processing necessary to provide our services to you, including account management and billing.
Legitimate Interests: Processing necessary for our legitimate business interests, such as improving our services, preventing fraud, and ensuring security, where these do not override your rights.
Consent: Where you have given clear consent, such as for marketing communications. You can withdraw consent at any time.
Legal Obligation: Where we need to comply with legal requirements, such as tax and accounting obligations.
6.2 Data We Process for Care Homes
As a data processor, we process enquiry data based on the instructions of our care home clients. Care homes are responsible for ensuring they have a valid legal basis for collecting and processing enquiry data.
7. Data Sharing and Sub-processors
We do not sell personal data.
7.1 Sub-processors
We use the following sub-processors to deliver our services:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase (AWS) | Database hosting and authentication | EU (Frankfurt) |
| Vercel | Website and application hosting | Global (EU primary) |
| Anthropic | AI conversation processing | USA |
| OpenAI | AI embeddings and processing | USA |
| ElevenLabs | Voice AI and speech synthesis | USA |
| Twilio | SMS and WhatsApp messaging | USA |
| Resend | Transactional email delivery | USA |
| Stripe | Payment processing | USA |
For an always-current list, see /sub-processors.
7.2 Other Disclosures
We may also share data:
With professional advisors (lawyers, accountants) under confidentiality obligations
Where required by law, regulation, or court order
To protect our legal rights or the safety of others
In connection with a business transfer (merger, acquisition, or sale)
8. International Data Transfers
Some of our sub-processors are located in the United States. When we transfer personal data outside the UK, we ensure appropriate safeguards are in place:
Standard Contractual Clauses (SCCs): We use UK-approved International Data Transfer Agreements with US-based processors.
Supplementary Measures: We implement additional technical and organisational measures where appropriate, including encryption in transit and at rest.
You can request a copy of the relevant transfer mechanism by contacting us at legal@maxxo.ai.
9. Data Retention
We retain personal data only as long as necessary for the purposes described in this policy:
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account plus 6 years |
| Billing and invoices | 6 years (legal requirement) |
| Enquiry data (processor) | As instructed by care home client |
| Marketing contacts | Until consent withdrawn or 2 years of inactivity |
| Website analytics | 26 months |
| Support communications | 3 years from resolution |
When data is no longer needed, we securely delete or anonymise it.
10. Your Rights
Under UK GDPR, you have the following rights regarding personal data we control:
Right of Access: Request a copy of the data we hold about you.
Right to Rectification: Request correction of inaccurate or incomplete data.
Right to Erasure: Request deletion of your data in certain circumstances.
Right to Restrict Processing: Request that we limit how we use your data.
Right to Data Portability: Request your data in a portable format.
Right to Object: Object to processing based on legitimate interests or for direct marketing.
Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
Rights Related to Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Our AI systems do not make such decisions.
10.1 Exercising Your Rights
To exercise any of these rights, contact us at legal@maxxo.ai. We will respond within one month. We may ask for verification of your identity before processing your request.
10.2 Erasure Requests and Contract Obligations
Please note that we may decline or delay erasure requests where:
Data retention is necessary for the performance of an active contract
We are required to retain data for legal or regulatory compliance
Data is needed to establish, exercise, or defend legal claims
In such cases, we will explain the reason and, where applicable, confirm when deletion will occur.
10.3 Enquiry Data
If you have interacted with a care home through our platform and wish to exercise your rights regarding that data, please contact the care home directly. As a data processor, we act on their instructions regarding enquiry data.
11. Data Security
We implement appropriate technical and organisational measures to protect personal data, including:
Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
Access controls and authentication requirements
Regular security assessments and monitoring
Staff training on data protection
Incident response procedures
We are committed to maintaining industry-standard security practices and are working towards Cyber Essentials Plus certification.
12. Cookies
We use cookies and similar technologies to improve your experience on our website. For detailed information about the cookies we use and how to manage them, please see our Cookie Policy.
13. Children's Data
Our services are not directed at children under 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to account holders or through a prominent notice on our website. The "Last updated" date at the top indicates when the policy was last revised.
We encourage you to review this policy periodically.
15. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact:
Email: legal@maxxo.ai
Data Protection Matters: For data protection specific queries, please include "Data Protection" in your email subject line.
16. Complaints
If you are unhappy with how we have handled your data, we encourage you to contact us first so we can try to resolve your concern.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk
Helpline: 0303 123 1113
Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
© 2025 Maxxo.ai. All rights reserved.