1. Data Controller
Ariona Online, registered in the United Kingdom, is the Data Controller in respect of personal data collected through the Ariona platform. Where Ariona processes personal data on behalf of a business customer, that business is the Data Controller and Ariona acts as Data Processor.
Contact: hello@ariona.online
2. What Data We Collect
Business Account Holders
- Name and email address (provided at registration)
- Business name and contact details
- Billing information (processed by our payment provider)
- Usage data and logs relating to your use of the dashboard
End Customers (via WhatsApp)
- Phone number (provided when messaging the business WhatsApp line)
- Name (if provided during conversation)
- Conversation history — messages sent to and received from the AI assistant
- Booking details (service, date, time, staff member)
3. Lawful Basis for Processing
- Contract (Article 6(1)(b) GDPR) — processing your account data to provide the Ariona service you have subscribed to.
- Legitimate interests (Article 6(1)(f) GDPR) — when an end customer first messages a business, we store their phone number to manage the conversation flow (e.g. to avoid repeated prompting). This is limited to the minimum data necessary before consent is obtained. We also rely on legitimate interests for fraud prevention, platform security, and service improvement.
- Consent (Article 6(1)(a) GDPR) — before any AI-assisted booking processing begins, end customers are presented with a clear opt-in prompt. Full conversation history and booking data are only processed after the customer confirms they wish to proceed. Customers may withdraw consent at any time by replying DELETE MY DATA, which permanently erases all their personal data. Withdrawal is as easy as granting consent.
4. How We Use Your Data
- To provide the booking assistant and dashboard functionality.
- To send booking confirmations, reminders and follow-up messages via WhatsApp.
- To improve the AI model's understanding of booking-related queries.
- To respond to support requests and investigate complaints.
- To comply with legal obligations.
5. Sub-processors & Third Parties
We share data with the following trusted sub-processors:
| Provider | Purpose | Location |
|---|
| OpenAI | AI response generation | USA (SCCs in place) |
| Green API | WhatsApp message delivery | EU (GDPR-compliant) |
| Google | Calendar integration (optional) | EU/USA (SCCs in place) |
SCCs = Standard Contractual Clauses under GDPR Article 46(2)(c).
6. Data Retention
- WhatsApp messages — retained for 365 days by default. Business owners can configure a shorter retention period in their dashboard settings. Messages older than the retention period are automatically deleted nightly.
- Booking records — retained for the duration of the account plus 12 months for legal/accounting purposes.
- Account data — retained for the life of the account and deleted within 30 days of account closure.
7. Your Rights
Under GDPR you have the following rights:
- Right of access — request a copy of your personal data.
- Right to withdraw consent (Article 7(3) GDPR) — end customers can withdraw consent at any time by replying DELETE MY DATA. This stops all further processing and triggers immediate erasure. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Right to erasure (Article 17 GDPR) — end customers can text DELETE MY DATA to instantly delete all their personal data and conversation history. Account holders can contact us at hello@ariona.online.
- Right to rectification — correct inaccurate data.
- Right to portability (Article 20 GDPR) — receive your data in a machine-readable format. Business owners can export individual customer records from the dashboard.
- Right to restrict processing — request we limit how we use your data.
- Right to object — object to processing based on legitimate interests.
To exercise any right, contact us at hello@ariona.online. We will respond within 30 days.
8. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration or destruction. This includes encryption at rest and in transit, access controls, and regular security reviews. However, no system is completely secure — please notify us immediately at hello@ariona.online if you suspect a security issue.
9. Cookies
The Ariona dashboard uses essential session cookies required for authentication. We do not use tracking or advertising cookies. No third-party analytics cookies are set.
10. Children
The Ariona service is not directed at children under the age of 18. We do not knowingly collect personal data from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify account holders by email at least 14 days before material changes take effect.