Privacy policy — Future Assistants
Controller: Future Assistants Ltd Company number: 17123132 Registered address: 4th Floor, Silverstream House, 45 Fitzroy Street, Fitzrovia, London W1T 6EB Website / app: https://futureassistants.co.uk Privacy contact: privacy@futureassistants.co.uk Effective date: 27 April 2026
1. About this service
Future Assistants is a web application (built with Next.js) that provides a personal dashboard, profiles, messaging, optional live voice/video rooms, marketplace and automation hooks, and AI-assisted experiences. The service is operated by Future Assistants Ltd (“we”, “us”).
This policy explains what personal data we process, why, how long, and your rights.
2. Data we collect
2.1 Account and identity
- Authentication: email, password hash (managed by our auth provider), session tokens, security logs.
- Profile: display name, handle, lane/profile mode, preferences stored in your account (including theme, typography, cadence, and similar dashboard settings).
- Public profile (optional): if you publish a public Nexus Link (
/u/<your-handle>), we process the fields you choose to expose (e.g. bio, links, theme) as described at publish time.
2.2 Product usage and content
- Dashboard activity: interactions with features (e.g. settings, achievements, dock) may generate usage or telemetry consistent with your in-app privacy / personalisation choices.
- Messaging: when you use Messages, message content and metadata (conversation id, sender, timestamps) are stored in our database so the product can deliver and sync threads. Voice and video in supported flows use WebRTC peer-to-peer for media where implemented; signalling and metadata may pass through our infrastructure.
- Transit security: text messages are protected in transit (TLS) to our providers and stored on our systems. Client-side end-to-end encryption for text is not currently shipped.
- Files, media, library: content you upload or generate is stored in our object storage and database according to the feature you are using (e.g. avatars, generated images, voice samples).
- Support and safety: if you contact support, report abuse, or use crisis/safety flows, we process the information you submit for those purposes.
2.3 Payments and billing
- If you purchase digital goods (e.g. theme packs, credits), Stripe Payments UK Limited processes card and payment data. We receive limited billing metadata (e.g. transaction references, line items as configured) — not full card numbers.
2.4 Automation and integrations
- n8n (or similar workflow host) may process data you route through webhooks or server-side automations you enable (e.g. marketplace checkout). Scope depends on which workflows you activate and what you send to them.
- Optional telephony (Twilio): if you enable SMS/voice/WhatsApp integrations described in the repository’s phone-system workflows, message/call metadata and content may be processed by Twilio under their terms.
2.5 Diagnostics
- If enabled in your deployment, Sentry (or similar) may collect error reports, stack traces, and limited device/session context to fix bugs.
2.6 Technical data
- IP address, user agent, approximate location from IP, cookies or similar storage for sessions and preferences (see Cookie policy).
3. Purposes and lawful bases (UK / EEA)
| Purpose | Typical lawful basis |
|---|---|
| Provide and secure the service | Contract; legitimate interests (security) |
| Messaging delivery | Contract |
| Billing and fraud prevention | Contract; legal obligation (where applicable) |
| Product improvement and analytics | Legitimate interests and/or consent depending on implementation |
| Marketing emails | Consent where required |
| Legal claims and regulatory requests | Legal obligation / legitimate interests |
4. Recipients and subprocessors
We use infrastructure and software providers, including but not limited to:
| Provider | Role |
|---|---|
| Supabase | Authentication, PostgreSQL database, Realtime subscriptions, file storage as configured |
| Your application host (e.g. Railway, Vercel) | Hosting and execution of the Next.js application |
| Stripe | Payment processing for paid features |
| Twilio | Optional SMS/voice/WhatsApp if you wire those flows |
| Sentry | Optional error monitoring |
| n8n host (e.g. Railway) | Optional workflow automation you operate |
| OpenRouter / Anthropic / OpenAI / Google | AI inference (live model responses). Zero-retention / no-training agreements where supported. |
| Inworld | Voice synthesis where enabled. |
| Replicate | Avatar / 3D model generation pipelines. |
A living list with links to vendor DPAs should be published at https://futureassistants.co.uk/legal/subprocessors.
4a. AI training — separate from inference
Sending a prompt to an AI provider so it can reply ("inference") is not the same as using your data to train a model ("training"). Training is off by default on every account, in every category. If we ever ship a Future Assistants–trained model, you'll get a clear notification before each training run and a category-by-category opt-in toggle in Settings → Privacy → AI training (revocable any time).
Some categories — content authored by children, crisis events, support / DV / dating, anything you marked do-not-train — are permanently off-limits with no consent path that unlocks them. Everything else is opt-in only, and stays off unless you actively turn it on. Full policy: /legal/ai-training.
5. International transfers
Data is processed in the United Kingdom and EEA primarily; some AI inference vendors are US-based — see Subprocessors. Where required, transfers rely on the UK International Data Transfer Agreement and/or the EU Standard Contractual Clauses with vendor-side technical and organisational measures.
6. Retention
- Account data: while the account exists and for 30 days after deletion request, subject to legal holds.
- Messages and content: Messages retained for the active account lifetime and deleted within 30 days of account deletion (subject to legal-hold exceptions) unless deleted earlier by feature or user action.
- Logs and backups: Application and audit logs retained for 90 days; security-relevant logs retained for 12 months.
7. Your rights
Subject to applicable law, you may have rights of access, rectification, erasure, restriction, objection, portability, and to withdraw consent for consent-based processing. Contact privacy@futureassistants.co.uk. You may lodge a complaint with Information Commissioner's Office (ICO), United Kingdom.
8. Children
The minimum age to create an account is 16 (or the age of digital consent in your country, if higher). Family lane: a parent account creates and governs child sub-accounts. No direct child sign-up. Child accounts run with kid-safe content routing and receive no marketing communications.
9. Security
We implement technical and organisational measures appropriate to the risk. No online service is perfectly secure.
10. Changes
We will update this policy when our practices change. by email and in-app banner.
11. Contact
Future Assistants Ltd · 4th Floor, Silverstream House, 45 Fitzroy Street, Fitzrovia, London W1T 6EB · privacy@futureassistants.co.uk