Thrones.Ai

AI agents for business. No code. No developers.

Channels

  • Telegram
  • WhatsApp
  • Web widget
  • Voice calls
  • Video calls

Platform

  • Features
  • Pricing

Company

  • About
  • Blog
  • Privacy policy
  • Terms of service
  • Cookie policy
  • Data Processing Agreement
  • Acceptable Use Policy

© 2026 Thrones.Ai. All rights reserved.

|
|
|
|

Privacy Policy

Last updated: 2026-04-27

This Privacy Policy explains how Thrones AI Limited ("Thrones", "we", "us", "our") collects, uses, discloses and protects personal data when you visit thrones.ai or use our platform at panel.thrones.ai (together, the "Service"). We are committed to processing personal data in accordance with the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, the EU General Data Protection Regulation ("EU GDPR") where applicable, and other applicable data protection laws.

The English version of this document is the legally binding version. In case of any discrepancy between translations, the English text prevails.

1. Who we are and how to contact us

Thrones AI Limited is a private limited company registered in England and Wales under company number 17183864, with its registered office at 128, City Road, London, EC1V 2NX, United Kingdom.

For any questions relating to data protection, or to exercise your rights, please contact privacy@thrones.ai. For general enquiries: hello@thrones.ai. Telegram: @thronesai.

We act as the data controller of the data described in this Policy, except where we act as a processor on behalf of our business customers (see section 2).

2. Scope and Thrones' two roles

Thrones is a B2B SaaS platform on which our customers (businesses) build and operate AI agents to communicate with their end users across channels including Telegram, WhatsApp, a web widget, and voice calls. Due to this architecture, we process personal data in two distinct roles.

A. Thrones as a controller

We are the controller of personal data we collect directly and whose use we determine. This covers data about visitors to thrones.ai and account owners of panel.thrones.ai (see section 3).

B. Thrones as a processor

When our business customers use the Service to communicate with their end users, they decide what data to collect, why, and for how long. Thrones processes such data strictly on their instructions. Our business customer is the controller; Thrones is the processor.

If you are an end user who interacted with an AI agent operated by a Thrones customer and you wish to exercise data protection rights (for example, to access or delete your data), please contact that customer directly: they are responsible for your data and have the tools to fulfil your request. We will assist the customer where necessary under our Data Processing Agreement.

3. Personal data we collect (as a controller)

The categories of data we collect depend on how you interact with us.

A. Website visitors (thrones.ai)

  • Technical data: IP address, device and browser type, operating system, referrer URL, pages viewed, timestamps.
  • Cookie-related data: your consent choices; where consented, analytics identifiers and interaction events; where consented, advertising identifiers. See the Cookie Policy for the full list.
  • Correspondence: if you contact us by email or on Telegram, we process your name, contact details, and the content of your message.

B. Account owners (panel.thrones.ai)

  • Account data: full name, business name, email, password hash, language and time zone.
  • Billing data: billing name and address, tax/VAT number (if provided), plan, and billing history. Full payment card details are handled directly by Stripe and are never stored in Thrones systems. Monobank payments are handled by our Ukrainian payment partner; we only receive confirmation of successful payment.
  • Credentials and tokens for third-party services you connect: WhatsApp Business API credentials, Telegram bot tokens, Google OAuth refresh tokens (Sheets and Calendar scopes), Twilio credentials for voice channels. Stored encrypted.
  • Usage data: sign-ins, workspace activity, panel actions, configuration changes, support interactions.

C. Prospects and marketing contacts

  • If you subscribe to product updates, news, or marketing emails, we process your email, name (if provided), and your preferences.
  • The legal basis is your consent, which you can withdraw at any time via the unsubscribe link in every email or by writing to privacy@thrones.ai.

4. Personal data processed on behalf of customers (as a processor)

When our business customers operate AI agents through the Service, the following categories of data flow through our platform or are stored on it on their behalf. For these data, the business customer is the controller; the legal basis, purposes and retention periods are determined by the customer's own privacy policy.

  • Conversation content: text messages, voice messages, voice call recordings, AI transcriptions, images and files exchanged between end users and AI agents (or human operators during hand-off).
  • End-user identifiers: Telegram username or user ID, WhatsApp phone number, web widget visitor ID, caller ID for voice channels, and any contact attributes the customer stores.
  • Conversation metadata: timestamps, channel type, session identifiers, customer tags, hand-off events, AI conversation summaries.

To provide the messaging, booking and callback features, contact details such as phone numbers and email addresses are necessarily processed and shared with the relevant service providers: with our AI provider (OpenAI) to understand the request and generate a reply, and with Google when you book a calendar event. We share only the data needed to deliver the feature you requested. Our AI provider does not use this content to train its models and does not retain it beyond what is needed to provide the service. We do not sell this data or use it for advertising.

WhatsApp / Meta data

For business customers using the WhatsApp channel, we process — as a processor on the customer's behalf — the content and metadata of messages exchanged between the business and the people who contact it via the WhatsApp Business Cloud API. This may include the end user's phone number, WhatsApp profile name, message text, and media they send (images, audio, documents), together with delivery metadata (timestamps, message and delivery status).

We use this data only to operate the messaging service the business configured: routing inbound messages, generating AI-assistant replies, and sending outbound messages. Message content may be sent to our AI sub-processor (OpenAI) to generate replies and, for audio, to transcribe it. We do not use WhatsApp data for advertising or to train generalised AI models, and WhatsApp access tokens are stored encrypted at rest.

Data deletion. A business can delete conversations and contacts directly from the panel, and can request full deletion of all data for its workspace by emailing privacy@thrones.ai (completed within 30 days). End users who wish to have their data deleted should contact the business they messaged (the data controller); we will assist that business in fulfilling the request.

5. How we use data and legal bases

We use personal data for the purposes listed below, relying on the legal bases shown in brackets (Article 6 UK GDPR, and EU GDPR where applicable).

  • Providing the Service to account owners: authentication, billing, support, service notifications [performance of a contract].
  • Operating and protecting thrones.ai: fraud prevention, abuse detection, network security [legitimate interests: protecting the Service and its users].
  • Improving the Service: aggregated and de-identified analysis of how the Service and our system prompts perform. Such analysis does not require identifying individual end users [legitimate interests].
  • Analytics and measuring the effectiveness of advertising on thrones.ai [your consent via the cookie banner].
  • Marketing emails and product updates for prospects [your consent; you may withdraw it at any time].
  • Transactional and service messages to account owners: invoices, Trial conversion notices, functionality changes, security alerts [performance of a contract / legitimate interests].
  • Complying with legal obligations, responding to lawful requests from authorities, and enforcing our Terms of Service [legal obligation / legitimate interests].

6. Recipients and sub-processors

We do not sell personal data. We share it only with the categories of recipients listed below, subject to appropriate contractual safeguards.

  • Cloud infrastructure — Hetzner Online GmbH (Germany): hosting of the Service. The platform's production infrastructure is in Helsinki (Finland); the thrones.ai website is in Nuremberg (Germany).
  • AI inference and voice processing — OpenAI, L.L.C. (United States): prompt processing, voice transcription via Whisper, speech synthesis and real-time voice via the OpenAI API. By default, OpenAI does not use API inputs and outputs to train its models.
  • Messaging — Meta Platforms Ireland Limited (Ireland) and/or Meta Platforms, Inc. (United States): delivery of WhatsApp Business messages via the official Cloud API.
  • Telephony — Twilio Inc. (United States) and Twilio Ireland Limited (Ireland): provisioning of numbers and routing of voice calls.
  • Productivity integrations — Google LLC / Google Ireland Limited: when Google Sheets, Google Calendar or Google Drive (file picker) integrations are enabled, data flows through Google APIs under Google's terms.
  • Payment processing — Stripe Payments Europe, Ltd. (Ireland) and Stripe, Inc. (United States): card payment processing and subscription management.
  • Alternative payments — our Ukrainian payment partner handling the Monobank integration: processes payments for customers choosing that method.
  • Analytics and advertising — Google (Ireland / United States): Google Analytics, Google Ads, Google Tag Manager — only where you consent via the cookie banner.
  • Transactional email infrastructure and support tooling — providers we use for service emails and ticket management. The current list is available on request.
  • Professional advisers, auditors and competent authorities — where necessary for legal, accounting or compliance purposes, or to respond to a lawful request.

We enter into appropriate data processing agreements with our sub-processors. The current list of sub-processors is published below and kept up to date; we give customers under a current contract advance notice of material changes. You can also request a copy at privacy@thrones.ai.

Google user data — Limited Use

When you connect Google Sheets or Google Calendar, Thrones accesses only the specific files and calendars you explicitly select (via the Google Picker) or authorise. Thrones' use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

  • We use Google user data only to provide and improve the user-facing features you enabled — i.e. letting your AI assistant read your selected spreadsheet content to answer questions, and create and manage calendar events for bookings.
  • We do not use Google user data for advertising.
  • We do not use Google user data to develop, improve or train generalised AI/ML models. Selected spreadsheet content is converted into vector embeddings solely to power your own assistant and is not used to train any third-party model.
  • We do not transfer Google user data to others except as necessary to provide these features, with your consent, for security, or to comply with applicable law.
  • We do not allow humans to read your Google user data unless we have your consent for specific files, it is necessary for security or to comply with law, or the data has been aggregated and anonymised.

Google scopes and token handling

Scopes we request: spreadsheets, calendar, drive.file (file-level access to files you pick), and your basic profile (email, name) for account linking. Google OAuth tokens are encrypted at rest (AES-256-GCM). When you disconnect an integration, we revoke the token with Google and delete the associated data.

Current list of sub-processors

  • Hetzner Online GmbH (EEA — Germany / Finland) — hosting of all Service data at rest.
  • OpenAI, L.L.C. (United States) — AI replies, transcription, real-time voice and embeddings; processes message text, images, audio and conversation history.
  • Meta Platforms Ireland Limited / Meta Platforms, Inc. (Ireland / United States) — WhatsApp Cloud API; processes phone number, messages and media.
  • Twilio Inc. / Twilio Ireland Limited (United States / Ireland) — SMS and voice calls, including recordings; processes phone number, SMS, call audio and recordings.
  • Google LLC / Google Ireland Limited (United States / Ireland) — Sheets, Calendar, Drive (file picker), Analytics / Ads; processes selected spreadsheet content and calendar events.
  • Stripe Payments Europe, Ltd. / Stripe, Inc. (Ireland / United States) — payments; processes email and payment metadata.
  • Our Ukrainian payment partner (Monobank integration) (Ukraine) — payments in UAH; processes payment metadata.
  • SMTP / Google Workspace (United States / EEA) — transactional email; processes email address, subject and body.

7. International data transfers

Personal data relating to the Service is primarily stored within the European Economic Area (Finland and Germany). Some sub-processors (see section 6) are located in the United States or otherwise transfer data outside the EEA and the United Kingdom during the provision of their services.

For such transfers we rely on appropriate safeguards recognised by UK and EU data protection law, including the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and — where applicable — the EU-US Data Privacy Framework and its UK Extension. Where those mechanisms are not available, another lawful transfer mechanism under Chapter V of the UK/EU GDPR applies.

A copy of the relevant safeguards can be requested at privacy@thrones.ai.

8. Retention periods

We retain personal data no longer than necessary for the purposes for which it was collected. The periods below apply to data for which Thrones acts as a controller; the retention of data processed on behalf of customers is determined by their configuration and instructions.

  • Active account data: for the lifetime of the account. Following account deletion, core data is deleted without delay; limited records may be retained for as long as required by tax, accounting or other law.
  • Invoices and payment records: for the period required by applicable tax and accounting law (typically up to 7 years).
  • Marketing contacts: until unsubscribe or objection, or up to 3 years of inactivity, whichever is sooner.
  • Website analytics: per the retention configured in the analytics tool (default up to 14 months).
  • Support tickets and email correspondence: up to 3 years from last contact, unless a longer period is required to resolve a dispute or claim.
  • Server and security logs: short period (typically 30–90 days) for diagnostics and security.

Retention periods for data processed on behalf of customers (for reference):

  • Active session cache: up to 5 minutes of active conversation + up to 5 minutes of buffer; the cache is then destroyed.
  • Voice call recordings in 'Recent calls' (downloadable): 3 days, after which they are automatically deleted from that panel.
  • Voice call recordings in the main history: per the period configured by the customer (default 30 days; configurable up or down), after which they are permanently deleted.
  • Conversation history in the customer's database: per the period configured by the customer, with automatic rolling deletion of older data and retention of a 'tail' for personalisation.

9. Your rights

Under the UK GDPR and EU GDPR, you have the following rights. To exercise a right, write to privacy@thrones.ai. We may ask for information to verify your identity. The response deadline is one month; for complex or bulk requests we may extend it by a further two months, notifying you within the first month.

  • Right of access — to receive confirmation that we process your personal data and obtain a copy of that data.
  • Right to rectification — to correct inaccurate data and complete incomplete data.
  • Right to erasure ("right to be forgotten") — in the cases provided for by law.
  • Right to restriction of processing — in the cases provided for by law.
  • Right to data portability — to receive your data in a structured, commonly used, machine-readable format (within 30 days of the request).
  • Right to object — to object to processing based on legitimate interests, including profiling, and to direct marketing at any time.
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
  • Right not to be subject to automated decision-making that produces legal or similarly significant effects without meaningful human involvement. Thrones does not make such decisions.

Account deletion on request. Account owners can delete workspaces, contacts, conversations and call recordings directly from the panel. For full deletion of an owner account, write to privacy@thrones.ai; we process the request within 30 days, after which all account data is deleted irretrievably, except for records the retention of which is required by law.

Complaints to supervisory authorities. If you consider that we have infringed your rights, you have the right to lodge a complaint with a supervisory authority. In the United Kingdom this is the Information Commissioner's Office (ICO) — ico.org.uk. In the EU, you may complain to the supervisory authority of your place of residence, work or alleged infringement. We would be grateful for the opportunity to address your concern first — please write to privacy@thrones.ai.

10. California residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act (together, the "CCPA") grants you the following rights in respect of personal information we process as a business: the right to know what personal information we collect and how we use it; the right to access and receive a copy; the right to correct inaccurate personal information; the right to delete; the right to opt out of "sale" or "sharing" of personal information; the right not to be discriminated against for exercising your rights.

We do not sell personal information and do not share it for cross-context behavioural advertising within the meaning given to those terms by the CCPA. To exercise your rights, write to privacy@thrones.ai. We will verify your identity through reasonably available means and respond within the timeframes set by the CCPA.

11. Security

We implement technical and organisational measures appropriate to the risks, including: encryption in transit (TLS) and at rest; access control and a role model in the panel (Owner, Admin, Agent, Channel Agent); password hashing; encryption of third-party integration tokens; data minimisation when sharing content with our AI provider and other sub-processors (we share only the data needed to deliver the requested feature); network isolation of production systems; monitoring and logging; and regular backups.

No security measure is perfect. Where we detect a personal data incident likely to result in a risk to your rights and freedoms, we will notify the supervisory authority within 72 hours where required by law, and where the risk is high, notify affected individuals without undue delay.

12. Children

The Service is not intended for individuals under 18 and we do not knowingly collect personal data of such individuals. Account owners must be at least 18 to register on panel.thrones.ai. If you become aware that we hold data of a minor, please write to privacy@thrones.ai — we will take steps to delete it.

Business customers using the Service are responsible for ensuring that communications with minors comply with applicable child protection law (including parental consent requirements). The Service is not intended for direct communications with children below the age of consent without an appropriate legal basis.

13. Cookies and similar technologies

thrones.ai uses cookies and similar technologies to operate the site, measure performance and — with your consent — for analytics and advertising. Details and preference management are covered in the Cookie Policy and via the "Cookie settings" link in the footer.

14. Changes to this Policy

We may update this Policy to reflect changes to the Service, our practices, or law. For material changes, we update the "Last updated" date at the top of the Policy and, where appropriate, notify account owners by email or in the panel. Please review this Policy periodically.

15. Contact

  • Data protection questions: privacy@thrones.ai
  • Legal and contractual matters: legal@thrones.ai
  • General enquiries: hello@thrones.ai
  • Postal address: Thrones AI Limited, 128, City Road, London, EC1V 2NX, United Kingdom.