1. Overview
This Privacy Policy explains how Ashra AI (“we”, “us”, “our”) collects, uses, shares and protects information when you visit ashraai.com, create an account, or use our Service. We are committed to handling your data lawfully, fairly, and transparently.
By using the Service, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Service.
2. Data We Collect
2.1 Account & profile data
- Name, email address, password (stored as a bcrypt hash, never plaintext)
- Workspace and business profile information you provide
- Authentication tokens and session identifiers
2.2 Customer & contact data you upload
- Leads, contacts, customer profiles, conversations, notes, tags
- Email lists imported into the Service
2.3 Usage & technical data
- IP address, browser type, device information, operating system
- Pages visited, features used, AI conversation counts, timestamps
- Performance metrics, error logs, application telemetry
2.4 Payment data
We do not store your payment card details. All payments are processed by Paddle (see Section 6). We receive only billing-related metadata: customer ID, subscription status, last 4 digits of payment method, country, and invoice references.
2.5 Communications
- Emails, support messages and chat transcripts you send to us
- Survey responses, feedback, in-product comments
3. How We Use Data
We process personal data for the following purposes:
- Provide the Service — authenticate you, deliver features, run AI agents on your behalf;
- Billing & subscriptions — manage your plan, renewals, invoices and refunds (via Paddle);
- Communications — send transactional emails (welcome, login codes, purchase confirmations, password resets) and, with your consent, marketing emails;
- Improve the Service — analytics, debugging, performance optimization, security monitoring;
- Comply with the law — respond to legal requests, prevent fraud, enforce our Terms.
Legal basis (GDPR): performance of the contract with you, our legitimate interests in operating and improving the Service, your consent (for marketing communications), and compliance with legal obligations.
5. AI Data Handling
When you use AI features (Hunter, Closer, Recovery, Strategist, Forge), your prompts and the relevant workspace context are sent to third-party AI model providers (currently OpenAI, with future expansion to Anthropic and Google) for processing.
- Outputs are returned to your workspace and stored alongside the original prompt.
- We do not use your customer data to train third-party AI models.
- OpenAI's API terms confirm that API content is not used to train their models.
- Anonymous, aggregated usage statistics may be used to improve the Service.
6. Payments (Paddle)
Subscriptions are processed by Paddle.com Market Ltd (“Paddle”), our Merchant of Record. Paddle is responsible for:
- collecting and storing your payment information (card, PayPal, etc.);
- calculating and remitting sales tax, VAT, GST in your jurisdiction;
- issuing invoices and processing refunds;
- fraud prevention and PCI-DSS compliance.
We share only the minimum information required to set up your subscription (email, plan, workspace ID). For Paddle's data handling, see Paddle's Privacy Policy.
7. Emails (Resend)
Transactional and marketing emails are delivered through Resend (Resend Inc.). Resend processes recipient email addresses, subject lines, message bodies and delivery metadata (delivered, opened, bounced, complained) to send and report on emails on our behalf.
You may unsubscribe from marketing emails at any time using the unsubscribe link in any message footer or by emailing privacy@ashraai.com. Transactional messages (login codes, purchase receipts, password resets) are necessary to operate the Service and cannot be turned off while you remain a subscriber.
9. Security
We implement administrative, technical and physical safeguards designed to protect your data, including:
- Encrypted connections (HTTPS/TLS) for all traffic;
- Passwords stored as bcrypt hashes;
- JWT-based session management with short expiry;
- Database access restricted to authorized personnel and services;
- Per-workspace data isolation in all queries;
- Regular security audits and dependency updates.
No method of transmission or storage is 100% secure. You are responsible for keeping your account credentials safe.
10. Data Retention
- Account data: retained while your account is active.
- Customer / contact data: retained for as long as your account exists; deleted within 30 days of account closure unless legally required to retain.
- Email logs & audit logs: retained 90 days (TTL).
- Billing records (Paddle): retained per Paddle's policy and applicable tax law (typically 7 years).
- Backups: rolling 30-day window, then permanently deleted.
11. Your Rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you;
- Correct inaccurate or incomplete data;
- Delete your data (subject to legal retention requirements);
- Export a copy of your data in a portable format;
- Restrict or object to certain processing;
- Withdraw consent for marketing communications at any time;
- Lodge a complaint with your local data protection authority.
To exercise any of these rights, contact privacy@ashraai.com. We respond within 30 days.
11.1 California residents (CCPA/CPRA)
California residents have the right to know what categories of personal information we collect, the right to delete, the right to opt out of the “sale” or “sharing” of personal information (we do neither), and the right not to be discriminated against for exercising these rights.
12. International Data Transfers
Ashra AI is operated from the United States. By using the Service, you consent to your data being transferred to and processed in the United States and other jurisdictions where our sub-processors operate. We rely on Standard Contractual Clauses (SCCs) and equivalent safeguards for transfers from the European Economic Area, United Kingdom and Switzerland.
13. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, please contact privacy@ashraai.com and we will delete it.
14. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page indicates when the latest version was published. For material changes we will provide at least thirty (30) days' notice before changes take effect.
15. Contact
Questions about this Privacy Policy or your data:
- Privacy: privacy@ashraai.com
- Legal: legal@ashraai.com
- Support: support@ashraai.com