Privacy Policy
Last updated: 24 February 2026
1. Introduction
AM:PM Media LTD (“we”, “us”, or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect personal data when you use the : Impact platform (“Service”).
We are the data controller for the personal data we process in connection with the Service. For lead data you upload or capture through the Service, you are the data controller and we act as your data processor.
2. Data We Collect
2.1 Account Data
When your account is created, we collect:
- Full name
- Email address
- Phone number (optional)
- Business/organisation name
- Password (securely hashed)
2.2 Lead Data
Through your use of the Service, you may capture and store lead data including:
- Names, email addresses, and phone numbers of your leads/prospects
- Lead source and marketing attribution data (UTM parameters)
- Conversation history (SMS, email, WhatsApp, social media)
- Appointment and scheduling information
- Payment status and amounts
- AI-generated qualification scores and summaries
2.3 Usage Data
We automatically collect:
- IP address and browser information
- Pages visited and features used
- Timestamps of access and actions
2.4 Integration Data
When you connect third-party services (Meta Ads, Calendly, Cal.com, Stripe, Xero, etc.), we store OAuth access tokens (encrypted using AES-256-GCM) and account identifiers necessary to maintain the connection.
3. How We Use Your Data
We use personal data for the following purposes:
- Providing the Service — managing your account, processing leads, sending notifications
- AI Processing — qualifying leads using AI (Anthropic Claude). Lead data is sent to the AI model for scoring and summarisation. Anthropic does not use this data for model training.
- Communications — sending transactional emails (via Resend), SMS (via Twilio), and WhatsApp notifications (via Meta Cloud API)
- Reporting — generating performance reports and analytics for your organisation
- Security — detecting and preventing fraud, abuse, and unauthorised access
- Improvement — analysing usage patterns to improve the Service
4. Legal Basis for Processing
Under the UK GDPR, we process personal data on the following legal bases:
- Contract — processing necessary to perform our agreement with you
- Legitimate interests — improving our Service, preventing fraud, ensuring security
- Consent — where you have given explicit consent (e.g., connecting third-party integrations)
- Legal obligation — where processing is required by law
5. Third-Party Services
We share data with the following categories of third-party services to operate the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase (US/EU) | Database & authentication | All account and lead data |
| Vercel (US) | Hosting & deployment | Request logs, IP addresses |
| Anthropic (US) | AI lead qualification | Lead names, contact info, notes |
| Resend (US) | Email delivery | Email addresses, email content |
| Meta (US) | WhatsApp notifications, ad data | Phone numbers, lead names |
| Twilio (US) | SMS messaging | Phone numbers, message content |
| Trigger.dev (EU) | Background job processing | Lead IDs, task payloads |
| Stripe (US) | Payment processing | Payment amounts, customer references |
6. Data Retention
We retain your account data for as long as your account is active. Lead data is retained for the duration of your subscription. Upon account termination, we will delete or anonymise your data within 90 days, unless we are required to retain it by law.
You may request deletion of your data at any time by contacting us at hello@mediampm.com.
7. Data Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption of data in transit (TLS/HTTPS) and sensitive data at rest (AES-256-GCM for OAuth tokens)
- Row-Level Security (RLS) in our database to ensure organisation-level data isolation
- Authentication via Supabase Auth with secure session management
- HMAC signature verification on webhook endpoints
- Regular security reviews of our codebase
8. International Data Transfers
Some of our third-party providers are based in the United States. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or adequacy decisions by the UK government.
9. Your Rights
Under the UK GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate data
- Erasure — request deletion of your data (“right to be forgotten”)
- Restriction — request we limit processing of your data
- Portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interests
- Withdraw consent — where processing is based on consent
To exercise any of these rights, contact us at hello@mediampm.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
10. Cookies
The Service uses essential cookies for authentication and session management. These cookies are strictly necessary for the Service to function and cannot be disabled. We do not use tracking or advertising cookies.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. The “Last updated” date at the top indicates the most recent revision.
12. Contact Us
For any questions about this Privacy Policy or our data practices, please contact us:
AM:PM Media LTD
Email: hello@mediampm.com