01 Privacy policy

This policy explains what personal data Riley Technologies Ltd (“Riley”, “we”) collects, why we collect it, and what we do with it. It applies to our website, dashboard, and the calls Riley handles on behalf of garages.

Who is the controller of what

For garage account holders (you signed up to use Riley), we are the data controller. For callers ringing your garage, the garage is the controller and we are the processor — we only handle that data on the garage's instructions, governed by the Data Processing Agreement.

1.1 What we collect

Category | Examples | Lawful basis (UK GDPR Art. 6)
Account data | Name, email, password hash, garage name & address, billing details | Contract (Art. 6(1)(b))
Call data | Caller phone number, call audio, transcript, structured booking outcome | Legitimate interests / Contract with the garage
Vehicle data | Registration plate, make, model, year, MOT due date (via DVLA) | Legitimate interests (operating the booking)
Booking data | Booking time, service type, vehicle, notes, status (in-app diary) | Contract
Usage data | Dashboard logins, page views, feature usage, IP, browser | Legitimate interests (security & product improvement)
Communications | Support emails, in-app messages | Legitimate interests / Consent (marketing only)

1.2 Where the data lives

All personal data is stored in the United Kingdom and the European Economic Area. Our primary infrastructure runs on Supabase (Frankfurt, EU) and Cloudflare (UK edge). Call audio is processed by Retell and Twilio in EU-West regions. We do not transfer personal data outside the UK/EEA except where stated below under subprocessors, and only ever under appropriate safeguards (UK IDTA or EU SCCs with the UK Addendum).

1.3 How long we keep it

  • Account data — for as long as you have a Riley account, plus 6 years for tax records (Companies Act).
  • Call audio recordings — 30 days by default. You can shorten this to 7 days, extend to 1 year, or disable recording entirely from your dashboard.
  • Call transcripts & bookings — 12 months (so you can resolve disputes).
  • Caller phone numbers — for as long as the linked booking exists in the workshop diary, then deleted within 30 days.
  • Logs & analytics — 90 days, then aggregated and anonymised.
  • Backups — encrypted, 35 days rolling, then overwritten.

1.4 Who we share with (subprocessors)

Subprocessor | Purpose | Location
Supabase | Database, auth, object storage | Frankfurt, DE (EEA)
Retell | Real-time voice AI orchestration | EU-West / UK
Twilio Ireland Ltd | Telephony & SMS | Dublin, IE (EEA)
OpenAI Ireland Ltd | Language model inference (UK/EU endpoint, zero-retention) | Dublin, IE (EEA)
Cloudflare | CDN, DDoS protection | UK / global edge
Stripe Payments UK Ltd | Subscription billing | London, UK
Sentry | Error monitoring (PII scrubbed) | EU region

We don't sell your data. We don't share it with advertisers. We don't use call audio to train third-party AI models — our LLM provider is contracted on zero-retention terms.

1.5 How we secure it

  • TLS 1.3 in transit; AES-256 at rest.
  • OAuth refresh tokens encrypted in Supabase Vault — never stored in plaintext.
  • Row-Level Security on every multi-tenant table — provably tested in our CI pipeline.
  • Mandatory 2FA on all engineering accounts. SSO with hardware keys.
  • Annual penetration test by an external CHECK-certified firm.
  • Incident response: notification to affected controllers within 24 hours of becoming aware.

1.6 Call recording disclosure

Riley plays a short audio notice to every caller at the start of every call: “This call is being answered by an automated booking line and may be recorded for booking and training purposes.” Recording is enabled per-garage and can be disabled. Where a caller objects to recording, Riley will continue without storing audio (transcripts may still be retained — see retention above).

02 Terms of service

These terms form a contract between Riley Technologies Ltd (company no. 15904201, registered in England & Wales) and you, the garage subscribing to the service. By creating an account or clicking I agree, you accept them.

2.1 The service

Riley provides an AI-powered call-handling service that answers inbound phone calls, conducts a natural-language conversation with the caller, and (where appropriate) records bookings in the Riley dashboard's workshop diary. Service availability target: 99.5% monthly uptime, measured on a rolling 30-day window, excluding planned maintenance.

2.2 Your account

  • You must be 18+ and authorised to bind your business.
  • You're responsible for the accuracy of the configuration you provide (services, prices, working hours, exclusions).
  • You're responsible for keeping your login credentials secret.
  • You must not share an account between unrelated businesses — each garage location needs its own subscription.

2.3 Acceptable use

You agree not to:

  • Use Riley to handle calls for businesses other than the garage(s) listed on your account.
  • Use Riley to make outbound calls of any kind (the service is inbound-only).
  • Attempt to reverse-engineer, scrape transcripts in bulk, or extract our prompts/models.
  • Use Riley in a way that breaches Ofcom rules, PECR, or any other UK communications law.
  • Knowingly cause Riley to give callers misleading prices or commitments you cannot honour.

2.4 Pricing & payment

  • Billed monthly in advance via Stripe. First charge after the 14-day free trial unless cancelled.
  • Answered minutes over your plan allowance are billed in arrears at the per-minute rate shown on the pricing page at the time of use.
  • Prices exclude UK VAT, which is added where applicable.
  • We may change pricing with 30 days' notice; existing renewal cycles complete at the old price.

2.5 Cancellation & data export

You can cancel from your dashboard at any time. Your subscription ends at the close of the current billing period. For 30 days after cancellation you can export call transcripts, bookings, and audio recordings as CSV/JSON/MP3. After 30 days, all your data is permanently deleted from production systems within 14 days, and from encrypted backups within 35 days.

2.6 Liability

Riley is a booking assistant, not a replacement for human judgment on safety-critical advice. We don't accept liability for the diagnostic or repair decisions you make on the basis of a call Riley handled.

To the extent permitted by law, our total aggregate liability under these terms in any 12-month period is capped at the fees you paid in that period. Nothing in these terms limits liability for death or personal injury caused by negligence, fraud, or anything else that cannot lawfully be limited under UK law.

2.7 Termination by us

We may suspend or terminate the service immediately if you breach these terms (acceptable use, non-payment after 14 days' grace), or if continued provision would expose us to legal risk. We'll give you 30 days to export your data unless ordered otherwise by a court or regulator.

2.8 Governing law

These terms are governed by the laws of England & Wales and subject to the exclusive jurisdiction of the English courts.

03 Data processing agreement

Where you (the garage) decide why and how Riley processes personal data about your callers, you are the controller and Riley is the processor. This DPA is incorporated into our Terms of Service and forms a contract between you and us under Article 28 of the UK GDPR.

3.1 Scope & duration

Subject matter | Processing call audio, transcripts, caller phone numbers, vehicle registration data and booking metadata to operate the Riley service for your garage.
Duration | For the duration of the subscription, plus the 30-day export window.
Nature & purpose | Receiving calls, transcribing speech, generating responses, recording bookings in the workshop diary, sending SMS confirmations.
Data subjects | Members of the public who telephone your garage.
Categories of data | Identification (name, phone number), vehicle data, scheduling preferences. No special-category data is intentionally collected; if a caller volunteers health/disability information relevant to access, we treat it as ordinary personal data and rely on the garage's lawful basis.

3.2 Riley's processor obligations

We will:

  • Process personal data only on your documented instructions (the configuration you supply via the dashboard, and these terms).
  • Ensure persons authorised to process data are bound by confidentiality.
  • Implement appropriate technical and organisational measures (TOMs) — see §1.5.
  • Assist you in responding to data subject rights requests (access, deletion, rectification, portability).
  • Notify you without undue delay (and in any event within 24 hours) on becoming aware of a personal data breach affecting your callers' data.
  • Delete or return all caller data at end of service, per §2.5.
  • Make available all information necessary to demonstrate compliance, and submit to audits on reasonable notice (we will provide our most recent independent audit report at no cost; on-site audits are at the requester's cost).

3.3 Subprocessors

You give general written authorisation for Riley to engage the subprocessors listed in §1.4. We will give you at least 30 days' notice of any addition or replacement via email and a banner in your dashboard. You may object on reasonable data-protection grounds; if we can't resolve the objection, you may terminate the subscription and receive a pro-rata refund.

3.4 International transfers

Where a subprocessor processes personal data outside the UK or EEA, that transfer is governed by the UK International Data Transfer Addendum (IDTA) to the EU Standard Contractual Clauses, and supplementary technical measures (encryption, pseudonymisation) where appropriate.

3.5 Liability under this DPA

Liability under this DPA is subject to the cap in §2.6, save for liability that cannot lawfully be limited (including liability to a data subject under UK GDPR Art. 82).

04 Cookie policy

Riley uses a deliberately small number of cookies. We don't run advertising trackers and we don't share cookie data with third parties for marketing purposes.

Cookie | Purpose | Type | Lifetime
riley_session | Keeps you logged into the dashboard. | Strictly necessary | 7 days
riley_csrf | Prevents cross-site request forgery on form submissions. | Strictly necessary | Session
riley_prefs | Remembers your dashboard layout preferences (e.g. dark mode). | Functional | 1 year
_plausible | Privacy-friendly page-view analytics. No personal data, no cross-site tracking. | Analytics | 1 day

Strictly necessary cookies are set without consent (you can't use the dashboard without them). Functional and analytics cookies are only set if you consent via our cookie banner, which you can revisit at any time from the footer link.

05 Your data rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erase your data (“right to be forgotten”), subject to legal retention obligations.
  • Restrict or object to processing based on legitimate interests.
  • Portability — receive your data in a structured, machine-readable format.
  • Withdraw consent at any time, where consent is the basis.
  • Not be subject to fully automated decisions producing legal or similarly significant effects (Riley does not make such decisions; a booking is an offer, not a binding commitment, and any human in your garage can override it).

If you are a caller who spoke to Riley on a garage's line, please contact that garage in the first instance — they're the controller of your data. We'll help them respond within the statutory one-month window.

If you are a Riley account holder, email privacy@rileyai.co.uk or use the data-rights form in the dashboard. We aim to respond within 7 days.

Your right to complain

You have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) if you believe we've handled your data badly. We'd ask you to come to us first, but you don't have to.

06 Contact & complaints

Riley Technologies Ltd
Registered in England & Wales · Company No. 15904201
Registered office: 8 Princess Street, Manchester M2 4DF
ICO registration: ZA984221

General enquiries: hello@rileyai.co.uk
Privacy & data: privacy@rileyai.co.uk
Security disclosures: security@rileyai.co.uk

We don't have a formal Data Protection Officer requirement (we don't conduct large-scale processing of special-category data), but our privacy contact above is the senior person accountable for data protection at Riley.