Gasta AI — Terms of Service

Effective Date

January 2026

Jurisdiction

Northern Ireland / UK

Governing Law

England and Wales

Please read these Terms of Service carefully before using the Gasta AI mobile application and associated services (collectively, the "Service"). By creating an account or using the Service, you agree to be bound by these terms.

1. Who We Are

Gasta AI is operated by Gasta AI, based in Northern Ireland, United Kingdom. References to "we", "us", or "our" mean Gasta AI. References to "you" or "your" mean the business owner or individual using the Service.

2. Description of Service

The Gasta AI application provides the following services to small businesses and sole traders:

  • Tier 1 — Missed Call Auto-Text: Automatically sends a customisable SMS to callers when their call goes unanswered.
  • Tier 2 — AI SMS Chatbot: Uses artificial intelligence to respond to inbound text messages on behalf of your business.
  • Tier 3 — AI Voice Receptionist: Answers inbound calls using AI, conducts natural voice conversations, and books appointments into your calendar.

3. Eligibility

You must be at least 18 years of age to use the Service. By using the Service, you confirm that you are using it for legitimate business purposes and that you have the legal authority to enter into this agreement on behalf of yourself or your business.

4. Subscriptions and Payment

  • The Service is offered on a monthly subscription basis at the following rates: Tier 1 — £20/month; Tier 2 — £50/month; Tier 3 — £100/month.
  • All prices are inclusive of applicable VAT where required.
  • Payments are processed securely by Stripe. We do not store your payment card details.
  • Subscriptions renew automatically each month unless cancelled before the renewal date.
  • You may upgrade or downgrade your plan at any time. Changes take effect at the next billing cycle.
  • We reserve the right to change pricing with 30 days written notice to your registered email address.

5. Cancellation and Refunds

  • You may cancel your subscription at any time through the app. Cancellation takes effect at the end of the current billing period.
  • We do not offer refunds for partial months of service.
  • Upon cancellation, your account and data will be retained for 30 days before permanent deletion, giving you time to export any information you need.

6. Your Responsibilities

By using the Service, you agree that you will:

  • Comply with all applicable laws and regulations, including the UK Privacy and Electronic Communications Regulations (PECR) and UK GDPR.
  • Ensure that any use of the AI features complies with relevant telecommunications laws and regulations.
  • Not use the Service to send unsolicited marketing messages (spam).
  • Inform your customers that calls may be answered or recorded by an AI system where required by law.
  • Keep your account credentials secure and notify us immediately of any unauthorised access.
  • Ensure the information you provide about your business is accurate and up to date.

7. AI Behaviour and Limitations

  • Our AI is designed to act as a professional receptionist but may occasionally make errors or misunderstand callers.
  • The AI will not claim to be human if directly asked by a caller.
  • You are responsible for reviewing AI interactions and ensuring they meet your business standards.
  • We are not liable for any business loss resulting from AI errors, miscommunication, or incorrect information provided to callers.
  • We reserve the right to update the AI model at any time to improve performance.

8. Twilio Phone Numbers

  • Phone numbers provisioned through the Service are provided by Twilio Inc. and are subject to their terms of service.
  • Numbers are allocated to your account for use with this Service only.
  • We reserve the right to reclaim numbers that are not actively in use.
  • Number availability cannot be guaranteed in all regions.

9. Intellectual Property

All rights in the Gasta AI application, including code, design, branding, and content, are owned by Gasta AI. You are granted a limited, non-exclusive, non-transferable licence to use the Service for your business purposes only. You may not copy, modify, distribute, or reverse engineer any part of the Service.

10. Data and Privacy

Your use of the Service is also governed by our Privacy Policy, which is incorporated into these Terms by reference. By using the Service, you consent to the processing of data as described in the Privacy Policy.

11. Limitation of Liability

To the fullest extent permitted by law:

  • We provide the Service on an "as is" basis without warranties of any kind.
  • We are not liable for any indirect, incidental, or consequential losses arising from your use of the Service.
  • Our total liability to you in any 12-month period shall not exceed the total fees you paid to us in that period.
  • Nothing in these Terms excludes liability for death or personal injury caused by our negligence, or for fraud or fraudulent misrepresentation.

12. Termination

We reserve the right to suspend or terminate your account if you breach these Terms, engage in illegal activity, or use the Service in a way that could harm us, other users, or third parties. We will provide reasonable notice where possible, except in cases of serious breach.

13. Changes to These Terms

We may update these Terms from time to time. We will notify you of significant changes by email or in-app notification at least 14 days before they take effect. Continued use of the Service after that date constitutes acceptance of the updated Terms.

14. Governing Law and Disputes

These Terms are governed by the laws of England and Wales. Any disputes arising from these Terms shall be subject to the exclusive jurisdiction of the courts of England and Wales. If you are a consumer based in Northern Ireland, you may also have rights under Northern Irish law.

15. Contact Us

If you have any questions about these Terms, please contact us at:

Email: support@gasta.ai

Website: https://gasta.ai

Company: Gasta AI

Address: Northern Ireland, United Kingdom


16. Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Gasta AI ("we", "us", "our", or "Processor") and you, the business owner ("you", "your", or "Controller"). It sets out the terms on which we process personal data on your behalf, as required by Article 28 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Where there is any conflict between this DPA and the remainder of these Terms, this DPA shall prevail in respect of data protection matters.

16.1 Nature and Purpose of Processing

Gasta AI acts as a data processor on your behalf for the following purposes:

  • Receiving and routing inbound telephone calls to your business telephone number provisioned through Twilio.
  • Automatically sending SMS replies to callers who reach you outside of business hours or when their call goes unanswered (Tier 1).
  • Conducting AI-powered SMS conversations with your customers in response to inbound text messages, including answering questions about your services and booking appointments (Tier 2).
  • Answering inbound calls using a voice AI, engaging callers in natural conversation, collecting booking details, and logging call outcomes (Tier 3).
  • Storing call logs, message records, and booking records in your account for your review and management.
  • Applying automated data retention rules to delete or redact personal data in accordance with our retention policy and your instructions.

The processing is carried out solely for the purpose of providing the Service to you and shall not be used for any other purpose without your prior written instruction.

16.2 Types of Personal Data Processed

The following categories of personal data belonging to your customers may be processed:

  • Caller telephone numbers (in E.164 format, e.g. +447700900123).
  • Caller names, where provided by the caller or inferred by the AI during a call.
  • The content of voice calls, including transcriptions and summaries generated by the AI.
  • The content of SMS messages sent to or from your Twilio number.
  • Booking details, including the caller's name, telephone number, requested service, preferred date and time, and any notes provided during the call.
  • Call metadata, including call timestamps, call duration, call status (answered, missed, busy), and whether an auto-reply was sent.
  • Session data created during Tier 3 voice calls, including the conversation history between the caller and the AI.

No special category data (as defined in Article 9 UK GDPR) is intentionally collected. You must not configure the Service in a way that causes callers to disclose special category data. If you become aware that such data has been collected, notify us immediately so that it can be deleted. The data subjects whose personal data is processed are your customers and other individuals who contact your business telephone number.

16.3 Obligations of Gasta AI as Data Processor

As data processor, Gasta AI shall:

  • Process personal data only on your documented instructions, including those set out in these Terms, and notify you if we believe any instruction infringes UK GDPR or other applicable data protection law.
  • Ensure that all personnel with access to personal data are bound by appropriate confidentiality obligations.
  • Implement and maintain appropriate technical and organisational security measures as described in clause 16.5.
  • Assist you in responding to data subject rights requests (see clause 16.8) within the timeframes required by UK GDPR.
  • Assist you in ensuring compliance with your obligations under Articles 32 to 36 UK GDPR, including in relation to security, data protection impact assessments (DPIAs), and prior consultation with the Information Commissioner's Office (ICO).
  • Notify you without undue delay — and in any event within 72 hours of becoming aware — of any personal data breach affecting data processed on your behalf, in accordance with clause 16.7.
  • At your election, delete or return all personal data at the end of the service relationship and delete existing copies, unless retention is required by applicable law.
  • Make available to you all information reasonably necessary to demonstrate compliance with this DPA and cooperate with any audits or inspections you or a regulator conduct, subject to reasonable advance notice.
  • Apply the automated data retention policy described in our Privacy Policy, which anonymises or deletes personal data after 90 days unless you instruct otherwise.

16.4 Obligations of the Business as Data Controller

As data controller, you are responsible for:

  • Ensuring that you have a valid lawful basis under UK GDPR for processing your customers' personal data via the Service (for example, legitimate interests or contractual necessity).
  • Providing all legally required privacy information to your customers — including that their calls may be answered or recorded by an AI system — in your own privacy notices and through appropriate disclosures before or at the time of the call.
  • Ensuring the Service is used only in accordance with applicable law, including the UK Privacy and Electronic Communications Regulations (PECR).
  • Not instructing us to process personal data in a way that would cause us to breach UK GDPR or any other applicable law.
  • Handling data subject rights requests (see clause 16.8) received directly from your customers.
  • Promptly forwarding to us any data subject rights request that requires us to retrieve, restrict, or delete data we hold on your behalf.
  • Carrying out a Data Protection Impact Assessment (DPIA) where required by UK GDPR before using the Service for any high-risk processing activities.
  • Registering with the Information Commissioner's Office (ICO) as a data controller where required and paying the applicable data protection fee.

16.5 Security Measures

Gasta AI implements appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, alteration, or disclosure. These include:

  • Encryption in transit: all data transmitted between the mobile app, the backend server, and third-party sub-processors is encrypted using TLS 1.2 or higher.
  • Encryption at rest: personal data stored in the database is held on Railway's managed infrastructure, which encrypts data at rest.
  • Access controls: access to the production database and admin dashboard is restricted to authorised personnel, protected by strong credentials and, where available, multi-factor authentication.
  • Least privilege: application components are granted only the minimum database permissions required for their function.
  • Data minimisation: the Service collects only the personal data necessary to provide the requested functionality.
  • Automated retention: voice transcripts are cleared, SMS message bodies are redacted, and caller names are anonymised after 90 days. Blocked calendar slots are deleted after one year. Applied automatically by a nightly scheduled job.
  • Phone number hashing: the compliance log for erasure requests stores a SHA-256 hash of the phone number rather than the number itself, ensuring the log cannot be used to re-identify a data subject.
  • Separation of customer data: each business account's data is logically separated in the database using business ID references.
  • Vulnerability management: dependencies are reviewed and updated regularly to address known security vulnerabilities.

16.6 Sub-Processors

You provide general written authorisation for Gasta AI to engage the sub-processors listed below. We will inform you of any intended changes to this list (additions or replacements) with at least 14 days' notice, giving you the opportunity to object before the change takes effect.

Twilio Inc. | Data centre location: United States

Purpose: Provision and management of UK telephone numbers; delivery and receipt of SMS messages; routing of inbound voice calls.

Privacy/DPA reference: twilio.com/legal/privacy

Anthropic, PBC | Data centre location: United States

Purpose: AI language model inference — processing call transcripts and SMS messages to generate natural language responses and extract booking details on your behalf.

Privacy/DPA reference: anthropic.com/privacy

Stripe, Inc. | Data centre location: United States

Purpose: Payment processing and subscription management. Stripe processes payment card data directly; we do not receive or store your customers' card details.

Privacy/DPA reference: stripe.com/gb/privacy

Railway Corporation | Data centre location: United States

Purpose: Managed cloud hosting of the Gasta AI backend server and PostgreSQL database, including encrypted-at-rest storage of all customer personal data.

Privacy/DPA reference: railway.app/legal/privacy

Each sub-processor is contractually bound by data protection obligations at least equivalent to those in this DPA. Where sub-processors are located outside the UK, appropriate safeguards are in place for international data transfers, including Standard Contractual Clauses or equivalent mechanisms approved by the Information Commissioner's Office.

16.7 Data Breach Notification

In the event of a personal data breach affecting data processed on your behalf, Gasta AI will:

  • Notify you without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
  • Provide you with sufficient information to allow you to meet your own notification obligations to the ICO and, where required, to affected data subjects.
  • Include in our notification (to the extent known at the time): a description of the nature of the breach; the categories and approximate number of data subjects and records affected; the likely consequences; and the measures taken or proposed to address the breach and prevent recurrence.
  • Cooperate with you in investigating the breach and take all reasonable steps to mitigate its effects.
  • Not make any public statement or notify data subjects or regulators about the breach without your prior written consent, unless required to do so by law.

You are responsible for assessing whether a breach requires notification to the ICO (within 72 hours of becoming aware, where feasible) and to affected data subjects. Gasta AI will provide all reasonable assistance in making these assessments and in preparing required notifications.

16.8 Rights of Data Subjects and How to Handle Requests

Under UK GDPR, your customers have the following rights in respect of their personal data processed through the Service:

  • Right of access (Article 15): The right to obtain a copy of the personal data held about them.
  • Right to rectification (Article 16): The right to have inaccurate personal data corrected.
  • Right to erasure — "right to be forgotten" (Article 17): The right to have personal data permanently deleted where one of the Article 17 grounds applies.
  • Right to restriction of processing (Article 18): The right to request that processing is restricted while a complaint or challenge is pending.
  • Right to data portability (Article 20): The right to receive personal data in a structured, commonly used, machine-readable format.
  • Right to object (Article 21): The right to object to processing carried out on the basis of legitimate interests.
  • Rights in relation to automated decision-making (Article 22): The right not to be subject to solely automated decisions that produce significant legal or similarly significant effects.

Where a data subject contacts Gasta AI directly with a rights request, we will:

  • Forward the request to you within 5 business days, as you are the data controller responsible for responding.
  • Assist you in fulfilling the request by retrieving, restricting, correcting, or deleting the relevant data from our systems as you instruct.
  • Not respond to the data subject on your behalf without your written authorisation, unless required to do so by law.

Gasta AI provides a Data Subject Rights tool within the admin dashboard that enables you to search for all personal data held for a specific telephone number and permanently erase it across all data tables (calls, messages, bookings, and voice sessions). Each erasure is recorded in a compliance log that stores a cryptographic hash of the phone number — not the number itself — the date and time of erasure, the number of records deleted in each category, and any ticket reference you provide. This log is accessible at any time from the admin dashboard. You must respond to data subject rights requests within one calendar month of receipt. This may be extended by a further two months for complex or numerous requests, provided you inform the data subject of the extension and the reason within the first month.

16.9 Duration and Termination of this DPA

This DPA remains in force for the duration of the subscription and terminates automatically on the termination or expiry of the Terms of Service. On termination:

  • We will retain your account data for 30 days to allow you to export any information you require.
  • After 30 days, all personal data associated with your account will be permanently deleted from our systems and those of our sub-processors, except where retention is required by applicable law (for example, financial records required for tax or regulatory compliance).
  • On written request made within 6 months of termination, we will provide written confirmation that deletion has been completed.