Privacy Policy

1. Data Controller

The data controller responsible for your personal data is:

Where we process data on behalf of our Customers (e.g., End User messages), we act as a data processor. The Customer is the data controller for that data, and processing is governed by our Data Processing Agreement (DPA).

2. Information We Collect

2.1 Information You Provide Directly

• Account Information: Name, email address, phone number, company name, job title, and billing address when you register for an account.
• Payment Information: Credit card details, billing address, and tax identification numbers. Payment processing is handled by PCI DSS-compliant third-party providers; we do not store full credit card numbers.
• Communications: Content of emails, support tickets, live chat messages, and feedback you send to us.
• Profile Information: Avatar, timezone, language preferences, and notification settings.

2.2 Information Collected Automatically

• Usage Data: Pages visited, features used, clicks, session duration, referring URLs, and interaction patterns within the Platform.
• Device Information: IP address, browser type and version, operating system, device type, screen resolution, and language settings.
• Log Data: Server logs including access times, error logs, API call records, and security event logs.
• Cookies & Tracking Technologies: We use cookies, local storage, pixels, and similar technologies as described in our Cookie Policy.

2.3 Information from Third Parties

• Third-Party Channel Data: When you connect messaging channels (WhatsApp, Telegram, Instagram, Facebook Messenger, etc.), we receive profile information and message content from those platforms as authorized by you and in accordance with their respective APIs and terms.
• Integration Partners: Data from CRM, e-commerce, and other third-party tools you connect (e.g., Shopify, HubSpot, Salesforce, Zapier).
• Analytics Providers: Aggregated data from Google Analytics, Yandex Metrica, and similar services.

2.4 Customer Data (Processed on Behalf of Customers)

When Customers use the Platform to communicate with their End Users, we process:

• End User names, phone numbers, email addresses, and messaging identifiers.
• Message content, attachments, and conversation metadata.
• Chatbot interaction logs and automation workflow data.
• Broadcast campaign delivery and engagement data.

We process this data solely as instructed by the Customer (as data processor) and in accordance with our DPA.

3. How We Use Your Information

3.1 To Provide & Improve the Services

• Operate, maintain, and deliver the Platform features.
• Process transactions and send billing notifications.
• Provide customer support and respond to inquiries.
• Analyze usage patterns to improve product functionality and user experience.
• Develop new features and services.

3.2 To Communicate with You

• Send service-related notices (maintenance, security alerts, policy updates).
• Send marketing communications (with your consent, where required by law).
• Respond to your requests, questions, and feedback.

3.3 For Safety & Security

• Detect, prevent, and address fraud, abuse, and security threats.
• Enforce our Terms of Service and Acceptable Use Policy.
• Monitor for violations of Third-Party Channel policies.

3.4 For Legal Compliance

• Comply with applicable laws, regulations, and legal processes.
• Respond to lawful requests from government authorities.
• Establish, exercise, or defend legal claims.

4. Legal Bases for Processing (GDPR)

For individuals in the European Economic Area (EEA), United Kingdom, and similar jurisdictions, we rely on the following legal bases:

• Contract Performance: Processing necessary to provide the Services you requested (Article 6(1)(b) GDPR).
• Legitimate Interests: Processing necessary for our legitimate business interests, such as fraud prevention, product improvement, and direct marketing to existing customers (Article 6(1)(f) GDPR).
• Consent: Where you have given explicit consent, such as for marketing emails or non-essential cookies (Article 6(1)(a) GDPR).
• Legal Obligation: Processing necessary to comply with legal requirements (Article 6(1)(c) GDPR).

5. How We Share Your Information

We do not sell your personal data. We share information only in the following circumstances:

5.1 Service Providers & Sub-Processors

We engage trusted third parties to perform services on our behalf, including:

• Cloud Infrastructure: Hosting, storage, and compute services.
• Payment Processing: Secure payment handling by PCI DSS-compliant providers.
• Analytics: Usage analytics and performance monitoring.
• Email Delivery: Transactional and marketing email services.
• Customer Support: Help desk and ticketing tools.

All sub-processors are bound by data processing agreements and are required to maintain appropriate security measures.

5.2 Third-Party Channel Providers

When you use channel integrations, we share data with the respective channel providers (e.g., Meta/Facebook, Telegram, etc.) as necessary to deliver messages and operate the integrations. This sharing is governed by each provider’s terms and privacy policies.

5.3 Legal Requirements

We may disclose personal data if required by law, subpoena, court order, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

5.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred as part of the transaction. We will notify you of any such transfer and any changes to this Privacy Policy.

6. International Data Transfers

Your data may be processed in countries other than your country of residence, including the United Arab Emirates, the European Union, and the United States. Where we transfer data outside the EEA/UK, we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Adequacy decisions where applicable.
• Other legally recognized transfer mechanisms.

You may request a copy of the relevant transfer safeguards by contacting [email protected].

7. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this policy:

• Account Data: Retained for the duration of your account plus 30 days after deletion to allow recovery.
• Customer Data (messages, contacts): Retained during the active subscription and deleted within 30 days of account termination, unless a longer retention period is requested by the Customer.
• Billing Records: Retained for 7 years as required by applicable tax and accounting laws.
• Log Data: Retained for up to 12 months for security and debugging purposes.
• Marketing Consent Records: Retained for 3 years after consent withdrawal for compliance documentation.

When data is no longer needed, it is securely deleted or anonymized.

8. Data Security

We implement comprehensive technical and organizational measures to protect your data:

• Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest.
• Infrastructure: SOC 2 Type II compliant cloud hosting with redundancy across multiple availability zones.
• Access Controls: Role-based access, multi-factor authentication for internal systems, and least-privilege principles.
• Monitoring: 24/7 security monitoring, intrusion detection, and automated alerting.
• Testing: Regular penetration testing, vulnerability scanning, and code security reviews.
• Incident Response: Documented incident response procedures with notification to affected parties within 72 hours of discovering a breach (as required by GDPR).

More details are available in our Security Policy.

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

9.1 Rights Under GDPR (EEA/UK)

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete data.
• Erasure: Request deletion of your data (“right to be forgotten”).
• Restriction: Request restriction of processing in certain circumstances.
• Portability: Receive your data in a structured, machine-readable format.
• Objection: Object to processing based on legitimate interests or for direct marketing.
• Withdraw Consent: Withdraw previously given consent at any time.
• Complaint: Lodge a complaint with your local data protection authority.

9.2 Rights Under CCPA/CPRA (California)

• Right to know what personal information is collected and how it is used.
• Right to delete personal information.
• Right to opt-out of the sale or sharing of personal information (we do not sell personal data).
• Right to non-discrimination for exercising your rights.
• Right to correct inaccurate personal information.
• Right to limit use of sensitive personal information.

9.3 Exercising Your Rights

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days (or the applicable statutory period). We may verify your identity before processing your request.

10. Cookies & Tracking Technologies

We use cookies and similar technologies to:

• Ensure the website functions correctly (essential cookies).
• Remember your preferences and settings (functional cookies).
• Analyze website traffic and usage patterns (analytics cookies).
• Deliver relevant marketing content (advertising cookies, with consent).

You can manage cookie preferences through your browser settings. For full details, please see our Cookie Policy.

11. Children’s Privacy

The Services are not directed to children under the age of 16 (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete it promptly. If you believe a child has provided us with personal data, please contact us at [email protected].

12. Third-Party Links & Integrations

The Services may contain links to third-party websites, services, or integrations. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal data. This includes, but is not limited to, messaging channel providers (Meta/WhatsApp, Telegram, etc.), CRM integrations, and analytics services.

13. Meta Platform Data

When you use our integrations with Meta products (WhatsApp Business API, Facebook Messenger, Instagram), the following applies:

• We access and process data from Meta platforms only as authorized by you and in compliance with Meta Platform Terms.
• Data received from Meta APIs is used solely to provide the messaging services you have configured.
• We do not use Meta platform data for independent advertising, data brokering, or purposes unrelated to the Services.
• We comply with Meta’s data deletion requirements and will delete Meta-sourced data upon request or when access is revoked.
• Our use of information received from Meta APIs adheres to the Meta Developer Policies.

14. Do Not Track Signals

Some browsers transmit “Do Not Track” (DNT) signals. There is currently no industry standard for responding to DNT signals. We do not currently alter our data collection practices in response to DNT signals, but we respect your cookie preferences as described in Section 10.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. Material changes will be communicated via email or an in-platform notification at least 30 days before they take effect. The “Last Updated” date at the top of this page indicates when the policy was last revised. Your continued use of the Services after the effective date constitutes acceptance of the updated policy.

16. Contact Us