Privacy Policy

Last updated: April 2026

1. What We Collect

We collect and process the following data to provide the Service:

  • Account data: email address and hashed password for authentication
  • Organization data: organization name, member list, roles
  • Message data: inbound and outbound messages processed through connected channels, including text content, timestamps, and platform metadata
  • Contact data: phone numbers, social media IDs, and display names of people who message your organization
  • Knowledge base: documents you upload for AI retrieval (PDFs, text files)
  • Usage data: API token consumption, feature usage, analytics aggregates

2. How We Use Your Data

  • To process and deliver messages between your organization and your customers
  • To generate AI replies using your configured system prompt and knowledge base
  • To provide analytics, sentiment analysis, and conversation insights
  • To send notifications about new messages or escalations
  • To improve Service reliability and performance (aggregated, anonymized data only)

3. Data Storage and Security

All data is stored in your organization's Supabase project with the following protections:

  • Row Level Security (RLS): every database table carries RLS policies, so a user's queries can only return rows belonging to their own organization, regardless of the query they send
  • Encryption at rest (credentials): provider API keys (OpenAI, Meta, Twilio) are encrypted with AES-256-GCM before they are written to the database. The encryption key is stored separately from the database, so a copy of the database alone cannot recover the keys
  • Encryption in transit: all connections use TLS 1.2+
  • Optional conversation encryption: per-conversation AES-256-GCM encryption with derived keys, available for organizations in sensitive industries
  • Webhook signature verification: every inbound webhook request from Meta carries an HMAC-SHA256 signature over the request body; the signature is verified before the payload is processed, and requests with a missing or invalid signature are rejected

4. Third-Party Services

The Service integrates with the following third-party providers. Your data may be processed by them according to their respective privacy policies:

  • Supabase: database hosting, authentication, file storage
  • OpenAI: AI reply generation and embeddings (using your BYOK API key)
  • Meta (WhatsApp, Instagram, Messenger): message delivery
  • Twilio: SMS delivery (if configured)
  • Vercel: application hosting

5. Data Retention

Message data is retained for as long as your organization exists on the platform. You can delete individual contacts and their messages at any time using the GDPR tools in your organization settings. When an organization is deleted, all associated data is permanently removed within 30 days.

6. Your Rights (GDPR)

If you or your contacts are in the EU/EEA, you have the right to:

  • Access: request a copy of all data we hold about a contact
  • Rectification: correct inaccurate personal data
  • Erasure: request deletion of a contact's data (right to be forgotten)
  • Portability: export data in CSV format
  • Restriction: limit how we process specific data

These rights can be exercised through the GDPR tools at Settings → GDPR & Privacy in your organization dashboard. Export and deletion requests are processed immediately.

7. Cookies

We use essential cookies only for authentication session management (Supabase Auth). We do not use tracking cookies, analytics cookies, or advertising cookies.

8. Children's Privacy

The Service is not directed at individuals under 16. We do not knowingly collect personal data from children.

9. Changes to This Policy

We may update this policy to reflect changes in our practices or legal requirements. We will notify you of material changes via the Service.

10. Contact

For privacy-related questions or requests, contact the platform administrator of your organization or reach out to us through the support channels listed in your dashboard.