Privacy Policy for Clients

Last Updated: December 2025

1. Introduction

This Privacy Policy ("Policy") describes how our company ("we," "us," "our," or "Company") collects, uses, stores, and protects personal data and business information from our clients ("you," "Client," or "your"). This Policy applies to client companies that use our AI-powered messaging integration service.

For information about how the data of end users (the people who send messages to your business accounts) is handled, please refer to your own privacy policy or ours as provided separately.

2. Applicable Law

This Privacy Policy is governed by the laws of the Republic of Kazakhstan, including the Law "On Personal Data and Its Protection" (No. 1488-VI ZRK dated December 21, 2013). If your operations extend to the European Union, our service also complies with the General Data Protection Regulation (GDPR).

3. What Data We Collect

3.1 Account and Authentication Data

When you register for our Service, we collect:

  • Company Information: Company name, contact email, phone number
  • Account Credentials: Username, encrypted password
  • Billing Information: Invoice address, payment details (processed securely)
  • Contact Person: Name and email of authorized representatives

3.2 Messaging Platform Connection Data

To integrate your messaging platforms, we collect and store:

  • WhatsApp Web Session: Connection data from WhatsApp Web QR code authentication (session tokens, phone number associated with the account)
  • Instagram OAuth Data: Access tokens obtained through Facebook's OAuth login flow when you authenticate your Instagram business account
  • Platform Metadata: Information about connected messaging accounts (account IDs, usernames, profile information visible on the platform)

Important: We do NOT collect API credentials or keys directly. Connection is handled through secure OAuth protocols and WhatsApp Web sessions.

3.3 Business Data

We collect and store:

  • Chat History: Conversation threads and message content from connected messaging platforms
  • Contact Information: Phone numbers, names, and profile information of your business contacts as stored in the connected platforms
  • Configuration Data: Automation rules, response templates, AI settings, and workflow configurations you set up
  • Usage Data: Logs of API calls, message counts, and service usage metrics for billing purposes

3.4 What We Do NOT Collect

We do not actively collect:

  • Your internal business data beyond what's necessary for the Service
  • Financial information beyond billing (we don't store full credit card details)
  • Location data or device information
  • Browser cookies or tracking pixels for client tracking

4. How We Use Your Data

4.1 Primary Purposes

We process your personal data for:

  1. Service Delivery: To provide, maintain, and improve the AI messaging integration service
  2. Account Management: To manage your account, authentication, and access
  3. Billing and Invoicing: To process payments and maintain financial records
  4. Technical Support: To assist you with setup, troubleshooting, and maintenance
  5. Legal Compliance: To comply with applicable laws and regulations in Kazakhstan
  6. Security: To protect against fraud, abuse, and unauthorized access

4.2 What We Do NOT Use Your Data For

We do not use your data for:

  • Marketing or advertising purposes without your explicit consent
  • Profiling or behavioral analysis
  • Selling or sharing your data with third parties
  • Creating secondary products or services based on your data
  • Any purpose beyond providing the Service to you

5. Data Storage and Security

5.1 Storage Location

All client data is stored on our own servers located in Kazakhstan. We do not store your data in multiple geographic locations unless you specifically request otherwise.

5.2 Data Retention

We retain your data for as long as necessary to:

  1. Provide the Service (while your account is active)
  2. Fulfill contractual obligations
  3. Comply with legal requirements

Upon account termination, we retain your data for 90 days before deletion, unless legal obligations require longer retention.

5.3 Security Measures

We implement the following security measures:

  • Encryption: Data is transmitted using HTTPS/TLS encryption
  • Access Control: Only authorized company personnel (myself and company employees) have access to your data
  • Server Security: Firewalls, intrusion detection, and regular security monitoring
  • Authentication: Secure login mechanisms and session management
  • Regular Audits: Periodic security reviews and vulnerability assessments

5.4 Limitations

While we employ industry-standard security measures, no system is completely secure. We cannot guarantee absolute protection against all threats.

6. Data Sharing

6.1 Who Has Access to Your Data

Your data is accessible only to:

  • You (the client account owner)
  • Authorized representatives you designate
  • Authorized employees of our Company with strict confidentiality obligations
  • Our support team (only when necessary to assist you)

6.2 Third-Party Services

We do NOT share your data with third parties, except:

  • OpenAI: Message content is transmitted to OpenAI's API for AI processing (as necessary to provide the Service). See our separate notice regarding OpenAI processing.
  • Messaging Platforms: Your authentication sessions connect directly to WhatsApp's and Instagram's servers for message routing
  • ChatWoot: Message data is processed through ChatWoot's systems as part of Service delivery
  • Legal Requirements: If required by law, court order, or governmental authority in Kazakhstan

6.3 No Data Sales

We do not sell, rent, or trade your personal or business data under any circumstances.

7. Your Rights

Under Kazakhstan law and GDPR (if applicable), you have the following rights:

7.1 Right to Access

You have the right to request and receive a copy of all personal data we hold about you and your company.

7.2 Right to Rectification

You have the right to correct inaccurate, incomplete, or outdated personal data.

7.3 Right to Erasure

You have the right to request deletion of your personal data, subject to legal retention requirements and active service obligations.

7.4 Right to Restrict Processing

You have the right to request that we limit how we process your data for specific purposes.

7.5 Right to Data Portability

You have the right to receive your data in a structured, machine-readable format and to transmit it to another service provider.

7.6 Right to Object

You have the right to object to certain types of data processing.

7.7 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

We will respond to requests within 30 days.

8. Data Processing Agreement

If your operations are subject to GDPR or other data protection regulations, we can provide a separate Data Processing Agreement (DPA) that defines our roles and obligations as a data processor. Please request this separately.

9. International Data Transfers

Your data may be transferred to and processed outside of Kazakhstan only when:

  • Necessary for service delivery (e.g., OpenAI API processing in the US)
  • You have explicitly authorized such transfer
  • Appropriate safeguards are in place

We ensure that transfers comply with applicable data protection laws.

10. Children and Minors

Our Service is intended for business use by adults. We do not knowingly collect personal information from individuals under 18. If we become aware that we have collected such information, we will take immediate steps to delete it.

11. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. The "Last Updated" date at the top indicates the last revision.

Significant changes will be communicated to you via email at least 30 days before they take effect. Continued use of the Service after changes constitutes acceptance of the updated policy.

12. Contact Information

For questions, requests, or concerns regarding this Privacy Policy or our data handling practices:

Data Protection Contact:

13. Dispute Resolution

If you have a complaint regarding our handling of your personal data, you have the right to lodge a complaint with the competent data protection authority in Kazakhstan or your country of residence.

We encourage you to contact us first to attempt to resolve the issue informally.


This Privacy Policy is provided for informational purposes. For legal implementation, we recommend having this reviewed by legal counsel in Kazakhstan.