Privacy Policy

1. Information We Collect

Account information: Name, email address, and authentication credentials (or Google OAuth profile). Each user belongs to an organization (Tenant) with a role assignment.

Customer data: Messages, contact profiles (name, email, phone), conversation history, and metadata received through connected channels (LINE, Messenger, Instagram, WhatsApp, Email, Web Chat, Shopline).

Knowledge base: Articles and documents you upload for AI training, including generated text embeddings stored as vectors.

Configuration: AI settings (system prompts, skills, model preferences), channel credentials, integration tokens, and MCP server configurations.

2. How We Use Information

We use your information to: provide the Service (receiving, routing, and sending messages across channels); process AI auto-replies by sending conversation context and knowledge base content to your chosen LLM provider; manage your account and team access; generate text embeddings for knowledge base search; and improve the Service's reliability and performance.

3. Data Sharing with Third Parties

LLM providers (OpenAI, Anthropic): When AI auto-reply is enabled, conversation messages, system prompts, skill instructions, and relevant knowledge base articles are sent to your chosen provider via your own API key. We do not share your API key with any other party.

Messaging platforms: Messages are sent and received through LINE, Meta (Instagram, Messenger), WhatsApp, and other connected channels via their official APIs. Each platform processes data according to their own privacy policies.

E-commerce platforms: When Shopify or Shopline integrations are connected, order and customer data is accessed via their APIs to enable AI-assisted order inquiries.

Error monitoring: We use Sentry for error tracking, which may include technical context (stack traces, request metadata). User identification may be included in error reports to diagnose issues.

4. Data Isolation and Security

All data is isolated per organization (Tenant). Users in one organization cannot access data from another. This isolation is enforced at the application layer through middleware and query filtering. Data is stored in PostgreSQL with connections encrypted in transit. Session data is stored server-side in Redis. Webhook endpoints verify signatures to prevent unauthorized access.

5. Cookies and Sessions

We use essential cookies for authentication and session management. Session data (including language preferences and wizard state) is stored server-side in Redis, not in the browser. We use CSRF protection tokens to prevent cross-site request forgery. We do not use tracking cookies or third-party analytics.

6. AI Data Processing

When AI auto-reply is active, the following data is sent to your LLM provider: the customer's message and recent conversation history; your system prompt and applicable skill instructions; relevant knowledge base articles matched by semantic search. AI can be controlled at three levels: globally, per-channel, and per-conversation. You can disable AI processing at any level at any time. AI responses are stored as messages in your conversation history.

7. Data Retention

We retain your data for as long as your account is active. Conversations and contacts are retained indefinitely unless you delete them. Upon account termination, data is retained for 30 days for potential export, then permanently deleted. Knowledge base embeddings are deleted when their source articles are removed.

8. Your Rights

You have the right to: access all data stored about your organization through the dashboard; correct or update your personal and organization information; delete individual conversations, contacts, or knowledge articles; request complete account deletion by contacting support; withdraw consent for AI processing by disabling auto-reply.

9. Changes to This Policy

We may update this privacy policy to reflect changes in our practices or legal requirements. We will notify you of significant changes through the Service. Continued use after changes constitutes acceptance of the updated policy.

10. Contact

If you have questions about this policy or wish to exercise your data rights, please contact us through the platform or email us at [email protected].