Privacy Policy
Last updated: February 2026
1. Introduction & Scope
Ashoon ("Ashoon," "we," "our," or "us") operates the Ashoon platform accessible at ashoon.com (the "Platform"). Ashoon is an AI-powered customer messaging automation platform that enables businesses to automate and manage customer conversations across Instagram Direct Messages, Facebook Messenger, and embeddable website chat widgets (collectively, the "Service").
This Privacy Policy explains how we collect, use, disclose, store, and protect personal information when you:
- Visit our website or marketing pages
- Create an account and use the Ashoon platform as a business customer ("Customer" or "User")
- Interact with a website chat widget powered by Ashoon as an end user ("Widget Visitor")
- Send or receive messages through social media channels connected to Ashoon ("End User")
- Contact us for support or other inquiries
By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use the Service.
2. Definitions
For the purposes of this Privacy Policy, the following terms have the meanings set out below:
- "Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to name, email address, IP address, online identifiers, and any data that can be used directly or indirectly to identify an individual.
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
- "Data Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
- "Data Processor" means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Data Controller.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is being processed.
- "Customer" means a business or individual who creates an Ashoon account and uses the Service to manage customer messaging.
- "End User" means any individual who communicates with a Customer through messaging channels (Instagram, Facebook, or website chat widgets) that are connected to the Ashoon platform.
- "Widget Visitor" means any individual who interacts with a website chat widget powered by Ashoon on a Customer's website.
- "Sub-processor" means any third-party Data Processor engaged by Ashoon to process Personal Data on behalf of the Customer.
3. Information We Collect
We collect information in several ways depending on how you interact with our Service. Below is a detailed breakdown of the categories of data we collect.
3.1 Account Information
When you create an account using Google OAuth, we collect:
- Full name
- Email address
- Profile picture URL
- Google account identifier
- Account creation and last login timestamps
3.2 Social Media Data
When you connect your Instagram Business Account or Facebook Page, we receive access to:
- Instagram and/or Facebook profile information (username, display name, profile picture, page ID)
- Direct messages and Messenger conversations (sent and received)
- Media files shared in conversations (images, videos, audio, stickers)
- Business account metadata (account type, follower count, category)
- Page access tokens (encrypted and stored securely)
- Conversation participant information (names, profile pictures, user IDs)
- Message timestamps, read receipts, and delivery status
This data is collected via Meta's Graph API and Webhooks in accordance with Meta's Platform Terms and Developer Policies. We only access the data necessary to provide the Service, and access is limited to the permissions you explicitly grant.
3.3 Website Chat Widget Data
When a visitor interacts with an Ashoon-powered chat widget embedded on a Customer's website, we may collect:
- Name and email address (if voluntarily provided by the visitor)
- Chat messages and conversation history
- IP address
- Browser type and version
- Operating system
- Referring URL and page URL where the widget is displayed
- Session identifiers and duration
- Device type (desktop, mobile, tablet)
- Language and locale preferences
3.4 Knowledge Base Data
Customers may upload content to train and customize AI responses, including:
- Documents (PDFs, Word documents, text files)
- Frequently asked questions and answers
- Product catalogs and pricing information
- Business descriptions, policies, and operational information
- Custom response templates and conversation flows
- Links to web pages for content extraction
3.5 Usage Data
We automatically collect certain information when you use the Service:
- Log data (access times, pages viewed, features used, actions taken)
- Device information (hardware model, operating system, unique device identifiers)
- IP address and approximate geolocation (city/country level)
- Browser type, version, and language preferences
- Referring and exit URLs
- Click-stream data and interaction patterns
- Error logs and performance data
- Feature usage statistics and preferences
3.6 Cookies and Tracking Technologies
We use cookies, web beacons, pixels, and similar tracking technologies to collect information about your browsing activity and to distinguish you from other users. See Section 15 (Cookies Policy) for detailed information.
3.7 Payment Information
Payment information (credit card numbers, billing addresses, and other financial data) is collected and processed directly by our third-party payment processor, Stripe. We do not store full credit card numbers or sensitive payment data on our servers. We may receive and store limited payment-related information such as the last four digits of your card number, card brand, billing country, expiration date, and transaction history for record-keeping and support purposes.
4. Legal Bases for Processing (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your Personal Data based on the following legal grounds under the General Data Protection Regulation (GDPR):
4.1 Performance of a Contract
Processing is necessary to perform our contractual obligations to you, including providing the Service, managing your account, processing payments, delivering AI-powered messaging automation, and providing customer support.
4.2 Consent
We process your Personal Data where you have given us explicit consent to do so for specific purposes, such as receiving marketing communications, enabling optional analytics, or connecting third-party social media accounts. You may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
4.3 Legitimate Interests
Processing is necessary for our legitimate interests, provided those interests are not overridden by your rights and freedoms. Our legitimate interests include:
- Improving and optimizing the Service
- Ensuring network and information security
- Preventing fraud and abuse
- Analyzing usage patterns to enhance user experience
- Conducting business analytics and reporting
- Enforcing our Terms of Service
4.4 Legal Obligation
Processing is necessary to comply with our legal obligations, including tax reporting, responding to lawful requests from public authorities (e.g., law enforcement or regulatory agencies), and complying with applicable data protection laws.
4.5 Legal Basis Mapped Per Data Category
The following table maps each category of data we process to its primary legal basis:
| Data Category | Legal Basis |
|---|---|
| Account data | Contract performance |
| Conversation data (Customers) | Contract performance |
| Conversation data (End Users) | Legitimate interest (processing for service delivery) |
| Widget visitor data | Legitimate interest; Consent (where required by ePrivacy) |
| Knowledge base data | Contract performance |
| Usage and analytics data | Legitimate interest |
| Payment data | Contract performance; Legal obligation |
| Marketing communications | Consent |
| Security logs | Legitimate interest |
5. How We Use Your Information
We use the information we collect for the following purposes:
5.1 Service Delivery
- Providing, operating, and maintaining the Ashoon platform
- Processing and routing messages between Customers and End Users
- Generating AI-powered responses to customer inquiries
- Managing social media integrations and webhook connections
- Storing and indexing knowledge base content for AI retrieval
5.2 Account Management
- Creating and managing your user account
- Authenticating your identity and managing sessions
- Processing subscription payments and billing
- Communicating service-related notifications (e.g., plan changes, downtime alerts)
5.3 Improvement & Analytics
- Analyzing usage patterns to improve features and user experience
- Monitoring Service performance, reliability, and uptime
- Conducting aggregate statistical analysis (non-identifying)
- Developing new features and capabilities
5.4 Security & Compliance
- Detecting, preventing, and investigating fraud, abuse, or security incidents
- Enforcing our Terms of Service and other policies
- Complying with applicable laws, regulations, and legal processes
- Responding to lawful requests from law enforcement or regulatory authorities
5.5 Communication
- Sending service notifications, updates, and administrative messages
- Providing customer support and responding to inquiries
- Sending marketing communications (only with your consent, with easy opt-out)
6. Sensitive and Special Category Data
Conversations processed through the Service may incidentally contain sensitive data, such as information about health, financial circumstances, religious beliefs, or other special categories of personal data as defined under GDPR Article 9.
Ashoon does not intentionally collect special category data under GDPR Article 9. We do not request, require, or prompt End Users or Widget Visitors to provide sensitive personal information through the Service.
Customers are responsible for ensuring they have an appropriate legal basis for any sensitive data that may be processed through the Service, including obtaining explicit consent from Data Subjects where required by applicable law.
Ashoon processes such data only as a Data Processor acting on the Customer's instructions and in accordance with our Data Processing Agreement. We recommend that Customers implement appropriate safeguards and provide clear notice to their End Users regarding the handling of sensitive information.
7. AI Data Processing
Ashoon uses artificial intelligence to generate automated responses to customer messages. This section provides transparency about how AI processes data within the Service.
7.1 How AI Processes Messages
When a message is received from an End User, the following data may be sent to our AI providers (currently OpenAI and/or Anthropic) via their APIs to generate a response:
- The content of the incoming message
- Relevant conversation history for context
- Relevant knowledge base content retrieved for the query
- System instructions and conversation parameters set by the Customer
7.2 AI Provider Data Usage
We use AI provider APIs with data privacy protections enabled. Specifically:
- Your data is NOT used to train OpenAI's or Anthropic's general-purpose models
- We use OpenAI and Anthropic API endpoints configured with zero-data-retention. Conversation data sent to AI providers is processed in real-time and is not stored by the AI provider beyond the duration of the API request. AI providers may retain data for up to 30 days solely for abuse and safety monitoring, as described in their respective data processing agreements.
- We have Data Processing Agreements in place with our AI sub-processors
7.3 AI Processing Logs Retention
AI processing logs, including prompts and completions, are deleted from our systems within 30 days. AI provider retention of request data is limited to up to 30 days for abuse monitoring purposes, in accordance with provider terms and our Data Processing Agreements.
7.4 Automated Decision-Making and Profiling
The Service uses automated processing to generate responses to End User messages. While our AI features assist in generating responses, Customers retain full control over their automated messaging configuration and are responsible for ensuring that automated responses do not produce unintended legal effects or significantly affect End Users. We recommend that Customers configure human escalation rules for sensitive topics including refunds, complaints, legal matters, and health-related inquiries.
- Automated messaging is limited to customer service conversation automation
- It can be overridden by the Customer through manual intervention (live takeover) at any time
- It is subject to the Customer's configured rules, boundaries, and instructions
Under GDPR Article 22, Data Subjects have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect them. If you believe an automated decision has significantly affected you, please contact us or the relevant Customer.
7.5 AI Hallucinations and Data Accuracy
AI systems may occasionally generate inaccurate information, including incorrect statements about real individuals (commonly known as "hallucinations"). Under GDPR Article 5(1)(d), we are committed to data accuracy. If you become aware that our AI has generated inaccurate personal data, please contact us immediately so we can take corrective action.
7.6 AI Bias Monitoring
AI systems may produce outputs that reflect biases present in their training data. We monitor our AI integrations for potential bias and discriminatory outputs. If you observe biased or discriminatory responses, please report them to us immediately. We are committed to compliance with emerging AI regulations including the EU AI Act.
7.7 AI-Generated Responses Disclaimer
AI-generated responses are produced by machine learning models and may occasionally be inaccurate, incomplete, or inappropriate. Ashoon does not guarantee the accuracy of AI-generated content. Customers are responsible for configuring, monitoring, and supervising AI responses sent on their behalf. End Users should be aware that they may be interacting with an AI-powered system and should contact the business directly for critical matters.
8. Data Sharing, Third Parties & Sub-processors
We do NOT sell, rent, or trade your Personal Data to third parties for their marketing purposes. We share Personal Data only in the following circumstances and with the following categories of recipients:
8.1 Named Sub-processors
The following table lists our sub-processors, their purpose, and the country where data is processed:
| Sub-processor | Purpose | Country |
|---|---|---|
| OpenAI (GPT API) | AI response generation | United States |
| Anthropic (Claude API) | AI response generation | United States |
| Meta Platforms (Instagram Graph API, Messenger API) | Social media integration | United States |
| Google (OAuth 2.0) | Authentication | United States |
| Stripe | Payment processing | United States |
| Cloud infrastructure provider | Cloud hosting and data storage | Germany / United States |
| Sentry | Error monitoring and crash reporting | United States |
| PostHog | Product analytics | European Union |
The specific cloud infrastructure provider is identified on our sub-processor page. A complete, up-to-date list of sub-processors is available upon request by contacting us at .
8.2 AI Processing Providers
OpenAI and Anthropic: Message content, conversation context, and knowledge base excerpts are sent to these providers via API to generate AI responses. These providers act as sub-processors under our Data Processing Agreements and do not use your data for model training.
8.3 Social Media Platforms
Meta (Instagram and Facebook): We exchange messaging data with Meta's platform APIs to send and receive messages on your behalf. Data shared includes message content, media attachments, and recipient identifiers. Meta's own privacy policy governs how Meta processes this data on their platform.
8.4 Authentication Providers
Google: We use Google OAuth for user authentication. Google receives authentication requests and provides us with your basic profile information (name, email, profile picture) upon your consent.
8.5 Payment Processors
Stripe: Stripe handles all payment transactions. They receive your payment details directly and are PCI-DSS compliant. We do not have access to your full credit card number.
8.6 Analytics Providers
PostHog: We use PostHog for product analytics to understand how users interact with our Service. PostHog may collect pseudonymized usage data, IP addresses (which may be anonymized), and browsing behavior.
8.7 Error Tracking
Sentry: We use Sentry for error monitoring and crash reporting. Sentry may receive technical data such as stack traces, device information, IP addresses, and request metadata to help us identify and fix software bugs.
8.8 Other Disclosures
We may also disclose your information: (a) to comply with applicable laws, regulations, or legal processes (e.g., court orders, subpoenas); (b) to enforce our Terms of Service or other agreements; (c) to protect the rights, property, or safety of Ashoon, our Customers, or others; (d) in connection with a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, in which case you will be notified of any change in ownership or control of your Personal Data; or (e) with your explicit consent.
9. Meta Platform-Specific Disclosures
Because Ashoon integrates with Meta Platforms (Instagram and Facebook), the following additional disclosures apply:
9.1 Meta Data Deletion Callback
We implement Meta's data deletion callback mechanism. When Meta sends a data deletion request, we process it within the timeframes required by Meta's Platform Policy. This ensures that if a user removes our app from their Meta account, their associated data is deleted from our systems in compliance with Meta's requirements.
9.2 Meta Limited Data Use (LDU)
For California users whose data is received via Meta integrations, we comply with Meta's Limited Data Use (LDU) requirements. We process data received from Meta in accordance with applicable privacy laws and Meta's Platform Terms.
9.3 Meta Webhook Data
Data received via Meta webhooks (message events, read receipts, delivery confirmations) is processed and stored in accordance with this Privacy Policy and Meta's Platform Terms. We only retain Meta-sourced data for as long as necessary to provide the Service and in compliance with Meta's data retention requirements.
10. International Data Transfers
Your data may be transferred to and processed in the United States and Germany. These countries may have data protection laws that differ from the laws of your jurisdiction.
When we transfer Personal Data from the European Economic Area (EEA), the United Kingdom, or Switzerland to countries that have not been deemed to provide an adequate level of data protection, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs): We use European Commission-approved Standard Contractual Clauses as the primary mechanism for cross-border data transfers. These clauses impose contractual obligations on the data importer to protect your data.
- Adequacy Decisions: Where applicable, we transfer data to countries that the European Commission has recognized as providing an adequate level of data protection.
- Supplementary Measures: Where required, we implement additional technical and organizational measures (such as encryption and access controls) to ensure the transferred data receives an equivalent level of protection.
You may request a copy of the relevant safeguards by contacting us at the email address provided in Section 24.
11. Data Retention
We retain your Personal Data only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law. The specific retention periods depend on the type of data:
- Account Data: Retained for the duration of your account plus 30 days after account deletion to allow for recovery.
- Conversation and Message Data: Retained for the duration of the Customer's account. Customers may delete individual conversations at any time. Upon account deletion, all conversation data is deleted within 30 days.
- Knowledge Base Data: Retained for the duration of the Customer's account. Deleted within 30 days of account deletion or upon Customer request.
- Widget Visitor Data: Retained for the duration of the associated Customer's account. Session-level data (IP address, browser info) is retained for up to 90 days.
- Usage and Log Data: Retained for up to 12 months for analytics and security purposes, then anonymized or deleted.
- Payment Records: Retained for up to 7 years as required by applicable tax and financial regulations.
- Error Logs and Crash Reports: Retained for up to 90 days.
- Marketing Consent Records: Retained for 3 years after the last interaction or until consent is withdrawn.
- AI Processing Logs (Prompts and Completions): Deleted from our systems within 30 days. AI provider retention: up to 30 days for abuse monitoring per provider terms.
Upon account deletion, we will delete or anonymize your Personal Data within 30 days, except where retention is required by law (e.g., tax records, legal disputes) or legitimate business purposes (e.g., fraud prevention). Backups containing your data may persist for up to 90 days before being overwritten through our regular backup rotation cycle.
12. Data Security
We implement appropriate technical and organizational measures to protect your Personal Data against unauthorized access, alteration, disclosure, destruction, or accidental loss. Our security commitments include:
12.1 Encryption
- Data encrypted in transit using TLS 1.2 or higher
- Data encrypted at rest using AES-256 encryption
- Social media access tokens are encrypted before storage
- Database connections are encrypted
12.2 Access Controls
- Role-based access controls following the principle of least privilege
- Multi-factor authentication required for all employee access to production systems
- Regular review and revocation of access credentials
12.3 Infrastructure Security
- Regular security assessments and vulnerability scanning
- Automated security monitoring and alerting
- Network segmentation and firewall protection
- Regular patching and software updates
- Secure software development lifecycle (SDLC) practices
12.4 Organizational Measures
- Employee security awareness training
- Confidentiality agreements with all personnel
- Incident response plan tested and updated annually
- Regular backup procedures with tested recovery processes
While we strive to use commercially acceptable means to protect your Personal Data, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.
13. Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) as required by GDPR Article 35 for processing activities that are likely to result in a high risk to data subjects, including our AI-powered automated messaging features. These assessments evaluate the necessity and proportionality of the processing, the risks to data subjects, and the measures we implement to mitigate those risks. If you have questions about our DPIAs, please contact our Data Protection Officer at .
14. Your Rights
Depending on your location and applicable laws, you may have the following rights regarding your Personal Data. To exercise any of these rights, please contact us using the information in Section 24.
14.1 Rights Under GDPR (European Economic Area, UK, Switzerland)
If you are located in the EEA, UK, or Switzerland, you have the following rights under the General Data Protection Regulation:
- Right of Access: You have the right to request a copy of the Personal Data we hold about you.
- Right to Rectification: You have the right to request correction of inaccurate or incomplete Personal Data.
- Right to Erasure ("Right to be Forgotten"): You have the right to request deletion of your Personal Data under certain circumstances.
- Right to Restriction of Processing: You have the right to request that we restrict the processing of your Personal Data under certain circumstances.
- Right to Data Portability: You have the right to receive your Personal Data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
- Right to Object: You have the right to object to the processing of your Personal Data based on legitimate interests or for direct marketing purposes.
- Right Regarding Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
- Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
14.2 Rights Under CCPA/CPRA (California, United States)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know: You have the right to request information about the categories and specific pieces of Personal Data we have collected, the categories of sources, the purposes for collection, and the categories of third parties with whom we share it.
- Right to Delete: You have the right to request the deletion of your Personal Data, subject to certain exceptions.
- Right to Opt-Out of Sale/Sharing: You have the right to opt out of the "sale" or "sharing" of your Personal Data. We do not sell your Personal Data.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
- Right to Correct: You have the right to request correction of inaccurate Personal Data.
- Right to Limit Use of Sensitive Personal Information: You have the right to limit the use and disclosure of sensitive Personal Data to purposes necessary for providing the Service.
Do Not Sell or Share
We do not sell or share your personal information for cross-context behavioral advertising as defined under the California Consumer Privacy Act. If you wish to exercise your rights under CCPA, including the right to opt-out, please contact us at .
Financial Incentives
We do not offer financial incentives, price differences, or service differences in exchange for the retention, sale, or sharing of personal information.
Authorized Agent
California residents may designate an authorized agent to submit privacy requests on their behalf. To do so, provide a signed written authorization or power of attorney. We may verify both the identity of the authorized agent and the California resident on whose behalf the request is made.
14.3 Rights Under Other US State Privacy Laws
If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, or other states with comprehensive consumer privacy laws, you may have similar rights, including:
- Right to access, correct, and delete your Personal Data
- Right to data portability
- Right to opt out of targeted advertising, sale of Personal Data, and certain profiling
- Right to appeal our decision regarding your privacy request
14.4 How to Exercise Your Rights
To exercise any of the rights described above, you may:
- Email us at
- Use the data management tools available in your account settings
- Submit a request through our contact page
We will respond to your request within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request. If we deny your request, we will explain the reasons and inform you of your right to appeal.
15. Cookies Policy
We use cookies and similar tracking technologies to enhance your experience on our Service. This section explains the types of cookies we use and your choices regarding them.
We comply with the EU ePrivacy Directive (Directive 2002/58/EC) and the UK Privacy and Electronic Communications Regulations (PECR) with respect to electronic communications and the use of cookies and similar technologies.
15.1 Essential Cookies
These cookies are strictly necessary for the operation of the Service. They include session cookies for authentication, CSRF protection tokens, and cookies that remember your privacy preferences. These cookies cannot be disabled without affecting the functionality of the Service.
15.2 Functional Cookies
These cookies enable enhanced functionality and personalization, such as remembering your language preferences, display settings, and recently accessed features. If you disable these cookies, some features may not function properly.
15.3 Analytics Cookies
These cookies help us understand how users interact with the Service by collecting aggregated and anonymized information about page visits, feature usage, and navigation patterns. We may use services such as PostHog for this purpose. You can opt out of analytics cookies through your browser settings or by using provider-specific opt-out tools.
15.4 Managing Cookies
Most web browsers allow you to control cookies through their settings. You can set your browser to refuse all cookies, accept only certain cookies, or delete cookies when you close your browser. Please note that disabling cookies may limit your ability to use certain features of the Service. For more information about cookies and how to manage them, visit www.allaboutcookies.org.
16. Website Chat Widget Privacy
This section applies specifically to individuals ("Widget Visitors") who interact with chat widgets embedded on third-party websites powered by Ashoon.
16.1 Data Collected From Widget Visitors
When you interact with an Ashoon-powered chat widget, the following data may be collected:
- Chat messages you send and receive
- Name and email address (only if you voluntarily provide them)
- IP address (for security and abuse prevention)
- Browser type, operating system, and device information
- The URL of the page where the widget appears
- Session identifiers and timestamps
16.2 Widget Cookie Consent Requirements
If you embed the Ashoon widget on your website, you are responsible for obtaining appropriate cookie and tracking consent from your website visitors before the widget is loaded, in accordance with applicable laws including the EU ePrivacy Directive and GDPR. The widget sets a session identifier cookie and stores session data in the visitor's browser localStorage. These are considered functional cookies and may require prior consent depending on your jurisdiction.
16.3 How Widget Data is Stored and Processed
Chat conversations are stored on Ashoon's servers and are accessible to the Customer (the business operating the website). Messages may be processed by AI providers (as described in Section 7) to generate automated responses. Conversation data is retained in accordance with the data retention schedule in Section 11.
16.4 Widget Data Residency
Widget conversation data is stored on servers located in our hosting region. We do not currently offer data residency options for specific regions. If you have data residency requirements, please contact us to discuss available options.
16.5 Widget Data Deletion on Removal
If you remove the widget from your website but maintain your Ashoon account, widget conversation data will be retained according to the retention periods stated in Section 11. You may request deletion of widget conversation data at any time by contacting us at .
16.6 Data Controller vs. Data Processor
For data collected through the website chat widget, the Customer (the business that embedded the widget on their website) is the Data Controller, and Ashoon acts as the Data Processor. This means:
- The Customer determines the purposes and means of processing your data
- The Customer is responsible for providing privacy notices to Widget Visitors and obtaining any necessary consent
- Ashoon processes data only on the Customer's instructions and in accordance with our Data Processing Agreement
- The Customer is responsible for responding to data subject requests, with Ashoon providing reasonable assistance
16.7 Widget Visitor Rights
If you are a Widget Visitor and wish to exercise your data protection rights (access, deletion, rectification, etc.), you should contact the business whose website hosts the chat widget, as they are the Data Controller. If you are unable to reach the business or need further assistance, you may contact Ashoon at and we will make reasonable efforts to assist you.
17. Cross-Context Behavioral Advertising
We do not engage in cross-context behavioral advertising. We do not use personal information collected from one context (e.g., widget interactions) for advertising purposes in another context. We do not sell or share your personal information for cross-context behavioral advertising as defined under the California Consumer Privacy Act.
18. Children's Privacy
The Service is not directed to individuals under the age of 16 (or the applicable age of digital consent in your jurisdiction, which may be up to 18). We do not knowingly collect Personal Data from children under the age of 16.
In compliance with the Children's Online Privacy Protection Act (COPPA) and similar laws, if we become aware that we have inadvertently collected Personal Data from a child under the age of 16 without verified parental consent, we will take steps to delete such information as quickly as possible.
If you are a parent or guardian and believe that your child has provided us with Personal Data, please contact us at so that we can take appropriate action.
19. Data Processing Agreement
For business Customers who require a formal Data Processing Agreement (DPA) to comply with GDPR, CCPA/CPRA, or other applicable data protection regulations, we offer a DPA that covers:
- The scope, nature, and purpose of data processing
- Obligations and rights of the Data Controller and Data Processor
- Sub-processor management and notification procedures
- Data security measures and requirements
- Data breach notification procedures
- Data subject rights and assistance obligations
- Data transfer mechanisms (including Standard Contractual Clauses)
- Data deletion and return upon contract termination
- Audit and inspection rights
To request a DPA or to discuss data processing terms, please contact us at .
20. Data Breach Notification
In the event of a personal data breach, we will follow established incident response procedures and comply with all applicable data breach notification laws.
20.1 GDPR Breach Notification
In accordance with GDPR Articles 33 and 34, where a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to affected individuals, we will also notify those individuals without undue delay.
20.2 Notification to Customers
When acting as a Data Processor, we will notify affected Customers of any personal data breach without undue delay after becoming aware of the breach. The notification will include:
- The nature of the breach, including the categories and approximate number of records affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate its effects
- Contact information for further inquiries
20.3 US State Law Notifications
We will comply with breach notification requirements under applicable US state laws, including the California Data Breach Notification Law (Cal. Civ. Code 1798.82), and similar statutes in other states, which may require notification to affected individuals and state attorneys general within specified timeframes.
21. Do Not Track Signals
Some web browsers transmit "Do Not Track" (DNT) signals to websites. Because there is no universally accepted standard for how to respond to DNT signals, we currently do not respond to DNT browser signals or headers. However, you can manage your tracking preferences through the cookie settings described in Section 15 and through your browser's privacy settings. We will continue to monitor developments in DNT technology and may adopt a DNT standard in the future if one is established.
22. California "Shine the Light" Law
Under California Civil Code Section 1798.83 (the "Shine the Light" law), California residents who have an established business relationship with us may request information about whether we have disclosed Personal Data to any third parties for the third parties' direct marketing purposes during the preceding calendar year. We do not share your Personal Data with third parties for their direct marketing purposes. If you are a California resident and would like to make such a request, please contact us at .
23. Other International Privacy Laws
23.1 Brazil (LGPD)
If you are located in Brazil, you may have additional rights under the Lei Geral de Proteção de Dados (LGPD), including the right to access, correct, anonymize, block, or delete personal data. You may also request information about public and private entities with which we have shared your data, and you have the right to revoke consent at any time. To exercise your rights under the LGPD, please contact us at .
23.2 Canada (PIPEDA)
If you are located in Canada, your personal information is protected under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws. Under PIPEDA, you have the right to access your personal information held by us, to challenge its accuracy and completeness, and to have it amended as appropriate. To exercise your rights under PIPEDA, please contact us at .
23.3 EU/UK Representative
If you are in the EEA and wish to contact our EU representative, or in the UK and wish to contact our UK representative, please email . We are in the process of formally appointing representatives under GDPR Article 27 and UK GDPR.
23.4 Commitment to All Users
Regardless of your location, we aim to provide all users with the same high standard of data protection. If you have questions about your rights under the privacy laws of your jurisdiction, please contact us and we will assist you.
24. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes:
- We will update the "Last updated" date at the top of this page
- For material changes, we will provide prominent notice by email to the address associated with your account and/or by posting a notice on the Service prior to the changes taking effect
- We will provide at least 30 days' notice before material changes take effect, where required by law
- We may request your explicit consent for material changes where required by applicable law
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of any updated Privacy Policy constitutes your acceptance of the changes, to the extent permitted by applicable law.
25. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us through the following channels:
Privacy Inquiries
For general privacy questions and data subject rights requests:
Data Protection Officer (DPO)
For matters related to data protection compliance, DPA requests, or to escalate a privacy concern:
We will endeavor to respond to all privacy-related inquiries within 30 days. If your request is complex or we receive a large number of requests, we may extend this period by an additional 60 days, in which case we will inform you of the extension and the reasons for it.
26. Right to Lodge a Complaint With a Supervisory Authority
If you are located in the European Economic Area, the United Kingdom, or Switzerland, and you believe that our processing of your Personal Data infringes applicable data protection laws, you have the right to lodge a complaint with your local data protection supervisory authority.
A list of EU data protection authorities and their contact information can be found on the European Data Protection Board website. For the United Kingdom, you may contact the Information Commissioner's Office (ICO).
We encourage you to contact us first so that we can attempt to resolve your concern before you file a complaint with a supervisory authority. We take all privacy concerns seriously and will work diligently to address them.