Privacy Policy - Airochat

This Privacy Policy ("Policy") describes how Airochat, Inc. and its affiliates ("Airochat", "we", "us", or "our") collect, use, disclose, retain, and protect Personal Data when you access or use the Airochat platform, websites at airochat.com and app.airochat.com, mobile applications, application programming interfaces, and any related services (collectively, the "Service").

This Policy applies to (i) visitors to our public websites, (ii) account holders who subscribe to the Service ("Customers"), and (iii) end users who interact with Customers through the Service ("End Users"). When we process Personal Data on behalf of a Customer, we act as a "processor" or "service provider" and the Customer acts as the "controller" or "business" within the meaning of applicable data protection laws. When we process Personal Data for our own purposes (for example, account administration), we act as a controller.

Contents

Definitions
Information We Collect
How We Use Personal Data
Legal Bases for Processing
Disclosure of Personal Data
Third-Party Platform Compliance
International Data Transfers
Data Retention & Deletion
Security
Your Rights
Children's Privacy
Cookies & Similar Technologies
Regional Privacy Notices
Changes to this Policy
Contact & Data Protection Officer

1. Definitions

In this Policy, capitalized terms have the meanings set out below:

"Personal Data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and erasure.
"Customer Data" means data, content, and Personal Data that a Customer or its End Users submit to the Service.
"Sub-processor" means any third party engaged by Airochat to process Customer Data on our behalf.
"Applicable Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data, including the EU and UK General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act as amended by the CPRA ("CCPA/CPRA"), the Saudi Arabia Personal Data Protection Law ("PDPL"), the UAE Federal Decree-Law No. 45 of 2021, and other applicable laws.

2. Information We Collect

2.1 Information You Provide Directly

Account Information: name, email address, phone number, password (hashed), company name, role, country.
Billing Information: billing name, address, tax ID, and the last four digits of payment card numbers. Full payment card details are processed by our PCI-DSS compliant payment provider and never stored on our servers.
Communications: messages you send to our support team, survey responses, and feedback.

2.2 Customer Data

Contacts: phone numbers, names, profile pictures, message identifiers, and metadata of End Users that a Customer imports or that flow into the Service through a connected channel.
Conversations: message content, attachments, timestamps, delivery receipts, and read receipts exchanged between Customer and End Users via connected channels.
Automation Configuration: bot flows, triggers, templates, tags, and custom fields configured by the Customer.

2.3 Information Collected Automatically

Device & Log Data: IP address, browser type and version, operating system, device identifiers, referring URLs, pages visited, dates and times of access, and clickstream data.
Diagnostic Data: crash reports, performance metrics, and error logs used to maintain and improve the Service.

2.4 Information from Third Parties

When a Customer connects a third-party platform (such as Meta, X, Google, TikTok, or Telegram) to the Service, we receive the data necessary to fulfill the connection in accordance with the scopes the Customer has authorized. We process such data strictly as instructed by the Customer and in accordance with the relevant platform's policies described in Section 6.

3. How We Use Personal Data

We use Personal Data for the following purposes:

Service Delivery: to operate, maintain, and provide the features and functionality of the Service to our Customers.
Account Administration: to create and manage accounts, authenticate users, and prevent unauthorized access.
Customer Support: to respond to inquiries, troubleshoot issues, and provide technical assistance.
Billing & Payments: to process subscriptions, invoices, refunds, and tax obligations.
Service Improvement: to analyze usage patterns, develop new features, and improve performance, security, and reliability.
Communications: to send service announcements, security alerts, and—where permitted—marketing communications, which you may opt out of at any time.
Legal Compliance: to comply with legal obligations, court orders, and regulatory requirements, and to enforce our agreements.
Fraud Prevention & Security: to detect, prevent, and respond to fraud, abuse, and security incidents.

We do not sell Personal Data, and we do not use Customer Data, Conversations, or End User information to train artificial intelligence or machine learning models for our own benefit or for the benefit of any third party.

4. Legal Bases for Processing (EEA/UK)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under Article 6 of the GDPR:

Contract (Art. 6(1)(b)): to perform the Customer agreement and provide the Service.
Legitimate Interests (Art. 6(1)(f)): to secure the Service, prevent fraud, and improve our products, where such interests are not overridden by your rights.
Legal Obligation (Art. 6(1)(c)): to comply with applicable laws and regulatory requirements.
Consent (Art. 6(1)(a)): for marketing communications and certain cookies, which you may withdraw at any time.

5. Disclosure of Personal Data

We disclose Personal Data only in the limited circumstances set out below:

Sub-processors: we engage vetted third-party providers (cloud hosting, analytics, payment processing, customer support tools) under written contracts that impose data-protection obligations no less protective than those set forth in this Policy. A current list of Sub-processors is available on request from hi@airochat.com.
Connected Platforms: when a Customer instructs us to send or receive data through a third-party messaging or marketing platform.
Corporate Transactions: in connection with a merger, acquisition, financing, or sale of all or part of our assets, subject to standard confidentiality protections.
Legal Requirements: when required by valid legal process, court order, or to protect the safety, rights, or property of Airochat, our users, or the public.
With Customer Authorization: at the direction of the Customer or with the Customer's explicit consent.

6. Third-Party Platform Compliance

Airochat operates as an authorized partner of several messaging platforms. When a Customer connects a third-party platform, both Airochat and the Customer are bound by the relevant platform's policies in addition to this Policy.

6.1 Meta Platforms (Facebook, Instagram, Messenger, WhatsApp Business)

As an authorized Meta Business Partner, Airochat complies with the Meta Platform Terms, the Meta Developer Policies, and the WhatsApp Business Solution Terms. In particular:

Lawful Use: We process Meta-derived data only for the purposes the Customer has been authorized to use, and only for the duration necessary to provide the Service.
Opt-In Required: Customers must obtain prior opt-in from End Users before sending messages through WhatsApp, Instagram, or Messenger, in accordance with each platform's messaging rules.
24-Hour Customer Service Window (WhatsApp): Free-form messages outside the 24-hour window initiated by an End User require an approved Message Template, and we enforce this restriction within the Service.
No Restricted Use Cases: We do not permit Customers to use the Service for prohibited categories under Meta and WhatsApp Commerce Policies, including but not limited to firearms, illegal drugs, adult content, and unauthorized financial products.
No Sale or Unauthorized Transfer: We do not sell, license, or transfer data obtained through Meta APIs to data brokers, ad networks, or any other third party for advertising or marketing purposes.
Data Minimization & Deletion: We retain Meta-derived data only as long as necessary for the Service. End Users may request deletion of their data through their Customer or by contacting us at hi@airochat.com. Deletion requests are honored within thirty (30) days unless a longer period is required by law.
Data Use Restrictions: We do not use Meta data to discriminate against any user, build user profiles for advertising purposes, or determine eligibility for credit, employment, insurance, housing, or similar decisions.
Security: We maintain administrative, physical, and technical safeguards designed to protect Meta-derived data, including encryption in transit and at rest, access controls, and regular security testing.
Incident Notification: In the event of a security incident involving Meta-derived data, we will notify Meta and affected Customers without undue delay and in accordance with Meta Platform Terms.

6.2 X (formerly Twitter) Platform

When Customers connect their X accounts, we operate in accordance with the X Developer Agreement, the X Developer Policy, and the X Automation Rules:

Display Requirements: We render X content (posts, profile information) in accordance with the X Display Requirements and do not modify, alter, or obscure X content without authorization.
Rate Limits: We respect the rate limits set out in the X API documentation and provide tools to help Customers stay within those limits.
Off-Platform Matching: We do not match X user data with data from other sources without explicit user consent.
No Resale: We do not sell, lease, or sublicense X content or X-derived data to any third party.
Automation Rules: We prohibit Customers from using Airochat to perform bulk follows, unfollows, mass-likes, mass-DMs, or any other automated activity that would violate X Automation Rules.
Deletion Compliance: When an X user deletes content or revokes access, we delete the corresponding cached data within twenty-four (24) hours, in accordance with the X Developer Policy.

6.3 TikTok

As a TikTok Marketing API user, we comply with the TikTok Marketing API Terms of Service, the TikTok Marketing Partner Program requirements, and the TikTok Community Guidelines. We process TikTok data solely for the purposes the Customer has authorized and never share TikTok data for advertising or profiling outside the scope of the connected service.

6.4 Google Services

When Customers connect Google services (such as Google Sheets, Google Calendar, or Google Contacts), we comply with the Google API Services User Data Policy, including its Limited Use requirements. Specifically: (i) we use Google user data only to provide or improve user-facing features that are prominent in the Service; (ii) we do not transfer Google user data to third parties except as necessary to provide or improve those features; (iii) we do not use Google user data for serving advertisements; and (iv) we do not allow humans to read Google user data unless we have obtained user consent for specific messages, doing so is necessary for security, doing so is necessary to comply with applicable law, or the data has been aggregated and is used for internal operations.

6.5 Telegram

For Telegram bot integrations, we operate in accordance with the Telegram Bot Terms of Service and the Telegram Privacy Policy. We do not share bot or user data with unauthorized third parties.

7. International Data Transfers

Airochat operates globally and may transfer Personal Data to countries other than the country in which it was originally collected. When we transfer Personal Data from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, we rely on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or other lawful transfer mechanisms. A copy of the relevant transfer mechanism is available on request.

8. Data Retention & Deletion

We retain Personal Data only for as long as necessary to fulfill the purposes set out in this Policy, comply with our legal obligations, resolve disputes, and enforce our agreements. Specifically:

Account Data: retained for the duration of the Customer's subscription and deleted within ninety (90) days of account closure, except where retention is required by law.
Customer Data: retained according to the Customer's configuration and deleted within thirty (30) days of a verified deletion request.
Billing Records: retained for the period required by applicable tax and accounting laws (typically seven years).
Diagnostic & Log Data: retained for up to twelve (12) months, then deleted or anonymized.

End Users may request deletion of their Personal Data by contacting the Customer that controls their data. If the Customer is unresponsive, End Users may contact us directly at hi@airochat.com and we will route the request appropriately.

9. Security

We implement and maintain a comprehensive information security program that includes administrative, technical, and physical safeguards designed to protect Personal Data. These safeguards include encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256), role-based access controls, multi-factor authentication for administrative access, intrusion detection, regular vulnerability scanning and penetration testing, employee security training, and formal incident response procedures. We undergo independent security assessments and align our practices with internationally recognized frameworks. No method of transmission or storage is one hundred percent secure, but we are committed to protecting Personal Data using industry best practices.

10. Your Rights

Subject to Applicable Data Protection Laws, you may have the following rights with respect to your Personal Data:

Right of Access: to obtain confirmation of whether we process your Personal Data and to receive a copy.
Right to Rectification: to correct inaccurate or incomplete Personal Data.
Right to Erasure ("right to be forgotten"): to request deletion of your Personal Data.
Right to Restrict Processing: to limit how we use your Personal Data in certain circumstances.
Right to Data Portability: to receive your Personal Data in a structured, machine-readable format.
Right to Object: to object to Processing based on legitimate interests or for direct marketing.
Right to Withdraw Consent: where Processing is based on consent, you may withdraw it at any time.
Right to Lodge a Complaint: with your local supervisory authority.

To exercise any of these rights, contact us at hi@airochat.com. We will respond within the timeframe required by Applicable Data Protection Laws (typically thirty days). We do not discriminate against users for exercising their rights.

11. Children's Privacy

The Service is not directed to individuals under the age of sixteen (16), and we do not knowingly collect Personal Data from children. If we become aware that we have collected Personal Data from a child without verified parental consent, we will delete that information promptly. Parents or guardians who believe their child has provided us with Personal Data may contact us at hi@airochat.com.

12. Cookies & Similar Technologies

We use cookies and similar tracking technologies to operate the Service, remember your preferences, analyze usage, and improve performance. You can control cookies through your browser settings; however, disabling certain cookies may impair the functionality of the Service. We honor "Global Privacy Control" and "Do Not Track" signals where required by law.

13. Regional Privacy Notices

13.1 European Economic Area, United Kingdom & Switzerland

If you are located in the EEA, UK, or Switzerland, the GDPR applies to our Processing of your Personal Data. You have the rights described in Section 10 and may lodge a complaint with your local supervisory authority. Our EU representative can be contacted via hi@airochat.com.

13.2 California, United States

Under the CCPA/CPRA, California residents have the right to know what Personal Information we collect, the right to delete, the right to correct, the right to opt out of sale or sharing, and the right to limit the use of sensitive Personal Information. We do not sell Personal Information as defined under the CCPA. To exercise your rights, contact hi@airochat.com.

13.3 Saudi Arabia (PDPL)

Residents of the Kingdom of Saudi Arabia have the rights set forth in the Personal Data Protection Law and its implementing regulations, including the right to be informed, the right of access, the right to request correction, and the right to request destruction of Personal Data. We process Personal Data in accordance with PDPL requirements.

14. Changes to this Policy

We may update this Policy from time to time. When we make material changes, we will notify Customers by email or through an in-app notification at least thirty (30) days before the changes take effect, except where a shorter notice is required by law. The "Effective date" at the top of this Policy reflects the most recent revision.

15. Contact & Data Protection Officer

If you have questions, concerns, or requests regarding this Policy or our Processing of your Personal Data, please contact our Data Protection team:

Airochat, Inc.

Attention: Data Protection Officer

Email: hi@airochat.com

If you are not satisfied with our response, you have the right to lodge a complaint with the data-protection authority in your country of residence.