Privacy Policy
Last updated: 27 August 2025
Applies to: messagemind.ai and subdomains, the MessageMind platform, APIs, SDKs, and related services (the “Services”).
Plain‑language summary: This Privacy Policy explains what data we collect, why we collect it, how we use it, how long we keep it, who we share it with, where we store it, and what rights you have. Where this notice differs for end‑users of our customers (“End Users”) versus our direct business customers (“Customers”), we say so explicitly.
1) Who we are and how to contact us
Data Controller (for our own website, accounts, billing, support, product analytics & marketing):
TMMA SRLS (“Company”)
VAT: IT17152861005
Registered office: Via Durazzo 28, 00195 Roma (RM), Italy
General contact: [email protected]
Privacy contact: [email protected]
Data Processor (for End User data processed on behalf of Customers using the Platform):
For content, messages, transcripts, metadata and other personal data processed on instruction of a Customer inside the Platform, TMMA SRLS acts as processor and the relevant Customer acts as controller. The controller’s privacy notice applies to End Users in addition to this one.
EU location & supervisory authority: We are established in Italy and our lead supervisory authority is the Garante per la Protezione dei Dati Personali (GPDP). You may also complain to your local EU/EEA authority.
Data Protection Officer (DPO): Not currently appointed because our processing does not currently meet the criteria requiring a DPO. We routinely reassess this and will update this Policy if a DPO is designated. You can still contact [email protected] with any privacy question.
2) Scope & relationship with other documents
This Policy complements our Terms & Conditions and our Data Processing Agreement (DPA). In case of conflict while we act as processor, the DPA prevails for processing performed on our Customer’s documented instructions.
This Policy covers websites, platform, APIs, chatbots, integrations (e.g., Meta channels, Twilio, Gmail, Outlook, custom email domains), and support channels.
Separate documents: our Cookie Policy explains cookies/SDKs and consent preferences, and our Sub‑processor List (kept updated online) identifies service providers.
3) Key definitions
Customer: the business entity purchasing/using our Services.
End User: an individual who interacts with a Customer’s channels (e.g., website chat, WhatsApp, Facebook/Instagram, SMS) that are connected to MessageMind.
Personal Data: any information relating to an identified or identifiable person.
Special Categories: data revealing racial/ethnic origin, political opinions, religious/philosophical beliefs, trade‑union membership; genetic, biometric, health, sex‑life or sexual orientation data.
Processing: any operation on personal data (collection, storage, use, disclosure, etc.).
4) What we collect
A. Data you provide directly
Account data (Customers): name, role, business email, phone, password hash, authentication tokens (e.g., OAuth), billing contact.
Billing & payments: invoicing address, VAT number, plan/usage records, payment method tokens (via our PCI‑compliant payment processor – we don’t store full card numbers).
Support communications: emails, chat messages, attachments, and call/meeting recordings only with explicit consent.
Consents & preferences: marketing opt‑in/opt‑out, cookie choices, channel permissions.
B. Data processed through the Platform (typically as processor)
Conversation content & metadata: user messages, attachments, timestamps, channel identifiers, delivery/read receipts.
Integrations data: when Customers connect channels (e.g., Meta Facebook/Instagram/WhatsApp Business APIs), Twilio (SMS/WhatsApp), email (custom SMTP), Gmail, Outlook/Microsoft 365 and other business systems (CRMs, helpdesks). We ingest and process only data required to provide the features configured by the Customer.
Chatbot/AI data: prompts, responses, context, knowledge base snippets, and system logs used to deliver and improve functionality; see §11 for AI specifics.
C. Data collected automatically
Technical logs & device data: IP address, device identifiers, OS/browser type, timestamps, log events, crash reports, and security signals (e.g., unusual login patterns).
Product analytics (pseudonymous): feature usage events, session identifiers, and A/B test flags. Where required, we obtain consent via our cookie banner.
D. Special categories & sensitive data
We do not seek to collect Special Categories. If Customers or End Users voluntarily share such data in conversations, it will be processed only to deliver the requested service, with additional safeguards, and should be avoided unless strictly necessary. Customers must not configure the Platform to intentionally collect Special Categories without an appropriate lawful basis and safeguards.
E. Children
Our Services are not directed to children. For information‑society services offered directly to minors in Italy, we treat 14 years as the minimum age for valid consent. If we learn we processed a child’s data without appropriate consent/authorization, we will delete it.
5) Why we process data (purposes) and legal bases
We rely on one or more of the following bases under GDPR and Italian law:
Contract (Art. 6(1)(b)): to create and manage accounts, deliver the Services, provide support, and fulfill SLAs.
Legal obligation (Art. 6(1)(c)): tax/recordkeeping, responding to lawful requests, consumer and telecom laws.
Legitimate interests (Art. 6(1)(f)): security (fraud/abuse detection, preventing spam), service improvement, internal analytics (where compatible and minimally intrusive), B2B relationship management, soft‑spam to existing paying Customers as permitted by Italian law (see §9), and legal defense. We conduct and document a balancing test and offer opt‑out where required.
Consent (Art. 6(1)(a)): non‑essential cookies/SDKs, direct marketing to prospects, meeting/call recordings, and where a Customer configures optional features that require consent.
Special Categories are processed only if an exception applies (e.g., explicit consent, legal claims) and only if strictly necessary.
6) Meeting, call, and video recordings (audio, video, transcripts)
We never record by default. We record only with the informed, explicit consent of participants, obtained via a clear in‑product notice and/or verbal prompt at the start of the session.
Purposes: quality assurance, security incident review, training of staff, and documenting support interactions. Where Customers ask us to analyze recordings with AI (e.g., to summarize), we do so only under the Customer’s instructions and consent.
Controls: participants can decline, stop, or later withdraw consent; if consent is withdrawn, we cease future recordings and—where feasible—delete existing recordings unless retention is required by law or for legal claims.
Storage & access: recordings are encrypted; access is role‑based and logged; we minimize retention (see §14).
Third‑party meeting tools: if you use Zoom, Google Meet, Teams, or similar, their privacy terms apply independently; we receive recordings/transcripts only if you explicitly share or integrate them.
7) What we do with data
Provide, maintain, and secure the Services; route and deliver messages across connected channels.
Configure and operate chatbots, automations, and integrations selected by Customers.
Troubleshoot, support, and improve reliability and user experience.
Detect, prevent, and remediate spam, fraud, and abuse; protect accounts and networks.
Analyze aggregated usage patterns (de‑identified where possible) to improve product performance.
Communicate service announcements, security alerts, and product updates.
Conduct permitted marketing to Customers and prospects (see §9) with clear opt‑out mechanisms.
We do not sell personal data. We do not use End User content to train third‑party foundation models unless the Customer has enabled a feature that explicitly requires such sharing and has a valid lawful basis for it.
8) Sharing of data
We share personal data only as described below, applying strict minimization and contractual safeguards.
8.1 Processors and sub‑processors
We engage vetted service providers under written data‑processing terms meeting GDPR Art. 28 requirements, confidentiality obligations, and security controls. Categories include: cloud hosting, storage/backup, CDN/DDoS, email/SMS/voice delivery, identity & access management, logging/monitoring, analytics (consent‑based), ticketing/support, payments & accounting, and AI model providers used as processors. We maintain an always‑current list on our website and will notify Customers of material changes in accordance with the DPA.
8.2 Customer‑enabled channel partners & integrations (independent controllers or processors)
When Customers connect third‑party channels or business systems, we exchange the minimum data necessary to provide the configured features, as described in §17 and Annex F. Examples include Meta (Facebook/Instagram/WhatsApp), Twilio, Gmail, Outlook/Microsoft 365, Shopify, WooCommerce, Squarespace Commerce, Calendly, Stripe, Revolut, and automation hubs (e.g., Zapier, Make (Integromat), n8n). The legal status of each recipient (controller vs. processor) depends on their role and contract with you; many of these providers act as independent controllers for their own services.
8.3 Limited‑use commitments for certain APIs
For connectors that access user communications (e.g., Gmail, Microsoft Graph), we request the minimum OAuth scopes needed and store refresh tokens encrypted with strict access controls. We do not use email content or metadata for advertising, and we restrict human access to cases strictly necessary for security, support (with your authorization), or legal compliance. You can revoke access at any time in the respective account’s security settings or inside our dashboard.
8.4 Professional advisers & authorities
We may share data with lawyers, auditors, and insurers bound by confidentiality, and with public authorities when required by law or to protect rights/safety.
8.5 Corporate transactions
If we undergo a merger, acquisition, or reorganization, personal data may be transferred under appropriate safeguards and with prior notice where required.
9) Marketing, soft‑spam, telemarketing & the Registro Pubblico delle Opposizioni (RPO)
Email/SMS/WhatsApp marketing to prospects requires prior consent where e‑privacy rules apply; every message provides a clear opt‑out.
Soft‑spam (Italy, art. 130(4) Codice Privacy): we may send promotional emails only to existing paying Customers about similar products/services without prior consent, provided we offered an opt‑out at collection and in every message. If you never purchased from us, we won’t rely on soft‑spam. You can opt out at any time.
Telemarketing: when conducting telephone marketing in Italy, we respect the Registro Pubblico delle Opposizioni (RPO) to suppress registered numbers and follow applicable rules.
10) Cookies, SDKs & similar technologies
We use necessary cookies for security (e.g., session management, CSRF protection). These do not require consent.
We use non‑essential cookies/SDKs (analytics, A/B testing, advertising) only with your consent via our cookie banner. You can withdraw or change choices anytime via the Cookie Settings link.
Consent banners offer granular choices, easy reject options, and no dark patterns. Closing the banner without a choice results in non‑essential tools staying off.
Server‑side or device fingerprinting for tracking is not used without consent.
Full details appear in our Cookie Policy, including vendor identities, purposes, storage periods, and how to manage identifiers on your device.
11) AI features & model providers (expanded)
11.1 Scope of AI processing
Our AI features may process text messages, images/attachments (if you enable them), calls and audio/voice, and optional custom voice clones to generate responses, summarize content, classify intents, extract entities, or perform automations you configure. Unless otherwise stated in writing, these features operate on your instructions; for End‑User data we act as processor.
11.2 No training / no sharing pledge
We do not use Customer or End‑User content (including messages, calls, audio/voice, or custom voice clones) to train or improve third‑party foundation models by default.
We do not permit model providers to use your content for their own training. Contracts require no training and no secondary use.
We do not sell personal data. We do not share voice samples, voiceprints/embeddings, or custom voice models with other Customers or for advertising.
11.3 Data minimization & redaction
Where feasible, we pseudonymize or redact inputs before sending them to model endpoints (e.g., masking email addresses, phone numbers, or order IDs) and send only the context needed for the requested task. We log operational metadata (timestamps, token counts, error codes) for reliability and billing; we do not log raw audio content by default.
11.4 Calls, audio & recordings
Calls/meetings are never recorded by default (see §6). When recording is enabled, we obtain explicit, informed consent from all participants.
With your instruction, recordings may be transcribed and summarized to assist support/quality purposes. Transcripts and summaries are processed solely to deliver the feature and for security/legal defense where necessary; they are not used to train models.
You can disable transcription/summarization at any time; existing content will be retained or deleted per §14 and your settings.
11.5 Custom voice cloning (optional)
Custom voice cloning is off by default. If you request it:
Lawful basis & consent: You must collect and document explicit consent from the voice owner for the creation and use of a synthetic voice. If the voice data could be considered biometric for uniquely identifying a person, you must rely on an appropriate Art. 9 condition (typically explicit consent) and apply enhanced safeguards. Voices of minors must not be cloned.
Purpose limitation: The cloned voice may be used only to generate audio responses for your account and channels, for the purposes you specify (e.g., reading order updates).
Isolation: Each custom voice model is single‑tenant and not shared across Customers or between projects. It will never be used to respond for other Customers or to train any general model.
No impersonation / no identification: We prohibit cloning without the subject’s authorization, celebrity/deepfake misuse, and any use to impersonate or deceive. We do not use voiceprints for identity verification or matching.
Inputs & artifacts: Source samples and any derived artifacts (e.g., voice embeddings) are encrypted and access‑controlled. We avoid storing raw source audio longer than necessary to build or update the model.
Retention & deletion: Unless you configure a shorter period, we retain source samples for up to 30 days after model creation to support quality fixes; model artifacts are retained up to 12 months (or shorter per your setting) and then deleted or rotated, subject to legal holds. You may request deletion at any time; we will action deletion across active systems and allow backups to expire per Annex R.
Transparency to End Users: Where a synthetic voice is used, you must disclose to End Users that the voice is AI‑generated and provide an easy way to contact a human.
11.6 Vendor roles & contracts
AI vendors (LLM hosting, speech‑to‑text, text‑to‑speech, voice cloning, embeddings/vector stores) engaged through the Platform act as our processors under Art. 28, with no‑training commitments, confidentiality, security, and deletion obligations. Data residency preferences are respected where offered.
11.7 Human oversight, fairness & safety
We provide controls to require human review for sensitive actions, set guardrails (e.g., blocklists, safety filters), and log automated decisions. We evaluate models periodically for quality and bias on de‑identified samples, and we allow users to object to profiling for marketing. We do not take decisions based solely on automated processing that produce legal or similarly significant effects (see §18).
12) International data transfers
We prefer EU/EEA data residency for primary storage whenever possible. Some processors or integrations may transfer data outside the EEA.
When personal data is transferred internationally, we rely on lawful mechanisms such as adequacy decisions (e.g., EU–US Data Privacy Framework for certified recipients) and/or Standard Contractual Clauses (SCCs) plus supplementary measures (encryption in transit and at rest, access controls, minimization). We monitor legal developments and adjust our transfer tools as needed.
13) Security
We apply defense‑in‑depth safeguards:
Encryption in transit (TLS 1.2+) and at rest; segregation of environments.
Role‑based access control (RBAC), least privilege, SSO/MFA for staff, just‑in‑time access with approvals and logging.
Secure software development lifecycle (threat modeling, code review, secrets management, dependency scanning, vulnerability management, and regular penetration tests).
Business continuity (backups, disaster recovery), change management, vendor risk assessments, data minimization and pseudonymization where appropriate.
Employee confidentiality and security training.
Incident response: If we become aware of a personal‑data breach, we assess risk and notify Customers without undue delay. Where we are controller and the breach is notifiable, we notify the supervisory authority within 72 hours and affected individuals when required.
14) Retention periods (how long we keep data)
We keep personal data only as long as necessary for the purposes collected, including to meet legal/accounting/reporting requirements. Typical periods are:
Data Category | Typical Retention | Notes |
---|---|---|
Customer account data (profile, credentials) | Contract term + 24 months | Deleted sooner on verified request unless needed for legal claims. |
OAuth tokens & integration configs | While integration is active + 30 days | Tokens are encrypted; revocation deletes access immediately. |
API/webhook call logs | 12–18 months | For reliability, security and audit; may extend during incident review. |
Billing & invoices | 10 years | To meet Italian civil/fiscal law. |
Support tickets & emails | 36 months | May be extended for legal claims. |
Meeting/call recordings (with consent) | 12 months | Unless earlier deletion requested or longer retention needed for security/legal claims. |
Conversation logs (End Users) | Customer‑configurable; default 24 months | Controller may override via settings or DPA. |
E‑commerce data synced from Shopify/WooCommerce/Squarespace (as processor) | Customer‑configurable; default 24 months | Includes order lookups, fulfillment status, customer contact details; excludes full card data. |
Scheduling data (Calendly invitees/meetings) | Customer‑configurable; default 24 months | Includes invitee name/email, time slots, meeting metadata. |
Payment event metadata from Stripe/Revolut (as processor) | Customer‑configurable; typical 36 months | Event type, status, amounts, last4/brand tokens; no storage of full PAN/CVV. |
Security logs (auth, access, admin actions) | 12 months | Extended if investigating abuse/fraud. |
Product analytics (pseudonymous) | 24 months | Shorter if required by consent withdrawal. |
Cookie identifiers | Per Cookie Policy | Respect device settings and consent. |
When retention ends, we delete or irreversibly anonymize data. Backups are purged on rolling schedules.
15) Your rights
Depending on your role and location, you can:
Access your data and obtain a copy.
Rectify inaccurate or incomplete data.
Erase data (“right to be forgotten”).
Restrict processing in certain cases.
Port data in a structured, commonly used, machine‑readable format.
Object to processing based on legitimate interests, and to direct marketing at any time.
Withdraw consent at any time (does not affect prior lawful processing).
Not be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects, unless permitted by law with safeguards.
How to exercise rights: email [email protected]. If you are an End User of a Customer, please contact that Customer (the controller) first; we will support them as processor.
Complaints: you may lodge a complaint with the Garante per la Protezione dei Dati Personali or with your local supervisory authority. We would appreciate the chance to resolve your concerns first.
16) Controller ↔ Processor responsibilities
When we are controller, this Policy applies in full and we determine purposes and means.
When we are processor, we process personal data only on documented instructions of the Customer (controller), under the DPA, and subject to audits. We assist the controller with data‑subject requests, security, breach notifications, DPIAs and prior consultations where applicable.
17) Integrations & channel‑specific disclosures
This section expands on user‑connected APIs and integrations. Enable only what you need. The Customer (controller) remains responsible for informing End Users and obtaining any required consents. We expose toggles, granular permissions, and a dashboard to disconnect integrations at any time.
17.1 E‑commerce platforms (Shopify, WooCommerce, Squarespace Commerce)
Data exchanged (examples): customer profile (name, email, phone, billing/shipping address), order/fulfilment data (order ID, items, totals, taxes/VAT, discounts, shipping status, tracking links), product/catalog info (titles, SKUs, inventory), support events (refunds, returns).
Purpose: allow chatbots/agents to look up orders, answer “where is my order?” queries, create/cancel/return orders (if you enable), and personalize support.
Legal basis: contract; legitimate interests (efficient customer service).
What we do not store: full card numbers or CVV. Payment details remain with your payment processor.
Controls: per‑permission scopes (read orders/products/customers; optional write actions), audit logs, and configurable retention (see §14).
Sources: REST/Admin APIs and webhooks you enable in each platform.
17.2 Scheduling (Calendly)
Data exchanged: invitee name and contact, availability windows/time zone, event details (title, location/link), reschedule/cancellation status.
Purpose: let the chatbot offer/book/modify appointments; send reminders/updates.
Legal basis: contract; consent for reminders where e‑privacy rules require it.
Controls: OAuth with minimum scopes, revoke anytime; meeting recordings are not created by default and—if you choose to record—require explicit, informed consent of all participants (see §6).
17.3 Payments (Stripe, Revolut)
Data exchanged: event/webhook metadata (customer name/email, transaction amounts/currency, outcome, non‑sensitive card descriptors like brand/last4, charge/refund IDs), dispute notifications, payout references.
Purpose: enable status lookups inside conversations (e.g., “did my payment succeed?”), issue refunds when you authorize it, reconcile support issues.
Security/PCI: We are not a PCI DSS processor and do not store or handle full PAN/CVV. Payment inputs are collected via the provider’s hosted fields/SDKs where applicable.
Legal basis: contract; legal obligations (accounting); legitimate interests (fraud prevention, service reliability).
Retention: see §14 (typically 36 months for event metadata; invoices/receipts 10 years under accounting law).
17.4 Email & webmail connectors (custom SMTP/IMAP, Gmail, Outlook/Microsoft 365)
Data exchanged: message content and headers, attachments, labels/folders, thread IDs, and send/receive status for the accounts you connect.
Purpose: unified inbox, automated replies, routing, and analytics.
Scopes & policies: minimum OAuth scopes; tokens encrypted; no advertising use; human access only for security or with your authorization for support.
Controls: disconnect from our dashboard or your provider’s security settings; configurable retention and redaction; role‑based access and audit logs.
17.5 Telecoms & messaging (Twilio; WhatsApp via Meta/Twilio)
Data exchanged: SMS/WhatsApp content and metadata (sender/recipient IDs, timestamps, delivery status), media attachments if present.
Purpose: send/receive messages, two‑factor authentication (2FA), broadcasting (where permitted).
Consent: where e‑privacy rules apply (e.g., promotional SMS/WhatsApp), you must obtain and record valid opt‑ins; provide opt‑outs in each message.
Security: TLS in transit; content retention per §14; spam/abuse monitoring.
17.6 Automation hubs & custom APIs (Zapier, Make/Integromat, n8n, custom webhooks)
Data exchanged: whatever fields your flow maps (contacts, tickets, orders, etc.).
Purpose: orchestrate workflows between MessageMind and your stack.
Controls: per‑flow logs, secrets management, signed webhooks, IP allow‑listing; you remain responsible for mapping only necessary fields and avoiding special‑category data unless your legal basis and safeguards cover it.
17.7 Other knowledge & storage connectors (optional)
Examples include CRM/helpdesk, knowledge bases, and storage (e.g., Google Drive, OneDrive). We ingest only the documents/collections you select. You can remove sources at any time and purge embeddings/caches.
Important: Each integration provider has its own privacy terms. Where they act as independent controllers, they determine their own purposes and means. We encourage you to link those notices in your End User privacy disclosures.
18) Automated decision‑making & profiling
We do not perform decisions based solely on automated processing that produce legal or similarly significant effects on individuals. We may use profiling for routing (e.g., automatically classifying messages for faster support) or for security (spam/fraud detection). You can object to profiling for marketing at any time.
19) Data protection by design & DPIAs
We incorporate privacy by design/default into product architecture, including minimization, pseudonymization, and configurable retention. We conduct Data Protection Impact Assessments (DPIAs) where processing is likely to result in high risk (e.g., large‑scale monitoring across multiple channels, novel AI use, or processing of special‑category data). Where required, we will consult the supervisory authority before proceeding.
20) International users
If you access the Services from outside the EU/EEA, data may be processed in the EU/EEA and other countries where our processors operate, under the safeguards described in §12 and our DPA.
21) Changes to this Policy
We may update this Policy to reflect legal, technical or business developments. We will post the updated version with an effective date and, where changes are material, provide email/in‑app notice at least 30 days in advance. Continued use after the effective date constitutes acknowledgment of the updated Policy.
22) Contact
Questions or requests?
Email: [email protected]
Postal: TMMA SRLS, Via Durazzo 28, 00195 Roma (RM), Italy
Supervisory Authority: Garante per la Protezione dei Dati Personali, Piazza Venezia 11, 00187 Roma, Italy.
23) Governance, accountability & audits
Accountability program: We maintain Article 5(2) accountability through policies, training, vendor due‑diligence, Records of Processing, DPIAs, and periodic audits. We review this program at least annually.
Roles: An internal Privacy Lead coordinates with Security, Legal and Engineering. Product owners are responsible for privacy by design in their components.
Policies: documented data handling, access control, incident response, retention and deletion, secure development, and vendor management.
Training & awareness: onboarding + annual refresh covering GDPR, Italian e‑privacy, phishing/social‑engineering, confidential information handling, and AI safety. Completion is logged.
Audits & certifications: we pursue recognized security frameworks (e.g., ISO/IEC 27001 or SOC 2). External assessments and pen tests are conducted at least annually; significant findings are remediated per our risk policy.
24) Data classification & handling rules
We classify information into Public, Internal, Confidential, and Restricted. Handling rules include:
Storage & encryption: Confidential/Restricted data encrypted at rest; keys rotated regularly; secrets stored in a dedicated secrets manager.
Transmission: TLS (1.2+) in transit; no unencrypted portable media; file‑sharing via approved tools only.
Access: role‑based, least‑privilege; periodic re‑certification; session timeouts; strong MFA for admins.
Copying & exports: exports logged; large/bulk exports require managerial approval where appropriate.
Data in lower environments: use redaction, masking or synthetic data in test/staging environments.
25) Technical & organizational security measures (extended)
Architecture: segregated VPCs, private subnets, firewalls/WAF, hardened bastions, endpoint protection.
Cryptography: AES‑256 at rest; TLS 1.2+ in transit; HSTS; forward‑secrecy ciphers; key management via KMS/HSM; regular rotation and access logs.
Identity & access: SSO/MFA, just‑in‑time privileged access with approvals; device posture checks for employees.
Monitoring: central logging (immutable storage), SIEM correlation, anomaly detection, alerting; time synchronization; at least 12 months of log retention.
SDLC: code reviews, SAST/DAST, dependency scanning, container security, IaC scanning, segregated CI/CD; change management with rollback plans.
Resilience: backups with encryption and periodic restore tests; RPO ≤ 24h, RTO ≤ 24h for critical services (targets, not guarantees).
Vulnerability management: monthly patch windows; CVSS‑based prioritization; security advisories triaged within 24–72h depending on severity.
Third‑party risk: vendor due‑diligence, DPAs/SCCs, security questionnaires, continuous monitoring where available.
26) Government & law‑enforcement requests
We require a valid legal basis (e.g., subpoena, court order) and scope limitation. We notify the relevant controller (Customer) before disclosure unless legally prohibited. We challenge overbroad or unlawful requests. Emergency disclosures are limited to immediate risk to life or serious harm, documented internally.
27) Data subject request (DSR) handling – detailed
Verification: we verify identity using appropriate measures (email verification, a request made while logged in, or additional proof for sensitive data). Authorized agents acting for a data subject receive no more data than the request requires, in line with data minimization.
Timelines: we respond within one month; may extend up to two months for complex requests with notice. We log reasons for any extension.
Scope limits: we may refuse or charge a reasonable fee for manifestly unfounded or excessive requests, as permitted by law. We will explain the decision and provide complaint routes.
Portability: we provide machine‑readable exports (e.g., JSON/CSV) of data you provided to us and data observed from your use where technically feasible.
Deletion constraints: backups, security logs, and data required by law (e.g., invoices) may be retained for limited periods; such data will be isolated and not used for other purposes.
28) Consent management, cookies & preference center (extended)
CMP: our cookie banner/consent manager provides granular toggles, equal prominence for “Accept” and “Reject”, and per‑purpose details. Closing the banner without a choice keeps non‑essential tools off.
Signals: we honor consent withdrawal immediately and propagate to vendors via APIs where supported. We respect device/browser privacy settings to the extent legally required.
Cross‑device: when users are authenticated, we sync their consent preferences across sessions/devices.
Proof of consent: we store a hashed log of consent state (timestamp, version, IP region, selections) for audit purposes.
29) Advanced integration details & scopes (deep dive)
29.1 Shopify
Scopes: read_orders, write_orders (optional), read_customers, read_products; webhooks for orders/create, orders/paid, orders/fulfilled, refunds/create.
PII handled: customer identifiers, order metadata; no full card data.
Use: order lookup/status, refunds/cancellations when explicitly enabled.
29.2 WooCommerce
Auth: REST API keys; granular permissions by role/capability.
Events: order.created/updated, refund.created, status.changed; product updates for availability answers.
29.3 Squarespace Commerce
Capabilities: order and inventory queries; we cache minimal fields necessary for chat responses with configurable TTL.
29.4 Calendly
Scopes: read:scheduled_events, read:invitees; optional write scopes for reschedule/cancel when you allow it.
Privacy: no recording by default; explicit consent required for any recording (see §6).
29.5 Stripe
Scopes/Events: payment_intent.*, charge.*, refund.*, dispute.*, invoice.*.
Security: we redirect payment inputs to provider‑hosted fields as applicable; Strong Customer Authentication (SCA/PSD2) flows are managed by Stripe.
29.6 Revolut Business
Events: payment status updates, refunds, disputes; we use only references needed for support workflows.
29.7 Gmail / Outlook / custom mail
Scopes: minimum OAuth/Graph scopes (read/sent items, send, basic profile).
Guardrails: token encryption, revocation UI, redaction filters for automated workflows, optional per‑mailbox access policies.
29.8 Twilio & WhatsApp
Messaging: delivery receipts, rate limits, and sender verifications; opt‑in tracking required for promotional traffic; easy opt‑out keywords.
29.9 Zapier / Make / n8n / custom webhooks
Security: webhook signatures, IP allow‑listing, field‑level mapping; avoid special‑category data unless your basis and safeguards cover it.
30) AI transparency, fairness & evaluation
Model cards: for each major AI capability we document purpose, inputs, outputs, limitations, and known failure modes.
Bias & fairness: we conduct pre‑deployment and periodic evaluations on synthetic and de‑identified samples to detect disparate error rates; we calibrate thresholds and allow human override.
Safety: toxicity filters, PII redaction, abuse rate‑limiting; red‑team exercises at least annually.
Explainability: where reasonable, we expose summaries of key factors that influenced an automated recommendation; users may request human review.
31) Children & parental authorization (expanded)
We do not target children. If lawful services to minors are offered by a Customer, the Customer must implement an age‑gate and obtain/verify parental authorization where required. Upon notice of child data without proper authorization, we promptly delete or anonymize it.
32) Whistleblowing & reporting channels
Employees and contractors can confidentially report suspected privacy/security issues via designated internal channels. Retaliation is prohibited. Reports are triaged by the Privacy Lead and Security.
33) Data portability & export formats
We support self‑service exports (JSON/CSV) for account data and conversation logs where feasible, subject to authentication. For processor data, we assist the Customer‑controller in fulfilling portability requests via APIs or bulk exports.
34) Service‑specific terms & precedence
This Privacy Policy works together with the Terms & Conditions, DPA, Cookie Policy, and integration‑specific terms. If you are a Customer:
For End User data processed in the Platform, the DPA prevails.
For website/marketing data where we are controller, this Policy prevails over conflicting marketing materials.
Integration providers’ own privacy notices govern their independent processing when they act as controllers.
Annex A — Examples of processing activities (Records of Processing overview)
This appendix summarizes typical processing activities; the full Article 30 records are maintained internally and available to authorities upon request.
Role | Activity | Categories of data | Purpose & legal basis | Recipients | Transfers | Retention |
---|---|---|---|---|---|---|
Controller | Website & account operation | Identifiers, contact data, credentials, logs | Contract; Legitimate interests (security, product improvement) | Hosting, security, analytics providers | Possible non‑EEA via SCCs/DPF | See §14 |
Controller | Billing | Identity, VAT, payment identifiers | Legal obligation; Contract | Payment processor, accountants | EEA/EEA‑equivalent | 10 years |
Controller | Marketing (prospects) | Contact data, consent status | Consent; Legitimate interests for B2B outreach where permitted | Email/SMS providers | Possible non‑EEA via SCCs/DPF | Until withdrawal + up to 24 months |
Controller | Soft‑spam to paying Customers | Contact data | Legitimate interests & e‑privacy soft‑spam exception | Email provider | EEA / SCCs as needed | 24 months from last contact |
Processor | Omnichannel messaging for Customers | Message content, attachments, metadata | Controller’s chosen basis (usually contract or legitimate interests; sometimes consent) | Channels (Meta, Twilio, email), AI processors | As configured by Customer | Customer‑defined (default 24 months) |
Controller/Processor | Meeting/call recording (with consent) | Audio/video, transcript, participants | Consent; Legitimate interests for security/legal defense | Secure storage, optional AI transcript service | As configured | 12 months (unless legal claims) |
Annex J — Lawful‑basis matrix (examples)
Scenario | Controller/Processor | Personal data | Lawful basis | Notes |
---|---|---|---|---|
Account creation for Customer admins | Controller | Name, email, role | Contract | Security monitoring under Legitimate Interests. |
Prospect newsletter | Controller | Email, consent status | Consent | Easy unsubscribe required. |
Soft‑spam to paying Customers | Controller | Work email | Legitimate Interests + e‑privacy exemption | Must be similar products/services; provide opt‑out. |
End User support via WhatsApp | Processor | Phone, message content | Controller’s basis (Contract/LI/Consent) | Opt‑in/opt‑out managed by controller. |
Call recording of support session | Controller/Processor | Audio/video | Consent | Prominent notice; ability to decline; retention 12 months. |
Fraud detection | Controller | Device/IP, usage patterns | Legitimate Interests | Balancing test documented; opt‑out not available where it would undermine security. |
Annex K — Legitimate Interests Assessment (LIA) template (summary)
Purpose test: What is the legitimate interest? (e.g., service security, product improvement).
Necessity test: Are less intrusive means available?
Balancing test: Impact on individuals; expectations; safeguards (opt‑out, pseudonymization, retention limits).
Outcome & review: Decision, Privacy Lead sign‑off, review date.
Annex L — DPIA triggers & checklist
Large‑scale monitoring; systematic profiling; combining datasets across channels; processing of special categories; innovative AI uses; vulnerable individuals; international transfers without adequacy; inability for users to opt out.
Checklist outputs: description of processing, necessity/proportionality analysis, risks to rights/freedoms, measures to address risks, residual risk, consultation need with the authority.
Annex M — Security control catalog (non‑exhaustive)
Access control, authentication, encryption, network security, application security, logging/monitoring, vulnerability management, secure configuration, supplier security, asset management, backup/DR, physical security, secure disposal, change management, incident response, training/awareness.
Annex N — Cookie categories & CMP mapping
Category | Examples | Consent required? | Typical retention |
---|---|---|---|
Strictly necessary | session, load balancer, CSRF | No | Session/short |
Analytics/performance | product analytics, error tracking | Yes | 13–24 months |
Advertising | retargeting pixels, cross‑site IDs | Yes | 3–13 months |
Functional | preference storage, chat widget | Sometimes | 6–12 months |
Annex O — Article 30 ROPA example record (abridged)
Activity: Omnichannel support for Customer X (processor).
Data: message content, attachments, metadata, identifiers.
Recipients: Meta, Twilio, email providers, AI model processors.
Transfers: SCCs/DPF where applicable.
Retention: per Customer settings (default 24 months).
Security: encryption at rest/in transit; RBAC; audit logs; backups.
Annex P — Law‑enforcement request transparency (policy)
We publish aggregate counts of legally binding requests (if any) on an annual basis, distinguishing emergency vs. non‑emergency, and whether content or metadata was requested. Individual notice will be provided to affected controllers where lawful.
Annex Q — Model providers & data‑handling (placeholders)
We maintain an up‑to‑date list of AI model providers used as processors (e.g., LLM hosting, embedding services) with the following fields: provider, region, training/default policy, retention, encryption at rest, certification status, and contact.
Annex R — Data deletion schedules & backup windows
Primary stores: logical deletion within 30 days; physical purge within 90 days.
Backups: rolling backups retained up to 35 days; deleted on rotation; not accessible for routine purposes.
Customer‑initiated purge: honored across active stores within 30 days; backup copies fall out of rotation automatically.
End of Policy
Annex S — AI audio/voice cloning policy & consent language (templates)
Use these templates with your legal counsel. Store a copy of the exact text shown to the user, the timestamp, identity, and a hash of the consent record.
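The hashed consent log described in §28 (timestamp, version, IP region, selections) and the consent record this annex asks you to store (exact text shown, timestamp, identity, hash) can be kept as one tamper-evident audit trail. The following is an added example, not MessageMind's own code: each entry commits to a SHA-256 of the banner text and its fields, and also chains to the previous entry's hash (chaining is an assumption beyond what the page states); field names and the sample banner are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry in a fresh log (assumed convention)
BANNER = "We'd like to record and transcribe this call. This is optional."  # constructed

def consent_record(text_shown, timestamp, identity, version, ip_region, selections, prev_hash):
    """Build one audit entry. The record hash commits to every field plus the
    previous entry's hash, so editing or removing an earlier entry breaks the chain."""
    body = {
        "text_sha256": hashlib.sha256(text_shown.encode("utf-8")).hexdigest(),
        "timestamp": timestamp,      # ISO-8601 UTC string, as shown to the auditor
        "identity": identity,        # pseudonymous user id, not raw contact data
        "version": version,          # version of the consent text / CMP config
        "ip_region": ip_region,      # coarse region only, per data minimization
        "selections": selections,    # per-purpose toggles chosen by the user
        "prev_hash": prev_hash,
    }
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    body["record_hash"] = hashlib.sha256(canonical.encode("utf-8")).hexdigest()
    return body

def verify_chain(log):
    """Recompute every hash; return the index of the first bad entry, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "record_hash"}
        if fields.get("prev_hash") != prev:
            return i  # chain broken: an entry before this one was altered or dropped
        canonical = json.dumps(fields, sort_keys=True, separators=(",", ":"))
        if hashlib.sha256(canonical.encode("utf-8")).hexdigest() != entry.get("record_hash"):
            return i  # this entry's own fields were altered after the fact
        prev = entry["record_hash"]
    return None

def build_sample_log():
    """Constructed two-entry log: consent given, then withdrawn five minutes later."""
    r1 = consent_record(BANNER, "2025-08-27T10:00:00Z", "user-123", "S.1-v1", "EU-IT",
                        {"recording": True, "transcription": True}, GENESIS)
    r2 = consent_record(BANNER, "2025-08-27T10:05:00Z", "user-123", "S.1-v1", "EU-IT",
                        {"recording": False, "transcription": False}, r1["record_hash"])
    return [r1, r2]

if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_chain(log) is None)
    log[0]["selections"]["recording"] = False   # simulate silent edit of history
    print("first bad entry after tampering:", verify_chain(log))
```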
S.1 Recording/transcription consent (call banner)
Short banner: “We’d like to record and transcribe this call to improve support quality and security. This is optional. By selecting Agree, you consent to recording and transcription. You can stop at any time.”
Buttons: Agree • Decline
If Decline: no recording/transcription; notes may still be taken.
S.2 Custom voice cloning — explicit consent (voice owner)
“I, [name], consent to TMMA SRLS/MessageMind creating a synthetic version of my voice from the samples I provide. I understand it will be used only by [Customer name] for [describe purpose], will not be shared with other customers or used to train general AI models, and may be deleted on my request subject to lawful retention. I can withdraw this consent at any time by contacting [contact].”
Checkboxes:
[ ] I am over the age of 18.
[ ] I understand that synthetic audio will be disclosed as AI‑generated.
[ ] I authorize storage of my samples for up to 30 days for model quality fixes.
[ ] I request earlier deletion of my samples once the model is created.
S.3 Revocation language
“You can withdraw your consent to recording or to the use of your synthetic voice at any time. We will stop future processing immediately and delete existing data and/or model artifacts in line with our retention policy, except where we must retain data for legal claims or compliance.”
S.4 Prohibited uses
Cloning without authorization; impersonation, fraud, or deepfakes.
Use for biometric identification or matching.
Use targeting minors or vulnerable persons.
Generation of unlawful, harmful, or deceptive content.
S.5 Security & access
Encryption at rest/in transit; RBAC; just‑in‑time access; audit logs.
Regular vendor assessments; no training/no sharing clauses; data‑residency options where feasible.
Periodic quality and fairness tests; documented guardrails and incident response.