LEGAL

Privacy Policy.

Last updated: 27 August 2025. Applies to messagemind.ai and the MessageMind platform.

Data Controller: TMMA SRLS
Effective in: EU/EEA + worldwide

1. Who we are and how to contact us

Data Controller

TMMA SRLS, VAT IT17152861005, Via Durazzo 28, 00195 Roma (RM), Italy. General inquiries: [email protected]. Privacy matters: [email protected].

Data Processor

When MessageMind processes End User personal data on behalf of a Customer, TMMA SRLS acts as Data Processor strictly on the Customer's documented instructions, under a written Data Processing Agreement (DPA) that implements Article 28 GDPR.

EU location & supervisory authority

The Controller is established in Italy. The competent supervisory authority is the Garante per la protezione dei dati personali (GPDP), Piazza Venezia 11, 00187 Roma, Italy.

Data Protection Officer

A DPO has not been formally appointed. The need for a DPO is reassessed routinely as the platform evolves and as processing activities expand.

2. Scope & relationship with other documents

This Privacy Policy complements the MessageMind Terms & Conditions and the Data Processing Agreement (DPA) signed with each Customer. It covers the MessageMind public websites, the platform, the APIs, the chatbot runtime, and every integration we operate.

Cookies and similar technologies are governed by a separate Cookie Policy. Sub-processors are listed in a Sub-processor List that is maintained and updated as the vendor stack changes.

3. Key definitions

Customer: the business that subscribes to MessageMind and configures the platform for its own use.

End User: the individual who interacts with a Customer through MessageMind (e.g. a guest, lead, patient, buyer).

Personal Data: any information relating to an identified or identifiable natural person, as defined by Article 4 GDPR.

Special Categories: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sex life or sexual orientation.

Processing: any operation performed on Personal Data, automated or not (collection, storage, retrieval, transfer, erasure).

4. What we collect

A. Data you provide directly

Account information (name, email, phone, role), billing information (company name, VAT, billing address, payment instrument metadata), support correspondence (messages, attachments, tickets), and explicit consents you give for marketing, recording or AI features.

B. Data processed through the Platform

Conversations exchanged between End Users and the Customer (messages, transcripts, attachments, status), integration metadata (channel identifiers, OAuth tokens, webhook payloads), and the chatbot/AI inputs and outputs needed to deliver replies.

C. Data collected automatically

Technical logs (IP, user agent, timestamps, request and response metadata) and product analytics (pseudonymous events used to understand usage and improve reliability).

D. Special categories

We do not seek special categories of data. If an End User voluntarily shares them in a conversation, we apply additional safeguards (access restriction, encryption at rest, minimum retention) and rely on the appropriate Article 9 exception.

E. Children

The Services are not directed to children. The minimum age in Italy is 14 years for direct consent. Below that age, processing relies on parental authorization. Customers are responsible for age-gating where their own audience requires it.

5. Why we process data (purposes) and legal bases

We rely on the legal bases of Article 6 GDPR: performance of a contract Art. 6(1)(b), compliance with a legal obligation Art. 6(1)(c), legitimate interests Art. 6(1)(f), and consent Art. 6(1)(a) where consent is the appropriate basis (marketing, non-essential cookies, recording).

Special categories are processed only where an Article 9 exception applies, for example explicit consent or the establishment, exercise or defence of legal claims.

6. Meeting, call, and video recordings

MessageMind never records calls, meetings or video by default. Recording is an opt-in feature and runs only after an informed, explicit consent has been captured from every participant.

Purposes

Quality assurance, training, dispute resolution, transcription and, when explicitly enabled by the Customer, downstream AI processing such as summarization and CRM enrichment.

Controls

A visible banner or audio notice is shown before recording starts. Participants can refuse, and the system must offer a non-recorded path where this is technically feasible.

Storage & access

Recordings are stored encrypted at rest, with role-based access limited to authorized Customer users and to MessageMind staff who strictly need them to deliver support.

Third-party meeting tools

When recordings are produced through third-party meeting tools (e.g. video conferencing platforms), the tool's own privacy notice applies in addition to this Policy.

7. What we do with data

  • Provide, operate and maintain the Services that the Customer has subscribed to.
  • Route, store and deliver conversations between End Users and Customers across channels.
  • Run AI features the Customer has enabled (replies, summaries, qualification, scheduling).
  • Maintain security, prevent fraud and abuse, debug failures and protect availability.
  • Comply with legal obligations (tax, accounting, lawful requests, records of processing).
  • Improve reliability, quality and product performance using aggregated or pseudonymous signals.
  • Communicate with the Customer about the Services, including service and security notices.

We do not sell Personal Data. We do not use End User content to train third-party AI models by default. Any exception requires the Customer's explicit, documented opt-in.

8. Sharing of data

8.1 Processors and sub-processors

We rely on infrastructure, communication and AI vendors that act as our sub-processors under written agreements. The current list is published in the Sub-processor List and updated as the stack changes.

8.2 Customer-enabled channel partners & integrations

When the Customer connects a third-party channel or system, data flows to and from that provider under its own privacy notice. This includes Meta (Facebook, Instagram, WhatsApp Business), Twilio, Gmail, Outlook/Microsoft 365, Shopify, WooCommerce, Squarespace, Calendly, Stripe, Revolut, Zapier, Make and n8n, among others.

8.3 Limited-use commitments for certain APIs

For APIs such as Gmail and Microsoft Graph we honor the provider's limited-use requirements: data accessed through those APIs is used only to deliver the user-facing feature, is not transferred to others except as needed for the feature, is not used for advertising, and is not read by humans except for security purposes, for legal reasons, or with the user's explicit consent.

8.4 Professional advisers & authorities

We may disclose data to auditors, lawyers, accountants, insurers and competent authorities when this is necessary to defend rights, comply with the law, or respond to a binding request.

8.5 Corporate transactions

In the context of a merger, acquisition or asset transfer, data may be shared with the counterparty under confidentiality. We will notify Customers and, where required, End Users.

9. Marketing, soft-spam, telemarketing & RPO

Email, SMS and WhatsApp marketing is sent only with valid consent. Every message offers a simple, free opt-out, and we honor it promptly.

Soft-spam (limited promotional communications about similar products to existing customers) is permitted under art. 130(4) Codice Privacy, with the same opt-out at any time and at the point of collection.

Telemarketing campaigns respect the Italian Registro Pubblico delle Opposizioni (RPO). Numbers registered in the RPO are filtered out before any campaign is launched.

10. Cookies, SDKs & similar technologies

Strictly necessary cookies are set without consent because they are required to deliver the Services. Non-essential cookies (analytics, marketing, profiling) are activated only after the user grants consent via the cookie banner.

We do not use dark patterns. The cookie banner offers a clear "accept", "reject" and "preferences" choice with equivalent prominence. Closing the banner does not equal consent, and all non-essential technologies remain off.

We do not perform device fingerprinting without consent. Full details, including names, durations and providers, are in the separate Cookie Policy.

11. AI features & model providers

11.1 Scope of AI processing

The platform uses large language and audio models to generate replies, transcribe audio, summarize conversations, classify intent and assist agents. AI is invoked only on the features the Customer has enabled.

11.2 No training / no sharing pledge

By default, End User content is not used to train MessageMind or third-party models. Sub-processors are contracted to disable training on our prompts and completions where the option exists. Any exception requires the Customer's explicit, written opt-in.

11.3 Data minimization & redaction

Where feasible, we redact from prompts any direct identifiers (emails, phone numbers, card numbers) that are not strictly required to answer. Prompt size and context are kept to the minimum needed.

11.4 Calls, audio & recordings

Audio is processed only when the Customer enables voice features. Recordings, transcripts and derived embeddings inherit the retention rules of the corresponding feature and are deleted on request, subject to legal-hold exceptions.

11.5 Custom voice cloning (optional)

Lawful basis & consent. Voice cloning is offered only with the explicit consent of the voice owner, with a clear description of purpose, duration and revocation rights.

Purpose limitation. A cloned voice is used solely for the purposes the voice owner has agreed to, on the specific MessageMind tenant that requested the clone.

Isolation. Voice models are tenant-isolated and not shared across Customers. They are not used to fine-tune third-party foundation models.

No impersonation / no identification. Cloned voices may not be used to impersonate other individuals, to bypass authentication or to circumvent voice-based identification.

Inputs & artifacts. Source audio, prompts, transcripts and intermediate artifacts are stored encrypted, with access strictly limited to engineers who need them for delivery or support.

Retention & deletion. Voice clones are deleted when consent is revoked, when the underlying contract ends, or at the end of the retention window agreed with the voice owner.

Transparency to End Users. When a cloned voice speaks to End Users, the Customer is responsible for the disclosure required by applicable law (e.g. AI Act transparency obligations).

11.6 Vendor roles & contracts

AI vendors act as our sub-processors under signed DPAs that implement Article 28 GDPR. The vendor list and roles are in the Sub-processor List.

11.7 Human oversight, fairness & safety

Customer admins can review, override or disable AI outputs. Sensitive flows (e.g. medical, financial) include guardrails and escalation paths to humans. Outputs are evaluated periodically for safety, accuracy and bias.

12. International data transfers

We prefer EU/EEA primary storage. When a transfer outside the EEA is needed (e.g. to a model provider in the US), we rely on the Standard Contractual Clauses (SCCs), the EU-US Data Privacy Framework where the recipient is certified, and on the supplementary measures appropriate to the destination.

13. Security

We protect the platform with TLS 1.2+ in transit, AES-256 encryption at rest, role-based access control, secure SDLC practices (code review, dependency scanning, secret management), business continuity procedures and periodic staff training.

In the event of a personal data breach, we notify the competent supervisory authority within 72 hours where the breach is likely to result in a risk to individuals, and we inform affected data subjects without undue delay where the risk is high.

14. Retention periods

We keep data only as long as it is necessary for the purposes described, plus the minimum period required by law. The table below summarizes our defaults; Customer-configurable items can be overridden in the relevant settings.

| Data category | Typical retention | Notes |
|---|---|---|
| Customer account data | Contract term + 24 months | Deleted sooner on verified request, unless required for legal claims. |
| OAuth tokens & integration configs | While integration active + 30 days | Tokens encrypted; revocation deletes access immediately. |
| API / webhook call logs | 12 to 18 months | For reliability, security and audit. |
| Billing & invoices | 10 years | Italian civil and fiscal law. |
| Support tickets & emails | 36 months | May be extended for legal claims. |
| Meeting / call recordings | 12 months | Unless earlier deletion is requested. |
| Conversation logs (End Users) | Customer-configurable; default 24 months | The Controller may override. |
| E-commerce data (Shopify / Woo / Squarespace) | Customer-configurable; default 24 months | Excludes full card data. |
| Scheduling data (Calendly) | Customer-configurable; default 24 months | Invitee name, email, time slots. |
| Payment event metadata (Stripe / Revolut) | Customer-configurable; typical 36 months | No full PAN / CVV. |
| Security logs | 12 months | Extended if an investigation is ongoing. |
| Product analytics (pseudonymous) | 24 months | Shorter if consent is withdrawn. |
| Cookie identifiers | Per Cookie Policy | Respect device settings. |

15. Your rights

Subject to the conditions of Articles 15 to 22 GDPR, you have the right to access your data, to rectify it, to erase it, to restrict its processing, to data portability, to object to processing based on legitimate interests, to withdraw consent where consent is the legal basis, and not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you.

How to exercise these rights

Write to [email protected]. End Users should contact the Customer first; we will route the request to the Customer and assist as Processor.

Complaints

You may lodge a complaint with the Garante per la protezione dei dati personali, or with the supervisory authority of your habitual residence, place of work or place of the alleged infringement.

16. Controller and Processor responsibilities

When MessageMind is a Controller (websites, marketing, billing, internal operations), it determines purposes and means of processing. When MessageMind is a Processor (delivery of the Services to a Customer), the Customer determines purposes and means within the boundaries of the DPA and the platform's configuration.

Each party is responsible for its share of obligations: notices to End Users, lawful collection, audience configuration, channel-specific rules, retention overrides, and the response to data subject requests.

17. Integrations & channel-specific disclosures

17.1 E-commerce platforms

Shopify, WooCommerce and Squarespace Commerce: order, customer and conversation metadata flows to enable order-aware replies, status updates and post-purchase support. Card data is never fetched; payment processors handle that directly.

17.2 Scheduling

Calendly: invitee name, email, time slot and the answers to the booking form are processed to confirm meetings and to enrich the conversation context.

17.3 Payments

Stripe and Revolut: we process payment event metadata (status, identifiers, amounts) to confirm transactions and to power receipts. We do not store full card numbers or CVV.

17.4 Email & webmail connectors

Custom SMTP/IMAP, Gmail and Outlook/Microsoft 365: the platform accesses inbox messages within the scope authorized at OAuth time, to deliver inbox-aware features. Limited-use rules apply where the provider requires them.

17.5 Telecoms & messaging

Twilio for SMS and voice, WhatsApp via Meta or Twilio for messaging: phone numbers, message content and call metadata are processed to deliver the conversation across these channels.

17.6 Automation hubs & custom APIs

Zapier, Make / Integromat, n8n and custom webhooks: the data shared depends on the workflow the Customer configures. The Customer is responsible for the lawfulness of the data fields that travel through these hubs.

17.7 Other knowledge & storage connectors

Knowledge bases, file storage and CRM connectors are processed within the scope authorized at connect time, and only to deliver the feature the Customer has activated.

18. Automated decision-making & profiling

The platform does not make decisions producing legal or similarly significant effects without human involvement. AI-suggested replies and lead scoring are advisory; Customer admins can review, override or disable them.

19. Data protection by design & DPIAs

Privacy by design and by default is embedded in our development lifecycle. Where a new feature is likely to result in a high risk to the rights and freedoms of individuals, we run a Data Protection Impact Assessment (DPIA) and consult the supervisory authority where required.

20. International users

If you access the Services from outside the EU/EEA, you acknowledge that data may be processed in the EU/EEA and, where necessary, in jurisdictions outside the EEA under the safeguards described in Section 12.

21. Changes to this Policy

We update this Policy from time to time. The version date at the top of the page reflects the latest update. Material changes are communicated in advance through the platform or by email.

22. Contact

Privacy matters: [email protected].

TMMA SRLS, Via Durazzo 28, 00195 Roma (RM), Italy.

Garante per la protezione dei dati personali: Piazza Venezia 11, 00187 Roma, Italy.

23. Governance, accountability & audits

We maintain internal policies on information security, data protection, vendor management, incident response, retention and acceptable use. Controls are reviewed periodically and adapted to the evolving threat landscape and to the scope of the platform.

Customers with a contractual right to audit may exercise it under the conditions agreed in the DPA, with reasonable notice and under confidentiality.

24. Data classification & handling rules

Data is classified as public, internal, confidential or restricted. Handling rules (storage, transit, sharing, retention, disposal) are aligned to the classification. Restricted data (e.g. credentials, secrets, special categories) receives the strongest protections.

25. Technical & organizational security measures (extended)

Network segmentation, principle of least privilege, secret management with rotation, dependency vulnerability scanning, hardened CI/CD, code review, audit logging, backup with point-in-time recovery, periodic restore tests and tabletop exercises for incident response.

Workstation security: full-disk encryption, MDM enrollment, endpoint detection, password manager, hardware-backed multi-factor authentication on critical systems.

26. Government & law-enforcement requests

We respond only to requests that are valid, lawful and properly addressed. We push back on requests that are overbroad or that do not meet the legal requirements of the jurisdiction. Where lawful, we notify the affected Customer before disclosure.

27. Data subject request (DSR) handling

We acknowledge DSRs without undue delay and reply within one month, extendable by two months where the request is complex or numerous. We verify the requester's identity in a proportionate way, route the request to the Customer when MessageMind is Processor, and keep an internal log to demonstrate accountability.

28. Consent management, cookies & preference center (extended)

We use a consent management platform that records, on a per-user basis, the categories accepted or refused, the timestamp, the text version of the banner and the way consent was collected. Users can change their preferences at any time through the preference center.

29. Advanced integration details & scopes (deep dive)

29.1 Shopify

OAuth scopes are limited to what the activated features require. Typical reads include orders, customers and conversation metadata. Writes (e.g. tagging an order, posting a note) are guarded by the Customer's configuration.

29.2 WooCommerce

Connected via REST API keys with the minimum permissions needed. Order and customer reads enable order-aware replies and proactive messages.

29.3 Squarespace

Connected via the Squarespace Commerce APIs to read orders and customer metadata for support and post-purchase workflows.

29.4 Calendly

OAuth scopes cover invitees, scheduled events and webhooks for booking lifecycle. Used to read invitee data and to power scheduling-aware replies.

29.5 Stripe

Restricted API key or OAuth with read access to payment events and customers. Used to confirm payments and to provide receipt context inside conversations.

29.6 Revolut

Business API access scoped to payment event reads. Same purpose as Stripe: confirmations and receipts in-conversation.

29.7 Gmail / Outlook

OAuth scopes are minimized to what the connector needs (read, send, modify labels). Limited-use rules apply: data is not used for advertising, is not transferred outside the feature, and is not read by humans except for security purposes, for legal reasons, or with explicit consent.

29.8 Twilio & WhatsApp

Phone numbers, SMS payloads, voice call metadata and recordings (when enabled) flow through Twilio. WhatsApp business messaging is governed by Meta's policies and by template approvals.

29.9 Zapier / Make / n8n

Webhooks and triggers exchange the fields the Customer maps in their workflow. The Customer is responsible for the lawfulness of the data sent or received through these automations.

30. AI transparency, fairness & evaluation

We document the intended purpose and limits of each AI feature. Outputs are evaluated periodically against quality, safety and bias criteria; failure modes drive guardrails and retraining of prompts or routing logic. End User-facing AI is disclosed where the law requires it.

31. Children & parental authorization (expanded)

The platform is not designed for children under the Italian minimum age (14). When a Customer's audience includes minors, the Customer is responsible for the age-gating, the parental authorization mechanism and the related notices. We provide configurable safeguards to support this.

32. Whistleblowing & reporting channels

Concerns about the lawfulness of processing, security incidents or breach of this Policy can be reported confidentially to [email protected]. We protect reporters from retaliation in line with applicable whistleblowing law.

33. Data portability & export formats

Customers can export account, conversation and configuration data in structured, machine-readable formats (typically JSON or CSV). End User portability requests are handled by the Customer with our assistance as Processor.

34. Service-specific terms & precedence

Some features and integrations are governed by additional terms (e.g. a feature-specific DPA addendum, a vendor's own terms). In the event of conflict, the more specific document prevails for that particular feature, while this Policy remains the general framework.

Annex A. Examples of processing activities (Records of Processing overview)

| Activity | Categories of data | Recipients | Retention |
|---|---|---|---|
| Account management | Identity, contact, billing | Internal teams, accountant | Contract + 24 months |
| Conversation delivery | Messages, attachments, identifiers | Channel partners, infra vendors | Customer-configurable, default 24 months |
| AI replies & summaries | Prompts, completions, transcripts | Model providers (sub-processors) | As per feature, no training by default |
| Billing & invoicing | Company, VAT, invoice content | Payment processor, tax authorities | 10 years (fiscal law) |
| Support | Ticket content, attachments | Support tooling, internal | 36 months |
| Security monitoring | IP, user-agent, audit logs | SIEM vendor, internal | 12 months |

Annex J. Lawful-basis matrix (examples)

| Processing | Legal basis | Notes |
|---|---|---|
| Account creation & service delivery | Contract — Art. 6(1)(b) | Required to provide the Services. |
| Billing & invoicing | Legal obligation — Art. 6(1)(c) | Italian civil and fiscal law. |
| Security & fraud prevention | Legitimate interests — Art. 6(1)(f) | Balanced against user rights. |
| Product analytics (pseudonymous) | Legitimate interests — Art. 6(1)(f) | Where consent is not required. |
| Marketing emails & SMS | Consent — Art. 6(1)(a) | Free, granular, withdrawable. |
| Soft-spam to existing customers | Art. 130(4) Codice Privacy | Opt-out at any time. |
| Non-essential cookies | Consent | Captured via the CMP. |
| Call / meeting recording | Explicit consent | Banner shown before recording. |
| Voice cloning | Explicit consent of the voice owner | Purpose-limited, tenant-isolated. |
| Special categories voluntarily shared | Art. 9 exception (typically explicit consent) | Extra safeguards apply. |

Annex K. Legitimate Interests Assessment (LIA) template (summary)

For each processing activity relying on legitimate interests we run a three-step test: (1) Purpose, the interest pursued; (2) Necessity, whether processing is necessary and proportionate to the purpose; (3) Balancing, the interests, rights and reasonable expectations of data subjects. The outcome is documented and periodically reviewed.

Annex L. DPIA triggers & checklist

Triggers include: large-scale processing of special categories, systematic monitoring, novel use of AI or biometric data, combining datasets in ways individuals would not reasonably expect, processing involving children at scale, and any feature flagged by a supervisory authority as high-risk.

The DPIA checklist covers: description of processing, necessity and proportionality, risk assessment, controls, residual risk, consultation with the supervisory authority where required.

Annex M. Security control catalog (non-exhaustive)

Identity and access (SSO, MFA, RBAC), encryption (TLS 1.2+, AES-256 at rest), key management with rotation, network segmentation, secure SDLC (code review, SAST, dependency scans), audit logging, backup and disaster recovery, vendor risk management, secure remote work, periodic awareness training, incident response runbooks.

Annex N. Cookie categories & CMP mapping

| Category | Purpose | Consent required | CMP toggle |
|---|---|---|---|
| Strictly necessary | Authentication, security, load balancing, language | No | Always on |
| Functional | Remember preferences, improve experience | Yes | Functional |
| Analytics | Pseudonymous product analytics | Yes | Analytics |
| Marketing | Advertising, attribution, retargeting | Yes | Marketing |
| Profiling | Behavioural profiling for personalization | Yes | Profiling |

Annex O. Article 30 ROPA example record (abridged)

Controller: TMMA SRLS. Activity: AI-assisted reply generation. Categories of data: conversation content, identifiers. Categories of data subjects: End Users of MessageMind Customers. Recipients: hosting and AI sub-processors. Transfers: EU/EEA primary, with SCCs and DPF where applicable. Retention: as per Section 14. Security measures: as per Section 13 and Annex M.

Annex P. Law-enforcement request transparency (policy)

We log the number, type and outcome of law-enforcement requests in aggregate, and we are committed to publishing transparency metrics when the volume becomes material. We notify Customers before disclosure unless prohibited by law.

Annex Q. Model providers & data-handling (placeholders)

The current list of AI sub-processors, the regions in which they process data and the contractual commitments on training and retention are maintained in the Sub-processor List, kept up to date as the stack evolves.

Annex R. Data deletion schedules & backup windows

Logical deletion is propagated to primary stores promptly. Encrypted backups expire on a rolling window (typically 30 days) after which data is unrecoverable. Restoration from backup re-applies the latest deletion log to avoid resurrecting deleted records.

Annex S. AI audio/voice cloning policy & consent language (templates)

S.1 Recording / transcription consent (call banner)

"This call is being recorded and transcribed for quality, training and AI-assisted support. You can object now and we will switch to a non-recorded path where available. For details on how we handle your data see our Privacy Policy."

S.2 Custom voice cloning — explicit consent

"I authorize TMMA SRLS (MessageMind) to create a synthetic voice model from my voice recordings, to be used exclusively by the tenant indicated above, only for the purposes described and within the retention period agreed. I have been informed about my right to withdraw this consent at any time without giving a reason."

S.3 Revocation language

"I revoke the consent previously given to create and use a synthetic voice model from my voice. I understand the voice model will be deleted within the timeframe stated in the Privacy Policy and that any prior, lawful use remains unaffected."

S.4 Prohibited uses

Synthetic voices may not be used to impersonate other individuals, to mislead End Users about the nature of the speaker where the law requires disclosure, to bypass authentication, or for any illegal, discriminatory or harassing purpose.

S.5 Security & access

Voice models, source audio and derived artifacts are encrypted at rest. Access is limited to engineers strictly involved in delivery or support. Access is logged and reviewed periodically.

Questions on this Policy? Write to [email protected].
