Privacy Policy & Data Protection Notice

Last updated: 27 August 2025
Applies to: messagemind.ai and subdomains, the MessageMind platform, APIs, SDKs, and related services (the “Services”).

Plain‑language summary: This Privacy Policy explains what data we collect, why we collect it, how we use it, how long we keep it, who we share it with, where we store it, and what rights you have. Where this notice differs for end‑users of our customers (“End Users”) versus our direct business customers (“Customers”), we say so explicitly.


1) Who we are and how to contact us

Data Controller (for our own website, accounts, billing, support, product analytics & marketing):
TMMA SRLS (“Company”)
VAT: IT17152861005
Registered office: Via Durazzo 28, 00195 Roma (RM), Italy
General contact: [email protected]
Privacy contact: [email protected]

Data Processor (for End User data processed on behalf of Customers using the Platform):
For content, messages, transcripts, metadata and other personal data processed on instruction of a Customer inside the Platform, TMMA SRLS acts as processor and the relevant Customer acts as controller. The controller’s privacy notice applies to End Users in addition to this one.

EU location & supervisory authority: We are established in Italy and our lead supervisory authority is the Garante per la Protezione dei Dati Personali (GPDP). You may also complain to your local EU/EEA authority.

Data Protection Officer (DPO): Not currently appointed because our processing does not currently meet the criteria requiring a DPO. We routinely reassess this and will update this Policy if a DPO is designated. You can still contact [email protected] with any privacy question.


2) Scope & relationship with other documents

  • This Policy complements our Terms & Conditions and our Data Processing Agreement (DPA). In case of conflict while we act as processor, the DPA prevails for processing performed on our Customer’s documented instructions.

  • This Policy covers websites, platform, APIs, chatbots, integrations (e.g., Meta channels, Twilio, Gmail, Outlook, custom email domains), and support channels.

  • Separate documents:

    • Cookie Policy explains cookies/SDKs and consent preferences; and

    • Sub‑processor List (kept updated online) identifies service providers.


3) Key definitions

  • Customer: the business entity purchasing/using our Services.

  • End User: an individual who interacts with a Customer’s channels (e.g., website chat, WhatsApp, Facebook/Instagram, SMS) that are connected to MessageMind.

  • Personal Data: any information relating to an identified or identifiable person.

  • Special Categories: data revealing racial/ethnic origin, political opinions, religious/philosophical beliefs, trade‑union membership; genetic, biometric, health, sex‑life or sexual orientation data.

  • Processing: any operation on personal data (collection, storage, use, disclosure, etc.).


4) What we collect

A. Data you provide directly

  • Account data (Customers): name, role, business email, phone, password hash, authentication tokens (e.g., OAuth), billing contact.

  • Billing & payments: invoicing address, VAT number, plan/usage records, payment method tokens (via our PCI‑compliant payment processor – we don’t store full card numbers).

  • Support communications: emails, chat messages, attachments, and call/meeting recordings only with explicit consent.

  • Consents & preferences: marketing opt‑in/opt‑out, cookie choices, channel permissions.

B. Data processed through the Platform (typically as processor)

  • Conversation content & metadata: user messages, attachments, timestamps, channel identifiers, delivery/read receipts.

  • Integrations data: when Customers connect channels (e.g., Meta Facebook/Instagram/WhatsApp Business APIs), Twilio (SMS/WhatsApp), email (custom SMTP), Gmail, Outlook/Microsoft 365 and other business systems (CRMs, helpdesks). We ingest and process only data required to provide the features configured by the Customer.

  • Chatbot/AI data: prompts, responses, context, knowledge base snippets, and system logs used to deliver and improve functionality; see §11 for AI specifics.

C. Data collected automatically

  • Technical logs & device data: IP address, device identifiers, OS/browser type, timestamps, log events, crash reports, and security signals (e.g., unusual login patterns).

  • Product analytics (pseudonymous): feature usage events, session identifiers, and A/B test flags. Where required, we obtain consent via our cookie banner.

D. Special categories & sensitive data

We do not seek to collect Special Categories. If Customers or End Users voluntarily share such data in conversations, it will be processed only to deliver the requested service, with additional safeguards, and should be avoided unless strictly necessary. Customers must not configure the Platform to intentionally collect Special Categories without an appropriate lawful basis and safeguards.

E. Children

Our Services are not directed to children. For information‑society services offered directly to minors in Italy, we treat 14 years as the minimum age for valid consent. If we learn we processed a child’s data without appropriate consent/authorization, we will delete it.


5) Why we process data (purposes) and legal bases

We rely on one or more of the following bases under GDPR and Italian law:

  • Contract (Art. 6(1)(b)): to create and manage accounts, deliver the Services, provide support, and fulfill SLAs.

  • Legal obligation (Art. 6(1)(c)): tax/recordkeeping, responding to lawful requests, consumer and telecom laws.

  • Legitimate interests (Art. 6(1)(f)): security (fraud/abuse detection, preventing spam), service improvement, internal analytics (where compatible and minimally intrusive), B2B relationship management, soft‑spam to existing paying Customers as permitted by Italian law (see §9), and legal defense. We conduct and document a balancing test and offer opt‑out where required.

  • Consent (Art. 6(1)(a)): non‑essential cookies/SDKs, direct marketing to prospects, meeting/call recordings, and where a Customer configures optional features that require consent.

Special Categories are processed only if an exception applies (e.g., explicit consent, legal claims) and only if strictly necessary.


6) Meeting, call, and video recordings (audio, video, transcripts)

  • We never record by default. We record only with the informed, explicit consent of participants, obtained via a clear in‑product notice and/or a verbal prompt at the start of the session.

  • Purposes: quality assurance, security incident review, training of staff, and documenting support interactions. Where Customers ask us to analyze recordings with AI (e.g., to summarize), we do so only under the Customer’s instructions and consent.

  • Controls: participants can decline, stop, or later withdraw consent; if consent is withdrawn, we cease future recordings and—where feasible—delete existing recordings unless retention is required by law or for legal claims.

  • Storage & access: recordings are encrypted; access is role‑based and logged; we minimize retention (see §14).

  • Third‑party meeting tools: if you use Zoom, Google Meet, Teams, or similar, their privacy terms apply independently; we receive recordings/transcripts only if you explicitly share or integrate them.


7) What we do with data

  • Provide, maintain, and secure the Services; route and deliver messages across connected channels.

  • Configure and operate chatbots, automations, and integrations selected by Customers.

  • Troubleshoot, support, and improve reliability and user experience.

  • Detect, prevent, and remediate spam, fraud, and abuse; protect accounts and networks.

  • Analyze aggregated usage patterns (de‑identified where possible) to improve product performance.

  • Communicate service announcements, security alerts, and product updates.

  • Conduct permitted marketing to Customers and prospects (see §9) with clear opt‑out mechanisms.

We do not sell personal data. We do not use End User content to train third‑party foundation models unless the Customer has enabled a feature that explicitly requires such sharing and has a valid lawful basis for it.


8) Sharing of data

We share personal data only with:

  • Processors/Sub‑processors who help us deliver the Services under written contracts that include GDPR Art. 28 terms and confidentiality obligations (e.g., cloud hosting, storage, security monitoring, email/SMS delivery, communications APIs, analytics, customer support tooling, and AI model providers used as processors). We maintain an updated list online.

  • Channel partners / integrations that Customers connect by choice (e.g., Meta/WhatsApp/Facebook/Instagram, Twilio, Gmail, Microsoft Outlook/365, custom SMTP/IMAP, CRMs, helpdesks). When enabled, we exchange the minimum necessary data to provide the selected features.

  • Professional advisors (lawyers, auditors) under confidentiality.

  • Public authorities when legally required or to protect rights/safety.

  • Corporate transactions (merger, acquisition, restructuring) subject to safeguards and notice.

We require all recipients to implement appropriate technical and organizational measures.


9) Marketing, soft‑spam, telemarketing & the Registro Pubblico delle Opposizioni (RPO)

  • Email/SMS/WhatsApp marketing to prospects requires prior consent where e‑privacy rules apply; every message provides a clear opt‑out.

  • Soft‑spam (Italy, art. 130(4) Codice Privacy): we may send promotional emails only to existing paying Customers about similar products/services without prior consent, provided we offered an opt‑out at collection and in every message. If you never purchased from us, we won’t rely on soft‑spam. You can opt out at any time.

  • Telemarketing: when conducting telephone marketing in Italy, we respect the Registro Pubblico delle Opposizioni (RPO) to suppress registered numbers and follow applicable rules.


10) Cookies, SDKs & similar technologies

  • We use necessary cookies for security (e.g., session management, CSRF protection). These do not require consent.

  • We use non‑essential cookies/SDKs (analytics, A/B testing, advertising) only with your consent via our cookie banner. You can withdraw or change choices anytime via the Cookie Settings link.

  • Consent banners offer granular choices, easy reject options, and no dark patterns. Closing the banner without a choice results in non‑essential tools staying off.

  • Server‑side or device fingerprinting for tracking is not used without consent.

Full details appear in our Cookie Policy, including vendor identities, purposes, storage periods, and how to manage identifiers on your device.


11) AI features & model providers

  • AI features may send prompts/inputs (which can include personal data) to hosted models to generate responses, summarize content, classify intents, or perform automations configured by Customers.

  • Default stance: we use provider configurations or enterprise programs that contractually exclude the use of Customer or End User content to train or improve the provider’s models. Content is made available for training only where the Customer has explicitly opted in and has obtained valid consent or another lawful basis.

  • We log model usage metadata (timestamps, token counts, error codes) for reliability and billing. Where feasible, we pseudonymize inputs.

  • Customers remain responsible for their prompts, instructions, and datasets loaded into knowledge bases. We provide controls to delete conversations, purge knowledge sources, or exclude data from chat contexts.


12) International data transfers

  • We prefer EU/EEA data residency for primary storage whenever possible. Some processors or integrations may transfer data outside the EEA.

  • When personal data is transferred internationally, we rely on lawful mechanisms such as adequacy decisions (e.g., EU–US Data Privacy Framework for certified recipients) and/or Standard Contractual Clauses (SCCs) plus supplementary measures (encryption in transit and at rest, access controls, minimization). We monitor legal developments and adjust our transfer tools as needed.


13) Security

We apply defense‑in‑depth safeguards:

  • Encryption in transit (TLS 1.2+) and at rest; segregation of environments.

  • Role‑based access control (RBAC), least privilege, SSO/MFA for staff, just‑in‑time access with approvals and logging.

  • Secure software development lifecycle (threat modeling, code review, secrets management, dependency scanning, vulnerability management, and regular penetration tests).

  • Business continuity (backups, disaster recovery), change management, vendor risk assessments, data minimization and pseudonymization where appropriate.

  • Employee confidentiality and security training.

Incident response: If we become aware of a personal‑data breach, we assess the risk and notify affected Customers without undue delay. Where we are controller and the breach is notifiable, we notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, and we notify affected individuals when required.


14) Retention periods (how long we keep data)

We keep personal data only as long as necessary for the purposes collected, including to meet legal/accounting/reporting requirements. Typical periods are:

Data category | Typical retention | Notes
--- | --- | ---
Customer account data (profile, credentials) | For the contract + 24 months after closure | Deleted sooner on verified request unless needed for legal claims.
Billing & invoices | 10 years | To meet Italian civil/fiscal law.
Support tickets & emails | 36 months | May be extended for legal claims.
Meeting/call recordings (with consent) | 12 months | Unless earlier deletion is requested or longer retention is needed for security/legal claims.
Conversation logs (End Users) | Configurable by Customer; default 24 months | Customer may override via settings or the DPA.
Security logs | 12 months | Extended if investigating abuse/fraud.
Product analytics (pseudonymous) | 24 months | Shorter if required by consent withdrawal.
Cookie identifiers | Per Cookie Policy | Respects browser/device settings and consent.

When retention ends, we delete or irreversibly anonymize data. Backups are purged on rolling schedules.


15) Your rights

Depending on your role and location, you can:

  • Access your data and obtain a copy.

  • Rectify inaccurate or incomplete data.

  • Erase data (“right to be forgotten”).

  • Restrict processing in certain cases.

  • Port data in a structured, commonly used, machine‑readable format.

  • Object to processing based on legitimate interests, and to direct marketing at any time.

  • Withdraw consent at any time (does not affect prior lawful processing).

  • Not be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects, unless permitted by law with safeguards.

How to exercise rights: email [email protected]. If you are an End User of a Customer, please contact that Customer (the controller) first; we will support them as processor.

Complaints: you may lodge a complaint with the Garante per la Protezione dei Dati Personali or with your local supervisory authority. We would appreciate the chance to resolve your concerns first.


16) Controller ↔ Processor responsibilities

  • When we are controller, this Policy applies in full and we determine purposes and means.

  • When we are processor, we process personal data only on documented instructions of the Customer (controller), under the DPA, and subject to audits. We assist the controller with data‑subject requests, security, breach notifications, DPIAs and prior consultations where applicable.


17) Integrations & channel‑specific disclosures

Meta (Facebook, Instagram, WhatsApp)

  • If a Customer connects these channels, we process message content, attachments, profile identifiers and delivery metadata to route/respond and to provide analytics. WhatsApp Business messaging may flow via Meta’s Cloud API or via Twilio. In either case WhatsApp’s end‑to‑end encryption terminates at the Business API endpoint operated by Meta or Twilio; from there, message content reaches us in decrypted form protected by transport encryption (TLS), so End Users should not assume that messages handled by a business account are end‑to‑end encrypted to the business itself. We do not enable features that read device address books.

Twilio (SMS/WhatsApp/voice)

  • We exchange message/voice content and metadata as required to deliver communications. Phone numbers are used solely to route messages and for anti‑abuse controls.

Email connectors (custom SMTP/IMAP, Gmail, Outlook/Microsoft 365)

  • With your authorization, we access the minimum scopes required to read, send and organize messages for the features you enable (e.g., unified inbox, automated replies). We store message content and metadata only as necessary to provide the Services and to maintain an audit trail. You can disconnect at any time.

Web chat widgets & forms

  • If you embed our widgets, you must provide your own privacy notice on your domain, inform End Users of the data flows, and collect any required consents (cookies, marketing, recordings, optional fields).


18) Automated decision‑making & profiling

We do not perform decisions based solely on automated processing that produce legal or similarly significant effects on individuals. We may use profiling for routing (e.g., automatically classifying messages for faster support) or for security (spam/fraud detection). You can object to profiling for marketing at any time.


19) Data protection by design & DPIAs

We incorporate privacy by design/default into product architecture, including minimization, pseudonymization, and configurable retention. We conduct Data Protection Impact Assessments (DPIAs) where processing is likely to result in high risk (e.g., large‑scale monitoring across multiple channels, novel AI use, or processing of special‑category data). Where required, we will consult the supervisory authority before proceeding.


20) International users

If you access the Services from outside the EU/EEA, data may be processed in the EU/EEA and other countries where our processors operate, under the safeguards described in §12 and our DPA.


21) Changes to this Policy

We may update this Policy to reflect legal, technical or business developments. We will post the updated version with an effective date and, where changes are material, provide email or in‑app notice at least 30 days in advance. Continued use after the effective date constitutes acknowledgment of the updated Policy.


22) Contact

Questions or requests?
Email: [email protected]
Postal: TMMA SRLS, Via Durazzo 28, 00195 Roma (RM), Italy
Supervisory Authority: Garante per la Protezione dei Dati Personali, Piazza Venezia 11, 00187 Roma, Italy.


Annex A — Examples of processing activities (Records of Processing overview)

This appendix summarizes typical processing activities; the full Article 30 records are maintained internally and available to authorities upon request.

Role | Activity | Categories of data | Purpose & legal basis | Recipients | Transfers | Retention
--- | --- | --- | --- | --- | --- | ---
Controller | Website & account operation | Identifiers, contact data, credentials, logs | Contract; legitimate interests (security, product improvement) | Hosting, security, analytics providers | Possible non‑EEA via SCCs/DPF | See §14
Controller | Billing | Identity, VAT, payment identifiers | Legal obligation; contract | Payment processor, accountants | EEA / EEA‑equivalent | 10 years
Controller | Marketing (prospects) | Contact data, consent status | Consent; legitimate interests for B2B outreach where permitted | Email/SMS providers | Possible non‑EEA via SCCs/DPF | Until withdrawal + up to 24 months
Controller | Soft‑spam to paying Customers | Contact data | Legitimate interests & e‑privacy soft‑spam exception | Email provider | EEA / SCCs as needed | 24 months from last contact
Processor | Omnichannel messaging for Customers | Message content, attachments, metadata | Controller’s chosen basis (usually contract or legitimate interests; sometimes consent) | Channels (Meta, Twilio, email), AI processors | As configured by Customer | Customer‑defined (default 24 months)
Controller/Processor | Meeting/call recording (with consent) | Audio/video, transcript, participants | Consent; legitimate interests for security/legal defense | Secure storage, optional AI transcript service | As configured | 12 months (unless legal claims)

Annex B — Cookie & tracking technologies (summary)

  • Strictly necessary (session, security, load balancing): no consent required; stored for session or limited periods.

  • Analytics & performance: load only with consent; IP masking, short retention; no cross‑site tracking without consent.

  • Advertising/retargeting: off by default; only with consent; per‑vendor controls and easy opt‑out.

  • Server‑side tracking: treated as similar to cookies; not used for marketing without consent.

See our Cookie Policy for the full, always‑current vendor list and lifetimes.


Annex C — How we handle requests & complaints

  • We verify identity for rights requests and respond within one month (extendable by two months for complex requests, with notice). We keep a limited log of requests to demonstrate compliance.

  • For complaints, you may contact us first. You can also contact the Garante Privacy or your local authority. We cooperate fully with regulators and dispute‑resolution bodies and, where applicable, participate in third‑party redress mechanisms related to international transfers.


Annex D — Customer responsibilities (when you are the controller)

If you are a Customer using our Platform to process End User data, you must:

  1. Provide your own clear and accessible privacy notice to End Users that describes your use of MessageMind and the channels you connect (Meta, Twilio, Gmail/Outlook, etc.), including the lawful bases you rely on.

  2. Obtain and manage all necessary consents (cookies, marketing, recordings, use of special categories, WhatsApp/SMS opt‑ins, etc.).

  3. Configure retention to match your policies; avoid uploading special‑category data unless necessary and justified.

  4. Respect opt‑outs and the RPO when engaging in telemarketing in Italy.

  5. Enter into our DPA and flow down GDPR‑equivalent terms to your own processors.

  6. Use our security features (SSO, MFA, roles, audit logs) and notify us promptly of any suspected breaches affecting data in our systems.


Annex E — Vendor & sub‑processor categories (illustrative)

  • Cloud hosting & storage (EU regions preferred)

  • Content delivery & DDoS protection

  • Email delivery & inbox connectors (custom SMTP/IMAP, Gmail, Outlook)

  • Telecoms & messaging (Twilio; WhatsApp Business via Meta/Twilio)

  • Analytics & error monitoring

  • Security monitoring & IAM

  • AI model providers / vector databases (processor role; no training by default)

  • Payments & accounting

  • Customer support & ticketing

The authoritative, current list with legal entities and locations is maintained on our website and forms part of the DPA.