Privacy Policy
Effective date: 2025-11-04
This Privacy Policy explains how Polant Business SL (the “Service Provider”, “we”, “us”) processes personal data collected via our messaging assistants (“Bots”) integrated with Facebook (Pages/Messenger), Instagram Direct, WhatsApp Business, Telegram, Gmail, and TikTok Direct. Our workflow automation is orchestrated in n8n. We store conversation records and related data in our accounts at Notion, Supabase, MongoDB, and long-term in Google Sheets. This Policy is public and applies to all users who interact with our Bots.
1. Controller & Contact
Controller: Polant Business SL
Contact email: Antonpol2023@gmail.com
Data protection inquiries: Write “Data request” in the subject line.
2. Scope & Channels
We process data when you message our Pages or accounts through:
- Facebook Pages / Messenger, Instagram Direct (Meta)
- WhatsApp Business
- Telegram
- Gmail (incoming email to our mailboxes)
- TikTok Direct Messages
3. Categories of Data
- Identifiers and profile data you provide in messages (name, username/handle, phone number on WhatsApp, email address, company, role).
- Message content, attachments, timestamps, technical metadata (IP where available, user/chat IDs and message IDs sent by the platform).
- Operational data we generate: conversation labels, routing decisions, workflow/job IDs in n8n, status, and analytics (counts, response times).
4. Sources
Data originates from you (messages), from platform providers (Meta, including Facebook and Messenger; WhatsApp; Telegram; Google; TikTok), and from our internal systems (n8n, Notion, Supabase, MongoDB, Google Sheets).
5. Purposes & Legal Bases
- Responding to your requests and delivering services (contract performance or legitimate interest).
- Customer support and administration (legitimate interest).
- Security, abuse prevention, debugging (legitimate interest, legal obligation).
- Service analytics & quality improvement using aggregated statistics (legitimate interest).
- Marketing or proactive notifications (only with your prior consent where required; for WhatsApp Business, explicit opt‑in is required before proactive messaging).
6. Processing & Storage
We orchestrate flows in n8n and store records with the following processors under our accounts:
- Notion (CRM, notes, purchases data)
- Supabase (contact data required for identification in n8n)
- MongoDB (chat memory storage)
- Google Sheets (long‑term tables and logs)
- Stripe (payment processing for orders; invoices & refunds; we do not store full card numbers or CVC)
6A. Payments via Stripe
When you make a purchase or pay an invoice, payment processing is performed by Stripe. We transmit only data necessary to process the payment and comply with legal requirements, including:
- Billing details: name, email, phone, billing address;
- Order details: order ID, amount, currency, description, customer ID;
- Payment method metadata: card brand and last 4 digits, expiry month/year, payment method type (we do not receive or store full card numbers or CVC on our servers);
- Fraud‑prevention and risk signals provided by Stripe (where applicable).
Legal bases: contract performance (to process your transaction) and legitimate interests (fraud prevention and accounting compliance). Some transaction records must be retained to meet legal/tax obligations.
Retention: We retain our copies of transaction records only as long as necessary for accounting, refunds/chargebacks, and legal obligations. Stripe may retain data in accordance with its own legal obligations and policies.
Security & compliance: card data is handled by Stripe on PCI DSS‑compliant infrastructure using tokenization. Our systems receive only masked payment details and transaction references. We may use Stripe webhooks in n8n to update order status; webhook payloads are stored only to the extent required for operations and audit.
For details, refer to Stripe’s Privacy Policy and Security.
These vendors act as data processors. We maintain Data Processing Agreements where offered and configure access controls and encryption where available.
7. Sharing & Recipients
We share data only with:
- Platform providers to deliver messages (Meta/Facebook, Instagram, WhatsApp, Telegram, Google, TikTok).
- Cloud vendors listed in Section 6 as processors.
- Professional advisors, authorities, or courts where legally required.
8. Retention
Conversation data is retained for the duration necessary to handle your request and operate the Bots. Logs in Google Sheets may be kept long‑term for audit and compliance. We periodically review and delete or anonymize data that is no longer needed. You may request deletion at any time (see Section 10).
9. International Transfers
Some processors may operate outside your country. Where applicable, we rely on Standard Contractual Clauses or equivalent safeguards.
10. Your Rights
- Access, rectification, erasure (“right to be forgotten”), restriction, portability, and objection.
- Withdraw consent at any time where processing is based on consent (e.g., marketing or proactive WhatsApp notifications).
To exercise rights, contact us at Antonpol2023@gmail.com. We may need to verify your identity.
11. Data Deletion
You can request deletion of your data via the instructions at /privacy/data-deletion or by emailing us. For Meta (Facebook/Instagram), you may also remove our app/page access in your Facebook/Instagram account settings. For WhatsApp, send a message “STOP” to opt out. For email, reply with “UNSUBSCRIBE”. Where payments have been made, certain transactional records (e.g., invoices, refunds, chargebacks) may be retained as required by law and for accounting.
12. Security
We implement administrative, technical, and physical safeguards including role‑based access, transport encryption, and regular reviews of n8n workflows, databases, and integrations. Cardholder data is processed by Stripe; we do not store full PAN or CVC on our servers.
13. Children
Our Bots are not directed to children under 13. We do not knowingly collect personal data from children under 13; if you believe a child provided data, contact us to delete it.
14. Changes
We may update this Policy. Material changes will be indicated by updating the “Effective date”. Continued interaction with our Bots after changes constitutes acceptance.
This Policy is intended to satisfy the transparency requirements of applicable laws (e.g., GDPR Art. 13/14). Nothing here constitutes legal advice.