Privacy Policy

1. Introduction

Digital Agents Studio ("we", "us", or "our") operates the website digitalagents.studio and the Digital Agents Studio platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service. By accessing or using the Service, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

We collect information that you provide directly to us and information collected automatically when you use the Service:

2.1 Information You Provide

• Account Information: name, email address, and password when you create an account.
• Billing Information: payment details processed securely through Stripe. We do not store your full credit card number on our servers.
• Connected Accounts: when you connect third-party services (e.g., Instagram, WhatsApp), we collect the tokens and profile information necessary to provide the Service.
• API Keys: proprietary API keys you provide to configure your AI agents (see Section 5 for details on how we protect these).
• Communications: information you provide when contacting our support team.

2.2 Information Collected Automatically

• Usage Data: pages visited, features used, actions taken, and time spent on the platform.
• Device Information: IP address, browser type and version, operating system, and device identifiers.
• Cookies and Similar Technologies: we use cookies for session management, analytics, and preferences. See our Cookie Policy for details.

2.3 Meta Platform Data

When you connect your Instagram, Facebook, or WhatsApp accounts through our Service, we receive data from Meta's APIs ("Platform Data"). This may include:

• Instagram: your Instagram user ID, username, profile picture, and the content of Direct Messages sent to and from your professional account.
• Facebook Messenger: your Facebook Page ID, Page name, Page profile picture, Page-Scoped User IDs (PSIDs) of people who message your Page, and the content of Messenger conversations.
• WhatsApp: your WhatsApp Business Account (WABA) ID, phone number ID, display name, and the content of WhatsApp messages exchanged with your customers.

We use this Platform Data solely to provide the Service, including displaying conversations in your unified inbox and enabling AI-powered automated responses on your behalf. We do not sell, license, or otherwise commercialize Meta Platform Data. We do not use Platform Data for purposes unrelated to the Service, including advertising, data brokering, or building user profiles for third parties.

3. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Service.
• Process transactions and manage your subscription.
• Send you service-related communications, including billing reminders and security alerts.
• Respond to your requests, comments, and questions.
• Monitor and analyze usage trends to improve the Service.
• Detect, investigate, and prevent fraudulent or unauthorized activity.
• Comply with legal obligations.
• AI-Powered Responses:when you enable automated replies for your connected messaging channels (Instagram, Messenger, WhatsApp), the content of incoming customer messages is sent to third-party AI providers (Google Gemini and/or OpenAI) to generate contextual responses on your behalf. Only the message content and your agent's configuration (e.g., business name, instructions) are sent — no customer personal identifiers (names, phone numbers, emails) are included in AI prompts unless they appear within the message text itself. AI providers process this data under their own data processing agreements and do not use it to train their models.

4. Sharing of Information

We do not sell your personal information. We may share your information only in the following circumstances:

• Service Providers: trusted third parties who assist us in operating the Service (e.g., Stripe for payments, Resend for email delivery, Vercel for hosting). These providers are contractually obligated to protect your data.
• AI Processing Providers: Google (Gemini API) and OpenAI process message content to generate automated responses. These providers act as data processors on our behalf and are located in the United States. They are contractually prohibited from using your data for purposes other than providing the AI service.
• Database Provider: Turso (ChiselStrike, Inc.) hosts our application database, including conversation data and encrypted credentials. Located in the United States.
• Legal Requirements: when required by law, regulation, legal process, or governmental request.
• Business Transfers: in connection with a merger, acquisition, or sale of assets, in which case your data would remain subject to this Privacy Policy.
• With Your Consent: when you explicitly authorize us to share information with a third party.

5. Security of Your Information & Encryption of API Keys

We take the security of your data seriously and implement industry-standard measures to protect it:

• Encryption in Transit: all communications between your browser and our servers are encrypted using HTTPS (TLS 1.2+). This means that any data you transmit — including API keys, passwords, and personal information — is encrypted before it leaves your device and cannot be intercepted by third parties in transit.
• Encryption of Proprietary API Keys: any API keys you provide (e.g., OpenAI, third-party service keys) are encrypted at rest using strong, industry-standard encryption algorithms before being stored in our database. The keys are encrypted in such a way that only you, the end user, can use them through the Service. Our team does not have access to your plaintext API keys. We cannot view, read, or recover your original keys — only the encrypted version is stored.
• Encryption at Rest: all sensitive data stored in our databases is encrypted at rest.
• Access Controls: access to personal data is strictly limited to authorized personnel who need it to operate the Service.
• Regular Audits: we periodically review and update our security practices to address new threats and vulnerabilities.

While no method of electronic storage or transmission is 100% secure, we strive to use commercially acceptable means to protect your personal information.

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. If you close your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law (e.g., billing records). You may request deletion of your data at any time by visiting our Data Deletion page or by contacting us.

6.1 Meta Platform Data Retention

Data received from Meta APIs (Instagram, Facebook Messenger, and WhatsApp) is retained only for as long as necessary to provide the Service to you. Specifically:

• Conversation data (messages, contact identifiers) is retained while your account is active and the corresponding channel is connected.
• Access tokens are stored encrypted and are deleted immediately when you disconnect a channel or delete your account.
• Upon channel disconnection or account deletion, all associated Meta Platform Data (messages, contacts, tokens) is permanently deleted within 30 days.
• If Meta sends a Data Deletion Callback (e.g., when a user removes our app from their Instagram settings), we delete all data associated with that user immediately upon receipt of the callback.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: request a copy of the personal data we hold about you.
• Correction: request that we correct inaccurate or incomplete data.
• Deletion: request the deletion of your personal data.
• Portability: request a copy of your data in a structured, machine-readable format.
• Objection: object to the processing of your personal data for certain purposes.
• Withdraw Consent: where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, please contact us at support@digitalagents.studio.

8. Government & Law Enforcement Requests

We are committed to protecting the privacy of our users and handle all government and law enforcement requests for personal data with the following policies and procedures:

• Legal Validity Review: we evaluate every government or law enforcement request to confirm it is legally valid under applicable law. We require requests to be made through proper legal channels (e.g., court orders, subpoenas, or other valid legal process) and reject requests that lack a valid legal basis.
• Scope Limitation: when we receive a valid legal request, we narrow the scope of data disclosed to the minimum necessary to comply with the specific request. We do not provide bulk or unrestricted access to user data.
• User Notification: unless legally prohibited (e.g., by a gag order or court seal), we will notify affected users before disclosing their data in response to a government request, so they may seek legal remedies.
• Transparency: we have not received any national security requests for user data to date. If applicable law permits, we will publish aggregate information about the number and types of government requests we receive.
• No Voluntary Disclosure: we do not voluntarily provide user data to government agencies or law enforcement unless required by valid legal process or in emergency situations involving imminent risk of death or serious physical injury.

9. Third-Party Services

Our Service may contain links to or integrations with third-party websites and services (e.g., Instagram, Meta, OpenAI). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.

10. Children's Privacy

Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that information promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the Service after any changes constitutes your acceptance of the revised policy.

12. Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us:

• Email: support@digitalagents.studio
• Website: digitalagents.studio