Privacy Policy
This policy explains what personal data Chit Chat Communications Ltd collects, how we use it, and your rights in relation to it.
Types of Data Collected
Among the types of Personal Data that Chit Chat Communications LTD collects, by itself or through third parties, there are: Tracker; Usage Data; email address; first name; last name; phone number; payment info; data communicated while using the service; and various types of data.
Complete details on each type of Personal Data collected are provided in the dedicated sections of this privacy policy or by specific explanation texts displayed prior to the data collection. Personal Data may be freely provided by the User, or, in case of Usage Data, collected automatically when using our service.
Unless specified otherwise, all Data requested by Chit Chat Communications LTD is mandatory and failure to provide this Data may make it impossible for Chit Chat Communications LTD to provide its services. Users who are uncertain about which Personal Data is mandatory are welcome to contact the Owner.
Mode and Place of Processing the Data
Methods of Processing
The Owner takes appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the Data. The Data processing is carried out using computers and/or IT-enabled tools, following organizational procedures and modes strictly related to the purposes indicated. In addition to the Owner, in some cases, the Data may be accessible to certain types of persons in charge, involved with the operation of Chit Chat Communications LTD (administration, sales, marketing, legal, system administration) or external parties (such as third-party technical service providers, mail carriers, hosting providers, IT companies, communications agencies) appointed, if necessary, as Data Processors by the Owner.
Legal Basis of Processing
The Owner may process Personal Data relating to Users if one of the following applies:
- Users have given their consent for one or more specific purposes.
- Provision of Data is necessary for the performance of an agreement with the User and/or for any pre-contractual obligations thereof.
- Processing is necessary for compliance with a legal obligation to which the Owner is subject.
- Processing is related to a task that is carried out in the public interest or in the exercise of official authority vested in the Owner.
- Processing is necessary for the purposes of the legitimate interests pursued by the Owner or by a third party.
Place
The Data is processed at the Owner's operating offices and in any other places where the parties involved in the processing are located. Depending on the User's location, data transfers may involve transferring the User's Data to a country other than their own. Users are entitled to learn about the legal basis of Data transfers to a country outside the European Union.
Retention Time
Personal Data shall be processed and stored for as long as required by the purpose they have been collected for:
- Personal Data collected for purposes related to the performance of a contract between the Owner and the User shall be retained until such contract has been fully performed.
- Personal Data collected for the purposes of the Owner's legitimate interests shall be retained as long as needed to fulfill such purposes.
Once the retention period expires, Personal Data shall be deleted. Therefore, the right of access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after expiration of the retention period.
Purposes of Processing
The Data concerning the User is collected to allow the Owner to provide its Service, comply with its legal obligations, respond to enforcement requests, protect its rights and interests, detect any malicious or fraudulent activity, as well as the following: Access to third-party accounts, Analytics, Contacting the User, Hosting and backend infrastructure, Handling payments, Remarketing and behavioral targeting, Advertising, Registration and authentication, Tag Management, and Interaction with live chat platforms.
TikTok Integration and Data Protection
1. TikTok Integration
Our application integrates with TikTok's API to enable messaging automation and related functionality. When you connect your TikTok account, we may access limited data such as: TikTok user IDs and usernames, message content and timestamps, and account profile details necessary to send or manage direct messages. This data is used solely to provide the services you have authorized and is not sold, shared, or used for unrelated purposes.
2. Data Identifiability and Security
The data received from TikTok will not be anonymized or de-identified, as identifiable information (such as TikTok user IDs and message content) is required to provide our messaging automation functionality. However, all data is transmitted and stored securely using industry-standard encryption (HTTPS/TLS and AES-256), accessed only by authorized personnel and systems, and retained only as long as necessary to provide the service and comply with applicable laws.
3. Data Protection Impact Assessment (DPIA)
A Data Protection Impact Assessment (DPIA) is conducted and maintained for our TikTok integration. This assessment identifies and mitigates potential risks to user privacy and ensures compliance with applicable data protection laws, including GDPR and other international standards.
4. Third-Party Risk Management
We maintain a Third-Party Risk Management Policy to evaluate and monitor all external platforms and service providers with whom we exchange data, including TikTok. This process includes security due diligence before establishing integrations, ongoing reviews of TikTok's API compliance and data protection controls, and immediate remediation procedures in case of any security or privacy concerns.
5. Information Security Framework
Our Information Security Program is aligned with industry-leading standards, including ISO/IEC 27001 (Information Security Management) and NIST Cybersecurity Framework (CSF) principles. This ensures that all data handled through the TikTok integration meets or exceeds accepted global best practices for confidentiality, integrity, and availability.
Google API Services User Data Policy
Our app complies with the Google API Services User Data Policy, including the Limited Use requirements. We only use user data for the purposes outlined in our privacy policy and do not share or sell user data to third parties. Specific Google API usage includes:
- Google Drive: We only read the list of Spreadsheets to allow you to select the Spreadsheet you want to work with.
- Google Sheets: We allow you to get data and update your Spreadsheet.
- Google Calendar: We read the list of events on your calendar to avoid overbooking and add events when a customer books an appointment.
- Dialogflow: We use Dialogflow to allow you to automate customer services and detect user intents.
Chit Chat Communications's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Facebook Permissions
Chit Chat Communications LTD may ask for Facebook permissions allowing it to perform actions with the User's Facebook account and to retrieve information, including Personal Data, from it. The permissions asked include:
- Basic information – id, name, picture, gender, and locale by default
- Business Management API – read and write with Business Management API
- Contact email – access the User's contact email address
- Instagram basic – reading an Instagram account profile information and media
- Instagram manage comments – creation, deletion and hiding of comments on behalf of the Instagram account
- Manage Pages – retrieve access tokens for Pages and Applications
- Page Messaging – send and receive messages through a Facebook Page
- Pages manage posts – creation, editing and deletion of Page posts
- Pages read engagement – access to content posted by the Page and followers data
Advertising
We may use User Data for advertising communication purposes. Some of the services we use may utilize Trackers to identify Users or employ behavioral retargeting techniques to display ads tailored to User interests and behavior. Services include Google Ad Manager and Facebook Lookalike Audience.
Users may opt out of behavioral advertising by visiting the Network Advertising Initiative opt-out page or by adjusting their device advertising settings.
User Rights
Users may exercise certain rights regarding their Data processed by the Owner. In particular, Users have the right to:
- Withdraw consent at any time where consent was previously given
- Object to processing of their Data
- Access their Data and check how it is being processed
- Verify and seek rectification of inaccurate Data
- Restrict the processing of their Data under certain circumstances
- Have their Personal Data deleted or otherwise removed
- Receive their Data and have it transferred to another controller (data portability)
- Lodge a complaint with their data protection authority
Any requests to exercise User rights can be directed to the Owner through the contact details provided. These requests can be exercised free of charge and will be addressed by the Owner as early as possible and always within one month.
California Privacy Rights (CCPA)
California residents have the right to know about personal information collected, disclosed or sold; to delete personal information; to opt-out of the sale of personal information; and to non-discrimination for exercising their rights. Some of our advertising services may constitute a "sale" under CCPA definitions. To opt out, please contact us at hello@chitchatbot.ai.
Contact Information
If you have any questions or requests regarding your personal data or this Privacy Policy, please contact us:
Chit Chat Communications Ltd
Email: hello@chitchatbot.ai