Privacy Policy

Last updated: May 23, 2026

Chatsona.app ("Chatsona", "we", "us") provides tools for managing Instagram DM workflows, AI-assisted reply drafting, bot profiles, waitlist registration, subscriptions, connected account features, and related account and automation tools. This Privacy Policy explains what information we collect, how we use it, how we protect it, how we share it, how long we retain it, and the choices available to you.

Chatsona.app is currently operated as a pre-launch product under the Chatsona.app brand. Until a formal legal entity is established, privacy and data requests may be sent to info@chatsona.app. When a formal operating entity is established, this Privacy Policy will be updated with the legal entity name, registered address, and other legally required business information.

1. Scope and Our Role

This Privacy Policy applies to personal data processed through Chatsona.app, related web applications, waitlist pages, account features, connected platform features, subscription features, analytics, server logs, and communications with us.

For personal data that we process for our own business purposes, such as account registration, security, billing, analytics, product communications, and support, Chatsona acts as a data controller or equivalent role under applicable privacy laws.

For conversation data, message content, connected platform data, and other information imported, entered, or made available by a user through a connected Instagram or other platform account, Chatsona generally processes that data to provide the service to that user and in accordance with the user's configuration, instructions, and use of the product.

Users are solely responsible for ensuring that their use of Chatsona, including any processing of conversations involving third-party participants, complies with applicable laws, platform rules, privacy notices, consent requirements, confidentiality obligations, and any other legal basis requirements that apply to them.

2. Information We Collect

The information we collect depends on how you interact with Chatsona. We may collect the following categories of information:

  • Account information, such as name, e-mail address, password hash, account status, login activity, role, preferences, security metadata, and authentication information.
  • Waitlist information, such as e-mail address and the source you selected, including Reddit, X/Twitter, TikTok, Instagram, or Other.
  • Connected platform information, such as account identifiers, usernames, display names, profile URLs, access tokens, refresh tokens, token expiry data, scopes, tracked DM links, and related metadata needed to operate the service.
  • DM management and AI reply information, such as participant names/usernames, message text, timestamps, message metadata, conversation summaries, memory notes, pending reply drafts, bot settings, bot profiles, style samples, screenshots or manually entered style examples, personal profile information you enter, weekly schedule data, language settings, timezone settings, blocked topics, and training notes.
  • Billing and subscription information, such as plan, subscription status, renewal and cancellation dates, provider customer or subscription identifiers, usage limits, usage events, and audit records. We do not intend to store full payment card numbers; payments are handled by third-party payment processors when enabled.
  • Technical and usage data, such as page views, referrers, country or region, device and browser type, IP-derived information, performance metrics, product events, and server logs.

3. How We Collect Personal Data

We may collect personal data in the following ways:

  • Directly from you when you register, join the waitlist, update your profile, configure a bot, enter style samples, contact us, or use product features.
  • From connected platforms or integrations when you choose to connect an Instagram or other platform account and authorize Chatsona to access information needed to provide the service.
  • Automatically through the service, server logs, security systems, analytics tools, cookies or similar technologies where applicable, and product usage events.
  • From service providers, such as payment processors, e-mail providers, hosting providers, AI providers, or authentication systems, where needed to operate the service.
  • From communications with us, including support requests, e-mails, feedback, forms, or other messages.

4. Customer Content and Conversation Participant Data

When you connect an Instagram or other platform account, Chatsona may process information relating to people you communicate with, including their usernames, display names, profile information made available through the platform, message content, message metadata, conversation summaries, and other conversation-related information. We refer to this as conversation participant data.

Chatsona does not have a direct relationship with most conversation participants. If a conversation participant wants to access, correct, delete, or restrict the use of information that a Chatsona user has imported or processed through the service, the participant should generally contact that Chatsona user first. If a participant contacts us directly, we may ask for information needed to identify the relevant account and may forward or refer the request to the applicable user where appropriate.

Users must not use Chatsona to collect, monitor, store, process, profile, or automate conversations in a way that violates applicable law, Meta/Instagram rules, confidentiality obligations, privacy rights, or the rights of other individuals. Users are solely responsible for providing any required notices, obtaining any required permissions or consents, and ensuring that they have a valid legal basis for processing conversation participant data.

5. Sensitive Personal Data

Chatsona is not designed for the intentional collection or processing of sensitive personal data. You should not intentionally submit sensitive personal data to Chatsona, including information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health information, sex life or sexual orientation, criminal records, precise location data, or similar special-category information under applicable law.

Because DM content may contain free-text messages, sensitive personal data may appear incidentally in conversations. Where this occurs, Chatsona processes such information only as necessary to provide the requested service, secure the service, comply with law, or protect rights and safety. We do not intentionally use sensitive personal data to infer sensitive characteristics or for advertising purposes.

6. How We Use Information

We use information to:

  • Create, authenticate, manage, and secure accounts.
  • Provide DM management, conversation tracking, AI-assisted reply drafting, pending reply workflows, bot profile features, language and timezone-aware settings, weekly schedules, and automation settings.
  • Generate AI-assisted reply drafts and, where enabled by the user, support automated reply flows according to user settings.
  • Save bot profiles, preferences, blocked topics, style samples, training notes, conversation summaries, and memory notes.
  • Manage waitlist registrations, early access communications, and product update e-mails.
  • Enforce plan limits, manage subscriptions, process billing metadata, and maintain audit records.
  • Prevent fraud, abuse, unauthorized access, spam, security incidents, and misuse of the service.
  • Debug issues, provide support, improve product reliability, maintain logs, analyze aggregate usage, and improve the product.
  • Comply with legal obligations, enforce agreements, resolve disputes, and protect the rights, privacy, safety, and property of Chatsona, users, and others.

We do not sell DM content. We do not use your conversations to train our own model unless we separately ask for and receive explicit permission.

7. Legal Bases for Processing

Depending on your location and applicable law, we may process personal data under one or more legal bases, including performance of a contract, legitimate interests, consent, compliance with legal obligations, and protection of rights and safety.

Examples include:

  • Account creation, login, authentication, and core service features: performance of contract and legitimate interests in security and service operation.
  • DM management, connected account features, AI-assisted reply drafting, bot settings, and schedules: performance of contract, user instructions, and legitimate interests in operating requested features.
  • Security logs, fraud prevention, abuse detection, audit records, and service integrity: legitimate interests and legal obligations where applicable.
  • Billing, subscriptions, tax, accounting, chargebacks, and payment metadata: performance of contract, legal obligations, and legitimate interests.
  • Waitlist, early access, product updates, and marketing communications: consent or legitimate interests where permitted, with opt-out rights where required.
  • Analytics and product improvement: legitimate interests or consent where required by law.
  • Legal requests, disputes, enforcement, and compliance: legal obligations, legitimate interests, and establishment, exercise, or defense of legal claims.

8. AI Features and Providers

AI features may send relevant conversation context, message content, bot profile settings, style instructions, sample messages, personal information fields you provide, schedule data, language and timezone settings, blocked topics, memory notes, summaries, and reply instructions to third-party AI providers such as OpenAI, Anthropic/Claude, xAI/Grok, or another configured provider.

This means that, when AI features are used, DM content and related context may be transmitted to and processed on servers operated by third-party AI providers. These providers process the data to generate, evaluate, moderate, secure, or deliver the requested AI-assisted feature.

We aim to send only the information reasonably needed to generate, evaluate, or improve a requested AI-assisted reply or related feature. Where technically and commercially available, we prefer AI provider configurations that offer no-training commitments, zero-retention, reduced-retention, or similar privacy-protective settings. However, provider availability, configurations, retention practices, abuse monitoring practices, and terms may vary and may change over time.

Each AI provider may apply its own security, retention, abuse monitoring, compliance, and service operation policies. Users should not submit content to AI features unless they have the right and legal basis to do so.

AI-generated outputs may be inaccurate, incomplete, or inappropriate. Users are responsible for reviewing AI-assisted replies where manual review is enabled and for configuring automation carefully where auto-reply features are enabled.

9. Encryption and Protection of DM Data

Chatsona is designed to protect sensitive DM-related data. Sensitive conversation fields, including message text, participant names/usernames, conversation previews, memory summaries, pending reply drafts, sensitive conversation metadata, and connected platform tokens, are encrypted at rest where implemented in the application database.

Some operational identifiers, timestamps, relationship keys, usage records, indexing metadata, and service logs may be stored separately or in non-encrypted form where necessary to operate, secure, debug, enforce limits, maintain integrity, or comply with legal obligations.

Passwords are stored as cryptographic hashes and are not stored in plain text. Password reset, account reactivation, and e-mail change tokens are stored as hashed tokens.

Access to sensitive DM data is limited to what is necessary to operate, secure, debug, and support the service. We do not sell DM content or the personal information of conversation participants.

No method of transmission or storage is completely secure. We use reasonable administrative, technical, and organizational safeguards designed to protect personal data, but we cannot guarantee absolute security.

10. Deletion of DM Boxes and Conversation Participant Data

When you delete a DM box or tracked conversation from Chatsona, we remove the related conversation record from the active application database. This includes the other participant's stored name, username, external conversation identifier, message history, message previews, conversation summaries, memory notes, pending reply drafts, bot settings tied to that conversation, conversation logs, and related app-managed runtime artifacts.

After deletion, Chatsona will no longer use that deleted DM box or conversation for AI reply generation, memory, summaries, style analysis, automation, or future response context.

If you delete a connected Instagram or platform account, we delete the DM conversations, messages, bot settings, tracked thread references, and platform account tokens associated with that connected account from the active application database.

Some limited records may remain temporarily in encrypted backups, security logs, billing records, subscription usage records, e-mail notification logs, or audit logs where necessary for security, fraud prevention, legal compliance, dispute resolution, or service integrity. These retained records are not used to generate replies or rebuild deleted DM context.

11. Account Deletion and Reactivation

If you delete your Chatsona account, we remove connected platform accounts, DM conversations, messages, bot profiles, platform tokens, and related workspace data from the active application database, subject to limited retention for legal, billing, security, backup, and audit purposes.

If you later reactivate a deleted account, the account is reactivated with a fresh product workspace. Previously deleted DM boxes, conversation participant data, message history, bot profiles, and connected platform data are not restored into the active product experience.

12. Data Deletion Instructions

You may request deletion of data held by Chatsona by using in-product controls where available or by contacting info@chatsona.app. We may ask for information needed to verify your identity and identify the relevant account, connected platform, DM box, or conversation.

To delete a DM box or tracked conversation, use the DM box deletion controls in the product. This removes the related active conversation data from Chatsona as described above.

To disconnect a connected Instagram or platform account, remove the account from Chatsona's connected account settings. This removes the platform account connection and associated active DM workspace data.

To delete your Chatsona account, use the account deletion flow where available or contact info@chatsona.app.

If you are a Meta/Instagram user seeking deletion of data obtained through Meta/Instagram integrations, you may contact info@chatsona.app with enough information to identify the relevant Chatsona account or connected platform account. We will process verified requests in accordance with applicable law and platform requirements.

We may retain limited records where necessary for backups, security, fraud prevention, billing, accounting, legal compliance, dispute resolution, or audit purposes.

13. Sharing and Third-Party Services

We may share personal data only as described in this Privacy Policy, as needed to provide the service, as instructed by the user, with consent, or as required or permitted by law.

We may share information with:

  • Service providers that help us operate Chatsona, including hosting, analytics, e-mail, infrastructure, AI, database, logging, support, and payment providers.
  • Connected platforms such as Meta/Instagram where needed for account connection, message management, platform functionality, token validation, or other connected account features.
  • Payment processors when billing features are enabled. Payment processors may process payment information under their own terms and privacy policies.
  • Professional advisors, such as lawyers, auditors, accountants, insurers, or consultants, where necessary for business, compliance, legal, or risk management purposes.
  • Authorities, courts, law enforcement, or other parties where required by law, legal process, or where we believe disclosure is necessary to protect rights, safety, security, or service integrity.
  • Successors or acquirers in connection with a merger, acquisition, financing, restructuring, or sale of assets.

We do not knowingly sell personal information. We do not sell DM content or conversation participant personal information.

14. Sub-processors and Service Providers

We use third-party service providers and sub-processors to operate Chatsona. These providers are permitted to process personal data only for the purposes of providing their services to us or as otherwise permitted by applicable law and their agreements with us.

Provider names, availability, and processing locations may change over time. We may update this list from time to time.

Current provider categories include:

  • Vercel: hosting, deployment, web analytics, performance monitoring. Data processed may include usage data, page views, technical data, region/device/browser data.
  • Resend or similar e-mail provider: transactional and product e-mails. Data processed may include e-mail address, e-mail metadata, and message delivery information.
  • OpenAI, Anthropic/Claude, xAI/Grok, or configured AI provider: AI-assisted reply drafting and related AI features. Data processed may include conversation context, bot settings, style instructions, samples, summaries, and reply instructions.
  • Meta/Instagram or connected platform provider: connected account functionality and platform integration. Data processed may include account identifiers, usernames, scopes, tokens, thread references, and platform metadata.
  • Payment processor when enabled: billing and subscription processing. Data processed may include customer/subscription identifiers, payment status, and billing metadata. Chatsona does not intend to store full card data.
  • Database, infrastructure, logging, or security providers: storage, backups, logs, security, monitoring, and service reliability. Data processed may include account data, service data, encrypted sensitive fields where implemented, logs, and metadata.

Where required, we may make additional sub-processor information available upon request or through a dedicated sub-processor page.

15. Analytics, Cookies and Similar Technologies

We use Vercel Web Analytics and server logs to understand traffic and page performance. This helps us see aggregate metrics such as page views, referrers, country or region, device, browser, and performance information. Vercel Web Analytics does not rely on third-party advertising cookies, and we do not use analytics to sell personal data.

Chatsona may use cookies, local storage, session storage, or similar technologies for authentication, security, preferences, analytics, performance, and product functionality.

Current categories may include:

  • Essential technologies: authentication, security, session management, fraud prevention, and service functionality.
  • Functional technologies: language, timezone, interface, and product preferences.
  • Analytics technologies: privacy-conscious traffic and performance analytics, currently through Vercel Web Analytics.
  • Marketing technologies: not currently intended for third-party advertising cookies or retargeting. If introduced later, they will be disclosed and controlled as required by law.

Where required by applicable law, we will request consent before enabling non-essential cookies, pixels, retargeting, advertising measurement, or similar tracking technologies. Users may be able to manage cookie or storage preferences through browser settings or consent controls where available.

16. E-mail Communications

We may send transactional e-mails such as welcome messages, password reset messages, account reactivation messages, e-mail change confirmations, subscription notices, cancellation notices, billing notices, product notices, and security messages.

If you join the waitlist, we may send early access and product update e-mails. Marketing e-mails will include a clear way to opt out where required. Where applicable, we will honor marketing opt-out requests within the legally required timeframe. Even if you opt out of marketing e-mails, we may still send transactional, account, billing, security, or service-related communications.

17. Retention

We keep personal data for as long as reasonably necessary to provide the service, comply with legal obligations, resolve disputes, enforce agreements, maintain security, preserve backups, prevent fraud and abuse, and protect rights and service integrity.

Our current target retention periods are:

  • Account data: for the life of the account and up to 24 months after closure, unless longer retention is required for legal, security, billing, audit, or dispute purposes.
  • Waitlist data: until you unsubscribe, request deletion, or up to 24 months after launch/early access completion, unless continued communication is permitted by law or consent.
  • Connected account tokens: until the connected account is disconnected, the token expires or is revoked, or the account is deleted, subject to limited security/audit retention.
  • DM content and conversation data: until you delete the relevant DM box, disconnect the platform account, delete your account, or request deletion, subject to limited backup, audit, legal, and security retention.
  • Bot profiles, style samples, memory notes, schedules, and settings: until deleted by the user, the related workspace/account is deleted, or no longer needed to provide the service.
  • Billing and subscription records: up to 7 years or longer where required for tax, accounting, chargebacks, fraud prevention, disputes, or legal obligations.
  • Security, audit, and server logs: generally up to 12 months, unless needed longer for security investigation, abuse prevention, compliance, legal claims, or service integrity.
  • Backups: generally up to 90 days according to backup rotation and disaster recovery procedures, then deleted or overwritten in the ordinary course, unless preservation is required for security, legal, or disaster recovery reasons.
  • E-mail notification logs: generally up to 24 months, unless needed longer for security, compliance, dispute resolution, or delivery troubleshooting.

Deleted data may remain temporarily in backups or logs but will not be used to generate replies, rebuild deleted DM context, or re-create deleted product experiences.

18. International Transfers

Your information may be processed in countries other than where you live, including countries that may have data protection laws different from those in your jurisdiction.

Where required by applicable law, we use appropriate safeguards for international transfers. These may include data processing agreements, Standard Contractual Clauses, adequacy decisions, vendor commitments, technical and organizational safeguards, encryption, access controls, and other lawful transfer mechanisms.

Some service providers, including hosting, AI, infrastructure, analytics, e-mail, or payment providers, may process data in multiple regions. Provider locations may change over time.

19. Your Rights and Choices

Depending on your location and applicable law, you may have rights to request access, correction, deletion, restriction, portability, objection to processing, withdrawal of consent, information about sharing, or opt-out from marketing. You may also have the right to lodge a complaint with a competent data protection authority.

We may ask you to verify your identity before responding to a privacy request. We will respond within the timeframe required by applicable law. Some requests may be limited where we need to retain information for security, billing, legal compliance, dispute resolution, fraud prevention, or service integrity.

You can also control certain information directly through the product by deleting DM boxes, disconnecting connected platform accounts, deleting bot profiles or settings, updating account information, or deleting your account where available.

20. Regional Privacy Rights

Turkiye / KVKK:

Users located in Turkiye may exercise rights under applicable Turkish data protection law, including rights to learn whether personal data is processed, request information about processing, learn the purpose of processing, know third parties to whom personal data is transferred, request correction or deletion where applicable, object to certain processing, and request compensation for damages where applicable. Requests may be sent to info@chatsona.app.

For users in Turkiye, personal data may be transferred abroad to infrastructure, e-mail, analytics, AI, payment, and connected platform providers where necessary to provide the service, subject to applicable legal mechanisms and safeguards.

EEA / UK / Switzerland:

Where applicable, you may have rights under the GDPR, UK GDPR, or similar laws, including access, correction, deletion, restriction, portability, objection, withdrawal of consent, and the right to complain to a supervisory authority. Where we process conversation data on behalf of a Chatsona user, we may need to refer or coordinate your request with that user.

California:

California residents may have rights under the CCPA/CPRA, including the right to know, access, delete, correct, opt out of sale or sharing of personal information where applicable, limit use of sensitive personal information where applicable, and be free from discrimination for exercising these rights.

We do not knowingly sell personal information. We do not knowingly share DM content for cross-context behavioral advertising.

Other regions:

Additional rights may apply depending on your jurisdiction. We will respond to privacy requests in accordance with applicable law.

21. Children and Age Requirements

Chatsona is not intended for children or for individuals below the minimum age required by applicable law. In general, you must be at least 18 years old to use Chatsona.

We do not knowingly collect personal information from children. We may request confirmation of age or take reasonable steps to restrict access if we become aware that a user does not meet the applicable age requirement.

If we learn that we have collected personal information from a child without appropriate consent, we will take reasonable steps to delete that information. Parents or legal guardians may contact us if they believe a child has provided personal data to Chatsona.

22. Security Incidents and Breach Notification

If we become aware of a security incident that results in unauthorized access to personal data and is likely to create a risk to users' rights or privacy, we will take reasonable steps to investigate, mitigate, and notify affected users and/or relevant authorities where required by applicable law.

Where GDPR, KVKK, or similar rules require notification to a competent authority, we will aim to notify without undue delay and, where required and feasible, within 72 hours after becoming aware of the breach. Where notification within that timeframe is not feasible, we may provide reasons for the delay as required by applicable law.

Users are responsible for maintaining the confidentiality of their account credentials, using strong passwords, securing connected platform accounts, and promptly notifying us of suspected unauthorized access.

23. Automated Decision-Making and AI Automation

Chatsona may generate AI-assisted reply drafts, summaries, memory notes, and suggested responses based on user settings and conversation context. These features are intended to assist users with messaging workflows.

Where auto-reply features are enabled, Chatsona may send replies according to the user's configuration, schedule, blocked topics, and automation settings. Auto-reply features may affect interpersonal communications, brand perception, customer relationships, or business outcomes. Users are responsible for configuring these features carefully, monitoring their use, and disabling automation where appropriate.

We do not intend to make decisions that produce legal or similarly significant effects about individuals solely through automated processing. Chatsona's AI features are not intended to determine eligibility for employment, credit, housing, insurance, healthcare, legal rights, public benefits, or similarly significant decisions.

24. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect legal, technical, product, or business changes. If we make material changes, we will take reasonable steps to notify users, such as by updating the effective date, displaying an in-app notice, sending an e-mail, or using other appropriate communication methods.

Your continued use of Chatsona after an updated Privacy Policy becomes effective means that the updated policy applies to your use of the service, subject to applicable law.

25. Contact

For privacy requests, questions, or concerns, contact us at info@chatsona.app.