1. Introduction
Welcome to Chata, operated by Tauras Nienius. We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Instagram DM AI assistant service.
This Privacy Policy is designed to comply with applicable data protection laws, including but not limited to:
- GDPR (General Data Protection Regulation): For users in the European Union and European Economic Area
- CCPA (California Consumer Privacy Act): For users in California, United States
- LGPD (Lei Geral de Proteção de Dados): For users in Brazil
- DSGVO (Datenschutz-Grundverordnung): For users in Germany and EU member states
By using our service, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our service.
2. Information We Collect
2.1 Personal Information
We collect the following personal information when you create an account:
- Email address
- Password (encrypted)
2.2 Instagram Connection Data
When you connect your Instagram Business account, we collect the following information through Meta's OAuth authentication system:
- Instagram User ID
- Instagram Page ID
- Page Access Token (encrypted and stored securely)
- Page name and basic public information
Important: How Instagram/Facebook Connection Works
To connect your Instagram Business account, you must authenticate through Meta's official OAuth system. Here's what you need to know:
- No Password Storage: We never collect, store, or have access to your Facebook or Instagram passwords. All authentication is handled securely through Meta's OAuth system.
- OAuth Tokens Only: We only receive and store an encrypted access token that allows us to send and receive messages on your behalf through Meta's API. This token is encrypted before storage.
- Authentication Requirements: You must be logged into the correct Facebook account that owns or manages the Facebook Page connected to your Instagram Business account. The Facebook Page must be properly linked to your Instagram professional account.
- Limited Access: Our access is limited to what is necessary for the service to function, specifically reading and sending direct messages. We cannot access your account externally, post content, or perform actions outside of message management.
- Token Revocation: You can revoke access at any time by disconnecting your Instagram account through our dashboard or directly through your Facebook/Instagram settings. Once revoked, we immediately lose access and cannot reconnect without your explicit authorization.
2.3 Usage Data
We automatically collect usage information including:
- Message content and timestamps
- API call logs and costs
- AI settings and configurations
- Activity logs (logins, settings changes, account modifications)
- IP addresses and user agents (for security and fraud prevention)
- Service usage patterns and metrics
2.4 Cookies and Tracking Technologies
We use cookies and similar tracking technologies to enhance your experience on our platform:
- Essential Cookies: Required for the service to function properly, including authentication and session management. These cannot be disabled.
- Functional Cookies: Remember your preferences and settings to improve your experience.
- Analytics Cookies: Help us understand how users interact with our service to improve functionality (anonymized data only).
You can control cookie preferences through your browser settings, though disabling essential cookies may affect service functionality. We do not use cookies for advertising or third-party tracking purposes.
3. How We Use Your Information
We use the collected information for the following purposes:
- Service Provision: To provide and maintain our Instagram DM AI assistant service
- Message Processing: To process and respond to Instagram messages using AI
- Account Management: To manage your account and provide customer support
- Analytics: To analyze usage patterns and improve our service
- Billing: To process payments and manage subscriptions
- Security: To detect and prevent fraud, abuse, and security threats
- Communication: To send important updates and notifications
4. Data Storage and Security
4.1 Data Storage
Your data is stored securely using industry-standard encryption and security measures:
- Encryption: All data is encrypted in transit (using TLS/SSL) and at rest (using AES-256 encryption)
- Password Security: Passwords are hashed using bcrypt with salt, and we never store plain-text passwords
- Token Security: Access tokens are encrypted using industry-standard methods before storage
- Secure Infrastructure: Data is stored on secure cloud infrastructure with regular security audits
- Access Controls: Strict access controls ensure only authorized personnel can access your data
- Regular Updates: We regularly update security measures and conduct security audits
4.2 Data Retention
We retain your data only for as long as necessary to provide our services and comply with legal obligations:
- Account data: Retained until you request account deletion. Upon deletion, data is permanently removed within 30 days, except where required by law.
- Message history: Retained for 12 months to provide message history and improve AI responses. Deleted automatically after this period.
- Usage logs: Retained for 24 months for analytics and service improvement purposes. Data is anonymized where possible.
- Activity logs: Retained for 36 months for security and audit purposes, then permanently deleted.
- Legal requirements: Some data may be retained longer if required by law, regulation, or legal proceedings.
You can request immediate deletion of your data at any time by contacting us or using the account deletion feature in your dashboard.
5. Data Sharing and Disclosure
We do not sell, trade, or rent your personal information to third parties. We may share your information in the following limited circumstances:
- Service Providers: With trusted third-party services that help us operate our service (hosting, payment processing, analytics)
- Legal Requirements: When required by law or to protect our rights and safety
- Business Transfers: In connection with a merger, acquisition, or sale of assets
- Consent: With your explicit consent for specific purposes
6. Your Rights and Choices
Depending on your location, you have the following rights regarding your personal information:
- Right to Access: Request a copy of your personal data and information about how we process it
- Right to Rectification: Request correction of inaccurate or incomplete information
- Right to Erasure (Right to be Forgotten): Request deletion of your account and associated data
- Right to Data Portability: Receive your data in a structured, commonly used, and machine-readable format
- Right to Object: Object to processing of your personal data for certain purposes
- Right to Restrict Processing: Request limitation of how we process your data
- Right to Withdraw Consent: Withdraw consent where processing is based on consent
- Right to Opt-out: Unsubscribe from marketing communications at any time
- Right to Non-Discrimination (CCPA): Exercise your privacy rights without discrimination
Exercising Your Rights: To exercise any of these rights, please contact us at chata.dmbot@gmail.com with your request. We will respond to your request within 30 days (or as required by applicable law). We may need to verify your identity before processing your request to protect your privacy and security.
Data Protection Authority: If you are located in the EU, you also have the right to lodge a complaint with your local data protection authority if you believe we have not addressed your concerns adequately.
7. Third-Party Services
Our service integrates with the following third-party services:
- OpenAI: For AI-powered message generation
- Meta/Instagram: For Instagram API access
- Payment Processors: For subscription billing
- Analytics Services: For usage tracking and improvements
Each third-party service has its own privacy policy, and we encourage you to review them.
8. Children's Privacy
Our service is not intended for children under 13 years of age (or 16 years in the European Union). We do not knowingly collect personal information from children under the applicable age limit.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at chata.dmbot@gmail.com. Upon verification, we will promptly delete such information from our systems.
If we become aware that we have collected personal information from a child without parental consent, we will take immediate steps to delete that information.
9. International Data Transfers
Your information may be transferred to and processed in countries other than your own, including the United States and the European Union. We ensure that such transfers comply with applicable data protection laws, including:
- GDPR: We implement appropriate safeguards such as Standard Contractual Clauses (SCCs) approved by the European Commission
- CCPA: We maintain compliance with California privacy law requirements for international transfers
- Adequacy Decisions: Where applicable, we rely on adequacy decisions by relevant data protection authorities
- Data Processing Agreements: All third-party processors are bound by strict data processing agreements
By using our service, you consent to the transfer of your information to these countries. We implement appropriate technical and organizational measures to protect your data regardless of where it is processed.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by:
- Posting the new Privacy Policy on this page
- Sending you an email notification
- Displaying a notice in our application
Your continued use of our service after any changes constitutes acceptance of the updated policy.
11. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
Email: chata.dmbot@gmail.com
Phone: +37063204061