Privacy Policy

Aijaa Bot

Last updated: August 16, 2025

This Privacy Policy describes how Aijaa Bot ("we", "us", "our") collects, uses, and protects information when you use our Service that integrates with Facebook Pages and Messenger. It also explains your rights and choices.

Provider & Contact

Aijaa Bot, 108/107 SaothongHin, Bangyai, Nonthaburi 11140, Thailand
Contact: theaijaa.co@gmail.com

1. Scope

This Policy applies to information we process when a Facebook Page administrator connects a Page to our Service, when the connected Page receives Messenger events, and when administrators use our website or tools to configure the integration. This Policy does not cover Facebook's own processing; please review Facebook/Meta's terms and policies separately.

2. Roles and Responsibilities

For Page messaging data, the Page owner/admin is the data controller and Aijaa Bot acts as a data processor. We process personal data only under your documented instructions—i.e., to enable the described chatbot and handover functionality.

3. Information We Collect

We collect only what is necessary for the Service to function:

3.1 From Facebook when you connect a Page

  • Page details: Page ID, Page name, Page category;
  • Page Access Token for the selected Page;
  • Admin metadata used to label the connection (e.g., admin ID and display name returned by Facebook when you authorize);
  • Business Manager associations (to the extent needed to list/select Pages that are business assets).

3.2 Messenger events (from Facebook webhooks)

  • Event metadata such as Page ID, Page-scoped user identifiers (PSIDs), timestamps, message/postback payloads, and delivery/read events.
  • Important: In this version of the Service, we do not call Messenger User Profile APIs and do not read profile fields (e.g., first name, last name, profile photo). PSIDs may appear in events and logs as identifiers but are not enriched to a name/photo.

3.3 System and operational data

  • Connection status, token expiry, success/failure of subscribe/unsubscribe actions;
  • Diagnostic logs and audit entries (e.g., "subscribed", "disconnected", or error codes).

3.4 Optional billing/admin data (if you purchase paid features)

  • Contact details, plan selections, and transaction identifiers required to process payments (processed by our payment provider).

4. How We Use Information

We use information to:

  • Provide the Service: list your Pages, connect/disconnect, subscribe to Messenger webhooks, receive/send messages for your Page, and operate the Handover Protocol (pass/take thread control);
  • Secure and maintain the Service: authentication, fraud prevention, incident detection, and diagnostics;
  • Provide support and improve reliability (quality assurance based on aggregate or de-identified data).

We do not sell personal data. We do not use data for behavioral advertising. We do not use Messenger profile enrichment in this version.

5. Legal Bases

Where applicable (e.g., under Thai PDPA, GDPR-style regimes), we rely on:

  • Performance of a contract (to provide the Service you requested);
  • Legitimate interests (to secure and maintain the Service);
  • Compliance with legal obligations (e.g., tax, accounting, security).

6. Retention

  • Page tokens & configuration: retained while the Page remains connected or until token expiry; deleted upon disconnect/deauthorize.
  • Webhook/event-derived logs & audit entries: retained up to 90 days for support and reliability, then deleted or irreversibly de-identified.
  • Billing/financial records (if any): retained as required by applicable law.

You may request deletion earlier (see Section 10).

7. Sharing and Sub-processors

We share data only as necessary to operate the Service:

  • Facebook/Meta (as the platform delivering tokens and events);
  • Hosting & infrastructure providers (secure cloud hosting, logging, monitoring);
  • Workflow/runtime tools used to orchestrate subscriptions and message handling;
  • Storage or productivity services used for configuration data (e.g., Google services).

Sub-processors are bound by written contracts to protect personal data and act only on our instructions.

8. International Transfers

Data may be processed outside Thailand, including where Facebook or our sub-processors operate. We use appropriate safeguards (e.g., contractual commitments) to protect data during transfers.

9. Security

We implement technical and organizational measures appropriate to the risk, including HTTPS in transit, restricted token storage, access controls on a need-to-know basis, audit logging, and secure key management. No system is perfectly secure; please notify us promptly if you believe your account or Page token has been compromised.

10. Your Rights and Choices

Depending on your jurisdiction, you may have rights to access, correct, delete, or obtain a copy of personal data, and to object or restrict certain processing. As the Page controller, you may exercise these rights by contacting us or by disconnecting the Page. You can also remove the app in Facebook settings, which triggers our Data Deletion Callback.

• Disconnect via the Aijaa website (primary method):

  1. Open the Disconnect link and log in with Facebook if prompted.
  2. After you're redirected back to Aijaa, you'll see a list of Pages you administer that are currently connected.
  3. Select the Page to disconnect and click Disconnect.
  4. On submit, we call DELETE /{page-id}/subscribed_apps, delete the stored Page Access Token and Page-linked configuration (and any identifiable logs), write an audit entry, and display "Disconnected."

• Remove the app in Facebook settings (deauthorize):

When you remove the app on Facebook, Facebook sends us a signed_request. We verify the signature (HMAC-SHA256 with our App Secret), then perform the same deletion actions and return a confirmation code with a status URL.

To submit a data request directly, email theaijaa.co@gmail.com with your Page ID and request type. We will respond within the time required by law.

For detailed information about our data deletion mechanisms, see our Data Deletion Appendix.

11. Children's Privacy

The Service is not intended for children under 18. We do not knowingly process data from children. If you believe we have collected such data, contact us to request deletion.

12. Cookies and Similar Technologies

Our website may use strictly necessary cookies (e.g., session, security). If we use analytics, it will be aggregated or de-identified, and you may opt out where applicable. Browser settings may block or delete cookies, but some features may not function.

13. Changes to this Policy

We may update this Policy to reflect service or legal changes. Material changes will be posted on this page with an updated "Last updated" date.

14. Contact

Questions or requests about privacy can be sent to theaijaa.co@gmail.com.
Postal address: Aijaa Bot, 108/107 SaothongHin, Bangyai, Nonthaburi 11140, Thailand.