Privacy Policy
Table of Contents
- Information We Collect
- How We Use Your Information
- Legal Basis for Processing
- How We Share Your Information
- Third-Party Service Providers
- International Data Transfers
- Data Retention
- Your Privacy Rights
- California Privacy Rights (CCPA)
- Brazilian Privacy Rights (LGPD)
- Data Security
- Children's Privacy
- WhatsApp Data Practices
- AI and Automated Processing
- Cookies and Tracking
- Changes to This Policy
- Contact Us
Axel Business Solutions Ltd ("Company," "we," "us," or "our") operates Inboxxit, a WhatsApp-integrated customer relationship management platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
We are committed to protecting your privacy and complying with applicable data protection laws, including the European Union General Data Protection Regulation (GDPR), the Brazilian Lei Geral de Proteção de Dados (LGPD), and the California Consumer Privacy Act (CCPA).
By accessing or using the Service, you agree to this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Service.
1 Information We Collect
1.1 Information You Provide Directly
We collect information you voluntarily provide when registering for the Service, including:
| Category | Examples |
|---|---|
| Account Information | Name, email address, password, phone number, company name |
| Billing Information | Payment card details, billing address (processed by third-party payment processors) |
| Business Information | Business name, industry, team member details, business address |
| Communication Content | Messages, templates, notes, and other content you create within the Service |
| Support Communications | Information provided when contacting customer support |
1.2 Information Collected Automatically
When you use the Service, we automatically collect:
- Device Information: IP address, browser type, operating system, device identifiers
- Usage Data: Pages viewed, features used, click patterns, session duration
- Log Data: Access times, error logs, referring URLs
- Performance Data: Load times, system performance metrics
1.3 Information from Third Parties
We receive information from third-party services you connect:
- WhatsApp (Meta): Incoming messages, delivery statuses, phone numbers, message metadata
- Google Calendar: Calendar events, availability, event details (when you connect)
- Microsoft Outlook: Calendar events, availability, event details (when you connect)
1.4 Information About Your Customers
When you use the Service to communicate with your customers via WhatsApp, we process:
- Customer phone numbers
- Customer names (as provided by you or extracted from messages)
- Message content between you and your customers
- Message delivery and read status
- AI-generated analysis (intent, sentiment, interests)
You are responsible for obtaining appropriate consent from your customers to collect and process their data through our Service. You must comply with WhatsApp's Business Policy and applicable privacy laws.
2 How We Use Your Information
2.1 Service Delivery
- Provide, maintain, and improve the Service
- Process and deliver WhatsApp messages on your behalf
- Manage your account and provide customer support
- Process payments and billing
- Sync appointments with connected calendars
2.2 AI-Powered Features
- Analyze message content for intent and sentiment
- Calculate lead temperature scores
- Generate automated chatbot responses
- Provide smart reply suggestions
- Detect appointment booking requests
2.3 Service Improvement
- Understand how users interact with the Service
- Identify and fix technical issues
- Develop new features and functionality
- Conduct research and analytics
2.4 Security and Compliance
- Detect, prevent, and address fraud and abuse
- Enforce our Terms of Service
- Comply with legal obligations
- Protect the rights and safety of users
3 Legal Basis for Processing
For users in the European Economic Area (EEA), United Kingdom, Brazil, and other jurisdictions requiring a legal basis for processing, we rely on:
| Legal Basis | Processing Activities |
|---|---|
| Contract Performance | Providing the Service, processing payments, account management |
| Legitimate Interests | Service improvement, security, fraud prevention, analytics |
| Consent | Marketing communications, optional features, AI analysis of customer data |
| Legal Obligation | Tax records, responding to legal requests, compliance requirements |
You may withdraw consent at any time by contacting us or adjusting your account settings.
4 How We Share Your Information
We do not sell, rent, or trade your personal information to third parties for their marketing purposes.
4.1 Service Providers
We share information with third-party service providers who perform services on our behalf. All service providers are contractually obligated to protect your information and use it only for specified purposes.
4.2 WhatsApp (Meta)
To deliver WhatsApp messages, we share recipient phone numbers, message content, and media files. This sharing is governed by WhatsApp's Business API terms.
4.3 Legal Requirements
We may disclose information if required by law or in good faith belief that such action is necessary to:
- Comply with legal obligations or valid legal process
- Protect and defend our rights or property
- Prevent or investigate possible wrongdoing
- Protect the personal safety of users or the public
4.4 Business Transfers
If we are involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your information becomes subject to a different privacy policy.
5 Third-Party Service Providers
5.1 Cloud Infrastructure
| Provider | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Hosting, storage, databases | São Paulo, Brazil (primary) |
5.2 Artificial Intelligence
| Provider | Purpose |
|---|---|
| OpenAI (GPT-4o-mini) | Message analysis, intent detection, scoring |
| Anthropic (Claude 3.5 Sonnet) | Chatbot responses, smart replies |
AI Data Practices:
- AI providers process data to provide responses only
- We use API configurations that minimize data retention by AI providers
- Message content is not used to train AI models without explicit consent
- AI processing occurs in real-time; data is not stored by AI providers beyond processing
5.3 Communication Services
| Provider | Purpose |
|---|---|
| Meta (WhatsApp) | WhatsApp Business API |
| SendGrid (Twilio) | Email delivery |
5.4 Calendar Integrations
| Provider | Purpose |
|---|---|
| Google Calendar sync | |
| Microsoft | Outlook Calendar sync |
6 International Data Transfers
6.1 Data Location
Your data is primarily stored in AWS data centers located in São Paulo, Brazil (sa-east-1 region).
6.2 Cross-Border Transfers
Some of our service providers operate in countries outside your jurisdiction. When we transfer data internationally, we ensure appropriate safeguards:
- Standard Contractual Clauses (SCCs): EU-approved contractual terms with service providers
- Adequacy Decisions: Transfers to countries with adequate data protection
- Binding Corporate Rules: For providers with approved BCRs
- Consent: Where other mechanisms are not available
7 Data Retention
| Data Type | Retention Period | Justification |
|---|---|---|
| Account information | Duration of account + 2 years | Contract performance, legal claims |
| Messages and conversations | 5 years | Business records, dispute resolution |
| Lead and customer data | 5 years | Business records, legal requirements |
| Billing records | 7 years | Tax and accounting requirements |
| Audit logs | 7 years | Security, compliance |
| Usage analytics | 2 years | Service improvement |
| Deleted data (soft delete) | 90 days | Recovery, mistake prevention |
7.2 Deletion
When you delete your account or request data deletion:
- Active data is marked for deletion immediately
- Soft-deleted data is permanently purged after 90 days
- Backup copies are purged within 30 days of backup rotation
- Some data may be retained as required by law
8 Your Privacy Rights
Depending on your jurisdiction, you may have the following rights:
| Right | Description |
|---|---|
| Access | Request a copy of your personal data |
| Correction | Request correction of inaccurate data |
| Deletion | Request deletion of your data |
| Data Portability | Receive your data in a structured, machine-readable format |
| Withdraw Consent | Withdraw consent for processing based on consent |
| Complaint | Lodge a complaint with a supervisory authority |
How to Exercise Your Rights
To exercise your rights, you may:
- Self-Service: Use account settings to access, correct, or delete data
- Email: Contact us at privacy@inboxxit.com
- Written Request: Send a request to our mailing address
We will respond to requests within 30 days (or as required by applicable law).
9 California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the CCPA:
9.1 Right to Know
You may request disclosure of categories and specific pieces of personal information collected, sources, purposes, and third parties with whom we share data.
9.2 Right to Delete
You may request deletion of personal information we collected, subject to exceptions.
9.3 Right to Non-Discrimination
We will not discriminate against you for exercising CCPA rights.
9.4 Categories of Information
| Category | Collected | Sold | Shared for Advertising |
|---|---|---|---|
| Identifiers (name, email, phone) | Yes | No | No |
| Commercial information | Yes | No | No |
| Internet activity | Yes | No | No |
| Professional information | Yes | No | No |
10 Brazilian Privacy Rights (LGPD)
If you are located in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD):
- Confirmation: Confirm whether we process your data
- Access: Access your personal data
- Correction: Correct incomplete, inaccurate, or outdated data
- Anonymization: Request anonymization, blocking, or deletion of unnecessary data
- Portability: Receive your data in portable format
- Deletion: Delete data processed with consent
- Information: Know about entities with whom we share data
- Revocation: Revoke consent
You may file complaints with the Autoridade Nacional de Proteção de Dados (ANPD) at www.gov.br/anpd.
11 Data Security
We implement technical and organizational measures to protect your data:
| Category | Measures |
|---|---|
| Encryption in Transit | TLS 1.3 for all connections |
| Encryption at Rest | AES-256 for sensitive data, encrypted database backups |
| Access Control | Role-based access, multi-factor authentication for admin |
| Network Security | Firewalls, DDoS protection (Cloudflare), VPC isolation |
| Monitoring | 24/7 security monitoring, intrusion detection |
| Auditing | Comprehensive audit logs for all data access |
Incident Response
In the event of a data breach, we will notify affected users within 72 hours (or as required by law) and notify relevant supervisory authorities as required.
12 Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@inboxxit.com. If we discover we have collected information from a child, we will delete it promptly.
13 WhatsApp Data Practices
Our Service integrates with WhatsApp Business API provided by Meta. By using WhatsApp features:
- You agree to WhatsApp's Business Terms of Service
- You agree to WhatsApp's Business Policy
- Messages are transmitted through WhatsApp's infrastructure
Your Obligations
As a user of our Service to communicate via WhatsApp, you must:
- Obtain appropriate consent from your customers
- Comply with WhatsApp's messaging policies
- Honor opt-out requests from your customers
- Not send spam or unauthorized promotional messages
14 Artificial Intelligence and Automated Processing
14.1 AI Features
Our Service uses AI to provide:
- Temperature Scoring: Analyze lead readiness to purchase (OpenAI GPT-4o-mini)
- Intent Analysis: Understand customer message intent (OpenAI GPT-4o-mini)
- Chatbot Responses: Generate automated replies (Anthropic Claude)
- Smart Replies: Suggest response options for agents (Anthropic Claude)
- Booking Detection: Identify appointment requests (OpenAI GPT-4o-mini)
14.2 Automated Decision-Making
Our AI systems assist with lead prioritization, chatbot responses, and appointment status updates. You have the right to:
- Request human review of automated decisions
- Opt out of automated processing where legally required
- Understand the logic behind automated decisions
14.3 AI Data Practices
- Message content is sent to AI providers for real-time processing
- AI providers do not retain your data beyond processing the request
- Your data is not used to train AI models without explicit consent
15 Cookies and Tracking Technologies
| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential | Authentication, security, session management | Session |
| Functional | User preferences, language settings | 1 year |
| Analytics | Usage patterns, performance monitoring | 1 year |
You can control cookies through browser settings or account settings (analytics opt-out). Note: Blocking essential cookies may prevent access to the Service.
We do not use third-party advertising trackers.
16 Changes to This Privacy Policy
We may update this Privacy Policy periodically. Changes will be effective when posted, and the "Last Updated" date will be revised.
For material changes, we will:
- Notify you via email (if provided)
- Display a prominent notice within the Service
- Obtain consent where required by law
Continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.
17 Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us: