Privacy Policy

Last updated: January 6, 2025

1. Introduction

Welcome to Bizily AI, a product of Agentica, LLC ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered customer messaging and business management platform.

Bizily AI is a SaaS platform designed for small service businesses such as salons, spas, and clinics. Our platform provides AI-powered customer messaging, booking management, and CRM capabilities, including integration with Meta platforms (Instagram and Facebook Messenger) to enable businesses to communicate with their customers.

Meta Platform Compliance: Our use of data received from Meta APIs complies with the Meta Platform Terms, Developer Data Use Policy, and Platform Policies for Instagram and Messenger.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address
  • Full name
  • Account credentials (managed securely through our authentication provider, Clerk)
  • Device information (device type, operating system, browser type)
  • IP address
  • Account creation and login timestamps

2.2 Business Information

For businesses using our platform, we collect:

  • Business name, description, and unique URL slug
  • Logo and branding assets
  • Contact information (phone number, email address, physical address)
  • Business hours and timezone
  • Services offered, including pricing, duration, and variants
  • Resources (rooms, equipment) associated with services
  • AI persona settings (tone, brand voice, response preferences)
  • Booking settings (buffer time, advance notice requirements, deposit policies)
  • Team member information and roles
  • Website URL

2.3 Customer/End-User Data

When businesses use our CRM features, the following information about their customers may be stored:

  • Full name, first name, last name
  • Email addresses (primary and additional)
  • Phone numbers (primary and additional)
  • Physical address
  • Profile pictures (when available from integrated platforms)
  • Social profile data: username, follower count, verification status
  • Source platform (Instagram, Facebook, WhatsApp, LINE, email, web, SMS)
  • Platform-specific user identifiers
  • Customer status (lead, customer, archived)
  • Communication preferences
  • AI-generated notes and intent scores
  • Tags and categorization
  • Booking history and statistics
  • Last interaction timestamp

2.4 Conversation & Message Data

Our messaging features store:

  • Message content (text) between businesses and their customers
  • Message timestamps, delivery status, and read receipts
  • Sender information (customer, business staff, or AI)
  • Platform identifiers (message IDs from Instagram, Facebook, LINE, etc.)
  • Attachments: images, videos, audio files, documents, locations, stickers
  • Attachment metadata: file type, size, dimensions, duration
  • Message reactions
  • AI-generated responses and drafts
  • Conversation summaries (rolling compression of older messages)
  • Booking intent state (captured during booking conversations)

2.5 Booking & Transaction Data

For booking management, we collect:

  • Booking details (date, time, duration, services selected)
  • Assigned staff members
  • Booking status (pending, confirmed, in progress, completed, cancelled)
  • Staff notes about bookings
  • Booking source (manual entry or online booking)
  • Tips and commissions

2.6 Knowledge Base Data

Businesses can upload documents to their knowledge base:

  • Document content, titles, and URLs
  • Custom Q&A pairs
  • Vector embeddings for AI-powered semantic search
  • Tags and categorization
  • Usage analytics (search queries, retrieval frequency)

2.7 AI Memory Data

Your agent maintains contextual memories to provide personalized service:

  • Customer preferences and facts
  • Behavioral patterns
  • Conversation context and summaries
  • Instructions and notes from business staff
  • Memory confidence scores and decay tracking

2.8 Integration Data

When connecting third-party platforms:

  • OAuth access tokens and refresh tokens (encrypted)
  • Token expiration timestamps
  • Platform account identifiers (Instagram account ID, Facebook page ID)
  • Platform account names and avatars
  • Integration status and last sync timestamps
  • Webhook event logs for message delivery reliability

3. How We Use Your Information

We use the collected information to:

  • Provide and maintain our services, including the AI messaging platform
  • Process and manage customer bookings and appointments
  • Enable AI-powered messaging, including automated responses and message drafting
  • Build and maintain customer relationship management (CRM) features
  • Route incoming messages from Instagram, Facebook Messenger, and other platforms
  • Generate AI insights, analytics, and customer sentiment analysis
  • Perform semantic search on knowledge bases to provide accurate responses
  • Maintain AI memories for personalized customer interactions
  • Send service-related communications and notifications
  • Ensure platform security and prevent fraud
  • Improve our services and develop new features
  • Comply with legal obligations

4. Meta Platform Integration

Bizily AI integrates with Meta platforms (Instagram and Facebook Messenger) to enable businesses to communicate with their customers. This section explains how we handle data from Meta platforms.

4.1 Permissions We Use

When you connect your Instagram or Facebook account, we request the following permissions:

  • instagram_basic: To access basic Instagram account information
  • instagram_manage_messages: To send and receive Instagram Direct Messages on behalf of your business
  • instagram_manage_comments: To manage comments on your Instagram posts
  • pages_messaging: To send and receive Facebook Messenger messages on behalf of your business page
  • pages_manage_metadata: To manage your Facebook page settings
  • pages_read_engagement: To read engagement metrics on your page
  • pages_show_list: To display your connected Facebook pages
  • business_management: To manage business account connections

4.2 Data We Access from Meta

Through Meta's APIs, we access:

  • Message content from Instagram DMs and Facebook Messenger
  • Message metadata (timestamps, delivery status, read receipts)
  • User profile information (names, usernames, profile pictures)
  • Message reactions
  • Media attachments shared in conversations
  • Story mentions (Instagram)
  • Page information (name, ID, profile picture)
  • Instagram Business Account details

4.3 Messaging Policies

24-Hour Messaging Window: When a customer initiates a conversation with your business, you have 24 hours to send standard messages in response. Messages sent after this 24-hour window must use message tags and are limited to specific non-promotional use cases as defined by Meta's messaging policies. Each time a customer sends a new message, the 24-hour window resets.

Encryption Status (important): Instagram Direct Messages and Facebook Messenger conversations between businesses and customers are not end-to-end encrypted by default. Messages are encrypted in transit using TLS/SSL but may be accessed by Meta and our platform as necessary to provide the messaging service.

Automated Responses: Our platform uses AI-powered automated responses to help businesses respond to customer inquiries efficiently. Customers can always request to speak with a human agent (see Section 5.2).

4.4 Meta Platform Terms Compliance

We comply with Meta's Platform Terms, Developer Data Use Policy, and all applicable policies for Instagram and Messenger. We do not sell data received from Meta APIs. We use this data solely to provide messaging services to businesses and their customers as described in this policy.

5. Automated Messaging & AI Processing

5.1 How AI Processes Data

Your agent processes data to provide automated responses and insights. When generating responses, the AI may process:

  • Recent conversation history
  • Relevant knowledge base content
  • Customer preferences and past interactions (from AI memories)
  • Business information (services, hours, policies)
  • Booking availability and status

PII Protection: We implement personal data protection measures before sending information to AI services. Sensitive personal information is sanitized or anonymized where possible while maintaining the context needed for helpful responses.

5.2 Human Agent Escalation

You can always request to speak with a human agent instead of the automated agent. To escalate to a human:

  • Reply with "speak to human" or "talk to agent" in any conversation
  • Ask to speak with a real person or staff member
  • The business can also manually take over any conversation at any time

5.3 Opt-Out of Automation

You can opt out of automated AI responses:

  • As a customer: Request to only receive responses from human staff by messaging the business
  • As a business: Disable AI auto-responses for specific conversations or your entire account through settings

6. Third-Party Services

We integrate with the following third-party services to provide our platform:

6.1 Authentication (Clerk)

We use Clerk for secure user authentication. Clerk processes your login credentials and manages session security. Data shared: email address, name, authentication events.

6.2 AI Services (OpenAI)

We use OpenAI to power our AI features, including message generation, customer insights, sentiment analysis, and knowledge base search. Data shared: conversation messages (with PII protection), knowledge base content, business information.

6.3 Payment Processing (Stripe)

We use Stripe to process payments and manage subscriptions. Data shared: billing information, payment method details, transaction history. Stripe handles payment card data directly; we do not store full card numbers on our servers.

6.4 Meta Platforms (Instagram, Facebook Messenger)

We integrate with Meta Platforms to enable messaging through Instagram and Facebook Messenger. Data shared: OAuth tokens, message content, delivery status. Data received: messages, user profiles, page information.

6.5 SMS & WhatsApp (Twilio)

We use Twilio to send and receive SMS messages and WhatsApp messages. Data shared: phone numbers, message content, delivery status. Data received: incoming messages, delivery receipts, sender information.

6.6 LINE Messaging

We integrate with LINE for messaging in supported regions. Data shared: channel tokens, message content. Data received: messages, user profiles, stickers, locations.

6.7 Google APIs

We integrate with Google services including Google Calendar for calendar sync, Google Maps/Places for location services, and Google Business Profile for review management. Data shared: OAuth tokens, calendar events, business location data. Data received: calendar availability, place details, customer reviews.

6.8 Background Processing (Inngest)

We use Inngest for reliable background job processing, including scheduled reminders, webhook retries, and automated workflows. Data shared: job metadata, event payloads (with PII minimization). Inngest processes tasks asynchronously to ensure reliable delivery of notifications and scheduled actions.

6.9 Hosting & Infrastructure (Vercel)

Our application is hosted on Vercel, a cloud platform for web applications. Vercel processes: request logs (IP addresses, URLs, user agents), edge function execution, and server-side rendering. Vercel's infrastructure is distributed globally for optimal performance.

6.10 Analytics (PostHog)

We use PostHog for product analytics, feature flags, and session insights. Data collected: page views, feature usage, anonymized session recordings, and user interactions. This helps us understand how the platform is used and improve the user experience.

6.11 Database & File Storage (Supabase)

Your data is stored on secure PostgreSQL databases and file storage hosted by Supabase, a cloud platform with enterprise-grade security measures. This includes all business data, customer records, conversations, and message attachments (images, videos, documents).

7. Data Sharing & Recipients

We share data with the following categories of recipients:

Service Providers (Data Processors)

  • OpenAI: For AI-powered message analysis and response generation
  • Clerk: For user authentication and session management
  • Stripe: For payment processing and subscription management
  • Twilio: For SMS and WhatsApp messaging
  • Google: For calendar sync, maps/places, and review management
  • Inngest: For background job processing and scheduled tasks
  • Vercel: For application hosting and edge infrastructure
  • PostHog: For product analytics and feature flags
  • Supabase: For database hosting and file storage

Platform Partners

  • Meta (Instagram, Facebook): To deliver messages via their platforms
  • Twilio (SMS, WhatsApp): To deliver SMS and WhatsApp messages
  • LINE: To deliver messages in supported regions

Business Users

Authorized team members of a business can access customer data, conversation history, and booking information within the platform as necessary to provide services.

Legal & Compliance

We may disclose information if required by law, court order, or government request, or if necessary to protect our rights, property, or safety, or that of our users or the public.

8. Data Security

We implement appropriate security measures including:

  • Encryption of sensitive data (OAuth tokens, credentials) at rest and in transit
  • Secure HTTPS/TLS connections for all data transmission
  • Access controls and role-based authentication
  • Regular security reviews and updates
  • Webhook signature verification (HMAC-SHA256) for platform integrations
  • PII sanitization before AI processing
  • Secure credential storage through our authentication provider
  • Database access controls and query parameterization

9. Data Retention & Deletion

Retention Periods

  • Account data: Retained while your account is active and for a reasonable period after account closure
  • Conversation data: Retained according to business needs; older messages may be compressed into summaries
  • Customer records: Retained while the business account is active
  • AI memories: Subject to automated decay based on memory type and usage
  • Integration tokens: Deleted when integrations are disconnected

Deletion Requests

You can request deletion of your data at any time by contacting us at contact@bizily.ai. We will process deletion requests within 30 days of receiving your request.

When you disconnect an integration (e.g., Instagram or Facebook), we remove the associated access tokens and stop receiving new data from that platform. Historical conversation data may be retained unless you specifically request its deletion.

10. Your Rights

10.1 All Users

You have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Request deletion of your data
  • Export your data in a portable format
  • Disconnect integrated platforms at any time
  • Opt out of AI-powered features
  • Request human agent escalation in conversations

10.2 GDPR Rights (EU/EEA Users)

If you are located in the European Union or European Economic Area, you have additional rights under GDPR:

  • Legal Basis: We process your data based on: (a) your consent, (b) performance of a contract, (c) compliance with legal obligations, or (d) our legitimate business interests
  • Right to Object: You may object to processing based on legitimate interests
  • Right to Restrict Processing: You may request we limit how we use your data
  • Right to Lodge a Complaint: You may file a complaint with your local data protection authority

To exercise your GDPR rights, contact us at contact@bizily.ai.

10.3 CCPA Rights (California Residents)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: Request information about what personal data we collect, use, and share
  • Right to Delete: Request deletion of your personal data
  • Right to Correct: Request correction of inaccurate personal data
  • Right to Opt-Out: We do not sell personal information
  • Non-Discrimination: We will not discriminate against you for exercising your privacy rights

11. Children's Privacy

Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we have collected information from a child, please contact us at contact@bizily.ai.

12. International Data Transfers

Your data may be processed in the United States and other countries where our service providers operate. These countries may have different data protection laws than your country of residence.

For transfers from the EU/EEA, we rely on: (a) the EU-US Data Privacy Framework (where applicable), (b) Standard Contractual Clauses approved by the European Commission, or (c) other legally approved transfer mechanisms. By using our services, you consent to your data being transferred to and processed in these locations.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will notify you of any material changes by:

  • Posting the new Privacy Policy on this page
  • Updating the "Last updated" date
  • Sending an email notification for significant changes (where applicable)

We retain all prior versions of this Privacy Policy and will provide them upon request.

14. Contact Us

If you have any questions about this Privacy Policy or our data practices, or wish to exercise your privacy rights, please contact us:

Agentica, LLC

Email: contact@bizily.ai

For Meta platform-related privacy concerns, you may also contact Meta directly through their Privacy Support.