Privacy Policy

Last updated: January 28, 2025

1. Introduction

Welcome to Daber.AI (“we,” “our,” or “us”). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered business communication platform.

2. Information We Collect

2.1 Information You Provide

  • Account information (name, email, phone number)
  • Business information (business name, description, industry)
  • WhatsApp business account information
  • Social media links
  • Calendar data (when using Google Calendar integration)
  • Instagram Business account data (when using Instagram integration)
  • Communication content and messages
  • Customer service interactions

2.2 Automatically Collected Information

  • Device information (IP address, browser type, operating system)
  • Usage data (features accessed, interaction patterns)
  • Performance data and error logs
  • Cookies and similar tracking technologies

3. How We Use Your Information

We use your information to:

  • Provide and maintain our services
  • Train and improve our AI models
  • Personalize your experience
  • Process transactions
  • Send administrative communications
  • Analyze service usage and performance
  • Comply with legal obligations
  • Prevent fraud and abuse

4. Data Sharing and Disclosure

We may share your information with:

  • Service providers and business partners
  • Third-party integrations (with your consent)
  • Legal authorities when required by law
  • Business transferees in case of merger or acquisition

5. Data Security

We implement appropriate technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction.

5.1 Technical Data Protection Mechanisms

We implement comprehensive technical safeguards to protect your sensitive data, including:

Encryption

  • All data is encrypted in transit using TLS 1.3
  • All data is encrypted at rest using AES-256 encryption
  • Database encryption with industry-standard encryption keys
  • Encrypted backups with separate encryption keys

Access Controls

  • Role-based access control (RBAC) limiting data access to authorized personnel only
  • Multi-factor authentication (MFA) required for all administrative access
  • Regular access reviews and privilege auditing
  • Automated access logging and monitoring

Data Minimization

  • We collect only the minimum data necessary for service functionality
  • Automatic data anonymization where possible
  • Regular data purging of expired or unnecessary information
  • Sensitive data masking in logs and debugging systems

Infrastructure Security

  • Cloud infrastructure with SOC 2 Type II compliance
  • Regular security vulnerability assessments
  • Automated intrusion detection and prevention systems
  • Secure development lifecycle with security code reviews

Google API Data Protection

  • OAuth 2.0 with PKCE for secure Google API authentication
  • Token encryption and secure storage
  • Automatic token refresh with rotation
  • Strict scope limitation to only required permissions
  • Google API data segregation from other business data

Data Processing Safeguards

  • Sensitive information masking in system logs
  • Automated PII detection and protection
  • Email and phone number masking in application interfaces
  • Secure API rate limiting and throttling
  • Regular security monitoring and alerting

Incident Response

  • 24/7 security monitoring and alerting
  • Documented incident response procedures
  • Regular security training for all personnel
  • Breach notification procedures compliant with applicable regulations

Gmail Integration Data Protection

When you use our Gmail integration, we implement additional specific protections:

Gmail API Security

  • OAuth 2.0 authentication with secure token management
  • Encrypted storage of Gmail access and refresh tokens
  • Automatic token rotation and expiration handling
  • Strict rate limiting to prevent API abuse
  • Gmail data segregation from other business data

Gmail Data Processing

  • Email content processing only for AI assistant functionality
  • Automatic masking of sensitive information in email processing
  • Secure email attachment handling with virus scanning
  • Email data retention limited to service requirements
  • No sharing of Gmail data with third parties

Gmail Permissions

We request the following Gmail API scopes:

  • https://www.googleapis.com/auth/gmail.readonly - Read email messages and metadata
  • https://www.googleapis.com/auth/gmail.send - Send email messages on your behalf
  • https://www.googleapis.com/auth/gmail.compose - Create draft email messages
  • https://www.googleapis.com/auth/gmail.modify - Modify email messages (mark as read, archive, etc.)
  • https://www.googleapis.com/auth/gmail.labels - Manage Gmail labels
  • https://www.googleapis.com/auth/userinfo.email - Access your email address
  • https://www.googleapis.com/auth/userinfo.profile - Access your basic profile information

6. Your Rights

You have the right to:

  • Access your personal information
  • Correct inaccurate data
  • Request deletion of your data
  • Object to processing
  • Data portability
  • Withdraw consent

7. International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for such transfers.

8. Data Retention

We retain your information for as long as necessary to provide our services and comply with legal obligations. You may request deletion of your data at any time.

9. Children's Privacy

Our services are not intended for children under 13. We do not knowingly collect information from children under 13.

10. Third-Party Links

Our service may contain links to third-party websites. We are not responsible for their privacy practices.

11. WhatsApp Data Usage

When you connect your WhatsApp Business account:

  • We process messages and media shared through WhatsApp
  • We store conversation history for AI training and support
  • We comply with WhatsApp Business Solution Terms of Service

12. AI and Machine Learning

Our AI systems:

  • Process communication data to provide automated responses
  • Learn from interactions to improve service quality
  • Maintain data privacy and security standards
  • Allow human oversight when necessary

We explicitly affirm that we do not use Google Workspace APIs data to develop, improve, or train generalized AI and/or ML models. Any AI/ML training we perform is strictly limited to personalized models that serve your specific business needs and is done with your explicit consent.

Google Workspace API Data Usage

Regarding our use of Google Workspace APIs:

  • We do not use Google Workspace API data to develop, improve, or train generalized AI and/or ML models
  • We do not transfer Google Workspace API data to third-party AI tools for generalized/non-personalized AI/ML model training
  • Any AI/ML processing of Google Workspace data is strictly limited to:
    • Personalized models that serve your specific business needs
    • Features and services you explicitly consent to
    • Improvements to your individual user experience
  • We maintain strict data segregation to ensure Google Workspace data is not used for generalized AI/ML training
  • We comply with all Google Workspace API User Data Policy requirements

13. Changes to Privacy Policy

We may update this Privacy Policy periodically. We will notify you of any material changes through our service or via email.

14. Contact Us

For privacy-related questions or concerns, contact us at:

Email: privacy@daber.ai
Address: [Your Business Address]

15. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA), we process personal data based on:

  • Contract performance
  • Legal obligations
  • Legitimate interests
  • Your consent

16. California Privacy Rights

California residents have additional rights under CCPA/CPRA. Contact us for more information about these rights.

17. Cookie Policy

We use cookies and similar technologies to:

  • Maintain your session
  • Remember your preferences
  • Analyze service usage
  • Improve user experience

You can control cookie settings through your browser preferences.

18. Compliance

We comply with applicable data protection laws, including:

  • GDPR (European Union)
  • CCPA/CPRA (California)
  • LGPD (Brazil)
  • Other applicable regional regulations

For specific privacy-related requests or concerns, please contact our Data Protection Officer at dpo@daber.ai.

Google Calendar Integration

When you use our Google Calendar integration:

  • We access your Google Calendar data only after obtaining explicit consent
  • We request and use the minimum necessary permissions required to provide our scheduling services
  • We access calendar data to:
    • Read your calendar events to check availability
    • Create and modify events for appointments
    • Manage scheduling preferences and settings
  • We do not:
    • Share your calendar data with third parties without consent
    • Use calendar data for advertising purposes
    • Store calendar data beyond what's necessary for service operation
  • You can revoke calendar access at any time through your Google Account settings

Google Calendar Data Processing and Security

For Google Calendar data specifically, we implement enhanced security measures:

Authentication and Access Control

  • OAuth 2.0 authentication with secure token management
  • Encrypted storage of calendar access and refresh tokens
  • Automatic token rotation and expiration handling
  • Access to calendar data strictly limited to authorized personnel
  • Multi-factor authentication required for system access

Data Encryption and Storage

  • All calendar data encrypted in transit using TLS 1.3
  • All calendar data encrypted at rest using AES-256
  • Separate encryption keys for calendar data segregation
  • Secure backup procedures with encrypted storage

Privacy Protection

  • Automatic masking of sensitive information in calendar processing
  • Email and phone number masking in system logs
  • PII detection and protection in calendar event data
  • Calendar data segregation from other business data

Monitoring and Auditing

  • Detailed access logging for all calendar operations
  • Real-time security monitoring and alerting
  • Regular security audits and vulnerability assessments
  • Automated anomaly detection for unusual access patterns

Google Calendar Data Retention

Regarding Google Calendar data specifically:

  • We retain calendar data only for the duration necessary to provide our services
  • Calendar data is automatically deleted when:
    • You disconnect your Google Calendar integration
    • You delete your account
    • The data is no longer needed for the service
  • You can request immediate deletion of your calendar data at any time
  • We maintain backups for a maximum of 30 days for disaster recovery purposes

Google Calendar Data Access and Export

You have the following rights regarding your Google Calendar data:

  • View what calendar data we store through your account dashboard
  • Export your calendar data in a machine-readable format
  • Request a complete list of all calendar data we process
  • Revoke access through either:
    • Your Daber.AI account settings
    • Google Security settings (https://myaccount.google.com/permissions)

Google Calendar API Scopes

We request the following Google Calendar permissions:

  • https://www.googleapis.com/auth/calendar - Full access to your Google Calendar to read, create, modify, and delete events

This scope allows us to provide comprehensive scheduling functionality including:

  • Reading your calendar to check availability
  • Creating new appointments and events
  • Modifying existing appointments
  • Deleting appointments when cancelled
  • Managing appointment reminders and notifications

We regularly review these permissions to ensure we're using only what's necessary for service functionality.

Limited Use Disclosure

Our use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, we will:

  • Only request necessary data and permissions
  • Be transparent about how we use the data
  • Never sell the data
  • Never use the data for advertising
  • Never use the data to target ads to users
  • Never transmit the data to third parties unless necessary for service provision

Instagram Integration

When you use our Instagram integration:

  • We access your Instagram Business account data only after obtaining explicit consent through Facebook OAuth
  • We require an Instagram Business or Creator account connected to a Facebook Page
  • We access Instagram data to:
    • Create and publish posts on your behalf through our AI assistant
    • Retrieve account information and follower metrics
    • Access recent posts and engagement data for analytics
    • Provide hashtag suggestions and content optimization
  • We do not:
    • Share your Instagram data with third parties without consent
    • Use Instagram data for advertising purposes
    • Post content without your explicit instruction
    • Access personal Instagram accounts or direct messages
  • You can revoke Instagram access at any time through your account settings or Facebook permissions

Instagram Data Processing and Security

For Instagram data specifically:

  • We follow Facebook OAuth 2.0 protocols for secure authentication
  • All Instagram data is encrypted in transit and at rest
  • Access to Instagram data is strictly limited to authorized personnel
  • We maintain detailed access logs for security monitoring
  • We automatically refresh access tokens to maintain secure connections
  • We comply with Meta's Platform Terms and Developer Policies

Instagram Data Retention and Deletion

Regarding Instagram data specifically:

  • We retain Instagram access tokens and account data only for the duration necessary to provide our services
  • Instagram data is automatically deleted when:
    • You disconnect your Instagram integration
    • You delete your account
    • You request data deletion through Facebook
    • Access tokens expire and cannot be renewed
  • We provide a data deletion callback endpoint for Facebook data deletion requests
  • We maintain compliance with Meta's data deletion requirements
  • You can request immediate deletion of your Instagram data at any time

Instagram Data Access and Control

You have the following rights regarding your Instagram data:

  • View what Instagram data we store through your account dashboard
  • Control which Instagram features our AI assistant can access
  • Revoke access through either:
    • Your Daber.AI account settings
    • Facebook Business Settings (https://business.facebook.com/)
    • Facebook App permissions (https://www.facebook.com/settings?tab=applications)
  • Request deletion of Instagram data through Facebook's data deletion process
  • Export your Instagram integration settings and preferences

Meta Platform Compliance

Our use of Instagram data complies with Meta's Platform Terms and Developer Policies. We adhere to Facebook's data use policies and security requirements.

Specifically, we:

  • Only request necessary Instagram permissions
  • Use Instagram data solely to provide our AI assistant services
  • Never sell or share Instagram data inappropriately
  • Provide transparent data deletion processes
  • Maintain secure data handling practices
  • Respect user privacy and content ownership