MonkeyMachine — PRIVACY POLICY

This Privacy Policy ("Policy") describes how Sole Proprietor Rabadan Izabakarov ("MonkeyMachine," "we," "us," or "our") collects, uses, stores, and protects personal data in connection with the MonkeyMachine multi-tenant software-as-a-service platform and all related services (collectively, the "Service").

MonkeyMachine is a multi-tenant SaaS platform that provides customer relationship management (CRM), omnichannel messaging, AI-powered automation, and e-commerce tools. The Service enables our customers ("Customers") to communicate with their own end users ("End Users") through integrated communication channels, including but not limited to Facebook Messenger, Instagram Direct, WhatsApp, Telegram, email, and web chat.

This Policy applies to:

• Visitors — individuals who browse our website or public-facing pages;
• Customers — businesses and individuals who register for and use the Service;
• End Users — individuals who interact with our Customers through communication channels integrated with the Service;
• Authorized Users — individuals granted access to a Customer's account (employees, agents, contractors).

By accessing or using the Service, you acknowledge that you have read and understood this Policy. If you are a Customer using the Service to process End User data, you are responsible for ensuring that your own privacy practices comply with applicable law and with the terms of any third-party platform whose APIs you access through the Service.

Data protection law distinguishes between the entity that determines the purposes and means of processing personal data (the "Controller") and the entity that processes data on behalf of the Controller (the "Processor"). Our role depends on the context of the data being processed:

MonkeyMachine as Controller. We act as the Controller for personal data that we collect and process for our own purposes, including:

• Customer account registration and billing data;
• Usage analytics and telemetry related to the Service;
• Data collected through our website (cookies, contact forms);
• Communications between us and our Customers (support tickets, emails).

MonkeyMachine as Processor. We act as the Processor (or sub-processor) when our Customers use the Service to collect, store, or communicate with their End Users. In this capacity:

• The Customer is the Controller and determines the purposes and means of processing End User personal data;
• MonkeyMachine processes End User data solely on the Customer's instructions and in accordance with our Terms of Service and Data Processing Agreement;
• We do not determine the purposes for which End User data is processed, nor do we sell, rent, or use End User data for our own commercial purposes, including advertising or profiling.

Customer obligations. Each Customer is responsible for:

• Obtaining all necessary consents and providing all required notices to End Users before processing their data through the Service;
• Complying with applicable data protection laws in their jurisdiction;
• Complying with the terms and policies of third-party platforms (e.g., Meta Platform Terms, WhatsApp Business Policy, Telegram Terms of Service) when using those integrations;
• Responding to End User data subject requests, with our reasonable assistance where required.

We process the following categories of personal data, depending on the role we perform and the features used:

3.1 Customer Account Data

• Full name, email address, phone number;
• Business name, address, tax identification number;
• Login credentials (password stored as a salted hash only);
• Billing information and payment history;
• Account preferences and configuration settings.

3.2 Authorized User Data

• Full name, email address, role within the Customer's organization;
• Login credentials and access permissions;
• Activity logs within the Service (actions performed, timestamps).

3.3 End User Data (processed by MonkeyMachine as Processor on behalf of the Customer)

• Contact identifiers: name, email, phone number, platform-specific user IDs (e.g., Facebook PSID, Instagram IGSID, WhatsApp phone number, Telegram user ID);
• Message content: text messages, images, files, voice messages, and other media exchanged between the End User and the Customer through integrated channels;
• Conversation metadata: timestamps, channel type, delivery and read status;
• CRM data: custom fields, tags, notes, and segmentation data as defined by the Customer;
• E-commerce data: order history, cart contents, product preferences (where the Customer uses our e-commerce features);
• Consent records: opt-in/opt-out status for marketing communications.

3.4 Technical & Usage Data

• IP address, browser type and version, operating system;
• Device identifiers and screen resolution;
• Pages visited, features used, session duration;
• Referral source and clickstream data;
• Error logs and performance diagnostics.

3.5 Cookie & Tracking Data

• Cookies, local storage tokens, and similar tracking technologies (see Section 9 below).

We process personal data for the following purposes and on the following legal bases:

We do not process personal data for purposes incompatible with those listed above. We do not sell personal data. We do not use End User data or platform data for advertising, ad targeting, or building advertising profiles.

The Service integrates with third-party messaging and communication platforms to enable Customers to manage omnichannel conversations. This section describes how we handle data received from or transmitted to these platforms.

5.1 Meta Platform (Facebook Messenger & Instagram Direct)

When a Customer connects their Facebook Page or Instagram Professional Account to MonkeyMachine, we access data through the Meta Platform APIs (Graph API, Messenger Platform, Instagram Messaging API) in accordance with the Meta Platform Terms and Meta Developer Policies. Specifically:

• We receive and process message content, sender/recipient identifiers (PSIDs, IGSIDs), timestamps, and media attachments solely to deliver the messaging functionality requested by the Customer.
• We do not sell, license, purchase, or sublicense Meta Platform Data to or from any third party, data broker, advertising network, or ad‑related service.
• We do not use Meta Platform Data for advertising, ad targeting, ad ranking, or building advertising profiles.
• We do not use Meta Platform Data to discriminate against or disadvantage any individual or group based on race, ethnicity, color, national origin, religion, age, sex, sexual orientation, gender identity, family status, disability, medical condition, genetic information, or any other characteristic protected by applicable law.
• We do not use Meta Platform Data to determine eligibility for housing, employment, insurance, education, credit, government benefits, or immigration status.
• We do not use Meta Platform Data for surveillance, law enforcement, or national security purposes, or provide tools that facilitate such activities.
• We do not attempt to decode, re‑identify, de‑anonymize, decrypt, reverse‑hash, or reverse‑engineer any Meta Platform Data provided to us in anonymized, aggregated, or hashed form.
• We do not create or supplement user profiles using Meta Platform Data without the valid consent of the applicable End User.
• Meta Platform Data is stored in encrypted databases with logical tenant isolation — one Customer's data is never accessible to another Customer or to MonkeyMachine personnel without a legitimate operational need.
• When a Customer disconnects their Meta integration, or when an End User requests deletion, all associated Meta Platform Data is permanently deleted within 30 days. End Users and Customers may also request immediate deletion via our Data Deletion page.
• We comply with Meta's requirements for annual re‑verification, App Review, and any data deletion callbacks issued by Meta.

5.2 WhatsApp (WhatsApp Business API / Cloud API)

When a Customer connects a WhatsApp Business Account to MonkeyMachine, we access data through the WhatsApp Cloud API hosted by Meta. In addition to the general commitments in Section 5.1 above, the following applies specifically to WhatsApp data:

• We process messages, phone numbers, message templates, delivery receipts, and media files transmitted through the WhatsApp Business API solely for the purpose of enabling the Customer to communicate with their End Users.
• We comply with the WhatsApp Business Policy, WhatsApp Commerce Policy, and the WhatsApp Business Terms of Service.
• Opt‑in requirement: The Customer is solely responsible for obtaining explicit prior consent (opt‑in) from each End User before sending messages via WhatsApp. MonkeyMachine does not initiate WhatsApp communications without the Customer's instruction.
• GDPR roles: For WhatsApp Cloud API, the Customer acts as the Controller, Meta acts as the Processor of Company Personal Data (phone numbers, message content, message metadata), and MonkeyMachine acts as a sub‑processor on behalf of the Customer. Processing is governed by the Meta Global Processor Terms (MGPT).
• VoIP‑only restriction: WhatsApp Calling via Cloud API is limited to VoIP‑to‑VoIP connections. Public Switched Telephone Network (PSTN) connections on any leg of a call are prohibited by Meta and may result in regulatory sanctions.
• Prohibited data: The Customer must not transmit data subject to heightened regulatory requirements (including data governed by HIPAA or equivalent healthcare regulations) through the WhatsApp Cloud API. The Cloud API is not HIPAA‑compliant.
• No full card numbers: The Customer must not send full payment card numbers, CVVs, or other unmasked cardholder data via WhatsApp messages.
• No cross‑client data sharing: Data received from one Customer's WhatsApp Business Account is logically isolated and is never shared with, transferred to, or made accessible to any other Customer.
• Message content and metadata are stored only for the duration specified by the Customer's retention settings and applicable law. Upon disconnection of the integration, all WhatsApp data is permanently deleted within 90 days.
• We do not use WhatsApp data for any purpose other than providing the Service to the Customer.

5.3 Telegram (Bot API)

• We process messages, user identifiers, chat metadata, and media files received through the Telegram Bot API solely to provide the Customer's bot and messaging functionality.
• We comply with the Telegram API Terms of Service.
• We do not store Telegram data beyond the Customer's configured retention period.

5.4 Other Integrations (Email, Web Chat, SMS)

• For each additional channel, we process only the data necessary to deliver and display messages between the Customer and their End Users.
• The same principles apply: data is processed solely for Service delivery, not sold, and deleted upon account termination or valid deletion request.

5.5 General Commitments for All Platform Data

• All platform data is logically isolated per tenant — one Customer's data is never accessible to another Customer.
• Platform API tokens and credentials are encrypted at rest and are never exposed to other Customers or unauthorized personnel.
• We undergo periodic security reviews and maintain technical safeguards to prevent unauthorized access to platform data.
• In the event that a platform revokes or restricts API access, affected Customers will be notified promptly, and any cached data will be handled in accordance with the platform's requirements.

5.6 CRM Systems and Business Automation Platforms

The Platform provides integration with external CRM systems and business automation platforms (hereinafter — "CRM Systems"). Integration is initiated solely by the Customer for the purpose of bidirectional synchronization of client data, appointments, orders, services, and related information.

When a CRM integration is enabled, the Platform may receive and transmit the following categories of personal data:

• Client identification data: name, phone number, email address;
• Appointment and order data: date, time, service type, amount, status;
• Staff data: name, position, schedule (to the extent provided by the CRM system via API);
• Other data as determined by the specific integration settings.

Legal bases for processing:

• Processing on behalf of the controller (Art. 28 GDPR / Art. 6(3) of Federal Law No. 152-FZ) — the Customer, as the data controller in relation to their clients, instructs MonkeyMachine to process data received from the CRM system for the purpose of providing Platform functionality;
• Performance of a contract (Art. 6(1)(b) GDPR / Art. 6(1)(5) of Federal Law No. 152-FZ) — processing is necessary for the performance of the agreement between MonkeyMachine and the Customer.

Customer obligations:

• Ensure legal bases for the transfer of personal data between the CRM system and the Platform, including obtaining data subject consents where required;
• Notify data subjects of the fact that MonkeyMachine processes their data on the Customer's behalf;
• Ensure the accuracy and completeness of transmitted data;
• Maintain their own privacy policy disclosing the CRM integration.

MonkeyMachine commitments:

• Process CRM integration data solely for the purpose of providing the Service and within the scope of the Customer's instructions;
• Not independently determine purposes of processing for data received through CRM integrations;
• Store data for Russian Federation residents on servers located within the Russian Federation in accordance with Art. 18(5) of Federal Law No. 152-FZ;
• Ensure confidentiality of CRM system API keys and authorization tokens;
• Upon deactivation of the integration, cease synchronization; previously received data remains within the Customer's account until deleted by the Customer or upon account termination.

The list of CRM systems with which integration is available is published on the /legal/subprocessors page. Each CRM system is an independent data controller and is responsible for data processing within its own system in accordance with its own privacy policy.

The following table maps the main products and features of the Service to the categories of personal data processed and the applicable retention periods.

Upon account termination, Customers may export their data during a 30-day grace period. After this period, all data is permanently deleted within 90 days, except where longer retention is required by law.

MonkeyMachine offers AI-powered features that process personal data to deliver automated and enhanced functionality to Customers.

7.1 AI Features

• AI Chatbots — automated conversational agents that respond to End User messages based on rules, knowledge bases, and language models configured by the Customer;
• Auto-Replies & Suggested Responses — AI-generated response suggestions presented to Customer agents;
• Conversation Summaries — automated summaries of conversation threads;
• Analytics & Insights — aggregated reporting on conversation patterns and engagement metrics.

7.2 Data Processing by AI

• AI features process End User message content and metadata to generate responses, summaries, or analytics.
• Data sent to third-party AI providers is transmitted securely and subject to data processing agreements.
• We do not use End User data to train general-purpose AI models. Customer data is processed solely to provide the AI features within the Service.
• Third-party AI providers are contractually prohibited from using Customer or End User data to train their own models.

7.3 Automated Decision-Making

AI features do not make automated decisions that produce legal or similarly significant effects on End Users. If a Customer configures AI in a manner that may involve automated decision-making, the Customer is responsible for ensuring compliance with applicable law.

7.4 Opting Out

Customers may disable AI features at any time through their account settings.

8.1 Data Hosting

The Service infrastructure and primary databases are hosted in data centers located in the European region. We select hosting providers that maintain industry-standard certifications (ISO 27001, SOC 2, or equivalent).

8.2 International Transfers

Personal data may be transferred to or accessed from countries outside of the country where it was originally collected when:

• Using third-party sub-processors located in other jurisdictions (see Sub-Processors);
• Sending data to AI providers or communication platform APIs;
• Providing customer support from different locations.

8.3 Transfer Safeguards

Where personal data is transferred outside of a jurisdiction that imposes transfer restrictions (e.g., the EEA), we implement appropriate safeguards including Standard Contractual Clauses (SCCs), data processing agreements, and technical measures such as encryption in transit and at rest.

9.1 Cookies We Use

• Strictly Necessary Cookies — required for authentication, session management, security, and core functionality. Cannot be disabled.
• Functional Cookies — remember user preferences such as language, timezone, and display settings.
• Analytics Cookies — collect anonymized usage data to improve performance.

We do not use advertising cookies or tracking pixels for ad retargeting purposes.

9.2 Managing Cookies

You can control cookies through your browser settings or our cookie consent banner. Disabling strictly necessary cookies may impair functionality.

We do not sell, rent, or trade personal data. We share personal data only in the following circumstances:

10.1 Sub-Processors

We engage third-party sub-processors bound by data processing agreements. See /legal/subprocessors.

10.2 Communication Platforms

Message data is transmitted to and from third-party channels (Facebook Messenger, Instagram Direct, WhatsApp, Telegram, etc.) via their APIs to deliver messaging functionality.

10.3 Customer's Third-Party Integrations

Customers may configure integrations with third-party services. MonkeyMachine is not responsible for the data practices of third-party services selected by the Customer.

10.4 Legal & Regulatory Disclosure

We may disclose personal data if required by law, regulation, legal process, or enforceable governmental request.

10.5 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity with prior Customer notification.

11.1 General Principles

We retain personal data only as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements.

11.2 Customer-Controlled Retention

For End User data, Customers may configure retention settings. Deleted data is permanently removed from active systems within 30 days and from backups within 90 days.

11.3 Account Termination

• 30-day grace period for data export;
• Permanent deletion within 90 days after the grace period;
• Certain data retained longer where required by law.

11.4 Data Deletion Requests

Deletion requests can be submitted via /legal/data-deletion or by contacting us. Processed within 30 days.

We implement appropriate technical and organizational measures to protect personal data:

Technical Measures:

• Encryption in transit (TLS 1.2+) and at rest (AES-256);
• Logical tenant isolation per Customer;
• Regular vulnerability scanning and penetration testing;
• Secure credential storage (salted hashing, encrypted API tokens);
• Access controls based on least privilege;
• Automated backup with encrypted storage.

Organizational Measures:

• Access restricted to personnel who require it;
• Personnel subject to confidentiality obligations;
• Documented incident response procedures;
• Sub-processor security evaluation before engagement.

Depending on your jurisdiction, you may have the following rights:

• Right of Access — obtain a copy of your personal data;
• Right to Rectification — correct inaccurate data;
• Right to Erasure — request deletion of your data;
• Right to Restriction — limit processing in certain circumstances;
• Right to Data Portability — receive data in machine-readable format;
• Right to Object — object to processing based on legitimate interests;
• Right to Withdraw Consent — withdraw consent at any time;
• Right Not to Be Subject to Automated Decision-Making.

How to Exercise Your Rights: Contact us at privacy@monkeymachine.ru or use our Data Deletion page. We respond within 30 days.

End Users: If your data is processed by a Customer through the Service, direct your request to the Customer (the Controller). If you contact us directly, we will forward your request to the relevant Customer.

We engage third-party sub-processors under written agreements with data protection obligations no less protective than this Policy.

Current list: /legal/subprocessors.

Customers subscribed to change notifications will be notified before new sub-processors are engaged, with the opportunity to object per their DPA.

The Service is designed for businesses and professionals and is not directed at children under 18. We do not knowingly collect personal data from children.

If we become aware that we have collected data from a child, we will promptly delete it.

Customers are responsible for ensuring they do not use the Service to collect data of children in violation of applicable law (COPPA, GDPR, etc.).

In the event of a personal data breach likely to result in risk to individuals, we will:

• Notify affected Customers within 72 hours of becoming aware;
• Cooperate with Customers to fulfill their notification obligations;
• Document the breach in our internal register;
• Take immediate remedial action to contain and prevent recurrence.

Where we act as Controller, we will notify the relevant supervisory authority and affected individuals directly where required by law.

We may update this Policy to reflect changes in our practices or applicable law:

• Material changes: 30 days' notice via email or in-Service notification;
• Non-material changes: updated without prior notice.

Continued use after the effective date constitutes acknowledgment. If you disagree, discontinue use before changes take effect.

Data Controller: Sole Proprietor Rabadan Izabakarov

Email: privacy@monkeymachine.ru

Data Deletion: /legal/data-deletion

Sub-Processors: /legal/subprocessors

We respond to all inquiries within 30 days.

Complaints: You have the right to lodge a complaint with a supervisory authority in the jurisdiction where you reside, work, or where the alleged violation occurred. We encourage you to contact us first.