Privacy Policy

KiwKiw – AI Messaging Platform

Last Updated: February 25, 2026

1. Introduction

KiwKiw ("we," "our," or "us") provides a multi-tenant AI-powered messaging automation platform that integrates with third-party services such as Meta (Facebook Messenger), Google, and other platforms.

This Privacy Policy explains how we collect, use, store, and protect personal data when you:

  • Use the KiwKiw platform
  • Connect your Meta Page via OAuth
  • Interact with a business using KiwKiw-powered chat automation
  • Visit our website or dashboard

KiwKiw acts:

  • As a Data Controller for platform account information
  • As a Data Processor on behalf of our business clients for Messenger conversation data

2. Information We Collect

2.1 Account Information (Platform Users)

When businesses create an account, we collect:

  • Name
  • Email address
  • Password (hashed)
  • Role (user, admin, super_admin)
  • Authentication tokens
  • Billing or subscription plan information

2.2 Meta (Facebook) Data

When a user connects their Facebook Page via OAuth, we collect:

  • Facebook Page ID
  • Page name
  • Page access token
  • User access token (short-lived, when required)
  • Permissions granted to the application
  • Messenger sender ID (PSID)
  • Messenger message content sent to the Page

We do not access personal Facebook profiles beyond the permissions granted during OAuth.

We only request permissions necessary to operate messaging automation (e.g., pages_messaging, pages_manage_metadata, business_management).

2.3 Conversation Data

When a customer sends a message to a connected Facebook Page, we process:

  • Message content
  • Sender ID (PSID)
  • Timestamps
  • Metadata required to respond

This data is processed to generate AI responses and may be temporarily stored for conversation continuity and analytics.

2.4 Technical Information

We automatically collect:

  • IP address
  • Device and browser metadata
  • Log files
  • API request logs
  • Error logs

2.5 AI Processing Data

Message content may be securely transmitted to third-party AI providers (e.g., Google Gemini API) for automated response generation.

We do not use conversation data to train public AI models.

3. How We Use Information

We use collected information to:

  • Authenticate users
  • Connect and manage Meta Pages
  • Process and respond to Messenger messages
  • Generate AI-based responses
  • Provide dashboard functionality
  • Maintain system security
  • Improve reliability and performance
  • Prevent abuse and fraud
  • Comply with legal obligations

4. Legal Basis for Processing

Where applicable, we process data based on:

  • User consent (OAuth authorization)
  • Contractual necessity (service provision)
  • Legitimate interest (platform security and performance)
  • Legal obligations

5. Data Storage & Infrastructure

KiwKiw infrastructure includes:

  • Hosting on Hetzner Virtual Private Server (VPS)
  • Backend API built with Hono.js (Bun runtime)
  • PostgreSQL database for persistent storage
  • Redis cache for session and credential caching
  • AWS S3 for file storage
  • Cloudflare for CDN and security
  • Nginx reverse proxy

All communication uses HTTPS with TLS encryption.

Access tokens are encrypted at rest.

6. Data Retention

We retain data as follows:

  • Platform account data: Retained while the account is active.
  • Messenger conversation data: Retained for operational purposes and may be deleted upon client request.
  • OAuth tokens: Stored securely and deleted upon Page disconnection.
  • Logs: Retained for security and debugging purposes for a limited period.

When a business disconnects their Page or deletes their account, associated credentials are permanently removed.

7. Data Sharing & Third Parties

We do not sell personal data.

We may share information with:

  • Meta Platforms (for Messenger functionality)
  • Google (SSO authentication)
  • Google Gemini API (AI response generation)
  • AWS (S3 storage)
  • Cloudflare (CDN and security services)
  • Infrastructure providers (Hetzner VPS)

Each provider processes data under its own privacy policy.

8. International Data Transfers

Data may be processed in jurisdictions outside the user’s country depending on infrastructure location. We implement appropriate safeguards and encryption to protect transferred data.

9. Security Measures

We implement:

  • HTTPS encryption
  • HMAC signature verification for Messenger webhooks
  • Token encryption at rest
  • Role-based access control
  • Audit logging
  • Credential caching with limited TTL
  • Firewall and reverse proxy protections
  • Regular dependency updates

Despite these measures, no system can guarantee absolute security.

10. User Rights

Users may:

  • Request access to their personal data
  • Request correction of inaccurate information
  • Request deletion of their data
  • Disconnect their Facebook Page at any time
  • Revoke OAuth permissions through Facebook settings

Messenger users may request deletion by contacting the Page owner or contacting us directly.

11. Children’s Privacy

KiwKiw is not directed at individuals under 13 years of age. We do not knowingly collect personal data from children.

12. Changes to This Policy

We may update this Privacy Policy periodically. The updated version will be posted with a revised “Last Updated” date.

13. Contact Information

If you have questions about this Privacy Policy or wish to exercise your rights, contact:

[email protected]
