Privacy Policy

This Privacy Policy describes how Reboko ("Reboko", "we", "us", or "our") collects, uses, discloses, and safeguards information when you use our multi-channel AI business-assistant platform (the "Service"), including our web dashboard, mobile applications, and related APIs.

1. Data Controller

The data controller responsible for your personal data is Ismayil Huseynli (individual entrepreneur, Azerbaijan), operating as Reboko. You can contact us at support@reboko.com for any privacy-related question.

2. Information We Collect

We collect the following categories of information:

• Account data: email address, name, password hash, language preference, profile avatar, two-factor authentication settings.
• Business data: business name, type, location, operating hours, reservation rules, resources, menu or service catalog, knowledge-base entries, Instagram/WhatsApp/Telegram/TikTok channel identifiers you choose to connect.
• Customer-conversation data: messages your customers send to your connected channels, replies your business (or the AI on your behalf) sends, timestamps, channel metadata, and customer identifiers (phone numbers, social-media handles) as provided by the upstream channel.
• Payment metadata: subscription plan, billing status, invoice references. Full card numbers are never seen or stored by Reboko — payment is processed by Paddle (see Processors below).
• Device + technical data: IP address, device type, operating system, app version, push-notification device tokens, crash logs, performance telemetry.
• Cookies + analytics: session cookies on the web dashboard and minimal product analytics to measure usage and reliability. No ad-tech trackers.

3. How We Use Your Data

• To provide, operate, and maintain the Service.
• To generate AI replies to customer conversations on your behalf, using business context you provide (see the AI Use disclosure).
• To process payments and manage subscriptions via Paddle.
• To send transactional emails (account, billing, security).
• To deliver push notifications when you opt in (new messages, bookings, escalations).
• To investigate abuse, enforce our Terms of Service, and comply with legal obligations.

4. Sub-Processors + Third Parties

We share data with the following processors strictly to operate the Service. Each is contractually bound to protect your data.

• OpenAI — AI model inference for generating replies. OpenAI's API terms state API data is not used to train their models.
• Paddle — payment processing, subscription billing, tax, invoicing.
• Meta Platforms (WhatsApp Business, Instagram, Messenger) — when you connect these channels, messages route through Meta's APIs per their terms.
• Telegram — when you connect a Telegram bot, messages route through Telegram's Bot API.
• TikTok — when you connect TikTok messaging, messages route through TikTok's APIs.
• Microsoft Azure — cloud hosting (compute, storage, networking) in the EU region.
• Resend — transactional email delivery.
• Cloudflare — DNS, CDN, DDoS protection.
• Apple / Google — push notification delivery (APNs, FCM) and mobile-app distribution.

We do not sell your personal data and do not share it with advertisers.

5. International Transfers

Your data may be processed in the European Union (our primary hosting region) and in the United States (OpenAI, Paddle, Cloudflare, Apple/Google). Where required, transfers rely on Standard Contractual Clauses or equivalent safeguards.

6. Retention

• Account + business data: retained while your account is active; deleted within 30 days of account deletion, except where law requires longer retention (e.g. tax records).
• Customer conversations: retained indefinitely while the account is active so you can review history. Deleted within 30 days of account deletion.
• Application + security logs: retained for up to 90 days.
• Deletion audit log: we keep a minimal record (user id, date of deletion) for legal and anti-fraud purposes for up to 24 months after deletion.

7. Your Rights

Depending on your jurisdiction (including the EU / EEA, UK, California, and similar regimes), you have the following rights:

• Access — request a copy of the personal data we hold about you.
• Rectification — correct inaccurate or incomplete data.
• Deletion — request deletion of your account and associated data (right to erasure).
• Portability — receive your data in a machine-readable format.
• Objection + restriction — object to or limit certain processing.
• Withdrawal of consent — where processing is based on consent.
• Complaint — lodge a complaint with your local supervisory authority.

To exercise any of these rights, email support@reboko.com. Account deletion can also be initiated from More → Profile → Delete account inside the app — full instructions are on our Data Deletion page.

7a. California (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act grants you additional rights:

• Right to know the categories and specific pieces of personal information we have collected.
• Right to delete personal information we have collected, subject to exceptions.
• Right to correct inaccurate personal information.
• Right to opt out of sale or sharing. Reboko does not sell or share personal information for cross-context behavioral advertising. There is nothing to opt out of, but the right is preserved.
• Right to limit use of sensitive personal information. We do not use sensitive PI for any purpose other than providing the Service.
• Right to non-discrimination for exercising any of the above.

Submit California requests by emailing support@reboko.com with the subject line "CCPA request".

8. Security

We use industry-standard measures — transport encryption (TLS), at-rest encryption for databases and backups, JWT-based authentication, password hashing, least-privilege access controls — to protect your data. No system is perfectly secure; please report suspected vulnerabilities to support@reboko.com.

9. Children

Reboko is a business-operations tool intended for users age 16 and over. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with data, please contact us and we will delete it.

10. Changes to This Policy

We may update this Policy from time to time. Material changes will be announced via the app and via email to the account owner. The "Last updated" date at the top of this page reflects the current version.