Privacy Policy

Last updated: June 29, 2026

Overview

MessyChat ("we", "us", or "our") operates the MessyChat platform — an AI-powered customer messaging tool for small businesses. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services.

By using MessyChat, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use our services.

MessyChat is a Meta Business Partner and a WhatsApp Business Solution Provider. Our platform integrates with the WhatsApp Business API and Instagram Messaging API. We are committed to complying with Meta's Platform Terms, WhatsApp Business Policy, and all applicable data protection laws including the GDPR.


Data We Collect

Account & Profile Information

When you create a MessyChat account we collect:

  • Full name and email address
  • Business name, type, and size
  • Phone number (optional)
  • Profile photo (if provided via Google Sign-In)

WhatsApp & Messaging Channel Data

When you connect a WhatsApp or Instagram channel, we collect and process:

  • Your WhatsApp Business phone number and Phone Number ID
  • WhatsApp Business Account ID
  • Incoming customer messages received through your connected channel
  • Customer names and phone numbers as provided by the messaging platform
  • Message timestamps, delivery status, and conversation metadata

Important: MessyChat processes your customers' messages solely to provide the service to you (i.e., to display conversations in your dashboard, classify them, and enable AI replies). We do not use your customers' message content for advertising or sell it to third parties.

Usage & Technical Data

  • IP address, browser type, and operating system
  • Pages visited, features used, and time spent in the dashboard
  • Device information
  • Error logs and crash reports

Payment Information

Payment card details are processed directly by our payment provider (Stripe). We store only a subscription status record and the masked last four digits of your card. We never store full card numbers.


How We Use Your Data

We use the information we collect to:

  • Provide the service: Display your customer conversations, classify messages, and generate AI-suggested replies in your dashboard.
  • Send messages on your behalf: When you or our AI sends a reply, we transmit it through the WhatsApp Cloud API or Instagram API using your connected account credentials.
  • Account management: Authenticate you, manage your subscription, and send transactional emails (e.g., password resets, billing receipts).
  • Product improvement: Understand how users interact with features to improve MessyChat. We use aggregated, anonymised data only.
  • Security & fraud prevention: Detect abuse, enforce our Terms of Service, and protect both MessyChat and its users.
  • Legal compliance: Meet our obligations under applicable laws and Meta's Platform Policies.

We will never sell your data or your customers' data to third parties. We do not use customer message content to train AI models without explicit consent.


WhatsApp & Meta Data Handling

MessyChat integrates with Meta's WhatsApp Business Platform Cloud API and Instagram Messaging API. Using these features is subject to WhatsApp's Business Policy and Meta's Platform Terms, in addition to this Privacy Policy.

How WhatsApp Message Data Flows

  1. A customer sends a message to your WhatsApp Business number.
  2. Meta's Cloud API delivers the message to our secure webhook endpoint.
  3. We store the message in your private Firestore database, accessible only to your account.
  4. The message appears in your MessyChat dashboard for you to read or reply to.

What We Store

  • Message text, sender phone number, and timestamps — stored in Firebase Firestore (Google Cloud, US region).
  • Conversation metadata (booking/inquiry/complaint classification, unread count, resolved status).

Data Minimisation

We store only what is necessary to display and manage your conversations. We do not store WhatsApp media files (images, audio, documents) server-side beyond what Meta's Cloud API temporarily holds for delivery.

Meta Permissions We Request

When you connect your Facebook/Meta account to MessyChat, we request only the permissions required to deliver the service:

  • whatsapp_business_management — to manage your WhatsApp Business Account settings.
  • whatsapp_business_messaging — to send and receive WhatsApp messages on your behalf.
  • instagram_basic and instagram_manage_messages — to read and reply to Instagram DMs on your behalf.
  • pages_manage_metadata — to connect your Facebook Page to enable Instagram messaging.

We request only the minimum permissions necessary. You can revoke these permissions at any time from your Facebook Business Settings.

Your Customers' Data

You are the data controller for your customers' personal information. MessyChat acts as a data processor on your behalf. You are responsible for ensuring you have a lawful basis to process your customers' data and that you comply with applicable privacy laws when using MessyChat to communicate with them.


Third-Party Services

We use a limited set of third-party services to operate MessyChat:

Provider | Purpose | Data Shared
Firebase (Google) | Authentication, database, hosting | Account info, messages, usage data
Meta / WhatsApp | Message delivery (Cloud API) | Message content, phone numbers
Meta / Instagram | Instagram DM delivery | Message content, Instagram IDs
Stripe | Payment processing | Billing info (PCI-DSS compliant)
Vercel | Web hosting & edge delivery | Request logs, IP addresses

Each provider is bound by its own privacy policy and applicable data processing agreements. We do not share your data with any other third parties without your explicit consent, except as required by law.


Data Retention

  • Account data: Retained while your account is active. Deleted within 30 days of an account deletion request.
  • Conversation & message data: Retained for the duration of your subscription plus 90 days after cancellation to allow data export.
  • Payment records: Retained for 7 years to comply with tax and accounting obligations.
  • Usage logs: Retained for 30 days for security and debugging purposes.
  • Deleted accounts: All personal data is purged within 30 days of account deletion, except where retention is required by law.

Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Right of Access: Request a copy of the personal data we hold about you.
  • Right to Rectification: Correct inaccurate or incomplete data.
  • Right to Erasure: Request deletion of your personal data ("right to be forgotten").
  • Right to Restriction: Ask us to limit how we process your data.
  • Right to Data Portability: Receive your data in a structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests or for direct marketing.
  • Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time.

How to Delete Your Data

You can delete your MessyChat account and all associated data at any time from your dashboard under Settings → Account → Delete Account. You may also email us at privacy@messychat.com with a deletion request. We will process your request within 30 days.

To exercise any other rights, contact us at privacy@messychat.com. We will respond within 30 days.


Security

We implement industry-standard security measures to protect your data:

  • All data in transit is encrypted using TLS/HTTPS.
  • Firebase Security Rules restrict database access to authenticated account owners only.
  • API keys and credentials are stored as environment variables, never in client-side code.
  • Webhook endpoints verify Meta's signature on every incoming request.
  • Passwords are hashed using Firebase Authentication's bcrypt-based system.

No method of transmission over the internet is 100% secure. While we strive to protect your data using commercially acceptable means, we cannot guarantee absolute security. In the event of a data breach affecting your rights and freedoms, we will notify you as required by applicable law.


Cookies

MessyChat uses a minimal set of cookies:

  • Authentication cookies: Set by Firebase to keep you logged in. These are strictly necessary and cannot be disabled.
  • Preference cookies: Store your dashboard preferences (e.g., selected filters). These are session-based.

We do not use third-party advertising or tracking cookies. You can control cookies through your browser settings, though disabling authentication cookies will prevent you from logging in.


Children's Privacy

MessyChat is a business tool intended for use by adults (18+). We do not knowingly collect personal information from children under the age of 13. If you believe we have inadvertently collected information from a child, please contact us immediately at privacy@messychat.com and we will delete it promptly.


Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by displaying a prominent notice in the dashboard at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision. Your continued use of MessyChat after changes become effective constitutes acceptance of the updated policy.


Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

MessyChat

Privacy & Data Requests

Email: privacy@messychat.com

If you are located in the European Union and are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.