Legal

Privacy Policy

Effective: 21 June 2026

AIOChat.ie ('we', 'us', 'our') operates a unified inbox service that lets you read and reply to customer messages from Facebook Messenger, Instagram, WhatsApp, Gmail and TikTok in one place. This page explains what data we collect, how we use it, who we share it with, and the choices you have. We try to keep this short and in plain English.

1. Data we collect

Account data. When you sign in we store your username (from the AUTH_USER_B64 / AUTH_PASS_B64 environment variables) in a signed, HttpOnly session cookie. We do not store the password itself.

Messages and conversations. When you connect a channel we receive the message bodies, sender identifiers (e.g. PSID, WhatsApp phone number, Instagram-scoped user ID, email address), timestamps, and any media URLs that the platform includes in the webhook payload. We store these in a JSON file on the server's filesystem (or /tmp on read-only hosts) so the inbox can show the conversation history.

Channel credentials. Access tokens and verify tokens you paste, or that we receive via OAuth, are stored locally in data/credentials/<platform>.json with file permissions set to 0600. The browser only ever sees a masked preview (e.g. "EAAJ…ZCHQ").

Usage data. Standard server logs (path, status code, response time, anonymised IP) are recorded for reliability and debugging. We do not use third-party analytics on the inbox.

2. How we use the data

We use the data solely to render your unified inbox, deliver your replies back to the originating channel via the relevant Meta / Google / TikTok APIs, and to display connection diagnostics (token scopes, last-test results, page names).

We do not:
• read or train on your messages;
• sell any data to third parties;
• share message content with anyone other than the platforms you explicitly connected;
• use your data for advertising or profiling.

3. Third-party services

When you connect a channel, message content flows through that platform's API. Each platform is a separate data controller for the customer-side data:
• Meta Platforms Ireland Ltd / Meta Platforms Inc. — Facebook Messenger, Instagram, WhatsApp Cloud API. Governed by Meta's Platform Terms and Data Policy.
• Google Ireland Ltd — Gmail (when configured). Governed by Google Cloud / Workspace terms.
• TikTok Pte. Ltd. — TikTok messaging (when approved). Governed by TikTok for Business terms.

We only request the scopes strictly necessary to receive and send messages on your behalf. You can revoke access at any time from your Meta App, Google account or TikTok Business settings.

4. Cookies

We use first-party cookies for two purposes only:
• NextAuth session cookies (e.g. 'authjs.session-token', '__Secure-authjs.session-token') — keep you signed in. HttpOnly, SameSite=Lax, 8-hour expiry.
• aiochat_oauth_state / aiochat_oauth_pending — short-lived (15 min) cookies used during the Meta OAuth flow.

We do not use advertising or cross-site tracking cookies.

5. Data retention

Messages stay in the JSON store until you delete the conversation, close the channel, or delete the store file. On Vercel the store lives under /tmp/data and is wiped when the deployment cold-starts or is replaced. Export or back up your store file if you need long-term retention. You can request deletion of all data we hold by emailing the address below. We action verified requests within 30 days.

6. Your rights (GDPR / UK GDPR / CCPA)

If you are in the EEA, UK or California you have the right to:
• access the personal data we hold about you;
• correct inaccurate data;
• request deletion;
• restrict or object to processing;
• data portability;
• lodge a complaint with your local supervisory authority.

To exercise any of these, email the address at the bottom of this page.

7. Security

All traffic is served over HTTPS. Credentials are stored locally with restrictive file permissions and never echoed back to the browser after the initial save. Session cookies are HttpOnly and signed with HMAC-SHA-256. No system is perfectly secure. If you discover a vulnerability, please email us rather than filing a public issue.

8. Changes to this policy

We will post any material changes on this page and bump the "Effective" date above. Continued use of the service after a change indicates acceptance of the updated policy.

9. Contact

AIOChat.ie
Email: hello@aiochat.ie

If you prefer post, request the postal address by email and we'll send it back.