Privacy Policy

1. Introduction

This Privacy Policy describes how Pommy.ai ("Platform", "Service", "we", "us") collects, processes, stores, and protects your personal data when you use our platform. Pommy considers protecting user privacy and ensuring data security a fundamental responsibility.

By using the Platform, you agree to the terms outlined in this Privacy Policy. If you do not agree, please do not use the Service.

2. Data Controller

The data controller responsible for processing your personal data is Pommy.ai. You can direct all data protection inquiries to privacy@dev.pommy.ai.

3. Information We Collect

Pommy may process the following categories of data:

3.1 Account Information

• Full name and email address
• Company / organization details
• User role and permissions
• Profile photo (optional)
• Encrypted password hash

3.2 Customer Service Data

• Live chat contents and message history
• Support ticket records
• Visitor interaction data and session information
• Customer satisfaction ratings and feedback
• AI chatbot conversation logs

3.3 Technical Data

• IP address
• Browser type, version, and language preference
• Device information and operating system
• Session logs and access timestamps
• Page views and click data
• Referrer URL

3.4 Payment Information

• Payment transactions are processed through third-party payment providers (e.g., Stripe).Pommy does not directly store credit card numbers or full payment details.
• Billing address and tax identification numbers may be stored.

4. How We Collect Data

Your personal data is collected through:

• Account creation and profile update forms
• Automatically during your interactions on the Platform
• Visitor information submitted through the chat widget
• Cookies and similar tracking technologies
• API integrations

5. How We Use Your Data

Collected data is processed for the following purposes:

• Providing and maintaining core Platform functionality
• Managing customer support operations
• Improving AI-powered features (chatbot, auto-reply, sentiment analysis)
• Ensuring system security and preventing unauthorized access
• Analytics, performance measurement, and service quality improvement
• Fulfilling legal obligations
• Providing technical support to users
• Billing and subscription management

6. Legal Basis for Processing

Your personal data is processed under the following legal bases:

• Contract performance: Data processing necessary for establishing and fulfilling the service agreement
• Legitimate interest: Platform security, fraud prevention, and service improvement
• Legal obligation: Tax, accounting, and regulatory requirements
• Consent: Marketing communications and optional data processing activities

7. Data Sharing

Pommy:

• Never sells user data to third parties under any circumstances.
• Does not use or share personal data for advertising purposes.
• Data may only be shared in the following cases and to the extent necessary:
  • Infrastructure providers: Cloudflare (hosting, CDN, security), database services
  • Payment processors: Stripe or similar PCI-DSS compliant providers
  • AI model providers: For chatbot functionality (data is transmitted in anonymized form)
  • Legal requirement: Court orders or requests from competent authorities

Data Processing Agreements (DPA) are in place with all third-party service providers.

8. International Data Transfers

Pommy operates on Cloudflare's global edge network. Your data may be processed at Cloudflare data centers in different countries to provide the service. These transfers:

• Are conducted under EU Standard Contractual Clauses (SCC)
• Are subject to appropriate safeguards under GDPR Article 46
• Are supported by additional technical and organizational measures

9. Data Security

Pommy implements the following security measures to protect your data:

• TLS 1.3 encrypted data transmission (in-transit encryption)
• AES-256 encrypted data storage (at-rest encryption)
• Role-based access controls (RBAC) and least-privilege principle
• Comprehensive audit log system
• Automatic session timeouts and secure session management
• DDoS protection and Web Application Firewall (WAF)
• Regular security assessments and updates

10. Data Retention

Data is retained for the duration of the service and as required by legal obligations:

• Account data: While the account is active, plus 30 days after closure
• Chat records: According to the retention policy set by the organization (default 90 days, maximum 365 days)
• Technical logs: 90 days for security purposes
• Billing data: 10 years as required by law

Upon user request, data outside of legal retention requirements will be deleted or anonymized.

11. Your Rights

Under KVKK and GDPR, you have the following rights:

• Right of access: Learn whether your personal data is being processed and request access to it
• Right to rectification: Request correction of incomplete or inaccurate data
• Right to erasure: Request deletion of your personal data ("right to be forgotten")
• Right to restriction: Request limitation of processing under certain conditions
• Right to data portability: Receive your data in a structured, commonly used, machine-readable format (JSON)
• Right to object: Object to processing based on legitimate interest
• Right to withdraw consent: Withdraw your consent at any time for consent-based processing

To exercise these rights, contact privacy@dev.pommy.ai or use the Account > Privacy & Data Management section within the Platform to export or delete your data.

Requests are responded to within 30 days.

12. Children's Privacy

Pommy is not intended for individuals under 16 years of age. We do not knowingly collect personal data from children. If you become aware that a child has provided personal data, please contact us.

13. Policy Updates

Pommy may update this Privacy Policy from time to time. When significant changes are made, we will notify you via your registered email address and through an announcement on the Platform. The updated policy takes effect from the date of publication.

14. Contact

For questions about our privacy practices or how your data is processed: