Sales Agent Software App Bot

Privacy Policy

Last updated: June 13, 2026

1. Introduction

This Privacy Policy describes how Kastana Apps ("Kastana Apps," "we," "us," or "our") collects, uses, stores, and shares information when you use the SalesAgent platform, including our website at salesagent.kastanaapps.com, admin dashboard, API, and embeddable chat widget (collectively, the "Service").

SalesAgent is a business-to-business (B2B) software platform. Our customers are small and medium businesses ("Tenants" or "Business Customers") that use the Service to communicate with their own customers ("End Customers") through messaging channels such as WhatsApp, Instagram, Facebook Messenger, Telegram, and web chat.

2. Roles and responsibilities

Kastana Apps acts as a data processor when handling End Customer messaging data on behalf of Business Customers. Each Business Customer is the data controller for its End Customer data and is responsible for providing appropriate privacy notices and obtaining any required consents.

Kastana Apps acts as a data controller for account, billing, platform usage, and security-related information relating to Business Customers and their authorized users.

3. Information we collect

3.1 Business account information

  • Name, email address, username, and password (stored as a secure hash)
  • Business name, industry, and configuration settings
  • Billing and subscription information where applicable
  • Audit logs of administrative actions within the platform

3.2 Messaging and customer data

When a Business Customer connects messaging channels, we process data received from those channels on the Business Customer's behalf, including:

  • Message content (text, media metadata, and attachments where enabled)
  • Sender identifiers such as phone numbers, social profile IDs, and display names
  • Conversation metadata, timestamps, channel type, and delivery status
  • Leads, appointments, product inquiries, and other records created through the Service
  • Knowledge base content uploaded or scraped by the Business Customer (FAQs, policies, catalog data)

3.3 AI and automation data

  • Conversation context sent to large language model (LLM) providers to generate replies
  • Semantic embeddings of knowledge content for retrieval-augmented responses
  • AI-generated conversation summaries stored to maintain context across sessions
  • Agent configuration such as tone, enabled tools, and escalation rules

3.4 Technical and usage data

  • IP address, browser type, device information, and access timestamps
  • Authentication tokens and session data
  • API usage, error logs, and performance metrics
  • Webhook delivery and queue processing records

3.5 Credentials and secrets

API keys and channel credentials (for example Meta, WhatsApp, LLM providers) provided by Business Customers are encrypted at rest using AES-256 and stored separately from general application data.

4. How we use information

We use collected information to:

  • Provide, operate, maintain, and improve the Service
  • Authenticate users and enforce multi-tenant data isolation
  • Route, store, and deliver messages between Business Customers and End Customers
  • Power AI-assisted sales conversations, product search, FAQ responses, and lead capture
  • Escalate conversations to human staff when configured or required
  • Generate analytics, usage reporting, and audit trails for Business Customers
  • Detect abuse, fraud, and security incidents
  • Comply with legal obligations and enforce our Terms of Service
  • Communicate with Business Customers about the Service, support, and product updates

We do not sell personal information. We do not use End Customer messaging content to train public AI models.

5. Meta and third-party messaging platforms

When Business Customers connect Meta products (WhatsApp Business, Instagram messaging, Facebook Messenger, or related APIs), data is exchanged with Meta Platforms, Inc. and its affiliates in accordance with Meta's terms and the Business Customer's authorization. Message delivery, webhook events, and OAuth authentication are handled through Meta's APIs.

Business Customers must comply with Meta Platform Terms, WhatsApp Business Messaging Policy, and applicable messaging rules. Kastana Apps processes Meta-related data solely to provide the Service to the authorizing Business Customer.

6. AI service providers

The Service may send conversation content and knowledge snippets to third-party AI providers to generate responses, including:

  • Google (Gemini) for conversational AI
  • OpenAI for text embeddings and optional LLM features when configured

These providers process data according to their own privacy policies and our agreements with them. Business Customers may configure which providers are used through platform settings and API keys.

7. Data sharing

We may share information with:

  • Service providers that help us host, secure, and operate the Service (cloud infrastructure, email delivery, payment processing)
  • Messaging and integration partners necessary to deliver connected channels (Meta, Telegram, and similar platforms)
  • AI providers when generating automated responses or embeddings, as configured by the Business Customer
  • Legal authorities when required by law, court order, or to protect rights, safety, and security
  • Business successors in connection with a merger, acquisition, or sale of assets, subject to this Privacy Policy

All subprocessors are bound by confidentiality and data protection obligations appropriate to the nature of the data processed.

8. Data retention

Business Customers may configure message retention periods (typically 30, 90, or 365 days). Unless otherwise required by law or contract, closed conversations and related messages may be deleted automatically after the configured retention period.

Account and billing records are retained for as long as the account is active and for a reasonable period thereafter to comply with legal, tax, and audit requirements.

9. Security

We implement administrative, technical, and organizational measures designed to protect personal data, including:

  • Multi-tenant isolation with tenant-scoped database access
  • Encryption of sensitive credentials at rest (AES-256)
  • HTTPS/TLS for data in transit
  • Role-based access controls and authentication for platform users
  • Webhook signature verification for inbound messaging events
  • Audit logging of sensitive administrative actions

No method of transmission or storage is completely secure. Business Customers are responsible for safeguarding their account credentials and API keys.

10. Your rights

Depending on your location, you may have rights to access, correct, delete, restrict, or export personal data, and to object to or withdraw consent for certain processing.

Business Customer users: Contact us at info@kastanaapps.com to exercise rights relating to your account data.

End Customers of a Business Customer: Contact the relevant business directly to exercise rights relating to your conversations with that business. Business Customers may use built-in compliance tools (data export and deletion endpoints) to respond to End Customer requests.

We will respond to verified requests within the timeframes required by applicable law.

11. Cookies and similar technologies

We use essential cookies and local storage to maintain authenticated sessions and remember user preferences. We do not use third-party advertising cookies on the admin platform. The embeddable web chat widget may use local storage to maintain conversation continuity.

12. International data transfers

We may process and store information in countries other than where it was collected, including where our infrastructure and subprocessors operate. Where required, we implement appropriate safeguards for cross-border transfers consistent with applicable data protection laws.

13. Children's privacy

The Service is not directed to individuals under 16 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us and we will take appropriate steps to delete it.

14. Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised policy on this page and update the "Last updated" date. Material changes may also be communicated to Business Customers by email or in-product notice.

15. Contact us

For privacy questions, data subject requests, or complaints, contact:

Kastana Apps
Email: info@kastanaapps.com
Website: salesagent.kastanaapps.com

© 2026 Kastana Apps. All rights reserved.
