Privacy Policy

Heoxify – Customer Communication Platform Instagram · WhatsApp Business · Web Meta App Review Ready KVKK & GDPR

Last updated: May 2026 Türkçe sürüm

This policy explains clearly what personal data we process when you create an account, connect channels, or use paid plans. Please read it before using the Service.

1. Scope

Heoxify is a product and brand operated by Heoxa Teknoloji.

This Privacy Policy explains how we collect, use, store, and protect personal data when you use Heoxify: AI-assisted customer communication via Instagram Direct Messages, optional WhatsApp Business (Meta Cloud API), an embeddable website chat widget, and related dashboard features (the “Service”). “We” means the data controller Heoxa Teknoloji.

By using the Service, creating an account, or consciously connecting a channel (Instagram, WhatsApp Business, web chat), you acknowledge this policy. Paid plans: payment data is processed by our Merchant of Record; see our Refund & Cancellation Policy. This policy is designed to meet obligations under KVKK (Türkiye) and GDPR where applicable.

Important: Heoxify is not designed for unsolicited bulk messaging or contacting people who have not engaged with your channels. We only process messages from channels you connect or visitors who use your configured web widget.

This page also serves as the Privacy Policy URL required for Meta Platforms app review (Instagram / WhatsApp Business integrations).

2. Data Controller

Heoxa Teknoloji · Istanbul, Türkiye · Product: Heoxify (heoxify.com).

Privacy requests: info@heoxa.com, in-app support, or your registered account email.

3. Data We Collect

Category	What we collect	Why
Account	Email, name, password (stored as bcrypt hash)	Authentication and account management
Meta / Instagram connection	Facebook Page ID, Instagram Business Account ID, OAuth access token (encrypted at rest)	Receive and reply to Instagram DMs via the API
Meta / WhatsApp Business (optional add-on)	WABA ID, Phone Number ID, verified business phone, display name, Cloud API access token (encrypted)	Receive and send business WhatsApp messages in your dashboard
Conversations	Messages and metadata from Instagram, WhatsApp Business, and web chat (timestamps, thread history)	Inbox, history, lead analysis, and optional AI-assisted replies
Web chat widget	Visitor messages, session ID, widget settings, allowed domains you configure	Run embedded chat on your website
Leads	Platform user identifiers, display names, contact details shared in messages, tags and notes	CRM-style lead tracking in your workspace
Subscription & billing	Workspace ID, plan, subscription status; payments via Merchant of Record—full card numbers and CVV are not stored on Heoxify	Provision paid plans, billing, fraud prevention
Technical / logs	IP address, session token, browser type, error logs	Security, debugging, service quality

Conversation content is limited to channels you connect and domains you allow. We do not sell personal data or use message content to build advertising profiles.

4. Meta / Instagram API

Heoxify uses Meta developer permissions only for stated purposes, including:

instagram_basic – Basic profile of your connected Instagram account.
instagram_manage_messages – Receive and send Instagram DMs.
pages_show_list – List Facebook Pages you manage (for linking).
pages_manage_metadata – Webhook subscription for incoming messages.
pages_messaging – Messaging via Messenger Platform where applicable.

Tokens are stored encrypted and used only for API calls. We do not share your tokens with unrelated third parties.

Meta’s privacy policy: Meta Privacy Policy

5. WhatsApp Business Platform (Meta Cloud API)

Heoxify offers optional WhatsApp Business integration as a paid add-on. It applies only to the WhatsApp Business Account (WABA) and business phone line you consciously connect in the dashboard.

People who message you: When end users write to your business WhatsApp number, we process identifiers and message content (e.g., WhatsApp user ID, display name, message text, contact details they share) to provide the Service.

How it works: Meta delivers inbound messages via webhooks to Heoxify; you see threads in the dashboard. According to your rules, we may generate AI-assisted replies or drafts; you can pause AI or take over manually.

Access tokens: Your Meta System User token is stored encrypted and used only to send/receive messages and verify the connection. We do not access your personal WhatsApp app or phone contacts.

Disconnect: Removing the WhatsApp connection in the panel deletes related account and phone records from our systems (subject to legal retention and backup cycles).

Meta & WhatsApp rules: Use must comply with WhatsApp Business policies. Heoxify must not be used for spam, unsolicited bulk outreach, or cold marketing. Customer-care and user-initiated conversations are supported.

Transparency: We do not sell WhatsApp message content or use it for unrelated ad targeting. Sharing is limited to subprocessors needed to run the Service (e.g., hosting, OpenAI when enabled) and legal requirements.

6. Website Chat Widget

The embeddable Heoxify chat widget lets visitors message your business. Only sessions from domains you configure are accepted. We collect message content, session identifiers, and technical data needed to operate the widget.

7. Artificial Intelligence (AI)

When you enable AI features, message text may be sent to the OpenAI API to generate replies or suggestions, under OpenAI’s Privacy Policy. API terms generally prohibit using your content to train public models. You can see and manage model and prompt settings in your account.

8. Legal Bases (GDPR / KVKK Summary)

Contract: Providing the Service when you sign up and connect channels.
Legitimate interests: Security, abuse prevention, and product improvement (balanced with your rights).
Legal obligation: Tax, accounting, and valid authority requests.
Consent: Where required for optional processing (e.g., non-essential marketing).

9. Sharing and Subprocessors

We do not sell, rent, or broker personal data. We share data only with:

Meta Platforms – Instagram and WhatsApp Business API calls and webhooks for accounts you connect.
OpenAI – When AI replies are enabled, for message text processing.
Hosting / infrastructure – Contracted providers that run the Service.
Merchant of Record – Subscription payments and invoicing.
Authorities – When required by applicable law.

10. What We Do Not Do

Sell personal data or share it with ad networks for profiling.
Access Instagram, WhatsApp, or other accounts you have not connected.
Send unsolicited bulk messages or spam campaigns.
Use your message content to train general AI models outside applicable API terms.

11. Retention

Account data: While your account is active; up to 90 days after deletion request.
Conversations: Default 12 months (Instagram, WhatsApp, web chat); earlier deletion via panel or request.
Access tokens: Removed when you disconnect a channel or the token expires.
Logs: Up to 90 days for security and debugging.
Legal retention: As required by tax and applicable law.

12. Security

Access tokens encrypted at rest (e.g., AES-256).
Passwords stored as bcrypt hashes, not plain text.
HTTPS/TLS for data in transit.
Server-side session management with periodic renewal.
Database access limited to authorized technical staff.

No system is 100% secure. If you suspect a vulnerability, contact us promptly.

13. Your Rights

Depending on your location, you may have rights to access, rectify, erase, restrict, port, or object to processing, and to object to solely automated decisions. Contact info@heoxa.com or in-app support. We respond within 30 days where KVKK/GDPR apply. You may also complain to your supervisory authority.

14. Cookies and Sessions

The Heoxify web panel uses a session cookie for login state only—not for third-party advertising or tracking. Marketing/analytics cookies are not used on the panel for profiling.

15. Children

The Service is for businesses and is not directed at anyone under 18. We do not knowingly collect data from children. If you believe we have, contact us and we will delete it promptly.

16. International Transfers

Data may be processed in Türkiye, the EEA, the United States, or other regions where our providers operate. Transfers outside the EEA use appropriate safeguards (e.g., Standard Contractual Clauses) where required.

17. Changes

We may update this policy. Material changes will be announced via the dashboard and/or email. The date at the top shows the latest version. Continued use after changes means you accept the updated policy.

18. Contact

Email: info@heoxa.com
In-app support
Your registered account email

Heoxa Teknoloji · Istanbul, Türkiye · heoxify.com

Response time: 30 days for privacy requests.

Gizlilik Politikası (Türkçe) · Terms of Use · Refunds