Legal

Chatbot Privacy Policy

Effective date: 21 April 2026 · Last updated: 21 April 2026 · Applies to Quiet Signals Lab chatbot integrations on Messenger and Instagram

1. Who We Are

Quiet Signals Lab ("we", "our", or "us") operates automated conversational assistants on Meta platforms — specifically Facebook Messenger and Instagram Direct Messages — on behalf of businesses that choose to use our service (collectively, the "Service"). This policy explains what personal data we collect, why we collect it, how we process it, and what rights you have.

2. Scope

This policy applies to data processed when you interact with a chatbot powered by Quiet Signals Lab through Facebook Messenger or Instagram DMs. It does not cover data collected directly by Meta Platforms or the individual businesses whose pages host the chatbot — please review their own policies for those interactions.

For data processed through quietsignalslab.com (this website), see our website privacy notice.

3. Data We Collect and Why

We process only the minimum data needed to operate and improve the Service:

Category	Examples	Purpose
Platform identifiers	Facebook Page-Scoped ID (PSID), Instagram Scoped ID (IGSID)	Identify your conversation session. These IDs are assigned by Meta and are unique per page — they do not expose your personal profile to us.
Message content	Text you send to the chatbot	Generate appropriate automated replies; classify intent using an AI language model.
Voluntarily provided contact information	Your first name, phone number (if you share these in conversation)	Personalise responses and, where applicable, arrange a follow-up with the business.
Conversation metadata	Timestamps, detected language, conversation branch / stage	Maintain context across turns; analytics and service improvement.
Inferred signals	Estimated intent category, urgency level, language preference	Route your message to the most relevant scripted response. Not used for profiling or advertising.

We do not collect payment information, government-issued IDs, passwords, or sensitive special-category data as defined by GDPR (e.g. health, ethnicity, religion).

4. Legal Basis for Processing

Where applicable law requires a legal basis, we rely on:

Legitimate interests (Art. 6(1)(f) GDPR) — operating and improving the automated messaging service in a way that is proportionate and does not override your fundamental rights.
Contract performance — where a conversation leads to arranging a service or appointment, processing is necessary to take steps at your request.
Compliance with legal obligations — retaining minimal records as required by applicable law and honouring deletion requests.

5. AI-Assisted Processing (OpenAI)

To classify your intent and generate contextually appropriate replies, the text of your messages is sent to OpenAI via its API. OpenAI processes this data as a data processor on our behalf, subject to its own privacy policy. Your messages are not used to train OpenAI's models. Under OpenAI's API Terms of Service, data submitted via the API is not used for model training by default.

6. Data Retention

Data	Storage	Retention period
Active conversation state	Redis (in-memory)	24 hours from last activity, then automatically deleted
Conversation analytics records	PostgreSQL database	Until you request deletion or we cease operating the relevant page
Scheduled follow-up tasks	Redis	Automatically removed once sent or cancelled (typically within 72 hours)

7. Data Sharing and Disclosure

We share data only as described below:

OpenAI — AI intent classification and response generation (see Section 5).
Meta Platforms — we call Meta's Send API to deliver replies to your Messenger / Instagram conversation. Meta operates as an independent controller for that data.
Businesses using the Service — the business whose page you contacted may receive a summary of your conversation (e.g. your name, phone number, and stated interest) to follow up with you. This is disclosed contextually in the conversation.
Infrastructure providers — hosting, database, and caching services (e.g. Railway, managed Redis and Postgres). These providers are contractually bound to protect your data.
Legal requirements — we may disclose data where required by law, court order, or to protect rights, property, or safety.

We do not sell your personal data or share it with advertisers.

8. Security

We implement appropriate technical and organisational measures to protect your data, including:

HMAC-SHA256 verification of all incoming webhook requests from Meta.
Encrypted data in transit (TLS/HTTPS) for all API communications.
Access-controlled infrastructure; no public read access to databases.
Minimal data collection and short retention periods by design.

No method of electronic transmission is 100% secure. If we become aware of a breach that affects your rights, we will notify relevant authorities and affected parties as required by law.

9. Your Rights

Under the GDPR you have the right to:

Access — request a copy of the data we hold about you.
Rectification — ask us to correct inaccurate data.
Erasure — request deletion of your personal data.
Restriction — ask us to limit how we process your data in certain circumstances.
Objection — object to processing based on legitimate interests.
Portability — receive your data in a structured, machine-readable format where technically feasible.

To exercise any right, email hello@quietsignalslab.com with the subject line "Privacy Request". Requests are handled within 30 days.

10. Meta Data Deletion Callback

As required by Meta's Platform Terms, we implement a Data Deletion Callback endpoint. When you revoke permissions for the app via Facebook's settings, Meta will notify us and we will delete all conversation state associated with your user ID within 24 hours.

You can also request manual deletion at any time by emailing hello@quietsignalslab.com.

11. Cookies and Tracking

The chatbot itself does not set cookies or use tracking pixels. Any cookies present in your Meta Messenger or Instagram interface are governed by Meta's own cookie policy.

12. Children's Privacy

The Service is not directed at children under 13 (or the relevant minimum age in your jurisdiction). We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

13. International Data Transfers

Our infrastructure and sub-processors may be located outside your country of residence. Where data is transferred to countries not recognised as providing adequate protection by relevant data protection authorities, we ensure appropriate safeguards are in place (e.g. Standard Contractual Clauses for EU data).

14. Changes to This Policy

We may update this policy from time to time. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be communicated via the chat interface or other appropriate means.

15. Contact and Complaints

For any privacy-related questions or requests:

Quiet Signals Lab — Alexander Hepburn
KvK: 99556650 · VAT: NL005394204B58
Amsterdam, Netherlands
hello@quietsignalslab.com

If you are located in the European Economic Area and believe we have not addressed your concern satisfactorily, you have the right to lodge a complaint with the Dutch supervisory authority: Autoriteit Persoonsgegevens.