Legal

Privacy Policy

Last updated: May 14, 2026

1. Who we are

InvoxLab is a multi-tenant Software-as-a-Service platform that provides eCommerce merchants in Latin America with a unified inbox for their messaging channels, including WhatsApp Cloud API, Instagram Direct, and TikTok Business Messaging. This Privacy Policy explains how we collect, use, store, and protect personal information.

This policy applies to two groups of people: (a) merchants who operate accounts on InvoxLab to run their customer service, and (b) end customers of those merchants whose messages and contact details are processed through the platform on the merchant's behalf.

2. Information we collect

2.1 Merchant account data

• Name, email address, phone number of the account owner and team members.
• Company name, country, billing details.
• Authentication credentials and OAuth tokens for connected messaging and commerce platforms.

2.2 End-customer data processed on behalf of merchants

• Phone numbers, social handles, and profile information made available by WhatsApp, Instagram and TikTok APIs.
• Message content (text, images, audio, video, stickers, shared posts) exchanged between the merchant and their customers through connected channels.
• Conversation metadata: timestamps, delivery and read states, message identifiers.
• eCommerce context the merchant chooses to sync, such as order history from WooCommerce.

2.3 Technical data

• IP addresses, browser fingerprints, device data, and access logs for security and abuse prevention.
• Aggregate usage analytics to operate and improve the service.

3. How we use information

• To deliver the core service: routing inbound and outbound messages, syncing conversations, and presenting them in the merchant's workspace.
• To authenticate users and protect accounts from unauthorized access.
• To comply with the policies and technical requirements of the underlying platforms (Meta, TikTok) and applicable law.
• To provide customer support to merchants who contact us.
• To improve product reliability, fix bugs, and detect abuse.

We do not use end-customer message content to train generic third-party AI models. When a merchant opts in to our AI auto-responder, the content is processed only to generate replies for that merchant's tenant.

4. TikTok user data

When a merchant connects their TikTok Business Account via OAuth, InvoxLab acts as a data processor on behalf of that merchant. We:

• Store the encrypted access and refresh tokens scoped to that merchant tenant.
• Ingest direct messages and account configuration via TikTok's Business Messaging webhooks and APIs.
• Send replies through the TikTok send endpoint strictly within the 24-hour customer-initiated window.
• Never send unsolicited or promotional outbound messages.
• Never resell, share, or expose TikTok user data outside the merchant tenant who owns the conversation.

5. Meta (WhatsApp and Instagram) user data

InvoxLab uses the WhatsApp Cloud API and Instagram Graph API under each merchant's own Meta Business Account. All Meta user data is processed in accordance with Meta's Platform Terms and Developer Policies, and is isolated per tenant.

6. Sharing of information

We do not sell personal information. We share data only with:

• Infrastructure providers (cloud hosting, database, email delivery) bound by data-processing agreements.
• Platform providers (Meta, TikTok, WooCommerce, payment processors) strictly as needed to deliver the requested integration.
• Legal authorities when required by valid legal process.

7. Data isolation and security

• The platform enforces strict per-tenant isolation: queries are scoped by company at the application layer, and access is denied across tenants.
• OAuth tokens and sensitive credentials are encrypted at rest.
• All traffic is encrypted in transit via TLS.
• Access to production systems is limited, logged, and authenticated.

8. Retention

We retain merchant account data while the account is active. End-customer conversation data is retained for as long as the merchant needs it for legitimate customer service. Merchants may delete data at any time from their workspace, and end customers may request deletion through the merchant or directly to us, as described below.

9. Your rights

Depending on the jurisdiction, individuals may have the right to access, correct, port, restrict the processing of, or delete their personal data. To exercise these rights, contact us at support@invoxlab.app or follow the data deletion process.

10. International transfers

InvoxLab operates globally and may transfer data across borders, including to the United States and the European Union, using safeguards such as standard contractual clauses where applicable.

11. Children

The service is not directed to children under 13 (or the applicable minimum age in the user's jurisdiction). We do not knowingly collect personal data from children.

12. Changes

We may update this policy. Material changes will be announced in the application or by email to account owners.

13. Contact

Questions about this policy or about how your data is handled: support@invoxlab.app.