Privacy Policy

Effective Date: May 22, 2026

1. Introduction

Doms DMs AI ('Company,' 'we,' 'us,' or 'our') provides a messaging management and conversation workflow software platform (the 'Service'). The Service assists businesses in managing inbound communications and routing conversations within supported third-party messaging platforms in accordance with applicable platform policies.

This Privacy Policy describes how we collect, use, disclose, store, and protect Personal Information when you access or use our website, applications, APIs, and related services.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy.

2. Definitions

Personal Information

Personal Information means information about an identifiable individual as defined under applicable Canadian privacy laws, including the Personal Information Protection and Electronic Documents Act (PIPEDA).

User

User means any individual or entity that accesses or uses the Service.

Customer Data

Customer Data means data uploaded to, transmitted through, or processed within the Service by Users, including messaging content and social platform data authorized by the User.

3. Information We Collect

We collect the following categories of information from Users and their connected platforms.

3.1 Information Provided by Users

We may collect the following information directly from Users:

  • Full legal name
  • Business name
  • Email address
  • Telephone number
  • Billing address
  • Payment information (processed by third-party payment providers)
  • Account login credentials
  • Social media account identifiers authorized by the User

3.2 Automatically Collected Information

We may automatically collect technical and usage data while the Service is in use:

  • IP address
  • Device identifiers
  • Browser type
  • Usage data
  • Log files
  • Cookie identifiers

3.3 Information from Third-Party Integrations

When Users connect third-party platforms such as Meta (including Facebook and Instagram), we may receive:

  • Business account identifiers
  • Messaging metadata
  • Page or account data authorized by the User

We collect only the minimum data necessary to provide messaging management and conversation workflow functionality.

4. Purpose of Collection

We collect and process Personal Information solely for legitimate business purposes, including:

  • Providing and maintaining the Service
  • Facilitating inbound communication routing and conversation management
  • Processing subscription payments
  • Providing customer support
  • Monitoring and improving platform performance
  • Complying with legal obligations
  • Detecting and preventing fraud or misuse

We do not sell, rent, or trade Personal Information.

We do not use Meta Platform data for independent profiling, advertising, or purposes unrelated to the User’s authorized account.

5. Legal Basis

We collect, use, and disclose Personal Information with consent or as otherwise permitted under applicable Canadian privacy laws.

6. Data Sharing

We may disclose Personal Information to the following parties when necessary to provide the Service:

  • Payment processors
  • Cloud hosting providers
  • Infrastructure and security providers
  • Analytics providers
  • Contractors bound by confidentiality obligations

We may also disclose information where required by law, regulation, or court order.

7. Data Retention

We retain Personal Information only as long as necessary to:

  • Fulfill contractual obligations
  • Comply with legal requirements
  • Resolve disputes
  • Enforce agreements

7.1 Platform Data Retention

Data obtained through Meta Platform APIs ('Platform Data') is retained according to the following schedule:

  • Access tokens and refresh tokens: deleted within 7 days of integration disconnect, workspace deletion, or receipt of a Meta deauthorization callback
  • Message content and conversation history: deleted within 90 days of workspace deletion, or immediately upon receipt of a Meta data-deletion callback
  • User identifiers (PSIDs, IGSIDs, Page IDs) and profile metadata: deleted alongside the conversations they relate to
  • Audit logs referencing Platform Data: retained for up to 12 months for security and abuse-prevention purposes, then deleted

Users may request deletion of their account and associated Personal Information by contacting support@domsdms.ai, subject to legal retention requirements. Meta-initiated data-deletion requests are processed automatically and a confirmation code is returned for verification.

8. Data Security

We implement administrative, technical, and physical safeguards consistent with industry standards, including:

  • Role-based access controls limiting Platform Data access to authorized personnel
  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of Personal Information and Platform Data at rest using AES-256 in our managed Postgres database
  • Meta access tokens stored in encrypted form and rotated via long-lived token refresh
  • Inbound webhook payloads verified with HMAC-SHA256 signatures against the Meta App Secret before processing
  • Secure hosting environments operated in SOC 2 Type II–certified data centers
  • Audit logging of administrative and Platform Data access events
  • Multi-factor authentication for administrative access

While we take commercially reasonable measures to protect Personal Information, no system is entirely secure.

9. Subprocessors

We engage the following Subprocessors to operate the Service. Each Subprocessor is contractually bound to confidentiality and security obligations consistent with this Privacy Policy and is permitted to process Platform Data only to deliver the Service.

  • Vercel Inc. (United States) — application hosting, serverless compute, edge logging
  • Neon Inc. (United States, EU) — managed PostgreSQL database (Personal Information and Platform Data at rest)
  • Upstash Inc. (United States) — QStash message queue for asynchronous Meta API delivery
  • Google LLC (United States) — Firebase Authentication for User account sign-in (no Platform Data shared)
  • OpenAI, L.L.C. (United States) — large language model used to generate suggested replies for Users who enable AI assistance; processes message content under OpenAI's API data-processing addendum (no training on inputs)
  • Google LLC (United States) — Gemini large language model used for the same purpose under Google's commercial API terms
  • ElevenLabs Inc. (United States) — optional voice generation (no Meta Platform Data shared)
  • Amazon Web Services, Inc. (United States) — Amazon SES / SNS / S3 for transactional email, push notifications, and media storage
  • Stripe Inc. (United States) — subscription billing (no Meta Platform Data shared)

We do not share Platform Data with any party outside this Subprocessor list, and we do not sell, rent, license, or transfer Platform Data.

10. Meta Platform Data Use

When processing data obtained through Meta Platform APIs, we:

  • Respond only to user-initiated conversations
  • Operate within applicable messaging windows (24-hour standard messaging policy)
  • Do not initiate unsolicited bulk messaging
  • Do not scrape or harvest user data
  • Use Meta data solely to provide requested messaging management services
  • Do not use Meta Platform data for profiling, advertising, or any purpose unrelated to the User's authorized account
  • Honor Meta's deauthorization and data-deletion callback requests automatically

Meta data-deletion requests are received at https://www.domsdms.ai/api/v1/integrations/instagram/data-delete and acknowledged with a confirmation code. Deauthorization callbacks are received at https://www.domsdms.ai/api/v1/integrations/instagram/deauthorize and trigger immediate revocation of stored access tokens.

11. Children

The Service is not intended for individuals under 18 years of age. We do not knowingly collect Personal Information from minors.

12. User Rights

Subject to applicable law, Users may request:

  • Access to their Personal Information
  • Correction of inaccurate Personal Information
  • Deletion of Personal Information

13. Changes to This Policy

We reserve the right to update this Privacy Policy at any time. Changes take effect upon posting the updated version.

14. Contact

Questions or requests may be sent to Doms DMs AI via the address below:

Email:support@domsdms.ai