This Privacy Policy explains how GoAstraX ("GoAstraX", "we", "us") collects, uses, stores, shares, and protects personal information when our customers (the businesses that subscribe to GoAstraX) use the service to communicate with their own end users ("end users" or "customers" of the subscriber). We process personal information on behalf of our subscribers and also for our own legitimate business purposes, as described below.

If you are an end user interacting with a business that uses GoAstraX, that business is the controller of your personal information. You should review the business's own privacy notice for how they use your data. This policy describes our role as the service provider.

1. Scope

This policy applies to:

• Information collected through the GoAstraX web application, dashboards, APIs, and any official site we operate.
• Information collected indirectly when our subscribers connect their messaging channels (such as email inboxes, live chat widgets, or supported third-party messaging integrations) to GoAstraX.
• Information generated by the operation of the service, including AI-assisted reply drafting.

It does not apply to third-party services our subscribers integrate with — those services have their own privacy policies and platform terms, which the subscriber is responsible for complying with.

2. Information We Collect

2.1 Information you provide directly

• Account data — name, work email address, password (hashed), workspace name, role.
• Billing data — billing contact, plan tier, transaction history. Payment card numbers are processed by our payment processor and never stored on our servers.
• Configuration data — channel credentials, knowledge base documents you upload, product catalog entries, AI prompts and settings.
• Support correspondence — messages you send us when requesting help.

2.2 Conversation data (handled on our subscribers' behalf)

• The content of inbound and outbound messages, including text, attachments, voice notes, and auto-generated transcripts.
• The end user's identifier on the originating channel (such as an email address, display name, profile photo if shared by the channel, or platform-supplied user ID) and any profile attributes that the channel provider chooses to share with the connected account.
• Conversation metadata — timestamps, assignee, status, tags, read receipts, delivery status, SLA timers.

2.3 Information generated by the service

• AI processing artefacts — generated reply drafts, conversation summaries, classification labels, and short customer "memory" facts derived from prior conversations.
• Usage logs — login events, requests issued against our APIs, error traces, audit logs of admin actions.
• Device and network data — IP address, user-agent string, approximate geolocation derived from IP, language preference.

3. How We Use Information

We use the information above only for the following purposes, and only to the extent necessary for each purpose:

• To provide and operate the service — route messages to the right inbox, store conversation history, deliver outbound replies, and surface admin and reporting features.
• To generate AI-assisted replies and summaries on behalf of our subscribers. AI processing is described in section 5.
• To secure the service — detect abuse, prevent fraud, enforce rate limits, investigate incidents.
• To improve the service — diagnose bugs, monitor performance, and build aggregate, non-identifying metrics. We do not train general-purpose AI models on subscriber or end-user content.
• To communicate with subscribers — service announcements, security alerts, billing notices, and (with separate opt-in) product news.
• To comply with law — respond to lawful requests, enforce our Terms, protect rights and safety.

We collect only the information we need for these purposes, and we do not use end-user content for any purpose outside what our subscribers have configured the service to do, except where the law requires it.

4. Legal Bases (for users in jurisdictions that require them)

Where the GDPR or a similar law applies, we rely on the following legal bases:

• Contract — to provide the service to our subscriber and let them communicate with their end users.
• Legitimate interests — operating, securing, and improving the service. We balance this against your rights and will not rely on it where your interests prevail.
• Consent — for optional features (such as marketing emails). You can withdraw consent at any time.
• Legal obligation — where we are required to retain or disclose data by law.

5. AI Processing

To provide AI-assisted drafts, summaries, classification, and customer memory, message content and a limited window of conversation history may be sent to a third-party large-language-model provider that acts as our sub-processor under written agreement. We require these providers to:

• Process content only to return the requested output to us and not for any other purpose.
• Not retain the content beyond the time strictly needed to return a response, except where a short abuse-monitoring window is required by their security policy.
• Not use the content to train general-purpose AI models.

Subscribers can disable AI processing per channel; when disabled, conversation content for that channel is not sent to the AI provider.

6. Sharing & Disclosure

We do not sell personal information. We share information only:

• With sub-processors who help operate the service — cloud hosting, database operations, transactional email delivery, customer-support tooling, AI inference, error monitoring, and analytics — all under contracts that require equivalent protection. A current list is available on request.
• With the originating channel provider — to deliver outbound messages back to your end users on the channel they wrote to you on, the message necessarily flows through the channel's own infrastructure. Each channel operates under its own terms and privacy policy.
• For legal reasons — to comply with a valid court order, subpoena, or government request, or to protect the rights, safety, or property of any person.
• In a business transfer — if GoAstraX is involved in a merger, acquisition, or asset sale, your information may be transferred. We will provide notice and the receiving party will be bound by this policy.
• With your consent — for any disclosure not described above.

7. Data Retention

We retain personal information only for as long as is necessary for the purposes set out in this policy:

• Active account data — for the duration of the subscription, plus a short reasonable window after termination to handle disputes and finalize billing.
• Conversation content — retained while the subscription is active. Subscribers can delete individual conversations, contacts, or attachments at any time from the admin dashboard. End users may also exercise deletion rights via section 9.
• Logs and audit data — typically retained for 90 days, longer where required for security investigations.
• Backups — encrypted backups follow a rolling expiry schedule of no more than 30 days.

Where the law requires a shorter retention period, we apply the shorter period.

8. Security

We use industry-standard technical and organisational measures to protect personal information, including:

• TLS-encrypted transport for all data in flight.
• Encryption at rest for stored credentials and uploaded files.
• Tenant isolation in the database so one subscriber's data is never returned in another's queries.
• Role-based access controls and audit logs for staff access.
• Regular dependency updates and infrastructure patching.

No system is perfectly secure. We will notify affected subscribers without undue delay if we discover a personal data breach.

9. Your Rights

Depending on where you live, you may have the right to:

• Access the personal information we hold about you.
• Request correction of inaccurate information.
• Request deletion of your information (subject to legal retention requirements).
• Object to or restrict certain processing.
• Receive a portable copy of your information.
• Withdraw consent for processing that relies on consent.
• Lodge a complaint with your local data-protection authority.

End users should contact the business they were messaging with first, since that business is the controller of the conversation. If you are unable to reach them, contact us using the details below and we will route the request appropriately.

10. International Data Transfers

GoAstraX may process personal information in countries other than the one you live in. Where transfers from the European Economic Area, the United Kingdom, or Switzerland are involved, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, supplemented by additional technical measures where needed.

11. Children's Privacy

The service is not directed to children under 13 (or the equivalent age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have, contact us and we will delete it.

12. Changes to this Policy

We may update this policy from time to time. Material changes will be notified to subscribers by email or via the admin dashboard at least 14 days before they take effect, and the "Last updated" date above will reflect the new revision.