Privacy Policy
Last updated: April 27, 2026
1. Who we are
AAT Systems (the «Platform») is a product of AAT Systems LLC (Georgia). We provide a SaaS for automating business communications via Instagram, Facebook Messenger and WhatsApp Business.
Privacy contact: privacy@aatsyst.com
2. What data we collect
2.1. From Platform users (our customers)
- Email, name, avatar (via Meta OAuth or Google OAuth at sign-up)
- Payment data (via Paddle, our Merchant of Record — we do not store card numbers)
- Workspace settings, chosen plan, subscription history
- Refresh tokens for connected integrations (Google Sheets, Anthropic, OpenAI) — encrypted with AES-256-GCM in our database
- Action logs (for audit and support)
- Team Managers (sub-accounts): name and optional email of employees granted limited access by the workspace owner. Authentication is via a 256-bit token; we store only the SHA-256 hash and a visible prefix (
mgr_xxxx). The plain token is shown once at creation and is not recoverable afterwards. Deactivation immediately invalidates the token and all active manager sessions. - AI Managers (Claude-powered virtual assistants): the workspace owner can configure AI agents that automatically reply to subscribers in Live Chat. Each AI Manager has a system prompt (set by the owner) and a configuration (chosen Claude model, optional settings). An optional owner-supplied Anthropic API key is encrypted with AES-256-GCM in our database. During message processing: conversation text, contact name and custom fields are sent to the Anthropic Claude API; relevant snippets from the workspace Knowledge Base are included in context. Anthropic does not use these data for model training (see their Privacy Policy). Every AI Manager turn is recorded in the audit log (action:
ai_manager_turn). Opt-out: the owner may remove the AI Manager at any time or replace it with a human teammate.
2.2. From customers' subscribers (End Users in Meta terms)
When a subscriber messages your bot on IG/FB/WA, we receive from Meta:
- Page-Scoped User ID (PSID) / IG Business User ID / WhatsApp ID
- Name and avatar (if allowed by subscriber settings)
- Message contents (text, media URLs, button payloads)
- Metadata: timestamp, message type, channel
We do not request a subscriber's phone, email or address without explicit consent (via a customer-side lead form).
3. Why we use it
- Deliver messages to customers via Meta API within flows configured by our customer (data controller)
- Store conversation history to display in our customer's Live Chat
- Run AI blocks (Claude / OpenAI) to generate replies based on a knowledge base supplied by the customer
- Billing (Paddle) and usage metrics (for plan limits)
- Send system emails (sign-up confirmation, payment receipts)
We do not sell data to third parties and do not use it for advertising.
4. Who we share with
Sub-processors:
- Meta Platforms — sending messages via Graph API / Cloud API
- Anthropic / OpenAI — generating AI replies (only when the customer configured an AI Reply block); prompts are NOT used to train the models (Anthropic zero-retention API + OpenAI zero-retention). The AI Support Assistant uses prompt caching: the provider temporarily caches (up to 1 hour, auto-deleted) our internal system prompt — it contains none of your personal data; your workspace context and chat history stay outside the cache. See how this affects cost in the Terms, section 5
- Google — only if the customer connected the Google Sheets integration
- Paddle — processing payments and subscriptions (Merchant of Record; remits sales tax)
- Resend — transactional email notifications (magic links, confirmations)
- Cloudflare — DNS, DDoS protection, email routing for corporate addresses
- Vercel — application hosting (edge sites in EU/US)
- Vercel Blob — storage for media attachments (images, video, audio, PDF) that an operator or flow attaches to messages. Files are stored in public-read mode (accessible by direct URL so the Meta API can fetch and deliver them to recipients) — DO NOT upload confidential documents. Vercel Inc., region Washington D.C. (iad1)
- Neon — managed PostgreSQL (region eu-central-1 for GDPR)
- Sentry — error monitoring (no PII in logs)
5. Retention
- Messages and contacts — retained while your account exists, including during the Free Trial and after it ends even if you haven't subscribed yet (so you can subscribe and restore everything with nothing lost). Never auto-deleted. Removed only at your explicit request or on account closure (within 30 days of closure)
- OAuth tokens — while the channel is connected; deleted immediately on disconnect
- Logs and metrics — 90 days by default; the workspace owner can configure retention per category (from 7 to 365 days or «never auto-clean») in Settings → Storage for: Audit log, AI Usage Log, AI Memory, Webhook Events, Flow Runs, Scheduled Jobs, Flow Versions
- Billing history — 7 years (tax law requirement)
6. Your rights (GDPR Articles 15-22)
You have the right to:
- Access — request a copy of all data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure («right to be forgotten») — request full deletion
- Portability — receive your data in a machine-readable format (JSON)
- Object — opt out of certain types of processing
- Complaint to a data protection authority (for the EU — your local DPA; for Georgia — Personal Data Protection Service of Georgia)
Send any of these requests to privacy@aatsyst.com — we'll respond within 30 days. For deletion you can also use /data-deletion.
7. Security
- HTTPS-only traffic (TLS 1.3)
- OAuth tokens are AES-256-GCM encrypted in the database
- Webhook signatures are verified with HMAC-SHA256
- Cookies: HttpOnly, Secure, SameSite=Lax
- Production DB access only via VPN, audit log of all admin actions
- Multi-tenant isolation at the SQL query level — one workspace's data is not visible to another
8. Cookies
We only use functional cookies:
aat-session— auth token (HttpOnly)aat-theme— theme choice (light/dark)
No analytics or ad tracking. Details at /cookies.
9. Children
The Platform is not intended for children under 16. We do not knowingly collect data about such users. If we learn of any, we delete it immediately.
10. Policy changes
We notify you of material changes by email at least 30 days before they take effect. The last update date is shown at the top.