Privacy Policy

Last updated: July 23, 2025

Please also review our Terms of Service, which govern your use of the Sponge AI platform.

This Privacy Policy explains how QDIGITAL (doing business as “Sponge AI”) (“Company,” “we,” “us,” or “our”) collects, uses, shares, and protects personal data when you interact with our conversational chatbot services provided through Facebook Messenger, Instagram Direct, WhatsApp and any other Meta-integrated messaging channels we support (collectively, the “Service”). It also covers data transmitted from those channels to our backend systems, where messages may be processed by third-party AI model providers (currently Anthropic Claude and Google Gemini) to generate automated responses.

By using the Service, you acknowledge that your messages and related information will be transmitted to and processed by us and our service providers in accordance with this Privacy Policy and applicable law. If you do not agree, please do not use the Service.

1. Interpretation and Definitions

The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.

1.1 Interpretation

Words whose initial letter is capitalised have meanings defined below. The same meaning applies whether the terms appear in singular or plural form.

1.2 Definitions

Term	Meaning
Account	A unique profile that allows you to access or interact with the Service.
AI Processor	A third‑party large‑language‑model provider—currently Anthropic PBC (“Claude”) and Google LLC (“Gemini”)—that processes Message Content on our behalf to generate automated replies.
Application / Bot	The “Sponge AI” chatbot software we provide through Messenger, WhatsApp, Instagram (and any other Meta channel we add).
Company	QDIGITAL, doing business as “Sponge AI,” located at Kazakhstan, Aktau, microregion 12, building 56, office 60.
Country	Kazakhstan (where the Company is registered).
Device	Any hardware that can send or receive messages via the Service, such as a smartphone or computer.
Message Content	Text, images, voice notes, documents, links, stickers, or other files you send to or receive from the Bot, plus any metadata supplied by Meta (e.g., sender ID, timestamps).
Personal Data	Any information that relates to an identified or identifiable individual, including Message Content when it can be linked to a user.
Processing / Processed	Any operation performed on Personal Data, such as collection, transmission, storage, analysis, or deletion.
Service	The chatbot functionality, related APIs, and backend infrastructure offered by the Company.
Service Provider	A natural or legal person who processes Personal Data on behalf of the Company (e.g., hosting vendors, AI Processors).
Usage Data	Technical information automatically collected when you interact with the Service (e.g., IP address, device type, error logs).
User (“you”)	An individual or legal entity accessing or using the Service.

2. Collecting and Using Your Personal Data

2.1 Categories of Personal Data We Collect

Category	What it includes	Typical Source
Message Content	Text, images, voice notes, documents, links, stickers, and other files you exchange with the Bot, plus message‑level metadata supplied by Meta (sender ID, timestamps, delivery status).	You, when you chat with the Bot.
Profile Information	Your public profile name, username, profile photo, and unique user ID provided by Facebook, Instagram, or WhatsApp.	Meta Platforms, when you interact with our Bot.
Contact Information	E‑mail address or phone number, if you provide it inside the chat or via a connected web form.	You.
Technical & Usage Data	IP address, device type, operating system, browser or app version, error logs, and interaction metrics (e.g., number of messages, response times).	Automatically collected by our servers and analytics tools.
Support & Feedback	Any details you include when you contact us for help or send feedback surveys.	You.
Sensitive data	We do not intentionally collect special categories of data (e.g., health, biometrics, political views). Please avoid sending such information in your messages. If we discover it, we will delete it unless we have a lawful reason to retain it (see Section 5).

2.2 How We Collect Personal Data

Directly from you. When you send messages or files to the Bot.
Automatically. Through server logs and Meta Webhooks that deliver incoming messages.
From Meta. Profile Information is supplied under the Meta Graph API when you start or continue a chat.
From third‑party integrations. If you link the Bot to another service (e.g., a CRM), we may receive identifiers or tags that allow us to route conversations.

2.3 Why We Process Your Personal Data

Purpose	Legal Ground*	Data Used
Provide the Service – receive your messages, forward them to AI Processors, generate and deliver replies.	Contract performance / Legitimate interest	Message Content, Profile Information, Technical Data
Improve and secure the Service – debug errors, train safer models, detect spam or abuse.	Legitimate interest	Message Content (anonymised), Technical Data
Communicate with you – send service updates, respond to support tickets.	Contract performance / Legitimate interest	Contact Information, Message Content
Legal compliance – keep records required by law, respond to lawful requests.	Legal obligation	Any relevant category
Business continuity – backups, disaster recovery, corporate transactions.	Legitimate interest	Any relevant category

* Detailed regional bases (GDPR, CCPA, Kazakhstan Law No. 94‑V) appear in Section 4 – Legal Basis.

2.4 AI Processors

When you send a message, our backend creates an encrypted prompt that may include preceding chat history needed for context. This prompt is transmitted via TLS to:

Anthropic PBC (“Claude”) (United States)
Google LLC – Google Gemini API (United States / EU data‑center selected by the account region)

Both providers act as Service Providers / Processors under data‑protection law. They store prompts and responses only for the time needed to generate the reply and to comply with their own security and abuse‑monitoring policies; they do not use your data to train public models. We have executed data‑processing agreements and Standard Contractual Clauses with each provider.

2.5 Data Retention Preview

Data type	Standard retention	Deletion triggers
Message Content	30 days	User e‑mails a deletion request
Anonymised logs & metrics	90 days	End of analytics cycle
Support tickets	Until resolved + 12 months	Ticket closure
Backups	90 days rolling window	Automated expiry

Full retention and deletion workflow is detailed in Section 5.

3. Sharing and Disclosure of Personal Data

We disclose Personal Data only as described in this Privacy Policy. We do not sell, lease, or rent your data to third parties for monetary consideration.

3.1 Service Providers

We engage carefully vetted Service Providers that process Personal Data strictly on our instructions and under a written data‑processing agreement. Primary categories:

Provider Type	Example Vendors	Purpose	Safeguard
AI Processors	Anthropic PBC (Claude), Google LLC (Gemini)	Generate automated replies from Message Content.	Standard Contractual Clauses (SCC) & DPAs; prompts stored only as long as needed for service quality and security.
Cloud Hosting & Runtime	Railway (primary application runtime)	Run our backend services and API endpoints.	Network isolation; encrypted connections; Role‑Based Access Control (RBAC).
Object & Media Storage	Google Cloud Storage, Cloudinary	Secure storage of message attachments, images, voice notes.	Data encrypted in transit and at rest; signed URLs for private assets.

All Service Providers are bound to:

(a) process data only on our behalf;
(b) implement appropriate technical and organisational security measures;
(c) delete or return data at contract end.

3.2 Meta Platforms

When you use Messenger, Instagram (or WhatsApp, if applicable), Message Content and Profile Information necessarily transit Meta servers under Meta’s own privacy policies. We receive that data via the Graph API, and Meta continues to process it independently as a separate controller.

3.3 Business Transfers

We may share or transfer Personal Data in connection with an actual or proposed merger, acquisition, asset sale, financing, or other corporate transaction. In such cases, the recipient will be bound by confidentiality obligations and this Privacy Policy or a materially similar one.

3.4 Legal and Regulatory Disclosures

We may disclose Personal Data if we believe in good faith that such action is necessary to:

comply with a legal obligation, court order, or governmental request;
protect and defend our rights or property;
prevent or investigate wrongdoing related to the Service;
protect the personal safety of Users or the public; or
protect against legal liability.

3.5 Affiliates

We may share Personal Data with any parent company, subsidiaries, or other entities under common control with us. All such affiliates are required to honor this Privacy Policy.

3.6 Public or Community Features

If the Bot offers group‑chat, public channels, or community features, any Personal Data you post there becomes visible to other participants by design. Think carefully before sharing information in a public or semi‑public context.

3.7 With Your Consent

Beyond the instances above, we will share Personal Data only when you give us explicit consent for a specific purpose (for example, connecting the Bot to a third‑party CRM you choose).

4. Legal Bases for Processing Personal Data

We process Personal Data only when we have a valid legal basis. Because users may reside in different jurisdictions, multiple bases can apply simultaneously.

4.1 European Economic Area & United Kingdom – GDPR

Purpose (see Section 2.3)	GDPR Legal Basis
Provide and operate the Service, including AI‑generated responses	Art. 6 (1)(b) – contract performance
Improve and secure the Service (debugging, analytics, spam prevention)	Art. 6 (1)(f) – legitimate interests (business operation & security)
Communicate with you about updates or support	(b) contract performance or (f) legitimate interests
Marketing e‑mails about new features (optional)	Art. 6 (1)(a) – consent (you may withdraw at any time)
Compliance with legal obligations	Art. 6 (1)(c)

International transfers. Where data is transferred outside the EEA/UK (e.g., to Anthropic or Google in the USA), we rely on Standard Contractual Clauses plus technical safeguards (encryption, access controls).

4.2 California – CCPA / CPRA

We act as a “Service Provider.”

We do not “sell” or “share” personal information as those terms are defined in the CPRA.

California residents have rights to know, access, delete, correct, and opt out of sale/sharing; see Section 7 for how to exercise them.

4.3 Kazakhstan – Law No. 94‑V “On Personal Data”

We collect Personal Data only with your clear consent (beginning a chat) or to perform a contract you initiate.

Data may be transferred to countries that provide adequate protection or under agreements ensuring comparable safeguards.

You have the right to access, correct, and request deletion of your Personal Data.

4.4 Other Jurisdictions

If local law requires us to obtain consent or follow additional rules, we will comply with those requirements and, where necessary, update this Privacy Policy.

5. Retention and Deletion of Personal Data — 12‑Month Policy

5.1 Retention Schedule

Data Category	Standard Retention Period	Rationale
Message Content (text, images, audio, documents)	12 months (365 days) from the date of receipt	Many customers return months later; a one‑year window lets us resume context, resolve long‑running disputes, and supply audit history if regulators or Meta request it.
Anonymised Analytics & Error Logs	180 days	Trend analysis and model‑safety tuning; data is anonymised, so shorter retention is acceptable.
Support & Feedback Tickets	Until request is resolved + 12 months	Maintains audit trail for recurring issues.
Account / Contact Information	Active account lifespan + 12 months idle time, unless you request earlier deletion.
Encrypted Back‑ups	Rolling 365‑day snapshot window	Ensures disaster recovery while aligning with the new primary retention window.

We will keep data longer only if (i) law requires, (ii) a dispute or investigation is in progress, or (iii) Meta expressly mandates extended logs.

5.2 Deletion Workflow

Method	Action Steps	Completion Time
E‑mail Request	1 ) Write to coobek@sponge.chat from the address linked to your account (or include your Messenger / Instagram user ID). 2 ) We verify your identity. 3 ) We erase your Message Content, Profile Information, and other Personal Data from live databases within 24 hours, and flag the data in backups for purge at the next scheduled deletion cycle.	Acknowledgement ≤ 48 h; live erase ≤ 24 h; backups ≤ 365 days.

After processing, we trigger Meta’s User‑Data‑Deletion callback so your Messenger/Instagram account reflects completion.

5.3 Backup Integrity

Backups are AES‑256–encrypted and stored in a restricted Google Cloud Storage bucket. They are never used for analytics or model training. Once the 365‑day life‑cycle expires, each snapshot is automatically and irreversibly deleted.

5.4 Data Minimisation

We review stored datasets at least annually. If data is no longer required for purposes in Section 2, or retention exceeds the periods above, it is deleted or irreversibly anonymised.

6. Security of Personal Data

We take data security seriously and apply technical, organisational, and contractual safeguards designed to protect Personal Data from unauthorised access, alteration, disclosure, or destruction. While no Internet service can guarantee absolute security, the controls below follow industry standards such as ISO 27001, NIST SP‑800‑53, and OWASP ASVS.

6.1 Technical Safeguards

Control	Implementation
Encryption in transit	All client connections use TLS 1.2+ (HTTPS / WSS). Webhooks from Meta and calls to Anthropic Claude or Google Gemini are likewise encrypted end‑to‑end.
Encryption at rest	PostgreSQL and Redis volumes on Railway are encrypted with AES‑256. Objects stored in Google Cloud Storage and Cloudinary are encrypted server‑side (AES‑256) and exposed through signed URLs only. Backup snapshots inherit the same encryption keys and are stored in a separate GCS bucket with bucket‑level + object‑level encryption policies.
Network isolation	Production services run in private VPCs; inbound traffic is limited to load balancers and Meta webhook IP ranges.
Secrets management	API keys and database passwords are stored in Railway’s encrypted secrets manager; they never appear in code or logs.
Access controls	Role‑Based Access Control (RBAC) restricts database and object‑store access to a small operations group. All privileged accounts require Multi‑Factor Authentication (MFA).
Logging & monitoring	Centralised logs stream to GCP Logging with 30‑day retention and real‑time alerting for anomalous patterns (e.g., brute‑force attempts, excessive API errors).
Rate‑limiting & WAF	A Web Application Firewall in front of the Railway deployment blocks common attack vectors (injection, XSS) and rate‑limits excessive requests.
Dependency scanning & patching	Automatic Dependabot/Snyk scans plus monthly patch windows ensure third‑party libraries and OS packages stay current.

6.2 Organisational Safeguards

Security policy & training. All personnel must review and sign our Information‑Security Policy and complete annual security‑awareness training.
Least‑privilege principle. Access is provisioned only when needed for a role and removed when no longer required.
Background checks. Employees and contractors with production access undergo pre‑employment screening, subject to local law.
Vendor due diligence. We evaluate each Service Provider’s security posture and execute Data‑Processing Agreements that obligate them to comparable safeguards.

6.3 Incident Response

We maintain an Incident‑Response Plan that includes:

Detection & validation. 24×7 alerting on security events.
Containment. Immediate credential rotation or network isolation if compromise is suspected.
Eradication & recovery. Patch vulnerabilities, restore clean backups, and verify service integrity.
Notification. If a breach involves Personal Data, we will notify affected users and regulators (where required) within the timelines set by applicable law (e.g., 72 hours under GDPR).
Post‑mortem. Root‑cause analysis and corrective‑action tracking.

6.4 User Responsibilities

Security is a shared responsibility. To help protect your data:

Do not include highly sensitive information (e.g., credit‑card numbers, health records) in chat messages.
Use strong, unique passwords for any linked accounts and keep your devices secure.
Report suspected vulnerabilities or incidents to coobek@sponge.chat.

6.5 Limitations

Although we employ safeguards that meet or exceed industry standards, no method of transmission over the Internet or method of electronic storage is 100 % secure. We therefore cannot guarantee absolute security and disclaim liability for breaches beyond our reasonable control.

7. Your Rights and Choices

We respect your privacy rights, which may vary by jurisdiction. You can exercise any right by e‑mailing coobek@sponge.chat. We will verify your identity and respond without undue delay, and in any event within 30 days (or the period required by local law).

Right	Available to	Scope & How we comply
Access / Know	GDPR Art. 15; CCPA §1798.110; KZ Art. 12	Receive a copy of the Personal Data we hold about you.
Correction / Rectification	GDPR 16; CCPA §1798.106; KZ 12	Request that inaccurate or incomplete data be corrected.
Deletion / Erasure	GDPR 17; CCPA §1798.105; KZ 12	We will erase Personal Data unless we must keep it for legal reasons.
Portability	GDPR 20	Obtain your data in a structured, machine‑readable format (JSON) and transmit it to another controller at your request, where technically feasible.
Restriction of Processing	GDPR 18	Temporarily block processing while we verify accuracy, objection, or legal claims.
Objection	GDPR 21	Object to processing based on legitimate interest; we will cease unless we have compelling grounds.
Withdraw Consent	GDPR 7 (3); KZ 12	If processing relies on consent (e.g., marketing e‑mails), you may withdraw it at any time.
Opt‑Out of Sale/Share	CCPA/CPRA §1798.120 & §1798.115	We do not sell or share Personal Data, but California residents retain this right.
Complaint to Regulator	GDPR 77; KZ Art. 25	Contact your supervisory authority (e.g., EU Data Protection Authority, Kazakhstan’s Ministry of Digital Development).

Fees. We do not charge a fee unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse.
Proof of identity. For security, we may ask for identifying information (e.g., your Meta user ID or a code sent to your registered e‑mail).

8. Children’s Privacy

The Service is not directed to children under 13 (or the age defined by local law for requiring parental consent, 16 in parts of the EU). We do not knowingly collect Personal Data from children.

If you are a parent or guardian and believe your child has provided Personal Data, please e‑mail coobek@sponge.chat.

Upon verified notice, we will delete the child’s data and terminate the account.

If we ever need to rely on consent as a legal basis for processing Personal Data of a child, we will obtain parental consent first.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time.

Notification. We will post the revised policy on this page and update the “Last updated” date. If changes are material, we will also notify you via a prominent banner in the chatbot or by e‑mail (if on file) at least 7 days before they take effect.
Review. Continued use of the Service after the effective date constitutes acceptance of the revised policy.
Archival. Previous versions will remain accessible on request for at least one year.

10. Contact Information

Controller / Operator
QDIGITAL (d/b/a “Sponge AI”)
Registered address: Kazakhstan, Aktau, microregion 12, building 56, office 60
E‑mail (general & privacy): coobek@sponge.chat

If you have questions, concerns, or complaints about this Privacy Policy or our data practices, please e‑mail us. We will endeavour to resolve any issue promptly, and you may also contact your local data‑protection authority if you are unsatisfied.