Privacy Policy

Pilother — Customer support platform for e-commerce

Last updated: 9 May 2026 · Effective date: 9 May 2026

1. Who we are

Pilother ("we", "our", "us") is a SaaS customer-support platform operated by Pilother Teknoloji A.Ş. We help e-commerce merchants (our "Customers") manage messages, comments and orders coming from channels such as Instagram, WhatsApp, email, SMS and live chat — in a single inbox with optional AI-assisted replies.

This policy describes how we collect, use and protect personal data both for (a) the merchant who signs up for Pilother and (b) the end-customers ("Users") who message, comment on, or otherwise contact the merchant through one of the connected channels.

2. Data we collect from Meta platforms (Instagram & WhatsApp)

When a merchant connects their Instagram Business or WhatsApp Business account, we access only the data needed to deliver the support functionality the merchant has enabled:

| Data point | Source permission | Why we need it | Retention |
|---|---|---|---|
| Instagram username, profile picture, account ID | instagram_business_basic | Identify which IG account is connected to the merchant workspace. | Until account disconnect |
| Direct messages, sender name & ID, attachment URLs | instagram_business_manage_messages | Display messages in the unified inbox; allow merchant to reply. | Up to 24 months or until merchant deletes |
| Post comments, commenter name & ID, parent media ID | instagram_business_manage_comments | Moderate, hide, reply to comments from the panel. | Up to 24 months or until merchant deletes |
| Media (photos, videos, captions) when the merchant publishes content from our panel | instagram_business_content_publish | Publish merchant-authored posts and stories on their behalf. | Stored for 30 days after publish for audit, then deleted |
| Aggregate insights: reach, impressions, engagement, profile visits | instagram_business_manage_insights | Show analytics in the merchant's reports dashboard. | Aggregated per day; raw values discarded after 90 days |
| WhatsApp messages, phone number, sender display name | WhatsApp Cloud API (Meta) | Display in inbox; merchant can reply via Cloud API. | Up to 24 months or until merchant deletes |

We do not request, store, or process: financial data, government IDs, biometric data, location data, friend lists, or contact lists from Meta platforms.

3. How we use the data

We do not sell, rent or trade personal data. We do not use Meta platform data for advertising, profile-building, or any purpose outside the merchant's customer-support workflow.

4. Sub-processors

We use the following sub-processors. Each is bound by a Data Processing Agreement (DPA):

| Provider | Purpose | Region |
|---|---|---|
| Supabase | Database, authentication, file storage | EU (Frankfurt) |
| Vercel | Application hosting, serverless functions | Global edge |
| OpenAI | AI reply generation (zero-retention) | USA |
| Meta Platforms | Instagram & WhatsApp APIs | USA / EU |

5. Token storage & security

Instagram and WhatsApp access tokens are stored in our Supabase database in tenant-scoped rows. The database is hosted in the EU, encrypted at rest (AES-256), and accessed only by our backend over TLS 1.2+. Row-Level Security policies ensure each merchant tenant can only read its own tokens.

We rotate tokens automatically using long-lived token exchange. Tokens are revoked immediately when a merchant disconnects an integration or deletes their workspace.

6. Data retention

Default retention windows are listed in section 2. A merchant may set shorter retention from their workspace settings. End-of-life: when a merchant cancels their subscription, all data is deleted within 30 days (90 days for backups), unless we are legally required to retain it longer (e.g. tax law, fraud investigation).

7. Your rights & data deletion

Under GDPR (EU), KVKK (Türkiye) and similar laws, you have the right to access, correct, export and delete your personal data. Three ways to exercise these rights:

For end-users (people who messaged a merchant via Instagram/WhatsApp)

For merchants (Pilother account holders)

Data Deletion Callback URL (for Meta)

Meta sends an automated POST to https://lobbe-support.vercel.app/api/data-deletion when a user revokes our app. We verify the signed request, delete all stored Instagram data linked to that user ID, and return a confirmation URL where the user can verify the deletion.

8. Children's privacy

Pilother is a B2B platform; we do not knowingly collect data from anyone under 13. If a merchant operates a consumer brand whose end-users include minors, the merchant is responsible for parental-consent compliance in their jurisdiction.

9. International data transfers

Personal data is primarily stored in the EU. When data is transferred to non-EU sub-processors (e.g. OpenAI, Meta), we rely on Standard Contractual Clauses (EU SCCs) and supplementary measures to protect the data.

10. Changes to this policy

We update this policy from time to time. Material changes are notified to merchants by email at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the current version.

11. Contact

Privacy questions, complaints or data-rights requests: privacy@pilother.com

General contact: info@pilother.com
