Privacy Policy

1. Who we are

Suki App (“Suki”, “we”, “us”) is a software service that enables small businesses to run automated order-taking bots on Facebook Messenger. Our platform is accessible at https://suki-app.com.

We act as a data processor on behalf of our business clients (the “Merchants”), who are the data controllers for their own customers’ information.

2. What data we collect

From Merchants (dashboard users)

• Business name, email address, and password (hashed with bcrypt)
• Facebook Page ID and Page Access Token (obtained via Facebook OAuth)
• Business configuration: operating hours, timezone, menu items, prices
• Billing status (whether a paid plan is active; no card data is stored — payments are processed by PayMongo)

From end customers (Messenger users)

• Facebook Page-Scoped ID (PSID) — a non-reversible identifier assigned by Facebook per Page
• Display name as provided by Facebook Messenger
• Order history: items, quantities, prices, timestamps, and delivery notes
• Conversation state (temporary, used only to track order flow)

3. How we use data

• To operate the Messenger bot and fulfil orders on behalf of the Merchant
• To send automated re-order reminders (only when the customer has ordered the same item 3+ times)
• To generate weekly order summary emails sent to the Merchant
• To authenticate Merchant dashboard sessions
• To process subscription payments via PayMongo

We do not sell, rent, or share personal data with third parties for advertising or marketing purposes.

4. Facebook Platform data

Suki uses the Meta Messenger Platform API to send and receive messages on behalf of Merchants. By connecting a Facebook Page, the Merchant grants Suki access to the pages_messaging permission, which allows the bot to read messages sent to that Page and reply to them.

We comply with the Meta Platform Terms and the Messenger Platform Policy. Data obtained from the Meta Platform is used solely to provide the service and is not transferred to unrelated third parties.

End customers may interact with the bot through the Merchant’s Facebook Page. Any personal data collected in those conversations is processed under the Merchant’s responsibility as data controller.

5. Data storage & security

• All data is stored in a PostgreSQL database on a private VPS (Hostinger, Ubuntu 24.04)
• All traffic is encrypted via HTTPS/TLS (Let’s Encrypt)
• Passwords are hashed using bcrypt (cost factor 12)
• API authentication uses short-lived JWTs (15 min) plus httpOnly refresh cookies
• Facebook webhook payloads are verified using HMAC-SHA256 signature validation

6. Data retention

Order and customer data is retained as long as the Merchant account is active. Merchants may request deletion of their account and all associated data at any time by contacting us. Conversation state is ephemeral and only stored while an order flow is in progress.

7. Third-party services

8. Your rights

If you are a Merchant or an end customer whose data is processed by Suki, you have the right to:

• Request access to the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data
• Withdraw consent for proactive messaging (re-order reminders) at any time by replying “No thanks” to any bot message

To exercise these rights, contact us at hello@suki-app.com.

9. Children’s privacy

Suki is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has submitted data through our service, contact us and we will delete it promptly.

10. Changes to this policy

We may update this policy from time to time. When we do, we will update the “Last updated” date at the top. Continued use of the service after changes constitutes acceptance of the revised policy.

11. Contact

Questions about this policy? Reach us at:
hello@suki-app.com
https://suki-app.com