Controller vs. processor.

• We act as a controller for personal data about website visitors, account owners/admins, billing contacts, and our own marketing.
• We act as a processor (a/k/a operator, data intermediary) when customers use Clusterbox to process their end-users' data (e.g., contacts, conversations, orders) via connected channels. Customers (your organization) are the controllers for that end-user data.
• Contact: dpo@clusterbox.co
• Data Protection Officer (DPO): Data Protection Head dpo@clusterbox.co

This policy explains what we collect, why we collect it, how we use and share it, how long we keep it, how we protect it, and the choices/rights you have. It applies to the Services and any other websites or apps that link to this policy.

Children. Our Services are not directed to children under 13 (or older, where local law sets a higher age). We do not knowingly market to or profile children.

We process personal data to:

• Provide and operate the Services (create/manage workspaces; route messages; enable inbox, contacts, orders, payments; ensure reliability and backups).
  Legal bases: contract necessity, legitimate interests; consent where required.
• Integrate channels you connect (e.g., WhatsApp/Meta, Instagram, Facebook, SMS/email providers) and follow each platform's rules.
  Legal bases: contract necessity, legitimate interests; consent where required.
• Communicate with you (service notices, security alerts, billing, product updates, optional marketing with unsubscribe).
  Legal bases: contract necessity, legal obligation, legitimate interests; consent where required.
• Improve safety and performance (debug, prevent abuse/fraud/spam, quality assurance, feature development).
  Legal bases: legitimate interests; legal obligation where applicable.
• Comply with laws (tax, accounting, regulator requests, lawful disclosures) and defend legal claims.
  Legal bases: legal obligation, public interest, legitimate interests.
• For EU/UK users, our principal legal bases are GDPR Art. 6(1)(b), (c), and (f), and consent for optional uses.

If you connect messaging channels, you are responsible for:

• Obtaining valid opt-in (where required) that clearly identifies your business and purpose, and honoring opt-out.
• Using approved templates and respecting channel content rules/quality standards.
• Publishing your own privacy notice (as controller for your end-users) and ensuring your processing has a lawful basis.
• We provide tools (e.g., consent flags, unsubscribe options, template management) to help you comply.

• We use cookies/SDKs for sign-in, preferences, security, analytics, and (optionally) attribution/ads.
• Where required, we display a consent banner and honor your selections.
• On iOS, we request App Tracking Transparency permission before any cross-app tracking; denial does not limit core features.
• We honor Global Privacy Control (GPC) signals for applicable jurisdictions.
• You can manage cookies/permissions via in-app settings, your browser, or OS privacy settings.

We share personal data only to operate the Services or as legally required:

• Service providers/sub-processors: hosting, databases, security/observability, email/SMS gateways, analytics, payments, and support tooling—bound by contracts, confidentiality, and security measures. We maintain a current Sub-processor List here: [link].
• Connected platforms you choose: when you enable channels, data flows to those platforms under their terms and your configuration.
• Enterprise administrators: if your account is part of an organization, your admins and authorized users can access workspace data.
• Corporate events: business transfers (merger/acquisition) with continued protection or equivalent safeguards.
• Legal: to comply with laws, lawful requests, or to protect rights, safety, and the integrity of the Services.
• We do not sell personal information. For California residents, we also do not "share" personal information for cross-context behavioral advertising as defined by the CCPA/CPRA.

We operate globally and may transfer data across borders. We use appropriate safeguards for international transfers, including:

• EU/EEA: European Commission Standard Contractual Clauses (SCCs) plus required transfer assessments.
• UK: IDTA or UK Addendum to the SCCs.
• Other regions: applicable local transfer mechanisms (e.g., approvals, contractual clauses, adequacy, or recognized safeguards).
• Details are available in our Data Processing Addendum (DPA).

We keep data only as long as necessary for the purposes above, to meet legal/contractual obligations, or to resolve disputes. Typical ranges:

• Account/workspace data: for your subscription term plus an administrative period , unless your admin requests earlier deletion or law requires longer retention.
• Message content (our systems): retention is workspace-configurable; channel/platform-specific constraints may also apply.
• Backups & logs: retained for limited, rotating periods for security and continuity.

• We use administrative, technical, and physical safeguards aligned to industry practices, including role-based access controls, encryption in transit and at rest (where applicable), network segmentation, monitoring/logging, secure software development practices, vulnerability management, employee training, and incident response procedures.
• If we detect a breach likely to pose risk to individuals, we will notify affected customers/users and regulators without undue delay, consistent with applicable laws.

Your rights depend on your location and role:

• We do not use your customer message content to train general-purpose AI models without your explicit opt-in.
• We may use aggregated, de-identified telemetry to improve performance and safety.
• Any AI assistant features will be clearly labeled; admins can configure or disable them.
• We do not engage in solely automated decisions that produce legal or similarly significant effects without appropriate safeguards and notices.

• Meta (Facebook/Instagram/WhatsApp): We support platform-compliant consent/opt-out flows and template management. Your use of connected channels is subject to the platform's terms and policies.
• Google Play (Data safety) & Apple App Store (App Privacy): Our store disclosures reflect in-app practices, including third-party SDK behavior. If we materially change data collection/sharing, we will update both the policy and store disclosures accordingly.

• Our Services may link to third-party sites/apps. Their privacy practices are governed by their own policies.

• We will update this page for material changes and, where required, notify you (e.g., email or in-app notice). We will maintain prior versions upon request.

• For customer controller-processor relationships, our DPA (including SCCs/UK Addendum/IDTA, as applicable) is available here.
• Current sub-processor list (with purposes, locations, and transfer safeguards) is available here.
• We will provide prior notice for material changes to sub-processors and offer the opportunity to object as set out in the DPA.

• Workspace owners/admins can request deletion of their workspace or specific data in-app or by emailing dpo@clusterbox.co. End-users should contact the relevant Clusterbox customer (controller). We will act on verified requests within the timelines required by applicable law.

• We review requests for legal validity and scope. We require appropriate legal process, notify customers where permitted, and narrowly disclose only what's necessary to comply with the law.

• Email: dpo@clusterbox.co
• Postal: ClusterBox LTD, Nine Planets Court, Kabarnet road, Nairobi, Kenya