PRIVACY POLICY

Aliat Platform 

Operated by Jivy Group Software S.R.L. 

Effective date: 10 April 2026   |   Last updated: 28 April 2026

1. Who We Are 

This Privacy Policy explains how JivyGroup Software S.R.L. (“we”, “us”, “our”, “Jivy Group”), a Romanian limited liability company (Societate cu Răspundere Limitată), collects, uses, and protects personal data in connection with the Aliat platform (“Aliat”, the “Service”). JivyGroup Software S.R.L. is registered with the Romanian Trade Register under no. J2022002531405, fiscal code (CUI) 45627469. Our registered address is Bucharest, Sector 2, Pipera Road, no.48A, off. 408, Romania. Aliat is the product brand under which we operate the Service at https://aliat.io. 

For general enquiries, contact us at contact@aliat.io. For privacy-specific enquiries, contact privacy@aliat.io.

Designated Privacy Contact 

For privacy enquiries, please contact our designated privacy contact, reachable at privacy@aliat.io.

2. Scope of This Policy 

This Privacy Policy applies to: 

  • The Aliat website (https://aliat.io and any subdomains). 
  • The Aliat platform (the web application accessible after sign-in). 
  • All connected channel integrations (Instagram, Facebook Messenger) operated through Aliat. 
  • Communications between you and us, including email, support tickets, and demos. 

  

This Policy does not cover websites, apps, or services operated by third parties, even when accessed through links from Aliat. Those services are governed by their own privacy policies.  

3. Definitions 

Throughout this Policy, the following terms have the meanings set out below:   

| Term | Meaning |
| --- | --- |
| Customer | A business or organization that has registered for an account with Aliat to use the Service. Customers are typically small or medium businesses (SMBs) such as salons, wellness centers, restaurants, e-commerce shops, etc. |
| End-User | A natural person who interacts with a Customer through one of the messaging channels connected to Aliat (e.g. an Instagram or Facebook user who sends a direct message to the Customer’s page). |
| Personal Data | Any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR. |
| Processing | Any operation performed on Personal Data, as defined in Article 4(2) GDPR (collection, storage, use, disclosure, deletion, etc.). |
| Controller | The party that determines the purposes and means of Processing Personal Data (Article 4(7) GDPR). |
| Processor | The party that Processes Personal Data on behalf of a Controller (Article 4(8) GDPR). |
| Sub-processor | A third party engaged by us to assist in Processing on behalf of our Customers (e.g. cloud hosting, AI inference providers). |
| GDPR | Regulation (EU) 2016/679, the General Data Protection Regulation. |
| Service / Platform | The Aliat software-as-a-service product. |

4. Our Two Roles: Controller and Processor 

Aliat operates in two distinct capacities under GDPR. Understanding the difference is essential, because your rights and our obligations differ depending on which role applies. 

4.1 When We Act as Data Controller 

We act as a Data Controller where we determine the purposes and means of processing Personal Data for our own business operations, independent of the services provided to Customers. This includes the following categories of Personal Data:

  • Personal data of Customers (business account holders) — name, email, account activity, service preferences, account settings, usage information. 
  • Personal data of website visitors — IP address, device and browser information, cookie identifiers, and information relating to interactions with our website and marketing pages. 
  • Personal data of prospects, contacts, and recipients of marketing communications, including contact details and communication preferences. 
  • Personal data processed when responding to enquiries, including information submitted through support requests, sales inquiries, demo requests, or other communications with us. 

 

4.2 When We Act as Data Processor

We act as a Processor on behalf of our Customers when they use Aliat to receive, store, process, and respond to messages from End-Users. In this case, the Customer is the Controller of End-User Personal Data, and we Process that data only on the Customer’s documented instructions, as set out in our Data Processing Agreement (DPA). 

This means: when an Instagram user sends a direct message to a salon that uses Aliat, the salon (our Customer) is the Controller of that End-User’s data. We process the message content on the salon’s behalf to deliver the Service. 

5. Personal Data We Collect 

5.1 Information You Provide Directly 

When you sign up, configure, or use the Service, we may collect: 

  • Account data: name, email address, preferred language, time zone.
  • Business information: company name, country, business type, role within the business, website URL. 
  • Knowledge Base content: any business information, documents, FAQs, services, or other content you upload to train the bot. 
  • Communications: messages exchanged with our support team, feedback, survey responses and other information you choose to provide when contacting us. 

 

5.2 Information Collected Automatically 

When you visit the website or use the platform, we automatically collect: 

  • Technical data: IP address, browser type and version, operating system, device and session identifiers, and referring URLs. 
  • Usage data: pages viewed, features used, clicks, session duration, timestamps, and error or performance logs generated through interactions with our website or platform. 
  • Cookies and similar technologies: including analytics and functional technologies, as detailed in our separate Cookie Policy. 

 

5.3 Information Received from Connected Channels 

When a Customer connects a Meta (Facebook, Instagram) business asset to Aliat, we receive Personal Data from those platforms for the purpose of providing the Service. This data is Processed on behalf of the Customer and includes: 

  • End-User profile information: name, profile picture URL, platform-specific user identifier (e.g. Instagram-Scoped User ID) and language settings, where made available by the relevant platform. 
  • Message content: the text, attachments, and metadata of messages sent by End-Users to the Customer’s connected business asset, as well as responses generated and sent by Aliat through the Service in accordance with the Customer’s configuration and instructions.
  • Conversation metadata: timestamps, channel of origin, message ID, sender and receiver identifiers, and delivery status. 
  • Page / account metadata: Customer’s connected Facebook Page ID, Instagram Business Account ID, Telegram Bot ID, etc. 

 

Important: We do not collect End-User data on our own initiative. We only receive End-User data when an End-User chooses to send a message to a Customer’s connected business asset, or when the platform (e.g. Meta) provides such data to deliver the messaging service. 

 

5.4 Information Received from Third Parties 

We may receive Personal Data from: 

  • Identity and authentication providers, primarily our authentication provider Auth0 and, where applicable, the external identity provider selected by the user (such as Google or Meta). This may include identity and account information such as name, email address, profile identifier, profile image, authentication status, and related account metadata. Aliat does not receive or store user passwords.
  • Payment service provider (Stripe) — limited billing and transaction information, such as transaction status, payment method type, card brand and last four digits, billing country, and related payment metadata. We do not receive or store full payment card numbers. 
  • Analytics and marketing partners: where permitted or required, based on your consent, we may receive information from analytics, attribution, and marketing partners through cookies and similar technologies. Further details are provided in our Cookie Policy.

 

6. Purposes and Legal Bases for Processing 

We Process Personal Data only for specific, legitimate purposes, and only where a valid legal basis under Article 6 GDPR applies. The table below sets out the main purposes and the corresponding legal basis. 

| Purpose | Categories of data | Legal basis (GDPR Art. 6) |
| --- | --- | --- |
| Providing the Service to Customers (delivering messages, generating AI responses, displaying conversations, billing) | Account data, business info, Knowledge Base, billing, conversation data | Performance of a contract (Art. 6(1)(b)) |
| Processing End-User messages on behalf of Customers | End-User profile, message content, conversation metadata | Processing on documented instructions of the Controller (Art. 28 GDPR). The Customer, as Controller, determines the applicable legal basis for this processing. |
| Account security, fraud prevention, abuse detection | Account data, technical data, usage data | Legitimate interests (Art. 6(1)(f)) — our interest in protecting the security and integrity of the Service and safeguarding our users against fraud and abuse. |
| Compliance with legal obligations (tax, accounting, lawful requests, anti-money laundering) | Account data, billing, transactions | Legal obligation (Art. 6(1)(c)) |
| Customer support and service communications | Account data, communications | Performance of contract (Art. 6(1)(b)) and legitimate interests |
| Direct marketing of similar services to existing Customers | Account data, business info | Legitimate interests (Art. 6(1)(f)) — our interest in promoting our services to existing Customers with similar offerings (soft opt-in per Recital 47 and Romanian Law 506/2004 Art. 12(2)), subject to your right to object at any time. |
| Marketing to prospects who opted in | Email, name, company, marketing preferences | Consent (Art. 6(1)(a)), revocable at any time |
| Analytics and product improvement | Usage data, technical data (often pseudonymised or aggregated) | Legitimate interests (Art. 6(1)(f)) — our interest in understanding how the Service is used to improve its functionality, performance, and user experience. |
| Defending legal claims, enforcing terms | Any relevant data | Legitimate interests (Art. 6(1)(f)) — our interest in establishing, exercising, or defending legal claims, including the enforcement of our Terms of Service. |

 

7. Sharing and Sub-processors 

We do not sell Personal Data. We share Personal Data only as described below. 

7.1 Sub-processors 

We engage trusted third parties to help us deliver the Service. Each sub-processor is bound by a written agreement requiring them to Process Personal Data only on our instructions and to apply appropriate technical and organizational security measures. Our current sub-processors are:  

| Sub-processor | Purpose | Location of processing |
| --- | --- | --- |
| Stripe Payments Europe Ltd. | Subscription billing and payment processing | Ireland (with onward transfers to Stripe affiliates in the United States under SCCs) |
| Microsoft Ireland Operations Limited | AI inference via Azure OpenAI Service (generating bot responses based on Customer Knowledge Base and incoming messages). Prompt and completion data is processed in the Azure West Europe region and is not retained after inference. OpenAI models are hosted on Microsoft Azure infrastructure; data is not shared with OpenAI. | West Europe |
| Twilio Ireland Limited (SendGrid) | Sending transactional emails (account, billing, notifications) | Ireland and United States (under SCCs) |
| Microsoft Ireland Operations Limited | Hosting the Aliat platform infrastructure (compute, databases, file storage) | West Europe |

 

 

An up-to-date list of sub-processors is available on request. We notify Customers in advance of any new sub-processor and offer the opportunity to object on reasonable grounds. 

7.2 Other Disclosures 

We may also disclose Personal Data: 

  • To professional advisers (lawyers, accountants, auditors) under confidentiality obligations. 
  • To public authorities, courts, or law enforcement when required by applicable law and only in response to valid, written legal process. We push back on overbroad requests. 
  • In connection with a corporate transaction (merger, acquisition, sale of assets), in which case the recipient will be bound by privacy obligations no less protective than those in this Policy. 
  • With your consent, in any other case. 

 

7.3 Platform Operators 

When a Customer connects a messaging channel, the platform operator processes message data under its own policies as an independent controller or joint controller. These platforms are not Aliat sub-processors — we interact with them via their APIs to deliver the Service. The platforms currently supported are: 

  • Meta Platforms Ireland Ltd. / Meta Platforms, Inc. (Facebook Messenger, Instagram Direct) — Ireland and United States.

Each platform’s own privacy policy governs its processing of message data. We do not transfer Customer Data to these platforms beyond what is necessary for message delivery via their APIs. 

8. International Data Transfers 

Some of our sub-processors transfer data outside the European Economic Area. Currently, Twilio (SendGrid) may transfer data to the United States for email delivery. For such transfers, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission and, where applicable, the EU-U.S. Data Privacy Framework. We also apply supplementary measures including encryption in transit and at rest. 

You may request a copy of the safeguards applicable to a specific transfer by writing to privacy@aliat.io. 

9. How Long We Keep Personal Data 

We keep Personal Data only for as long as necessary for the purposes for which it was collected, plus any period required by law. The principal retention periods are summarized below. 

| Category | Retention period | Notes |
| --- | --- | --- |
| Customer account data | For the duration of the account, plus up to 12 months after closure | Unless extended by legal claim, dispute, or regulatory obligation |
| Conversation data (messages, contacts, conversation metadata) | For the duration of the account | Customers may delete conversations on demand from within the platform |
| Knowledge Base content | For the duration of the account, plus 30 days after account closure without a deletion request (in case of restoration). If the Customer submits a verified deletion request, Knowledge Base content is permanently deleted within 30 days of the request — the 30-day restoration window does not apply | Then permanently deleted |
| Billing and tax records | 10 years | As required by Romanian fiscal law |
| Marketing communications data (prospects) | Until consent is withdrawn, then permanently deleted within 30 days | |
| Web analytics and cookies | As specified in our Cookie Policy (typically up to 13 months) | |
| Backups | Up to 90 days | After deletion of live data, residual copies may persist in encrypted backups for the backup rotation period before being overwritten |
| Logs (security, access, error) | Up to 12 months | Longer retention only where required for security investigations |

10. How We Protect Personal Data 

We apply technical and organizational security measures appropriate to the risk, including: 

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256 or equivalent). 
  • Role-based access controls and least-privilege access to production systems. 
  • Two-factor authentication for staff with administrative access. 
  • Hashed and salted password storage. 
  • Regular dependency and vulnerability scanning. 
  • Audit logging for sensitive operations. 
  • Backups with encryption and tested recovery procedures. 
  • Confidentiality obligations on all employees and contractors. 
  • Vendor due-diligence and contractual data-protection requirements on sub-processors. 
  • Incident response and breach notification procedures.  

 

We will notify relevant Customers of a personal data breach affecting their data without undue delay, and in any event within 48 hours of becoming aware of the breach, to enable the Customer to fulfil its own obligations under Articles 33–34 GDPR. Where required, we will notify the ANSPDCP within 72 hours.  

No system can be perfectly secure. If you become aware of a security issue affecting Aliat, please report it to security@aliat.io — we treat such reports seriously and respond promptly. 

11. Your Rights 

Subject to applicable conditions, you have the following rights under the GDPR. These rights apply to data we hold about you, regardless of whether you are a Customer, an End-User, a website visitor, or another individual. 

  • Right of access (Art. 15): obtain confirmation of whether we hold your data and a copy of it. 
  • Right to rectification (Art. 16): request correction of inaccurate or incomplete data. 
  • Right to erasure / ‘right to be forgotten’ (Art. 17): request deletion of your data when one of the legal grounds applies. 
  • Right to restriction (Art. 18): request that Processing be limited in specific circumstances. 
  • Right to data portability (Art. 20): receive your data in a structured, commonly used, machine-readable format. 
  • Right to object (Art. 21): object at any time to Processing based on legitimate interests, including profiling. You may object to direct marketing at any time, with no need to give a reason. 
  • Right to withdraw consent: where Processing is based on consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of Processing carried out before withdrawal. 
  • Rights related to automated decision-making (Art. 22): the Aliat platform uses AI to generate automated responses to End-User messages. When we act as Controller (for our own account management and billing purposes), we do not make solely automated decisions with legal or similarly significant effects on you. When we act as Processor on behalf of a Customer, the AI-generated responses are part of the Customer’s service to their End-Users. Whether such responses constitute solely automated decision-making with legal or similarly significant effects depends on the Customer’s specific use case and configuration. Our Terms of Service require Customers to (a) maintain meaningful human oversight of bot responses, (b) not use the Service for decisions with legal or similarly significant effects without independent human review, and (c) ensure End-Users can request to speak with a human agent. If you are an End-User and believe an automated response has significantly affected you, you may (i) request human review from the business you were communicating with, (ii) express your point of view, and (iii) contest the decision. You may also contact us at privacy@aliat.io and we will assist. 
  • Right to lodge a complaint: with a supervisory authority. In Romania, the supervisory authority is the National Supervisory Authority for Personal Data Processing (ANSPDCP). 

  

We respond within one month of receiving a verifiable request, extendable by up to two further months for complex or numerous requests, in which case we will inform you of the extension. 

If you are an End-User (someone who has messaged a business that uses Aliat) and you wish to exercise rights regarding your message data, the primary point of contact is the business you messaged (the Controller). However, you may also contact us at privacy@aliat.io and we will assist or forward your request to the Customer as appropriate. 

How to Exercise Your Rights 

Send a request to privacy@aliat.io with: 

  • A description of the right you wish to exercise. 
  • Sufficient information for us to identify you (we may ask for verification before disclosing or deleting data, to prevent fraud). 
  • Where relevant, the specific account, business, or conversation involved. 

12. Data Deletion 

In addition to the rights described above, we provide the following dedicated data-deletion mechanisms: 

12.1 For Customers 

Customers can request deletion of their account and all associated data: 

  • From within the Aliat platform: Settings → Account → Delete Account. 
  • By emailing privacy@aliat.io from the registered account email. 

Upon a verified deletion request, we permanently delete account data, configuration, Knowledge Base content, conversation history, and contact records within 30 days, except for data we are required by law to retain (notably accounting and tax records). 

The 12-month post-closure retention period described in Section 9 applies where the Customer closes (pauses) the account without requesting deletion. A verified deletion request under this Section triggers permanent deletion within 30 days regardless of any post-closure retention window. 

12.2 For End-Users 

End-Users — for example, an Instagram or Facebook user who has messaged a business that uses Aliat — may request deletion of their data either by contacting the business directly, or by contacting us at privacy@aliat.io. We will identify and delete the relevant records within 30 days and confirm completion in writing. 

12.3 Meta-Initiated Deletion (Data Deletion Callback) 

If you remove Aliat’s access to your data through Facebook, Instagram, or WhatsApp settings (under Apps and Websites or Apps Connected to Your Account), Meta sends us an automated deletion request. Upon receipt, we delete the corresponding records within 30 days and provide a confirmation status that you can check by contacting privacy@aliat.io with the confirmation code provided by Meta. 

13. Artificial Intelligence (AI) Processing Disclosure 

Aliat uses artificial intelligence to generate responses to End-User messages on behalf of Customers. We are transparent about this: 

  • Conversations on connected channels may be handled, in full or in part, by an AI bot rather than a human agent. 
  • Customers are required by our Terms of Service to disclose this to End-Users when applicable, and Aliat is configured to identify itself as an automated assistant when reasonably required. 
  • End-User message content is sent to Microsoft Azure OpenAI Service (our AI inference sub-processor) for the limited purpose of generating a response. Data is processed within the EU and is not retained after inference. The AI models are hosted on Microsoft Azure infrastructure and the data is not shared with or used to train OpenAI’s foundation models. 
  • AI-generated responses are based on the Customer’s Knowledge Base and the conversation context. They are not infallible. Customers retain full responsibility for the content sent on their behalf. 
  • End-Users may at any time request to speak with a human agent. Where supported by the channel and the Customer’s configuration, we route the conversation to a human. 

14. Cookies and Similar Technologies 

We use cookies and similar technologies on the Aliat website. We will publish a detailed Cookie Policy at https://aliat.io/cookies before deploying any non-essential cookies. Until that policy is published, the Aliat website uses only strictly necessary cookies that do not require consent.  

15. Children’s Data 

Aliat is a business-facing tool. The Service is not directed at children, and we do not knowingly collect Personal Data from children under the age of 16. If you become aware that a child has provided Personal Data to us, please contact privacy@aliat.io and we will take steps to delete that information. 

Customers using Aliat to communicate with End-Users are responsible for complying with applicable law regarding minors in their own market. The default minimum age of digital consent is 16 under GDPR; some EU Member States have set lower thresholds (down to 13). Romania has set the threshold at 16. 

16. Changes to This Policy 

We may update this Policy from time to time. The ‘Last updated’ date at the top of the page reflects the most recent revision. For material changes, we will provide additional notice — for example, by email to Customers or by a prominent banner on the website — at least 30 days before the change takes effect, except where the change is required by law and must take effect sooner. 

17. Contact Us 

If you have any questions, requests, or complaints about this Policy or about how we handle Personal Data, please contact us: 

  • Privacy email: privacy@aliat.io 
  • General contact: contact@aliat.io 
  • Postal address: JivyGroup Software S.R.L., Bucharest, Sector 2, Pipera Road, no.48A, off. 408, Romania 
  • Website: https://aliat.io