Privacy policy

CX Inbox — WhatsApp Customer Support Platform
Operated by SOA Software LLC (“we”, “us”, or “our”)


1. Identity of the data controller

SOA Software LLC, based in Orlando, Florida, United States, is the data controller responsible for the personal data you provide to us, in accordance with applicable data protection laws in the jurisdictions where we operate.

For the purposes of this Privacy Policy, SOA Software LLC acts in two capacities:

  • As data controller: with respect to personal data of account holders, administrators, agents, and website visitors.
  • As data processor: with respect to personal data of end consumers of our business customers, which is processed through the platform on behalf of and under the instructions of said business customers.

Privacy contact:
Email: privacy@cxinbox.ai
Reference subject: “Data Rights Request” or “Privacy Inquiry”


2. Personal data we collect

2.1 Account holder data (business customers)

Category | Data | Purpose
Identification | Full name, email address, organizational role | Account creation and management
Organization | Company name, client identifier, subscription plan | Service delivery
Authentication | Email address, password (stored as cryptographic hash) | Secure access control
Platform usage | Activity logs, IP address, browser type, pages visited | Security, service improvement
Billing | Billing contact information | Payment processing

2.2 Data processed on behalf of our customers (messaging)

When our business customers use CX Inbox to communicate with their own customers via WhatsApp, we process the following data as a data processor:

Category | Data | Purpose
Contact | WhatsApp phone number, WhatsApp profile name | Sending and receiving messages
Communications | Text message content, images, documents, audio, video | Messaging service delivery
Metadata | Message timestamps, delivery status, conversation identifiers | Traceability and analytics
Bot data | Detected intents, extracted entities, AI-generated responses | Chatbot operation

2.3 Website visitor data

Category | Data | Purpose
Analytics | Page interactions, mouse movements, clicks (via Microsoft Clarity) | Website experience improvement
Technical | IP address, browser type, operating system, pages visited | Security and performance

3. Purposes of data processing

3.1 Primary purposes (necessary)

  1. Service delivery: Create and maintain user accounts, process and deliver WhatsApp messages, store conversations and communication history.
  2. AI chatbot processing: When the business customer enables bot features, message content is sent to artificial intelligence providers to generate automated responses.
  3. Security: Protect platform integrity, detect fraudulent or unauthorized activity, and prevent abuse.
  4. Technical support: Resolve incidents, answer inquiries, and provide technical assistance.
  5. Legal compliance: Fulfill legal, regulatory, tax, or competent authority obligations.

3.2 Secondary purposes (not necessary)

  1. Service improvement: Analyze usage patterns to optimize the platform.
  2. Commercial communications: Send information about new features, product updates, and promotions related to CX Inbox.
  3. Aggregated analytics: Generate anonymized statistics about platform usage.

If you do not wish your personal data to be processed for secondary purposes, you may communicate this to privacy@cxinbox.ai. Your refusal will not affect service delivery.


4. Data sharing and transfers

4.1 Artificial intelligence providers

When chatbot features are enabled by the business customer, message content may be sent to the following AI providers for processing:

Provider | Location | Purpose
Google LLC (Gemini) | United States | Bot response generation, intent classification
Anthropic PBC (Claude) | United States | Bot response generation
OpenAI LLC (GPT) | United States | Bot response generation

Important note: The business customer configures and selects the AI provider. CX Inbox does not choose which provider to use; this decision rests solely with the organization's administrator. None of these providers use data sent through their commercial APIs to train their models.

4.2 Meta Platforms (WhatsApp Business API)

Messages are transmitted through the WhatsApp Business API operated by Meta Platforms, Inc. Meta processes data in accordance with its own privacy policy.

4.3 Microsoft (Clarity)

We use Microsoft Clarity exclusively on the website landing page, not within the application. Clarity collects anonymized interaction data.

4.4 Platform administrators

CX Inbox administrators may access business customer data only when necessary for:

  • Technical problem analysis and resolution
  • Platform maintenance and updates
  • Legal obligation compliance
  • Customer-requested support

4.5 We do not sell your data

CX Inbox does not sell, rent, or trade personal data to third parties under any circumstances. We do not share data for third-party advertising purposes.


5. Data isolation (multi-tenancy)

CX Inbox operates under a multi-tenant model with strict data isolation. This means:

  • Each organization (tenant) has its data completely isolated from all others.
  • No business customer can access another organization's data.
  • Isolation is implemented at multiple layers: application level, database query level, and infrastructure-level row-level security (RLS) in PostgreSQL.
  • Only authorized administrators and assigned agents within a business customer's organization can access that organization's conversations and data.

6. Legal bases for processing

Legal basis | Application
Consent | Acceptance of terms upon account creation; enabling optional AI features
Contractual performance | Delivery of the contracted messaging and customer support service
Legitimate interest | Platform security, fraud prevention, service improvement
Legal obligation | Compliance with legal requirements or competent authority requests

For users in the European Union, these legal bases correspond to those established in Articles 6(1)(a), (b), (f), and (c) of the GDPR, respectively.


7. Your rights

7.1 ARCO rights (Mexico — LFPDPPP)

As a data subject under Mexican law, you have the right to:

  • Access: Know what personal data we hold about you and how we process it.
  • Rectification: Request correction of inaccurate or incomplete personal data.
  • Cancellation: Request deletion of your data when you consider it unnecessary for the described purposes.
  • Opposition: Object to the processing of your data for specific purposes.

To exercise these rights, send your request to privacy@cxinbox.ai including: your full name, account email address, description of the right you wish to exercise, and identity verification documents. We will respond within a maximum of 20 business days.

7.2 Rights under Latin American legislation

CX Inbox recognizes and respects the rights granted by data protection laws in the countries where our customers operate:

  • Peru (Law No. 29733): Rights of access, rectification, cancellation, and opposition. Response period: 20 business days.
  • Colombia (Law 1581 of 2012): Rights to know, update, rectify, and delete personal data; revoke authorization. Response period: 10 business days (inquiries), 15 business days (claims).
  • Ecuador (LOPDP): Rights of access, rectification, deletion, opposition, portability, and restriction of processing.

7.3 Rights under the GDPR (European Union)

If you are located in the European Union or the European Economic Area, you have additional rights including: data portability, restriction of processing, not being subject to automated decision-making, and lodging a complaint with a supervisory authority.

7.4 Rights under the CCPA/CPRA (California, USA)

If you are a California resident, you have the right to know what data we collect, request deletion, and opt out of the “sale” of personal information. CX Inbox does not sell personal data.


8. End consumer data

If you are an end consumer communicating with a business that uses CX Inbox:

  • The business you communicate with is the data controller of your personal data. CX Inbox acts as a data processor on their behalf.
  • To exercise your privacy rights regarding your conversations, you should contact the business you communicated with directly.
  • If you need CX Inbox to delete your data for technical reasons, you may contact us at privacy@cxinbox.ai.

9. Cookies and tracking technologies

The website uses essential session cookies and Microsoft Clarity for analytics. The application uses only session cookies and JWT tokens necessary for authentication. No advertising tracking cookies or third-party cookies are used within the application.


10. Data security

We implement technical, administrative, and physical security measures to protect your personal data, including:

  • Encryption in transit: All communications are transmitted via TLS/HTTPS.
  • Encryption at rest: Passwords are stored using cryptographic hashing (bcrypt).
  • Access control: JWT-based authentication with differentiated roles.
  • Data isolation: Multi-tenant architecture with isolation at the application level, database query level, and PostgreSQL row-level security (RLS) policies.
  • Private infrastructure: Data is stored on private servers with restricted access.
  • Monitoring and backups: Access logging, anomaly detection, and regular encrypted backups.

11. Data retention

Data type | Retention period | Justification
Account data | While account is active + 1 year | Service delivery and legal obligations
Conversations and messages | While business customer account is active | Operational continuity
Media files | While business customer account is active | Linked to conversations
Activity logs | 12 months | Security and auditing
Billing data | 5 years | Tax obligations
Web analytics data | 26 months | Service improvement

Business customers may request deletion of all their data at any time by sending a request to privacy@cxinbox.ai. Deletion will be executed within a maximum of 30 calendar days.


12. International data transfers

Personal data is stored on private servers. Data transfers occur when the business customer enables bot features (data sent to servers operated by Google, Anthropic, or OpenAI) and through Meta's global infrastructure for WhatsApp messages.

These transfers are carried out on the basis of the business customer's consent, contractual safeguards, and the necessity for the performance of the service contract, in compliance with the GDPR (Chapter V) and applicable data protection laws.


13. Children's privacy

CX Inbox is a B2B enterprise service designed exclusively for use by individuals aged 18 and older. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor, we will promptly delete it.


14. Automated decision-making and artificial intelligence

When the business customer enables AI chatbot features, the system may classify intents, generate automated responses, and extract relevant information from messages. These automated decisions do not produce significant legal effects on consumers. The consumer may request human agent assistance at any time.


15. Use of the platform as a data processor

Business customers are responsible for obtaining necessary consent from their consumers, complying with applicable data protection laws, and supervising AI features. CX Inbox commits to processing data solely in accordance with customer instructions, notifying data breaches, and deleting or returning data upon termination of the contractual relationship.


16. Data breach notification

In the event of a security breach compromising personal data, CX Inbox will notify the affected business customer within 72 hours, providing detailed information about the nature of the breach, the data affected, and the measures taken.


17. Changes to this privacy policy

We reserve the right to modify this Privacy Policy at any time. Changes will be communicated through publication on this website and email notification to active account holders when changes are substantial.


18. Governing law and jurisdiction

This Privacy Policy is governed by the LFPDPPP (Mexico), Law 29733 (Peru), Law 1581 (Colombia), the LOPDP (Ecuador), the GDPR (EU), and the CCPA/CPRA (California, USA), as applicable. For any dispute, the parties shall submit to the jurisdiction of the competent courts of Orange County, Orlando, Florida, United States.


19. Contact

For any inquiry, data rights request, or matter related to your data privacy: