Privacy Policy

Last updated: June 17, 2026

This Privacy Policy explains how TagoAgent ("TagoAgent", "we", "us", or "our") collects, uses, shares, and protects personal data when you visit the Site, create an account, or use the Service. The "Service" is our subscription product that gives a business its own AI customer-service and sales agent, which replies to that business's customers around the clock across WhatsApp, Telegram, and a website chat widget, in Arabic and English.

We serve customers in Egypt, Saudi Arabia, and worldwide. We have written this policy to be clear and readable, and to meet the expectations of modern data-protection laws, including the EU/UK General Data Protection Regulation (GDPR), Egypt's Personal Data Protection Law, and Saudi Arabia's Personal Data Protection Law (PDPL). Please read it together with our Terms of Service.

If you do not agree with this policy, please do not use the Site or the Service.

1. Scope of This Policy

This policy applies to personal data we process in connection with the Site (our marketing and account pages) and the Service. It covers three broad groups of people:

  • Visitors to the Site who browse our pages or contact us.
  • Subscribers (our business customers) who register for a free trial or a paid plan and use the Service.
  • End-customers of our subscribers, whose messages the AI agent processes when they chat with a business over WhatsApp, Telegram, or the website widget.

Our role differs for each group, and that difference is important. For Site visitors and Subscriber account data, we act as the data controller. For the end-customer conversation data that the agent processes on a business's behalf, we act as a data processor and the business is the controller. See the sections "Who We Are" and "Controller and Processor Roles" below.

2. Who We Are (Data Controller)

The Service is operated by TagoAgent. The legal entity responsible for the personal data described in this policy (the data controller, where we act as controller) is:

  • Legal entity: TagoAgent
  • Registered address: Cairo, Egypt
  • Privacy contact: privacy@tagoagent.com
  • General support: support@tagoagent.com

If you have any question about this policy or about how we handle your personal data, you can reach us at the privacy contact above. Where a separate data protection officer or representative is appointed, their details will be added here.

3. The Data We Collect

We collect different categories of data depending on how you interact with the Site and the Service. We have grouped them below.

Account data. When a business registers, we collect identification and contact details such as name, email address, phone number, password (stored only in hashed form), preferred language, and business information such as company name, industry, website, and the channels you connect (for example, a WhatsApp or Telegram account).

Business content used to train the agent. To configure and run your AI agent, we process the content you provide or connect, such as product catalogs, prices, FAQs, policies, documents, links, and any other knowledge you upload or supply so the agent can answer questions, capture orders, and handle support. This content may itself contain personal data if you choose to include it.

End-customer conversation data. When your end-customers message your business through WhatsApp, Telegram, or the website chat widget, the agent processes those messages so it can reply. This may include the message text, the sender's display name or handle, phone number or chat ID, timestamps, order or support details the customer shares, and the agent's responses. We process this data on your behalf as a processor; the business is the controller of this data (see the "Controller and Processor Roles" section).

Usage, device, and technical data. When you use the Site or the Service, we automatically collect technical data such as IP address, browser type, device and operating system information, pages viewed, referring URLs, language settings, approximate location derived from IP, and log and diagnostic data. We use cookies and similar technologies to keep you signed in, remember preferences, secure the Service, and understand how the Site is used (see the "Cookies" section).

Payment data. We do not collect or store full card numbers. Payments are processed by our payment providers. International and worldwide card purchases are handled by Paddle.com, which acts as the Merchant of Record (the authorized reseller and seller of record for those orders). Customers in Egypt are billed through Paymob (which supports Fawry, mobile wallets, InstaPay, and cards). Card details are entered with, and held by, these providers. We receive only limited billing information such as your name, billing country, the last four digits and brand of your card, transaction identifiers, subscription status, and invoices.

Communications and support data. If you contact us by email, through the Site, or via support channels, we keep a record of the correspondence and any information you provide so we can respond and improve the Service.

4. How and Why We Use Your Data

We use personal data for the following purposes:

  • To create and manage your account, authenticate you, and provide the Service, including the free trial and paid subscriptions.
  • To build, train, configure, and operate your AI agent so it can reply to your end-customers across WhatsApp, Telegram, and the website widget.
  • To process and route end-customer conversations and generate the agent's replies through our AI/LLM provider.
  • To take payment, manage billing and subscriptions, issue invoices, apply taxes, and handle refunds through Paddle and Paymob.
  • To provide customer support and respond to your requests.
  • To monitor, maintain, secure, and improve the Site and the Service, including troubleshooting, preventing fraud and abuse, and measuring usage against plan allowances.
  • To send service and transactional messages (for example, trial expiry, billing, security, and important changes) and, where permitted, relevant product updates.
  • To comply with legal obligations and to establish, exercise, or defend legal claims.

6. Controller and Processor Roles

Our business customers control the data of their own end-customers. When a business uses the Service to chat with its end-customers, that business decides what data is collected and why. In that relationship, the business is the data controller and TagoAgent acts as a data processor, processing the end-customer conversation data only on the business's documented instructions to provide the Service.

As a processor, we will: process end-customer data only to deliver the Service and as instructed; apply appropriate security measures; use sub-processors only as described in this policy; assist the controller, where reasonable, with data-subject requests and security obligations; and delete or return end-customer data at the end of the engagement, subject to legal retention requirements.

As the controller of their end-customers' data, each business is responsible for providing its own privacy notice to its end-customers, having a valid legal basis or consent, and handling end-customer rights requests. A data processing agreement (DPA) governing this relationship is available to business customers on request.

For account data, Site usage, and our own operation of the Service, TagoAgent is the controller.

7. Sharing and Sub-Processors

We do not sell your personal data. We share data only with trusted service providers (sub-processors) who help us run the Site and the Service, and only as needed for the purposes described in this policy. Each is bound by contractual confidentiality and data-protection obligations. Our key sub-processors and third parties are:

  • Paddle (Paddle.com) - billing and payments for international and worldwide orders, acting as Merchant of Record; handles invoicing, taxes, and refunds on our behalf.
  • Paymob - billing and payments for customers in Egypt (Fawry, mobile wallets, InstaPay, and cards).
  • Supabase - database hosting and user authentication.
  • Vercel - application hosting and content delivery for the Site and Service.
  • An AI/LLM provider - generates the AI agent's replies by processing the relevant conversation content.
  • WhatsApp / Meta - messaging channel used to send and receive WhatsApp messages.
  • Telegram - messaging channel used to send and receive Telegram messages.

We may also disclose personal data where required by law, regulation, legal process, or government request; to protect the rights, safety, and security of TagoAgent, our users, or others; or in connection with a merger, acquisition, or sale of assets, in which case we will notify you and ensure your data remains protected.

Messaging channels (WhatsApp/Meta and Telegram) operate under their own privacy policies for the data they hold as independent controllers of their platforms; we encourage you and your end-customers to review them.

8. International Data Transfers

We and our sub-processors operate globally, so your personal data may be transferred to, stored in, or accessed from countries other than your own, including countries that may not provide the same level of data protection as your home jurisdiction.

Where we transfer personal data across borders, we take steps to ensure it remains protected, including relying on recognized transfer mechanisms such as the European Commission's Standard Contractual Clauses (and the UK equivalent) where applicable, and the transfer safeguards required under Egyptian and Saudi (PDPL) data-protection law. You may contact us for more information about these safeguards.

9. Data Retention

We keep personal data only for as long as necessary for the purposes set out in this policy, and then delete or anonymize it. In general:

  • Account data is retained for the life of your account and for a reasonable period afterward to handle wind-down, disputes, and legal obligations.
  • Business content and agent configuration are retained while your account is active and deleted or returned after termination, subject to backup cycles and legal requirements.
  • End-customer conversation data is retained on behalf of the controlling business according to its instructions and our agreement, and deleted or returned at the end of the engagement, subject to legal retention requirements.
  • Billing and transaction records are retained as required by accounting and tax law (these are also held by Paddle and Paymob).
  • Usage, log, and diagnostic data are retained for a limited period for security and operational purposes.

When you close your account or request deletion, we will delete or anonymize your personal data within a reasonable timeframe, except where we must keep it to comply with law or to resolve disputes.

10. Security Measures

We take the security of personal data seriously and apply appropriate technical and organizational measures designed to protect it against unauthorized access, loss, misuse, or alteration. These include:

  • Encryption of data in transit (HTTPS/TLS) and encryption at rest where supported by our infrastructure providers.
  • Authentication and access controls that limit access to personal data to those who need it.
  • Passwords stored only in hashed form; we never store your full card numbers.
  • Use of reputable infrastructure and security practices from providers such as Supabase and Vercel.
  • Monitoring, logging, and regular review of our systems.

No method of transmission or storage is completely secure, so we cannot guarantee absolute security. If we become aware of a personal-data breach that affects you, we will notify you and the relevant authorities as required by applicable law.

11. Your Privacy Rights

Depending on where you live and the applicable law, you may have some or all of the following rights over your personal data:

  • Access: to request a copy of the personal data we hold about you.
  • Correction: to ask us to correct inaccurate or incomplete data.
  • Deletion: to ask us to delete your personal data, subject to legal exceptions.
  • Objection and restriction: to object to, or ask us to restrict, certain processing, including processing based on legitimate interests.
  • Portability: to receive certain data in a structured, commonly used, machine-readable format, or to have it transferred to another provider where technically feasible.
  • Withdraw consent: to withdraw consent at any time where we rely on it, without affecting prior processing.
  • Lodge a complaint: to complain to your local data-protection authority.

These rights reflect the GDPR. We also honor data-subject rights provided under Egypt's Personal Data Protection Law and Saudi Arabia's Personal Data Protection Law (PDPL), which grant individuals comparable rights of access, correction, and deletion, and the ability to complain to the competent national authority.

To exercise any right, contact us at privacy@tagoagent.com. We may need to verify your identity before acting on a request, and we will respond within the timeframe required by applicable law. If your request concerns end-customer conversation data that we process on a business's behalf, we will refer you to, or work with, the business as the controller of that data.

12. Cookies and Similar Technologies

We use cookies and similar technologies on the Site and within the Service to keep you signed in, remember your preferences (such as language), secure the Service, and understand how the Site is used so we can improve it.

Some cookies are strictly necessary for the Site and Service to function. Others (such as analytics or preference cookies) are optional, and where required by law we will ask for your consent before setting them. You can control cookies through your browser settings and, where offered, through our cookie controls. Disabling some cookies may affect how the Site or Service works.

13. Children's Data

The Service is intended for businesses and adults, and is not directed at children. We do not knowingly collect personal data from children below the age of digital consent under applicable law. If you believe a child has provided us with personal data, please contact us so we can investigate and delete it. Where a business's end-customers may include minors, the business as controller is responsible for handling such data in line with applicable law.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or the Service. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you through the Site or by email. We encourage you to review this page periodically. Your continued use of the Site or Service after an update means you accept the revised policy.

15. How to Contact Us

If you have questions, requests, or complaints about this policy or your personal data, you can reach us at:

  • Privacy and data requests: privacy@tagoagent.com
  • General support: support@tagoagent.com
  • Legal entity: TagoAgent
  • Registered address: Cairo, Egypt

We will do our best to resolve any concern. You also have the right to contact the data-protection authority in your country.