Privacy Policy

Last updated: April 6, 2026

Datalya Inc. ("Datalya"), operating under the brand name Zalena ("Zalena", "we", "our", "us"), operates an AI-powered chat and voice assistant platform for businesses. This Privacy Policy explains how we collect, use, store, and share personal information when you use our website (zalena.ai), dashboard, APIs, embeddable chat widget, and related services (collectively, the "Service").

By using the Service, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect information such as your name, email address, organization name, business type, phone number, website URL, and business address. Account authentication is managed through our identity provider, Clerk.

1.2 Business Configuration Data

To power your AI assistant, we collect business information you provide, including services and pricing, frequently asked questions, working hours, staff details, and knowledge base content. This data is used solely to generate accurate AI responses for your customers.

1.3 Conversation Data

We collect and store the content of chat conversations conducted through the Zalena widget embedded on your website. This includes messages sent by your website visitors and AI-generated responses. Chat data may include visitor-provided names, email addresses, and phone numbers.

1.4 Messaging Platform Data (Facebook, Instagram, WhatsApp)

When you connect the Service to third-party messaging platforms such as Facebook Messenger, Instagram Direct, or WhatsApp Business, we receive and process data from those platforms, including:

  • Message content exchanged between your customers and your AI assistant
  • User profile information provided by the platform (e.g., name, profile picture, platform user ID)
  • Metadata such as timestamps, message delivery status, and conversation identifiers

This data is collected solely to deliver AI-powered responses on your behalf and to display conversation history in your dashboard. We do not sell, license, or transfer data received from Meta platforms (Facebook, Instagram, WhatsApp) to any third party, including data brokers, advertising networks, or analytics providers — except to our AI sub-processor (Anthropic) as described in Section 3, solely for generating responses.

We do not use data received from Meta platforms for purposes unrelated to the Service, including surveillance, profiling for advertising, or building independent user databases.

1.5 Voice Call Data

If you use our voice assistant feature, we record and transcribe phone calls handled by your AI receptionist. Call recordings are stored securely and transcripts are generated for your review. It is your responsibility to inform callers that calls may be recorded and transcribed, in compliance with applicable consent laws.

1.6 Booking and Appointment Data

When customers book appointments through the AI assistant, we collect scheduling details including customer contact information, selected services, preferred staff member, date/time, and any notes provided.

1.7 Payment Information

Payment processing is handled entirely by Stripe. We do not store credit card numbers or sensitive payment credentials on our servers. We retain Stripe customer identifiers, subscription status, and invoice records.

1.8 Usage and Analytics Data

We automatically collect usage data including IP addresses, browser type and version, pages visited, time and date of visits, time spent on pages, and other diagnostic data. We use Google Analytics to understand how the Service is used.

1.9 Website Crawl Data

When you use our website import feature, we crawl your publicly accessible website to extract business information (services, FAQs, contact details, hours). This data is used exclusively to configure your AI assistant's knowledge base.

2. How We Use Your Information

We use collected information to:

  • Provide, operate, and maintain the Service
  • Power AI-generated chat and voice responses using your business knowledge base
  • Process bookings and appointments on your behalf
  • Process payments and manage subscriptions
  • Send transactional emails (account notifications, booking confirmations)
  • Monitor usage against plan limits
  • Detect, prevent, and address security issues and abuse
  • Improve and develop new features for the Service
  • Comply with legal obligations

3. AI Processing and Data Training

We do not use your data to train AI models. Zalena uses a Retrieval-Augmented Generation (RAG) architecture: your business data is stored in a knowledge base and retrieved at query time to provide context to the AI model. Your data is never incorporated into model weights or used to improve models for other customers.

AI responses are generated by third-party large language model providers (currently Anthropic). Conversation data sent to these providers is processed solely to generate responses and is subject to the provider's data processing terms, which prohibit use of inputs for model training.

4. Data Processor Role

Zalena operates as a data processor on behalf of the businesses ("data controllers") that use our platform. When your customers interact with your AI assistant — whether through your website widget, Facebook Messenger, Instagram, WhatsApp, or voice — we process their data on your behalf and according to your instructions.

As a data processor, we:

  • Process end-user data only as necessary to provide the Service to you
  • Maintain strict tenant isolation — data from one business is never accessible to another
  • Do not independently determine the purposes of processing end-user data
  • Act on documented instructions from you, the data controller
  • Assist you in fulfilling data subject requests (access, deletion, portability)

If you require a formal Data Processing Agreement (DPA), please contact us at privacy@zalena.ai.

5. Meta Platform Data

When the Service is connected to Meta platforms (Facebook Messenger, Instagram, WhatsApp), the following additional terms apply to data received from Meta:

  • Limited Use: Data received from Meta platforms is used exclusively to provide AI-powered messaging responses and display conversation history in your dashboard. We do not use Meta platform data for any other purpose.
  • No Sale or Transfer: We do not sell, license, or transfer Meta platform data to third parties, data brokers, or advertising networks.
  • No Surveillance: Meta platform data is not used for surveillance, user profiling for advertising, or building independent user databases.
  • Sub-Processor: Message content from Meta platforms is sent to Anthropic (our AI provider) solely for generating responses. Anthropic processes this data under contractual terms that prohibit retention or use for model training.
  • Retention: Data from Meta platform interactions is retained while your account is active. If an end user has not interacted with your AI assistant for 90 days, their personally identifiable data from Meta platforms may be anonymized or deleted unless you have an independent legal basis for retention.
  • Breach Notification: In the event of a data breach involving Meta platform data, we will notify Meta within 24 hours and affected businesses promptly thereafter.

Our use of data received from Meta platforms complies with the Meta Platform Terms and Meta Developer Policies.

6. Third-Party Services

We use the following third-party services to operate the platform. Each processes data in accordance with their own privacy policies:

  • Anthropic — AI language model provider for generating chat and voice responses (sub-processor for message content)
  • Meta Platforms — Facebook Messenger, Instagram, and WhatsApp messaging channels
  • Clerk — Authentication, user management, and organization management
  • Stripe — Payment processing and subscription billing
  • Amazon Web Services (AWS) — Cloud infrastructure, file storage (S3), and email delivery (SES)
  • Neon — Managed PostgreSQL database hosting
  • Vercel — Web application hosting and deployment
  • Google — Calendar integration (when enabled by you) and website analytics

7. Google API Data

If you connect Google Calendar, we access calendar event data solely to manage appointment availability and synchronize bookings. We support multiple sync modes including one-way push and two-way sync (busy/free status only — we do not read event details from your personal calendar beyond availability windows).

Google API data is not used to train AI or machine learning models. Our use of Google API data complies with the Google API Services User Data Policy, including the Limited Use requirements.

8. Data Sharing

We do not sell your personal information. We share data only in the following circumstances:

  • Service Providers: With the third-party providers listed in Section 6, solely to operate the Service
  • Legal Requirements: When required by law, regulation, legal process, or government request
  • Safety: To protect the rights, property, or safety of Zalena, our users, or the public
  • Business Transfers: In connection with a merger, acquisition, or sale of assets, with notice to affected users
  • With Your Consent: When you explicitly authorize sharing with a third party

We may share aggregated, anonymized data that cannot identify you or your customers for analytics and benchmarking purposes.

9. Data Storage and Security

Your data is stored on servers located in the United States. We use industry-standard security measures including:

  • Encryption in transit (TLS/SSL) and at rest
  • Secure authentication via Clerk with support for multi-factor authentication
  • Role-based access controls (organization admin vs. member)
  • Widget domain validation to prevent unauthorized embed usage
  • Regular security reviews of our infrastructure

While we implement commercially reasonable security measures, no method of transmission over the Internet or electronic storage is 100% secure.

10. Data Retention

  • Account Data: Retained for the duration of your account. Deleted upon verified request after account closure.
  • Conversation Data: Chat transcripts and voice recordings are retained while your account is active. You may request deletion at any time.
  • Meta Platform Data: Data from Facebook Messenger, Instagram, and WhatsApp interactions is subject to the 90-day inactivity rule described in Section 5. Personally identifiable data from inactive users may be anonymized or deleted.
  • Customer Records: Auto-created customer profiles from chat/voice interactions are retained while your account is active.
  • Payment Records: Invoice and billing records are retained as required by applicable tax and financial regulations.
  • Usage Analytics: Aggregated usage data may be retained indefinitely in anonymized form.

Upon account deletion, we will delete or anonymize your data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., fraud prevention, financial records).

11. Data Deletion Requests

You may request deletion of your data at any time by contacting us at privacy@zalena.ai or through your dashboard settings.

For End Users (Customers of Our Business Clients)

If you are an individual who has interacted with a business through Zalena (e.g., via a website chat widget, Facebook Messenger, Instagram, or WhatsApp), you may request deletion of your data by contacting the business directly or by emailing us at privacy@zalena.ai with the details of your interaction.

Facebook and Instagram Users

If you remove the Zalena app from your Facebook or Instagram account settings, we will receive a data deletion request from Meta and will delete all data associated with your Meta user ID within 30 days. You can check the status of your deletion request using the confirmation link provided by Meta.

You may also submit a data deletion request directly to us at privacy@zalena.ai. Include your name and the business you interacted with so we can locate and remove your data.

12. Cookies and Tracking

We use cookies and similar technologies to maintain your session, remember preferences, and understand how the Service is used. Specifically:

  • Essential Cookies: Required for authentication and core functionality (Clerk session cookies)
  • Analytics Cookies: Google Analytics (GA4) to understand usage patterns. You may opt out using browser settings or the Google Analytics Opt-out Browser Add-on.
  • Widget Tracking: The embeddable chat widget uses local storage to maintain conversation continuity for returning visitors

13. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your personal data
  • Portability: Request a machine-readable copy of your data
  • Objection: Object to processing based on legitimate interests
  • Restriction: Request that we limit processing of your data
  • Withdraw Consent: Where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at privacy@zalena.ai. We will respond within 30 days.

For California Residents (CCPA)

California residents have additional rights under the California Consumer Privacy Act, including the right to know what personal information is collected, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information.

For European Residents (GDPR)

If you are in the European Economic Area, our legal bases for processing your data include: performance of a contract (providing the Service), legitimate interests (improving and securing the Service), and consent (where applicable). Data transferred to the United States is protected by Standard Contractual Clauses.

14. Children's Privacy

The Service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child without parental consent, we will take steps to delete it promptly.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we will provide additional notice via email or an in-app notification.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: