Privacy Policy for GPTMyBiz
Effective Date: June 25, 2025
Last Updated: June 25, 2025
1. Controller Information and Contact Details
This privacy policy explains how GPTMyBiz ("we," "us," "our") collects, uses, and protects your personal information when you interact with our AI-powered chatbot on Facebook Messenger.
Data Controller:
GPTMyBiz
Address: Available upon request
Email: michaelrandazzo@tanning.ai
Phone: 586-747-8099
Business Hours: Weekdays 9am-5pm EST
Data Protection Officer:
Email: michaelrandazzo@tanning.ai
2. AI System Disclosure
You are interacting with an artificial intelligence system. Our chatbot uses OpenAI's GPT-4.1 technology to generate automated responses. While we strive for accuracy, AI-generated responses are informational only and should not be considered professional advice. A human representative is available upon request during business hours.
3. Information We Collect
We collect the following personal data when you use our Messenger bot:
- Facebook User Identifier (sender_id): Your unique Facebook user identifier to maintain conversation continuity and provide personalized responses
- Message Content (message_text): The content of your messages to provide AI-powered responses and improve our service quality
- Page Identifier (page_id): Information about which of our Facebook pages you interact with to provide appropriate responses and maintain separate conversation contexts
- Conversation Timestamps: When messages are sent and received for service delivery and analytics
- Technical Data: IP addresses, device information, and interaction metadata as provided by Facebook's platform
4. How We Use Your Information
Legal Basis: Legitimate Interest (GDPR Article 6(1)(f))
We process your personal data for the following purposes:
- Providing AI-powered conversational responses
- Maintaining conversation context and continuity
- Improving our chatbot's accuracy and helpfulness
- Ensuring compliance with Facebook's Platform policies
- Analyzing usage patterns to enhance user experience (anonymized data only)
5. Third-Party Data Processing
OpenAI Processing:
Your messages are sent to OpenAI's servers located in the United States for AI processing. OpenAI retains API inputs and outputs for up to 30 days for service provision and abuse monitoring, after which they are deleted from OpenAI's systems. We have a Data Processing Agreement with OpenAI that ensures your data is not used to train their models.
Self-Hosted MongoDB Storage:
Your conversation data is stored using our self-hosted MongoDB infrastructure located in Michigan, United States. All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2+. Our servers are secured with enterprise-grade firewalls, regular security updates, and 24/7 monitoring.
Self-Hosted n8n Workflow Processing:
Our chatbot workflow is powered by our self-hosted n8n instance located in Michigan, United States. No personal data is stored permanently in n8n systems; it only processes data in transit between Facebook, OpenAI, and MongoDB.
6. Cross-Border Data Transfers
Your personal data may be transferred to and processed in the United States by our AI service provider (OpenAI) for generating responses to your messages. This transfer is based on Standard Contractual Clauses approved by the European Commission and OpenAI's certification under the EU-US Data Privacy Framework, ensuring adequate protection for your data.
7. Data Retention Periods
We retain your personal data for the following periods:
- Active conversation context: 24-48 hours for immediate response continuity
- Message content and AI responses: 30 days for service improvement and quality assurance
- User preferences and settings: Until you delete your account or withdraw consent
- Technical logs (IP addresses, timestamps): 90 days for security and fraud prevention
- Customer service interactions: 90 days for quality assurance
Data is automatically deleted at the end of these periods unless we have a legal obligation to retain it longer.
8. Your Rights Under GDPR
Right of Access (Article 15):
You can request access to your personal data. Contact michaelrandazzo@tanning.ai or type "show my data" in the chat. We will provide this information within one month.
Right to Rectification (Article 16):
You can request correction of inaccurate or incomplete personal data by contacting michaelrandazzo@tanning.ai or typing "update my information" in the chat.
Right to Erasure/Right to be Forgotten (Article 17):
You can request deletion of your personal data by contacting michaelrandazzo@tanning.ai, typing "delete my data" in the chat, or using our data deletion form at GPTMybiz.AI/delete-data. We will process your request within 30 days.
Right to Data Portability (Article 20):
You can receive your personal data in JSON format by requesting it at michaelrandazzo@tanning.ai or typing "export my data" in the chat.
Right to Object (Article 21):
You can object to processing of your personal data by contacting michaelrandazzo@tanning.ai. You have the absolute right to object to any direct marketing communications.
Right to Withdraw Consent:
You can withdraw your consent at any time by typing "withdraw consent" in the chat or contacting michaelrandazzo@tanning.ai.
9. Data Security Measures
We implement comprehensive technical and organizational measures to protect your data:
- Encryption: AES-256 encryption at rest, TLS 1.2+ in transit
- Self-Hosted Infrastructure: Complete control over our servers with enterprise-grade security
- Access Controls: Role-based access control with multi-factor authentication
- Regular Audits: Annual security audits of all systems and processes
- Monitoring: 24/7 security monitoring and automated threat detection
- Staff Training: Regular privacy and security training for all personnel
- Incident Response: Comprehensive data breach response procedures with 72-hour notification
10. Data Breach Notification
In the event of a personal data breach, we will notify you and relevant supervisory authorities within 72 hours if the breach is likely to result in a risk to your rights and freedoms.
11. Supervisory Authority
You have the right to lodge a complaint with your local data protection supervisory authority. For EU residents, contact details are available at: https://edpb.europa.eu/about-edpb/board/members_en
For US residents, you may contact the Michigan Attorney General's office or relevant federal authorities.
12. Updates to This Policy
We may update this privacy policy to reflect changes in our practices or legal requirements. Material changes will be communicated through the chatbot and posted at GPTMybiz.AI/privacy-policy. Continued use after notification constitutes acceptance of the updated policy.
13. Contact Information
For privacy-related questions or to exercise your rights:
- Email: michaelrandazzo@tanning.ai
- Phone: 586-747-8099 (Weekdays 9am-5pm EST)
- In-chat commands: "privacy help", "show my data", "delete my data"
- Web form: GPTMybiz.AI/privacy-contact
- Physical address: Available upon request