Broxon (“we”, “us”, “our”) is committed to protecting your personal information and your right to privacy. This Privacy Policy explains what information we collect, how we use it, with whom we share it, and what rights you have in relation to it when you use our platform at broxon.ca (the “Service”).
This policy is prepared in accordance with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. If you are located in the European Economic Area, additional rights under the General Data Protection Regulation (GDPR) may apply and are noted where relevant.
By using the Service, you consent to the collection and use of your information as described in this Privacy Policy. If you do not agree, please discontinue use of the Service.
1. Information We Collect
We collect the following categories of personal information:
(a) Information You Provide Directly.
- Account information: Your first name, last name, and email address when you register for an account.
- Payment information: Billing details and payment method information processed securely through our third-party payment processor. We do not store your full card details on our servers.
- Communications: Any messages or inquiries you send to our support team.
(b) Information from Meta (Facebook & Instagram). When you connect a Facebook Page or Instagram Business account via OAuth, Meta provides us with:
- Your Facebook user ID and associated Page IDs.
- Page name, category, and access tokens necessary to send messages on your behalf.
- Instagram Business account ID and username linked to your connected Pages.
- The names and profile information of individuals who message your connected Pages (used solely to personalize AI Agent responses).
(c) Message Content. To operate the Service, we process the text content of inbound direct messages received by your connected Facebook and Instagram accounts. This content is used exclusively to generate automated AI responses and is not used for advertising or sold to any third party.
(d) Usage & Technical Data.
- Log data: IP address, browser type, pages visited, time and date of access, and other diagnostic data.
- Device information: Device type, operating system, and browser version.
- Cookies and similar technologies: Session tokens and authentication cookies required to keep you logged in. We do not use advertising or tracking cookies.
2. How We Use Your Information
We use the information we collect for the following purposes:
- To provide and operate the Service: Creating and managing your account, processing connected account credentials, operating message queues, and delivering AI-generated replies.
- To manage subscriptions and billing: Processing payments, sending invoices, and managing your subscription plan.
- To improve the Service: Analysing usage patterns, diagnosing technical issues, and developing new features.
- To communicate with you: Sending transactional emails (account confirmation, password reset, billing receipts) and important service announcements. We do not send marketing emails without your explicit consent.
- To ensure security and prevent fraud: Monitoring for suspicious activity, enforcing our Terms & Conditions, and protecting the integrity of the Service.
- To comply with legal obligations: Responding to lawful requests from government authorities or courts where required by applicable law.
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area, we process your personal data under the following legal bases:
- Contractual necessity: Processing required to provide the Service under our Terms & Conditions (account management, messaging, billing).
- Legitimate interests: Fraud prevention, security monitoring, and service improvement, where such interests are not overridden by your rights.
- Legal obligation: Compliance with applicable laws and regulatory requirements.
- Consent: Where we rely on consent (e.g., optional communications), you may withdraw it at any time.
4. How We Share Your Information
We do not sell, rent, or trade your personal information. We share information only in the following limited circumstances:
(a) Service Providers. We engage trusted third-party companies to assist in operating the Service. These providers have access to personal information only as necessary to perform their functions and are contractually obligated to protect it:
- Meta Platforms, Inc. — for Facebook and Instagram API integration.
- Retell AI — for AI-powered conversational agent capabilities. Message content is transmitted to Retell AI to generate responses.
- Payment processor — for secure billing and subscription management.
- Cloud infrastructure provider — for hosting, data storage, and message queue infrastructure.
(b) Legal Requirements. We may disclose your information if required to do so by law or in response to valid legal process (e.g., a court order, subpoena, or government request), or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
(c) Business Transfers. In the event of a merger, acquisition, reorganization, or sale of all or substantially all of our assets, your information may be transferred to the acquiring entity. We will notify you via email or a prominent notice on the Service before your information becomes subject to a different privacy policy.
(d) With Your Consent. We may share your information with third parties when you have explicitly consented to such sharing.
5. Data Retention
We retain your personal information for as long as necessary to fulfill the purposes for which it was collected:
- Account data: Retained for the duration of your account and for up to 90 days following account deletion, after which it is permanently erased.
- Message content: Inbound message text is processed in real time via our queue system and is not stored persistently beyond what is required to generate a response, except where retained in conversation logs for your own review within the dashboard.
- Billing records: Retained for 7 years as required by Canadian tax law.
- Log data: Retained for up to 90 days for security and debugging purposes.
- Access tokens: Meta page access tokens are stored in encrypted form and deleted immediately upon account disconnection.
6. Data Security
We implement industry-standard technical and organizational measures to protect your personal information against unauthorized access, disclosure, alteration, or destruction:
- All data is transmitted over HTTPS with TLS encryption.
- Meta access tokens are stored in encrypted form using AES-256 encryption and are never exposed in plaintext outside of secure server processes.
- Access to production systems and personal data is restricted to authorized personnel only.
- We perform regular security reviews of our infrastructure.
No method of transmission over the Internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security. In the event of a data breach that poses a real risk of significant harm, we will notify affected users and relevant authorities as required by PIPEDA.
7. Cookies & Tracking Technologies
We use the following types of cookies and similar technologies:
- Strictly necessary cookies: Authentication session tokens required to keep you logged into the Service. These cannot be disabled without affecting core functionality.
- Preference cookies: Store UI preferences such as theme settings.
We do not use advertising cookies or third-party tracking pixels, and we do not sell your data to advertising networks. You can control cookies through your browser settings, though disabling necessary cookies will prevent you from using the Service.
8. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal information:
(a) Access. You have the right to request a copy of the personal information we hold about you.
(b) Correction. You have the right to request that we correct any inaccurate or incomplete personal information.
(c) Deletion. You have the right to request deletion of your personal information. We will comply unless we are required to retain it by law (e.g., billing records).
(d) Withdrawal of Consent. Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
(e) Data Portability (GDPR). If you are in the EEA, you have the right to receive your personal data in a structured, machine-readable format and to transmit it to another controller.
(f) Objection & Restriction (GDPR). If you are in the EEA, you have the right to object to or request restriction of processing in certain circumstances.
To exercise any of these rights, please contact us at support@broxon.ca. We will respond within 30 days. We may need to verify your identity before processing your request.
9. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information without parental consent, please contact us at support@broxon.ca and we will take steps to delete such information.
10. International Data Transfers
Broxon is based in Ontario, Canada. Your information may be processed and stored on servers located in Canada or in other countries where our service providers operate (including the United States). By using the Service, you consent to the transfer of your information to countries that may have different data protection laws than your jurisdiction.
Where we transfer personal data outside of Canada to countries that may not provide an equivalent level of protection, we take steps to ensure appropriate safeguards are in place, such as contractual clauses consistent with PIPEDA requirements.
11. Third-Party Links
The Service may contain links to third-party websites or services (such as Meta’s developer portal). This Privacy Policy does not apply to those third-party sites. We encourage you to review the privacy policies of any third-party services you visit. We are not responsible for the privacy practices or content of third-party sites.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by posting the updated policy on this page with a revised “Last updated” date and, where appropriate, by sending you an email notification. Your continued use of the Service after any changes constitutes your acceptance of the revised policy.
13. Contact Us & Privacy Complaints
If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, please contact our Privacy Officer:
If you are not satisfied with our response, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at www.priv.gc.ca.