Broxon (“we”, “us”, “our”) is committed to protecting personal information and the right to privacy. This Privacy Policy explains what information we collect, how we use it, with whom we share it, the legal bases on which we rely, and the rights available to you in relation to it when our platform at broxon.ca(the “Service”) is used.
This policy is prepared in accordance with Canada’s Personal Information Protection and Electronic Documents Act(PIPEDA) and applicable provincial privacy legislation. Where individuals are located in the European Economic Area (EEA) or the United Kingdom, additional rights under the General Data Protection Regulation (GDPR) and UK GDPR may apply and are noted where relevant. Our use of data obtained through Meta’s platforms is additionally governed by the Meta Platform Terms and Developer Policies, which we commit to upholding (see Section 4).
1. Who This Policy Covers — Two Categories of Individuals
This Service processes the personal information of two distinct groups, and it is important to understand which one applies to you:
- Account Holders. Businesses and the individuals who register for, pay for, and operate a Broxon account. Most of the rights and obligations in this policy relating to accounts, billing, and login apply to Account Holders.
- Message Senders (End Users).Members of the public who send direct messages to a Facebook Page or Instagram Business account that an Account Holder has connected to Broxon. We process Message Senders’ information on behalf of the Account Holder in order to generate automated replies. If you are a Message Sender, you likely have no direct relationship with Broxon, but you still have privacy rights, which are set out in Section 9.
Roles under data protection law. For Account Holder information, Broxon acts as a data controller. For Message Sender information processed through a connected account, Broxon acts as a data processoracting on the documented instructions of the Account Holder, who is the controller. Both parties’ responsibilities are described in our Terms & Conditions and, where required, in a separate Data Processing Addendum (DPA) available to Account Holders on request.
2. Information We Collect
- Account information: First name, last name, and email address provided at registration.
- Payment information: Billing details and payment method information processed securely through our third-party payment processor. We do not store full card numbers on our servers.
- Communications: Any messages or inquiries sent to our support team.
- The Account Holder’s Facebook user ID and associated Page IDs.
- Page name, category, and the access tokens necessary to send messages on the Account Holder’s behalf.
- The Instagram Business account ID and username linked to the connected Pages.
- For each Message Sender who contacts a connected account: a Page-Scoped User ID (PSID), and the name and limited public profile information associated with that PSID.
- Log data: IP address, browser type, pages visited, time and date of access, and other diagnostic data.
- Device information: Device type, operating system, and browser version.
- Cookies and similar technologies: Session and authentication cookies required to keep Account Holders logged in. We do not use advertising or tracking cookies (see Section 8).
3. How We Use Information
- Provide and operate the Service: Create and manage accounts, process connected-account credentials, operate message queues, and deliver AI-generated replies.
- Manage subscriptions and billing: Process payments, send invoices, and manage subscription plans.
- Improve the Service: Analyse Account Holder usage patterns, diagnose technical issues, and develop new features. This activity never uses Meta-derived data or Message Sender content.
- Communicate: Send transactional emails (account confirmation, password reset, billing receipts) and important service announcements. We do not send marketing emails without explicit consent.
- Ensure security and prevent fraud and comply with legal obligations.
4. Compliance with Meta Platform Policies
Because the Service accesses data through Meta’s APIs, we additionally commit to the following, consistent with the Meta Platform Terms and Developer Policies:
- Purpose limitation. Data received from Meta is used solely to provide the messaging functionality the user expects, and not for any independent purpose.
- Page-Scoped User IDs (PSIDs). We use PSIDs only to facilitate the conversation for which they were provided. We do not attempt to correlate a PSID with any other identifier, across Pages, or with data obtained outside the Meta platform.
- No onward sale or unauthorized transfer. We do not sell Meta-derived data and do not transfer it to any party except the service providers in Section 5, each of which is contractually bound to equivalent use and protection restrictions.
- Token handling. Access tokens are stored encrypted (Section 6) and deleted upon disconnection.
5. How We Share Information
We do not sell, rent, or trade personal information. We share information only in the following limited circumstances:
- Meta Platforms, Inc. — Facebook and Instagram API integration.
- Retell AI — AI-powered conversational responses. Message content is transmitted to Retell AI to generate replies. Retell AI retains message content for up to 90 days and does not use it to train its models.
- Payment processor — secure billing and subscription management.
- Cloud infrastructure provider — hosting, data storage, and message-queue infrastructure, located in Canada.
6. Data Security
We implement industry-standard technical and organizational measures to protect personal information:
- All data is transmitted over HTTPS with TLS encryption.
- Meta access tokens are stored encrypted using AES-256 and are never exposed in plaintext outside secure server processes.
- Access to production systems and personal data is restricted to authorized personnel on a need-to-know basis.
- We perform regular security reviews of our infrastructure.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. In the event of a breach involving personal information, we will notify affected individuals and the relevant authorities as required by law. For PIPEDA, this means notification where the breach creates a real risk of significant harm. For the GDPR/UK GDPR, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and will notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms.
7. Data Retention
We retain personal information only as long as necessary for the purposes it was collected:
- Account data: Retained for the duration of the account and for up to 90 days following account deletion, after which it is permanently erased.
- Message content:Processed in real time via our queue system. Broxon does not store it persistently beyond what is required to generate a response, except where retained in conversation logs for the Account Holder’s own review within the dashboard (up to 90 days). Our AI provider, Retell AI, retains transmitted message content for up to 90 days to generate responses, after which it is deleted; it is not used for training.
- Billing records: Retained for 7 years as required by Canadian tax law.
- Log data: Retained for up to 90 days for security and debugging.
- Meta access tokens: Stored encrypted and deleted immediately upon account disconnection.
8. Cookies & Tracking Technologies
We use the following types of cookies and similar technologies:
- Strictly necessary cookies: Authentication session tokens required to keep you logged into the Service. These cannot be disabled without affecting core functionality.
- Preference cookies: Store UI preferences such as theme settings.
We do not use advertising cookies, third-party tracking pixels, or sell data to advertising networks. Cookies can be controlled through browser settings, though disabling necessary cookies will prevent use of the Service.
9. Your Privacy Rights
Rights apply to both Account Holders and Message Senders. Depending on your location, you may have the following rights regarding your personal information:
How Message Senders exercise rights. If you sent messages to a business using Broxon and wish to exercise any right, you may contact us at support@broxon.ca. Because we process your information on behalf of that business (the controller), we will either action your request directly or forward it to the relevant Account Holder and assist them in responding. You may also contact the business directly.
To exercise any right, contact us at support@broxon.ca. We will respond within 30 days. We may need to verify your identity before processing your request.
10. Legal Bases for Processing (GDPR / UK GDPR)
Where individuals are in the EEA or UK, we rely on the following legal bases:
- Contractual necessity — to provide the Service under our Terms (account management, messaging, billing).
- Legitimate interests — fraud prevention, security, and service improvement, where not overridden by your rights.
- Legal obligation — compliance with applicable laws.
- Consent — for optional communications; withdrawable at any time.
11. Children's Privacy
The Service is not directed to individuals under the age of 18, and Account Holders must be at least 18. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information without parental consent, please contact us at support@broxon.ca and we will take steps to delete such information.
12. International Data Transfers
Broxon is based in Ontario, Canada, and our own infrastructure stores data in Canada. However, some of our service providers (such as Retell AI and our payment processor) may process data in other countries, including the United States. Where data is processed outside your jurisdiction:
- For PIPEDA: We take steps to ensure comparable protection through contractual means when transferring data outside Canada, and remain accountable for that information.
- For GDPR/UK GDPR:Where we transfer personal data of EEA or UK individuals to a country without an adequacy decision, we put in place appropriate safeguards — specifically the European Commission’s Standard Contractual Clauses (SCCs) (and the UK International Data Transfer Addendum where applicable). A copy of the relevant safeguards is available on request.
13. Third-Party Links
The Service may contain links to third-party websites or services (such as Meta’s developer portal). This Privacy Policy does not apply to those third-party sites. We encourage you to review the privacy policies of any third-party services you visit. We are not responsible for the privacy practices or content of third-party sites.
14. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or Meta’s platform policies. We will post the updated policy here with a revised “Last updated” date and, for material changes, notify Account Holders by email. Continued use of the Service after changes constitutes acceptance of the revised policy.
15. Contact Us & Privacy Complaints
If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, please contact our Privacy Officer:
If you are in Canada and are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at www.priv.gc.ca. If you are in the EEA or UK, you may lodge a complaint with your local supervisory authority.
