Privacy Policy

Last updated: May 25, 2026

Broxon (“we”, “us”, “our”) is committed to protecting personal information and the right to privacy. This Privacy Policy explains what information we collect, how we use it, with whom we share it, the legal bases on which we rely, and the rights available to you in relation to it when our platform at broxon.ca(the “Service”) is used.

This policy is prepared in accordance with Canada’s Personal Information Protection and Electronic Documents Act(PIPEDA) and applicable provincial privacy legislation. Where individuals are located in the European Economic Area (EEA) or the United Kingdom, additional rights under the General Data Protection Regulation (GDPR) and UK GDPR may apply and are noted where relevant. Our use of data obtained through Meta’s platforms is additionally governed by the Meta Platform Terms and Developer Policies, which we commit to upholding (see Section 4).

1. Who This Policy Covers — Two Categories of Individuals

This Service processes the personal information of two distinct groups, and it is important to understand which one applies to you:

  • Account Holders. Businesses and the individuals who register for, pay for, and operate a Broxon account. Most of the rights and obligations in this policy relating to accounts, billing, and login apply to Account Holders.
  • Message Senders (End Users).Members of the public who send direct messages to a Facebook Page or Instagram Business account that an Account Holder has connected to Broxon. We process Message Senders’ information on behalf of the Account Holder in order to generate automated replies. If you are a Message Sender, you likely have no direct relationship with Broxon, but you still have privacy rights, which are set out in Section 9.

Roles under data protection law. For Account Holder information, Broxon acts as a data controller. For Message Sender information processed through a connected account, Broxon acts as a data processoracting on the documented instructions of the Account Holder, who is the controller. Both parties’ responsibilities are described in our Terms & Conditions and, where required, in a separate Data Processing Addendum (DPA) available to Account Holders on request.

2. Information We Collect

(a) Information Account Holders Provide Directly.
  • Account information: First name, last name, and email address provided at registration.
  • Payment information: Billing details and payment method information processed securely through our third-party payment processor. We do not store full card numbers on our servers.
  • Communications: Any messages or inquiries sent to our support team.
(b) Information from Meta (Facebook & Instagram). When an Account Holder connects a Facebook Page or Instagram Business account via Meta’s OAuth flow, Meta provides us with:
  • The Account Holder’s Facebook user ID and associated Page IDs.
  • Page name, category, and the access tokens necessary to send messages on the Account Holder’s behalf.
  • The Instagram Business account ID and username linked to the connected Pages.
  • For each Message Sender who contacts a connected account: a Page-Scoped User ID (PSID), and the name and limited public profile information associated with that PSID.
(c) Message Content (Message Senders). To operate the Service, we process the text content of inbound direct messages received by connected Facebook and Instagram accounts. This content is used exclusively to generate automated AI replies for that specific conversation. It is never used for advertising, never sold, and never used to train Broxon’s own products or models.
(d) Usage & Technical Data (Account Holders).
  • Log data: IP address, browser type, pages visited, time and date of access, and other diagnostic data.
  • Device information: Device type, operating system, and browser version.
  • Cookies and similar technologies: Session and authentication cookies required to keep Account Holders logged in. We do not use advertising or tracking cookies (see Section 8).

3. How We Use Information

(a) Account Holder Information. Account Holder information is used to:
  • Provide and operate the Service: Create and manage accounts, process connected-account credentials, operate message queues, and deliver AI-generated replies.
  • Manage subscriptions and billing: Process payments, send invoices, and manage subscription plans.
  • Improve the Service: Analyse Account Holder usage patterns, diagnose technical issues, and develop new features. This activity never uses Meta-derived data or Message Sender content.
  • Communicate: Send transactional emails (account confirmation, password reset, billing receipts) and important service announcements. We do not send marketing emails without explicit consent.
  • Ensure security and prevent fraud and comply with legal obligations.
(b) Meta-Derived Data and Message Content. Meta-derived data and Message Content are used for one purpose only: operating the specific messaging interaction the data was collected for — that is, generating and delivering an automated reply within an active conversation. We do not use this data to improve, train, benchmark, or develop our products or any AI model, do not combine it with data from other sources, and do not use it for analytics or profiling beyond what is strictly necessary to deliver a reply.

4. Compliance with Meta Platform Policies

Because the Service accesses data through Meta’s APIs, we additionally commit to the following, consistent with the Meta Platform Terms and Developer Policies:

  • Purpose limitation. Data received from Meta is used solely to provide the messaging functionality the user expects, and not for any independent purpose.
  • Page-Scoped User IDs (PSIDs). We use PSIDs only to facilitate the conversation for which they were provided. We do not attempt to correlate a PSID with any other identifier, across Pages, or with data obtained outside the Meta platform.
  • No onward sale or unauthorized transfer. We do not sell Meta-derived data and do not transfer it to any party except the service providers in Section 5, each of which is contractually bound to equivalent use and protection restrictions.
  • Token handling. Access tokens are stored encrypted (Section 6) and deleted upon disconnection.

5. How We Share Information

We do not sell, rent, or trade personal information. We share information only in the following limited circumstances:

(a) Service Providers. We engage trusted third parties to operate the Service. Each has access only to the information necessary to perform its function and is contractually obligated to protect it and to use it only on our instructions:
  • Meta Platforms, Inc. — Facebook and Instagram API integration.
  • Retell AI — AI-powered conversational responses. Message content is transmitted to Retell AI to generate replies. Retell AI retains message content for up to 90 days and does not use it to train its models.
  • Payment processor — secure billing and subscription management.
  • Cloud infrastructure provider — hosting, data storage, and message-queue infrastructure, located in Canada.
(b) Legal Requirements. We may disclose information where required by law or valid legal process, or where disclosure is necessary to protect our rights or the safety of others.
(c) Business Transfers. In a merger, acquisition, reorganization, or asset sale, information may be transferred to the acquiring entity. We will notify Account Holders by email or prominent notice before information becomes subject to a different privacy policy.
(d) With Your Consent. We share information with other third parties only where you have explicitly consented.

6. Data Security

We implement industry-standard technical and organizational measures to protect personal information:

  • All data is transmitted over HTTPS with TLS encryption.
  • Meta access tokens are stored encrypted using AES-256 and are never exposed in plaintext outside secure server processes.
  • Access to production systems and personal data is restricted to authorized personnel on a need-to-know basis.
  • We perform regular security reviews of our infrastructure.

No method of transmission or storage is completely secure, and we cannot guarantee absolute security. In the event of a breach involving personal information, we will notify affected individuals and the relevant authorities as required by law. For PIPEDA, this means notification where the breach creates a real risk of significant harm. For the GDPR/UK GDPR, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and will notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms.

7. Data Retention

We retain personal information only as long as necessary for the purposes it was collected:

  • Account data: Retained for the duration of the account and for up to 90 days following account deletion, after which it is permanently erased.
  • Message content:Processed in real time via our queue system. Broxon does not store it persistently beyond what is required to generate a response, except where retained in conversation logs for the Account Holder’s own review within the dashboard (up to 90 days). Our AI provider, Retell AI, retains transmitted message content for up to 90 days to generate responses, after which it is deleted; it is not used for training.
  • Billing records: Retained for 7 years as required by Canadian tax law.
  • Log data: Retained for up to 90 days for security and debugging.
  • Meta access tokens: Stored encrypted and deleted immediately upon account disconnection.

8. Cookies & Tracking Technologies

We use the following types of cookies and similar technologies:

  • Strictly necessary cookies: Authentication session tokens required to keep you logged into the Service. These cannot be disabled without affecting core functionality.
  • Preference cookies: Store UI preferences such as theme settings.

We do not use advertising cookies, third-party tracking pixels, or sell data to advertising networks. Cookies can be controlled through browser settings, though disabling necessary cookies will prevent use of the Service.

9. Your Privacy Rights

Rights apply to both Account Holders and Message Senders. Depending on your location, you may have the following rights regarding your personal information:

(a) Access. The right to request a copy of the personal information we hold about you.
(b) Correction. The right to request that we correct any inaccurate or incomplete personal information.
(c) Deletion. The right to request deletion of your personal information, subject to legal retention requirements (e.g., billing records).
(d) Withdrawal of Consent. Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
(e) Data Portability (GDPR / UK GDPR). If you are in the EEA or UK, you have the right to receive your personal data in a structured, machine-readable format and to transmit it to another controller.
(f) Objection & Restriction (GDPR / UK GDPR). If you are in the EEA or UK, you have the right to object to or request restriction of processing in certain circumstances.

How Message Senders exercise rights. If you sent messages to a business using Broxon and wish to exercise any right, you may contact us at support@broxon.ca. Because we process your information on behalf of that business (the controller), we will either action your request directly or forward it to the relevant Account Holder and assist them in responding. You may also contact the business directly.

To exercise any right, contact us at support@broxon.ca. We will respond within 30 days. We may need to verify your identity before processing your request.

10. Legal Bases for Processing (GDPR / UK GDPR)

Where individuals are in the EEA or UK, we rely on the following legal bases:

(a) Account Holder Data.
  • Contractual necessity — to provide the Service under our Terms (account management, messaging, billing).
  • Legitimate interests — fraud prevention, security, and service improvement, where not overridden by your rights.
  • Legal obligation — compliance with applicable laws.
  • Consent — for optional communications; withdrawable at any time.
(b) Message Sender Data. Where a Message Sender initiates contact with a connected business account, the Account Holder (controller)is responsible for establishing a lawful basis for processing that individual’s data — typically the Account Holder’s legitimate interest in responding to inbound customer enquiries, or the individual’s consent. Broxon processes this data only as a processoron the Account Holder’s documented instructions. Account Holders are responsible for providing any notices and obtaining any consents required from Message Senders.

11. Children's Privacy

The Service is not directed to individuals under the age of 18, and Account Holders must be at least 18. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information without parental consent, please contact us at support@broxon.ca and we will take steps to delete such information.

12. International Data Transfers

Broxon is based in Ontario, Canada, and our own infrastructure stores data in Canada. However, some of our service providers (such as Retell AI and our payment processor) may process data in other countries, including the United States. Where data is processed outside your jurisdiction:

  • For PIPEDA: We take steps to ensure comparable protection through contractual means when transferring data outside Canada, and remain accountable for that information.
  • For GDPR/UK GDPR:Where we transfer personal data of EEA or UK individuals to a country without an adequacy decision, we put in place appropriate safeguards — specifically the European Commission’s Standard Contractual Clauses (SCCs) (and the UK International Data Transfer Addendum where applicable). A copy of the relevant safeguards is available on request.

13. Third-Party Links

The Service may contain links to third-party websites or services (such as Meta’s developer portal). This Privacy Policy does not apply to those third-party sites. We encourage you to review the privacy policies of any third-party services you visit. We are not responsible for the privacy practices or content of third-party sites.

14. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or Meta’s platform policies. We will post the updated policy here with a revised “Last updated” date and, for material changes, notify Account Holders by email. Continued use of the Service after changes constitutes acceptance of the revised policy.

15. Contact Us & Privacy Complaints

If you have any questions, concerns, or complaints about this Privacy Policy or our data practices, please contact our Privacy Officer:

Broxon — Privacy Officer

Ontario, Canada

Email: support@broxon.ca

Website: https://broxon.ca

If you are in Canada and are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada (OPC) at www.priv.gc.ca. If you are in the EEA or UK, you may lodge a complaint with your local supervisory authority.