Privacy Policy
Last updated: June 28, 2026 ·
Effective: June 28, 2026 ·
Operator: Chups Inc. (operating the Eesa AI service at eesa.ai)
This Privacy Policy describes how Chups Inc. ("we", "us", "our") collects, uses, stores, and shares information when you use the Eesa AI service (the "Service") accessible at eesa.ai and via integrated messaging channels including WhatsApp Business and Telegram.
By using the Service you agree to the practices described here. If you do not agree, do not use the Service.
1. Information we collect
1.1 Information you provide
- Account information: email address, full name, role within your tenant, and (optionally) a profile picture if you sign in with Google.
- Business data: information about your business operations that you input or that flows in through integrated systems — customer orders, inventory data, staff records, schedules, vendor records, financial figures.
- Messages: the content of conversations you have with the Eesa AI agent through any channel (web chat, WhatsApp, Telegram, email).
- Configuration data: integration credentials and tokens you provide (e.g., access tokens for connected services). These are stored encrypted at rest using field-level Fernet encryption.
1.2 Information collected automatically
- Usage data: IP address, browser type, pages visited, time stamps, and interactions with the Service.
- Device data: approximate location derived from IP, device type, operating system, browser version.
- Cookies and session storage: JWT tokens for authentication, user preferences.
1.3 Information from third parties
When you connect an external account, we receive specific information from that service:
1.3.1 Google Workspace
When you connect Google Workspace, we request the following scopes:
openid, email, profile — to identify you and display your name in the app.
calendar.events — to read and create calendar events on your behalf when you ask the agent to.
spreadsheets — to read, create, and update Google Sheets when you ask the agent to.
drive.file — to upload files to your Google Drive and access only files that Eesa AI itself created on your behalf. Eesa AI cannot access pre-existing files in your Drive.
We only access Google data in response to your explicit requests through the agent. We do not bulk-scan, train models on, or share your Google data with any third party. Access tokens and refresh tokens are stored encrypted and used solely to fulfill your requests.
1.3.2 WhatsApp Business Cloud API (Meta)
When messages are exchanged through our WhatsApp Business number, we receive from Meta:
- Your phone number, WhatsApp display name, and message content.
- Message delivery status, read receipts, and timestamps.
We use this information only to: (a) route the message to the appropriate agent or workflow within your tenant, (b) compose and send a reply through the same WhatsApp number, and (c) maintain conversation history for support continuity.
1.3.3 Other connected integrations
If you connect additional integrations (QuickBooks, Stripe, Telegram, etc.), we receive only the data necessary for that integration as described in its respective consent screen.
2. How we use information
- To provide the Service: authenticate you, execute the workflows and agent actions you request, send replies through the channel you contacted us on.
- To operate your tenant: store your business data so it is available across sessions and to your authorized teammates.
- To improve the Service: diagnose bugs, monitor performance, and improve agent quality. Aggregate usage statistics may be reviewed; individual messages are reviewed only if you ask for support or to investigate abuse.
- To communicate with you: service notifications, security alerts, billing notices.
- To comply with law: respond to lawful requests, prevent fraud, enforce our Terms.
3. How we share information
We do not sell your personal information. We share data only in these circumstances:
- With your tenant: data you upload or generate within a tenant is visible to other authorized members of that tenant per role-based permissions you control.
- With service providers we rely on: infrastructure (Amazon Web Services), databases (Supabase / Postgres), large-language-model providers (Anthropic, OpenAI) for processing your messages, vector database (Qdrant Cloud), Stripe (billing). These providers process data on our behalf under contractual data-processing terms.
- With integrations you connect: Google, Meta/WhatsApp, QuickBooks, etc. — limited to the scope you granted.
- With law enforcement: only when legally required and after good-faith review.
- In a business transfer: if Chups Inc. is acquired or merges, your data may transfer to the successor under the same Privacy Policy.
4. Data retention
- Account data: retained while your account is active. Deleted within 90 days of account closure unless required to be retained for legal/tax reasons.
- Business data: retained while your tenant is active. Deleted within 90 days of tenant cancellation.
- Chat conversation history: retained for 12 months by default. You can request earlier deletion at any time.
- Operational logs: retained for up to 90 days for security and debugging.
- Backups: backups containing your data are rotated and fully purged within 35 days of deletion.
5. Data security
- Transport: all connections to the Service use TLS 1.2+.
- Storage: integration credentials and other sensitive fields are encrypted at rest using Fernet symmetric encryption with keys held in a separate secret store.
- Access: tenant data isolation is enforced at the database query layer. Internal access to tenant data by Chups Inc. staff is limited to the minimum needed for support and security investigations, logged, and auditable.
- No system is perfectly secure; we use commercially reasonable safeguards.
6. Your rights
Depending on your jurisdiction, you may have the right to:
- Access the personal information we hold about you.
- Correct inaccurate information.
- Delete your account and associated personal information.
- Export your data in a portable format.
- Object to or restrict certain processing.
- Withdraw consent for integrations (you can revoke a Google or WhatsApp connection at any time from /settings/integrations).
To exercise any right, email anbu@chups.com. We respond within 30 days.
7. International transfers
The Service is operated from servers located in the United States. If you access it from outside the US, you are transferring your data to the US for processing. Where required, we rely on standard contractual clauses or your explicit consent for such transfers.
8. Children
The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, contact us and we will delete it.
9. Changes to this policy
We may update this policy from time to time. When we make material changes, we will notify users via email or an in-app banner at least 7 days before the change takes effect. Continued use of the Service after the effective date constitutes acceptance.
10. Google API Services User Data Policy compliance
Eesa AI's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements. In particular:
- We only use Google user data to provide and improve user-facing features.
- We do not use Google user data to develop, improve, or train generalized AI models.
- We do not transfer Google user data to third parties except as necessary to provide the service, comply with applicable law, or as part of a merger or acquisition.
- We do not allow humans to read Google user data unless we have obtained explicit consent from the user, it is necessary for security purposes (such as investigating abuse), or to comply with applicable law.
11. Meta Platform Terms compliance
Eesa AI's use of the WhatsApp Business Cloud API complies with Meta Platform Terms. We do not sell, license, purchase, or otherwise share personal data obtained from Meta APIs with third parties for advertising or any other purpose prohibited by Meta's terms.