PRIVACY POLICY

PRIVACY POLICY

Last updated: January 21, 2026

This Privacy Policy describes how Asistone Yazılım ve Teknoloji Sanayi ve Ticaret Limited Şirketi ("Asistone", "we", "us", or "our") collects, uses, stores, discloses, and protects personal data when you access or use our websites, applications, and services. This policy applies to all Asistone products, including Asistone AI and Asistone ERP.

Company Information Legal name: Asistone Yazılım ve Teknoloji Sanayi ve Ticaret Limited Şirketi Address: Kınıklı Mahallesi, Hüseyin Yılmaz Caddesi Pamukkale Üniversitesi No: 67 İç Kapı No: 2, Pamukkale, Denizli, Türkiye Contact email: bilgi@asistone.ai Phone/WhatsApp: +90 258 911 09 59 Websites: https://asistone.ai, https://app.asistone.ai

1. Scope of This Policy

This Privacy Policy applies to all users who access or use Asistone's services, including individual users and authorized representatives acting on behalf of businesses. It covers data collected through our websites, applications, integrations, and APIs, including:

• Messaging platform integrations (WhatsApp, Instagram, Facebook Messenger)
• E-commerce and marketplace integrations (Shopify and other e-commerce platforms)
• Advertising and marketing integrations (Meta Marketing API)
• WhatsApp Campaign and marketing communication features
• ERP and business management features

Our Services are intended for users who are at least 18 years old. By using our Services, you confirm that you are at least 18 years of age.

2. Roles and Responsibilities

In most cases, Asistone acts as a data processor, processing personal data on behalf of its customers (data controllers), particularly in relation to messaging platforms, e-commerce integrations, and marketing features. In limited cases, Asistone may act as a data controller for its own operational, contractual, and compliance purposes.

3. Personal Data We Collect

We may collect and process the following categories of personal data:

• Identity and contact information, including name, surname, email address, phone number, and account identifiers
• Business and account information provided during registration or account management
• Messaging data, including message content, metadata, timestamps, sender and recipient information, and attached media (images, videos, audio, documents) from WhatsApp, Instagram, Facebook Messenger, and similar platforms
• E-commerce data obtained via Shopify and other e-commerce platform integrations, as detailed below

E-Commerce Integration Data (Shopify):

When you connect your Shopify store to Asistone, we process the following data categories:

Customer Data:

• Name, surname, email address, phone number
• Billing and shipping addresses
• Marketing preferences (acceptsMarketing status)
• Order history and purchase patterns

Order Data:

• Order number, date, and status
• Order line items and quantities
• Payment status and method (not full payment credentials)
• Shipping information and tracking details
• Discounts, coupons, and promotional codes applied

Product Data:

• Product titles, descriptions, and prices
• Variants, SKUs, and inventory levels
• Product images (URL references only)
• Stock quantities and location-based inventory

Abandoned Cart Data:

• Cart contents and product selections
• Customer contact information (if provided)
• Cart abandonment timestamp
• Recovery status and follow-up actions

This data is processed solely for service delivery purposes and is not shared with third parties for marketing purposes

• Campaign and marketing data, including customer contact lists uploaded by users for WhatsApp Campaigns and other marketing communications
• Advertising data, including ad performance metrics, campaign analytics, and related insights obtained via Meta Marketing API when users connect their Meta advertising accounts
• Technical data, including IP address, device information, browser type, operating system, and usage logs
• Payment and subscription data, including billing information, subscription status, and transaction history (processed through iyzico; we do not store full credit card numbers)
• Support and communication data exchanged with us

All sensitive data is stored in encrypted form, and sensitive fields are masked in logs.

4. How We Use Personal Data

We process personal data for the following purposes:

• Providing, operating, and maintaining our services
• Enabling unified inbox, messaging management, and customer communication workflows
• Facilitating AI-powered features, including automated responses where explicitly enabled by the user
• Integrating with third-party platforms such as messaging services, e-commerce platforms, and advertising services
• Enabling users to manage and analyze their advertising campaigns via Meta Marketing API
• Facilitating WhatsApp Campaigns and marketing communications on behalf of users
• Providing AI-powered recommendations and content generation for advertising and marketing purposes
• Ensuring security, fraud prevention, system monitoring, and reliability
• Complying with legal and regulatory obligations
• Providing customer support and responding to inquiries

Asistone does not use message data for its own advertising purposes. Users may utilize the platform's marketing features (such as WhatsApp Campaigns) to communicate with their own customers in accordance with applicable laws and platform policies.

5. AI and Automated Processing

Asistone offers optional AI agents that operate based on user-defined system prompts and configured guardrails. AI agents only function when explicitly enabled by the user and within the permissions granted.

• AI-generated responses are not legally or commercially binding
• AI agents do not make automated decisions without user authorization
• AI agents do not respond to topics outside available data; instead, they may create tickets for manual handling
• Message content is used solely for inference and is not used to train AI models
• AI may be used to generate advertising recommendations and marketing content upon user request

6. Marketing and Campaign Features

Asistone provides marketing and campaign management features that enable users to communicate with their own customers:

WhatsApp Campaigns:

• Users may upload customer contact lists or select recipients from existing conversations
• Campaign messages are sent through the user's connected WhatsApp Business account
• Users are responsible for obtaining appropriate consent from their recipients
• Contact lists are stored securely and deleted upon user request or account deletion

Meta Marketing API Integration:

• Users may connect their Meta (Facebook/Instagram) advertising accounts via OAuth
• Asistone retrieves advertising performance data and analytics from Meta on the user's behalf
• Asistone does not upload user customer data to Meta; users manage their own ad targeting through Meta's platforms
• AI-powered recommendations may be provided based on advertising performance data

Users are solely responsible for compliance with applicable advertising regulations and platform policies when using marketing features.

7. Legal Basis for Processing

We process personal data based on one or more of the following legal grounds:

• Performance of a contract
• Compliance with legal obligations
• Legitimate interests, where applicable
• Explicit consent, where required (e.g., AI automation, marketing communications, campaign data processing)

8. Data Sharing and Third Parties

We may share personal data with:

• Messaging platform providers (e.g., WhatsApp, Instagram, Messenger)
• E-commerce platform providers (e.g., Shopify and other marketplace integrations)
• Meta Platforms, Inc. (for Meta Marketing API integration, via user-authorized OAuth connection)
• AI service providers, including OpenAI, solely for inference purposes
• Payment service providers (iyzico) for subscription and payment processing
• Email service providers (Resend) for transactional and notification emails
• SMS service providers (NetGSM) for SMS notifications
• Cloud infrastructure and hosting providers (Hetzner, located in Germany)
• Security, monitoring, and logging service providers

We do not sell personal data.

9. Shopify Data Processing Addendum

This section applies specifically to users who connect their Shopify stores to Asistone.

9.1 Data Processing Purposes

Shopify store data is processed for the following purposes:

• Customer service automation and AI-powered responses
• Order and shipping notifications
• Abandoned cart recovery communications
• Inventory management and ERP synchronization
• Reporting, analytics, and business insights

9.2 Data Synchronization

• Asistone maintains a local copy of your Shopify data for performance and reliability
• Changes are synchronized bidirectionally between Asistone and Shopify
• Shopify is considered the "source of truth" for customer and order data
• Synchronization occurs in real-time via webhooks and periodic polling

9.3 Sub-Processors

The following sub-processors may process Shopify-related data:

| Sub-Processor | Purpose | Location | |---------------|---------|----------| | Hetzner | Server infrastructure and hosting | Germany (EU) | | OpenAI | AI response generation and inference | USA | | Resend | Email delivery (order notifications) | USA | | NetGSM | SMS notifications | Türkiye |

9.4 GDPR Compliance

• Standard Contractual Clauses (SCCs) are implemented for transfers outside the EU/EEA
• Additional safeguards are in place for data processed in non-adequate countries
• Users may request a copy of applicable data transfer agreements

9.5 Integration Removal

• Removing the Shopify integration does not automatically delete synced data
• Data remains available for potential reconnection
• Permanent deletion requires account deletion or explicit written request
• Upon deletion request, all Shopify-related data is permanently removed within 30 days

10. International Data Transfers

Personal data may be transferred and processed outside of Türkiye or the European Economic Area due to the use of international service providers (e.g., AI services, Meta Marketing API). In such cases, appropriate safeguards are implemented in accordance with applicable data protection laws.

11. Data Retention

• Account and operational data is retained for as long as the account is active
• Upon account deletion, all associated data is permanently deleted within 30 days
• Campaign contact lists and marketing data are deleted upon user request or account deletion
• Payment and billing records are retained for the legally required period (up to 10 years for tax and accounting purposes)
• System and security logs are retained for up to 3 years with masking of sensitive data
• Uninstalling integrations (e.g., Shopify App) does not automatically delete data; deletion occurs upon account deletion or explicit request

12. Data Security

We implement appropriate technical and organizational measures to protect personal data, including:

• Encryption at rest and in transit
• Role-based access control
• Audit logging and monitoring
• Regular security reviews

13. User Rights

Depending on applicable laws, users may have the right to:

• Access their personal data
• Request correction or deletion
• Object to or restrict processing
• Withdraw consent at any time
• Request data portability

Requests can be submitted via email at bilgi@asistone.ai.

14. Data Deletion Requests

Users may request deletion of their personal data by contacting us at bilgi@asistone.ai. Requests related to platform-provided data will be handled in accordance with the relevant platform's policies.

15. Policy Updates

We may update this Privacy Policy from time to time. Material changes will be communicated via email and published on our websites. Continued use of the Services after updates constitutes acknowledgment of the revised policy.

16. Governing Law

This Privacy Policy is governed by the laws of the Republic of Türkiye.