Privacy Policy

Elizabeth.ai ("we", "our", "us") is a Filipino-language AI ordering platform built specifically for Philippine micro-businesses and small retailers selling via Facebook Pages and Messenger. We help merchants automate order taking, inventory, and customer communication in both Filipino and English ("the Service").

This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

By using Elizabeth.ai, you agree to the collection and use of information in accordance with this policy.

2.1 Merchant Information

When you sign up as a merchant, we collect:

• Name and email address
• Business/store name
• Facebook Page information (Page ID, Page name) when you connect your Facebook Page
• Product catalog data you enter (names, prices, inventory)

2.2 Customer Information (End-Users)

When customers interact with a merchant's Facebook Page that uses Elizabeth.ai, we may collect:

• Facebook User ID and public profile name (as provided by Facebook Messenger)
• Messages sent to the merchant's Page via Messenger or comments
• Order information (items ordered, delivery details provided voluntarily)

2.3 Automatically Collected Information

• Webhook event data from Facebook (message timestamps, event types)
• Usage analytics (page views, feature usage) for improving the Service
• AI processing metadata (token counts for billing purposes)

2.4 Parser Analytics and Session Data

To operate and improve our services, we also automatically collect:

• Parse attempt records — the text of each incoming message processed by our parser, the method used (regex or AI), the outcome, and a link to the resulting order. Stored per merchant for analytics and accuracy monitoring.
• Intent classification logs — the classified intent (e.g., order, inquiry, greeting), confidence score, and the Facebook User ID of the sender. Used solely for per-merchant analytics and parser tuning.
• Conversation session state — a temporary record of the active conversation flow (e.g., awaiting delivery address). Retained only for the duration of the conversation.
• Customer profile pictures — fetched from Facebook and stored to display in the merchant's CRM dashboard.
• One-Time Notification (OTN) tokens — stored when a customer opts in to receive a restock or order update notification via Messenger, used solely for that notification type.

We use the information we collect to:

• Process and manage orders placed through Facebook Messenger and Page comments
• Provide AI-powered natural language parsing of customer orders
• Manage inventory, delivery tracking, and customer relationship data for merchants
• Send order confirmations and updates via Messenger
• Improve the accuracy of our Filipino-language order parsing system using anonymized, de-identified parse records — no Facebook User IDs or customer names are used for this purpose
• Personalise conversational AI replies for returning customers by providing a compact summary of their name and order history to our AI provider for that specific response (see Section 6)
• Monitor usage for billing and subscription tier management
• Communicate with merchants about their account

Our use of Facebook Platform data complies with the Meta Platform Terms and Developer Policies.

• We only request permissions necessary for the Service (pages_messaging, pages_manage_metadata, pages_read_engagement, pages_show_list)
• Facebook Page Access Tokens are stored securely and used solely to operate the merchant's ordering bot
• We do not sell, share, or use Facebook data for advertising purposes
• Merchants can disconnect their Facebook Page at any time via their dashboard settings

• All data is stored in Supabase (PostgreSQL) with Row Level Security (RLS) enforcing strict tenant isolation
• Each merchant's data is fully isolated — merchants cannot access other merchants' data
• Access tokens are encrypted at rest and transmitted only over HTTPS
• Webhook payloads are verified using HMAC-SHA256 signatures
• We follow industry-standard security practices including environment-based configuration and secret management

We do not sell your personal information. We may share data:

• With AI service providers (Anthropic, Google, OpenAI) for two distinct purposes:
  • Order parsing: Only the raw message text and your product list are sent. No customer names or identifiers are included.
  • Conversational replies (Suki feature): For returning customers, a compact personalisation context including the customer's display name, recent order history, and preferred payment method may be included in the AI prompt to enable a warm, personalised greeting. This information is used only for generating that single response and is not retained or used for model training by our AI providers under their data processing agreements. Merchants are responsible for obtaining appropriate consent from their customers for this personalisation feature as required under RA 10173.
• With infrastructure providers (Vercel, Supabase) as necessary to operate the Service
• When required by law or to protect our legal rights

• Merchant account data is retained for the duration of the account
• Order and customer data is retained as long as the merchant account is active
• Conversation session state is retained for the duration of the active conversation and is cleared upon order completion or merchant account deletion
• Parse attempt and intent classification records are retained for up to 90 days for merchant analytics, after which they are permanently deleted
• Upon account deletion, all associated data is permanently removed within 30 days

8.1 Merchant Rights

As a merchant (account holder), you have the right to:

• Access the personal data we hold about your account
• Request correction of inaccurate data
• Request deletion of your account and all associated data
• Disconnect your Facebook Page at any time via settings
• Export your data (order history, customer list, product catalog)

To exercise these rights, contact us at privacy@myelizabeth.studio.

8.2 End-User Rights (Merchant Customers)

If you are a customer who has interacted with a merchant's Facebook Page that uses Elizabeth.ai, we may hold your Facebook display name, order history, and conversation data on behalf of that merchant. Under RA 10173 and applicable law, you have the right to:

• Request access to the personal data we hold about you
• Request correction or deletion of your data
• Object to the processing of your data

To exercise these rights, email privacy@myelizabeth.studio with the name of the merchant page you interacted with. We will respond within 30 days.

Our Service is not directed to individuals under 18. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, please contact us to have it removed.

Merchants are responsible for ensuring that their use of Elizabeth.ai does not involve the collection of personal data from individuals under 18 without verifiable parental consent, as required under RA 10173 and applicable law. Account registration requires the merchant to be at least 18 years old (see our Terms of Service, Section 3).

We may update this Privacy Policy from time to time. We will notify merchants of material changes via email or dashboard notification. Continued use of the Service after changes constitutes acceptance of the updated policy.

Elizabeth.ai processes personal data of Philippine residents in compliance with Republic Act No. 10173 (Data Privacy Act of 2012) and its Implementing Rules and Regulations.

• Personal Information Controller: Elizabeth.ai acts as a Personal Information Controller for merchant account data, and as a Personal Information Processor for end-user data processed on behalf of merchants.
• Data Protection Officer (DPO): Our designated DPO can be contacted at dpo@myelizabeth.studio for any privacy concerns, data subject requests, or compliance inquiries.
• Lawful basis: We process personal data on the basis of contractual necessity (to deliver the Service), consent (where explicitly granted by the merchant via our Terms of Service), and legitimate interest (for parser accuracy improvement using anonymized, de-identified data).
• Breach notification: In the event of a personal data breach, we will notify the National Privacy Commission (NPC) within 72 hours of discovery and notify affected data subjects without undue delay.
• NPC Registration: Elizabeth.ai will register with the National Privacy Commission as required under RA 10173 and NPC Circular 16-01 when applicable thresholds are met.

If you have questions about this Privacy Policy, please contact us:

• Email: privacy@myelizabeth.studio
• DPO: dpo@myelizabeth.studio
• Website: myelizabeth.studio