Privacy Policy
Effective date: June 12, 2026
1. Introduction
This Privacy Policy explains how {{COMPANY_LEGAL_NAME}} (operator of the Meerlume service, “Meerlume,” “we,” “us”) collects, uses, shares, and protects personal data when you use our bot-building platform for WhatsApp, Telegram, and related channels. It also describes the rights available to you under applicable data-protection law, including the EU and UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), Brazil’s LGPD, and similar laws in other jurisdictions.
Two roles are relevant to this policy:
- For your account information and your use of Meerlume, we are the data controller.
- For data collected by your bots from your end customers (their messages, phone numbers, names, booking details), you are the controller and we act as your processor. A Data Processing Addendum (DPA) is available on request at privacy@meerlume.com.
2. Information We Collect
Account data. When you sign up we collect your email, name, password (stored hashed), and, if you sign in with Google or another OAuth provider, the basic profile information and tokens that provider returns. Account authentication is handled by our sub-processor Stack Auth (operated by Neon).
Bot configuration data. Bot names, descriptions, flow definitions, prompts, instructions, knowledge-base content, channel settings, and any drafts you save while using the builder.
Channel credentials. If you connect a WhatsApp Business or Telegram bot, we store the relevant tokens (WhatsApp access token and phone-number ID; Telegram bot token). These credentials are encrypted at rest.
Notification settings. If you enable owner notifications, we store your notification preferences and the delivery details needed to reach you — for example, the Telegram chat identifier created when you link our notification bot, or a per-bot notification address. Notifications themselves contain submission details (such as the booking summary your template includes).
Support requests. If you contact support, we receive the email address, subject, category, and message you submit, and we retain that correspondence to resolve your request.
End-customer data your bots collect. When your end customers interact with your bots on WhatsApp or Telegram, we receive and store their messages, the phone numbers or usernames the messaging platform exposes, the structured answers they provide to your bot’s questions, conversation transcripts (including messages you exchange with a customer when you take over a conversation), and any booking details they submit (including name, contact details, time slot, and notes). We process this data on your behalf to deliver the Service.
Payment data. Subscription payments are processed by Lemon Squeezy as Merchant of Record. We do not receive or store full payment-card details; we receive only transaction-level data such as plan, status, last four digits, and billing country needed to provision your subscription.
Technical data. Our backend automatically logs IP addresses, user-agent strings, and request metadata for security, debugging, and abuse-prevention purposes. We also use a small number of cookies and local-storage entries described in section 9.
3. How We Use Information
- To provide, operate, and maintain the Service.
- To authenticate you, secure your account, and prevent abuse.
- To deliver your bot’s messages to and from end customers via the chosen messaging platform.
- To send you the notifications you have configured about activity in your bots — in the dashboard, by Telegram, or by email — such as new submissions awaiting your review.
- To improve the Service, diagnose issues, and develop new features.
- To communicate with you about service updates, security notices, and (with your consent where required) marketing.
- To comply with legal obligations and respond to lawful requests.
4. Legal Bases for Processing (GDPR / UK GDPR)
- Contract — to provide the Service you have signed up for.
- Legitimate interests — to keep the Service secure, prevent fraud, and improve our product.
- Consent — for any optional marketing communications and any non-essential cookies (we do not currently use any).
- Legal obligation — to comply with applicable law and respond to lawful requests from authorities.
5. Sub-processors and Third Parties
We share personal data with the following sub-processors strictly to provide the Service:
- Neon (database hosting) and Stack Auth (operated by Neon) for authentication. Receives account data, bot configuration, and end-customer data your bots store.
- Google (Gemini API) for AI-assisted bot building. Receives the bot descriptions, prompts, and instructions you type into the builder. Live conversations with your end customers are executed by our own flow engine and are not sent to the Gemini API. Subject to Google’s API terms and data-handling policies.
- Brevo for transactional email delivery, such as support correspondence and any email notifications you configure. Receives the recipient address and message content of those emails.
- Meta Platforms (WhatsApp Business / Cloud API) for message routing on WhatsApp. Receives the messages, phone numbers, and metadata necessary to send and receive WhatsApp conversations.
- Telegram FZ-LLC for message routing on Telegram. Receives the messages and user identifiers necessary to operate your Telegram bot and, if you enable Telegram notifications, the owner notifications we deliver to you through our notification bot.
- Lemon Squeezy as our Merchant of Record for billing, invoicing, and tax compliance. Receives transaction and billing-country data.
We do not sell your personal data or your end customers’ data, and we do not share it for cross-context behavioural advertising.
6. International Data Transfers
Meerlume is a global service. Personal data may be processed in countries other than the one in which you live, including the United States and other jurisdictions where our sub-processors operate. Where required by law, transfers from the EU/UK are made under appropriate safeguards such as the European Commission’s Standard Contractual Clauses or the UK International Data Transfer Addendum.
7. Data Retention
We retain personal data only for as long as needed for the purposes described in this policy.
- Account data is retained while your account is active and deleted within 30 days after account deletion (subject to backups, which are purged on a rolling cycle of up to 90 days).
- Bot configuration and end-customer data is retained until you delete it or close your account.
- Server access and security logs are retained for up to 30 days.
- We may retain limited information for longer where necessary to comply with legal obligations, resolve disputes, or enforce our agreements.
8. Your Rights
Subject to applicable law, you have the right to:
- access the personal data we hold about you;
- request correction of inaccurate data;
- request deletion of your data;
- request restriction of, or object to, certain processing;
- request a portable copy of your data;
- withdraw any consent you previously gave (without affecting the lawfulness of prior processing);
- lodge a complaint with your local data-protection authority.
California residents have additional rights under the CCPA/CPRA, including the right to know what personal information we collect, the right to delete it, and the right to opt out of “sale” or “sharing” — note that we do not sell or share personal information as those terms are defined under the CCPA.
To exercise any of these rights, email us at privacy@meerlume.com. We will respond within 30 days, as required by the GDPR; if a request is complex or we receive a high volume of requests, we may extend that period by a further two months and will tell you why. If your request concerns data your bot collected from one of your end customers, that customer should contact you (the controller) directly; we will support you in fulfilling such requests under the DPA.
9. Cookies & Local Storage
We use only strictly necessary and functional storage:
- A session cookie set by Stack Auth to keep you signed in.
- A small sidebar:state cookie that remembers whether you collapsed the dashboard sidebar.
- Browser localStorage entries that hold your theme preference, calendar view choice, panel-collapsed state, and drafts you create in the bot builder before you sign up.
We do not use analytics, advertising, session replay, or cross-site tracking cookies. If we ever add any, we will update this policy and present a consent banner where required.
10. Children's Privacy
The Service is not directed to children under 16 and we do not knowingly collect personal data from them. If you believe a child has provided us personal data, please contact privacy@meerlume.com and we will delete it.
11. Security
We use industry-standard security measures including TLS in transit, encryption at rest for sensitive credentials (such as your WhatsApp access tokens and Telegram bot tokens), access controls, and least-privilege production access. No system can be guaranteed perfectly secure; if we become aware of a breach that affects you, we will notify you as required by applicable law.
12. Changes to This Policy
We may update this Privacy Policy from time to time. The “Effective date” at the top of this page reflects the latest revision. If a change is material we will provide reasonable notice (for example, by email or through the Service) before it takes effect.
13. Contact
Questions, requests, or complaints about this Policy can be sent to privacy@meerlume.com. See also our Terms of Service.