KanBird Logo
Login
LEGAL

Privacy Policy

Effective Date: May 4, 2026  ·  Version 1.0  ·  Last Updated: May 4, 2026

Applies to: Unisocial Hub — a social media management module integrated within KanBird CRM

Table of Contents

  1. Introduction
  2. Who We Are
  3. Scope
  4. Information We Collect
  5. How We Use Your Information
  6. Legal Basis (GDPR)
  7. Data Sharing
  8. Data Security
  9. Data Retention
  10. Your Rights
  11. Facebook Data Deletion
  12. Children's Privacy
  13. International Transfers
  14. Changes to This Policy
  15. Contact

1. Introduction

KanBird ("Company," "we," "us," "our") operates Unisocial Hub — a B2B social media management SaaS platform integrated within KanBird CRM. This Privacy Policy describes how we collect, use, process, disclose, and protect personal information when you use the Service, including information received through our integration with Meta Platforms, Inc. (Facebook, Instagram, WhatsApp).

By using Unisocial Hub, you agree to the practices described here. If you disagree, please do not use the Service. This policy does not cover Meta Platforms, Inc.'s own privacy practices — see facebook.com/privacy/policy for Meta's policy.

2. Who We Are

KanBird is a software company providing Unisocial Hub as a subscription-based B2B SaaS module within its CRM platform. The platform is designed exclusively for businesses to manage their Facebook Pages, Instagram Business Accounts, and WhatsApp Business phone numbers from a unified dashboard.

Privacy contact: privacy@kanbird.com

3. Scope

This policy applies to all registered users of Unisocial Hub, visitors to our website, and information processed through our Meta Platform API integrations. It does not apply to the privacy practices of Meta Platforms, Inc., Google (Gemini API), or KanBird's other modules unless specifically stated.

4. Information We Collect

4.1 Information You Provide

  • Account information: Name, business email address, and profile photo provided through KanBird SSO. We do not collect or store passwords — credentials are managed by KanBird.
  • Social account access tokens: Tokens granted through the official Meta OAuth flow. Stored encrypted — never exposed to the frontend.
  • Content you create: Post captions, message reply texts, auto-reply rule messages, and message templates.
  • Platform configuration: Auto-reply rules, scheduling settings, keyword lists, team member settings, conversation tags.

4.2 Information from Meta Platform APIs

Facebook Pages (via pages_show_list, pages_read_engagement, pages_messaging, pages_read_user_content):

  • Page ID, name, profile picture, and page access token — to identify the connected page and authenticate API calls
  • Messenger conversation IDs, participant PSIDs, timestamps, unread counts — to maintain the inbox conversation list
  • Messenger message text, sender IDs, timestamps, delivery status — to display conversation threads in the inbox
  • Post comment text, commenter names, commenter IDs, timestamps — to display comment threads in the inbox
  • Aggregated page insights metrics (fans, impressions, reach, views) — displayed in the analytics dashboard; NOT stored persistently
  • Individual post insight metrics (impressions, reach, engaged users, reactions) — cached for up to 1 hour; stored in posts.analytics JSON column

Instagram Business Accounts (via instagram_basic, instagram_manage_messages, instagram_manage_comments):

  • IG account ID, username, profile picture — to identify the connected Instagram account
  • IG DM conversation IDs, participant IGSIDs, timestamps — for inbox thread management
  • IG DM message text, sender IGSIDs, timestamps — to display Instagram DM conversations
  • Instagram media IDs, captions — as context for comment conversations
  • Instagram comment text, commenter usernames, commenter IDs — to display IG comment threads

WhatsApp Business (via whatsapp_business_messaging, whatsapp_business_management):

  • WhatsApp Business phone number ID, verified business name — to identify the connected WA account
  • Inbound message text, sender phone numbers (E.164 format), timestamps — to display WA conversations
  • Message delivery and read status — logged for audit trail

4.3 Automatically Collected

  • Log data: IP address, browser type, pages visited, referring URL, request timestamps (30-day retention)
  • Essential session cookies/tokens: Required for authenticated sessions — no advertising cookies
  • Usage analytics: Features used, navigation paths (if analytics tools enabled)

5. How We Use Your Information

5.1 Core Service Features

Unified Inbox: Message and comment data from Meta APIs is stored and displayed in the Unisocial inbox so business users can read customer conversations and respond. This is the primary purpose for all message content collection.

Sending Replies: When you click Send in the inbox, your reply text is transmitted to the appropriate Meta API endpoint. The reply is also saved as an outbound message record in the conversation history.

Auto-Reply Engine: When you configure auto-reply rules, we evaluate every new inbound message against your rules and send the configured reply via the appropriate Meta API when a rule matches. The auto-reply engine does not access any data beyond the inbound message text and sender ID needed to evaluate rules.

Post Publishing: Post content (caption, media URL, scheduling time) is transmitted to the Meta Graph API for publishing. The external post ID returned by Meta is stored for analytics retrieval.

Analytics: Page metrics are fetched on demand and displayed — not stored. Post metrics are cached for 1 hour.

AI Customer Intelligence: When you explicitly trigger AI analysis, conversation message text only (no sender IDs, no tokens) is sent to Google Gemini API. Results are displayed in the UI and NOT stored persistently.

5.2 Meta Platform Data — Special Use Restrictions

Meta Platform data is never used for advertising targeting, sold, rented, or transferred to any third party for commercial purposes. It is not combined with data from other sources to build profiles of individuals.

  • No advertising use: Meta Platform data is never used for advertising targeting, constructing ad audiences, or serving advertisements.
  • No data sales: Meta Platform data is never sold, rented, licensed, or transferred to any third party for commercial purposes.
  • No cross-platform profiling: Meta Platform data is not combined with data from other sources to build profiles of individuals.
  • Purpose limitation: Message and comment content is used exclusively to display it in the inbox and enable replies.
  • PSID and IGSID handling: Stored only to identify conversation threads. Not used for cross-app tracking, not shared with any third party.
  • Aggregate analytics: Page insights are aggregate statistics that do not identify individuals. Fetched only to provide page performance information to the page administrator.

6. Legal Basis for Processing (GDPR)

  • Contract performance (Art. 6(1)(b)): Processing registered user information is necessary to perform the Terms of Service contract.
  • Legitimate interests (Art. 6(1)(f)): Log data and usage analytics processed for operating, improving, and securing the Service.
  • Legal obligation (Art. 6(1)(c)): Processing to comply with applicable laws, legal process, and data deletion obligations.
  • Consent (Art. 6(1)(a)): Where required by law, explicit consent obtained before processing.

7. Data Sharing

7.1 Third-Party Services

Service Purpose Data Shared Policy
Meta Platforms (Graph API) Social media integration — inbox, publishing, analytics Access tokens for API calls; message content for display facebook.com/privacy/policy
Google Gemini API AI Customer Intelligence — conversation analysis Message text only (no IDs, no tokens, no PII beyond text) when user triggers AI feature policies.google.com/privacy
KanBird (SSO Provider) User authentication — single sign-on Name, email, photo, tenant ID during login KanBird Privacy Policy
Cloud Hosting Provider Database and server hosting All stored data (encrypted at rest) Provider Privacy Policy + DPA
Email Provider Transactional emails (security alerts, billing) Recipient email address and email content Provider Privacy Policy + DPA

We do not share Facebook or Instagram user data with advertising networks, data brokers, analytics services that collect cross-site data, or any party not listed above. We do not sell personal information. Our monetization model is subscription-based.

8. Data Security

  • Encryption in transit: TLS 1.2+ for all communication between browser and servers, and between servers and Meta APIs.
  • Encryption at rest: AES-256 encryption at the database storage layer for all tenant databases.
  • Token protection: Access tokens stored encrypted in database. Never logged or exposed via API responses.
  • Webhook verification: Every Meta webhook POST verified via HMAC-SHA256 before processing. Invalid signatures silently rejected.
  • JWT security: 7-day JWT expiry + tokenVersion increment on logout/delete for instant cross-device invalidation.
  • Tenant isolation: Database-per-tenant architecture. Cross-tenant access is architecturally impossible.
  • Rate limiting: 200 requests/15 minutes per IP via express-rate-limit.
  • Access controls: Production system access restricted to authorized personnel with RBAC and MFA.

9. Data Retention

Data Category Retention Period Deletion Mechanism
Social account records (page IDs, tokens, pictures) Until account disconnected + user account deleted isActive=false on disconnect; destroy() on user delete
Conversation records (thread metadata) Until user account deletion Cascading delete when parent social account or user deleted
Message records (inbound + outbound text) Until user account deletion Cascading delete when parent conversation deleted
Post records Until manually deleted or user account deleted Post.destroy() on manual delete; cascading on user delete
Auto-reply logs 90 days Automatic purge job
Access tokens (disconnected accounts) Deactivated on disconnect; destroyed on user delete isActive=false immediately; destroy() on account delete
Log files 30 days Automatic log rotation
AI Customer Intelligence results Session only — not stored Discarded when browser session ends
Page-level analytics metrics Not stored — session only Discarded after API response rendered in browser
Post-level analytics (cache) 1 hour Overwritten after 1 hour; deleted with parent post

10. Your Rights

Right Description How to Exercise
Right to Access Request a copy of personal data we hold about you, including categories, purposes, and third-party sharing. Email privacy@kanbird.com — "Data Access Request"
Right to Correction Request correction of inaccurate or incomplete data. Update via account settings or email privacy@kanbird.com
Right to Deletion Request permanent deletion of your data (terminates your Unisocial account). Delete account in Settings, or email privacy@kanbird.com — "Account Deletion Request"
Right to Data Portability Request machine-readable copy (JSON) of data you have provided or generated. Email privacy@kanbird.com — "Data Portability Request"
Right to Object Object to processing based on legitimate interests. Email privacy@kanbird.com with specific processing you object to
Right to Restriction Request restriction of processing in specific circumstances. Email privacy@kanbird.com — "Processing Restriction Request"
Right to Withdraw Consent Withdraw consent where processing is based on consent. Disconnect social accounts via Accounts page, or email privacy@kanbird.com
Right to Lodge Complaint Complain to your local Data Protection Authority if you believe we have mishandled your data. Contact your local DPA (e.g., ICO in UK, DPC in Ireland, CNIL in France)

We respond to all data rights requests within 30 days as required by applicable law.

11. Facebook Data Deletion — Callback Implementation

In compliance with the Facebook Platform Terms, Unisocial Hub implements the Facebook Data Deletion Request Callback:

  1. Meta sends HTTP POST to https://api.unisocial.kanbird.com/api/privacy/deletion with a signed_request parameter
  2. Our endpoint decodes and verifies the signed_request using the App Secret
  3. The signed_request contains the Facebook user ID (uid) of the user requesting deletion
  4. Our system searches all tenant databases for conversation records where senderId matches that Facebook user ID
  5. All identified conversation and message records are permanently deleted
  6. Response returned: {"url": "...", "confirmation_code": "..."}
  7. The status URL returns deletion completion status when Meta checks it

Data Deletion Callback URL: https://api.unisocial.kanbird.com/api/privacy/deletion
Deletion Status URL: https://kanbird.com/privacy/deletion-status?id={confirmation_code}

12. Children's Privacy

Unisocial Hub is a B2B platform for business professionals only. We do not knowingly collect information from individuals under 18 years of age. If you believe a minor has provided information, contact privacy@kanbird.com and we will delete it promptly.

13. International Transfers

KanBird is based in Bangladesh. If you are located elsewhere, your data may be transferred internationally. For transfers from the EEA or UK we use Standard Contractual Clauses (SCCs) approved by the European Commission.

14. Changes to This Policy

We notify registered users of material changes by email and in-app notice. The "Last Updated" date at the top reflects the most recent revision. Continued use after changes constitutes acceptance.

15. Contact