01 Who we are

The party responsible.

Aecendion is operated by Aecendir (Pvt) Ltd, a private limited company registered in Sri Lanka under company number PV 00354741, with its registered office at S/3 Thotupola Road, Weragumpita, Matara, Sri Lanka ("Aecendir", "we", "us", "our"). We provide the Aecendion CRM — an application that unifies messaging from Meta's platforms (Facebook Messenger, Instagram Direct, and WhatsApp Business) into a single inbox, with AI-assisted lead scoring and pipeline management. You can reach us at support@aecendion.com.

Aecendir (Pvt) Ltd is the data controller for all Platform Data that Meta makes available to us through the permissions a business grants when connecting a Page, Instagram account, or WhatsApp Business Account to Aecendion. We determine the purposes and means of processing that data as described in this policy.

For data we process on your behalf as a CRM operator — your end customers' messages, contact details, and conversation history shown inside your workspace — we additionally act as a data processor, with you (the connected business) acting as controller for your end users. For data we collect about you, the account holder, we act as the controller.

02 From Meta

What we receive from the Meta Graph API.

When you connect your Facebook account via Facebook Login for Business, you grant Aecendion access to specific Pages, Instagram Business Accounts, and WhatsApp Business Accounts. From those connections we receive and store:

Account identifiers
Page IDs, Instagram Business Account IDs, WhatsApp Business Account (WABA) IDs, and the registered phone numbers attached to each WABA.
Access tokens
Long-lived Page Access Tokens and WhatsApp system-user tokens — encrypted at rest using authenticated symmetric encryption (libsodium / secretbox). Decrypted only in memory at the moment of an API call.
Account metadata
Page names, Instagram usernames, profile pictures, and similar public-facing attributes used to label your accounts inside Aecendion.
Message content
The text, attachments, and stickers in messages sent to and from your connected accounts — delivered to us via Meta's signed webhooks.
Sender identifiers
The Page-Scoped IDs (PSIDs), Instagram user IDs, and WhatsApp phone numbers of people who message you. These identify the contact within your CRM.
Timestamps & delivery flags
When each message was sent, delivered, read, and replied to — used for analytics and inbox ordering.

We do not request, store, or process: your Facebook password, your personal Facebook friend graph, the contents of any conversations you have on accounts you didn't connect, or any content from Meta products beyond the accounts you explicitly authorize.

03 From you

What you give us directly.

When you sign up for an Aecendion account, we collect:

  • Your email address, used for sign-in and operational messages.
  • Your name, displayed in the app and in audit logs.
  • A password hash — never the password itself — managed by Supabase Auth using industry-standard hashing.
  • Optional workspace settings: pipeline stages you define, message templates, AI-prompt customizations.

We may also collect basic operational telemetry: timestamps of your logins, IP address at sign-in (for security review), and the browser/OS you use. We do not build behavioral profiles for advertising or sell this telemetry.

04 How we use it

What the data is for.

Every piece of data we collect serves one of four purposes:

  1. To run the product. Show you your inbox, deliver replies, organize conversations, sync new messages, and persist your pipeline state.
  2. To power AI features. Score lead intent, summarize conversations, extract structured facts (e.g. "asked about pricing tier B"), and suggest next actions. This requires sending relevant message content to our AI provider — see §06.
  3. To keep things secure. Verify webhook signatures, detect unauthorized access, rotate or revoke tokens, and respond to incidents.
  4. To honor your legal rights. Find, export, correct, or delete your data when you ask us to.

We do not use your data, or your customers' data, to train general-purpose AI models, to sell or rent to data brokers, or for any form of advertising targeting.

05 Where it lives

Storage & transport.

All persistent data lives in a managed PostgreSQL database operated by Supabase. The database is hosted within the European Union. Connections to it use TLS 1.2 or higher; data at rest is encrypted by the underlying provider. Sensitive secrets — specifically Meta access tokens and AI provider keys — are encrypted by Aecendion before insertion using a key held outside the database, so a database-only breach does not yield usable tokens.

Traffic between your browser, our backend (app.aecendion.com), and Meta's APIs is encrypted in transit with TLS terminated at our edge.

06 Third parties

Who we share with — and why.

We share data only with the third parties strictly required to operate Aecendion:

Meta Platforms
Source of all messaging data. We send replies back through Meta's Graph API. Subject to Meta's own terms and privacy policy.
Supabase
Database, authentication, and hosting infrastructure. Acts as a sub-processor; processes data under their published DPA.
Anthropic (Claude)
AI provider for lead scoring and conversation analysis. Message content may be transmitted to Anthropic to generate scores and summaries. Anthropic processes these requests under enterprise data-handling terms that prohibit training on customer data.

If you do not wish AI features to process your conversations, you can disable them per-account in Settings → AI. With them disabled, no message content is transmitted to Anthropic.

We do not share your data with advertising networks, data brokers, or analytics platforms that build cross-site profiles.

07 Retention

How long we keep it.

  • While your account is active: we retain your messages, contacts, and pipeline data so the product works as expected.
  • When you disconnect a Meta integration: we revoke the relevant tokens immediately. Synced messages and contacts derived from that integration are deleted within 7 days.
  • When you delete your account: all account-level data (your profile, your messages, your contacts, your pipeline, AI-generated inferences) is permanently deleted within 30 days. Backups containing residual data roll off within 35 days after that.
  • Legal exceptions: we may retain limited records (e.g. payment receipts, abuse reports) where law requires.

You can ask for an earlier deletion at any time. See our User Data Deletion instructions for the exact process.

08 Your rights

What you can ask us to do.

Regardless of where you live, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Correct — ask us to fix anything that is wrong.
  • Delete — ask us to erase your data, subject to limited legal carve-outs.
  • Port — receive a machine-readable export of your data.
  • Object or restrict — limit how we process your data, where lawful grounds permit.
  • Withdraw consent — at any time, for any processing we do on the basis of consent.

To exercise any of these, email support@aecendion.com from the address on your account. We respond within 30 days; complex requests may take longer, in which case we'll tell you the new timeline.

If you believe we've mishandled your data and we haven't resolved it, you have the right to lodge a complaint with your local data-protection authority (in the EU, that's your national DPA).

09 Compliance

The frameworks we follow.

Aecendion is designed to be aligned with:

  • The EU General Data Protection Regulation (GDPR) and the UK GDPR — for any individuals in those jurisdictions.
  • Meta Platform Terms and the Developer Policies governing Messenger, Instagram, and WhatsApp Business APIs — including data-deletion obligations and prohibited-use rules.
  • California Consumer Privacy Act (CCPA / CPRA) rights for California residents — including the right to know and the right to delete. We do not sell personal information.

10 Cookies

Cookies & similar technology.

We use the minimum cookies needed to keep you signed in and to keep the app working: an authentication session cookie (set by Supabase Auth) and a small set of functional preferences (UI state, theme). We don't use third-party advertising or cross-site tracking cookies.

You can clear these at any time from your browser; you'll be signed out as a result.

11 Children

Not built for under-13s.

Aecendion is a B2B product. We do not knowingly collect data from anyone under 13, and our service is not directed at children. If you believe a child has provided us data, contact support@aecendion.com and we will delete it.

12 Law enforcement

When governments come asking.

If a public authority — a law-enforcement agency, court, regulator, or government department, whether in Sri Lanka or elsewhere — asks us to disclose personal data we hold, we follow the principles below before responding:

  • Legality review. Every request is reviewed in writing to confirm it is issued under valid legal authority — a properly served Sri Lankan court order, subpoena, or statutory notice; for non-Sri Lankan authorities, a Mutual Legal Assistance Treaty request or equivalent recognised process. Requests that lack a clear legal basis, that arrive through informal channels, or that are not in writing are not actioned.
  • Right to challenge. Where a request appears unlawful, overbroad, facially invalid, or in conflict with our users' rights, we will challenge it through the appropriate legal channels — filing objections, requesting narrower scope, or seeking judicial review — and we will not disclose data while a good-faith challenge is pending unless ordered to.
  • Data minimisation. When we do disclose, we disclose only the specific data fields needed to respond to the specific request, for the specific users named, for the specific timeframe identified — and nothing more.
  • Documentation. We keep an internal log of every request received, the legal basis cited, who reviewed it, the decision made, what (if anything) was disclosed, and the date. The log is retained for at least six years.
  • User notice. Where lawfully permitted, we notify the affected user of the request before disclosure so they have a chance to seek their own legal remedy. We comply with gag orders only where they are themselves lawfully issued.

Aecendir (Pvt) Ltd does not provide direct, bulk, or unsupervised access to user data to any government or law-enforcement entity. Formal requests should be sent in writing to support@aecendion.com.

13 Changes & contact

When this document changes.

We update this policy when we change how we handle data. Substantive changes are flagged via email to active account holders at least 14 days before they take effect; minor clarifications are reflected in the "Last updated" date at the top of this page.

For privacy questions, data requests, or anything else covered here, email support@aecendion.com.

Data & privacy enquiries

Have a question, or want your data back?

We answer privacy and data-deletion requests from a real human, usually within two business days. Please include the email address registered with Aecendion, and (if applicable) the Facebook user ID you want associated.

support@aecendion.com