Privacy Policy
This Privacy Policy explains how EEAB Studio Limited ("we", "us", "our") collects, uses, stores, and shares personal data when you use our AI assistant platform. We comply with the EU General Data Protection Regulation (GDPR) and the UAE Personal Data Protection Law (PDPL).
1. Effective Date and Version
This Privacy Policy is version v2026-04, effective from April 26, 2026. It supersedes all previous versions. We will update the version number and effective date whenever we make material changes.
2. Who We Are
EEAB Studio Limited ("EEAB Studio", "we", "us", "our") operates an AI assistant platform that enables business owners to automate customer interactions across messaging channels including WhatsApp, Telegram, email, and webchat.
EEAB Studio Limited (License No. MC 13993) is a company incorporated in the Masdar City Free Zone, Abu Dhabi, United Arab Emirates, with registered address at Smart Station, Incubator Building, Masdar City, Abu Dhabi, UAE. For all privacy-related inquiries, contact us at ceo@eeabstudio.com.
This Privacy Policy applies to all our products and services, including: (a) the EEAB Studio web platform and onboarding form available at eeabstudio.com; and (b) the iOS mobile application "AI Assistant" (bundle identifier com.eeabstudio.aiassistant), which provides Business Owners with administrative access to their EEAB Studio Limited account on mobile devices.
3. What Data We Collect
Our platform processes two distinct categories of data, with different roles and responsibilities under data protection law.
3.1 From Business Owners ("Customers")
When you sign up as a business owner using our platform, we collect:
- Account credentials: email address; password (stored only as a one-way bcrypt hash, never in plaintext).
- Business profile: company name, phone number, business address, operating hours.
- Technical data: IP address, browser user-agent, device and session information.
- Mobile device data (when using the iOS app): operating system version, push notification token (an opaque identifier issued by Expo Push Service that allows us to deliver notifications to your device), and device-class indicator (physical device vs simulator). The App does not collect device advertising identifiers (IDFA) and does not use App Tracking Transparency.
- Mobile app preferences: local toggle states for notification preferences and human-takeover timeout, stored on your device only and not transmitted to our servers.
- Integration credentials: Telegram bot tokens, WhatsApp Business API credentials (via 360Dialog), email OAuth grants (via Nylas).
- Payment information: if and when you make payments, transactions are processed by Stripe (USA), a PCI-DSS compliant payment processor. We do not store full credit card details on our systems.
3.2 From End-Customers of Business Owners
When end-customers interact with the AI assistant deployed by a Business Owner, the following data may be processed:
- Messages sent by the end-customer via Telegram, WhatsApp, email, or webchat.
- Names, phone numbers, and email addresses, when provided.
- Conversation history with the AI assistant.
Important — roles under GDPR: For end-customer data, the Business Owner is the Data Controller and EEAB Studio Limited acts as a Data Processor (Article 28 GDPR). This relationship is governed by a Data Processing Agreement between EEAB Studio Limited and each Business Owner. End-customers wishing to exercise their data subject rights should contact the Business Owner whose service they used; we will assist the Business Owner in fulfilling such requests.
4. How We Use Data
We use the data described above for the following purposes:
- Providing, operating, and maintaining the Service.
- Authenticating accounts and securing access.
- Generating AI responses to end-customer messages on behalf of Business Owners.
- Processing payments and managing subscriptions.
- Communicating with Business Owners about their account, billing, and support requests.
- Detecting and preventing fraud, abuse, and security incidents.
- Improving service quality through aggregated, anonymized analytics.
- Complying with legal obligations under applicable law.
5. iOS Mobile Application
This section provides additional disclosures specific to our iOS mobile application "AI Assistant" (bundle identifier com.eeabstudio.aiassistant), as required by Apple App Store guidelines.
5.1 What the App Sends to Our Servers
When you use the App, the following data is transmitted to our backend over HTTPS:
- Login credentials at sign-in (email and password). The password is verified against a one-way bcrypt hash on our servers and is never stored or logged.
- Authentication tokens for subsequent requests.
- Push notification token, sent once after you grant notification permission, so we can deliver alerts to your device.
- Manual reply text that you, as the Business Owner, type to send to your end-customers via the messaging channels you have connected.
- AI assistant queries that you type into the in-app AI tab (for example, "show inactive customers" or "business summary").
- Read requests for your business data: conversations, customers, appointments, scheduled messages, and similar resources.
5.2 Third-Party Services Specific to the App
The App itself integrates with the following third-party services. For all AI processing services (OpenAI, Pinecone), the App does not communicate directly; instead, your data is forwarded by our backend, which acts as an intermediary.
- Apple Push Notification service (Apple Inc., USA): used to deliver push notifications to your device. Apple receives encrypted payload data; the App itself sends nothing to Apple. See https://www.apple.com/legal/privacy/.
- Expo Push Service (Expo, USA): used by our backend to dispatch notifications to Apple Push Notification service. We send your push token and notification content (title, body, and a deep-link payload). See https://expo.dev/privacy.
- Expo Updates Service (Expo, USA): used to deliver over-the-air (OTA) JavaScript updates to the App, allowing us to ship bug fixes and minor improvements without a full App Store release. On each App launch, the App contacts Expo's update server (u.expo.dev) to check for available updates. We send only the App version, runtime version, and platform; no user data is transmitted. See https://expo.dev/privacy.
5.3 What the App Does NOT Do
We want to be explicit about what the App does not collect or transmit:
- The App does not contain any third-party analytics SDKs (such as Google Analytics, Firebase Analytics, Mixpanel, Amplitude, or similar).
- The App does not contain any third-party crash-reporting SDKs (such as Sentry, Crashlytics, Bugsnag, or similar).
- The App does not collect device advertising identifiers (IDFA, IDFV) and does not use App Tracking Transparency.
- The App does not access your device's camera, microphone, photo library, contacts, or location.
- The App does not communicate directly with OpenAI, Pinecone, or any other AI service provider; all AI requests are routed through our backend.
5.4 Data Stored on Your Device
The App stores the following data locally on your device, encrypted using the iOS Keychain:
- Authentication tokens (access token and refresh token).
- Tenant identifier — a non-personal identifier of your business account.
- Two user preferences: a notification toggle and a human-takeover timeout setting.
The App does not cache messages, customer data, business documents, or appointments on your device. All such data is held only in memory while the App is running and is cleared when the App is closed.
5.5 Account Deletion
You can delete your account and all associated data at any time from within the App, by going to Settings → Danger Zone → Delete Account. After confirmation, the deletion request is sent to our backend and your account, along with all conversations, customers, appointments, documents, and other tenant data, is permanently removed from our primary systems. Encrypted backups containing the deleted data are purged within 30 days.
5.6 Push Notifications
Push notifications are optional. We request permission after you sign in. If you decline, the App functions normally except that you will not receive real-time alerts about new customer messages or appointment changes. You can revoke push permission at any time from your device's iOS Settings → Notifications → AI Assistant.
5.7 Children's Use of the App
The App is intended for business use by adults aged 18 and over. It is not directed at children, and we do not knowingly process personal data of minors through the App. See Section 12 for more details on Children's Privacy.
6. Third-Party Services
We rely on the following third-party services to operate our platform. For each service, we describe what data is shared, where it is processed, and link to the provider's privacy policy.
6.1 — OpenAI (USA)
- Purpose: AI processing — generating responses and creating embeddings for semantic search.
- Data shared: Content of end-customer messages and uploaded business documents.
- Privacy policy: https://openai.com/policies/privacy-policy
- Note: Per the OpenAI API Data Usage Policy, data submitted via the API is not used to train OpenAI's models.
6.2 — Pinecone (USA)
- Purpose: Vector storage for semantic search across the business knowledge base.
- Data shared: 3072-dimensional embeddings of messages and documents, plus metadata containing the first 1000 characters of each text chunk.
- Privacy policy: https://www.pinecone.io/privacy/
6.3 — AWS S3 (India, ap-south-1 / Mumbai region)
- Purpose: Secure, durable storage of files uploaded by Business Owners.
- Data shared: Original business documents (PDF, DOCX, XLSX, TXT, CSV) and product images.
- Privacy policy: https://aws.amazon.com/privacy/
6.4 — Stripe (USA)
- Purpose: Payment processing under PCI-DSS compliance.
- Data shared: Transactional data when payments are processed. EEAB Studio Limited does not store full credit card details.
- Privacy policy: https://stripe.com/privacy
6.5 — Telegram Bot API (Telegram FZ-LLC) (UAE)
- Purpose: Delivery of messages via Telegram bots configured by Business Owners.
- Data shared: Outgoing messages from the AI assistant, incoming messages from end-customers.
- Privacy policy: https://telegram.org/privacy
6.6 — 360Dialog (Germany)
- Purpose: Delivery of messages via the WhatsApp Business API.
- Data shared: WhatsApp Business API credentials and messages exchanged via the Business Owner's WhatsApp Business account.
- Privacy policy: https://www.360dialog.com/privacy-policy/
6.7 — Nylas (USA)
- Purpose: Integration with email providers (Gmail, Outlook, and similar) so the AI assistant can read and reply to customer emails.
- Data shared: OAuth grants for the Business Owner's email accounts; email metadata and content when retrieved.
- Privacy policy: https://www.nylas.com/legal/privacy/
6.8 — Google (USA)
- Purpose: Address autocomplete (Google Places API), timezone derivation from coordinates (Google TimeZone API), and bot protection on the onboarding form (Google reCAPTCHA v3).
- Data shared: Address fragments during typing; location coordinates; reCAPTCHA telemetry signals.
- Privacy policy: https://policies.google.com/privacy
6.9 — SMTP (Self-hosted via Nodemailer) (Self-hosted)
- Purpose: Delivery of system-generated transactional emails (e.g., onboarding confirmation, password reset) directly from EEAB Studio Limited's own infrastructure.
- Data shared: Business Owner email address and the system message content.
- Note: This service is operated by EEAB Studio Limited; no third-party email service receives Business Owner data through this channel.
7. Data Storage and Security
We implement industry-standard technical and organizational measures to protect your data:
- Encryption in transit: HTTPS / TLS 1.2+ for all connections to our platform.
- Encryption at rest: database-level encryption and encrypted file storage on AWS S3.
- Passwords: bcrypt one-way hashing; we never store or transmit plaintext passwords.
- Authentication: JWT tokens with limited lifetime.
- Access control: role-based access for our staff, with audit logs of administrative actions.
- Backups: regular automated backups with a defined retention policy.
- Incident response: in the event of a personal data breach likely to result in a high risk to the rights and freedoms of affected individuals, we will notify them without undue delay, in accordance with Article 34 GDPR and Article 9 of the UAE PDPL.
8. International Data Transfers
Your data may be transferred to and processed in countries other than your own. The countries involved in our processing are:
- United States — for AI processing (OpenAI), vector storage (Pinecone), payment processing (Stripe), email integration (Nylas), and Google services.
- India (Mumbai region) — for document storage (AWS S3).
- Germany — for WhatsApp message delivery (360Dialog).
- United Arab Emirates — Telegram FZ-LLC and EEAB Studio Limited's own operations.
For transfers of personal data outside the European Economic Area (EEA), we rely on appropriate safeguards including, where applicable, the European Commission's Standard Contractual Clauses (SCCs) and the providers' own GDPR-compliant frameworks.
9. Your Rights Under GDPR
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation:
- Right of access (Article 15) — obtain confirmation of, and a copy of, the personal data we hold about you.
- Right to rectification (Article 16) — correct inaccurate or incomplete personal data.
- Right to erasure / right to be forgotten (Article 17).
- Right to restriction of processing (Article 18).
- Right to data portability (Article 20).
- Right to object (Article 21) — object to processing based on our legitimate interests.
- Right to withdraw consent (Article 7(3)) — at any time, where processing is based on consent.
- Right to lodge a complaint with a supervisory authority in your country of residence.
To exercise any of these rights, contact us at ceo@eeabstudio.com. We will respond within 30 days.
Note for end-customers of Business Owners: For data processed under our role as Data Processor, please direct your request to the Business Owner who collected your data. We will assist the Business Owner in fulfilling your request.
10. Your Rights Under UAE PDPL
If you are located in the United Arab Emirates, you have the following rights under Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("UAE PDPL"):
- Right to be informed about the processing of your personal data.
- Right to request access to your personal data.
- Right to request correction of inaccurate personal data.
- Right to request erasure of your personal data.
- Right to restrict or stop processing.
- Right to request transfer of your personal data.
- Right to object to automated decisions, including profiling.
To exercise any of these rights, contact us at ceo@eeabstudio.com.
11. Data Retention
We retain personal data only as long as necessary for the purposes described in this Policy:
- Business Owner accounts: retained while the account is active. After account termination, data is deleted within 90 days, except where retention is required by law (for example, financial records for up to 7 years for tax and accounting purposes).
- End-customer messages and conversation history: retained according to the Business Owner's configuration. The default retention period is 12 months from the last interaction; the Business Owner may request earlier deletion at any time.
- Encrypted backups: up to 30 days after the data has been deleted from primary systems.
- Audit and security logs: 12 months.
12. Children's Privacy
Our Service is intended for business users only and is not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us at ceo@eeabstudio.com and we will delete such data promptly.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we do, we will:
- Update the version number and "Last Updated" date at the top of this page.
- Notify Business Owners by email if changes are material.
Continued use of the Service after the effective date of an updated Policy constitutes acceptance of the changes. A history of previous versions is available upon request at ceo@eeabstudio.com.
14. Contact Us
For privacy-related questions, requests, or complaints, please contact:
EEAB Studio Limited
Email: ceo@eeabstudio.com
Postal Address: Smart Station, Incubator Building, Masdar City, Abu Dhabi, UAE
License: MC 13993, Masdar City Free Zone