Privacy Policy
Last updated: April 30, 2026
1. Introduction
This Privacy Policy describes how Asistian SAPI de CV ("Asistian", "we", "us", or "our") collects, uses, and protects your information when you interact with our services. Asistian is a Mexican company, and its processing of personal data is governed primarily by Mexico's Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP), its Regulations, and related guidelines. In addition, Asistian aligns its practices with applicable North American and international data-protection standards, including the GDPR, the CCPA, and the LGPD.
Our CRM platform integrates with multiple communication channels, including Facebook Messenger, Instagram Direct Messages, WhatsApp Business, and other messaging platforms, to help businesses manage customer relationships. By using our services or interacting with businesses that use our platform, you agree to the collection and use of information in accordance with this Privacy Policy.
2. Information We Collect
2.1 Information You Provide
Information you provide includes: (i) name and contact information, such as email and phone number; (ii) messages and communications sent through messaging platforms; (iii) business information and preferences; (iv) appointment and booking details; and (v) any other information you choose to provide.
2.2 Information from Meta Platforms (Facebook, Instagram, WhatsApp)
When you communicate with businesses using our platform through Meta's services, we may collect the following:
Facebook Messenger: Facebook user ID, profile name, profile picture, message content, timestamps, and delivery and read receipts.
Instagram Direct: Instagram user ID, username, profile picture, message content, media attachments, and message timestamps.
WhatsApp Business: phone number, WhatsApp ID, profile name, message content, media attachments, delivery status, and read receipts.
2.3 Automatically Collected Information
We also collect: (i) IP address and device information; (ii) browser type and version; (iii) usage patterns and analytics; (iv) technical logs and error reports; and (v) data from cookies and similar tracking technologies.
3. How We Use Your Information
We use the collected information to: (i) provide and improve our CRM services; (ii) process and respond to your messages and inquiries; (iii) manage customer relationships and lead generation; (iv) send automated responses and notifications on behalf of businesses; (v) schedule and manage appointments and bookings; (vi) provide AI-powered assistance for customer inquiries; (vii) analyze usage patterns to improve our services; (viii) comply with legal obligations; and (ix) prevent fraud and ensure security.
4. Meta Platforms Integration
Our platform integrates with Meta's family of services to enable businesses to communicate with their customers. This section describes how we handle data from each Meta platform.
4.1 Facebook Messenger
When you interact with a business through Facebook Messenger, we receive and store your messages and basic profile information; we may use AI-powered responses to provide immediate assistance; your conversations are stored securely in our CRM system; message content may be analyzed to improve service quality; and your data is processed in accordance with Meta's Platform Terms.
4.2 Instagram Direct Messages
When you message a business through Instagram, we receive your Instagram username, profile picture, and message content; media files you send are stored securely; your conversation history is maintained for customer service purposes; and we comply with Instagram's API Terms of Use and Platform Policy.
4.3 WhatsApp Business
When you communicate with a business through WhatsApp, we receive your phone number, profile name, and message content; message templates may be used for business-initiated communications; media files and documents you share are stored securely; delivery and read receipts are tracked for reliability; and we comply with the WhatsApp Business Policy and Meta's Platform Terms.
4.4 Meta Platform Data Use Commitment
We are committed to using data obtained from Meta platforms responsibly: we only access data necessary to provide our CRM services; we do not sell data obtained from Meta platforms to third parties; we do not use Meta platform data for advertising purposes unrelated to our service; we comply with Meta's Data Use Restrictions and Platform Terms; and we promptly delete data when requested by users or when no longer needed.
5. Google API Services and Workspace Integration
Asistian integrates with Google Workspace APIs to provide email and calendar functionality on behalf of business users. This section describes how we handle data obtained from Google APIs.
5.1 Google API Scopes We Request
When a business user connects their Google account to Asistian, we request the following OAuth scopes: gmail.send, calendar.readonly, and calendar.events.
gmail.send is used only to send messages composed or approved by the user through our platform, such as appointment confirmations, replies to customer inquiries, and quote follow-ups. We do not read, modify, label, archive, or delete any existing emails in the user's Gmail account.
calendar.readonly is used only to check the user's free/busy availability when scheduling appointments through our AI receptionist, in order to prevent double-bookings.
calendar.events is used only to create, update, or cancel calendar events that correspond to appointments confirmed through Asistian's chat flows.
Authentication scopes (openid, userinfo.email, userinfo.profile) are requested solely to identify the user during the OAuth flow.
5.2 Limited Use Compliance
Asistian's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, data obtained from Google APIs is used only to provide or improve user-facing features that are prominent in Asistian's platform, such as sending emails and scheduling appointments; is not transferred to third parties except as necessary to provide or improve those features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users; and is not used or transferred for serving advertising, including retargeting, personalized, or interest-based advertising.
Google Workspace data is not used to train generalized or third-party artificial intelligence or machine learning models. It is processed only in real time to fulfill the immediate user request and is not used as training data for any AI model, including the OpenAI models we use for other features of our platform.
Google API data is not read by humans, except: (i) with the user's affirmative consent for specific messages; (ii) as necessary for security purposes, such as investigating abuse; (iii) to comply with applicable law; or (iv) when the data has been aggregated and anonymized for internal operations.
5.3 Data Storage and Retention
OAuth refresh tokens are encrypted at rest using AES-256 and stored in our secure infrastructure. Calendar event metadata created by Asistian is retained as part of the appointment record for the duration of the business-customer relationship. Sent email content is retained as part of the conversation history with the corresponding customer. When a user disconnects their Google account or deletes their Asistian account, all OAuth tokens are revoked and deleted within 30 days.
5.4 Revoking Access
Users may revoke Asistian's access to their Google account at any time by disconnecting the integration in Asistian's Settings → Integrations panel, or by visiting myaccount.google.com/permissions and removing Asistian from the list of connected applications.
6. AI and Automated Processing
Our platform uses artificial intelligence to enhance customer service, including: automated responses, where AI assistants may respond to your messages to provide immediate assistance; sentiment analysis, where message content may be analyzed to understand customer sentiment; conversation summarization for business users; and booking assistance, where AI can help schedule appointments based on availability. You can request to speak with a human representative at any time during an automated conversation.
7. Data Sharing and Disclosure
We do not sell, trade, or rent your personal information. We may share your information with the business you are contacting through our platform; with service providers, such as cloud hosting, AI, and payment providers, under strict confidentiality agreements; when required by law, court order, or government request; to protect the rights, property, or safety of our users or the public; and in connection with a merger, acquisition, or sale of assets.
7.1 Third-Party Services We Use
We use the following third-party services: Meta Platforms (Facebook Messenger, Instagram, WhatsApp Business API); OpenAI (AI-powered conversation assistance); Google (calendar integration and email services); Amazon Web Services (cloud storage and hosting); Twilio (SMS and messaging services); and Stripe and other payment providers (card payment processing).
8. Data Security
We implement appropriate technical and organizational measures to protect your information, including: encryption of data in transit (TLS/SSL) and at rest (AES-256); regular security assessments and penetration testing; role-based access controls limiting data access to authorized personnel; secure cloud infrastructure with industry-standard certifications; regular security training for our team; and incident response procedures for potential data breaches.
9. Data Retention
We retain your information for as long as necessary to provide our services, comply with legal and regulatory obligations, resolve disputes, enforce our agreements, and maintain business records as required by law.
Specific retention periods apply: customer data remains available for export during the 30 days following account cancellation; after that period, data is deleted from active systems within a maximum of 60 additional days, unless the law requires retention; encrypted backups may retain copies for up to 90 additional days for operational security and are deleted automatically upon cycling; and billing and tax records (CFDI) are retained for 5 years, as required by the Mexican Federal Tax Code. Aggregated and anonymized analytics data may be retained indefinitely.
10. Your Rights and Choices
You have the following rights regarding your personal information: access to a copy of the personal data we hold; correction of inaccurate information; deletion of your personal information; portability, to receive your data in a machine-readable format; objection to certain types of processing; restriction of processing; and withdrawal of consent at any time where processing is based on consent.
10.1 How to Exercise Your Rights
To exercise any of these rights, contact us at hola@asistian.com. We will respond to your request within 20 business days, in accordance with Mexico's LFPDPPP, or within the timeframes required by other applicable laws.
10.2 Data Deletion for Meta Platform Users
If you have interacted with a business through Facebook Messenger, Instagram, or WhatsApp, you can request deletion of your data by contacting the business directly, by contacting us at the email address above, or by using your platform settings on Facebook, Instagram, or WhatsApp to manage data sharing.
11. Cookies and Tracking
We use cookies and similar technologies for the following purposes: essential cookies, required for platform functionality and security; analytics cookies, which help us understand how users interact with our platform; and preference cookies, which remember your settings. You can control cookie settings through your browser preferences; disabling certain cookies may affect platform functionality.
12. Third-Party Services
Our services integrate with third-party platforms, each governed by its own privacy policy, including Meta (Facebook, Instagram, WhatsApp), Google, OpenAI, Amazon Web Services, Twilio, and Stripe. We encourage you to review their respective privacy policies.
13. Children's Privacy
Our services are not intended for children under 13 years of age (or 16 in certain jurisdictions). We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete that information.
14. International Data Transfers
Your information may be transferred to and processed in countries other than your own, including the United States. We ensure appropriate safeguards are in place, including standard contractual clauses, data processing agreements with our service providers, and encryption and security measures for data in transit.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated Privacy Policy on this page and updating the "Last updated" date. For significant changes, we may provide additional notice, such as email notification.
16. Contact Us
If you have questions about this Privacy Policy, our data practices, or wish to exercise your rights, please contact us:
Asistian SAPI de CV
Bulevar Morelos 307, Floor 2, Hermosillo, Sonora, Mexico
Email: hola@asistian.com · Phone & WhatsApp: +52 800 461 1234
17. Compliance
This Privacy Policy is designed to comply with applicable data-protection laws and platform requirements. As a Mexican company, Asistian is governed primarily by Mexico's Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP) and its Regulations. Asistian also aligns its practices with the General Data Protection Regulation (GDPR) of the European Union, the California Consumer Privacy Act (CCPA), and the Lei Geral de Proteção de Dados (LGPD) of Brazil, as well as with the Meta Platform Terms and Developer Policies and the WhatsApp Business Policy.
18. Meta Platform Specific Disclosures
In accordance with Meta's Platform Terms, we disclose the following.
18.1 Data We Access
We access user messages sent to businesses through Facebook Messenger, Instagram Direct, and WhatsApp Business; basic profile information (name and profile picture) as provided by Meta; and page and account information for connected businesses.
18.2 How We Use Meta Platform Data
We use Meta platform data to enable businesses to receive and respond to customer messages, to provide AI-assisted responses on behalf of businesses, to track conversation history for customer service purposes, and to send approved template messages via the WhatsApp Business API.
18.3 Data Deletion
Users can request deletion of their data by contacting us. We provide a data deletion callback for Meta platforms and will process deletion requests within 20 business days. To verify the status of a deletion request, users may contact us with their confirmation code.