Privacy Policy

1. Introduction

Tromsø AI ("we", "us", "our", or "Company") operates the tromso.ai website and Facebook Messenger Bot (collectively, the "Service"). This page informs you of our policies regarding the collection, use, and disclosure of personal data when you use our Service and the choices you have associated with that data.

2. Data Collection

We collect the following types of data:

2.1 Messages and Conversations

• Direct Messages: Text messages sent to us via Facebook Messenger
• Comments: Public comments on our Facebook page posts
• Reviews: Public reviews and ratings on our Facebook page
• Page Mentions: Public mentions of our Facebook page

2.2 User Identifiers

• Facebook User ID: Unique identifier assigned by Facebook
• Message Metadata: Timestamp, message ID, interaction type

2.3 Automatic Data

• Interaction logs: Type of interaction (message, comment, review)
• Response data: Timestamps of our responses
• Error logs: Technical errors for debugging purposes

3. Data Usage

We use collected data for the following purposes:

• Service Delivery: To respond to your messages, comments, and reviews with AI-powered guidance about Tromsø
• Conversation Context: To maintain conversation history for up to 30 minutes per session to provide contextual responses
• Service Improvement: To analyze interactions and improve our bot's responses
• Technical Support: To debug issues and ensure the service operates properly
• Compliance: To comply with legal obligations and Facebook's Platform Policies

4. Data Retention

We retain your data as follows:

• Conversation History: Stored in memory only for the duration of your session (maximum 30 minutes of inactivity)
• Audit Logs: Retained for up to 30 days for compliance and debugging purposes
• Message Content: Not stored permanently; messages are processed and then discarded
• Automatic Deletion: All personal data is automatically deleted after 30 days

Note: Messages sent via Facebook Messenger remain in your Facebook account and are subject to Facebook's own privacy policies.

5. Third-Party Services

We use third-party services that may collect or process data:

• Anthropic Claude API: Your messages are sent to Anthropic's Claude API to generate AI responses. Anthropic processes this data according to their Privacy Policy: https://www.anthropic.com/privacy
• Facebook/Meta: All data flows through Facebook's systems. Facebook processes this data according to their Data Policy: https://www.facebook.com/privacy/explanation
• Supabase: Audit logs may be stored in Supabase's PostgreSQL database. Supabase's Privacy Policy: https://supabase.com/privacy

6. Your Rights

You have the following rights regarding your data:

6.1 Right to Access

You can request a copy of all data we have collected about you by sending a request to privacy@tromso.ai

6.2 Right to Deletion

You can request deletion of your data at any time. Send a request to privacy@tromso.ai with your Facebook User ID or the email address associated with your account. We will delete all stored data within 7 business days.

6.3 Right to Portability

You can request your data in a portable format. We will provide this in JSON format within 7 business days.

6.4 Right to Object

You can object to certain processing of your data. Contact us at privacy@tromso.ai

7. Data Security

The security of your data is important to us, but remember that no method of transmission over the Internet or method of electronic storage is 100% secure. We implement the following security measures:

• HTTPS/TLS encryption for all data in transit
• HMAC-SHA256 signature verification for all webhook payloads from Facebook
• Environment-based API key management (keys not stored in code)
• 30-minute session timeout for conversation data
• Automatic deletion of data after 30 days

8. Children's Privacy

Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal data, we will immediately delete such information and terminate the child's use of the Service.

9. International Data Transfers

Your data may be transferred to, stored in, and processed in countries other than your country of residence. These countries may have data protection laws that differ from your country. By using our Service, you consent to the transfer of your data to countries outside your country of residence, which may include countries that do not have data protection laws equivalent to those in your country.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on the Service and updating the "Last updated" date at the top of this page. Your continued use of the Service after such modifications will constitute your acknowledgment of the modified Privacy Policy and your agreement to abide and be bound by the modified Privacy Policy.