Privacy Policy

Last Updated: February 2026

Introduction

MTY Agentic Labs ("we," "our," or "us") is operated by Sand Palace and provides a multi-tenant SaaS platform that enables businesses to manage customer communications across WhatsApp, Messenger, and Instagram through Meta's APIs. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our platform.

Contact Information

Company: MTY Agentic Labs (operated by Sand Palace)

Email: privacy@agenticlabs.site

Location: Monterrey, Nuevo León, Mexico

Information We Collect

1. Meta Platform Data

When you connect your Meta business accounts to our platform, we collect and process:

WhatsApp Business Data:

  • Phone numbers (business and customer)
  • Message content (sent and received)
  • Message delivery status and timestamps
  • Business account metadata
  • Media files shared in conversations

Facebook Messenger Data:

  • User IDs (Page-scoped IDs)
  • Message content (sent and received)
  • Page metadata
  • Message delivery status and timestamps
  • Media files shared in conversations

Instagram Business Data:

  • Instagram user IDs
  • Direct message content (sent and received)
  • Business account metadata
  • Message delivery status and timestamps
  • Media files shared in conversations

OAuth Access Tokens:

  • Meta Platform access tokens (encrypted using Fernet symmetric encryption)
  • Token permissions and scopes
  • Token expiration information

2. Platform Account Data

  • Email addresses
  • Passwords (hashed using bcrypt)
  • Business name and information
  • Billing information (processed via Stripe)

3. Usage Data

  • Platform usage statistics
  • Error logs and debugging information
  • IP addresses (for security purposes)

How We Use Your Information

  • Facilitate messaging between businesses and their customers across WhatsApp, Messenger, and Instagram
  • Display messages in the platform inbox interface
  • Manage and maintain connected Meta business accounts
  • Authenticate users and maintain secure sessions
  • Process billing and subscription payments
  • Detect and prevent fraud or security threats
  • Comply with legal obligations and regulations

Data We Do NOT Collect or Use For

  • We do NOT use your data for advertising purposes
  • We do NOT sell your data to third parties
  • We do NOT use your messages for AI training without explicit consent
  • We do NOT share your data with other platform users

Data Storage and Security

Database: Neon PostgreSQL (cloud-hosted) with AES-256 encryption at rest and TLS 1.3 in transit.

Access Token Encryption: Meta access tokens encrypted using Fernet symmetric encryption with keys stored separately from data.

Security Measures: Industry-standard encryption, secure password hashing (bcrypt), role-based access control, OAuth 2.0 authentication, regular security updates.

Data Sharing and Third Parties

We share your data only with the following trusted third parties:

  • Meta (Facebook, Inc.) — Send and receive messages via WhatsApp, Messenger, and Instagram APIs
  • Stripe — Payment processing and subscription management
  • Cloudflare — CDN services and secure tunnel infrastructure
  • Neon — Database hosting and management

We do NOT sell, rent, or trade your personal data to third parties for marketing purposes.

Data Retention

Messages and conversation history are retained as long as your business account is active. Upon account deletion, all associated data is permanently deleted within 30 days. Backups are purged within 90 days.

Meta Data Deletion Callback

We honor Meta's Data Deletion Callback requirements. When a user deletes their data on Meta's platforms, we receive a deletion request and delete all associated data within 30 days. A unique confirmation code is generated for tracking purposes.

Your Rights

Under GDPR and CCPA, you have the right to:

  • Access — Request a copy of all personal data we hold about you
  • Rectification — Correct inaccurate or incomplete personal data
  • Deletion — Request permanent deletion of your personal data
  • Data Portability — Export your data in a portable format
  • Restrict Processing — Limit how we process your personal data
  • Opt-Out — Opt out of non-essential data collection

To exercise any of these rights, contact us at privacy@agenticlabs.site. We will respond within 30 days.

Children's Privacy

Our platform is not intended for users under the age of 13. We do not knowingly collect personal information from children under 13.

Data Breach Notification

In the event of a data breach, we will notify you within 72 hours of discovery, including the nature of the breach, data affected, and remedial actions taken.

Updates to This Privacy Policy

We may update this Privacy Policy from time to time. You will be notified via email at least 30 days before changes take effect. Continued use of the platform constitutes acceptance.

Contact

Email: privacy@agenticlabs.site

Response Time: Within 30 days

Available Languages: English, Spanish

Effective Date: February 1, 2026 | Version: 1.0 | Governing Law: Laws of Mexico