MasEase Privacy Policy

This Privacy Policy explains how MasEase (the 'Controller') collects, uses, shares, and protects personal data when providing its website, landing pages, and web application services (the 'Service').

This notice is designed to meet the transparency requirements of Articles 12-13 GDPR and applies to visitors, account holders, and integration users in the EEA/UK.

If a Data Protection Officer (DPO) is appointed, DPO contact details will be published here; otherwise a privacy contact is provided as above.

• Account data: name, email, business details, role, and authentication identifiers (e.g., Google sign-in).
• Billing and payments: subscription tier, tax information, and payment transaction metadata processed by our payment provider (card data is not stored by us).
• Meta Platform data (when you connect Facebook, Instagram, or WhatsApp): Page-scoped user IDs (PSIDs) and Instagram-scoped user IDs (IGSIDs) of individuals who message your connected Page or account; message content sent to and from those Pages; page metadata (Page ID, Page name, access tokens); read receipt signals; and, where applicable, Instagram Business account identifiers. This data is processed solely to operate the automated booking and lead-qualification service on behalf of the connecting business (the Page owner). MasEase does not use Meta Platform data for advertising, profiling, or any purpose beyond delivering the Service to the business that connected the integration.
• Usage and device data: IP address, device/browser type, pages viewed, time on page, engagement metrics and event logs, collected via our application platform (e.g., Supabase) and limited diagnostics.
• Notifications data: device tokens for push or in-app alerts where enabled.

We do not intentionally collect special category data; where such data is present in imported leads, processing is limited to providing the Service and minimized by design.

MasEase connects to Facebook Pages, Instagram Business accounts, and WhatsApp Business accounts via Meta's Graph API. When a business user connects their account, MasEase requests the following permissions on their behalf:

• pages_messaging — to send and receive messages on the connected Facebook Page
• pages_show_list — to allow the business user to select which Page to connect
• instagram_business_messaging — to send and receive Instagram Direct Messages
• message_reads — to receive read receipt signals for messages on connected Instagram accounts

Data accessed under these permissions is processed on behalf of the business (the Page owner), not for MasEase's independent purposes. MasEase acts as a data processor for the business in respect of message content and contact identifiers originating from Meta platforms.

Retention: Meta Platform message data and associated contact identifiers are retained for as long as the business account is active on MasEase, and deleted within 30 days of account termination or upon a valid deletion request.

Data deletion: If you are an individual who has messaged a MasEase-connected Facebook Page or Instagram account and wish to request deletion of your data, you may submit a request via Facebook's platform or directly to the business you messaged. MasEase provides a data deletion callback endpoint required by Meta at https://staging.masease.com/api/meta/data-deletion. Upon receiving a verified deletion request, MasEase will delete all associated records within 30 days and provide a confirmation code for tracking.

Human access to messages: Where a business user activates human handoff mode, team members of that business may read message content within the MasEase admin interface. MasEase staff do not access message content except as required for technical support, with explicit business account holder consent.

No data sold or shared with third parties: Meta Platform data is never sold, rented, or shared with third parties outside the processors listed below, and is never used for cross-context advertising.

We share personal data with trusted service providers acting under written data processing terms, solely for the purposes described:

• Platform/hosting and database: Supabase (infrastructure, authentication, storage, EU region).
• Payments: Stripe (payment processing, subscription management).
• Authentication and sign-in: Google (OAuth sign-in).
• Meta Platforms, Inc.: Graph API access for Facebook, Instagram, and WhatsApp integrations — MasEase operates as a Meta Business Partner accessing the API on behalf of connected business accounts.
• Professional advisors and authorities where legally required (e.g., tax authorities, courts).

A current list of core processors and sub-processors is available on request and may be updated as our stack evolves.

Individuals in the EEA/UK have rights under GDPR: access, rectification, erasure, restriction, portability, objection to processing based on legitimate interests, and the right to withdraw consent at any time (without affecting prior processing).

Requests can be submitted to the contact above. We respond without undue delay and in any event within one month of receipt; where necessary due to complexity or number of requests, we may extend by up to two further months and will notify within the first month with reasons.

If concerns remain, a complaint may be lodged with a supervisory authority in the EU/EEA/UK where residence, work, or the alleged infringement occurs.

Rights relating to Meta Platform data: If your data was processed as a result of messaging a MasEase-connected Facebook Page or Instagram account, you may exercise your rights (including erasure) by contacting the business directly or by using Facebook's built-in data controls. MasEase will honour deletion requests received via Meta's callback mechanism within 30 days.