Privacy Policy

Last updated: April 28, 2026

Saya Mongolia LLC ("Saya", "we", "our") operates the Saya e-commerce intelligence platform at saya.mn ("Service"). This Privacy Policy explains what data we collect, why we collect it, how we use it, how long we retain it, and the rights you have over it.

Our Service is built for online merchants and integrates with third-party platforms including Meta (Facebook & Instagram), Google, payment providers, and SMS gateways. When you connect a third-party platform we act as a data processor on behalf of the merchant who owns that account.

1. Data we collect

1.1 Account & merchant data

  • Email address, full name, phone number (for sign-in & support).
  • Organization name, billing plan, payment method metadata.
  • Audit logs of significant administrative actions.

1.2 Meta Platform data

When a merchant connects their Facebook Page or Instagram Business account we receive and store:

  • Page metadata — page id, name, category, profile picture, list of page roles you hold.
  • Page Access Tokens — encrypted at rest with AES-256-GCM and never written to logs.
  • Inbound comments & messages — the text body, sender id, sender display name, timestamps, attachments.
  • Outbound replies — text and timestamps of replies our operators or AI-assisted drafts send to your customers.
  • Ad Library data (public) — ad creatives, copy, targeting summaries, spend bands, and reach statistics for competitive intelligence dashboards.

We do not collect ad-account financial data, friends lists, profile photos beyond your page's public profile, or any non-page-related personal Meta data.

1.3 Customer-of-merchant data

When a person comments on a merchant's Facebook Page or sends a Messenger DM, we capture the comment/message content, the platform-issued sender id, the display name as shown by Meta, and any phone number the user voluntarily includes in their message in order to create a draft sales order. This data is stored only for the merchant who owns the page and is never shared with other merchants.

1.4 Technical telemetry

  • IP address, browser user-agent, device type (login & security audit only).
  • Server logs (without sensitive payloads) for 30 days.
  • Aggregated, non-identifying performance metrics.

2. How we use your data

  • To provide the Service: showing your Page's comments and DMs in our inbox, drafting replies, suggesting orders, and sending CAPI events back to Meta on the merchant's behalf.
  • To detect phone numbers in customer messages and create pending sales orders so the merchant can fulfill them quickly.
  • To provide AI-assisted draft responses (the merchant approves before sending).
  • To bill merchants and prevent abuse.
  • To comply with legal obligations.

We never sell your personal data. We never use the content of your comments or messages to train large language models.

3. Sharing & sub-processors

We rely on the following sub-processors strictly to operate the Service:

  • Meta Platforms, Inc. — webhook delivery, Conversion API, Graph API.
  • Cloudflare / Caddy — TLS termination & CDN.
  • Anthropic & Google AI — AI draft generation (data is sent ephemerally; not used for model training per their enterprise terms).
  • QPay LLC — payment processing for merchant subscriptions.
  • Resend / SMS gateway — transactional email and SMS delivery.

We do not share customer-of-merchant data with third parties other than the merchant who owns the page and the sub-processors above.

4. Retention

  • Comments, messages, and orders are retained while the merchant's subscription is active and for 12 months after cancellation, after which they are anonymized.
  • Page Access Tokens are revoked and deleted immediately when a merchant disconnects their page.
  • Server access logs are retained for 30 days.
  • Billing records are retained for 7 years to comply with tax law.

5. Your rights (data subject requests)

  • Access — request a copy of all personal data we hold about you.
  • Correction — ask us to correct inaccurate data.
  • Deletion — request erasure (see Data Deletion Instructions).
  • Portability — request export in a machine-readable format.
  • Withdrawal — disconnect your Facebook Page at any time from Admin → Settings → Channels; doing so revokes our access immediately.

To exercise any right, email support@saya.mn. We respond within 30 days.

6. Security

  • All traffic is encrypted with TLS 1.2+.
  • Page Access Tokens and SMS gateway credentials are encrypted at rest with AES-256-GCM.
  • Production secrets are managed exclusively via environment variables, never committed to version control.
  • Sensitive payloads (tokens, full phone numbers, message bodies) are never written to application logs.
  • Multi-tenant isolation is enforced at the database query layer; cross-tenant data access is treated as a P0 security incident.

7. Children

The Service is not directed at children under 13 (or under the age of digital consent in your jurisdiction). We do not knowingly collect data from children.

8. International transfers

Our primary infrastructure is hosted in Europe (Frankfurt). Sub-processors may process data in the United States and other regions. Where transfers occur we rely on Standard Contractual Clauses or equivalent safeguards.

9. Changes to this Policy

We will notify merchants by email and post a banner in the dashboard at least 14 days before any material change takes effect. Continued use of the Service after the effective date constitutes acceptance.

10. Contact

Saya Mongolia LLC
Ulaanbaatar, Mongolia
support@saya.mn


Mongolian summary

Saya stores data such as your Facebook Page's comments, Messenger messages, and phone numbers solely for the purpose of serving the business that owns the Page. All access tokens are stored encrypted, and sensitive data is not written to logs. You have the right to have your data deleted, exported, or corrected. Contact: support@saya.mn. For details, please read the English version above.