Smagle — AI-powered business management

Privacy Policy

Last updated: May 2, 2026 · Effective date: May 2, 2026

1. Plain-language summary

Smagle is a business management platform. Two groups of people interact with us: business owners who use Smagle to run their business, and the clients of those businesses, who receive invoices, appointment reminders, receipts, and similar messages.

  • We collect the information needed to operate the platform — account info, business data, payment data, and messages exchanged with the AI Business Manager.
  • We do not sell your data. We do not share it with advertisers.
  • We use sub-processors (Stripe, AWS, Meta/WhatsApp, Telegram, email providers) to deliver the service.
  • You can export or delete your data at any time. Contact privacy@smagle.com.

2. Who we are

Smagle is operated by Smagle Inc. ("Smagle," "we," "us"), a company incorporated in Canada. Our registered address and CRA business number are available on request. We are the data controller for information described in this policy.

3. Information we collect

3.1 From business owners (our customers)

  • Account information: name, email, phone number, password (hashed), business name, business type, location.
  • Business operations data: customer records, invoices, estimates, appointments, products, inventory, time entries, expenses, projects, team members.
  • Payment information: handled by Stripe; we receive metadata (last 4 digits, transaction IDs, status) but do not store full card numbers.
  • Communications: messages exchanged with the AI Business Manager across web, WhatsApp, Telegram, and the client portal.
  • Usage data: log-ins, features used, pages visited, errors encountered.

3.2 From clients of our customers

When a business owner adds you as a customer in Smagle, we may store:

  • Your name, email, phone number, and address (provided by the business).
  • Records of invoices, appointments, and payments related to that business.
  • Messages you send through that business's client portal or to its WhatsApp/Telegram Business Manager.

The business owner is the data controller for client records they enter. Smagle processes this data on their behalf. If you are a client and want your information removed, please contact the business directly. You may also email us at privacy@smagle.com and we will assist.

4. How we use information

  • Operate the platform: authenticate accounts, run the AI Business Manager, send invoices and reminders.
  • Process payments: facilitate transactions through Stripe Connect.
  • Provide support: respond to questions, troubleshoot issues, communicate service-related notices.
  • Improve the product: analyze usage patterns to improve features. We do not use individual customer data to train third-party AI models.
  • Comply with law: meet tax, accounting, and regulatory obligations.
  • Prevent abuse: detect and prevent fraud, spam, and policy violations.

6. How we share information

We share information only with sub-processors necessary to deliver the platform, and only with the data minimum required for the function in question.

  • Amazon Web Services (AWS): hosting, database, file storage. Region: us-east-1 with backups in Canada-central where applicable.
  • Stripe: payment processing and Stripe Connect onboarding for businesses that accept payments.
  • Meta (WhatsApp Business Cloud API): when you connect WhatsApp. See section 7.
  • Telegram: when you connect Telegram. See section 8.
  • Email providers (Amazon SES, Resend): transactional and marketing email delivery.
  • Anthropic: the AI Business Manager uses Anthropic's Claude API for natural-language understanding. See section 12.
  • Analytics: aggregate, privacy-preserving analytics (no personal-identifier resale).

We do not sell personal information. We do not share data with advertisers, data brokers, or marketing networks.

7. WhatsApp Business channel

This section applies if you, or a business you transact with, connects WhatsApp Business to Smagle. It is included to comply with Meta's WhatsApp Business Solution Terms and Cloud API requirements.

7.1 What we do

When a business owner connects their WhatsApp Business Account to Smagle through Meta's authorization flow, we receive and store:

  • The owner's WhatsApp Business Account ID and Phone Number ID issued by Meta.
  • An access token, encrypted at rest, used solely to send and receive messages on the owner's behalf.
  • The verified business display name.
  • A mapping between the WhatsApp phone numbers of the owner's authorized users and their Smagle user accounts.

7.2 Inbound messages

When a business owner messages their Smagle Business Manager via WhatsApp, the message text and metadata (sender phone, timestamp) are received via Meta's webhook and processed by our AI agent to fulfill the request. Conversations are retained as part of the business's chat history and may be reviewed by the business owner.

7.3 Outbound messages to a business's clients

When a business sends a WhatsApp message to one of its clients (for example, an invoice notification or appointment reminder), Smagle transmits the message to Meta's WhatsApp Business Cloud API on the business's behalf. Outbound messages outside the 24-hour customer service window use only Meta-approved utility templates. We do not send marketing or promotional WhatsApp messages on behalf of any business without explicit, documented opt-in from the recipient.

7.4 What Meta receives

Meta receives message content and metadata necessary to deliver messages between the business and its clients. Meta's privacy policy applies to any data Meta processes: whatsapp.com/legal/business-policy.

7.5 Your rights as a recipient

  • You may opt out of WhatsApp messages from any Smagle-connected business by replying STOP to a message from that business. The business is required to honor opt-outs and we will block further outbound sends to your number from that business.
  • You may request deletion of your message history with a specific business by contacting that business directly, or by emailing privacy@smagle.com.
  • Inbound messages you send are stored only in association with the business you sent them to; they are not aggregated across businesses.

7.6 Limits on our use

  • We do not use WhatsApp data for advertising.
  • We do not aggregate WhatsApp data across unaffiliated businesses for analytics.
  • We do not provide WhatsApp data to third parties except Meta for the purpose of message delivery.
  • We do not retain WhatsApp messages longer than necessary for the business's operating records (see section 14).

8. Telegram channel

When a business connects a Telegram bot to Smagle, we store the bot token and bot username. Telegram's servers handle message delivery and metadata; we receive only message text and sender ID for the purpose of routing the message to the AI Business Manager. Telegram's privacy policy applies to data Telegram processes: telegram.org/privacy.

9. Payments and Stripe

Payments are processed by Stripe. When a business owner uses Stripe Connect, the owner agrees to Stripe's Connected Account Agreement and is the merchant of record for transactions on their account. We receive metadata (transaction IDs, last 4 digits, payment status) and do not have access to full card numbers or banking credentials.

Stripe's privacy policy: stripe.com/privacy.

10. Email and notifications

Transactional emails (invoices, receipts, appointment reminders) are sent through Amazon SES and Resend. Marketing emails are sent only to users who opt in and can be unsubscribed via the link in every message.

11. Cookies and analytics

We use first-party cookies for essential platform function (authentication, session management). We use privacy-preserving analytics to understand aggregate usage patterns. We do not use third-party advertising cookies. You can manage cookies through your browser settings; disabling essential cookies will prevent the platform from functioning.

12. AI Business Manager and your data

The AI Business Manager processes your messages using Anthropic's Claude API. Messages are sent to Anthropic for the sole purpose of generating a response to your request. Per our agreement with Anthropic, your inputs and outputs are not used to train Anthropic's general models.

The AI may access data within your tenant (customers, invoices, appointments, etc.) when needed to answer a question or take an action you requested. It does not access data from other tenants.

13. Security

  • All data in transit is encrypted using TLS 1.2 or higher.
  • Sensitive credentials (API tokens, OAuth tokens) are encrypted at rest using AES-256 with AWS KMS-managed keys.
  • Passwords are stored as bcrypt hashes; we do not have access to your password.
  • Per-tenant database isolation prevents cross-tenant data access at the application layer.
  • We monitor production systems 24/7 for security events and operate a documented incident response process.
  • SOC 2 Type 2 audit is scoped for completion in 2027.

14. Data retention

  • Active accounts: data retained as long as your account is active.
  • Cancelled accounts: we retain account data for 90 days after cancellation, then delete it (except where required by law to retain longer, e.g., tax records).
  • Chat history (web, WhatsApp, Telegram, portal): retained for 24 months by default; you can delete history at any time from the AI Business Manager settings.
  • Backups: encrypted backups retained for 30 days for disaster recovery.

15. Your rights

Depending on your location, you have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate information.
  • Request deletion of your information (subject to legal retention obligations).
  • Export your data in a portable format.
  • Withdraw consent for optional uses such as marketing email.
  • Lodge a complaint with the Office of the Privacy Commissioner of Canada or your local data protection authority.

To exercise any of these rights, email privacy@smagle.com. We will respond within 30 days.

16. Children

Smagle is not intended for use by children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.

17. International transfers

Smagle is operated from Canada. Our primary infrastructure is in AWS us-east-1 (United States). When you use Smagle outside Canada or the United States, your data may be transferred to and processed in these regions. We rely on Standard Contractual Clauses and equivalent safeguards where required by GDPR / UK GDPR.

18. Changes to this policy

We may update this policy from time to time. Material changes will be communicated via email to account holders at least 30 days before taking effect. Continued use of Smagle after the effective date constitutes acceptance of the revised policy. The current version is always available at this URL.

19. Contact us

For privacy questions, requests, or complaints:

For service status, see our status page. For terms of service, see our terms.