Peekly


Peekly Privacy Policy

Version: 1.1

Effective Date: June 2025

Peekly is a sub-product of Tiltely LLC ("Peekly", "we", "us", or "our"), a company registered in Wyoming, USA. Peekly provides chatbot services to businesses, allowing them to integrate intelligent automated support and interaction on their websites and third-party messaging platforms, including WhatsApp. This Privacy Policy outlines how we collect, use, protect, and share personal data through Peekly's services, including how we comply with the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable data protection laws.

Notice at Collection

Peekly collects personal data as described below, including data provided by End Users interacting with the chatbot and data collected for our own internal purposes (e.g., service improvement). By interacting with our service, you acknowledge and consent to the collection and processing of your personal data as described in this Privacy Policy.

Peekly provides the underlying infrastructure but does not control what data Clients choose to collect. Peekly disclaims responsibility for any data voluntarily provided by End Users in violation of applicable laws or Client's stated policies.

1. Introduction

Peekly is committed to safeguarding personal data and ensuring transparency in our data processing practices. This policy applies to personal data processed by Peekly on behalf of business clients ("Clients") and, where applicable, directly from users who interact with Peekly ("End Users"), whether through website chat widgets or third-party messaging platforms such as WhatsApp.

Data Roles:

  • When Peekly collects and processes personal data on behalf of a Client (e.g., via website chatbot interaction or WhatsApp messaging), Peekly acts as a Data Processor, and the Client is the Data Controller.
  • When Peekly collects data for its own purposes (e.g., analytics, internal testing, or service improvements), Peekly acts as the Data Controller.

2. Types of Data Collected

Peekly does not independently verify or monitor the legality, accuracy, or appropriateness of the data entered by End Users during interactions. All data collection is governed by the Client's configuration and intended use and therefore the Client's sole responsibility.

Peekly may process the following categories of data, including but not limited to:

From End Users (via Client websites and messaging platforms):

  • Chat interactions and user-generated content (messages typed into the chatbot, which may contain personal data)
  • Names or contact information (if entered)
  • Phone numbers (collected automatically when End Users interact via WhatsApp or other messaging platforms)
  • Preferences or custom fields configured by the Client
  • Technical data (IP address, device type, browser, location estimate — where available depending on the channel)

From Clients (business customers):

  • Name, business contact details
  • Payment and billing information
  • Account activity and service usage

3. How We Use Data

Peekly does not engage in automated decision-making that produces legal or similarly significant effects on individuals.

We process personal data:

  • On behalf of Clients, to provide chatbot responses, store transcripts, or trigger automated workflows across all supported channels including website and WhatsApp (Processor role)
  • For internal purposes, such as service performance monitoring, support, analytics, and AI model improvements (Controller role, only where legally permitted and anonymized if possible)

When End Users interact with the Peekly chatbot, their input messages may be sent to third-party service providers, including OpenAI, for AI-powered response generation. When End Users interact via WhatsApp, messages are sent and received through Meta's WhatsApp Business Platform (WhatsApp Cloud API). This processing is necessary to provide, maintain, and optimize the chatbot service. We do not use End User data for marketing or unrelated profiling. Certain data, such as chatbot inputs, are necessary to provide the service. If you do not provide this data, we may be unable to fulfill your request.

4. Legal Basis for Processing (GDPR)

We process personal data in accordance with Article 6 of the General Data Protection Regulation (GDPR), and we disclose the specific legal basis applicable to each processing purpose:

  • Contractual Necessity: We process personal data when it is necessary to perform our obligations under a contract. This includes:

    • Creating and managing Client accounts
    • Providing the chatbot service and responding to user interactions across all supported channels
    • Handling billing and payment operations
  • Legitimate Interests: We process certain personal data to pursue our legitimate interests, provided that these interests are not overridden by your fundamental rights and freedoms. These legitimate interests include:

    • Ensuring platform security and integrity
    • Preventing misuse or fraud
    • Analyzing performance and usage to improve service functionality
    • Maintaining internal logs and technical records

    We do not rely on legitimate interests where data subjects would reasonably expect a different level of protection or where the processing involves sensitive data. To withdraw consent, End Users may contact us at contact@tiltely.com, or where applicable, use the chatbot interface or account portal to manage preferences.

  • Consent: Where required by law, we rely on your consent to process personal data. This applies to:

    • Sending marketing communications (if implemented in the future)
    • Using non-essential cookies or tracking tools (subject to ePrivacy and regional regulations)

    Consent is obtained explicitly and may be withdrawn at any time without affecting the lawfulness of processing based on consent before its withdrawal.

  • Legal Obligation: In limited cases, we may process personal data as necessary to comply with our legal obligations, such as responding to lawful requests from public authorities or complying with applicable financial or regulatory requirements.

Where we act as a Data Processor on behalf of a Client, we rely on the Client to determine the appropriate lawful basis for processing End User data. As such, the Client remains responsible for ensuring that all data collected through their use of Peekly complies with the applicable legal bases under the GDPR or other relevant data protection laws.

Where Peekly is a Controller, we rely on:

  • Consent (if required, e.g., for analytics or marketing)
  • Contractual necessity (e.g., providing services to Clients)
  • Legitimate interests (e.g., service improvements), where these do not override End User rights

As a Processor, we only process data on the documented instructions of our Clients.

Peekly has conducted a Legitimate Interests Assessment (LIA) for applicable processing activities and determined that such processing does not override the data subject's rights or reasonable expectations.

4A. Client Responsibilities

Peekly provides chatbot infrastructure as a Data Processor, but Clients are ultimately responsible for how personal data is collected and used on their websites and connected messaging platforms. When using Peekly, Clients must:

  • Ensure a valid legal basis (such as consent or legitimate interest) is in place for collecting and processing End User data.
  • Provide appropriate privacy notices on their websites and, where applicable, within messaging platform interactions, informing End Users about how data is processed, including the use of third-party services like Peekly.
  • Configure chatbot interactions responsibly, especially when requesting sensitive or personal information (e.g., names, emails, payment details).
  • Comply with applicable data protection laws, such as the GDPR, CCPA, and others, including honoring End User rights (e.g., deletion or access requests).
  • Comply with the terms, policies, and usage guidelines of any third-party messaging platform integrated with Peekly, including Meta's WhatsApp Business Platform Terms and Commerce Policy.
  • Maintain data accuracy and configure retention policies that align with the principle of storage limitation under Article 5(1)(e) GDPR. Clients must ensure End User data is deleted within a clearly defined retention schedule.
  • Inform Peekly promptly if a data subject makes a request regarding their data that relates to our services.
  • Clients using Peekly to process personal data on their websites or messaging platforms must also agree to our Peekly Data Processing Addendum (DPA). This DPA governs the roles, responsibilities, and safeguards in compliance with GDPR, CCPA, and other data protection laws. The DPA is legally binding upon the Client's use of the Service, regardless of separate signature.

Clients are considered the Data Controllers for all data collected through their websites, messaging platform integrations, and chatbot experiences. Peekly processes data only under the Client's documented instructions. Peekly shall not be considered a Joint Controller for any data collected, stored, or processed through chatbot configurations defined solely by the Client.

Peekly disclaims any liability arising from a Client's failure to fulfill these responsibilities. In the event of a privacy dispute between a Client and an End User, the Client assumes full responsibility as the Data Controller.

5. Sharing and Disclosure

Peekly may share personal data with third-party service providers strictly for operational and support purposes. These subprocessors act only on Peekly's documented instructions and do not use the data for their own purposes. The categories and purposes include:

  • AI Processing Providers (e.g., OpenAI): To process user chatbot input and generate AI responses. Only the message content is shared, not account identifiers unless included by the user.
  • Vector Database Providers (e.g., Pinecone): To store semantic representations (embeddings) of chatbot conversations for session continuity and contextual memory. Stored data is pseudonymized where feasible.
  • Messaging Platform Providers (e.g., Meta Platforms, Inc.): To send and receive messages through third-party messaging platforms such as WhatsApp. When a Client enables WhatsApp integration, End User messages are transmitted through Meta's WhatsApp Cloud API. Meta may independently process certain data (such as phone numbers and message metadata) in accordance with its own privacy policy.
  • Cloud Hosting and Infrastructure Providers: To support delivery and security of the Peekly service.
  • Analytics and Monitoring Tools: For service performance optimization, subject to consent if required by law.

All such subprocessors are bound by contractual safeguards as outlined in the Peekly Data Processing Addendum (DPA), which is incorporated by reference.

Peekly may also share data with:

  • Legal authorities, if required by law
  • Entities involved in business transfers, e.g., mergers or acquisitions

We do not sell personal data. Peekly and Tiltely disclaim responsibility for the actions, security practices, or failures of third-party subprocessors beyond their contractual and legal obligations. Clients are responsible for reviewing and accepting the use of these subprocessors before engaging Peekly's services.

6. Data Retention

  • End User Data: Retained based on Client configuration or as long as needed for service provision. Peekly and Tiltely are not responsible for data lost or deleted due to Client misconfiguration, retention settings, or failure to back up essential records.
  • Client Data: Peekly retains personal data only for as long as necessary to fulfill the purpose for which it was collected, or as required by law. Data retention configurations are available to Clients and must be configured responsibly.

End User data is retained for up to 12 months after last interaction, unless configured differently by the Client. The default is 90 days. Peekly retains certain logs, such as access and modification logs, including chatbot interaction timestamps, API access events, and administrative actions, for up to 5 years for auditing and regulatory compliance. Logs are stored securely and are accessible only by authorized personnel.

Clients may request deletion of data at any time by contacting us at contact@tiltely.com.

The following table summarizes the key data retention periods applied by Peekly in accordance with Article 5(1)(e) of the GDPR:

| Data Type | Retention Duration | Deletion or Expiry Criteria |
|---|---|---|
| Consent Records | 5 years | Consent withdrawn or expired |
| Chat History | Up to 12 months | After 1 year, or earlier upon user request |
| Backups with user data | Up to 6 months | Auto-deleted on schedule (rolling purge) |
| Access Logs | 5 years | Policy-based removal |
| Processing Logs | 2 years | Retained for accountability; not auto-deleted |
| Subprocessor Contracts | Contract duration + 5 years | Deleted after contract end |
| Erasure Request Logs | 5 years (meta only) | Never (no personal data stored) |
| Export Copies | 1 year | Deleted after access is fulfilled |

7. International Data Transfers

As a U.S.-based company, Peekly may transfer personal data to the United States and other countries where we or our subprocessors operate. Peekly uses the European Commission's Standard Contractual Clauses (SCCs) 2021/914/EU as the basis for data transfers to subprocessors outside the EEA. Peekly and Tiltely shall not be held liable for data protection failures caused by foreign subprocessors acting beyond our oversight or control, provided such subprocessors were properly vetted and disclosed.

8. Your Rights (as an End User)

If Peekly is acting as a Processor, please contact the website or business (the Controller) to exercise your rights.

If we are the Controller, you have the right to:

  • Access your data
  • Request correction or deletion
  • Object to or restrict processing
  • Data portability
  • Withdraw consent (where applicable)

You can contact us at contact@tiltely.com to exercise your rights.

Peekly retains anonymized metadata (e.g., timestamps, request type) of user rights requests for up to 5 years to demonstrate compliance under GDPR Article 30.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local Data Protection Authority. EU users may lodge complaints through https://edpb.europa.eu/about-edpb/board/members_en

8A. Your U.S. State Privacy Rights

Residents of certain U.S. states, including California, may have rights regarding their personal data under state-specific privacy laws such as the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), and similar laws in other jurisdictions.

These rights may include:

  • The right to know what personal data we collect and how we use it
  • The right to request access to or deletion of your personal data
  • The right to opt out of the sale or sharing of personal information (we do not sell personal data)
  • The right to correct inaccurate information
  • The right not to be discriminated against for exercising your privacy rights

If Peekly is acting as a Data Processor, End Users must contact the business or website where they interacted with the Peekly chatbot (the Data Controller) to exercise these rights.

If Peekly is acting as the Data Controller, you may contact us at contact@tiltely.com. We will verify your identity before fulfilling any requests.

9. Data Security

Peekly follows industry-standard security practices. However, by using Peekly, Clients and End Users acknowledge that no platform can guarantee absolute security and agree not to hold Peekly or Tiltely liable for security breaches beyond Peekly's direct control. Peekly and Tiltely shall not be held liable for any unauthorized access, data loss, or data breach resulting from external cyberattacks, hacking attempts, or other malicious actions beyond our reasonable control. Peekly's obligation is limited to notifying the Client. The Client remains responsible for fulfilling any End User notifications or regulatory filings required under applicable laws.

In the event of a personal data breach, we will notify affected individuals and relevant authorities in accordance with applicable data protection laws, where Peekly acts as the Controller.

10. Subprocessors

Peekly uses trusted third parties to process data securely on our behalf. A full list of subprocessors is included in the Peekly Data Processing Addendum (DPA) and is updated regularly.

11. Children's Privacy

Peekly does not knowingly collect data from children under 13. It is the Client's responsibility to ensure Peekly is not deployed on websites or messaging platforms targeting children or collecting data from minors in violation of applicable laws.

12. Changes to This Policy

Clients are responsible for reviewing this Privacy Policy regularly. Continued use of Peekly services constitutes acceptance of any updates or changes. Peekly disclaims liability for Clients failing to inform their End Users of such changes. Peekly will provide advance notice of material changes to this Privacy Policy either through its website or directly to Clients where required by law. Clients are responsible for ensuring their End Users are informed of any such updates.

13. Contact Us

For any questions or privacy-related concerns, please contact:

Email: contact@tiltely.com

Data Controller Contact (for GDPR-related inquiries): Tiltely LLC, acting as Peekly's legal entity

Email: contact@tiltely.com

14. Global Data Protection Compliance

Peekly complies with the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA), and other applicable privacy laws globally, including data protection laws in the United States, Canada, Brazil (LGPD), and Australia (Privacy Act).

We have tailored our practices to ensure that End Users and Clients worldwide are informed of their rights and have control over their data. If you reside in a jurisdiction with specific data protection laws, you may have rights such as access, correction, deletion, or restriction of processing, as described in this Privacy Policy.

Peekly makes no guarantees regarding uninterrupted service, real-time data availability, or error-free operation. To the maximum extent permitted by applicable law, Peekly and Tiltely shall not be held liable for damages, data loss, or system unavailability caused by unforeseen outages, force majeure events, or third-party service failures beyond their reasonable control.

Peekly shall not be held liable for any direct or indirect damages resulting from Client misconfiguration, unlawful chatbot deployment, or failure to comply with regional data privacy laws.