HattoriHattori

Privacy Policy

Last updated: May 13, 2026

Hattori (the "Service", "we") is an AI agent that automatically replies to customer messages in Instagram Direct and Telegram on behalf of a seller. This policy describes what data we collect, how we use it, and your rights.

1. Data Controller

The data controller is the owner of the specific shop that connected Hattori to their Instagram account or Telegram bot. Hattori acts as a data processor on their behalf.

2. What We Collect

  • Message content between the customer and the shop (text, voice, metadata).
  • Public Instagram/Telegram profile of the customer (username, display name, avatar).
  • Shop ID, conversation ID, message timestamps.
  • AI metrics (tokens used, processing time, classified intent).
  • Seller credentials (email, bcrypt-hashed password) — only for admin panel sign-in.
  • Session technicals: auth cookies, IP address on admin login.

3. How We Use Data

  • So the AI can reply to customers in the shop's voice.
  • To show the seller their conversation history and leads in the admin panel.
  • To compute analytics (volume, lead conversion, AI cost).
  • To send the seller Telegram alerts about hot leads.

We do not use customer data for ads, retargeting, or sale to third parties.

4. Cookies

We use only essential cookies for admin panel authentication (a JWT token in a regular cookie with sameSite=lax and secure flags in production). We don't use ad or analytics cookies.

5. Third Parties

To operate the AI we share message content with:

  • OpenAI (US) — AI reply generation and Whisper voice transcription.
  • Meta (US) — receiving and sending Instagram Direct messages.
  • Telegram (international) — receiving/sending messages and alerts.

These services are sub-processors with their own privacy policies.

6. International Data Transfer

OpenAI and Meta servers are located in the US. By connecting a shop to Hattori, the seller confirms that they have notified their customers or otherwise established a lawful basis for transferring personal data internationally.

7. Retention

We keep messages and metadata while the shop is active. After a shop is disconnected or an account is deleted, all related data is removed within 30 days. Backups are purged within 90 days.

8. Children's Privacy

The Service is not intended for individuals under 13 (or 16 in jurisdictions with a higher threshold). We do not knowingly collect data from minors. If we learn we hold such data, we will delete it promptly.

9. Your Rights

You may:

  • Request a copy of the data we store about you.
  • Request deletion (right to be forgotten).
  • Withdraw consent to processing.

Email privacy@hattori.uz with subject "Data deletion request" and your Instagram/Telegram username. We reply within 30 days.

10. Security

Data is transmitted over HTTPS. Passwords are bcrypt-hashed. Instagram tokens are AES-256-encrypted at rest. Production server SSH is key-only.

11. Changes

We will notify sellers by email of any material changes and update the date at the top of this document.

12. Contact

Questions — privacy@hattori.uz.