Privacy Policy
1. Introduction and Data Controller
This Privacy Policy explains how Jakiagency ("Jakiagency", "we", "us", "our") collects, uses, shares and safeguards personal data of individuals who interact with our services, including our website jakiagency.com and the conversational AI (chatbot) solutions we operate on behalf of our clients on Facebook Messenger, Instagram Direct, and WhatsApp Business.
Jakiagency is a sole proprietorship (individual activity) registered in Lithuania. For the purposes of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Lithuanian Law on Legal Protection of Personal Data, Jakiagency acts as a data controller for the personal data it determines the purposes and means of processing for, and as a data processor when processing personal data on behalf of business clients (for example, a dental clinic using our chatbot to manage patient inquiries).
Where a business client defines the purposes of processing (for example, which patient data is collected and how long it is retained), that client is the controller and Jakiagency acts as their processor under a written data processing agreement. For certain health-related processing, Jakiagency and the clinic may act as joint controllers under Article 26 GDPR.
1.1 Controller identity and contact
JakiagencyOwner: Vasaris Knizleris
Individual activity certificate / Tax ID: 50602010158
S. Konarskio g. 18-55, Vilnius, 03124, Lithuania
Website: https://jakiagency.com
Email: team@jakiagency.com
1.2 Data Protection contact
A formal Data Protection Officer (DPO) is not mandatory for Jakiagency under Article 37 GDPR, as we do not meet the criteria requiring appointment. Vasaris Knizleris is the designated contact point for all data protection matters and handles data subject requests personally. All privacy enquiries, rights requests, and complaints can be sent to team@jakiagency.com.
2. Data We Collect
We collect personal data from several distinct sources. The following subsections describe each source and the categories of data involved.
2.1 Data from Meta platforms (Facebook, Messenger, Instagram, WhatsApp)
When a user interacts with a chatbot we operate on a Meta platform, we receive the following categories of data through the Meta Graph API, Messenger Platform, Instagram Messaging API, or WhatsApp Business Platform, as applicable:
- Platform identifiers: Page-Scoped User ID (PSID), Instagram-Scoped ID (IGSID), WhatsApp phone number, or other opaque platform identifiers provided by Meta.
- Public profile information: first name, last name, profile picture, locale, time zone (only where provided by Meta and required for the service).
- Message content: text, attachments, stickers, voice notes, images, and other media sent to or from the chatbot.
- Message metadata: timestamps, delivery status, message IDs, conversation context, and language.
- WhatsApp-specific data: phone number, display name, opt-in status, and template message identifiers.
- Facebook Login data (only where a user explicitly authenticates via Facebook Login on our client's surface): email address and the specific permissions the user has granted.
We do not access a user's friends list, contacts, photos, or any Meta data beyond what is strictly necessary to deliver the requested chatbot service.
2.2 Data from the website (jakiagency.com)
- Strictly necessary cookies: session cookie and CSRF-protection cookie required for the site to function securely. No third-party analytics, advertising, or tracking cookies are used.
- Contact form submissions: name, email address, company, and the content of the message you send us.
- Server and security logs: IP address, user agent, requested URL, HTTP status, and timestamp, retained for a short period to protect the service against abuse.
2.3 Data from chatbot interactions
- Conversation content (questions asked, answers given).
- Appointment preferences (preferred date, time, service type).
- Language and communication preferences.
- Chatbot-assigned session identifiers and conversation state.
- Where applicable, information you provide voluntarily such as name, phone number, or email for follow-up.
2.4 Special categories of data — health information (GDPR Article 9)
When our chatbot is operated for a healthcare client (for example, a dental clinic), users may voluntarily share information that qualifies as a special category of personal data under Article 9 GDPR, including:
- Symptoms, pain descriptions, or dental complaints;
- Treatment history or ongoing care;
- Medication or allergy information relevant to the appointment;
- Other health-related details shared in the course of the consultation or booking.
Health data is processed only when strictly necessary to deliver the healthcare-related service requested by the user, and only under a lawful basis set out in Section 4 (typically explicit consent under Article 9(2)(a) and/or provision of healthcare under Article 9(2)(h) on behalf of the clinic). Additional safeguards apply to this data (see Section 11).
3. How We Use Data
We use personal data only for the specific, lawful purposes listed below. We do not use personal data for profiling that produces legal or similarly significant effects, and we do not use it for behavioural advertising.
- Answering patient and customer inquiries sent through Messenger, Instagram, or WhatsApp (including routing the conversation to human staff where needed).
- Scheduling, rescheduling, and cancelling appointments with the relevant healthcare client.
- Sending transactional messages such as appointment confirmations, reminders, and follow-up questions, where allowed by Meta's rules and by the user's opt-in.
- Identifying urgent or safety-related cases so that human staff can intervene quickly.
- Operating, maintaining, and securing our chatbot infrastructure, including preventing abuse, spam, and unauthorized access.
- Improving the quality of our chatbot using aggregated or anonymized data only; individual conversations are not used to train third-party foundation models without a specific, separate legal basis.
- Responding to data subject requests and complying with legal obligations (accounting, tax, responding to lawful requests from authorities).
- Communicating with business prospects and clients who contact us through jakiagency.com.
4. Legal Basis
We rely on the following legal bases under Article 6 GDPR, and — for health data — Article 9 GDPR:
| Purpose | Legal basis |
|---|---|
| Responding to messages you send to the chatbot; booking and managing appointments. | Performance of a contract or steps taken at your request prior to entering a contract — Article 6(1)(b). |
| Processing health-related information you voluntarily share. | Your explicit consent — Article 9(2)(a); and/or provision of healthcare by or on behalf of a health professional bound by confidentiality — Article 9(2)(h). |
| Sending marketing or non-transactional messages. | Your prior, specific, informed consent — Article 6(1)(a); you may withdraw consent at any time. |
| Security, abuse prevention, and operational integrity of the chatbot and website. | Our legitimate interests in operating a safe service, balanced against your rights and freedoms — Article 6(1)(f). |
| Accounting, tax, and legal record-keeping. | Compliance with a legal obligation — Article 6(1)(c). |
| Responding to contact form messages from business prospects. | Legitimate interest in replying to business enquiries, or steps prior to entering a contract — Article 6(1)(b) / (f). |
Where we rely on legitimate interests, we have carried out a balancing test and concluded that our interests do not override your fundamental rights. You can request details of this assessment at any time.
5. Data Sharing
We share personal data only with the following categories of recipients, and only to the extent necessary for the purposes described in this policy. We do not sell personal data, and we do not share it for third-party advertising.
- Meta Platforms Ireland Ltd. — as the operator of Facebook, Messenger, Instagram, and WhatsApp, Meta transports and temporarily stores messages exchanged through its platforms. Meta's own processing is governed by the Meta Privacy Policy and the WhatsApp Privacy Policy.
- Our healthcare clients (for example, a dental clinic) — when the chatbot is deployed for a clinic, patient messages and appointment data are shared with the clinic. The clinic is either the sole controller (with Jakiagency acting as its processor) or a joint controller with Jakiagency for specifically defined processing activities, as set out in our written arrangement with that clinic.
- Infrastructure subprocessors — carefully selected cloud hosting, database, messaging API, and AI model providers that we use to run the chatbot. All subprocessors are bound by written agreements containing GDPR-compliant terms and appropriate confidentiality and security obligations.
- Professional advisors — accountants, lawyers, and auditors, bound by confidentiality duties, where strictly necessary.
- Competent authorities — where we are legally required to disclose data, for example in response to a valid court order or lawful request from a supervisory authority.
A current list of subprocessors is available on request by emailing team@jakiagency.com.
6. Data Retention Periods
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law. Specific retention periods:
| Data category | Retention period |
|---|---|
| Chatbot conversation history (including Meta platform IDs and message content) | Up to 24 months from the last interaction, or shorter if required by the healthcare client's own retention policy. |
| Health data shared in chatbot conversations | Kept only for the period needed by the healthcare client to deliver the service and to comply with Lithuanian medical record-keeping rules; thereafter deleted or returned to the client. |
| Appointment records | As defined by the healthcare client (typically aligned with Lithuanian patient record retention rules). |
| Website contact form submissions | 24 months from the last contact, unless a business relationship continues. |
| Website server and security logs | Up to 90 days. |
| Accounting and tax records | 10 years, as required by Lithuanian law. |
| Data deletion request log (proof that a request was handled) | 3 years from completion of the request. |
When retention periods expire, data is either securely deleted or irreversibly anonymized.
7. Your Rights Under GDPR
Regardless of the Meta platform you use to interact with us, you have the following rights in relation to personal data we process about you:
- Right of access (Article 15) — obtain confirmation whether we process your personal data and receive a copy of it.
- Right to rectification (Article 16) — have inaccurate or incomplete data corrected.
- Right to erasure / "right to be forgotten" (Article 17) — have your data deleted in the cases set out in GDPR (see Section 8 for the practical procedure).
- Right to restriction of processing (Article 18) — ask us to limit how we process your data in certain circumstances.
- Right to data portability (Article 20) — receive the data you provided to us in a structured, commonly used, machine-readable format, and have it transmitted to another controller where technically feasible.
- Right to object (Article 21) — object to processing based on our legitimate interests, including any form of profiling.
- Right to withdraw consent (Article 7(3)) — withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing already carried out.
- Right to lodge a complaint with a supervisory authority (Article 77) — in particular with the Lithuanian State Data Protection Inspectorate (see Section 15), or with the supervisory authority in your EU/EEA country of residence.
To exercise any of these rights, email team@jakiagency.com. We may ask for information to verify your identity before acting on your request. We will respond without undue delay, and in any event within one (1) month, which may be extended by a further two (2) months for complex or numerous requests — in which case we will inform you of the extension and the reasons for the delay.
8. Data Deletion Procedure
This section is the official Data Deletion Instructions URL for Meta Developer Platform. It is permanently available at https://jakiagency.com/privacy-policy#data-deletion.
8.1 How to request deletion of your data
To request deletion of the personal data Jakiagency holds about you, send an email to team@jakiagency.com with the subject line "Data Deletion Request", including:
- The Meta platform(s) you used to interact with us (Facebook / Messenger, Instagram, or WhatsApp), or a statement that your request concerns our website.
- The identifier you used on that platform (for example, your Facebook or Instagram handle, the phone number used on WhatsApp, or the email you used on our website).
- A brief description of the data you want deleted (for example, "all chatbot conversations with the dental clinic X").
We may request additional information strictly necessary to verify that the request comes from you, in order to prevent unauthorized deletion.
8.2 Response timeframe
We will acknowledge your request within five (5) business days and complete the deletion within a maximum of thirty (30) days of verification, in line with GDPR Article 12(3). If we cannot honour the request in full (for example, because we are legally required to retain certain records such as accounting data), we will explain which data remains and on what legal basis.
8.3 Revoking app permissions directly on Meta platforms
You can also revoke the permissions the chatbot received from you, independently of contacting us:
- Facebook / Messenger: open Facebook → Settings & Privacy → Settings → Apps and Websites → find the application associated with the chatbot → Remove. You may additionally choose to delete the message thread from your Messenger inbox.
- Instagram: open Instagram → Settings and activity → Apps and websites → select the connected application → Remove. You can also open the conversation with the business and use Delete chat.
- WhatsApp Business: open the chat with the business → tap the business name → Block and/or Report business. To stop receiving further messages, you may also remove your opt-in from within the chat.
Revoking permissions or blocking a business on a Meta platform stops future data flow from Meta to us, but does not automatically delete the data we already hold. To have that data deleted, please also send a Data Deletion Request as described in Section 8.1.
10. International Data Transfers
Because Meta Platforms Ireland Ltd. and some of our infrastructure subprocessors are part of international groups, personal data may be transferred outside the European Economic Area (EEA), including to the United States.
Such transfers are carried out only where one of the following safeguards under Chapter V GDPR applies:
- An adequacy decision by the European Commission, including the EU-US Data Privacy Framework for transfers to certified US organizations (Meta Platforms, Inc. is a participant in the DPF);
- Standard Contractual Clauses approved by the European Commission, supplemented by technical and organizational measures where needed after a transfer impact assessment;
- Your explicit consent, for occasional and specific transfers not covered by the above.
You can request a copy of the safeguards in place for a given transfer by writing to team@jakiagency.com.
11. Security
We implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful access, loss, alteration, or disclosure, in line with Article 32 GDPR. These measures include, in particular:
- Encryption in transit using TLS 1.2 or above for all communications with our servers and with Meta APIs.
- Encryption at rest for databases and backups holding personal data.
- Strict access controls (least-privilege, individual accounts, strong authentication).
- Audit logging of administrative access to personal data.
- Regular security updates of systems and dependencies.
- Written confidentiality commitments from anyone authorized to access personal data.
- Formal incident response procedures, including notification of the supervisory authority within 72 hours as required by Article 33 GDPR.
Additional measures for health data: access to health-related messages is restricted to a minimum number of authorized personnel, stored in logically segregated areas, and subject to additional monitoring. Pseudonymization is applied wherever it is compatible with delivering the service to the healthcare client.
12. Children's Privacy
Our services are not directed at children under the age of 16. Under Article 8 GDPR as transposed in Lithuania, a child must be at least 16 years old to consent to the processing of their personal data by an information society service; below that age, consent must be given or authorized by the holder of parental responsibility.
We do not knowingly collect personal data from children under 16. If you believe that a child under 16 has provided personal data to us, please contact team@jakiagency.com and we will delete the data without undue delay.
13. Specific Provisions for Meta Platforms
We use the official developer APIs provided by Meta. Our use of information received from Facebook, Instagram, Messenger, and WhatsApp — and our transfer of information to any third party — complies with the Meta Platform Terms, the Meta Developer Policies, and — for WhatsApp — the WhatsApp Business Messaging Policy.
13.1 Facebook and Messenger
Our chatbot integrations with Facebook Pages and Messenger use, as applicable, the following permissions from the Facebook Graph API and Messenger Platform:
pages_messaging— to send and receive messages between the Page and users who have initiated contact.pages_manage_metadata— to subscribe the Page to webhooks and manage the messaging configuration.pages_show_list— to display the list of Pages the administrator can connect to the chatbot.pages_read_engagement(where required) — to read metadata about Page engagement strictly to route messages correctly.
We use data obtained through these permissions only to provide the chatbot service described in this policy, and only within Meta's 24-hour messaging window and allowed message tags. We do not use the data for advertising or for any secondary purpose.
13.2 Instagram (Graph API)
Our Instagram integrations use, as applicable:
instagram_basic— to read basic profile information of the business account.instagram_manage_messages— to send and receive Instagram Direct messages on behalf of the business account.pages_show_listandpages_manage_metadata— as required by Meta to connect the Instagram Professional account to the linked Facebook Page.
We access Instagram data only for the purposes of operating the chatbot and only for accounts that have explicitly connected Jakiagency's application.
13.3 WhatsApp Business API
Our WhatsApp integrations use the official WhatsApp Business Platform (Cloud API or On-Premises API), with permission whatsapp_business_messaging and related permissions such as whatsapp_business_management where needed. We respect:
- The 24-hour customer service window: free-form messages are sent only within 24 hours of the user's last message to the business.
- The opt-in requirement: template messages are sent only to users who have given prior, explicit opt-in to receive them.
- WhatsApp's Commerce and Business Messaging Policies, including restrictions on the types of content that can be sent.
Users can opt out at any time by replying "STOP" (or the equivalent in their language), by blocking the business in WhatsApp, or by contacting us at team@jakiagency.com.
13.4 Compliance statement
Jakiagency confirms that it complies with all applicable Meta and WhatsApp developer terms, including but not limited to the Meta Platform Terms, the Meta Developer Policies, the Instagram Platform Policy, and the WhatsApp Business Messaging Policy. We do not sell, license, or purchase data obtained from Meta platforms, and we do not use it to build user profiles for advertising or discriminatory purposes.
14. Policy Changes
We may update this Privacy Policy from time to time to reflect changes in our services, in applicable law, or in Meta's platform requirements. When we make changes, we will update the "Last updated" date at the top of this page. For material changes, we will provide additional notice — for example, a banner on jakiagency.com and, where we have your email address and it is appropriate, a direct email — at least thirty (30) days before the changes take effect, where feasible.
Your continued use of our services after a revised policy takes effect constitutes acceptance of the updated policy, to the extent permitted by law.
15. Contact and Complaints
If you have any questions, concerns, or complaints about this Privacy Policy or about how we handle your personal data, please first contact us:
Jakiagency (Vasaris Knizleris)S. Konarskio g. 18-55, Vilnius, 03124, Lithuania
Email: team@jakiagency.com
You also have the right to lodge a complaint with the competent data protection supervisory authority. In Lithuania, this is:
Valstybinė duomenų apsaugos inspekcija(State Data Protection Inspectorate of the Republic of Lithuania)
L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania
Website: https://vdai.lrv.lt
Email: ada@ada.lt
If you reside in another EU/EEA country, you may also contact the supervisory authority in your country of residence or place of work.
16. Effective Date
This Privacy Policy is effective as of 20 April 2026.