Privacy Policy
Last updated: April 12, 2026
Overview
This Privacy Policy explains how Jeva Technologies OPC ("Gabbex", "we", "us") processes information when you use our AI assistants, messaging integrations (such as Meta Messenger and WhatsApp), e-commerce integrations (such as Shopify), embedded widgets, dashboards, and related services (collectively, the "Services").
Gabbex's role depends on the context of processing:
- As a data processor: When processing personal data on behalf of Operators (businesses that use our platform), Gabbex acts as a data processor under GDPR Article 28 and as a "service provider" under the CCPA. In this role, Gabbex processes personal data solely on documented Operator instructions and does not determine the purposes or means of processing.
- As a data controller: When Gabbex independently collects data from account holders, website visitors, or in connection with its own business operations (e.g., billing, support, security), Gabbex acts as an independent data controller.
Operators are the data controllers who determine the purposes and means of processing end-user personal data within their deployments. Operators are responsible for ensuring they have a lawful basis for such processing under applicable law.
Defined terms used in this Policy: "Operators" means businesses that access the Services under a subscription or service agreement. "End users" or "data subjects" means individuals who interact with an Operator's Gabbex-powered assistant. "You" or "your" may refer to Operators, end users, or website visitors depending on context.
Contact for legal notices and rights requests:
Jeva Technologies OPC (d/b/a Gabbex)
Email: hello@gabbex.com
Information We Collect
- Account & Business Data: name, email, organization, billing details, and subscription information.
- Usage & Technical Data: IP address, browser type, device type, approximate geolocation, access logs, and session identifiers.
- Conversation Data: messages, AI responses, and knowledge sources configured by Operators.
- Communications: support and sales inquiries submitted via email or in-product channels.
- Messaging Integrations (e.g., Meta Messenger, WhatsApp): webhook data such as Page-Scoped User IDs (PSIDs), basic profile information, and message content.
- E-commerce Integrations (e.g., Shopify): store data such as customer names, order information, and product data, processed only as required to support the assistant functionality requested by the Operator.
- Lead Data: contact details (e.g., name, email, phone) collected only when voluntarily provided by end users or required to fulfill a request within a conversation.
Where Gabbex acts as a processor, we collect and process data strictly on behalf of the Operator that connected the integration and only to operate the functionality instructed by that Operator. We do not use Operator or end-user personal data for Gabbex's own product improvement, analytics, or model development purposes.
Sensitive Personal Data
The Services are not intended to collect, process, or store sensitive categories of personal information — such as Social Security Numbers, financial account numbers, health or medical records, biometric data, or government-issued identification numbers — as defined under applicable law (including GDPR Article 9 and CCPA "sensitive personal information").
Operators and end users should avoid submitting sensitive personal information through the Services. Where such data is submitted by an end user or included in an Operator-configured deployment, Gabbex will process it solely on the Operator's documented instructions in its capacity as a data processor. Operators are responsible for establishing a lawful basis — including any required explicit consent under GDPR Article 9(2) — for the collection and processing of sensitive personal information within their deployments.
How We Use Information
Where Gabbex acts as a data processor, we process personal data only for purposes specified in the Operator's instructions or as required to operate the Services under the applicable subscription agreement. We do not use such data for any independent purpose, including cross-customer analytics, product improvement, or AI model development.
Where Gabbex acts as a data controller (e.g., for account management, billing, and security), we use information to:
- Provide, operate, and improve the Services
- Authenticate users and prevent fraud or abuse
- Monitor performance and reliability
- Send transactional communications and service updates
- Comply with legal obligations
- Support billing, subscription management, and customer communications
In either role, we do not sell personal data to third parties or use it for cross-context behavioral advertising.
AI Processing
Conversation data may be processed by Gabbex and its sub-processors (such as AI model inference providers) to generate responses and operate the Services. Gabbex uses commercially reasonable efforts to require AI model inference sub-processors to contractually commit that Operator and end-user data will not be used to train or fine-tune their foundation models, and will not be shared for any purpose unrelated to delivering the requested service. These commitments are enforced through contractual obligations to the extent available and enforceable under the terms of each sub-processor agreement. Gabbex cannot independently audit each sub-processor's internal model training practices and makes no absolute guarantee beyond the contractual restrictions it puts in place.
- Operator and end-user data is used only to provide the Services as instructed by Operators
- Personal data is not sold to third parties
- Gabbex does not use Operator or end-user data for its own AI model training or cross-customer inference
- Sub-processors are contractually restricted from using data for purposes unrelated to the Services, to the extent such restrictions are commercially available and enforceable
AI Output Accuracy & Operator Responsibility
AI-generated responses are probabilistic and may be incomplete, inaccurate, outdated, or unsuitable for a given purpose. Gabbex does not warrant the accuracy, completeness, or fitness for purpose of any AI-generated output.
Operators are responsible for:
- Validating AI-generated outputs before using them to inform business decisions, customer communications, or automated workflows;
- Ensuring end users are informed that they are interacting with an AI-powered assistant where required by applicable law; and
- Implementing appropriate human review processes where AI outputs may affect legal rights, financial outcomes, medical decisions, or other consequential matters.
AI outputs generated by the Services should not be relied upon as a substitute for qualified professional advice in legal, medical, financial, or regulatory matters without independent human verification.
Automated Decision-Making
Gabbex's AI generates conversational responses based on Operator-configured knowledge sources and instructions. Gabbex does not independently make final automated decisions that produce legal or similarly significant effects on individuals. The logic governing outcomes — such as qualifying leads, routing inquiries, or triggering actions — is configured and controlled by the Operator. Operators are responsible for ensuring their deployments comply with applicable laws governing automated decision-making, including GDPR Article 22 and equivalent requirements under applicable state laws, including providing any required disclosures to end users.
Data Isolation
Each Operator's data is logically isolated within the Services. Gabbex does not share, combine, or use personal data across Operator accounts for any purpose.
Sharing
- Service providers / sub-processors: cloud hosting, AI model inference providers, analytics, billing, and messaging infrastructure, each bound by data processing agreements
- Legal compliance: when required by applicable law, court order, or to protect the rights, safety, or property of Gabbex, its Operators, end users, or the public; Gabbex will notify the affected Operator of such requests where legally permitted to do so
- Business transfers: in connection with a merger, acquisition, or sale of assets; personal data transferred in such events will remain subject to confidentiality protections equivalent to those in this Policy, and affected Operators will be notified where feasible
Gabbex does not sell personal data to third parties and does not share personal data for cross-context behavioral advertising as defined under the CCPA/CPRA.
Sub-processors
Gabbex engages trusted third-party sub-processors to help deliver the Services, including providers of cloud hosting, AI model inference, analytics, payment processing, and messaging infrastructure. All sub-processors are bound by data processing agreements that require them to protect personal data consistently with this Policy and applicable law, and to process data only as instructed.
A current list of sub-processors is available upon written request by emailing hello@gabbex.com. Before engaging a new sub-processor that will process Operator personal data, Gabbex will provide reasonable advance notice — and at least 30 days' prior written notice where required by applicable law or the governing service agreement — via email or in-product notification.
Operators may raise a documented objection to a new sub-processor in writing within the applicable notice period. Objection rights are not absolute: Gabbex will work in good faith to accommodate legitimate concerns, but retains the right to proceed with engaging the sub-processor if the objection cannot be resolved. If an Operator's objection is unresolvable and the sub-processor is material to the Services, either party may terminate the affected portion of the Services in accordance with the applicable subscription agreement.
Operator Responsibilities for Third-Party Integrations
When an Operator connects a third-party integration to Gabbex (including but not limited to Meta Messenger, WhatsApp, SMS providers, or Shopify), the Operator represents and warrants, as a condition of using the integration, that:
- They have obtained all necessary rights, permissions, and authorizations from the applicable third-party platform to share data with Gabbex;
- They have a lawful basis under applicable law to process and transfer the data flowing through the integration;
- They have provided adequate disclosures and, where required by applicable law, obtained consent from their end users regarding the processing of data through Gabbex; and
- Their use of the integration complies with the terms of service of the applicable third-party platform and all applicable laws.
Gabbex processes integration data in its capacity as a data processor, acting on the Operator's instructions. This section does not limit Gabbex's obligations as a processor under applicable data protection law, including obligations relating to security, sub-processor management, and data subject request assistance.
Data Processing Agreement (DPA)
For Operators subject to GDPR, CCPA, or other regulations that require a formal data processing agreement, Gabbex offers a standard Data Processing Agreement (DPA) consistent with GDPR Article 28 requirements. The DPA governs Gabbex's obligations as a data processor, including sub-processor management, security standards, audit rights (subject to reasonable notice and confidentiality terms), and assistance with data subject requests.
To request a DPA, email hello@gabbex.com with the subject line "DPA Request".
Cookies
We use cookies and similar tracking technologies on our website and Services. The table below describes each category. You can manage cookie preferences via your browser settings or our cookie consent manager. Strictly necessary cookies cannot be disabled as they are required for the Services to function.
| Category | Purpose | Example cookies | Duration |
|---|---|---|---|
| Strictly Necessary | Authentication, session management, security, and core service operation | Session tokens, CSRF tokens | Session / up to 30 days |
| Functional | Remember user preferences (e.g., language, widget state) | Preference cookies | Up to 12 months |
| Analytics | Understand how visitors use the site; improve performance | Google Analytics (_ga, _gid) | Up to 24 months |
| Advertising / Marketing | Measure ad campaign effectiveness | [e.g., Meta Pixel _fbp if used] | Up to 90 days |
Retention & Deletion
We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by applicable law. The following table describes our default retention periods, the trigger for deletion, and the legal basis for retention:
| Data Category | Default Retention | Deletion Trigger | Legal Basis for Retention |
|---|---|---|---|
| Conversation data | 30–90 days (configurable by Operator) | Expiry of retention window or Operator deletion request | Service delivery; Operator instruction |
| Account & business data | Duration of active subscription + 3 years | Account closure + 3-year period elapsed | Contractual obligation; legitimate interests (dispute resolution) |
| Billing & financial records | 7 years from transaction date | Statutory retention period elapsed | Legal obligation (tax and financial regulations) |
| Security & access logs | Up to 12 months | Retention period elapsed, unless required for ongoing investigation | Legitimate interests (security, fraud prevention) |
| Lead data | Duration of active account | Account closure or Operator deletion request | Service delivery; Operator instruction |
| Backup and disaster recovery copies | Up to 90 days after primary deletion | Backup rotation cycle | Legitimate interests (business continuity) |
Operators can delete data or disconnect integrations at any time from the Gabbex dashboard. Upon disconnection, Gabbex will cease processing new data from that integration. Copies of data in backup systems will be purged in accordance with standard backup rotation schedules, as described above.
Security & Data Breach
Gabbex implements reasonable technical and organizational measures — including encryption in transit and at rest, access controls, and periodic security reviews — designed to protect personal information against unauthorized access, loss, or disclosure. These measures are calibrated to the nature and risk level of the data processed. No system can guarantee absolute security, and Gabbex does not warrant that the Services are free from all security vulnerabilities.
In the event of a confirmed personal data breach affecting Operator or end-user data, Gabbex will notify affected Operators without undue delay and, where feasible, within 72 hours of becoming aware of the incident, consistent with GDPR Article 33 obligations applicable to processors and applicable breach notification laws. Gabbex's notification to the Operator satisfies Gabbex's processor-level obligation to inform the relevant controller. Operators, as data controllers, are responsible for assessing the risk, determining whether regulatory or individual notification is required, and fulfilling any notification obligations to supervisory authorities and end users under the laws applicable to their business and jurisdiction.
Your Rights
Depending on your jurisdiction, you may have certain rights regarding your personal information. To exercise any of these rights, please email hello@gabbex.com with the subject line "Privacy Rights Request", and include your account email address and a description of the request.
We will take reasonable steps to verify your identity before processing your request. We will respond within 45 days. If we need additional time, we will notify you within the initial 45-day period and may extend by up to an additional 30 days as permitted by applicable law.
We will not discriminate against you for exercising your privacy rights.
Authorized agents: You may designate an authorized agent to submit requests on your behalf. We may require written proof of authorization and may take reasonable steps to verify your identity directly with you.
Note for end users of Operator deployments: If you interacted with an AI assistant deployed by an Operator (e.g., a business's chatbot), that Operator is the data controller for your personal data. Please direct data subject rights requests to the Operator in the first instance. Gabbex will provide reasonable assistance to Operators in responding to verified end-user requests as required by applicable law and our agreements with Operators.
Do Not Sell or Share My Personal Information
Gabbex does not sell your personal information as defined under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
Gabbex does not share personal information for cross-context behavioral advertising as defined under the CPRA.
If you have questions about our data practices or wish to confirm this in writing, please email hello@gabbex.com with the subject line "Do Not Sell or Share Request".
Your California Privacy Rights (CCPA/CPRA)
This section applies to California residents. Under the CCPA and CPRA, you have the rights listed below. Where Gabbex processes your personal data solely as a service provider on behalf of an Operator, some rights may need to be exercised directly with that Operator as the business that collected your data.
Categories of Personal Information Collected
| CCPA Category | Examples collected | Why collected | Retention | Third-party categories shared with |
|---|---|---|---|---|
| Identifiers | Name, email, IP address, user ID, device ID | Account management, service delivery, security | Account lifetime + 3 years | Hosting providers, analytics providers |
| Customer Records | Billing address, payment card type (last 4 digits; full card data handled by payment processor) | Billing and subscription management | 7 years (legal obligation) | Payment processors |
| Commercial Information | Subscription plan, purchase history, token usage | Service delivery, billing, customer support | Account lifetime + 3 years | Billing providers |
| Internet / Network Activity | Browser type, pages visited, clickstream data, session logs | Analytics, security, performance monitoring | Up to 24 months | Analytics providers |
| Geolocation | Approximate location derived from IP address | Fraud prevention, compliance with regional laws | Up to 12 months | Hosting providers |
| Inferences | Account preferences, usage patterns derived from activity | Service improvement, customer support | Account lifetime | None |
| Professional / Employment Information | Company name, role, industry (if provided) | Account management, product personalization | Account lifetime | CRM / support tool providers |
| Sensitive Personal Information | Login credentials (hashed passwords). We do not intentionally collect other categories of sensitive personal information such as SSNs, financial account numbers, health data, or precise geolocation. | Authentication and account security | Account lifetime | None |
CCPA/CPRA Consumer Rights
- Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, our purposes for collection, and the categories of third parties with whom we share it.
- Right to Delete: You may request that we delete your personal information, subject to certain exceptions (e.g., legal obligations, security, fraud prevention, or ongoing service delivery).
- Right to Correct: You may request correction of inaccurate personal information we hold about you.
- Right to Data Portability: You may request a copy of your personal information in a portable and, to the extent technically feasible, readily usable format.
- Right to Opt Out of Sale / Sharing: As stated above, Gabbex does not sell or share personal information for cross-context behavioral advertising. No opt-out action is required, but you may confirm our practices by contacting us.
- Right to Limit Use of Sensitive Personal Information: You may request that we limit the use of sensitive personal information to purposes permitted under the CPRA. Gabbex uses sensitive personal information (login credentials) only for authentication and security, consistent with the CPRA's permitted purposes.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
To exercise these rights, email hello@gabbex.com with the subject line "Privacy Rights Request". We will respond within 45 days (extendable once by 30 days with prior notice).
Multi-State Privacy Rights
Residents of states with active consumer privacy laws may have rights similar to those described in the California section above. These states include Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and others. Available rights typically include:
- Right to access and confirm personal data we process about you
- Right to delete personal data
- Right to correct inaccurate personal data
- Right to data portability
- Right to opt out of profiling for decisions that produce legal or similarly significant effects
- Right to opt out of targeted advertising (Gabbex does not conduct targeted advertising using your personal data)
To exercise these rights, email hello@gabbex.com with the subject line "Privacy Rights Request" and identify your state of residence. We will respond within the timeframe required by your state's applicable law (typically 45 days, extendable by an additional 45 days with prior notice). If we deny your request, we will provide reasons and you may appeal the decision by replying to our denial notice.
International Transfers
Gabbex is operated by Jeva Technologies OPC, incorporated in the Philippines. The Philippines is considered a third country under the GDPR. When we transfer personal data from individuals located in the EEA, UK, or other jurisdictions with data transfer restrictions to the Philippines or to sub-processors in other third countries, we implement appropriate safeguards as required by applicable law.
For transfers of EEA or UK personal data, Gabbex relies primarily on Standard Contractual Clauses (SCCs) as approved by the European Commission (and their UK equivalent, the International Data Transfer Agreement (IDTA)), supplemented where necessary by additional technical and organizational measures (such as encryption and access controls) to address risks arising from the legal environment in the destination country. All sub-processors receiving EEA or UK personal data are bound by SCCs or equivalent transfer mechanisms.
For transfers originating from the United States or other jurisdictions, Gabbex implements data processing agreements with sub-processors that impose data protection obligations equivalent to those in this Policy. Operators with specific transfer mechanism requirements (e.g., Binding Corporate Rules or jurisdiction-specific addenda) may request additional documentation by contacting hello@gabbex.com.
Children
The Services are not directed to children under 13 years of age, and Gabbex does not intentionally collect personal information from children under 13. For end users in certain jurisdictions, the applicable age threshold may be higher (e.g., 16 years under GDPR for certain processing activities).
For Operators deploying Gabbex assistants to end users: Operators are responsible for complying with the Children's Online Privacy Protection Act (COPPA) and applicable children's privacy laws in their jurisdiction for any deployment that may interact with children. If a deployment may be accessed by children under 13, the Operator must obtain appropriate verifiable parental consent before collecting any personal information through that deployment.
If Gabbex becomes aware that it has inadvertently collected personal information from a child under 13 through its own platform (not via an Operator's deployment), it will take commercially reasonable steps to delete that information promptly and, where applicable, notify the relevant Operator. To report a concern, please email hello@gabbex.com.
Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' advance notice by email to registered account holders (where feasible) and by posting a notice on our website. Your continued use of the Services after the effective date of any update constitutes your acknowledgment of the revised Policy. The "Last updated" date at the top of this page reflects the most recent revision.
Governing Law
This Privacy Policy is governed by and construed in accordance with the laws of the Republic of the Philippines, without regard to conflict of law principles. This clause does not limit the rights of data subjects in jurisdictions with mandatory protections that cannot be contractually waived, including EU/EEA data subjects under the GDPR, UK data subjects under the UK GDPR, or California residents under the CCPA/CPRA. Those protections apply to the extent required by the applicable law of the relevant jurisdiction.
Contact
For privacy questions or to exercise your rights, contact us at: hello@gabbex.com
Jeva Technologies OPC (d/b/a Gabbex)
Subject line: Privacy Rights Request