Privacy Policy

Last Updated: January 11, 2026

1. INTRODUCTION

BIGG (“we”, “us”, “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the BIGG AI Chatbox service (“Service”).

Our Service complies with:

  • General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679
  • Greek Law 4624/2019 on the protection of personal data
  • ePrivacy Directive (Directive 2002/58/EC)
  • Meta Platforms Inc. Developer Policies

2. DATA CONTROLLER

BIGG
Website: wearebigg.com
Email: morfis.spiros@gmail.com

3. DATA WE COLLECT

3.1 Information You Provide Directly

  • Account Information: Name, email address, password (encrypted)
  • Payment Information: Processed by Stripe (not stored on our servers)
  • Business Information: Company name, phone number, website
  • Profile Data: Profile picture, job title, preferences

3.2 Data from Third-Party Integrations

  • Facebook/Instagram: Messages, usernames, profile pictures of your customers (via Facebook Graph API)
  • Email Inboxes: Email content, senders, recipients (if you connect email)
  • Chatwoot Platform: Conversation data, message metadata, contact information

3.3 Automatically Collected Data

  • Technical Data: IP address, browser type, device information, operating system
  • Usage Data: Pages visited, features used, time spent, interactions
  • Cookies: Session cookies, preference cookies, analytics cookies

4. PURPOSE AND LEGAL BASIS FOR PROCESSING

Purpose                       | Legal Basis (GDPR)                   | Data Categories
------------------------------|--------------------------------------|-------------------------------------
Provide the Service           | Contract Performance (Art. 6(1)(b))  | Account data, messages, conversations
Process payments              | Contract Performance (Art. 6(1)(b))  | Payment information (via Stripe)
Customer support              | Legitimate Interest (Art. 6(1)(f))   | Account data, support tickets
Improve services              | Legitimate Interest (Art. 6(1)(f))   | Usage data, analytics
Security and fraud prevention | Legitimate Interest (Art. 6(1)(f))   | IP address, logs, security events
Legal obligations             | Legal Obligation (Art. 6(1)(c))      | All data as required by law
Marketing (with opt-in)       | Consent (Art. 6(1)(a))               | Email, name, preferences

5. DATA SHARING AND DISCLOSURE

5.1 Service Providers (Data Processors)

We share data with trusted service providers who process data on our behalf:

  • Chatwoot: Self-hosted platform (data on our servers in EU/US)
  • Stripe: Payment processing (PCI-DSS Level 1 certified)
  • Meta Platforms: Facebook/Instagram API integration
  • AWS (Amazon Web Services): Cloud hosting infrastructure

Important: All service providers are contractually bound by Data Processing Agreements (DPAs) that comply with GDPR requirements.

5.2 Legal Requirements

We may disclose data when required by law or to:

  • Comply with legal processes (court orders, subpoenas)
  • Enforce our Terms of Service
  • Protect rights, property, or safety of us, our users, or others
  • Investigate potential violations or fraud

6. INTERNATIONAL DATA TRANSFERS

Your data may be transferred to and processed in countries outside the European Economic Area (EEA). We ensure appropriate safeguards through:

  • Standard Contractual Clauses (SCCs): EU Commission approved clauses
  • Adequacy Decisions: Transfers to countries with adequate protection
  • Binding Corporate Rules: For transfers within corporate groups

7. DATA SECURITY

We implement appropriate technical and organizational measures to protect your data:

7.1 Technical Measures

  • Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
  • Access Controls: Role-based access control (RBAC), multi-factor authentication
  • Network Security: Firewalls, intrusion detection systems, DDoS protection
  • Regular Updates: Security patches and software updates

7.2 Organizational Measures

  • Staff training on data protection
  • Confidentiality agreements with employees and contractors
  • Regular security audits and penetration testing
  • Incident response and breach notification procedures

8. DATA RETENTION

We retain your data for as long as:

  • Your account remains active
  • Necessary to provide our services
  • Required by legal, tax, or accounting obligations (typically 5-10 years)
  • Necessary for legitimate business purposes (e.g., fraud prevention)

Data Category     | Retention Period                 | Reason
------------------|----------------------------------|----------------------------------
Account data      | Duration of account + 30 days    | Service provision
Conversation data | Duration of account + 90 days    | Service provision, user request
Payment records   | 7 years after last transaction   | Tax and legal obligations

9. YOUR RIGHTS UNDER GDPR

You have the following rights regarding your personal data:

9.1 Right of Access (Article 15)

You can request a copy of your personal data. We will provide this within 30 days, free of charge for the first request.

9.2 Right to Rectification (Article 16)

You can request correction of inaccurate or incomplete data.

9.3 Right to Erasure – “Right to be Forgotten” (Article 17)

You can request deletion of your data when:

  • Data is no longer necessary for the purposes collected
  • You withdraw consent (where consent was the legal basis)
  • You object to processing and there are no overriding legitimate grounds
  • Data was unlawfully processed

9.4 Right to Restriction of Processing (Article 18)

You can request restriction of processing in certain circumstances.

9.5 Right to Data Portability (Article 20)

You can receive your data in a structured, commonly used, machine-readable format (JSON, CSV).

9.6 Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes.

9.7 Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing.

How to Exercise Your Rights:
Email: morfis.spiros@gmail.com
Subject: “Data Subject Request – [Your Right]”
We will respond within 30 days (extendable by 2 months for complex requests).

9.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority:

  • Greek DPA: Hellenic Data Protection Authority (www.dpa.gr)
  • EU DPA List: edpb.europa.eu/about-edpb/board/members_en

10. COOKIES AND TRACKING TECHNOLOGIES

10.1 Types of Cookies We Use

Cookie Type | Purpose                  | Duration
------------|--------------------------|----------------
Essential   | Authentication, security | Session/1 year
Functional  | Remember preferences     | 1 year
Analytics   | Usage statistics         | 2 years

11. CHILDREN’S PRIVACY

Our Service is not intended for children under 16 years of age. We do not knowingly collect personal data from children.

12. FACEBOOK/INSTAGRAM SPECIFIC DISCLOSURES

12.1 Data from Facebook/Instagram

When you connect your Facebook Page or Instagram account:

  • We receive messages sent to your Page/account
  • We access basic profile information of people messaging you (name, profile picture, user ID)
  • We can send messages on your behalf when you reply through our platform

12.2 Your Control

  • You can disconnect your Facebook/Instagram account anytime
  • You control which pages/accounts are connected
  • You can review Facebook permissions at facebook.com/settings

13. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the updated policy on this page
  • Updating the “Last Updated” date
  • Sending email notification for significant changes

14. CONTACT US

For questions about this Privacy Policy or to exercise your rights, contact us:

Data Protection Contact:
Email: morfis.spiros@gmail.com
Website: wearebigg.com

15. SUPERVISORY AUTHORITY

Hellenic Data Protection Authority
Address: Kifisias Ave. 1-3, 11523 Athens, Greece
Phone: +30 210 6475600
Email: contact@dpa.gr
Website: www.dpa.gr
This Privacy Policy is provided in English. Greek translation available upon request.