Privacy Policy

Last updated: May 21, 2026 · Effective: May 21, 2026

Who we are

This Privacy Policy describes how JONRALLS LLC, operating under the trade name Kavanah Media (“Kavanah Media,” “we,” “us,” or “our”), collects, uses, and shares information in connection with our hosted messaging platform service (the “Service”).

For questions about this policy, contact us at contact@kavanahmedia.com.

What the Service does

Kavanah Media operates a hosted Chatwoot platform that allows ministry and nonprofit organizations (“Clients”) to receive and respond to messages from their audiences across Facebook Messenger, Instagram Direct, WhatsApp, email, and website chat — all in a single interface. We operate the platform; our Clients use it to communicate with their own audiences.

How we relate to Meta Platforms

Our Clients connect their own Facebook Pages, Instagram Business accounts, and WhatsApp Business numbers to our platform. When they do, we receive messages, sender identifiers, attachments, and related metadata from Meta Platforms (Facebook, Instagram, WhatsApp) on behalf of our Client, route those messages into the Client’s hosted Chatwoot instance, and allow the Client’s team to respond.

We act as a data processor for our Clients with respect to messages and end-user data received from Meta Platforms. Our Clients are the data controllers and are responsible for the lawful basis on which they communicate with their end users.

Information we collect from Meta Platforms

When a Client connects a Meta Platform asset to our Service, we receive:

• Message content sent to or from the connected Page, account, or WhatsApp number, including text, images, video, audio, files, and reactions
• Sender identifiers (Facebook Page-Scoped IDs, Instagram-Scoped IDs, WhatsApp phone numbers) and publicly available profile information (name, profile picture) for end-users who message the Client
• Message metadata (timestamps, delivery and read receipts, message status)
• Page, account, and number metadata (the connected asset’s name, ID, category, and similar identifying information)

We receive this information only via official Meta APIs that the Client has authorized.

Information we collect directly from Clients

To provide the Service, we collect from Clients:

• Account information (name, email address, organization name)
• Authentication credentials (passwords are stored hashed; multi-factor authentication secrets are stored encrypted)
• Service usage records (when team members log in, which inboxes they access, which conversations they handle) for security and audit purposes
• Billing information (payment-method handling is performed by our payment processor; we do not store full payment card details on our infrastructure)

How we use information

We use the information described above solely to provide the Service:

• Routing incoming messages from Meta Platforms to the Client’s Chatwoot instance
• Sending the Client’s outbound responses back through Meta Platforms
• Storing conversation history in the Client’s instance so their team can reference past exchanges
• Operating, maintaining, and securing the platform
• Detecting and preventing abuse, spam, and policy violations
• Communicating with Clients about their account, service updates, and security matters

What we do NOT do with this information:

• We do not sell it
• We do not use it for advertising
• We do not use it to train artificial intelligence or machine learning models
• We do not share it with any third party except as described below

Sub-processors

We use the following sub-processors to operate the Service:

• Amazon Web Services, Inc. — cloud infrastructure (compute, storage, email delivery, secret management) in the AWS US West (Oregon) region
• Cloudflare, Inc. — edge caching and DDoS protection for certain Client-facing surfaces

The Chatwoot software itself is deployed and operated entirely on our own infrastructure; we do not transfer data to Chatwoot Inc.

Data location and international transfers

Data is stored and processed in the United States, in the AWS US West (Oregon) region. Client and end-user data does not leave the United States in the normal course of operation.

Retention

• Active Client data and conversation history — retained for the duration of the Client’s account and for 30 days after account termination, after which it is permanently deleted from our active systems.
• Backups — encrypted backups are retained on a rolling schedule (up to 30 days for daily backups, up to 1 year for monthly backups) and are deleted on the same schedule.
• Audit logs — retained for up to 1 year for security and compliance purposes.
• Aggregated or anonymized analytics that cannot identify any individual may be retained indefinitely.

Your rights

If you are an end-user who has sent a message to one of our Clients through a Meta Platform, you have the right to:

• Access the personal data we hold about you
• Request deletion of your personal data
• Request correction of inaccurate data
• Object to specific processing
• Receive a copy of your data in a portable format

Because we act as a processor on behalf of our Client, requests are most efficiently handled by contacting the Client directly. You may also contact us at contact@kavanahmedia.com and we will route the request to the relevant Client and respond within 30 days.

Detailed instructions for requesting deletion are at /data-deletion-instructions.

Children

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we learn that we have collected such information, we will delete it.

Security

We employ industry-standard measures to protect data:

• TLS 1.2+ encryption for all data in transit
• AES-256 encryption at rest for backups and attachment storage
• Multi-factor authentication enforced for administrative access
• Scoped, minimum-privilege IAM credentials for all service integrations
• Regular security scanning and patching
• Audit logging of administrative actions

No system is perfectly secure. If we become aware of a security incident affecting your data, we will notify affected Clients without undue delay.

Meta Platform compliance

This Service operates in compliance with Meta’s Platform Terms, Developer Policies, WhatsApp Business Messaging Policy, and Commerce Policies. We require our Clients to comply with the same.

Changes to this Policy

We may update this policy from time to time. The “Last updated” date at the top of this page reflects the most recent change. For material changes, we will notify Clients by email at least 30 days before the change takes effect.