Privacy Policy

1. Who we are

Silon is a multi-channel customer-messaging platform operated by KUWAITNET ("Silon," "we," "us" or "our"). Our principal place of business is Kuwait City, Kuwait. We provide Silon as software-as-a-service at silon.tech and as a self-hosted product that businesses run on their own infrastructure.

When you use Silon on our cloud, we are the data controller of operator-account data and a data processor for the message content and metadata our customers send and receive through us. When a customer runs Silon on their own servers (self-hosted), we are not the controller or processor of any data in that deployment — our customer is — and this policy applies only to data we hold about their account with us (licensing, support, billing).

2. Scope of this policy

This policy covers:

• the silon.tech website and any subdomain operated by us;
• the Silon application accessible at your tenant subdomain (e.g. acme.silon.tech) when hosted by us;
• the Silon REST API and webhooks;
• communications between Silon and end-users on integrated channels (WhatsApp, Messenger, Instagram, Telegram, SMS, email, web push, voice) that are routed through our cloud infrastructure on behalf of a business customer.

It does not cover the privacy practices of the businesses that use Silon to communicate with their own customers. Those businesses are independent controllers of the data they collect from their end-users and have their own privacy policies; please refer to them for questions about how a specific business uses your data.

3. Information we collect

a. Operator account data

When a business signs up an operator on Silon (an employee who will use the Live Desk, send campaigns, or manage settings), we collect:

• name, email address, phone number (optional);
• username, hashed password, multi-factor authentication state;
• role within the tenant (owner, admin, operator), permissions, language and timezone preferences;
• tenant subdomain, company name, billing contact.

b. Channel credentials

To send and receive messages on each channel, the business connects channel credentials to their Silon tenant. We store these credentials encrypted at rest, scoped to a single tenant database. Examples: WhatsApp Cloud API access tokens, Facebook Page access tokens, Instagram access tokens, Telegram bot tokens, SMS gateway API keys, SMTP credentials, web-push VAPID keys, voice carrier API keys.

c. Message content and metadata

We store the content of messages (text, attachments, voice notes, reactions) sent and received through Silon, together with metadata required to deliver them: sender and recipient identifiers (phone numbers, email addresses, Meta user IDs, Telegram chat IDs), delivery and read receipts, timestamps, channel, template used, and conversation thread state.

d. Contacts and audience data

When a business uploads contacts, segments or audiences for campaigns, we store those records in their isolated tenant database: name, phone number, email, channel-specific identifiers, opt-in / opt-out state, and any custom fields the business has chosen to attach.

e. Usage and diagnostic data

We log technical information needed to operate the service: IP addresses, browser/user-agent, HTTP request paths and timestamps, application errors and stack traces, API call metadata, and infrastructure-level metrics. We use Sentry for error monitoring.

f. Billing data

If the business pays us through our cloud, we collect billing contact, invoicing address, tax ID and payment-method identifiers. We do not store full payment card numbers; card processing is handled by our payment provider.

4. Meta Platform data (Facebook, Instagram, WhatsApp)

Silon integrates with Meta's platforms via the WhatsApp Business Cloud API, the Messenger Platform API and the Instagram Messaging API. When a business connects one of these channels:

• We receive an access token from Meta authorising Silon to send and receive messages on behalf of the business's WhatsApp Business Account, Facebook Page or Instagram Professional Account.
• We receive webhook events from Meta for each inbound message, status update or event the business has subscribed to. These include the end-user's Meta-scoped identifier (PSID / IGSID / WhatsApp phone number), the message content, timestamps and any media attachments.
• We may read profile information that Meta exposes for the end-user (display name, profile picture URL, locale) solely to display the conversation correctly to the operator.

Use of Meta Platform data is governed by the Meta Platform Terms and the Developer Policies. We:

• only use Meta data to provide and improve the Silon service for the business that connected the channel;
• do not sell, license or otherwise transfer Meta data to data brokers, ad networks or any third party for advertising or monetisation;
• do not use Meta data to enrich profiles for advertising or to build look-alike audiences;
• keep Meta data only as long as needed for the service, or as required by law (see Retention below);
• honour deletion requests from Meta, the business and the end-user.

When a business disconnects WhatsApp, Messenger or Instagram from Silon — or when Meta revokes our access token — we stop receiving new events for that integration immediately. Existing messages remain in the tenant database until the business or end-user requests deletion or the retention period expires.

5. How we use information

We use the information described above to:

• operate the Silon platform — route messages, deliver campaigns, run the Live Desk inbox, store templates, generate reports;
• authenticate operators and protect accounts from unauthorised access;
• provide customer support when the business asks for help with a specific conversation or send;
• maintain audit trails of operator actions for the business's compliance needs;
• monitor system health, debug errors, and improve performance and reliability;
• send service-related emails (incidents, security advisories, invoice receipts, important product changes);
• comply with our legal obligations and enforce our terms of service.

We do not use end-user message content to train AI models or to advertise to anyone. AI features inside Silon (conversation summaries, suggested replies) run on the business's own messages within their own tenant and are not used to improve models for any other customer.

6. Legal basis for processing

Where the GDPR or comparable laws apply, we rely on the following legal bases:

• Contract — to provide Silon to the business that has signed up.
• Legitimate interest — to operate, secure and improve the service, and to communicate service-related information to operators.
• Consent — where required (for example, certain cookies, or marketing emails to prospects who ask to be contacted).
• Legal obligation — where we are required to retain data to comply with applicable law.

For end-user data routed through Silon, the legal basis is established by the business that operates the conversation, acting as the controller. We act on their documented instructions as a processor.

7. How we share information

We do not sell personal data. We share information only in the following circumstances:

• With the business operating the conversation. End-user data is by definition shared with the business that the end-user is messaging — that is the point of the service.
• With sub-processors who provide infrastructure or supporting services under written agreements (see below).
• With channel providers. Meta, Telegram, SMS carriers, email providers, voice carriers and push providers receive whatever they need to deliver the message you are sending through them.
• For legal reasons — if required by a valid legal request from a competent authority, or to protect the rights, safety or property of Silon, our customers or the public.
• In a business transaction — if Silon is involved in a merger, acquisition, or sale of assets, data may be transferred subject to standard confidentiality protections and prior notice to affected customers.

8. Sub-processors

We use a short list of trusted sub-processors to run the service. Each is bound by a written data-processing agreement requiring confidentiality, security and processing only on our documented instructions.

• Amazon Web Services (AWS) — infrastructure hosting (EU and Middle East regions).
• Meta Platforms, Inc. — WhatsApp, Messenger and Instagram message delivery.
• Telegram FZ-LLC — Telegram bot message delivery.
• Regional SMS carriers — SMS delivery (varies by destination).
• Email delivery providers — SMTP / transactional email.
• Sentry — application error monitoring.
• Payment processor — card and invoice payments (for SaaS customers only).

An up-to-date list is available on request to privacy@silon.tech.

9. Data retention

• Operator accounts — kept for the lifetime of the tenant. When a tenant is closed, accounts are deleted within 30 days unless retention is required by law.
• Message content and metadata — retained for as long as the business keeps the tenant active, subject to the business's own retention configuration. When a tenant is closed, message data is deleted within 30 days.
• Channel credentials — deleted immediately when the business disconnects a channel; otherwise retained for the lifetime of the tenant.
• Logs and diagnostic data — retained for up to 90 days, then automatically purged. Aggregated, non-identifying metrics may be retained longer.
• Billing records — retained for the period required by the applicable tax / accounting law (typically 5-10 years).

On verified request, we will delete data sooner where we are legally able to do so. See section 11.

10. Your rights

Depending on where you live, you may have the right to:

• access the personal data we hold about you;
• request correction of inaccurate data;
• request deletion ("right to be forgotten");
• request restriction of processing or object to processing based on legitimate interests;
• request portability of data you have provided to us;
• withdraw consent at any time where processing is based on consent;
• lodge a complaint with your local data protection authority.

If you are an end-user who has messaged a business through Silon, the business is the primary controller of your data. We will route your request to them and assist as a processor. You can also contact us directly using the details below and we will respond within 30 days.

11. How to request deletion

You can request that we delete personal data about you in any of the following ways:

• Email privacy@silon.tech from the address the data is associated with, with the subject line "Data deletion request". Include your full name and, if you are an end-user, the business you messaged and the channel and identifier (phone number, Facebook user ID, Instagram username, Telegram username, email address) you used. We will verify your identity before acting.
• If you are a Silon operator with an active account, ask your tenant owner to delete your operator profile from the Settings → Users screen.
• If you connected Silon to your Facebook or Instagram account through Facebook Login and wish to disconnect that connection, you can remove Silon from your account at facebook.com/settings?tab=business_tools. Once removed, Meta will notify us and we will delete the access tokens and the user profile data we received through that integration within 30 days, except where retention is required by law.

We will confirm completion of your request by email. If we are unable to delete certain records — for example because of a legal retention obligation — we will tell you why and what records remain.

12. Security

We follow industry-standard security practices to protect data:

• TLS 1.2+ for all data in transit;
• encryption at rest for databases, backups and channel credentials;
• per-tenant database isolation — each business's data lives in its own database, not a shared table with a tenant-id column;
• role-based access control inside the application, with audit logs of operator actions;
• least-privilege access for our staff, with multi-factor authentication required on all administrative systems;
• regular dependency and image scanning, and prompt patching of known vulnerabilities.

No system can be 100% secure. If we become aware of a breach affecting your data, we will notify you and the relevant authority as required by law and without undue delay.

13. International data transfers

Silon's primary infrastructure is hosted in AWS regions in the European Union and the Middle East. Some sub-processors (notably channel providers like Meta) may process data in other regions, including the United States. Where data is transferred outside of the jurisdiction in which it was collected, we rely on the appropriate safeguards — standard contractual clauses, adequacy decisions, or equivalent — required by the originating jurisdiction's law.

14. Children's privacy

Silon is a business tool. It is not directed at children under 13 (or under 16 in jurisdictions where that is the applicable age of consent). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact privacy@silon.tech and we will delete it.

15. Cookies and tracking

Silon uses a small number of strictly-necessary cookies to keep operators signed in, maintain CSRF protection and remember language and theme preferences. We do not use third-party advertising or cross-site tracking cookies on the silon.tech website or inside the application. We do not embed third-party social-media buttons or pixels that would share visitor data with social platforms.

If we ever add analytics or marketing cookies, we will update this policy and ask for consent where required.

16. Changes to this policy

We may update this policy from time to time to reflect changes to the service, the law, or our practices. The current version is always available at this URL. The "Last updated" date at the top of the page tells you when it was most recently changed. Material changes will be communicated to active operators by email before they take effect.

17. Contact us

Questions, requests, complaints — all welcome at:

• Email: privacy@silon.tech
• General inquiries: hello@silon.tech
• Postal: KUWAITNET, Kuwait City, Kuwait