Privacy Policy
This Privacy Policy describes how HiveThread ("we", "us", or "our") collects, uses, and protects information when merchants and their end-customers use the HiveThread service ("the Service"). HiveThread is operated by Funsquare Pty Ltd, an Australian company based in New South Wales. We are committed to handling personal information responsibly and in accordance with the Australian Privacy Act 1988 (Cth) and, where applicable, the EU General Data Protection Regulation (GDPR).
1. Who We Are
HiveThread is a unified-inbox platform that helps small businesses ("merchants") receive and reply to customer messages from Facebook Messenger, Instagram Direct Messages, SMS (via Twilio), and an embeddable webchat widget, all in one shared inbox. The application is hosted at app.hivethread.io.
For privacy enquiries, contact us at hello@hivethread.io.
This policy covers two groups of people:
- Merchants — the businesses (and their team members) who sign up for a HiveThread account to manage customer conversations.
- End-customers — the people who contact a merchant through Messenger, Instagram, SMS, or the merchant's website, and whose messages are routed through the Service to the merchant's inbox.
2. Information We Collect
We collect only the data necessary to operate the Service.
From merchants (when you sign up and use the app)
| Data | Purpose | Storage |
|---|---|---|
| Name, email address, hashed password | Create your account, authenticate sessions, send transactional alerts | Encrypted in transit, hashed (passwords) in our PostgreSQL database |
| Organisation name, timezone, business hours, team settings | Deliver the inbox and configure routing, notifications, and auto-responders for your team | PostgreSQL database |
| Facebook Page ID / name, Instagram Business account ID / name, Meta API access tokens | Fetch and send messages on your behalf via the Messenger and Instagram Messaging APIs once you connect these channels | Tokens encrypted at rest (AES-256-GCM) before being stored in the channel config |
| Twilio Account SID, auth token, phone number | Send and receive SMS on your behalf once you connect a Twilio sub-account | Encrypted at rest (AES-256-GCM) in the channel config |
| Billing contact and payment status (when paid plans launch in Phase 2) | Process subscription charges and comply with Australian tax and accounting obligations | Metadata in our database; payment card data is handled by our payment processor and never touches our servers |
| Server logs (IP address, user agent, request path, timestamps) | Security, debugging, abuse prevention | Application logs on Railway, retained for up to 90 days |
From end-customers (when they message a merchant)
| Data | Purpose | Storage |
|---|---|---|
| Display name and profile photo URL (from Meta, for Messenger and Instagram messages) | Show the contact in the merchant's inbox so an agent can identify the sender | PostgreSQL database (contact record) |
| Phone number (from Twilio, for SMS) | Identify the conversation and allow the merchant to reply | PostgreSQL database (contact record) |
| Platform-specific external identifiers (Meta PSID, IG-scoped ID, Twilio phone number) | Match incoming messages to the correct contact and thread | PostgreSQL database |
| Message content and attachments (text, images, media URLs) | Deliver the message to the merchant and allow them to reply | Message body in PostgreSQL; media attachments in Cloudflare R2 object storage |
| Timestamps, message status, delivery receipts | Display conversation history and delivery state | PostgreSQL database |
| Webchat visitor data (name and email if voluntarily provided, plus widget session ID) | Allow a returning visitor's conversation to be continued | PostgreSQL database |
We do not collect: browsing history outside the webchat widget, third-party tracking cookies, marketing cookies, advertising identifiers, or any data from end-customers beyond what is needed to deliver their message to the merchant.
3. How We Use Your Information
We use the data we collect solely to:
- Deliver the core inbox service — store, display, and allow agents to reply to messages from Messenger, Instagram, SMS, and webchat.
- Authenticate merchant users and maintain secure sessions (via Auth.js session cookies).
- Send transactional notifications (new-message alerts via email and web push) to merchant team members.
- Monitor service health and diagnose errors.
- Prevent abuse, spam, and security incidents.
- Comply with legal and regulatory obligations (for example, responding to lawful requests from authorities, or retaining billing records for Australian tax purposes).
We do not sell, rent, or share personal information with third parties for advertising or marketing purposes. We do not train AI models on merchant or end-customer message content.
4. Meta Platform Disclosures
We use Meta's Messenger Platform and Instagram Messaging API to receive and send messages on behalf of our merchants. When a merchant connects their Facebook Page or Instagram Business account to HiveThread:
- We request only the permissions needed to read and reply to messages (for example,
pages_messagingandinstagram_business_manage_messages). - We store the Meta access token encrypted at rest, and we use it only to read and send messages on behalf of the merchant.
- We receive end-customer profile data (display name, profile picture URL, platform-scoped ID) from the Meta APIs strictly for the purpose of displaying the conversation in the merchant's inbox.
- Merchants can disconnect the Meta integration at any time from the HiveThread settings. Disconnecting revokes our access token and stops new messages from being ingested. Historical messages already stored in the merchant's inbox are retained until deleted by the merchant or until the account is closed (see Section 7).
Your use of the Meta integration is also subject to Meta's own terms and privacy policy. See Meta's privacy policy at facebook.com/privacy/policy.
5. Twilio and SMS Disclosures
SMS messaging in HiveThread is delivered via Twilio Inc. When a merchant connects a Twilio sub-account to HiveThread, inbound and outbound SMS messages pass through Twilio's network. Twilio acts as a separate data processor and its handling of SMS data is governed by Twilio's privacy policy.
Merchants are responsible for ensuring they have a lawful basis (including, where required, prior express consent) to send SMS messages to their end-customers, in compliance with the Australian Spam Act 2003 and, for U.S. recipients, the Telephone Consumer Protection Act (TCPA).
6. Third-Party Processors (Sub-Processors)
We rely on a small number of trusted third parties to operate HiveThread. Each is bound by its own terms and privacy policy:
- Meta Platforms Ireland Ltd — Messenger Platform and Instagram Messaging API. Meta Privacy Policy
- Twilio Inc. — SMS delivery and receipt. Twilio Privacy Policy
- Railway Corp. — application hosting, managed PostgreSQL database, managed Redis cache/queue. Railway Privacy Policy
- Cloudflare, Inc. — DNS, CDN, TLS, and R2 object storage (used for message media attachments). Cloudflare Privacy Policy
- Resend — transactional email (account alerts, password resets, new-message notifications). Resend Privacy Policy
We do not currently use any separate analytics, advertising, tag-management, or session-replay services. If that changes, this policy will be updated before the service is enabled.
7. Data Retention
- Messages, contacts, and conversation history are retained for the lifetime of the merchant's account. When a merchant deletes their account, all conversation data is permanently deleted within 30 days.
- Media attachments in Cloudflare R2 follow the same lifecycle as the parent message: deleted within 30 days of account deletion.
- Application server logs are retained for up to 90 days, then deleted.
- Billing and tax records (once paid plans launch) are retained for 7 years as required by Australian taxation law.
- Backups may temporarily contain deleted data for up to 30 additional days before they themselves roll off.
A merchant may request earlier deletion at any time by contacting hello@hivethread.io.
8. Data Security
We use industry-standard safeguards:
- All traffic to and from HiveThread is encrypted in transit using TLS.
- Passwords are hashed using a modern password-hashing algorithm (never stored in plain text).
- Third-party credentials — Meta access tokens, Twilio auth tokens — are encrypted at rest using AES-256-GCM before being written to the database.
- Access to production infrastructure is restricted to authorised Funsquare personnel and protected by strong authentication.
- The database is hosted on managed infrastructure with automated backups and encryption at rest.
No system is perfectly secure. In the event of a data breach affecting personal information, we will notify affected parties and the Office of the Australian Information Commissioner (OAIC) in line with the Notifiable Data Breaches scheme under the Australian Privacy Act.
9. Your Rights
Depending on where you are located, you may have some or all of the following rights in relation to the personal information we hold about you:
- Access — request a copy of the personal information we hold about you.
- Correction — ask us to correct inaccurate or incomplete data.
- Deletion — ask us to delete personal data we hold about you, subject to legal retention obligations.
- Data portability — receive your data in a machine-readable format.
- Objection — object to certain types of processing.
- Complaint — lodge a complaint with a supervisory authority.
These rights are available under the Australian Privacy Act (Australian Privacy Principles 12 and 13) and, where applicable, the EU GDPR (Articles 15–20).
To exercise any of these rights, contact hello@hivethread.io. We will respond within 30 days. In most cases, end-customers who want their data deleted should first contact the merchant they messaged — the merchant controls the inbox data. We will assist merchants in actioning those requests.
You may also lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au, or with your relevant EU data protection authority.
10. Cookies
The HiveThread application uses only session cookies required to keep merchants signed in (via Auth.js). We do not use tracking cookies, advertising cookies, or third-party analytics cookies. The embeddable webchat widget stores a local session identifier in the visitor's browser so that a returning visitor can continue their conversation; it does not set any tracking cookies.
11. Children's Privacy
HiveThread is a business tool and is not directed at children. Merchant accounts require users to be at least 18 years old. We do not knowingly collect personal information from children under 13. End-customers who message a merchant through one of the supported channels are presumed to be in compliance with the age requirements of the underlying platform (Meta, Twilio, or the merchant's own website).
12. International Transfers
HiveThread is operated from Australia, and our primary infrastructure is provided by Railway and Cloudflare, which operate globally distributed data centres. Personal data may be processed in the United States and other jurisdictions in which our sub-processors operate. We rely on the safeguards provided by each sub-processor (including standard contractual clauses where applicable) to protect personal data during international transfers.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify merchants of material changes by email or through the app. The "Last updated" date at the top of this page will reflect the most recent change. Continued use of the Service after an update means you accept the revised policy.
14. Contact Us
For any privacy-related questions, data requests, or concerns, please contact:
HiveThread (Funsquare Pty Ltd)
Email: hello@hivethread.io
Based in New South Wales, Australia