Privacy Policy

Last updated 1 June 2026.

1. Introduction and data controller

This Privacy Policy describes how Plugly processes personal data about you when you use our services, including our webshop widgets, our widgets that integrate with third-party platforms such as TikTok and Instagram (Meta), and our AI features.

The data controller is:

Bewise ApS (CVR: 38171658)
P. Nørkjærs Plads 4, 9800 Hjørring, Denmark
Email: info@plugly.io
Web: https://plugly.io

The policy applies to all visitors to plugly.io, users of the administration tool at app.plugly.io, as well as end users who view or interact with widgets displayed on our customers' websites.

For a large part of the data processed in the application itself on behalf of our customers (e.g. orders, product data, customer information and AI chat conversations), Plugly acts as data processor, and our customer (the company) is the data controller. This processing is governed by the separate Data Processing Agreement. This Privacy Policy describes the processing where Plugly itself is the data controller, and provides a general overview of how the service works.

2. Definitions

User: A person who has a Plugly account (typically a webshop owner or marketing manager).

End User: A visitor on a website where a Plugly widget is embedded.

Company: The company on whose behalf the user uses the application, and whose online solution is processed in the application.

Third-party Platform: External services such as TikTok and Instagram (Meta) that the user can connect to the application in order to fetch and display content.

AI Feature: Features in the application that use artificial intelligence, including AI chat, where an external AI provider is used.

Widget: The embeddable element displayed on the user's website, e.g. a search feature, a display of content from a third-party platform, or an AI chat.

Personal data: Any information that can directly or indirectly identify a natural person.

3. Data we collect

3.1 Data you provide to us

  • Name, email address and password (when creating an account)
  • Company information (company name, CVR number, billing address)
  • Payment information (handled by our payment data processor - we do not store card numbers ourselves)
  • Information you enter yourself, e.g. comments or support requests

3.2 Data we collect automatically

  • Technical information: IP address, browser type, operating system, timestamp
  • Usage data: which pages you visit in the administration tool, which features you use
  • Widget statistics (impressions, clicks, conversion) - see section 12 about the use of a pseudonymous session ID for effectiveness measurement

3.3 Data from third-party platforms

When you as a user connect a TikTok or Instagram account to Plugly, we fetch data from the platform in question. This is described in more detail in section 4.

3.4 Data in AI features

When an end user uses an AI chat, the content of the conversation is processed. This is described in more detail in section 5.

4. Data from third-party platforms (TikTok, Instagram, Meta)

When a user connects an account from a third-party platform to Plugly, we act as data processor for the content we fetch on the user's behalf from those platforms. We only fetch data from accounts the user has explicitly connected and consented to via the platform's official OAuth flow.

4.1 TikTok Display API

Our TikTok widget uses the TikTok Display API (also called TikTok Login Kit / Content Posting API for display purposes). When you connect your TikTok account, we fetch and display the following data from your TikTok account:

  • Profile information: username, profile picture, display name, follower count, video count (via scopes user.info.basic, user.info.profile, user.info.stats)
  • Video metadata: video ID, title/description, thumbnail URL, embed link, video duration, creation time, view count, like count, comment count, share count, music information (via scope video.list)
  • OAuth tokens: access_token (valid 24 hours) and refresh_token (valid 1 year) - stored encrypted and used solely to fetch data from your account

We do not fetch or store the video files themselves. Videos are always played via TikTok's official embed player. Only thumbnails are cached for performance reasons.

Use of TikTok data is subject to TikTok's Terms of Service and TikTok Developer Terms of Service.

4.2 Instagram API / Meta Platforms

Our Instagram widget uses the Instagram API with Instagram Login provided by Meta Platforms. When you connect your Instagram Business or Creator account, we fetch and display the following data:

  • Profile information: username, profile picture, account type (BUSINESS/CREATOR), follower count, post count (via scope instagram_business_basic)
  • Post metadata: post ID, type (IMAGE/VIDEO/CAROUSEL_ALBUM), media URL, thumbnail URL, caption, like count, comment count, permalink, creation time
  • Carousel children: for posts with multiple media items we fetch the individual underlying images/videos
  • OAuth tokens: long-lived access_token (valid 60 days, refreshable) - stored encrypted

Personal Instagram accounts are not supported; only Business and Creator accounts can be connected.

Use of Instagram/Meta data is subject to Meta's Terms of Service, Meta Platform Terms and Instagram Platform Policy.

4.3 What we do not collect

  • We do not fetch private messages (DMs)
  • We do not fetch Stories
  • We do not fetch comments or other people's content that you have not posted yourself
  • We do not track individual end users on the pages where the widget is displayed (no tracking cookies from the widget)
  • We do not sell or share data from third-party platforms for any purpose other than operating the widget

5. AI features and AI chat

Plugly offers AI features, including an AI chat that the company can embed on its website and that end users can write to. To generate responses, we use an external AI provider, currently Google (Gemini via Google Cloud Vertex AI).

For AI chat conversations, Plugly acts as data processor on behalf of the company, which is the data controller. The processing is governed by the Data Processing Agreement. This section describes how the feature works.

5.1 How data is processed in the AI chat

  • When an end user writes in the chat, the message and relevant context are sent to the AI provider for the purpose of generating a response and determining which of the application's own tools to use to look up data (e.g. order or product information).
  • Processing at the AI provider takes place in an EU region.
  • The end user can in principle write any information in the chat, including personal data. We encourage end users not to enter sensitive personal data in the chat, and the company using the chat is responsible for informing its end users about this.

5.2 What we and the AI provider do not do

  • The AI provider, on the paid service we use, does not use the submitted data to train or improve its models.
  • We do not use the content of AI chat conversations to train our own AI models. We may use anonymised and aggregated data to improve the service, cf. section 6.
  • The AI provider may store data for a limited period for operational and abuse-monitoring purposes in accordance with the provider's terms. The AI provider is listed in the list of data processors in section 7 and in the Data Processing Agreement.

7. Sharing of data and data processors

We do not share your personal data with others, apart from the following data processors that help us operate the service:

  • Hetzner Online GmbH (Germany, EU) - hosting of the Plugly application and databases
  • Frisbii (formerly Billwerk+ Denmark ApS) (Denmark, EU) - handling of payment, subscription and payment confirmations
  • Google Ireland Ltd. (EU) - AI functionality (Gemini via Vertex AI), cf. section 5
  • Simply.com A/S (Denmark, EU) - DNS and mail hosting for sending system and transactional emails from Plugly

We have entered into data processing agreements with all relevant data processors in accordance with the GDPR. We may also disclose data to authorities if we are legally obliged to do so.

8. Transfers outside the EU/EEA

Our data processors are, as a rule, located within the EU/EEA, and data is processed in the EU/EEA. Where a data processor exceptionally processes data outside the EU/EEA, this takes place on the basis of the EU Commission's Standard Contractual Clauses (SCCs) and/or the EU-US Data Privacy Framework, and we ensure that the recipient complies with the GDPR's data protection requirements.

9. Retention period

We retain data for as long as it is necessary for the purposes for which it was collected and as required by law:

  • Account data: for as long as your account is active. Deleted or anonymised no later than 30 days after termination of the account or after a request for deletion. During this period, the account can be reopened with data intact.
  • Billing data: 5 years, cf. the Danish Bookkeeping Act.
  • AI chat conversations: deleted or anonymised no later than 12 months after they were completed, and upon termination of the account (cf. above). The processing takes place on behalf of the company, cf. the Data Processing Agreement.
  • OAuth tokens from TikTok/Instagram: for as long as you have an active connection. Deleted within 24 hours after you disconnect the account.
  • Cached content from TikTok (thumbnails) and Instagram (media): updated on an ongoing basis (typically every 60 minutes). Deleted within 24 hours after you disconnect the account, delete a widget, or when a post is removed on the original platform.
  • Logs: max. 90 days.
  • Aggregated analyses: may be retained indefinitely in anonymised form.

10. Your rights

Under the GDPR you have the following rights:

  • Access: you can find out what information we process about you
  • Rectification: you can have inaccurate information corrected
  • Erasure ("the right to be forgotten"): you can have your information deleted, unless we are legally obliged to retain it
  • Restriction: you can ask us to restrict the processing
  • Data portability: you can have your data provided in a structured, commonly used and machine-readable format
  • Objection: you can object to processing based on legitimate interest
  • Withdrawal of consent: you can withdraw a consent at any time
  • Complaint: you can complain to the Danish Data Protection Agency (see section 16)

To exercise your rights, please contact us at info@plugly.io. We respond to requests within 30 days.

Please note: if your request concerns data that we process on behalf of a company (data controller) - e.g. an AI chat conversation on a webshop - we will refer you to or coordinate with the company in question, which is responsible for that data.

12. Cookies and tracking

On plugly.io and app.plugly.io we use:

  • Necessary cookies for login session and CSRF protection - set without consent, as they are strictly necessary
  • Statistics cookies for anonymised product analysis - only set after consent

In widgets embedded on our customers' websites, we do not use tracking cookies for marketing. We use only strictly technically necessary cookies/storage to remember display state (e.g. whether the user has opened a modal or a chat).

To measure widget effectiveness for the individual webshop, we use a pseudonymous session ID that makes it possible to see whether, for example, a search led to an order. We do not identify the end user by name, but a session ID is considered personal data (an online identifier). This measurement takes place on behalf of the webshop where the widget is embedded, and the webshop is the data controller for the processing, cf. the Data Processing Agreement. Counters of how many times our widget file is served (used for billing) are pure counts and do not contain personal data.

13. Data security

We take data protection seriously and have implemented appropriate technical and organisational security measures, including:

  • Encryption in transit (TLS 1.2+) for all connections
  • Encryption of sensitive data at rest (AES-256), including all OAuth tokens from TikTok and Instagram
  • Access control and logging of administrator access
  • Regular backups and recovery testing
  • Vulnerability monitoring and updating of dependencies
  • Restricted access for employees, only on a need-to-know basis

In the event of a data breach that poses a high risk to data subjects, we will notify the Danish Data Protection Agency within 72 hours and the affected users without undue delay.

14. Children

Plugly is a service for business customers and is not directed at children under 18. We do not knowingly collect personal data about children. If you discover that we have done so anyway, please contact us so that we can delete it.

15. Changes to the policy

We may update this policy from time to time. The version applicable at any given time is available at plugly.io/privacy. In the event of material changes, we will notify you via email or in the administration tool before the change takes effect.

16. Contact and complaints

If you have questions about this Privacy Policy or our processing of your information, please contact us:

Bewise ApS
Email: info@plugly.io

You have the right at any time to complain to the Danish Data Protection Agency about our processing of your personal data:

Datatilsynet
Carl Jacobsens Vej 35
2500 Valby, Denmark
Email: dt@datatilsynet.dk
Web: www.datatilsynet.dk