Privacy Policy

For the purposes of UK GDPR and EU GDPR we are the Data Controller for personal information described in this Policy.

• Provide and maintain the Services – e.g. retrieve messages, send automated replies, display dashboards and analytics.
• Improve and develop new features – aggregate, anonymise or pseudonymise logs to train our AI models and enhance user experience.
• Security & fraud prevention – verify accounts, detect abuse, enforce our terms.
• Customer support – respond to enquiries and troubleshoot issues.
• Marketing (with consent) – send product updates; you may opt out at any time.
• Legal compliance – satisfy legal obligations, e.g. accounting records.

• Service providers – hosting (AWS EU-London), payment processing (Stripe), email (Postmark); bound by confidentiality agreements.
• Integrated platforms – Meta Platforms, when we process or write data back to Messenger / Instagram on your behalf.
• Legal authorities – only if required to comply with a legitimate court order or applicable law.
• Business transfers – if we are involved in a merger, acquisition or asset sale, subject to equivalent safeguards.

We never sell personal data to third parties.

Where data is transferred outside the UK or European Economic Area we rely on a valid transfer mechanism such as adequacy regulations or Standard Contractual Clauses approved by the European Commission/ICO.

• Maintain session authentication;
• Remember interface preferences;
• Compile anonymised analytics.

You can control cookies via your browser settings; however, blocking essential cookies may impair service functionality.

Subject to jurisdiction you may have the right to:

• Access a copy of your data;
• Correct inaccurate data;
• Delete or restrict processing;
• Object to processing based on legitimate interests;
• Data portability (structured, machine-readable format);
• Withdraw consent at any time (without affecting prior processing);
• Complain to the ICO or your local supervisory authority.

Exercising your rights: Email info@fiko.net or use the in-app "Request my data" option.

• TLS 1.3 encryption in transit; AES-256 at rest.
• OAuth 2.0 short-lived access tokens exchanged for long-lived page tokens stored encrypted.
• Role-based access control; least-privilege principle for employees.
• Annual penetration testing and continuous vulnerability scanning.

No system is 100% secure. If you believe your account or data has been compromised, please contact us immediately.

Fiko is intended for business users aged 18 years or older. We do not knowingly collect information from children. If we learn that we have inadvertently processed data from a child, we will delete it promptly.

We may update this Policy periodically. Significant changes will be notified via email or in-app banner. Continued use of the Services after an update constitutes acceptance of the revised Policy.

You can permanently delete your profile, all stored data and the Facebook/Instagram permissions we hold for you inside the Fiko dashboard:

1. Sign in at https://app.fiko.net and go to My Profile → Delete Account (bottom of the page).
2. Click Delete Account and confirm. Your access tokens are revoked instantly and your workspace, conversations and related personal data are queued for erasure within 24 hours.
3. A confirmation email will be sent to the address on file.

Alternative method: remove the "Fiko" app from your Facebook settings. Our system receives a de‑authorisation callback and will schedule deletion with the same 24‑hour SLA.

If you cannot access your dashboard, email info@fiko.net with subject "Data Deletion Request – <Page or IG username>" and we will erase your data within 30 days and confirm by email.