Privacy Policy
Version 1.0 · Effective: 15 April 2026 · Last updated: 15 April 2026
Messagio ("we", "us", "our") is committed to protecting your personal data in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679 – "GDPR") and Greek Law 4624/2019. This Privacy Policy explains what personal data we collect, how we use it, on what legal basis, and what rights you have.
1. Data Controller
The data controller responsible for processing your personal data is:
- Mariza Katsantoni, sole proprietor (ατομική επιχείρηση), trading as "Messagio"
- VAT number (ΑΦΜ): 076937952
- Tax Office (ΔΟΥ): ΚΕΦΟΔΕ Αθηνών
- Contact email: hello@bigg.gr
- Website: https://messagio.app
Data Protection Officer (DPO)
Mariza Katsantoni acts as our Data Protection Officer. You may contact the DPO for any privacy-related inquiries at hello@bigg.gr.
2. Scope of This Policy
This policy applies to:
- Visitors to messagio.app and its subdomains
- Registered account holders ("Tenants" / "Customers") of the Messagio platform
- Team members invited by our Customers
When end-users (for example, your Customer's customers who chat through our widget) interact with our platform, our Customer is the data controller for those interactions and we act as data processor. The relationship between us and our Customer is governed by our Data Processing Agreement.
3. Personal Data We Collect
3.1 Information you provide
- Account data: full name, email address, password (hashed), company name, phone number, avatar image (optional)
- Billing data: company billing name, billing email, billing address, VAT number, tax office, business activity. Payment card details are processed directly by Stripe and never stored on our servers.
- Content: messages, attachments, contact details, knowledge-base documents, AI agent configuration, and any other data you upload or create inside the platform
- Support communications: correspondence with our support team
3.2 Information collected automatically
- Technical data: IP address, browser type and version, operating system, device identifiers, referrer URL, pages visited, timestamps
- Authentication data: login timestamps, session tokens, JWT claims
- Analytics data: aggregated usage statistics via Google Analytics 4 (only if you consent to analytics cookies)
3.3 Information from third parties
- Google OAuth: if you sign up with Google, we receive your name, email, and profile picture from Google
- Meta (Facebook/Instagram): if you connect a Facebook Page or Instagram account, we receive the access tokens and basic page/account information needed to send and receive messages on your behalf
- Email providers (Gmail): if you connect a Gmail account, we receive OAuth tokens and access the emails you authorize
4. How We Use Your Data and the Legal Basis
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Providing the platform and its features (account management, messaging, AI auto-reply, conversations, integrations) | Performance of a contract (Art. 6(1)(b)) |
| Processing payments and issuing invoices | Performance of a contract + Legal obligation (tax law) (Art. 6(1)(b), (c)) |
| Sending service-related emails (password reset, verification codes, billing notifications) | Performance of a contract (Art. 6(1)(b)) |
| Fraud prevention, abuse detection, platform security | Legitimate interests (Art. 6(1)(f)) |
| Marketing communications (newsletters, product updates) | Consent (Art. 6(1)(a)) — you may unsubscribe at any time |
| Analytics and product improvement | Consent (Art. 6(1)(a)) via cookie banner |
| Complying with legal obligations (accounting, responding to authorities) | Legal obligation (Art. 6(1)(c)) |
5. AI Processing
Messagio uses third-party AI providers (OpenAI and Anthropic) to power its "Melina AI" auto-reply agent, knowledge-base search and classification. When an AI feature is invoked:
- The relevant conversation context is sent to the AI provider's API to generate a response
- Your data is NOT used to train any AI model. We use these providers' API tiers where input/output are explicitly excluded from model training
- AI providers may retain API inputs for up to 30 days for abuse monitoring, after which they are deleted
- AI responses are generated in real time and are clearly labelled as AI-generated where applicable
For more details, see our AI Disclosure.
6. Data Storage and Location
Our servers are hosted on Google Cloud in the European Union (Frankfurt, Germany — region europe-west3). Your data is stored and processed on servers physically located within the EU.
Some of our sub-processors (e.g. OpenAI, Stripe) may process data in the United States. These transfers are protected by:
- The EU-US Data Privacy Framework (DPF), to which Google, Stripe and OpenAI are certified, and/or
- Standard Contractual Clauses (SCCs) approved by the European Commission under Implementing Decision (EU) 2021/914
See the full list of sub-processors and their safeguards in our Sub-processors List.
7. Data Retention
- Account data: retained for the lifetime of your account
- Conversations and messages: retained for 12 months after a conversation is closed or after account deletion, then permanently deleted
- Billing records and invoices: retained for 10 years to comply with Greek and EU accounting/tax law (Law 4308/2014)
- Login and audit logs: retained for 12 months, then deleted
- Marketing consents: retained until withdrawal of consent, plus 3 years for evidence of consent (as recommended by the EDPB)
- Legal acceptance records (DPA/Terms/Privacy): retained for the lifetime of your account plus 5 years as evidence
- Deletion requests: once submitted, your account enters a 30-day grace period and is then permanently and irreversibly deleted
8. Sharing Your Data
We share data only with:
- Sub-processors that help us deliver the service (see Sub-processors List). All sub-processors are bound by written data processing agreements and appropriate safeguards
- Competent authorities, when required by law, court order, or to prevent fraud and protect our rights
- Acquirers, in the event of a merger, acquisition or sale of business assets — in which case we will notify you in advance and you will retain all GDPR rights
We do not sell your personal data to third parties.
9. Your Rights Under GDPR
You have the following rights at no cost:
- Right of access (Art. 15) — obtain a copy of your personal data
- Right to rectification (Art. 16) — correct inaccurate data
- Right to erasure / "right to be forgotten" (Art. 17) — request deletion of your data
- Right to restrict processing (Art. 18)
- Right to data portability (Art. 20) — receive your data in a machine-readable format
- Right to object to processing based on legitimate interests (Art. 21)
- Rights in relation to automated decision-making (Art. 22) — we do not use solely-automated decisions that produce legal effects
- Right to withdraw consent at any time (Art. 7(3))
- Right to lodge a complaint with the Hellenic Data Protection Authority (see Section 14)
You can exercise most rights directly inside your account dashboard under Settings → Privacy & Data, or by emailing hello@bigg.gr. We will respond within one month as required by Art. 12(3) GDPR.
10. Security
We implement appropriate technical and organizational measures to protect your data, including:
- TLS 1.2+ encryption for data in transit
- Encryption at rest (AES-256) on Google Cloud volumes
- Bcrypt password hashing
- Role-based access control and tenant isolation
- JWT-based authentication with short-lived tokens
- Regular security updates and dependency monitoring
- Incident response procedures including breach notification within 72 hours (Art. 33 GDPR)
11. Cookies and Similar Technologies
We use cookies and local storage to operate the platform, remember your preferences, and (with your consent) analyse usage. See the Cookie Policy for details. You can manage your preferences at any time via the "Cookie Preferences" link in the site footer.
12. Children
Messagio is not directed to children. Users must be at least 18 years of age. We do not knowingly collect personal data from persons under 18. If you believe a minor has provided data to us, please contact us and we will delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified to account holders by email and/or via an in-app banner at least 30 days before they take effect. The effective date at the top indicates the latest version.
14. Contact and Complaints
For any question about this policy or to exercise your rights, contact:
- Email: hello@bigg.gr
- Post: Mariza Katsantoni, Athens, Greece (full address available on request)
You also have the right to lodge a complaint with the Hellenic Data Protection Authority:
- Kifissias 1-3, 115 23 Athens, Greece
- Phone: +30 210 6475 600
- Website: www.dpa.gr