Privacy & Data Protection

Privacy Policy

klikodoo is committed to protecting your privacy and handling your data responsibly. This policy explains what data we collect, how we use it, and your rights.

Effective: January 1, 2025
Last Updated: April 2025
Applies to: klikodoo.id
Contact: privacy@klikodoo.id

1. About klikodoo

klikodoo (klikodoo.id) is a SaaS (Software as a Service) platform that enables businesses ("Users") to manage multi-channel customer communications from a single unified dashboard. Our platform integrates with WhatsApp, Facebook Messenger, Instagram Direct Messages, Shopee, TikTok Shop, and other channels.

In this Privacy Policy, "we", "us", or "klikodoo" refers to the operator of klikodoo.id. "You" refers to any person accessing or using our platform — including business owners (account holders) and customer service agents (sub-users).

Tech Provider Context: klikodoo operates as a Tech Provider. When businesses connect their social media accounts (Facebook Pages, Instagram Business accounts) to our platform, they do so via official OAuth authorization. We access third-party platform data strictly on behalf of and with explicit consent from the connecting business.

2. Data We Collect

2.1 Account & Registration Data

  • Name, email address, phone number
  • Company name, business address, city
  • Profile picture (optional)
  • Password (stored as bcrypt hash — never in plain text)
  • Subscription plan and billing records

2.2 Communication Data

  • Messages received and sent via connected channels (WhatsApp, Messenger, Instagram DM, Shopee, TikTok Shop)
  • Conversation threads, timestamps, and read/unread status
  • Contact information of your customers (name, phone number, as provided through the channel)
  • Media files (images, documents, audio) exchanged in conversations

2.3 Platform Integration Data

  • OAuth access tokens and refresh tokens from connected platforms (Facebook, Instagram, Shopee, TikTok Shop)
  • Page IDs, account IDs, and shop IDs associated with connected accounts
  • Profile metadata (page name, profile picture, follower count) from connected social accounts

2.4 Usage & Technical Data

  • Log data: IP address, browser type, operating system, pages visited, timestamps
  • Session data stored in encrypted cookies
  • Error logs and crash reports (for debugging)
  • Feature usage analytics (which features are used, frequency)

2.5 Payment Data

Payment processing is handled by third-party payment gateways (Midtrans, Xendit). We do not store credit card numbers or full payment credentials. We store transaction references, payment status, and subscription history.

3. Third-Party Platform Integrations

klikodoo connects to multiple third-party platforms on your behalf. Each platform has its own terms and privacy policies. By connecting these platforms, you authorize klikodoo to access data as described below.

  • Facebook / Meta: Pages, Messenger conversations, Instagram DMs & comments, publishing
  • Instagram: Business account profile, Direct Messages, comments on posts
  • WhatsApp: Messages via WhatsApp Web protocol or Meta Cloud API
  • Shopee: Shop chat messages, buyer conversations via Shopee Open Platform
  • TikTok Shop: Seller chat conversations, order-related messages (incl. Tokopedia)

4. Meta Platform Permissions

klikodoo requests the following Meta platform permissions when businesses connect their Facebook or Instagram accounts. All permissions are used strictly for the described purposes and in compliance with Meta's Platform Policy.

instagram_business_basic

Used to retrieve the connected Instagram Business account's profile metadata — account ID, username, display name, and profile picture — for display in the klikodoo dashboard so agents can identify which account they are managing.

instagram_business_manage_messages

Used to receive and respond to Instagram Direct Messages on behalf of the connected Instagram Business account. This enables the core unified inbox functionality — incoming DMs appear in real-time, and agents can reply without switching to the Instagram app.

instagram_manage_messages

Used identically to instagram_business_manage_messages to ensure compatibility with Instagram accounts connected via the Facebook Login for Business flow. Only used for Instagram Business and Creator accounts that have explicitly authorized our app via OAuth.

instagram_business_manage_comments

Used to receive notifications of comments on posts belonging to the connected Instagram Business account, and to allow agents to reply to those comments from within klikodoo.

instagram_business_content_publish

Used to publish image posts, video posts, Reels, and carousel posts to Instagram Business accounts from klikodoo's Social Compose feature. Also used to schedule posts for future publication.

pages_show_list

Used to retrieve the list of Facebook Pages managed by the authenticated user during the OAuth onboarding flow, so the user can select which Page(s) to connect to klikodoo.

pages_manage_metadata

Used to subscribe klikodoo's webhook endpoint to receive real-time notifications of incoming Messenger messages and Instagram DMs from connected Facebook Pages.

pages_messaging

Used to receive incoming Facebook Messenger messages from customers and to send replies on behalf of the connected Facebook Page via the Send API.

pages_read_engagement

Used to read Page follower counts, recent posts, and engagement metrics for display in the klikodoo Social Analytics dashboard.

business_management

Required by Meta as a dependency for pages_messaging in Tech Provider apps. Used to verify the connecting user has appropriate business management roles for the assets they are connecting.

Human Agent Tag

klikodoo uses the HUMAN_AGENT message tag to allow customer service agents to respond to conversations that have exceeded the standard 24-hour messaging window (up to 7 days). This tag is used exclusively for genuine human-to-customer support responses. It is never used for automated bot replies, promotional messages, or marketing content.

Data Minimization: We only access Meta platform data that is necessary to provide the service. We do not access personal Facebook profiles, personal messages, or any data from accounts that have not explicitly authorized our app via OAuth.

5. Marketplace Integrations

Shopee

When you connect a Shopee shop to klikodoo via Shopee Open Platform OAuth, we access:

  • Shop ID and shop profile information (name)
  • Incoming chat messages from buyers in your Shopee shop
  • OAuth access token (stored encrypted, used to send replies on your behalf)

We do not access Shopee financial data, product listings, or order details beyond what is contained in chat messages.

TikTok Shop

When you connect a TikTok Shop seller account via TikTok Shop Partner OAuth, we access:

  • Seller Open ID and shop name
  • Incoming chat messages from buyers (type 14 webhook events)
  • New conversation notifications (type 13 webhook events)
  • OAuth access token and refresh token (stored encrypted)

TikTok Shop is integrated with Tokopedia in certain regions. Connecting your TikTok Shop account may provide access to messages from both platforms through the same credentials.

We do not access TikTok social media content, personal TikTok profiles, or any data outside the TikTok Shop seller messaging scope.

6. WhatsApp Data

klikodoo supports two WhatsApp integration methods:

WhatsApp Web (Baileys)

The WhatsApp Web integration uses an unofficial WhatsApp Web protocol library. By using this integration, you accept that this is not an officially supported Meta/WhatsApp integration. Messages are transmitted through your connected device session. We store message content to power the inbox. Use of this method is at your own risk and subject to WhatsApp's Terms of Service.

Meta WhatsApp Cloud API

The official WhatsApp Cloud API integration uses Meta-approved credentials. Data handling is governed by Meta's Platform Policy in addition to this Privacy Policy. We store incoming and outgoing message content, phone numbers, and media files as necessary to operate the inbox.

WhatsApp End-to-End Encryption: WhatsApp messages are end-to-end encrypted in transit between users and WhatsApp servers. When messages are delivered to our webhook (Cloud API) or session (Web), they are stored in our database to power your inbox. They are protected at rest using industry-standard security practices.

7. How We Use Your Data

  • Provide the service: Displaying messages, routing conversations to agents, enabling replies
  • Account management: Authentication, subscription management, billing
  • Notifications: Real-time alerts for new messages, system notifications
  • Analytics: Aggregated usage statistics to improve the platform (never sold to third parties)
  • Support: Diagnosing issues, responding to support tickets
  • Security: Detecting fraud, abuse, and unauthorized access
  • Legal compliance: Meeting obligations under applicable laws

We do not use your data or your customers' message data for advertising, training AI models on your private conversations, or any purpose beyond operating the platform.

8. Data Sharing & Disclosure

We do not sell your data. We share data only in the following limited circumstances:

  • Third-party platforms you connect: When you send a reply, we transmit that message to the relevant platform (Meta, Shopee, TikTok) on your behalf.
  • Payment processors: Transaction data is shared with Midtrans and/or Xendit solely for payment processing.
  • Cloud infrastructure: We use cloud hosting and storage providers. Data is processed under data processing agreements (DPAs).
  • Legal requirements: We may disclose data if required by law, court order, or to protect the rights and safety of our users.
  • Business transfers: In the event of a merger or acquisition, user data may be transferred as part of that transaction with prior notice.

9. Data Retention

  • Account data: Retained for the duration of your subscription and up to 30 days after account deletion, to allow recovery.
  • Message data: Retained while your account is active. Deleted within 30 days of account deletion.
  • OAuth tokens: Retained while the integration is connected. Immediately invalidated and deleted when you disconnect an account.
  • Payment records: Retained for 7 years as required by Indonesian financial regulations.
  • Logs: System logs are retained for up to 90 days for security and debugging purposes.

You may request deletion of your data at any time by contacting us at privacy@klikodoo.id or by deleting your account from the Settings page.

10. Security

We implement industry-standard security practices to protect your data:

  • All data in transit is encrypted via TLS 1.2+
  • Passwords are hashed using bcrypt with appropriate salt rounds
  • OAuth access tokens are stored encrypted at rest
  • Sessions use cryptographically signed cookies with HttpOnly and Secure flags
  • CSRF protection on all state-changing requests
  • Regular security updates and dependency audits
  • Access to production data is restricted to authorized personnel only

Despite our efforts, no security system is impenetrable. In the event of a data breach that affects your rights and freedoms, we will notify you as required by applicable law.

11. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate personal data
  • Deletion: Request deletion of your personal data ("right to be forgotten")
  • Restriction: Request that we restrict processing of your data
  • Portability: Receive your data in a machine-readable format
  • Objection: Object to processing based on legitimate interests

To exercise any of these rights, contact us at privacy@klikodoo.id. We will respond within 30 days.

Meta Data Deletion

If you connected a Facebook or Instagram account to klikodoo and wish to request deletion of all associated data, you may:

  1. Disconnect the account from klikodoo Settings → Social Accounts → Disconnect
  2. Email privacy@klikodoo.id with subject "Meta Data Deletion Request"
  3. Or revoke app access directly from your Facebook Settings → Apps and Websites

Upon receiving a deletion request, we will remove all associated tokens, messages, and account data within 30 days and confirm by email.

12. Cookies

klikodoo uses the following types of cookies:

  • Session cookies: Essential for authentication and maintaining your logged-in state. These are HttpOnly and cannot be accessed by JavaScript.
  • CSRF tokens: Security cookies that protect against cross-site request forgery attacks.
  • Preference cookies: Store your language and theme preferences (e.g., site_lang).
  • Analytics cookies: We may use privacy-respecting analytics to understand platform usage. No personal data is shared with advertising networks.

We do not use third-party advertising cookies or tracking pixels for ad targeting. You can disable cookies in your browser settings, but this will prevent you from logging in to the platform.

13. Children's Privacy

klikodoo is a business-to-business (B2B) SaaS platform intended for use by businesses and their employees. It is not directed at children under 13 (or under 16 in applicable jurisdictions). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately at privacy@klikodoo.id.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page
  • Send an in-app notification and/or email to registered account holders
  • For significant changes, request re-acceptance before continued use

Your continued use of klikodoo after the effective date of the updated policy constitutes your acceptance of the changes.

15. Contact Us

Questions about your privacy?

Our team is here to help with any privacy-related questions, data requests, or concerns.

privacy@klikodoo.id

klikodoo  ·  klikodoo.id  ·  Indonesia