Privacy Policy
Last updated: March 6, 2026
This Privacy Policy explains how Nazh Lawrenze Romero ("I", "my") collects,
uses, and handles information when you interact with Ace Bot Test,
my automated Facebook Messenger assistant (the "Service").
Note: This bot is currently in a testing phase and is not yet
connected to the official Ace Apparel Facebook Page. It is being used to validate
functionality and behaviour before a full production deployment.
1. Information I Process
When you send a message to Ace Bot Test, the following data is handled:
- Facebook Profile Information — your first name and last name,
retrieved from the Facebook Graph API to personalise responses. This is not
written to a database.
- Page-Scoped User ID (PSID) — a Facebook-assigned identifier
unique to your interaction with my Page. Stored in a Redis database (Upstash)
to manage conversation state (e.g. whether you have been welcomed, whether an
admin has taken over the chat). Session records expire automatically after
90 days of inactivity.
- Message Content — the text of your messages is processed
in real time to generate a response. If your message contains a sensitive
keyword (such as a refund or complaint request), the message text, your name,
and your PSID are included in an email alert sent to me as the admin.
That email is retained in my inbox until manually deleted.
- Message IDs — unique identifiers assigned by Facebook to each
message are stored in Redis for up to 5 minutes to prevent duplicate processing
of retried deliveries. They are automatically deleted after this window.
2. How I Use Your Information
- To provide automated customer support responses through the bot.
- To route sensitive inquiries (e.g. refunds, complaints) to me as the human
admin for follow-up via Facebook Page Inbox.
- To maintain conversation state (e.g. whether you have already been welcomed,
whether an admin currently has the thread) across sessions using a persistent
Redis database.
- To prevent abuse — message IDs are stored in Redis for up to 5 minutes to
avoid processing duplicate deliveries from Facebook's servers.
3. Third-Party Services
This Service relies on the following third-party platforms, each with their own privacy practices:
- Meta / Facebook — all Messenger conversations are subject to
Meta's Privacy Policy. I receive webhook events from Meta's servers and
send responses via the Messenger Send API.
- Google Gemini AI — for messages that do not match a product
in my catalogue, your message text is sent to Google's Gemini API to generate
a response. This is subject to
Google's Privacy Policy. I do not instruct Google to train on your data,
but I cannot guarantee Google's handling of API inputs beyond their published terms.
- Gmail (Google) — admin alert emails are sent and received
via Gmail. These emails may contain your name, PSID, and message content as
described in Section 1.
- Upstash (Redis) — session state (your PSID and conversation
flags) and message deduplication IDs are stored in a Redis database hosted by
Upstash. Session data is retained for up to 90 days of inactivity and then
automatically deleted. Message IDs are retained for up to 5 minutes. See
Upstash's Privacy Policy.
- Render — this bot is hosted on Render's cloud platform.
Server logs may contain request metadata such as IP addresses and timestamps.
See Render's Privacy Policy.
4. Data Retention
- Session data (PSID, conversation state, rate-limit counters)
— stored in a Redis database (Upstash) and automatically deleted after 90 days
of inactivity. Each time you interact with the bot, the 90-day expiry clock
resets.
- Message deduplication IDs — stored in Redis for up to 5
minutes, then automatically deleted.
- Admin email alerts — retained in my Gmail inbox until I
manually delete them. If you want a copy of or deletion of any alert
containing your information, contact me at the address below and I will
action it within 7 days.
- Facebook conversation history — governed by Meta's data
retention policies, not mine.
5. Data Deletion
To remove your conversation history with the bot, you can delete the thread
directly within the Facebook Messenger app. To request deletion of your session
data stored in Redis or any admin alert email containing your personal information,
contact me at nlawrenzer@gmail.com and I will delete it within
7 days. Note that session data also expires automatically after 90 days of
inactivity without any action required on your part.
6. Children's Privacy
This Service is not directed at children under the age of 13. I do not knowingly
collect personal information from children. If you believe a child has interacted
with this Service, please contact me and I will take appropriate action.
7. Changes to This Policy
I may update this Privacy Policy from time to time. Changes will be reflected
by updating the "Last updated" date at the top of this page. Continued use of
the Service after any changes constitutes acceptance of the updated policy.
8. Contact
For any questions about this Privacy Policy or to make a data request, contact me at:
nlawrenzer@gmail.com