Privacy Policy
Last updated: 12 May 2026 · Data controller: Oğuzhan Solmaz (sole proprietor operating the Mesajly product)
This Privacy Policy describes how Mesajly collects, uses, stores, and shares personal data when you use our unified customer communication workspace (Instagram, WhatsApp Business, Gmail, CRM, messaging, automation, and related features).
A Turkish version with additional regulatory context is published at our Turkish Privacy Notice.
Google Account & Gmail (OAuth)
If you connect Gmail, Mesajly requests this Gmail API scope for sending only: https://www.googleapis.com/auth/gmail.send
We use Gmail data only:
- To send messages you initiate from Mesajly (including attachments you choose)
- To preserve reply threading headers (In-Reply-To / References) for messages sent from Mesajly
- Inbound email reception is handled by forwarding infrastructure, not Gmail read scopes
- To store OAuth tokens and sync state so integration works until you disconnect
Google user data handled under this integration is restricted as described below under Limited Use of Google User Data.
1. Categories of Personal Data We Process
- Account/workspace: name, email, company/workspace name (Supabase Auth), security credentials we do not retain in plain text beyond what the auth provider manages.
- Team management data: invited teammate email addresses, assigned workspace role, invitation status, acceptance timestamps, and workspace membership activity metadata used to operate multi-user access.
- Instagram (Meta): business account identifiers, tokens, messaging content and sender identifiers tied to scopes you authorize (published in detail in Turkish notice).
- WhatsApp Business (Meta via Facebook Login): messaging identifiers, message content associated with linked phone numbers/workspaces under granted permissions.
- Gmail (Google): as summarized in the box above plus refresh tokens or access tokens retained for provisioning the connected mailbox.
- CRM and user-created content: contacts you add, templates, annotations, pipelines, outbound messages authored in Mesajly.
- Optional AI: when you activate AI-assisted features, text you explicitly send us is processed via our AI provider solely to produce in-app outputs (not for third-party ads).
- Operational: limited technical logs, hosting metadata, transactional email delivery (notification provider), and telemetry needed to secure the service.
2. Purpose and Legal Basis
We process data to deliver contractual features (billing, onboarding, integrations you enable), safeguard the service, fulfil legal bookkeeping requirements, and—with your actions—provide optional integrations and AI-assisted tools visible in the Mesajly interface. We do not sell your personal message content to data brokers or use it for off-platform advertising profiling.
3. Limited Use of Google User Data
Mesajly's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. In plain terms:
- Google user data accessed via Gmail API is used only to provide Mesajly's user-facing email features tied to your connected inbox.
- We do not use Google users' Gmail data for serving ads from Mesajly, including personalization or remarketing sourced from Gmail content.
- We do not sell Google users' Gmail content to advertising platforms or data brokers.
- Human access occurs only within permitted exceptions—for example aggregated internal operations, security/abuse mitigation, complying with applicable law—or when technically necessary—and not routinely for inspecting private mail unrelated to resolving an incident.
- Transfers beyond these purposes follow the allowances in the Limited Use provisions (delivery of user-visible features with appropriate consent/security, mergers with notice where required, etc.).
4. Sharing and Subprocessors
We delegate infrastructure and providers only as reasonably needed—for example Meta (Instagram/WhatsApp), Google (when you connect Gmail), hosting (e.g., Vercel), databases/real-time (Supabase), payment processing (when used), transactional email vendor, operational monitoring. Agreements with vendors require appropriate safeguards. See Turkish notice for granular tables when needed for regional compliance statements.
5. Storage, Encryption, Security
We enforce HTTPS/TLS across the client connection. Sensitive integration secrets—including OAuth secrets where activated—may be stored using strong encryption-at-rest workflows. Access is segmented by authenticated workspace memberships and server-side authorization checks mirroring CRM ownership.
6. Retention
Data is retained while your subscription/workspace is active. After cancellation or instructed deletion workflows, conversational content is removed within the windows described in Turkish policy (subject to lawful holds). Gmail tokens cease to function when you revoke or disconnect the integration inside Mesajly.
7. Rights for European or Turkish Residents
You may withdraw consent for optional integrations anytime by disconnecting in Settings → Integrations or mailing our privacy desk. Regulatory requests pertaining to Türkiye (KVKK) may be lodged per KVKK Aydınlatma.
8. Transparency & Homepage Link
This Privacy Policy publicly appears at /privacy-policy on Mesajly's production homepage domain. Maintain the identical URL inside Google Cloud OAuth consent screen configuration whenever Google requests brand verification parity. In-product disclosures for Gmail appear on Settings → Integrations (Ayarlar → Entegrasyonlar) before you start Google authorization.
9. Cookie Notice
See Cookie Policy.
10. Questions
Reach us at iletisim@mesajly.com for privacy and security questions.
Meta and Google services remain subject to those companies' own policies alongside this Mesajly policy.