Darto Privacy Policy
Last update: 2026-03-27
Owner: David Chicano
Contact email: [email protected]
Country: Spain
Darto is a SaaS platform for businesses that automates customer communication and operational workflows through messaging channels and optional integrations. This policy explains what data we access, how we use it, who we share it with, how we protect it, and how users can request deletion.
1. Data we process
1.1 Account and business data
- Business account name, email address, and login data.
- Business information entered by the user or publicly available, such as business name, address, opening hours, or descriptions.
- Assistant settings, connected integrations, and operational preferences.
1.2 Messaging and service usage data
- Messages sent and received through connected channels such as WhatsApp Business and Instagram.
- Operational and technical data needed to run the service, including logs, IP addresses, internal metrics, and error records.
1.3 Optional integration data
If the business owner chooses to connect a third-party integration in Darto, we may access and process the minimum data needed to configure that integration and provide the requested functionality. Depending on the integration, this may include account or business identifiers, configuration data, availability data, operational data, and other information needed to query or perform actions authorized by the user.
2. How we use data
We use the above data only for the following purposes:
- Create and manage the business account in Darto.
- Provide the contracted product functionality.
- Process customer conversations and generate AI-assisted replies or actions.
- Connect, maintain, and reconfigure third-party integrations authorized by the business.
- Query or perform operations in the relevant integration only when the user has chosen to connect it and the requested functionality requires it.
- Display synchronized information to the business within the app.
- Detect failures, prevent abuse, maintain security, and troubleshoot technical issues.
- Comply with legal and regulatory obligations.
Third-party integrations are used only when the business chooses to connect them and authorizes their use within Darto.
3. Data sharing and third parties
We share data only when necessary to provide the service or when required by law.
3.1 Service providers and processors
- Supabase: infrastructure, database, and operational storage.
- OpenAI, Anthropic, Google Gemini, and DeepSeek: AI processing when needed to generate responses or execute assistant-driven functionality inside Darto.
- Meta Platforms: connected messaging channels such as WhatsApp Business and Instagram.
- The third-party provider or external service corresponding to the integration connected by the business, only when needed to query data or perform the requested functionality.
We share with each provider only the minimum data necessary for that purpose.
3.2 What we do not do
- We do not sell personal data or data obtained through third-party integrations to third parties.
- We do not share integration data with third parties for advertising purposes.
- We do not access a third-party integration without prior authorization from the relevant user or business.
3.3 Legal requirements
We may also disclose information if necessary to comply with a legal obligation, respond to a valid request from a competent authority, or protect the security of the service.
4. Data storage and protection
We apply reasonable technical and organizational measures to protect personal data and data processed through integrations:
- Encrypted transmission over HTTPS/TLS.
- Storage on Supabase-managed infrastructure with provider security controls.
- Access controls at the application and database level.
- Access to systems and credentials restricted to authorized service components.
- Data minimization and processing limited to the purposes described in this policy.
- Server-side storage of integration credentials or tokens when needed to maintain an authorized connection; they are not exposed to the business’s end customers.
5. Retention, disconnect, and deletion
We retain data for as long as needed to provide the service, keep an integration active, troubleshoot issues, comply with legal obligations, or handle legitimate claims.
For third-party integrations generally:
- While the integration remains active, Darto retains the connection and configuration data needed to operate that integration.
- If the business disconnects an integration from within the Darto app, Darto deletes the integration link and associated synchronized data needed for that connection, and Darto stops accessing that integration from that point onward.
- Users may also request deletion of their data by emailing [email protected].
We may retain limited technical logs or backup copies for a reasonable period when required for security, fraud prevention, service continuity, or legal compliance.
6. Legal basis
We process personal data on the following legal bases:
- Performance of the contract with the business user.
- User consent when connecting services or third-party integrations that require authorization.
- Legitimate interest for security, abuse prevention, technical maintenance, and service operations.
- Compliance with legal obligations.
7. User rights
You may request access, rectification, deletion, restriction, objection, or portability of your data by writing to [email protected].
You may also revoke access to an integration by disconnecting it from Darto and, where the provider supports it, later revoking the app’s access from your account with that provider.
8. International transfers
Some providers used by Darto may process data outside the European Economic Area. In those cases, we apply reasonable safeguards, including standard contractual clauses or other appropriate protections where applicable.
9. AI processing
When an assistant feature needs to use business data, conversation data, or data from a third-party integration to answer a request or perform an authorized action, Darto may process the minimum data needed to interpret the request, retrieve relevant information, and return a useful response.
Darto does not sell data obtained through third-party integrations and does not use it for advertising.
10. Provider-specific information
Some integrations or providers may require additional, provider-specific information about the data accessed, how it is used, how it is stored, or how it is deleted. In those cases, Darto may publish provider-specific annexes or sections without changing the general structure of this policy.
10.1 Google Calendar
If the business owner chooses to connect Google Calendar through OAuth, Darto may access and process the following categories of Google user data:
- The email address of the connected Google account.
- The list of calendars available in that account during setup, including identifiers, names, descriptions, time zone, access role, and whether a calendar is primary.
- The calendar selected by the user for use with Darto, including its ID and name.
- The OAuth permissions granted and the tokens required to keep the connection active.
- Availability data for the selected calendar through free/busy queries.
- Event data from the selected calendar when needed to provide the requested functionality, including title, description, location, start and end date/time, time zone, event status, recurrence, and, when present on the event itself, attendee or organizer information.
Darto uses this Google data only to:
- show available calendars during setup;
- let the user select the calendar that will be connected to Darto;
- check availability;
- list or retrieve events;
- create, update, or cancel user-authorized events;
- respond inside Darto to appointment-management requests.
Darto does not request access to Google services unrelated to the integration authorized by the user.
If the business connects Google Calendar, Darto shares with Google only the data needed to authenticate the OAuth connection and read from or write to the calendar authorized by the user.
Darto does not use data obtained from Google Workspace APIs to develop, improve, or train generalized AI or machine learning models.
If the user requests deletion of their data or disconnects Google Calendar from Darto, Darto deletes the integration link and stops accessing the calendar from that point onward, subject to limited retention that may be required for legal, security, or backup reasons.
11. Changes to this policy
We will publish any update to this policy at this same URL: https://www.darto.app/privacy