Plain-English explanation of what data we collect, why, and how you can control it.
Last updated: May 22, 2026
TalkForce, Inc. ("TalkForce", "we", "our", or "us") operates the website https://talkforce.ioand the TalkForce conversational commerce platform, including any mobile apps, APIs, and related services (collectively, the "Service").
We are the data controller for personal data collected through the Service. Questions about this policy can be sent to privacy@talkforce.io.
When you register or use our Service we collect: name, email address, phone number, company name, job title, and billing address.
To deliver our inbox and AI-agent features we process: message content sent and received through connected channels (WhatsApp, Instagram, Facebook Messenger, email), conversation metadata (timestamps, channel, read/delivery status), and contact profiles created from inbound messages.
We automatically collect: IP address, browser type, device identifiers, pages viewed, features used, error logs, and session duration. This data is used solely for security and product improvement.
Payment card details are processed directly by Stripe, our PCI-DSS Level 1 certified payment processor. We only store a masked card number, expiry, and transaction reference.
Data you upload to TalkForce — product catalogs, contact lists, workflow configurations, AI training examples — is stored and processed as part of delivering the Service.
We use personal data to:
We do notsell personal data to third parties. We do not use your customers' messaging data to train AI models for purposes outside of providing your contracted Service.
For users in the European Economic Area (EEA), we process data under the following lawful bases:
| Purpose | Legal Basis |
|---|---|
| Delivering the Service | Performance of contract |
| Billing & payments | Performance of contract |
| Marketing emails | Consent (opt-in) |
| Security & fraud prevention | Legitimate interest |
| Product analytics | Legitimate interest |
| Legal compliance | Legal obligation |
We share data with the following categories of third-party service providers solely to operate the Service. All sub-processors are bound by data processing agreements requiring GDPR-equivalent protections.
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel | Web hosting & edge network | USA / Global |
| Railway | Backend infrastructure | USA |
| Supabase / PostgreSQL | Database storage | USA |
| Upstash Redis | Caching & queues | USA / EU |
| Google Cloud (Gemini) | AI completions & embeddings | USA / EU |
| Mistral AI | AI fallback completions | EU (France) |
| Meta Platforms | WhatsApp / Instagram / Facebook messaging delivery | USA |
| Clerk | Authentication & SSO | USA |
| Stripe | Payment processing | USA |
| LiveKit | Real-time voice (WebRTC) | USA |
| Vercel Blob | File storage | USA / Global |
TalkForce is an official Meta Business Solution Provider (BSP). When you connect a WhatsApp Business Account, Instagram, or Facebook Page through our platform:
We keep personal data for as long as your account is active or as needed to provide the Service:
Depending on your jurisdiction you may have the right to:
Request a copy of all personal data we hold about you.
Ask us to correct inaccurate or incomplete data.
Request that we delete your personal data ("right to be forgotten").
Receive your data in a machine-readable format.
Object to processing based on legitimate interest.
Ask us to restrict processing while a dispute is resolved.
To exercise any right, email privacy@talkforce.io. We will respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority (e.g., the ICO in the UK, or the CNIL in France).
To delete your TalkForce account and all associated personal data:
Upon receiving a deletion request we will remove all personal data within 30 days, except where retention is required by law (e.g., billing records).
We use the following categories of cookies:
| Type | Purpose | Required |
|---|---|---|
| Strictly necessary | Session management, authentication, security (CSRF) | Yes |
| Functional | Remember preferences (language, theme) | No |
| Analytics | Aggregate page-view and feature-usage stats | No |
| Marketing | Not used | N/A |
We implement industry-standard security measures including TLS 1.3 for data in transit, AES-256 encryption for sensitive data at rest, role-based access controls, SOC 2 Type II audit compliance, and regular penetration testing by independent third parties.
In the event of a data breach that affects your personal data we will notify you and the relevant supervisory authority within 72 hours as required by GDPR.
The Service is not directed to children under 16. We do not knowingly collect personal data from anyone under 16. If you believe we have collected data from a child, please contact us and we will delete it promptly.
Your data may be processed outside of your country of residence, including in the United States. When we transfer data from the EEA, UK, or Switzerland, we use appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission.
We may update this Privacy Policy from time to time. When we make material changes we will notify you by email and/or a prominent notice on the Service at least 30 days before the change takes effect. The "Last updated" date at the top of this page reflects the most recent revision.
For any questions, requests, or complaints regarding this Privacy Policy: