Privacy Policy

Last updated: 2026-05-19

Coauths Co., Ltd. ("Coauths", "we", "us") operates coauths.com and the CRM Messaging application (the "Service"), our unified messaging CRM for clinics. This Privacy Policy explains how we collect, use, store, share, and protect information when a clinic connects messaging channels and processes patient communications through the Service.

For data flowing through a connected clinic, the clinic is the data controller and Coauths acts as the data processor on the clinic’s behalf.

1. Information We Process

Depending on how a clinic uses the Service, we process the following categories of information:

  • Account information: clinic staff names, email addresses, and role assignments used to sign in to the Service.
  • Channel credentials: OAuth tokens and API keys for the messaging platforms a clinic connects (e.g. Facebook, Instagram, WhatsApp, LINE, Zalo, KakaoTalk, WeChat, TikTok, Telegram), stored encrypted at rest.
  • Message content: inbound and outbound messages, including text, images, files, and attachments exchanged on the connected channels.
  • End-user identifiers from each platform: for example Facebook page-scoped user IDs (PSID), Instagram-scoped IDs, WhatsApp phone numbers, and similar platform identifiers, together with the display name and profile picture the platform exposes.
  • Patient records: when a clinic links a conversation to a patient in its CRM, the associated patient profile fields the clinic chooses to store.
  • Operational metadata: timestamps, delivery and read status, webhook events, and error logs used to run the Service reliably.

2. How We Use Information

  • Deliver and receive messages on behalf of the connecting clinic.
  • Display conversations, contacts, and history in the clinic’s inbox.
  • Provide operational observability such as delivery health and error tracking.
  • Maintain audit trails required for healthcare and consumer-protection compliance.
  • Optionally translate inbound messages for clinic staff using an AI language model, processing only the message text required for that translation.

3. Meta Platform Data (Facebook & Instagram)

When a clinic connects a Facebook Page or Instagram Business account, we access Meta messaging data only with that clinic’s explicit authorization through Facebook Login (OAuth). We request the minimum permissions needed to read and reply to messages the clinic receives.

Specifically, we request pages_show_list, pages_messaging, pages_manage_metadata, instagram_basic, and instagram_manage_messages — used solely to list the clinic’s connected Pages, receive incoming messages, and send the clinic’s replies from the inbox.

Meta data we process includes page-scoped / Instagram-scoped user IDs, message content, the sender’s display name and profile picture, and message timestamps and delivery status. We use this data solely to display incoming messages in the clinic inbox and to send the clinic’s replies.

We do not use Meta Platform data for advertising, we do not sell it, and we do not share it with third parties except the infrastructure sub-processors described below that are required to operate the Service.

4. Sharing & Sub-processors

We do not sell personal data. We share data only as needed to operate the Service:

  • Messaging platforms (Meta, LINE, Zalo, Kakao business service providers, Tencent/WeChat, TikTok, Telegram) — strictly to deliver and receive the messages a clinic instructs us to send.
  • Infrastructure sub-processors — our application hosting provider (Vercel) and our managed database provider (DigitalOcean), which store and process data on our behalf under their own security and privacy commitments.

5. Data Retention

Message and conversation data are retained for as long as the connecting clinic maintains its account or as required by the clinic’s regulatory obligations (in Korea, medical-record retention rules under the applicable Medical Service Act and related regulations may apply).

Operational webhook audit records are retained for 30 days by default. When a clinic disconnects a channel or closes its account, associated channel credentials are deleted and message data is removed or anonymized within a commercially reasonable period.

6. Your Rights & Data Deletion

You may request access to, correction of, or deletion of your personal data. Because the clinic operating a channel is the data controller, most requests should be directed to that clinic. We will assist controllers in fulfilling such requests.

For data linked to your Facebook or Instagram account, you may also revoke the Service’s access from your Facebook settings and use Meta’s data deletion flow. Deletion requests routed by Meta are handled at our data deletion endpoint: https://crm.coauths.com/api/auth/meta-data-deletion

7. Data Security

We protect data with encryption in transit (TLS) and encryption at rest for sensitive fields such as channel credentials. Access to production systems is restricted to authorized personnel, and we apply per-user permission controls, rate limiting, and request-validation safeguards within the Service.

8. International Transfers

Coauths is based in the Republic of Korea. Where data is processed by our sub-processors in other regions, we rely on those providers’ contractual and technical safeguards to protect the data consistent with applicable law.

9. Children’s Privacy

The Service is intended for use by clinics and their staff, not by children. We do not knowingly collect personal data directly from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be reflected by updating the "Last updated" date above and, where appropriate, by additional notice.

11. Contact

For questions about this Privacy Policy or our data practices, contact us using the details below.

Coauths Co., Ltd.

717-ho, 7F, 9-1 Gugal-ro 60beon-gil, Giheung-gu, Yongin-si, Gyeonggi-do, 16972, Republic of Korea

Privacy contact: jonathan@coauths.com