1. Responsible party

Moonrock International Ltd.
Diagorou 3
1097 Nicosia
Zypern
E-Mail: [email protected]

Represented by: Maria Camila Zapata Alzate (Director)

2. Data Protection Officer

A data protection officer is not required under Article 37 of the GDPR.
For data protection inquiries, please use: [email protected]

3. Processing of personal data when visiting our website

3.1. Server-Logfiles

When you visit our website clonu.ai, technically necessary data is automatically collected by the hosting provider:

• IP address
• Date and time of the request
• Page/file accessed
• Browser type and version
• Operating system
• Referrer URL

Purpose: Ensuring technical operation, security (Art. 6 para. 1 lit. f GDPR).
Storage period: max. 30 days.

3.2. Cookies

Our website only uses cookies that are technically necessary, e.g. for:

• Login sessions
• Language settings
• Security

We do not use any tracking, analysis, or marketing cookies.

Legal basis: Art. 6 (1) (f) GDPR
A cookie banner is not legally required, as no cookies requiring consent are set.

4. Registration and use of our service (Clonu.ai)

A customer account is required to use our software.

4.1. Data processed when creating an account

• Name or alias
• Email address
• Password (hashed)
• Language settings
• Payment information (see section 6)

Purpose: Provision of our SaaS service
Legal basis: Art. 6(1)(b) GDPR (performance of a contract)

4.2. Connection with WhatsApp

Our users connect their own WhatsApp account to our system. In doing so, we process:

• connected phone number
• technical authentication data (session tokens)
• bot settings configured by the user
• incoming and outgoing chat messages

Important:

• We use this data exclusively for the provision of the chatbot service.
• No evaluation for marketing or analysis purposes takes place.
• We only store chat content to the extent necessary for functionality and automation.

Legal basis: Art. 6 para. 1 lit. b GDPR (contract fulfillment)

4.3. Order processing for the user’s WhatsApp contacts

Messages from sex workers’ clients (end customers) contain personal data of third parties.
With regard to this data, we act as a processor within the meaning of Art. 28 GDPR.

We provide users with a data processing agreement (DPA) upon request.

4.4. Storage periods

• User account data: until the account is deleted
• Chat data: only for as long as technically necessary; can be deleted by users at any time
• Payment information: in accordance with tax law requirements (up to 10 years)

5. Use of our chatbot system

All messages received via WhatsApp are processed by our server to generate automated responses.

We do not control the content of the messages, except for technical processing purposes.

No automated decision-making within the meaning of Art. 22 GDPR takes place.

6. Payment processing

Payments are made manually via our website.

We process:

• Payment status
• Booked term (day/week)
• Invoice data

Depending on the payment method used, external payment service providers may be involved. They only receive the data necessary for payment processing.

Legal basis: Art. 6 (1) (b) GDPR (fulfillment of payment)

We will include information on specific payment providers upon request.

7. Disclosure of data

We only disclose personal data if:

• this is necessary for the performance of a contract (Art. 6(1)(b) GDPR)
• there is a legal obligation to do so (Art. 6(1)(c) GDPR)
• we have legitimate interests (Art. 6(1)(f) GDPR)

the user has given their consent (Art. 6 (1) (a) GDPR)

• Possible recipients:
• Hosting provider (EU)
• Payment service providers
• WhatsApp / Meta Platforms Inc. (indirectly through the user’s use of the service)

8. Data transfer to third countries

The use of WhatsApp may result in data being transferred to the USA or other third countries.

This does not happen directly through us, but through the user’s decision to use WhatsApp as a communication channel.

We expressly point out that Meta’s privacy policy applies to WhatsApp.

9. Your rights as a data subject

You have the following rights:

• Access (Art. 15 GDPR)
• Rectification (Art. 16 GDPR)
• Erasure (Art. 17 GDPR)
• Restriction of processing (Art. 18 GDPR)
• Data portability (Art. 20 GDPR)
• Objection (Art. 21 GDPR)
• Complaint to a supervisory authority (Art. 77 GDPR)

Competent data protection authority in Cyprus:
Office of the Commissioner for Personal Data Protection

https://www.dataprotection.gov.cy

10. Deletion of data

We delete personal data as soon as:

• the purpose of processing has been achieved
• there are no legal retention obligations
• users request deletion, insofar as this is technically possible

11. Data security

We use technical and organizational measures (TOMs), including:

• SSL/TLS encryption
• Access and role restrictions
• Encrypted storage of sensitive data
• Regular security updates

12. Changes to this privacy policy

We reserve the right to update the privacy policy to reflect technical or legal changes.
The current version is available at any time at clonu.ai.