Who we are
Jae Labs, based in Kingston, Jamaica, operates Agent Jae. Jae Labs is the data controller for personal data we process via the service. Contact: team@agentjae.ai.
What we process
The data Agent Jae touches, and what stays off the table.
From WhatsApp conversations:
- WhatsApp phone number and profile name.
- Messages and media sent in the conversation thread.
- Timestamps and read receipts.
- Opt-in and opt-out records, including the consent text shown.
- Automation logs (when an AI reply was sent vs. a human handoff).
Account data: your email and name, plus login and security events.
What we don't collect: full payment card numbers, bank account numbers, government identification numbers, biometric data, or other sensitive identifiers. If one of these arrives in a thread, we do not extract, store, or further process it.
How we use it
Deliver replies. Run the service. Nothing else.
- Compose and deliver replies inside the WhatsApp thread.
- Send opted-in Message Templates outside the 24-hour customer service window.
- Detect abuse, ensure security, and maintain service reliability.
- Respond to lawful requests from a Jamaican court or competent authority.
AI training stance. Conversation data is not used to train, fine-tune, or improve any AI or machine-learning system, ours or any third party's. This obligation is contractually enforced with our subprocessors (see §5). Per Meta's WhatsApp Business Solution Terms, Business Solution Data may not be used to create, develop, train, or improve any machine learning or artificial intelligence system. We do not.
Operational scope. Agent Jae is a structured business assistant — it answers product, booking, and listing queries, schedules, and routes leads. It is not a general-purpose chatbot. Out-of-scope queries return a fallback that hands off to a human.
WhatsApp messaging rules — opt-in, opt-out, escalation
How consent is collected, honored, and how an end user reaches a human.
Opt-in. Agent Jae only messages people who have given explicit WhatsApp opt-in. Opt-in is collected separately from SMS or email consent — past consent on those channels does not carry over. The opt-in record (timestamp, source/channel, the consent text shown) is retained as audit proof.
Opt-out. Anyone can opt out at any time by replying STOP, blocking the number, or asking in any reasonable phrasing. The same channel is used for withdrawing consent. We remove the user from active outreach within 24 hours.
24-hour customer service window. Free-form replies are sent only inside the 24-hour window after the user's most recent message. Outside that window, only Meta-approved Message Templates are used.
AI labeling. Agent Jae is an AI assistant. Replies are AI-composed unless a human takes over.
Human escalation. Any user can reach a human by typing "agent" or "human" in the thread, or by emailing team@agentjae.ai.
Subprocessors
The named third parties that touch your data.
We use the following subprocessors. Each operates under a data-processing agreement that requires them to process data only on our instructions, prohibits use of conversation data for training their own systems, and prohibits use for advertising.
| Subprocessor | Role | Location | Notes |
|---|---|---|---|
| Meta Platforms, Inc. | WhatsApp Cloud API processor (transports messages) | Global · Meta data centers | Cloud API does not use API data for ad targeting; ≤30-day automatic message retention. |
| OpenRouter Inc. | AI gateway · routes inference requests to the provider below | United States | No-training default; routing pinned to xAI for v1; signed DPA with no-training clause. |
| xAI Corp. | LLM inference · composes replies | United States | xAI commercial API does not train on inputs by default; contractually enforced via OpenRouter DPA. |
| Vercel, Inc. | Hosting (this site) + Web Analytics | United States | Anonymized analytics; no WhatsApp message data is routed through Vercel. |
| Google LLC (Google Cloud Platform) | Application backend · encrypted storage of opt-in records, message persistence | United States | Standard GCP processor terms. Region confirmed before publishing the privacy URL to Meta. |
Subprocessors marked United States process data outside Jamaica. We rely on the standard data-processing agreements provided by each subprocessor, which incorporate contractual safeguards for cross-border transfers consistent with international good practice and the Eighth Standard of the Jamaica Data Protection Act, 2020.
We do not sell data. We do not use conversation data for advertising. We do not build profiles on WhatsApp users for our own purposes.
How long we keep things
| Category | Retention |
|---|---|
| WhatsApp messages held by us | Retained for active operational use; deleted within 30 days of a deletion request. |
| Meta-side retention (Cloud API) | Automatic ≤30-day cap, run by Meta. We do not control this clock. |
| Audit logs (opt-in proof, security events) | 12 months unless a longer retention is legally required. |
Your rights, security, and breach notice
Enforceable rights under the DPA, plus how we keep things and what happens if something goes wrong.
Your rights under the Jamaica DPA, 2020:
- Access (s7). Receive a copy of the data we hold.
- Rectification (s11). Correct inaccurate data.
- Erasure (s11). Have your data deleted, subject to the retention rules in §6.
- Restriction of processing (s8). Pause processing while a request is being reviewed.
- Withdraw consent. By the same channel used to give it.
- Solely automated decisions (s12). Where a decision affecting you is taken solely by automated processing and produces a significant effect, you may request human review by emailing team@agentjae.ai or by typing "human" in the WhatsApp thread.
How to exercise them. Email team@agentjae.ai with the subject "Privacy request". We respond within 30 days. If unresolved, you may complain to the Office of the Information Commissioner of Jamaica.
Deletion requests specifically: see our Data Deletion page for the request format.
Children. Agent Jae is a workplace tool for licensed business professionals. We do not knowingly collect data from anyone under 18.
Security. All traffic uses TLS; data at rest is encrypted with industry-standard ciphers; production access is gated by SSO and logged.
Breach notice. If a breach affects you, we tell you and the Office of the Information Commissioner within 72 hours of confirming it.
Contact · Jae Labs
Jae Labs · Kingston, Jamaica
team@agentjae.aiv2.1 · Effective 01 May 2026 · Last updated 02 May 2026