← Back

Privacy Policy

Last updated: 2026-07-01

Caye is a product of TropiTech Solutions, a Bahamian company. This policy explains what data we collect, how we use it, and your rights over it. Plain language, no lawyer traps.

Who this policy covers

Two groups of people show up in Caye:

  • Operators — the business owner or staff who sign up for Caye to answer their customer inquiries (e.g. a tour operator, restaurant owner).
  • End customers— the people messaging the operator's WhatsApp, email, or social accounts. Caye reads and replies on the operator's behalf.

What we collect

From operators:

  • Name, email, phone number, business name, timezone
  • Authentication credentials (via Google, Facebook, or email)
  • Payment information (handled by Stripe — we never see your card)
  • Your voice-and-tone samples so Caye replies in your style
  • Your business hours, service catalog, pricing, and blackout dates

From end customers (via connected channels):

  • Message content sent to the operator's WhatsApp, email, Instagram, or Facebook accounts
  • Name, phone number, email address if provided in the message
  • Booking or reservation details when captured through a conversation
  • Metadata: timestamps, thread IDs, delivery status

How we use it

  • To let Caye read incoming messages and draft or send replies on the operator's behalf
  • To book, reschedule, or cancel appointments and reservations in the operator's system
  • To notify the operator when Caye needs a call (via their own WhatsApp)
  • To bill the operator's subscription
  • To detect abuse, spam, or misuse of the platform
  • To improve accuracy and reliability of Caye's replies over time

We do not sell your data. We do not use end-customer messages to train third-party AI models. We do not share operator or end-customer contact data with advertisers.

Who we share with

We use a small number of infrastructure providers who process data on our behalf under contract:

  • Anthropic — the model provider that generates reply drafts. Message content is sent to Anthropic only for the duration of a single reply generation; Anthropic does not train on our API traffic.
  • Supabase — our database and authentication host (encryption at rest and in transit).
  • Vercel — application hosting.
  • Stripe — subscription billing and payment processing.
  • Meta Platforms (WhatsApp Business, Messenger, Instagram) — messaging channel providers when an operator connects those channels.
  • Zoho, Google (Gmail) — email channel providers when an operator connects those accounts.
  • Cron-job.org — scheduled polling of connected inboxes.

We may also disclose data if required by law, court order, or to protect the rights, property, or safety of TropiTech, our users, or the public.

How long we keep it

  • Operator account data: for the life of the subscription and up to 90 days after cancellation.
  • Message logs: 12 months rolling, then deleted unless the operator has explicitly asked us to retain longer for audit purposes.
  • Billing records: 7 years, as required for tax and financial audit compliance.
  • Backups: encrypted, rotated on a 30-day cycle.

Your rights

You can:

  • Request a copy of the data we hold on you
  • Correct inaccurate data
  • Request deletion (see Data Deletion Instructions)
  • Withdraw consent for us to process your data at any time (this will end your ability to use Caye)
  • File a complaint with the Bahamas Data Protection Commissioner if you believe we've mishandled your data

Email lamar@tropitech.org to exercise any of these rights. We'll respond within 30 days.

Security

Data is encrypted in transit (TLS 1.2+) and at rest. Access to production systems is limited to TropiTech staff on a need-to-know basis and logged. Payment card data never touches our servers — Stripe handles that end-to-end.

International transfers

TropiTech Solutions operates from the Bahamas. Some of our providers store data in the United States, European Union, and other regions. When we transfer data across borders, we rely on standard contractual clauses and the providers' own compliance frameworks (GDPR, CCPA, and equivalents).

Children

Caye is a business tool. We do not knowingly collect data from anyone under 16. If you believe a child's data has ended up in our system, email us and we'll delete it immediately.

Changes to this policy

When we materially change how we handle data, we'll email active operators before the change takes effect. The “Last updated” date above always reflects the current version.

Contact

TropiTech Solutions
Attn: Privacy
Eleuthera, The Bahamas
lamar@tropitech.org