Privacy Policy — Mideye RCS OTP & Activation Chatbot
Effective date: December 9, 2025
Last updated: December 9, 2025
This Privacy Policy explains how Mideye AB ("Mideye," "we," "us," "our") collects and uses personal data when you interact with the Mideye RCS/RBM chatbot (the "Service"). The Service sends one-time passwords (OTPs) and, where applicable, activation links for Mideye+ apps to support secure login and onboarding for services protected by Mideye customers.
1. Who We Are (Controller)
Mideye AB is the data controller for processing described in this policy.
Contact details:
Mideye AB
Drottninggatan 96, 111 60 Stockholm, Sweden
Email: support@mideye.com
Phone: +46 8 54514700
2. What the Service Covers
The Service may be used for authentication or activation for any service that has implemented Mideye protection (customers of Mideye AB). This typically includes VPNs and login portals that you are authorized to access.
The chatbot is limited to:
- sending OTPs for login verification, and
- sending activation links for Mideye+ apps (if your organization uses them).
It is not a general support or marketing chatbot.
3. Personal Data We Process
When you use the Service, we may process:
- Phone number
Used to route messages and associate OTP/activation events with your account.
- Message delivery and interaction metadata
For example: timestamps, delivery status, message IDs, carrier/device capability indicators, and chatbot interaction events (e.g., OTP requested, activation link sent).
- Security and fraud-prevention data
Such as IP address or device/session identifiers where available through the protected service, attempt counters, and risk signals.
- Minimal account/context identifiers from the protected service
For example: a pseudonymous user ID, organization ID, or service identifier to ensure the right OTP or activation is sent.
We do not intentionally collect sensitive personal data (such as health, religion, political views) through this Service.
4. Why We Process Your Data (Purposes)
We process personal data to:
- Send OTPs to verify your login.
- Send activation links for Mideye+ apps where applicable.
- Protect against fraud and unauthorized access (e.g., brute force, OTP abuse).
- Operate, maintain, and improve reliability of messaging delivery.
- Comply with legal obligations and carrier/RBM platform requirements.
5. Legal Bases (GDPR)
We rely on the following legal bases, depending on context:
- Performance of a contract (Art. 6(1)(b)):
To provide the login/activation security service you or your organization requested.
- Legitimate interests (Art. 6(1)(f)):
To secure accounts, prevent fraud, ensure service integrity, and keep audit trails.
We balance these interests against your rights and use minimal data.
- Legal obligation (Art. 6(1)(c)), where applicable:
For compliance with laws, regulations, or lawful requests.
6. How Long We Keep Data (Retention)
We keep personal data only as long as necessary for the purposes above:
- OTP and activation events: retained for a short period needed for verification, troubleshooting, and audit.
- Security/fraud logs: retained longer where necessary to detect abuse and comply with obligations.
- Aggregated/anonymous analytics: may be kept longer since they cannot identify you.
Exact retention periods can vary by customer configuration and legal requirements. We always aim to minimize retention.
7. Who We Share Data With
We may share limited data with:
- Mideye customers (your organization/service provider)
Only what's needed to authenticate your access and handle security events.
- Messaging infrastructure providers
RCS/RBM platform providers and mobile network operators/carriers to deliver messages.
- Security and hosting providers
Sub-processors that help operate, secure, and monitor the Service.
- Authorities
If required by law or valid legal process.
We do not sell your personal data.
8. International Transfers
Some sub-processors or carriers may process data outside Sweden/EEA.
When this happens, we ensure appropriate safeguards, such as:
- EU Standard Contractual Clauses (SCCs), and/or
- processing in countries approved by the European Commission.
9. Your Rights
Under GDPR (and similar laws), you have rights including:
- Access to your personal data
- Rectification of inaccurate data
- Erasure (where legally permitted)
- Restriction of processing
- Objection to processing based on legitimate interests
- Data portability (where applicable)
To exercise your rights, contact support@mideye.com.
We may need to verify your identity before responding.
You also have the right to complain to the Swedish Authority for Privacy Protection (IMY) or your local data protection authority.
10. Security Measures
We use appropriate technical and organizational measures, including:
- encryption in transit where supported,
- strict access controls,
- logging and monitoring for abuse,
- rate limits and OTP validity controls.
No system is 100% secure, but we work hard to protect your data.
11. Children
The Service is not intended for children. If you are under the age of digital consent in your country, do not use the Service.
12. Changes to This Policy
We may update this policy to reflect improvements or legal changes.
We will update the "Last updated" date when changes occur.
13. Chatbot-Specific Privacy Link (RBM Requirement)
This page is the chatbot-specific Privacy Policy for the Mideye RCS OTP & Activation Chatbot.
Direct link: https://www.mideye.com/pp