Legal & Policies

Privacy Policy

DijiStream brings the messages, leads, comments, reviews and orders from your connected platforms into one panel. This policy explains what data we handle, where it is stored (encrypted, in the EU), the role we play for each kind of data — controller for your account, processor for your workspace content — how you can delete it yourself at any time, and the rights you have under the UK GDPR, EU GDPR and CCPA.

Last updated 15 July 2026
Questions? Contact us

Your data stays yours

The messages, leads, contacts, comments, reviews and orders DijiStream ingests from your connected platforms belong to you. We process that content only on your instructions, as your processor — we never sell it, never use it for advertising, and never use it to train AI models.

Encrypted, and stored in the EU

Your workspace is hosted in the EU in a database encrypted at rest, and every connection secret you paste in is encrypted again with AES-256-GCM and never shown after saving. Everything travels over HTTPS.

We never see card numbers

Checkout and subscription billing run entirely on Shopify, and payments are processed by Shopify Payments. Your card details never reach our systems.

GDPR and CCPA rights

The UK GDPR, EU GDPR and California's CCPA apply. You can access, correct, export or erase your data, object to processing, and delete it yourself from the panel at any time — permanently, since we keep no backups. Email it@dijistream.com to exercise any right.

01

Introduction

This privacy policy explains how DijiStream handles your information. DijiStream is a customer relationship management (CRM) platform, sold as a monthly subscription, that gathers the incoming messages, leads, comments, reviews and orders from the third-party accounts you connect — such as Facebook, Instagram, Gmail, Google Business Profile, Google Ads, Google Calendar, TikTok, Shopify and WhatsApp — into a single panel, and lets you read, organise and reply to them through your own accounts. It is operated by PITIR TECH, the trading name of Ninu Limited, a company registered in the United Kingdom, and your workspace is hosted in the European Union.

This notice covers two things, and we keep them separate throughout:

  • The service — the DijiStream platform, where your workspace, connected accounts and ingested content live. For that content you are the controller and DijiStream acts as your processor.
  • The website — this Shopify storefront at dijistream.com, where you subscribe and manage billing. For this we are the controller.

Whichever part you are using, if you have any questions you can reach us at it@dijistream.com.

02

Our Role: Controller and Processor

For your workspace content, you are in charge. The messages, leads, contacts, comments, reviews and orders DijiStream ingests from your connected platforms belong to you. For that content, you (or your business) are the data controller and DijiStream acts as a data processor, handling it only on your documented instructions and never for our own purposes.

For account and billing data, we are the controller. Ninu Limited is the data controller for the information we need to run your subscription — your account details, billing records, and the data collected on this website.

03

Data We Process

In short: we handle four kinds of data — your account and billing details; the connection secrets you paste in (encrypted, and never shown again); the workspace content your connected platforms deliver into your panel; and standard usage and technical data. Each is described below.

Account and billing data

When you subscribe we process your name, email address, workspace and company details, subscription tier, and invoice and payment history. Payments themselves are handled entirely by Shopify Payments — we never see or store card numbers.

Connection secrets and metadata

To connect a platform, you provide the credential it needs — an API key, app password, or OAuth authorisation for that account. These secrets are encrypted a second time at the application layer with AES-256-GCM before they are stored, on top of the encryption already applied to our database, and they are never displayed back to anyone after saving. Alongside them we hold basic connection metadata — which accounts are connected, when they last synced, and their status — so the service can run.

Workspace content

Once a platform is connected, DijiStream ingests the items it delivers into your panel — incoming messages, leads, comments, reviews and orders — together with the contact details attached to them. This content belongs to you: we store and process it only so you can read, organise and respond to it, and we act on it strictly on your instructions.

Usage and technical data

As with any online service, we keep standard technical logs — IP addresses, browser and device type, and timestamps — to operate the service, keep it secure, and diagnose problems. This website also uses cookies and similar technologies, which are described in our Cookie Policy and in the cookies section below.

Connection secrets are write-only. Once saved, a credential is encrypted with AES-256-GCM and never shown again — not in the panel, not in an export, not in a support conversation. If you need to change one you replace it, and you can remove it at any time by disconnecting the account.

Sending your replies

When you reply to a lead, DijiStream sends your message through the provider for that channel — email replies go out through Amazon SES from your own address, authorised by DNS records you install on your domain, while SMS, WhatsApp and voice replies go through Twilio. DijiStream is strictly reply-only: it responds only to conversations that already arrived in your panel and cannot send cold or marketing outreach on your behalf. We process the content of your replies solely to deliver them.

04

The Website and Checkout

In short: this website is a Shopify storefront. To sell subscriptions and run the site, we and our providers process some personal data and use cookies and analytics.

The website at dijistream.com is hosted on Shopify and operates like any other subscription storefront: it presents the plans, takes you to checkout, and manages your subscription billing. As you browse, standard technical data is collected — IP address, browser and device type, pages viewed and referring URLs — to operate the site, keep it secure, measure traffic and support advertising.

Data controller: Ninu Limited (trading as PITIR TECH), United Kingdom. Registered office: 24 Southwark Street, Suite 1-3 Hop Exchange, London SE1 1TY, United Kingdom. Registered in England and Wales, company number 14620957. UK VAT GB 505649681.

05

Cookies and Consent

In short: the website uses cookies for essential functions, analytics, and advertising. Where required, you can set your preferences through the consent banner.

The website uses cookies and similar technologies to keep your session and checkout working, to understand how the site is used, and to measure advertising. Broadly, these fall into:

  • Essential cookies — needed for the store, checkout and subscription management to function.
  • Analytics cookies — used, where you allow them, to measure traffic and improve the site.
  • Advertising cookies — used, where you allow them, to measure and personalise ads.

Where consent is required, you can accept, reject, or adjust non-essential cookies through the cookie banner shown on the site, and change your choice at any time. Most browsers also let you block or delete cookies in their settings, though doing so may affect how parts of the site work. For the full list of cookies, their purposes and how long they last, see our Cookie Policy.

06

Subprocessors and Third Parties

In short: a small set of trusted providers host the service and handle checkout. Each processes data only as needed for its role, under its own contractual and privacy terms.

To operate DijiStream and this website, we rely on a small set of trusted providers. Each is bound by its own contract and data-protection terms, and each only receives the data needed for the specific role you enable:

  • Amazon Web Services (EU) — hosts the DijiStream platform and database in the European Union, and delivers the email replies you send through Amazon SES.
  • Shopify and Shopify Payments — run this storefront, checkout and subscription billing, store the related customer and order records, and process card payments so that card numbers never reach us. If you connect your own Shopify store, the same connector brings its orders and reviews into your panel.
  • Google — powers the connectors you can enable for Gmail, Google Ads, Google Calendar, Google Meet and Google Business Profile.
  • Meta — powers the Facebook and Instagram connectors.
  • TikTok — powers the TikTok Ads connector.
  • Twilio — delivers the SMS, WhatsApp and voice replies you send.

These are our sub-processors: they act on our documented instructions to deliver the features you switch on, and the connector providers exchange data only for the accounts you choose to connect. We do not sell your personal data. We do not use your workspace content for advertising or to train AI models, and we never share it with anyone except the sub-processors strictly needed to run the service on your instructions. We may disclose information where the law requires it, or in connection with a business transfer such as a merger or acquisition — in which case this policy, or one at least as protective, will continue to apply.

07

Data Retention and Deletion

In short: you control deletion, and we keep no separate backups — the copy in your panel is the only copy. Anything you delete in the panel is removed immediately and for good. If you cancel or are refunded, we hold your workspace for a 30-day grace period so you can reactivate or export it, then delete it permanently.

While your account is active, your workspace content and the encrypted connection secrets that power it are retained so the service can work. Deleting data is something you do yourself, directly in the panel, and you can do it at any time:

  • Delete individual items, or your whole workspace, whenever you choose.
  • Purge what a connected account imported. When you disconnect a data source, DijiStream offers to keep its data, delete the last 30, 60 or 90 days of it, or delete all of the data that account brought in. Before anything happens you see a preview of exactly what will be removed, and you must type a confirmation.
  • Delete your entire account at any time.

In-panel deletion is immediate and irreversible. When you delete an item, purge what a connected account imported, or delete your whole account from the panel, it happens straight away. Because we keep no separate backups of customer workspace data, once it is deleted it is gone for good — it cannot be restored by you, by our support team, or by anyone else, so export anything you want to keep before you delete.

Cancellation and refunds work differently. If you simply cancel your subscription, or it is cancelled following a refund, without deleting your account yourself, we keep your workspace for a 30-day grace period so you can reactivate or export it. After those 30 days it is permanently and irreversibly deleted, and because we hold no backups it cannot be recovered afterwards — so we recommend exporting anything you need before you cancel. We can help with any of this if you email it@dijistream.com.

Billing, order and tax records are held separately, by us and by Shopify, and we keep them only for as long as legal obligations such as accounting and tax rules require — typically several years in the UK. When any data is no longer needed and we are not required by law to keep it, we delete or anonymise it.

08

Your Rights (UK GDPR, EU GDPR and CCPA)

In short: if you are in the UK or EEA you have full data-protection rights over the personal data we hold about you as controller, and if you are in California you have comparable rights under the CCPA. You can exercise most of them yourself in the panel, or by emailing us.

Because Ninu Limited is UK-based, the UK GDPR applies, and the EU GDPR applies to people in the European Economic Area. For your account, billing and website data — where we are the controller — you have the right to:

  • Access the personal data we hold about you and receive a copy
  • Have inaccurate data corrected
  • Have your data erased, where the law allows
  • Receive your data in a portable format
  • Restrict or object to processing, including profiling for advertising
  • Withdraw consent at any time, where processing relies on consent

Many of these you can act on yourself: you can view and edit your account details, export your data, and delete your content or your whole account directly from the panel at any time. You can also email it@dijistream.com and we will action any request. We do not charge for this, and we respond within the time limits the law sets — one month under the UK and EU GDPR, which may be extended for particularly complex requests.

Legal bases. We rely on: performance of a contract (to provide the service and fulfil your subscription); legitimate interests (to run, secure and improve the service and site); consent (for non-essential cookies and any marketing); and legal obligations (such as tax and accounting records).

California residents (CCPA/CPRA). If you are in California, you have the right to know what personal information we collect and how we use it, to access and delete it, to correct it, and to opt out of its sale or sharing. We do not sell your personal information and we do not share it for cross-context behavioural advertising, and we will never discriminate against you for exercising your rights. To make a request, email it@dijistream.com.

Workspace content. Where you are the controller, a request from one of the people whose data you process — a customer, lead or reviewer — should be made to you, and we will assist you in finding, exporting, correcting or deleting their data within your workspace as your processor.

To exercise any right, email it@dijistream.com. If you are in the UK you may also complain to the Information Commissioner's Office (ICO) at ico.org.uk; if you are in the EEA you may complain to your local data protection authority.

09

Security

We protect your data with layered technical and organisational measures.

  • Encryption at rest. Your workspace lives in an Amazon RDS PostgreSQL database that is encrypted at rest with AES-256 using keys managed by AWS (AWS KMS). On top of that, the connection secrets you paste in — email app passwords, OAuth tokens and API keys — are encrypted a second time at the application layer with AES-256-GCM before they are stored, and are never displayed back after saving.
  • Encryption in transit. All traffic to and from the service and this website runs over HTTPS/TLS.
  • EU hosting. The platform runs on Amazon Web Services in the European Union (Stockholm region, eu-north-1) using managed compute and database services, so your workspace data is stored and processed in the EU.
  • Access control. Your data is reachable only through the authenticated panel, and only by you and the users you invite. Access is governed by role-based permissions set per resource, with sensitive fields masked, so people see only what their role allows.
  • Account protection. You can add two-factor authentication to your account — an authenticator app (TOTP) and/or a passkey (WebAuthn) — and the service uses CSRF protection and rate limiting to defend against common attacks.
  • Payments. Card payments are handled entirely by Shopify Payments to industry (PCI DSS) standards, so card data never touches our systems.

We do not use your workspace content to train AI models. No method of transmission or storage is ever completely secure, but we apply appropriate measures to protect the data we handle and review them regularly. If a personal-data breach occurs that affects you, we will notify the relevant supervisory authority within the time the law requires — 72 hours under the UK and EU GDPR — and will inform you without undue delay where the breach is likely to result in a high risk to your rights.

10

Children

DijiStream is a business tool intended for professional adults. The service is not directed to children, and we do not knowingly collect personal data from anyone under 18. If you believe someone under 18 has provided us with personal data, contact us at it@dijistream.com and we will delete it.

11

Changes to This Policy

We may update this privacy policy from time to time. When we do, we will change the "Last updated" date at the top of this page. If we make a material change — for example, adding a new subprocessor that handles workspace content — we will make it clear on the site or notify you by email. This policy is governed by the laws of England and Wales.

12

How to Contact Us

If you have any questions about this policy, want to exercise your data rights, or need an export or deletion of your workspace, email us. We reply within one business day, Monday to Friday, 9:00–18:00 UK time.

ProviderPITIR TECH (trading name of Ninu Limited, UK)
Emailit@dijistream.com
AddressNinu Limited, 24 Southwark Street, Suite 1-3 Hop Exchange, London SE1 1TY, United Kingdom

13

International Data Transfers

DijiStream is operated from the United Kingdom, and your workspace and its content are hosted on Amazon Web Services in the European Union (Stockholm region), so in normal operation your Workspace Content stays within the UK and the European Economic Area (EEA).

Some processing, however, involves organisations located outside the UK and EEA:

  • Shopify and Shopify Payments, which run this storefront, checkout, and subscription billing, may process personal data outside the UK and EEA.
  • The platforms and providers behind the connectors you switch on — such as Meta (Facebook, Instagram), Google (Gmail, Google Ads, Google Calendar, Google Meet, Google Business Profile), TikTok, and Twilio (SMS, WhatsApp and voice) — operate globally and process data on their own systems, in their own locations, under their own terms.

Where personal data for which we are responsible is transferred outside the UK or EEA, we rely on appropriate safeguards recognised under UK and EU law — such as the UK International Data Transfer Agreement (IDTA) or Addendum, the EU Standard Contractual Clauses, or a finding of adequacy for the destination country. You can ask us for more detail about the safeguards that apply by emailing it@dijistream.com.

14

Connected Platforms and the End-Customers You Serve

DijiStream works by bringing the conversations from accounts you already own into one panel. This creates two data relationships worth being clear about.

The platforms you connect are independent controllers. When you connect Facebook, Instagram, Gmail, Google Business Profile, Google Ads, Google Calendar, Google Meet, TikTok, Twilio (SMS, WhatsApp and voice), or Shopify, each platform decides for itself how it handles the data on its own systems, under its own privacy policy. We only receive what its API delivers into your workspace on your instruction, and we are not responsible for what a platform does on its side. When one of these providers processes data through our integration to deliver a feature you enabled — for example, Twilio sending your reply — it acts as our sub-processor for that step, as listed above.

You are the controller for the people whose messages we ingest. The customers, leads and reviewers whose messages, comments, orders and details flow into your workspace are your contacts, not ours. You decide why and how their data is processed; DijiStream simply holds and organises it for you as your processor. That means:

  • You are responsible for having a lawful basis to process their data and for giving them any privacy information they are entitled to.
  • If one of your contacts asks to access, correct or delete their data, that request is for you to answer as their controller, and we will help you action it within your workspace.

We never use your workspace content for our own purposes, never sell it, never use it for advertising, and never use it to train AI models.

15

Marketing and Service Communications

As the controller of your account data, we send you two kinds of message, and we treat them differently.

  • Service messages are part of running your subscription — things like sign-up confirmation, billing receipts, security alerts, renewal reminders, and important changes to the Service or these policies. You cannot opt out of these while you have an active account, because we need them to provide the Service.
  • Product and marketing messages — such as tips, new-feature announcements, and occasional offers — are only sent where you have agreed to receive them or where the law otherwise permits, and you can opt out at any time using the unsubscribe link in the message or by emailing it@dijistream.com. Opting out of marketing does not stop service messages.

We do not sell your personal data, and we do not share it with third parties for their own marketing.

Have a question about this policy?

Email us about your data, an export, or anything in this policy. We reply within one business day, Monday to Friday.