Legal / Privacy
Privacy Policy
Last updated — June 17, 2026
CMA Technology Consultants FZCO (referred to as "CMA Technology Consultants FZCO", "we", "us", or "our") operates the Thynker brand, including this website (https://thynker.com) and our software products such as JamboContact and any other Thynker-branded services, websites, applications, APIs, and hosted features (together, the "Services"). This Privacy Policy explains how we collect, use, disclose, retain, and protect personal information in connection with the Services.
1. Scope and who this policy applies to
This Privacy Policy applies to personal information we collect through the Services, including when you visit Thynker websites, create an account, talk to a salesperson, sign a statement of work, use Thynker software, integrate with a third-party service through the Services, or otherwise interact with us.
It also applies to end-user personal information that our customers ("Customers") submit, process, or store through Thynker software products on their own behalf. Where Thynker acts as a processor for Customer end-user data, the Customer is the data controller and our commitments to that data are also set out in our Data Processing Addendum (DPA), which is incorporated into our customer agreement.
2. Information we collect
We collect personal information from a few different sources. The categories below describe what we collect and the typical source.
- —Account and contact information — name, email, phone, role, organisation, billing details, and authentication credentials that you provide when you sign up, request a demo, talk to sales or support, or sign an agreement.
- —Customer Content — form submissions, contact records, conversation messages, uploaded files, attachments, knowledge-base sources, prompts, routing rules, templates, branding, and configuration that you or your users provide while using Thynker software products.
- —Usage and technical data — IP address, browser and device information, referrer, pages viewed, request logs, timestamps, error logs, telemetry, and product interaction data used for security, debugging, analytics, abuse prevention, and product improvement.
- —Communications — support requests, feedback, emails, call recordings (where you have been notified), and other messages you send to us.
- —Payment and transaction data — limited billing, subscription, invoice, and payment-status information provided by our payment processors or billing providers. We do not collect or store full payment-card numbers.
- —Integration and third-party data — data you choose to connect through integrations (e.g. email, calendar, CRM, messaging, storage, AI providers). That data is governed by both this policy and the third party's terms.
3. How we use information
We use personal information for the following purposes. We rely on the legal bases described in Section 5 when applicable law requires a basis.
- —Provide, operate, maintain, secure, and improve the Services.
- —Authenticate users, enforce access controls, and prevent fraud and abuse.
- —Process leads, conversations, email, workflows, automations, and AI-assisted features on behalf of our Customers.
- —Respond to inquiries, deliver support, and communicate operational, security, and product updates.
- —Manage billing, subscriptions, taxes, and accounting.
- —Monitor performance, investigate incidents, debug, and improve reliability, security, and user experience.
- —Comply with legal obligations and respond to lawful requests from public authorities.
- —Establish, exercise, or defend legal claims.
4. AI processing and model training
Thynker software products use AI and machine-learning features to generate drafts, classifications, summaries, suggested replies, routing suggestions, extracted fields, and similar outputs. To make those features work, Customer Content may be sent to AI or model providers acting on our behalf (for example, large language model providers we have engaged as subprocessors).
We do not use Customer Content to train third-party foundation models, and we configure our AI providers to opt out of training use wherever that control is available. We may use Customer Content and technical data to operate, secure, debug, and improve the Services themselves — for example, evaluating routing quality, detecting abuse, and improving safety — and we use aggregated or de-identified data for product analytics.
Thynker is not the source of truth for any AI-generated output. AI outputs may be inaccurate or incomplete, and our Customers are responsible for reviewing and approving AI-generated content before it is sent to their end users.
5. Legal bases for processing
Where applicable law (for example the EU/UK GDPR or similar regimes) requires a lawful basis, we rely on the following:
- —Performance of a contract — to provide the Services you or your organisation have asked us to provide.
- —Legitimate interests — to operate, secure, and improve the Services; to prevent abuse; to communicate with existing customers; and to support our business operations, where our interests are not overridden by your rights.
- —Compliance with legal obligations — to meet regulatory, tax, accounting, and law-enforcement requirements.
- —Consent — for marketing communications, non-essential cookies, and any processing that requires opt-in consent under applicable law. You may withdraw consent at any time without affecting prior processing.
6. Controller and processor roles
CMA Technology Consultants FZCO is the data controller for personal information collected about our own staff, prospects, customers, website visitors, and other people we interact with directly.
Where a Customer uses a Thynker software product (including JamboContact) to collect, store, or process personal information about the Customer's own end users (for example, leads submitted through the Customer's forms), the Customer is the data controller and CMA Technology Consultants FZCO acts as a data processor (or "service provider" / "intermediary" under other frameworks). In that role we process Customer Content only on the Customer's documented instructions, as further described in the DPA.
7. How we share information
We do not sell personal information. We share personal information only as described below.
Current subprocessors
A current list of subprocessors used by Thynker (including for JamboContact and other Thynker software) is published at https://thynker.com/subprocessors. We will give Customers reasonable advance notice of new or replaced subprocessors as set out in the DPA.
- —Subprocessors — with vendors that help us operate the Services, such as hosting, storage, databases, authentication, email delivery, monitoring, analytics, AI / model providers, payment processing, customer support tools, and professional advisors. Each subprocessor is bound by confidentiality and data-protection obligations no less protective than those in this policy.
- —Customer instructions — where a Customer instructs us to share information (for example via integrations, webhooks, or outbound messages), we share it on the Customer's behalf and at their direction.
- —Corporate transactions — in connection with a merger, acquisition, financing, reorganisation, bankruptcy, or sale of all or part of our business, in which case we will require the recipient to honour this policy.
- —Legal and safety — where we believe in good faith that disclosure is necessary to comply with law, enforce our agreements, protect our rights or the safety of users or others, or respond to lawful government requests.
- —With your consent — for any other purpose disclosed at the time of collection.
8. International data transfers
CMA Technology Consultants FZCO is established in the United Arab Emirates, and we and our subprocessors may process personal information in countries other than the one in which it was originally collected, including the UAE, the European Economic Area, the United Kingdom, the United States, and other jurisdictions where our providers operate.
Where personal information is transferred across borders, we rely on appropriate safeguards — such as the European Commission Standard Contractual Clauses, the UK International Data Transfer Addendum, or other lawful transfer mechanisms — and we assess the legal environment in the destination country before transfer.
9. Data retention
We retain personal information for as long as reasonably necessary to provide the Services, maintain security and operational integrity, comply with law, resolve disputes, enforce agreements, and support legitimate business needs.
Customer Content
We retain Customer Content for the term of the customer agreement and a reasonable transition period afterwards, unless a longer or shorter retention period is required by law or agreed in writing. Customers may export or delete their Customer Content at any time through the product or by contacting us.
Account and billing data
We retain account, billing, and tax records for the period required by applicable accounting and tax law (typically 6–8 years, depending on jurisdiction).
Marketing and analytics data
We retain marketing and analytics data for as long as you remain a subscriber to marketing communications or as needed to demonstrate compliance with applicable law.
10. Security
We use reasonable administrative, technical, and organisational measures designed to protect personal information against unauthorised access, alteration, disclosure, or destruction. These measures include encryption in transit, access controls and least-privilege principles, authentication controls, monitoring, segregation of environments, and vendor risk management.
No system is perfectly secure, and we cannot guarantee absolute security. Where we become aware of a personal-data breach affecting your information, we will notify you and applicable regulators in accordance with applicable law.
11. Your rights and choices
Depending on where you live, you may have some or all of the following rights with respect to your personal information:
How to exercise your rights
Email [email protected] with enough information for us to verify your identity and locate your records. We will respond within the timeframes required by applicable law. If you are an end user of a Customer using Thynker software, please contact that Customer directly — they control your data and we will assist them in fulfilling your request.
- —Access — request a copy of the personal information we hold about you.
- —Correction — request that we correct inaccurate or incomplete information.
- —Deletion — request that we delete your personal information, subject to legal exceptions.
- —Portability — receive your information in a structured, commonly used, machine-readable format.
- —Restriction or objection — restrict or object to certain processing of your personal information.
- —Withdrawal of consent — where we rely on consent, withdraw it at any time without affecting prior lawful processing.
- —Opt-out of marketing — unsubscribe from marketing communications via the link in those messages or by contacting us.
- —Complaint — lodge a complaint with a data-protection authority in your jurisdiction.
12. Region-specific notices
European Economic Area, United Kingdom, and Switzerland
CMA Technology Consultants FZCO acts as controller for personal information collected directly through the Services. Our EU/UK representative details (if appointed) are listed on our contact page. You may also lodge a complaint with your local data-protection authority.
United Arab Emirates
We comply with the UAE Personal Data Protection Law and applicable free-zone regulations where relevant. Our main establishment is the DMCC free zone in Dubai.
United States — California
Under the California Consumer Privacy Act (CCPA/CPRA), California residents have additional rights, including the right to know, delete, correct, and limit the use of sensitive personal information. We do not "sell" or "share" personal information for cross-context behavioural advertising as those terms are defined under California law.
South Africa
We comply with the Protection of Personal Information Act (POPIA). You may lodge a complaint with the Information Regulator.
13. Cookies and similar technologies
We use cookies and similar technologies on Thynker websites to operate the site, remember preferences, measure performance, and (with your consent where required) support marketing. You can control cookies through your browser settings and through any cookie preferences we make available.
14. Children
The Services are not directed to children under 16, and we do not knowingly collect personal information from children. If you believe we have collected information from a child in error, please contact us so we can delete it.
15. Third-party links and integrations
Thynker websites and software may contain links to, or integrate with, third-party services that we do not control. We are not responsible for the privacy practices of those third parties. We encourage you to review their policies before providing your information.
16. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date above. For material changes, we will provide reasonable notice — for example by email or through the Services. Your continued use of the Services after the updated policy becomes effective means you acknowledge the revised policy.
17. Contact
Questions about this Privacy Policy, our processing activities, or to exercise your rights, please contact us.
Please reach us at [email protected].
18. Legal entity and address
The data controller for personal information collected through the Services is CMA Technology Consultants FZCO, Unit No: UT-12-CO-349, DMCC Business Centre, Level No 12, Uptown Tower, Dubai, United Arab Emirates.