Privacy Policy
Last updated: 5 July 2026
This Privacy Policy describes how our WhatsApp CRM platform ("the Platform", "we", "us") collects, uses, stores, and protects information when you and your end-customers interact with our service. By accessing or using the Platform you agree to this policy.
1. Who We Are
The Platform is a B2B SaaS application that enables businesses ("Users") to manage customer communications over WhatsApp and other messaging channels, track sales orders, and run marketing automation. We act as a data processor on behalf of our Users (who are the data controllers) for their end-customer data.
2. Information We Collect
2.1 Account & Team Data
- Name, email address, and hashed password of team members (agents, admins).
- Organization name, plan, and account settings.
- Two-factor authentication secrets (stored encrypted).
- Session tokens and audit log entries (who did what, when).
2.2 End-Customer Data (processed on behalf of Users)
- WhatsApp phone numbers, display names, and profile pictures (as provided by the Meta Business API).
- Full message content of WhatsApp conversations — text, images, audio, documents, and other media sent or received through the Platform.
- Contact attributes: email, address, tags, labels, lifecycle stage, lead score, and any custom fields added by the User.
- Sales order records: products ordered, quantities, amounts, delivery addresses, and order status.
- Purchase history and reorder cycle data derived from order records.
- Conversation metadata: timestamps, read/unread status, assigned agent.
2.3 Usage & Technical Data
- IP addresses, browser type, and operating system of team members logging in.
- Server logs and error reports (via Sentry, if configured).
- API request logs for audit and debugging purposes.
3. How We Use Your Information
- Providing the service — routing WhatsApp messages, storing conversations, powering the sales order and contact management modules.
- AI-assisted features — message summaries, automated replies, intent detection, and lead scoring are processed by OpenAI's API. Only the minimum necessary message content is sent; no data is used to train OpenAI's models under our API agreement.
- Analytics & reporting — aggregated dashboards, top-product/top-customer reports, and reorder predictions shown to authenticated Users.
- Broadcast messaging — Users may trigger bulk WhatsApp messages to their contacts. All such messages are sent via the Meta Business API under the User's approved WhatsApp Business Account.
- Security & compliance — rate limiting, authentication, audit logging, and automated backups.
- Support & debugging — error logs and anonymised telemetry help us fix bugs and improve reliability.
4. Legal Basis for Processing (GDPR)
Where the GDPR applies, we rely on:
- Contractual necessity — processing required to deliver the service described in our Terms of Service.
- Legitimate interests — security monitoring, fraud prevention, and product improvement.
- User consent — for optional features such as AI processing, where disclosed.
Users are responsible for ensuring they have an appropriate legal basis (e.g. consent, legitimate interest) to collect and process their end-customers' data.
5. Third-Party Services & Sub-Processors
| Sub-processor | Purpose | Data transferred |
|---|---|---|
| Meta Platforms (WhatsApp Business API) | Message delivery and receipt | Phone numbers, message content, media |
| OpenAI | AI features (summaries, intent, auto-reply) | Selected message content |
| MySQL / Cloud database host | Primary data storage | All platform data |
| Sentry (optional) | Error monitoring | Stack traces, request URLs (no message body) |
| Google Sheets API (optional) | Contact & order sync | Contact and order fields selected by the User |
6. WhatsApp & Meta Policy Compliance
The Platform operates via the Meta Business API. All message sending is subject to WhatsApp Business Policy and Meta Platform Terms. Users must:
- Only message contacts who have opted in to receive communications via WhatsApp.
- Honor opt-out requests promptly.
- Not use the Platform to send spam, misleading information, or content prohibited by Meta's policies.
7. Data Retention
- Conversation messages — retained while the account is active. Deleted within 30 days of account termination unless a longer retention is required by law.
- Contact & order data — retained while the account is active. Deleted or anonymised within 30 days of account termination.
- Audit logs — retained for 12 months for security and compliance purposes.
- Backups — encrypted backups retained for up to 30 days; then automatically purged.
- Users may export their data at any time via the Admin → Backups feature.
8. Data Security
- All data in transit is encrypted via TLS 1.2+.
- Passwords are hashed with bcrypt; 2FA secrets are encrypted at rest.
- Access is restricted by role: agents can only see conversations assigned to their organization; admin features require explicit role grants.
- Rate limiting and HMAC webhook verification protect the API layer.
- Security events are logged and available in the Admin → Audit Logs view.
9. Your Rights
If you are an end-customer of one of our Users, please contact that User (the business you interacted with on WhatsApp) to exercise your rights over your personal data — they are the data controller.
If you are a User (team member or admin) of the Platform, you have the right to:
- Access — request a copy of your personal data we hold.
- Correction — update inaccurate information via the account settings.
- Deletion — request deletion of your account and associated personal data.
- Portability — export your data in JSON or CSV format via Admin → Backups.
- Objection — opt out of any processing based on legitimate interests.
To make a request, contact us at the email address provided to you during onboarding.
10. Cookies & Local Storage
The Platform uses:
- Authentication cookie (`token`) — an HttpOnly, Secure JWT cookie used to maintain your login session. This is strictly necessary and does not require consent.
- LocalStorage — used to remember your UI theme preference (light/dark) and certain UI state (e.g. sidebar collapse). No personal data is stored.
We do not use advertising cookies or third-party tracking pixels.
11. International Data Transfers
Data may be processed in countries outside your own (including through sub-processors listed above). Where transfers occur outside the EEA, we rely on appropriate safeguards such as Standard Contractual Clauses or the recipient's adequacy decision.
12. Children's Privacy
The Platform is intended for business use and is not directed at individuals under 18. We do not knowingly collect personal data from minors.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, the "Last updated" date at the top of the page will change. For material changes, we will notify admin users via email or an in-app notice at least 14 days before the change takes effect.
14. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights, please contact the organization that provided you access to this Platform, or raise a request via your account's Admin settings.