1. Information We Collect

waAgent.ai, a WhatsApp CRM platform, collects minimal personal data necessary to deliver our services. This includes:

– Account Data: Name, email, phone number, and WhatsApp Business Account details (e.g., WABA ID, phone_number_id) provided during Meta SDK onboarding.
– Usage Data: WhatsApp messages, media (e.g., images via S3), chat history, and interaction logs (e.g., broadcasts sent via Twilio) for inbox and analytics.
– Technical Data: IP address, device info, and cookies for site functionality and security.

We do not collect sensitive data (e.g., financial info) unless required for billing via integrated gateways. All data is processed with user consent during signup.

2. How We Use Your Information

Your data powers core CRM features:

– Service Delivery: Enable inbox replies, broadcasts, and templates (e.g., POST /whatsapp/message/template via Twilio).
– Personalization: Tailor analytics dashboards (e.g., engagement metrics) and proactive notifications.
– Communications: Send service updates or opt-in marketing (e.g., via approved templates).
– Improvement: Aggregate anonymized insights (e.g., delivery rates) to enhance app performance, without re-identification.

Data is used solely for these purposes; no unrelated profiling or sales.

3. Data Sharing

We prioritize privacy and never sell your data. Sharing occurs only with:

– Service Providers: Twilio (messaging), AWS S3 (media storage), Contabo (backend hosting)—bound by DPAs ensuring GDPR/CCPA compliance.
– Meta: During SDK integration for WABA registration; limited to necessary assets (e.g., phone_number_id).
– Legal Requirements: As detailed in §8.2, only upon verified authority requests, with minimization.

No sharing with third parties for advertising without explicit opt-in. International transfers (e.g., to US providers) use Standard Contractual Clauses.

4. Data Security

Security is foundational:

– Encryption: In-transit (HTTPS/TLS) and at-rest (AES-256 on S3/Contabo).
– Access Controls: Role-based (e.g., SUPER_ADMIN vs. MEMBER) with JWT tokens; audit logs for all actions.
– Breach Response: Notify affected users within 72 hours per GDPR; regular penetration testing.
– Media Handling: S3 signed URLs for previews; auto-delete after 30 days.

We comply with ISO 27001 standards and monitor for threats via tools like Cloudflare.

5. Data Retention

Data is retained only as needed:

– Account/Usage Data: Until account deletion + 30 days for backups.
– Messages/Media: 30 days post-chat (S3 auto-purge); longer for legal holds.
– Analytics: Anonymized aggregates retained indefinitely for trends.

Users can request deletion via support@waagent.ai; we honor within 30 days, except legal obligations.

6. Your Rights

Under GDPR/CCPA, you have rights to:

– Access/Rectify: View/update data via Settings > Profile.
– Delete/Port: Request erasure/portability (e.g., export chats) at privacy@waagent.ai.
– Object/Restrict: Opt-out of processing (e.g., broadcasts) or analytics.
– Withdraw Consent: Anytime via account settings; no penalty.

We respond within 30 days. For EU/CA users, DPO: dpo@orangetoolz.com.

7. Cookies and Tracking Technologies

We use essential cookies for login/persistence and analytics (e.g., Google Analytics opt-in) to track usage patterns. No tracking pixels. Manage via browser settings or our Cookie Consent banner. Third-party cookies (e.g., Meta SDK) are limited to onboarding.

8. Third-Party Links

Links to Meta/Twilio docs or payment gateways (e.g., Stripe) are for reference. We control none outside our platform; review their policies separately.

9. Children’s Privacy

waAgent.ai is for business users 18+. We do not knowingly collect data from children under 16. If discovered, we delete immediately and notify guardians.

10. International Data Transfers

As a global PWA, data may transfer to US/EU/APAC (e.g., Twilio US, Contabo Germany). Safeguards: SCCs, adequacy decisions. EU data stays in EU where possible.

11. Updates to This Policy

We update for legal/tech changes; notify via email/app. Continued use post-30 days implies acceptance.

Last updated: October 27, 2025

12. Requests from Public Authorities

waAgent.ai reviews all requests for personal data:

– Legality Review: Vetted by legal team within 72 hours (e.g., warrant required).
– Challenging: Object/appeal unlawful requests via counsel.
– Minimization: Disclose only essentials (e.g., redacted data).
– Documentation: Logged securely (Contabo, 6-year retention) with reasoning.

Contact privacy@waagent.ai for inquiries.