Privacy Policy

1. Introduction

Waiflow ("we", "our", or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our WhatsApp Business Platform services.

By using Waiflow, you agree to the collection and use of information in accordance with this policy.

2. Data We Collect

2.1 Personal Information

We collect the following personal information when you create an account:

Email Address: Used for account creation, authentication, and communications
Name: Your display name within the platform
Password: Securely hashed and stored for authentication
Profile Picture: Optional avatar image

2.2 WhatsApp Data

Through our integration with WhatsApp Business API, we may collect:

Contacts: Phone numbers, names, profile pictures, and contact information
Messages: Message content, timestamps, and metadata
Media Files: Images, videos, documents, and other media shared in conversations
Group Information: Group names, participants, and group messages
Presence Data: Online status and typing indicators

2.3 Business Data

If you use our CRM features, we collect:

Leads and Deals: Customer information, deal values, and pipeline stages
Campaigns: Marketing campaign details and recipient lists
Templates: Message templates and quick replies
Labels and Tags: Organizational categories for contacts and messages

2.4 Technical Data

We automatically collect:

IP Address: For security and analytics purposes
Device Information: Browser type, operating system, and device identifiers
Usage Data: Pages visited, features used, and time spent
Cookies: Small text files stored on your device for functionality and analytics

2.5 AI Processing Data

When AI features are enabled, we may process:

Message Content: Text content of messages for generating reply suggestions
Contact Data: Contact information and interaction history for lead scoring and qualification
Audio Messages: Voice messages for transcription to text
Campaign Data: Campaign content and responses for A/B testing analysis

Important: All AI processing is performed using self-hosted models running on our own infrastructure. Your data is never transmitted to external AI service providers (such as OpenAI, Google, or others) and is not used for AI model training.

2.6 Group Monitoring Data

If you use group monitoring features, we collect:

Group Messages: Messages matching your configured keywords or patterns
Match Metadata: Timestamps, group identifiers, and sender information for matched messages
Monitoring Rules: Your configured keywords, patterns, and auto-labeling rules

3. How We Use Your Data

3.1 Service Provision

We use your data to:

Provide and maintain our WhatsApp Business Platform services
Process and deliver messages through WhatsApp
Manage your contacts and conversations
Enable CRM features for lead and deal management
Provide customer support and respond to inquiries

3.2 Communication

We may use your email to:

Send account notifications and security alerts
Communicate about service updates and new features
Respond to your questions and support requests
Send marketing communications (with your consent)

3.3 Analytics and Improvement

We analyze usage data to:

Understand how users interact with our platform
Improve our services and user experience
Develop new features and functionality
Identify and fix technical issues

3.4 Security

We use data for security purposes to:

Detect and prevent fraudulent activity
Protect against unauthorized access
Comply with legal obligations

3.5 AI-Powered Features

We process your data through AI models to:

Generate contextual message reply suggestions
Score and qualify leads based on interaction patterns
Transcribe audio messages to text
Analyze campaign performance and optimize A/B tests

AI processing is performed solely for the purpose of providing these features to you. AI models are self-hosted and do not share your data externally. You can disable AI features at any time through your account settings (available on Business plan).

4. Data Storage and Security

4.1 Data Storage

Your data is stored on secure servers located in the European Union, ensuring compliance with GDPR requirements for data residency. We maintain appropriate technical and organizational measures to protect your personal data in accordance with GDPR Article 32.

4.2 Data Retention

We retain your data for as long as necessary to:

Provide our services to you
Fulfill our legal obligations
Resolve disputes and enforce our agreements
Support legitimate business interests

When you delete your account, we permanently remove your data within 30 days, subject to legal retention requirements. You may also configure custom data retention policies per data type through your account settings, enabling automatic deletion of aged data.

4.3 Encryption

We implement comprehensive encryption measures to protect your personal data:

Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS). API communications, webhook payloads, and inter-service communications are similarly encrypted.
Encryption at Rest: All personal data stored in our databases is encrypted at rest using AES-256 encryption. Database backups, file storage, and media files are encrypted using server-side encryption.
Password Security: User passwords are never stored in plaintext. All passwords are hashed using bcrypt with per-user salts before storage. We do not have access to your plaintext password.
Token Security: Authentication tokens (JWT) are signed using strong cryptographic keys and have configurable expiration periods. API keys are hashed before storage.
Payment Data: We do not store credit card numbers, CVVs, or complete payment details on our servers. All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor.

4.4 Access Controls and Authentication

Multi-Tenant Isolation: Every database query is filtered by tenant identifier, ensuring strict data separation between accounts. Users of one account cannot access data belonging to another account under any circumstances.
Role-Based Access: Team members are assigned roles (Owner, Member) with corresponding permission levels. Administrative functions are restricted to account owners.
Session Management: User sessions are managed via secure, signed tokens with configurable expiration. Sessions can be revoked at any time.
Rate Limiting: API endpoints are protected by rate limiting to prevent abuse, brute-force attacks, and denial-of-service attempts.
IP Logging: All authentication events, consent actions, and sensitive operations are logged with IP addresses for audit and security purposes.

4.5 Infrastructure Security

Network Security: Our infrastructure uses private networks, firewalls, and reverse proxies to restrict unauthorized access. Only necessary ports and services are exposed.
Container Isolation: Services run in isolated containers with minimal privileges, reducing the attack surface.
Automated Backups: Data is backed up regularly with encrypted backups stored separately from production systems.
Monitoring and Alerting: We monitor our infrastructure for anomalies, unauthorized access attempts, and security events.

4.6 Security Practices

Secure Development: We follow security best practices in software development, including input validation, output encoding, parameterized queries, and protection against OWASP Top 10 vulnerabilities.
Dependency Management: Third-party dependencies are regularly reviewed and updated to address known security vulnerabilities.
Incident Response: We maintain an incident response procedure to detect, contain, and remediate security incidents promptly. See Section 11 (Data Breach Notification) for our notification obligations.

                Security Limitation: While we implement industry-standard security measures and continuously work to protect your data, no method of electronic storage or transmission over the Internet is 100% secure. We cannot guarantee absolute security of your data. In the event of a security incident, we will notify you and the relevant supervisory authorities in accordance with our obligations under GDPR Articles 33 and 34.
            

5. Your GDPR Rights

Under the GDPR, you have the following rights regarding your personal data:

5.1 Right to Access

You have the right to request a copy of all personal data we hold about you. You can export your data at any time through your account settings or by contacting us.

5.2 Right to Rectification

You can request correction of inaccurate or incomplete personal data. Contact us with the details of the information you want corrected.

5.3 Right to Erasure (Right to be Forgotten)

You can request deletion of your personal data. We offer a 30-day grace period during which you can cancel the deletion request. After this period, your data will be permanently deleted.

5.4 Right to Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format. Our data export feature provides this capability.

5.5 Right to Restrict Processing

You can request that we limit the processing of your personal data under certain circumstances, such as when you contest the accuracy of the data.

5.6 Right to Object

You can object to the processing of your personal data, particularly for marketing purposes. We will stop processing unless we have compelling legitimate grounds.

5.7 Right to Withdraw Consent

You can withdraw your consent at any time through your account settings. Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

5.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state where you reside or work.

6. Cookie Policy

6.1 What Are Cookies?

Cookies are small text files stored on your device when you visit our website. They help us provide you with a better experience by remembering your preferences and understanding how you use our service.

6.2 Types of Cookies We Use

Essential Cookies: Required for the website to function properly
Analytics Cookies: Help us understand how visitors use our website
Preference Cookies: Remember your settings and preferences
Marketing Cookies: Used to deliver relevant advertisements (with consent)

6.3 Managing Cookies

You can control and manage cookies through your browser settings. Please note that disabling essential cookies may affect the functionality of our website. You can also manage your cookie preferences through our cookie consent banner.

7. Third-Party Services

7.1 Stripe (Payment Processing)

We use Stripe to process payments. When you make a payment, your payment information is securely transmitted to Stripe. We do not store your complete credit card information on our servers. Stripe's privacy policy applies to their processing of your data.

View Stripe Privacy Policy

7.2 WhatsApp Business API

Our service integrates with WhatsApp Business API to send and receive messages. Your WhatsApp data is processed according to WhatsApp's terms and privacy policy. We act as a data processor for WhatsApp communications.

View WhatsApp Privacy Policy

7.3 Cloud Storage

We may use third-party cloud storage services to store your data. These services provide secure, scalable storage with appropriate data protection measures.

7.4 Self-Hosted AI Models

Our AI features are powered by self-hosted open-source models running on our own infrastructure. Unlike cloud-based AI services, your data remains within our infrastructure and is not transmitted to any external AI provider. No user data is used for training or fine-tuning AI models.

7.5 API and Webhook Integrations

If you use API keys to access our Service programmatically or configure webhook integrations, data may be transmitted to endpoints you specify. You are responsible for the security and privacy practices of any third-party systems you integrate with through our API.

8. Data Sharing

8.1 We Do Not Sell Your Data

We do not sell, rent, or trade your personal data with third parties for their marketing purposes.

8.2 Service Providers

We may share your data with trusted third-party service providers who assist us in operating our platform, conducting our business, or servicing you. These providers have access to your data only to perform specific tasks on our behalf and are obligated not to disclose or use it for any other purpose.

8.3 Legal Requirements

We may disclose your personal data if required to do so by law or in response to valid requests by public authorities, including to meet national security or law enforcement requirements.

8.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the new owner. We will notify you before your data is transferred and becomes subject to a different privacy policy.

8.5 Data Processing Agreement

When you use the Service to process personal data of your contacts and customers, we act as a data processor on your behalf. A Data Processing Agreement (DPA) is available within your account settings that governs our obligations, including: sub-processor disclosures, data security measures, breach notification procedures, data subject rights handling, and audit rights. The DPA must be accepted before processing third-party personal data through the Service.

9. International Data Transfers

Your data is primarily stored and processed within the European Union. If we transfer your data outside the EU, we ensure appropriate safeguards are in place to protect your data, including:

Standard contractual clauses approved by the European Commission
Binding corporate rules
Adequacy decisions by the European Commission

10. Children's Privacy

Our services are not intended for individuals under the age of eighteen (18). We do not knowingly collect personal information from individuals under 18. If we discover that we have collected personal information from a person under 18, we will take steps to delete such information immediately. If you believe a minor has provided us with personal data, please contact us at [email protected].

11. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

Notify the Supervisory Authority: Within 72 hours of becoming aware of the breach, as required by GDPR Article 33
Notify Affected Users: Without undue delay when the breach is likely to result in a high risk to your rights and freedoms, as required by GDPR Article 34
Provide Information: Including the nature of the breach, categories of data affected, approximate number of affected individuals, likely consequences, and measures taken to address and mitigate the breach
Document the Breach: Maintain a complete record of all breaches, including circumstances, effects, and remedial actions, regardless of whether notification is required

You can monitor breach reports and their status through the compliance dashboard in your account settings.

12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

12.1 Right to Know

You have the right to request information about the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected the information, the business or commercial purpose for collecting the information, and the categories of third parties with whom we share the information.

12.2 Right to Delete

You have the right to request deletion of your personal information, subject to certain exceptions permitted by law.

12.3 Right to Opt-Out of Sale or Sharing

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes.

12.4 Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. We will not deny you services, charge you different prices, or provide a different level of service for exercising your rights.

12.5 Exercising Your Rights

To exercise your California privacy rights, contact us at [email protected] or use the data export and deletion features in your account settings. We will respond to verifiable consumer requests within 45 days.

13. Additional Regional Privacy Rights

13.1 United Kingdom (UK GDPR)

If you are a resident of the United Kingdom, you have equivalent rights to those described in the GDPR section above under the UK General Data Protection Regulation. References to "supervisory authority" include the UK Information Commissioner's Office (ICO).

13.2 Brazil (LGPD)

If you are a resident of Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD), including the right to access, correction, anonymization, portability, deletion, and information about sharing of your personal data. To exercise your LGPD rights, contact us at [email protected].

13.3 Other Jurisdictions

Regardless of your location, we are committed to protecting your personal data and will respond to data subject requests in accordance with the most protective applicable standard. If your jurisdiction provides additional privacy rights not listed above, please contact us and we will work to accommodate your request.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on our website and updating the "Last Updated" date. We encourage you to review this Privacy Policy periodically.

15. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Email

[email protected]

Privacy Team

If you have specific concerns about how we process your personal data, you can contact our Privacy Team at [email protected]. We will respond to all privacy inquiries within 30 days.

GDPR Requests

To exercise your GDPR rights, you can:

Use the data export feature in your account settings
Request account deletion through your account settings
Manage your consent preferences in your account settings
Contact us directly at [email protected]

We will respond to your request within 30 days of receipt, in accordance with GDPR requirements.

16. Legal Basis for Processing

Under the GDPR, we process your personal data based on the following legal grounds:

Contractual Necessity: Processing necessary to provide our services under our user agreement
Legal Obligation: Processing required to comply with applicable laws
Legitimate Interests: Processing for our legitimate business interests, such as security and fraud prevention
Consent: Processing based on your explicit consent, particularly for marketing communications

17. Account Deletion

You can request deletion of your account and all associated data at any time. The deletion process includes:

Request: Submit a deletion request with email and password confirmation
Grace Period: 30-day grace period during which you can cancel the request
Permanent Deletion: After the grace period, all data is permanently deleted
Scope: Deletion includes user profile, contacts, messages, campaigns, and all associated data

Note: If you are the only owner of a tenant, the entire tenant and all its data will be deleted. If there are other team members, only your user account will be removed.

18. Data Export

You can export all your personal data in a structured, machine-readable JSON format. The export includes:

User profile information
Tenant and team member details
All contacts and their metadata
Message history (up to 1000 most recent messages)
Campaigns and campaign messages
Deals and deal history
Message templates and quick replies
User preferences and consent history

To export your data, go to your account settings and click "Export Data". The export will be downloaded as a JSON file.

19. Consent Management

You can manage your consent preferences at any time through your account settings:

Terms of Service Consent: Required to use our services
Privacy Policy Consent: Required to use our services
Cookie Consent: Manage cookie preferences
Marketing Consent: Opt-in to receive marketing communications

All consent changes are logged for audit purposes. You can withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal.

20. Audit Logging

We maintain comprehensive audit logs of all GDPR-related operations, including:

Account deletion requests and confirmations
Data export requests and completions
Consent grants and revocations
IP addresses and user agents for all operations

These logs help us ensure compliance with GDPR requirements and provide accountability for data processing activities.

21. Links to Other Websites

Our service may contain links to other websites not operated by us. We have no control over the content, privacy policies, or practices of these third-party sites. We encourage you to review the privacy policies of any third-party sites you visit.

22. Severability

If any provision of this Privacy Policy is found to be unlawful, void, or unenforceable, that provision will be deemed severable from this Privacy Policy and will not affect the validity and enforceability of any remaining provisions.

23. Governing Law

This Privacy Policy is governed by the laws of the State of Israel. However, your privacy rights under the GDPR, UK GDPR, CCPA, LGPD, or other applicable data protection laws are protected regardless of the governing law. If you are a consumer in the European Union, nothing in this Privacy Policy deprives you of mandatory protections under the law of your country of residence.

24. Acknowledgment

By using Waiflow, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree with this policy, please do not use our service.