Privacy Policy

WhatsApp Commerce ("we", "our", "the platform") is a multi-tenant SaaS platform that enables businesses to automate their WhatsApp ordering workflows. We provide a dashboard, automation tools powered by n8n, and a REST API connecting to Meta's WhatsApp Business API.

This Privacy Policy applies to:

• Business clients — companies and individuals who register for an account on our platform
• End customers — the customers of our business clients who interact via WhatsApp
• Visitors — anyone who visits our website

Business client account data

• Name, email address, and password (hashed with bcrypt, never stored in plain text)
• Business name, city, country, currency, and timezone
• WhatsApp Business phone number and Meta API credentials (access token stored encrypted)
• Subscription tier, billing status, and payment history via Stripe — we never store card numbers
• Product catalogue: names, descriptions, prices, category names, and product images

End customer data (processed on behalf of business clients)

• WhatsApp phone number — used to identify the customer within a business's account only
• Order history: items ordered, quantities, total amounts, and timestamps
• Customer name if provided during the ordering flow
• Free-text messages sent to the business bot (processed in real time, not stored long-term)

Technical and usage data

• Server logs: IP addresses, request paths, HTTP status codes, response times — retained 30 days
• JWT session tokens — stored in browser sessionStorage only, never on our servers
• n8n workflow execution logs — retained 30 days then automatically deleted

Business client data is used to:

• Authenticate users and maintain secure sessions
• Provision and configure your WhatsApp automation workflow
• Display your dashboard (orders, analytics, product management)
• Process subscription payments and send invoices via Stripe
• Send service notifications (subscription renewals, security alerts)
• Provide technical support when requested

End customer data is used to:

• Process orders placed via WhatsApp and display them in the business client's dashboard
• Generate analytics for the business client (order counts, revenue, peak times)
• Enable the business client to respond to and fulfil orders

We never use data to:

• Send marketing communications to end customers
• Share data between different business clients — strict tenant isolation at database level
• Train AI or machine learning models
• Sell or rent data to any third party

Infrastructure

All data is stored on an Oracle Cloud Infrastructure virtual machine. We use Docker containers for service isolation, PostgreSQL for persistent data, and Redis for ephemeral session caching.

Security measures

• Passwords: Hashed with bcrypt (12 salt rounds) — irreversible, never stored as plain text
• JWT tokens: Short-lived (1 hour), signed with a secret key, transmitted over HTTPS only
• API credentials: WhatsApp access tokens stored encrypted using AES-256
• Tenant isolation: PostgreSQL Row-Level Security (RLS) enforces that each business can only access their own data — enforced at the database level, not just application code
• Transport: All connections use HTTPS/TLS
• Network: Database, cache, and internal services are not exposed to the internet

Meta Platforms / WhatsApp Business API

Required to send and receive WhatsApp messages. Meta's own Privacy Policy governs their handling of message metadata.

Stripe

Used for subscription billing. Stripe receives the business client's email and billing details. We never see or store payment card numbers. Governed by Stripe's Privacy Policy.

Oracle Cloud Infrastructure

Our hosting provider. All data at rest resides on Oracle Cloud servers. Governed by Oracle's Privacy Policy.

n8n (self-hosted)

Our automation engine runs entirely on our own servers. No data leaves our infrastructure through n8n.

As a platform built on the WhatsApp Business API, we operate under Meta's Business Tools Terms and WhatsApp's Business Policy.

• End customer phone numbers are used exclusively to fulfil orders — never for cross-platform marketing
• Message content is processed in real time to extract order information. Full conversation history is not retained
• Business clients are responsible for obtaining appropriate consent from their customers for WhatsApp-based ordering
• We do not use WhatsApp message content to build user profiles or for advertising targeting

• Account data: Duration of subscription plus 30 days after cancellation
• Order data: Duration of subscription. Business clients can export at any time
• Server logs: 30 days, then automatically deleted by log rotation
• n8n execution logs: 30 days
• Stripe billing records: As required by financial regulations (typically 7 years)
• Backups: 30-day rolling retention

After account deletion, all personal data is permanently removed from active databases within 30 days.

Under GDPR and applicable Moroccan data protection law, you have the right to:

• Access: Request a copy of all personal data we hold about you
• Rectification: Correct inaccurate data — most fields are editable directly in your dashboard
• Erasure: Request deletion of your account and all associated data
• Portability: Export your orders, products, and customer data as CSV from the dashboard
• Restrict processing: Limit how we use your data while a dispute is resolved
• Object: Object to processing based on legitimate interests

We use browser sessionStorage (not cookies) to store your JWT authentication token:

• The token is stored locally in your browser, never on our servers
• It is automatically cleared when you close the browser tab
• It expires after 1 hour regardless, requiring re-authentication

We use a dark mode preference stored in localStorage (darkMode) containing only a true/false value — no personal information.

We do not use tracking cookies, advertising cookies, or any third-party cookies.

Our platform is intended for business use only. We do not knowingly collect personal data from individuals under the age of 16. If you believe a minor has registered for an account, please contact us and we will delete the account and all associated data.

When we update this Privacy Policy:

• The "Last updated" date at the top of this page will change
• For material changes affecting your rights, we will notify active business clients by email at least 14 days before the changes take effect
• Continued use of the platform after the effective date constitutes acceptance

• Email: [email protected]
• Response time: Within 30 days for formal requests
• Languages accepted: English, French, Arabic

You also have the right to lodge a complaint with your national data protection authority.