WAPI Logo

Privacy Policy

At WAPI, we are committed to protecting your privacy and ensuring the security of your personal and business data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our WhatsApp Business API Gateway platform ("Service"). By using our Service, you consent to the data practices described in this policy.

Information We Collect

1.1 Account Information: When you register for our Service, we collect:

  • Business name and contact details
  • Email address and phone number
  • Billing and payment information
  • Account credentials and authentication data
  • Company registration details (if applicable)

1.2 WhatsApp Business Account Data: To provide our Service, we collect and process:

  • WhatsApp Business Account (WABA) credentials and configuration
  • Phone Number IDs and Display Numbers
  • Access tokens and API keys
  • Business profile information

1.3 Message Data: When you send messages through our platform, we process:

  • Recipient phone numbers
  • Message templates and content
  • Template parameters and variables
  • Message delivery status and metadata
  • Timestamps and message identifiers

1.4 Usage and Technical Data: We automatically collect:

  • API usage logs and request/response data
  • IP addresses and device information
  • Browser type and operating system
  • Access times and referring websites
  • Error logs and performance metrics

1.5 Audit and Security Data: For security and compliance purposes, we maintain:

  • Immutable audit logs of all system actions
  • Authentication attempts and security events
  • Account modifications and configuration changes
  • API key usage and access patterns

How We Use Your Information

We use the information we collect for the following purposes:

2.1 Service Delivery:

  • Providing and maintaining our WhatsApp API Gateway service
  • Processing and delivering WhatsApp messages on your behalf
  • Managing your account and providing customer support
  • Authenticating users and ensuring secure access
  • Implementing retry logic and message delivery optimization

2.2 Security and Fraud Prevention:

  • Detecting and preventing security threats and unauthorized access
  • Monitoring for suspicious activity and policy violations
  • Maintaining system integrity and protecting against abuse
  • Enforcing our Terms of Service and usage policies

2.3 Service Improvement and Analytics:

  • Analyzing usage patterns to improve our Service
  • Developing new features and functionality
  • Troubleshooting technical issues and debugging
  • Optimizing performance and reliability

2.4 Communication and Support:

  • Responding to your inquiries and support requests
  • Sending service announcements and important updates
  • Notifying you of changes to our Service or policies
  • Providing documentation and technical assistance

2.5 Legal Compliance:

  • Complying with applicable laws, regulations, and legal processes
  • Enforcing our legal rights and contracts
  • Maintaining records for compliance and audit purposes
  • Responding to lawful requests from authorities

Data Security and Encryption

We implement industry-leading security measures to protect your data:

3.1 Encryption at Rest:

  • AES-256-GCM Encryption: All sensitive data is encrypted using military-grade AES-256-GCM encryption
  • Master Key Protection: Encryption keys are securely managed and never stored alongside encrypted data
  • Encrypted Fields: WhatsApp credentials, access tokens, and message payloads are always encrypted
  • Key Versioning: Support for key rotation without service interruption

3.2 Encryption in Transit:

  • All data transmitted over HTTPS with TLS 1.2+ encryption
  • Secure API communication with certificate validation
  • Protected connections to WhatsApp Business API endpoints

3.3 Access Controls:

  • Multi-tier API key authentication (System and Tenant keys)
  • Role-based access control (RBAC) for different operations
  • Tenant data isolation in multi-tenant architecture
  • Regular security audits and penetration testing

3.4 Monitoring and Incident Response:

  • 24/7 security monitoring and threat detection
  • Immutable audit logs for forensic analysis
  • Automated alerting for suspicious activities
  • Incident response procedures and data breach protocols

Data Sharing and Disclosure

We do not sell, rent, or trade your personal information. We only share your data in the following limited circumstances:

4.1 Service Providers:

  • WhatsApp/Meta: Message data is transmitted to WhatsApp Business API to deliver your messages
  • Cloud Infrastructure: Data is hosted on secure cloud infrastructure providers
  • Payment Processors: Billing information is processed through secure payment gateways
  • All service providers are contractually bound to protect your data and use it only for specified purposes

4.2 Legal Requirements:

  • When required by law, regulation, or legal process
  • To enforce our Terms of Service or protect our rights
  • To detect, prevent, or address fraud, security, or technical issues
  • To protect the safety and rights of our users or the public

4.3 Business Transfers:

  • In the event of a merger, acquisition, or sale of assets, your data may be transferred
  • You will be notified of any such change and your choices regarding your data
  • The acquiring entity will be bound by this Privacy Policy

4.4 With Your Consent: We may share your information with third parties when you explicitly consent to such sharing.

Data Retention

5.1 Message Data:

  • Active messages are retained in "hot" storage during processing
  • Finalized messages (sent/failed) are archived to "cold" storage
  • Retention periods vary based on your subscription plan (typically 30-90 days)
  • Archived data is automatically deleted after the retention period expires

5.2 Account Data:

  • Account and configuration data is retained while your account is active
  • Upon account termination, data is retained for 30 days for recovery purposes
  • After 30 days, all account data is permanently deleted

5.3 Audit Logs:

  • Audit logs are retained for compliance and security purposes
  • Minimum retention period: 12 months
  • Extended retention may apply for regulatory compliance (e.g., GDPR, POPIA)

5.4 Legal Holds:

  • Data may be retained longer if required for legal proceedings
  • Backup copies may persist in our systems for up to 90 days

Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal data:

6.1 Access and Portability:

  • Request access to your personal data
  • Receive a copy of your data in a structured, machine-readable format
  • Export your data before account termination

6.2 Correction and Updates:

  • Update your account information through the dashboard
  • Request correction of inaccurate or incomplete data
  • Modify your WhatsApp Business Account configuration

6.3 Deletion (Right to be Forgotten):

  • Request deletion of your personal data
  • Terminate your account and remove associated data
  • Note: Some data may be retained for legal compliance purposes

6.4 Restriction and Objection:

  • Request restriction of processing in certain circumstances
  • Object to processing based on legitimate interests
  • Opt out of marketing communications (if applicable)

6.5 Withdraw Consent:

  • Withdraw consent for data processing (where consent is the legal basis)
  • This does not affect the lawfulness of processing before withdrawal

To exercise your rights: Contact us at privacy@wapi.co.za . We will respond to your request within 30 days as required by applicable law.

Compliance with Data Protection Laws

7.1 GDPR (General Data Protection Regulation):

  • We comply with GDPR requirements for EU/EEA residents
  • Legal basis for processing: Contract performance and legitimate interests
  • Data Protection Officer contact: dpo@wapi.co.za
  • EU representative available upon request

7.2 POPIA (Protection of Personal Information Act):

  • We comply with South African data protection laws
  • Information Officer contact: info.officer@wapi.co.za
  • Processing is lawful, reasonable, and transparent

7.3 International Data Transfers:

  • Data may be transferred to and processed in countries outside your jurisdiction
  • We ensure appropriate safeguards through standard contractual clauses
  • WhatsApp/Meta's data processing terms apply to message delivery

7.4 Data Processing Agreements:

  • We act as a data processor for customer data
  • Data Processing Agreements (DPAs) available upon request
  • We process data only according to your instructions

Cookies and Tracking Technologies

8.1 Types of Cookies We Use:

  • Essential Cookies: Required for authentication and security
  • Performance Cookies: Help us understand how you use our Service
  • Functional Cookies: Remember your preferences and settings

8.2 Third-Party Tracking:

  • We do not use third-party advertising or tracking cookies
  • Analytics data is anonymized and aggregated
  • No personal data is shared with advertising networks

8.3 Managing Cookies:

  • You can control cookies through your browser settings
  • Disabling essential cookies may affect Service functionality
  • Most browsers allow you to refuse or delete cookies

Children's Privacy

Our Service is intended for business use only and is not directed to individuals under the age of 18. We do not knowingly collect personal information from children.

If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete that information. If you believe we have collected information from a child, please contact us immediately at privacy@wapi.co.za.

Data Breach Notification

In the event of a data breach that affects your personal information, we will:

  • Notify affected users within 72 hours of discovering the breach
  • Report the breach to relevant data protection authorities as required by law
  • Provide details about the nature of the breach and affected data
  • Outline steps taken to mitigate the breach and prevent future occurrences
  • Offer guidance on protecting yourself from potential harm

Security Contact: Report security vulnerabilities to security@wapi.co.za

Third-Party Services and Links

11.1 WhatsApp Business API:

  • Our Service relies on WhatsApp Business API provided by Meta Platforms, Inc.
  • Message delivery is subject to WhatsApp's privacy policy and terms
  • We are not responsible for WhatsApp/Meta's data practices
  • Review WhatsApp's privacy policy at: https://www.whatsapp.com/legal/business-policy

11.2 External Links:

  • Our Service may contain links to third-party websites
  • We are not responsible for the privacy practices of external sites
  • We encourage you to review their privacy policies

11.3 Service Providers:

  • We carefully vet all service providers for security and compliance
  • Data Processing Agreements are in place with all processors
  • Service providers are prohibited from using data for their own purposes

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

Notification of Changes:

  • We will update the "Last updated" date at the top of this policy
  • Material changes will be communicated via email to registered users
  • Notice may also be displayed through the Service dashboard
  • Continued use after changes constitutes acceptance of the updated policy

Important: We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

WAPI Privacy Team

General Privacy Inquiries:

info@wapi.co.za

Your Privacy Matters: By using the WAPI Service, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your information as described herein. We are committed to maintaining the highest standards of data protection and security.