Privacy Policy

Effective date: April 2026. This policy describes how WhatsJet ("we", "us") collects, uses, stores, and shares personal data when you use our WhatsApp marketing platform.

1. Who we are

WhatsJet is a multi-tenant software-as-a-service platform that connects businesses to the WhatsApp Business Platform via Meta's Cloud API. Each business ("Vendor") operates its own isolated tenant. Vendors are the data controllers for WhatsApp contact data stored on their tenant; WhatsJet is a data processor acting on their instructions.

2. Information we collect

From vendor admins:

Name, email address, mobile number, password hash, Facebook user ID and access tokens (when OAuth is used to authorize WhatsApp Business Account access), preferred language, timezone, and an audit log of sign-in events.

From WhatsApp contacts the vendor imports or messages:

Phone number (WhatsApp ID), first and last name, email, country, language code, any custom fields the vendor defines, group and label assignments, opt-in/opt-out state with timestamp, and the full inbound/outbound message history (text, media, templates, interactive buttons, delivery status updates).

From Meta / WhatsApp Cloud API webhooks:

Message id (wamid), delivery status (sent / delivered / read / failed), WhatsApp Business phone number id, and media payload metadata. We verify every webhook against the X-Hub-Signature-256 HMAC-SHA256 header to reject forged traffic.

3. How we use your data

(a) To deliver the messaging, campaign, chat, and analytics features of the service. (b) To run the auto-reply bot engine and, where vendors opt in, AI responses via OpenAI or Flowise. (c) To authenticate users, enforce plan limits, and prevent abuse. (d) To comply with Meta Platform Terms and applicable law. We never sell personal data, use it for cross-site advertising, or train machine learning models on vendor content.

4. Legal basis

For EU / EEA users: we process personal data under Article 6(1)(b) (contract performance) for vendor admins and Article 6(1)(f) (legitimate interest) for contact engagement analytics. Vendors are responsible for obtaining lawful consent (Article 6(1)(a)) from WhatsApp contacts before sending marketing templates.

5. Data storage and security

Data is stored in an encrypted PostgreSQL database. WhatsApp access tokens, payment gateway secrets, and webhook signing keys are encrypted at rest using the ASP.NET Core Data Protection API (AES-256) before being written to disk. All HTTP traffic uses TLS 1.2 or higher. Access tokens are never logged in plain text or transmitted to the browser. Multi-tenancy is enforced at the database layer via global query filters — one vendor cannot read another vendor's rows.

6. Data retention

Message logs are retained for 90 days by default. Completed data deletion request records are retained for 180 days for audit purposes. Audit logs are retained for 6 months. Vendors on the Ultimate plan can configure longer or shorter retention via their vendor settings. A nightly Hangfire job enforces these limits.

7. Sub-processors and outgoing webhooks

We forward inbound WhatsApp events to each vendor's configured outgoing-webhook endpoint only when the vendor explicitly enables it. Requests include an X-WhatsJet-Signature HMAC header the vendor's receiver can verify. Sub-processors: Meta Platforms Inc. (WhatsApp Business API), vendor-configured AI providers (OpenAI or Flowise, optional), and payment gateways (Stripe, PayPal, Razorpay, Paystack, YooMoney — optional, configured by the platform operator).

8. Your rights

You can (a) access your data via the Export Data button on the Settings page — the export includes your user record, connected Facebook pages, audit log, and, if you are a vendor admin, the entire vendor tenant dataset (contacts, messages, campaigns, templates, bot replies); (b) request deletion at any time through the same page, or by revoking WhatsJet from your Facebook account — the deletion is irreversible and hard-deletes every row associated with your vendor tenant; (c) correct or restrict processing by contacting us.

9. Meta data deletion callback

WhatsJet implements Meta's data deletion callback at /api/meta/data-deletion. When Meta notifies us that a Facebook user has requested deletion, we hard-delete the entire vendor tenant owned by that user: contacts, labels, groups, custom field values, campaigns, message logs and queue, bot replies and flows, WhatsApp templates, vendor settings (including encrypted tokens), subscriptions, team member accounts, and the vendor record itself. We return a confirmation code and a status URL at /deletion-status/{code} where the user can verify progress.

10. Children

WhatsJet is not directed to children under 13 (or 16 in the EU). We do not knowingly collect data from minors. Vendors must not use WhatsJet to message minors without verifiable parental consent as required by local law.

11. International transfers

The WhatsApp Business Platform is operated by Meta globally. Message content and delivery metadata are transmitted to Meta's infrastructure in the United States and other regions per Meta's privacy policy. WhatsJet's own servers are hosted in the region specified by the platform operator.

12. Changes to this policy

We will post material changes to this policy on this page and update the effective date above. For significant changes we will notify vendor admins by email.

13. Contact

Data protection questions, access requests, and erasure requests: privacy@whatsjet.com. Security vulnerabilities: security@whatsjet.com.