Privacy Policy

The short version

• We only collect the data we genuinely need to run the service.
• We never sell your data, your customers' data, or your conversations.
• We never use your customer conversations to train public AI models.
• Your data is encrypted in transit (TLS 1.3) and at rest (AES‑256).
• You can export everything or delete your account at any time.

1. Who we are

WhatAReply Inc. ("WhatAReply", "we", "us") provides software that helps businesses run their WhatsApp Business communications. This policy explains what we do with personal data.

2. Data we collect

Account data — your name, email, password (hashed), business name, billing details. You give us this when you sign up.

Workspace data — your contacts, messages, templates, campaigns, settings, and uploaded files. You give us this as you use the product.

Customer conversation data — when your customers message your WhatsApp number, those messages flow through our servers so we can deliver them to your inbox and (if you've enabled it) reply with AI.

Usage data — basic technical logs (IP address, browser, pages visited, errors) so we can keep the service running and secure.

3. How we use your data

• To run the product you signed up for.
• To send you account, billing and product emails.
• To improve reliability and security (anonymous, aggregated diagnostics only).
• To comply with the law if we ever have to.

We do not use your conversations to train any third‑party or public AI model. Your customer messages are private to your workspace.

4. Sub-processors

We use a small number of trusted vendors to run the service:

• DigitalOcean — hosting & database
• Meta (WhatsApp Business) — messaging delivery
• OpenAI / Anthropic / Google (your choice) — AI replies, when you turn the AI on
• Mailtrap / SES — transactional email delivery
• Stripe — payments (we never see your card)

Each one is contractually bound to handle your data only on our instructions.

5. Your rights

Wherever you live, you can:

• Get a copy of your data — export from inside the app any time.
• Correct anything that's wrong — edit it inside the app, or email us.
• Delete your account — it wipes your workspace within 30 days.
• Object to processing or ask us to stop — email privacy@whatareply.com.

If you're in the EU, UK or California you also have rights under GDPR / UK GDPR / CCPA — same as above, just spelt out in legalese.

6. Data retention

We keep your workspace data for as long as your account is active. If you cancel, we delete it within 30 days (backups within 90 days). Some billing records we have to keep for tax law — usually 7 years.

7. Where your data lives

By default your data is stored on servers in the United States. Business plan customers can request EU or India residency. Either way, transfers between regions use standard contractual clauses approved by the European Commission.

8. Security

Encrypted at rest with AES‑256, encrypted in transit with TLS 1.3. Tenant API keys and access tokens are encrypted with a per‑install key. Passwords are bcrypt-hashed. We log every admin action and review them regularly. See our security page for the longer version.

9. Cookies

We use essential cookies (login session, CSRF token) and an anonymous analytics cookie to count page visits. We do not run advertising trackers. Cookies are first‑party only.

10. Changes

If we materially change this policy, we'll email you and post a notice in the app at least 30 days before it takes effect.

11. Contact

Privacy questions, deletion requests, or anything else: privacy@whatareply.com. A real person reads every email.