Privacy Policy

Last updated: 10/07/2026  ·  Version 1.0

1. Who we are

WapFlow is a SaaS virtual receptionist platform via WhatsApp for small and medium service businesses (barbershops, beauty salons, clinics, wellness studios and others), developed and operated by SYS INFORMATION TECHNOLOGY LTDA (Brazilian tax ID / CNPJ 49.780.808/0001-28), registered in Ribeirão Preto/SP, Brazil ("we", "our" or "Data Controller").

For the purposes of the General Data Protection Regulation (GDPR — EU 2016/679), WapFlow acts as data controller in relation to data of Plan Holders (businesses/merchants) and, in certain contexts, as data processor in relation to information about end clients of those businesses.

Data Controller Contact

SYS INFORMATION TECHNOLOGY LTDA — CNPJ 49.780.808/0001-28

Registered office: Ribeirão Preto/SP, Brazil

Email: now@wapflow.me

Website: wapflow.me

2. What data we collect

2.1 Plan Holder data (contracting businesses)

  • Full name of the responsible person and business name
  • Email address and business phone number
  • Payment data (processed by Stripe — we do not store card details)
  • WhatsApp Business phone number linked to the platform
  • Usage and interaction data with the admin dashboard
  • Opening hours, offered services and business settings

2.2 End client data (of contracting businesses)

  • Name and WhatsApp phone number
  • Appointment history (service, date, time, responsible staff member)
  • Service preferences declared in conversations
  • WhatsApp communication opt-out status

The textual content of WhatsApp conversations is not stored on our servers beyond what is necessary to process the message intent in real time. We do not store message logs containing PII (personally identifiable information).

2.3 Technical and usage data

  • IP addresses and HTTP headers (for security and rate limiting)
  • System event logs (without message content)
  • Performance metrics and technical errors

3. Purposes and legal bases for processing

Purpose Legal Basis (GDPR)
Provision of the WhatsApp appointment booking service Performance of contract (Art. 6.1.b)
Account management, billing and support Performance of contract (Art. 6.1.b)
Sending appointment confirmation and reminder notifications Legitimate interest (Art. 6.1.f)
Security, fraud prevention and legal compliance Legal obligation (Art. 6.1.c) / Legitimate interest (Art. 6.1.f)
Natural language processing by AI to interpret messages Performance of contract (Art. 6.1.b)
Product improvement and performance analysis Legitimate interest (Art. 6.1.f)

4. Sharing data with third parties

We do not sell or rent personal data. We share data only with the following sub-processors, strictly necessary for the provision of the service:

M

Meta Platforms (WhatsApp Business API)

WhatsApp message transmission. Data is processed in accordance with Meta's Data Policy.

Location: USA · Safeguard: Standard Contractual Clauses (SCCs)

AI

OpenAI / Abacus.AI (AI Processing)

Message intent interpretation. Only the minimum context necessary is sent, without direct identifiers beyond what is required for the conversation context. See OpenAI's Privacy Policy.

Location: USA · Safeguard: Standard Contractual Clauses (SCCs)

$

Stripe (Payments)

Subscription payment processing. Card details are processed directly by Stripe. See Stripe's Privacy Policy.

Location: USA · Safeguard: SCCs · PCI DSS certified

G

Google (Calendar — optional feature)

If the professional enables the integration, WapFlow creates, updates and deletes events on their Google Calendar (service name, client name, date and time), mirroring bookings made via WhatsApp. We do not read or access any other pre-existing events on the user's calendar. See Google's Privacy Policy.

Location: USA · Safeguard: Standard Contractual Clauses (SCCs)

H

Hetzner Cloud (Infrastructure)

Application server and database. Data stored on servers in Germany (EU), covered by GDPR directly.

Location: Germany (EU) · GDPR applies directly

5. International data transfers

Some of our sub-processors are located outside the European Economic Area (EEA). In these cases, we ensure that transfers are carried out with appropriate safeguards, in particular through Standard Contractual Clauses (SCCs) approved by the European Commission, or other equivalent legal mechanisms recognised under GDPR.

6. Data retention

Data category Retention period
Account and plan holder data While account is active + 90 days after closure
Appointment records 5 years (tax and contractual obligations)
End client data of businesses While business account is active + 90 days
Payment records (Stripe) 7 years (legal tax obligation)
Technical and access logs 90 days
WhatsApp communication opt-outs Indefinitely (to honour the request)

7. Your rights

Under the GDPR, data subjects have the following rights, exercisable by contacting us as indicated in section 1:

Access

Request a copy of the personal data we process about you.

Rectification

Correct inaccurate or incomplete data.

Erasure

Request deletion of your data, subject to legal retention obligations.

Data portability

Receive your data in a structured, machine-readable format.

Objection

Object to processing based on legitimate interest.

Restriction

Restrict processing of your data in certain circumstances.

Withdraw consent

Where processing is based on consent, you may withdraw it at any time.

Lodge a complaint

Submit a complaint to the supervisory authority in your EU member state.

We respond to rights requests within 30 days (extendable by a further 60 days in complex cases, with prior notification).

8. Data security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction or disclosure, including:

  • Encryption in transit (TLS 1.2+) and at rest for sensitive data
  • API tokens and authentication keys stored encrypted in the database
  • Two-factor authentication (2FA) available for all users
  • HMAC-SHA256 signature validation on all incoming webhooks
  • Rate limiting to prevent brute-force attacks
  • Tenant data isolation — each business accesses only its own data
  • Regular backups with secure retention

In the event of a data breach posing a risk to the rights and freedoms of data subjects, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by the GDPR.

9. Cookies and tracking technologies

WapFlow uses strictly necessary cookies for the operation of the admin dashboard (authentication session, CSRF protection). We do not use third-party tracking cookies, behavioural advertising or analytics tools that individually identify users.

Cookie Purpose Duration
wapflow_session Authentication session (strictly necessary) Session / 2 hours
XSRF-TOKEN CSRF protection (strictly necessary) Session
locale Language preference Session

10. Minors

WapFlow is a service intended exclusively for businesses and professionals. We do not intentionally collect personal data from individuals under 18 years of age. If you believe data from a minor has been provided, please contact us immediately so we can arrange deletion.

11. WhatsApp Business API integration (Meta)

WapFlow uses Meta's WhatsApp Business API to send and receive messages on behalf of contracting businesses. By using our service, businesses confirm that they:

  • Have obtained appropriate consent from their clients for WhatsApp communication
  • Comply with WhatsApp Business Policies
  • Honour opt-out requests (STOP) from their clients
  • Do not use the platform to send spam or unsolicited messages

Messages sent through the Meta platform are processed by Meta in accordance with its own data policy. WapFlow does not have access to the content of end-to-end encrypted messages.

12. Changes to this policy

We may update this Privacy Policy periodically. When we do, we will update the "Last updated" date at the top of this page and notify registered users by email for any substantial changes. We recommend reviewing this policy regularly.

13. Contact and complaints

To exercise your rights or submit questions or complaints about the processing of your personal data, contact us:

SYS INFORMATION TECHNOLOGY LTDA — Privacy Team

CNPJ 49.780.808/0001-28 · Ribeirão Preto/SP, Brazil

Email: now@wapflow.me

Response time: up to 30 days

You also have the right to lodge a complaint directly with the competent data protection authority:

  • European Union: The data protection authority of your EU member state of residence
  • United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk