Privacy Policy

This Privacy Policy explains how WhatsApp AI SaaS ("we", "us") collects, uses, stores, and protects information when you use our Service. By using the Service, you consent to the practices described in this Policy.

Account information: email address, full name, and business details you provide during registration.

Business data: business name, hours, location, FAQs, and auto-messages you configure in the dashboard.

WhatsApp conversation data: We process WhatsApp messages on behalf of businesses that use our Service. This includes incoming messages from your customers and AI-generated replies sent on your behalf.

Usage data: log files, IP addresses, request timestamps, and error reports used for debugging and service improvement.

• To operate the AI assistant and deliver automated replies to your customers
• To improve AI accuracy using aggregated, anonymised conversation patterns
• To send service notifications (account alerts, system updates)
• To comply with legal obligations and enforce our Terms of Service

Conversation content is sent to Anthropic (Claude API) to generate AI replies. Anthropic processes this data on our behalf under their API terms and privacy policy. We do not use your data to fine-tune Anthropic's models. Please review Anthropic's Privacy Policy for details on how they handle API data.

We store conversation data (messages, customer records) for up to 365 days after the last activity. Account and business configuration data is retained for as long as your account is active. After account deletion, we purge all personal data within 30 days.

We do not sell your data. We share data only with:

• Anthropic — to generate AI replies (see Section 4)
• Twilio — to send and receive WhatsApp messages on your behalf
• Infrastructure providers (Railway, Vercel, Neon) — to host the Service; all are bound by data processing agreements
• Law enforcement — when required by applicable law

You have the right to:

• Access — request a copy of personal data we hold about you
• Correction — ask us to fix inaccurate data
• Deletion — request erasure of your account and associated data
• Portability — receive your data in a machine-readable format

To exercise any of these rights, email ginwan@nxora.dev. We will respond within 30 days.

You, as the business operating the Service, are the data controller for your customers' WhatsApp messages. We process that data as your data processor. You are responsible for having a lawful basis to process your customers' data and for informing them that their messages may be processed by AI.

We encrypt credentials at rest using AES-256 (Fernet). All data in transit is protected by TLS 1.2+. Access to production systems is limited to authorised personnel. Despite these measures, no system is 100% secure — please notify us immediately at ginwan@nxora.dev if you suspect a breach.

We use session cookies required for authentication (via Clerk). We do not use third-party advertising or tracking cookies.

The Service is not directed at children under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided data to us, contact us and we will delete it promptly.

We may update this Policy periodically. We will notify you via email at least 14 days before material changes take effect. Continued use of the Service constitutes acceptance of the revised Policy.

Privacy questions or requests: ginwan@nxora.dev