Privacy & Security
WaFlow handles real conversations between you and your customers. We treat that data as yours — here's exactly what we collect, why, and the concrete steps we take to keep it from leaking.
Last updated: June 2026
What we collect
To run the service, WaFlow stores:
- Account information — your name, email, and business profile (name, type, timezone, operating hours).
- WhatsApp conversations — the messages exchanged between your business and your customers, including customer phone numbers and profile names, so the AI can reply and your team can follow up.
- Leads — contact details and intent the AI extracts from conversations, so you can convert and follow up.
- Integration credentials — your WhatsApp Cloud API access token, stored encrypted (see below).
- Usage & billing data — conversation counts and subscription state, used to meter your plan.
How we use it
We use your data solely to operate the product you signed up for: generating AI replies, capturing leads, routing chats to your team, showing analytics, and billing your plan. We do not sell your data, and we do not use your customers' conversations to train shared or third-party AI models. AI replies are generated per request and are scoped to your business only.
How we keep your data from leaking
Security isn't a checkbox for us — these are mechanisms built into how the product works:
Credentials encrypted at rest
Your WhatsApp Cloud API access token is encrypted with AES-256-GCM before it ever touches the database. GCM is authenticated encryption, so a tampered value fails to decrypt rather than silently corrupting. Even if a database backup leaked, the token is unusable without our separately-held encryption key.
Every webhook is signature-verified
Incoming WhatsApp events are rejected unless they carry a valid HMAC-SHA-256 signature computed over the exact bytes Meta sent, using a shared app secret. Unsigned or tampered payloads are turned away before any data is stored, so no attacker can inject fake messages into your inbox.
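The signature check described above, shown as an added example that is not WaFlow's own code. It assumes Meta's `X-Hub-Signature-256` header format (`sha256=` followed by the hex digest); the secret, payload and function names are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Optional

SIG_PREFIX = "sha256="  # assumed header value format: "sha256=<hex digest>"

# Constructed sample data (not real credentials or real traffic).
APP_SECRET = b"constructed-app-secret"
RAW_BODY = b'{"object": "whatsapp_business_account",  "entry": []}'


def sign(raw_body: bytes, app_secret: bytes) -> str:
    """Build the header value a sender would attach (used to create test input)."""
    return SIG_PREFIX + hmac.new(app_secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(raw_body: bytes, header: Optional[str], app_secret: bytes) -> bool:
    """Return True only if the header carries a valid HMAC-SHA-256 of raw_body."""
    # Missing header or an unexpected algorithm prefix: reject before any parsing.
    if not header or not header.startswith(SIG_PREFIX):
        return False
    try:
        received = bytes.fromhex(header[len(SIG_PREFIX):])
    except ValueError:
        return False  # digest is not valid hex
    expected = hmac.new(app_secret, raw_body, hashlib.sha256).digest()
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(expected, received)


def demo() -> dict:
    header = sign(RAW_BODY, APP_SECRET)
    # Parsing and re-serializing changes whitespace, so the bytes (and the MAC) differ.
    reserialized = json.dumps(json.loads(RAW_BODY)).encode()
    tampered = RAW_BODY.replace(b"[]", b'[{"injected": true}]')
    return {
        "exact_bytes": verify_webhook(RAW_BODY, header, APP_SECRET),
        "reserialized_json": verify_webhook(reserialized, header, APP_SECRET),
        "tampered_body": verify_webhook(tampered, header, APP_SECRET),
        "missing_header": verify_webhook(RAW_BODY, None, APP_SECRET),
        "wrong_secret": verify_webhook(RAW_BODY, header, b"other-secret"),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The `reserialized_json` case is why the check must run on the raw request body: a framework that parses the JSON first and hands the handler a re-encoded copy will fail verification on legitimate events.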
Strict tenant isolation
Every business's data is tagged with a tenant ID that is attached automatically and enforced at four layers — the data model, the indexes, the query layer, and the verified session. A query simply cannot return another business's conversations, leads, or settings. There is no code path that lets one customer see another's data.
Authenticated access only
The dashboard sits behind authenticated sessions (Clerk). Your tenant identity is resolved from a verified session on the server on every request — it can't be spoofed by editing a cookie or a request parameter.
Encrypted in transit
All traffic — between your browser, our servers, Meta's WhatsApp API, and our database — travels over TLS. Data is never sent in the clear over the network.
Deletion that actually deletes
Records are soft-deleted by default so accidental removals can be recovered, and we support permanent erasure on request for compliance (e.g. GDPR right-to-be-forgotten). When you leave, your data leaves with you.
Third parties we rely on
We use a small set of trusted infrastructure providers to run the service. Each receives only the data needed for its function:
- Meta (WhatsApp Cloud API) — message delivery, as the channel your customers message you on.
- OpenAI — generates AI replies. Conversation content is sent per request to produce a reply and is not used to train shared models.
- MongoDB Atlas — encrypted, managed database hosting.
- Clerk — authentication and session management.
- Razorpay — payment processing. Card and UPI details are handled by Razorpay; we never see or store your full payment credentials.
Your rights
You can access, correct, export, or delete your data at any time. To request permanent erasure or a data export, contact us and we'll action it. When you delete your account, your business's data is removed.
Contact
Questions about privacy or security? Contact us or email thewaflowapp@gmail.com. We'll keep this page updated as the product evolves.