Privacy & Security

WaFlow handles real conversations between you and your customers. We treat that data as yours — here's exactly what we collect, why, and the concrete steps we take to keep it from leaking.

Last updated: June 2026

What we collect

To run the service, WaFlow stores:

  • Account information — your name, email, and business profile (name, type, timezone, operating hours).
  • WhatsApp conversations — the messages exchanged between your business and your customers, including customer phone numbers and profile names, so the AI can reply and your team can follow up.
  • Leads — contact details and intent the AI extracts from conversations, so you can convert and follow up.
  • Integration credentials — your WhatsApp Cloud API access token, stored encrypted (see below).
  • Usage & billing data — conversation counts and subscription state, used to meter your plan.

How we use it

We use your data solely to operate the product you signed up for: generating AI replies, capturing leads, routing chats to your team, showing analytics, and billing your plan. We do not sell your data, and we do not use your customers' conversations to train shared or third-party AI models. AI replies are generated per request and are scoped to your business only.

How we keep your data from leaking

Security isn't a checkbox for us — these are mechanisms built into how the product works:

Credentials encrypted at rest

Your WhatsApp Cloud API access token is encrypted with AES-256-GCM before it ever touches the database. GCM is authenticated encryption, so a tampered value fails to decrypt rather than silently corrupting. Even if a database backup leaked, the token is unusable without our separately-held encryption key.

Every webhook is signature-verified

Incoming WhatsApp events are rejected unless they carry a valid HMAC-SHA-256 signature computed over the exact bytes Meta sent, using a shared app secret. Unsigned or tampered payloads are turned away before any data is stored, so no attacker can inject fake messages into your inbox.
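The check described above, as an added illustration (this is not WaFlow's own code). It assumes the signature arrives in Meta's `X-Hub-Signature-256` header as `sha256=<hex>`; the secret, payload, and function names are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample values; not real credentials or traffic.
APP_SECRET = b"example-app-secret"
RAW_BODY = b'{"entry":[{"changes":[{"value":{"messages":[{"text":{"body":"hi"}}]}}]}]}'


def sign(raw_body: bytes, secret: bytes) -> str:
    """Header value a sender would attach: 'sha256=' + hex HMAC of the body."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(raw_body: bytes, header: Optional[str], secret: bytes) -> bool:
    """True only if the header carries a valid HMAC-SHA-256 of raw_body."""
    if not header or not header.startswith("sha256="):
        return False  # unsigned or unknown scheme
    received = header[len("sha256="):]
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    # Constant-time comparison; bytes input also tolerates non-ASCII headers.
    return hmac.compare_digest(expected.encode(), received.encode())


def handle(raw_body: bytes, header: Optional[str], secret: bytes):
    """Verify first, parse second: nothing is decoded or stored on failure."""
    if not verify_webhook(raw_body, header, secret):
        return None
    return json.loads(raw_body)


def reserialized(raw_body: bytes) -> bytes:
    """Parse and re-encode the JSON, as a framework body parser might."""
    return json.dumps(json.loads(raw_body)).encode()


if __name__ == "__main__":
    good = sign(RAW_BODY, APP_SECRET)
    print("valid payload accepted:", handle(RAW_BODY, good, APP_SECRET) is not None)
    print("missing header accepted:", verify_webhook(RAW_BODY, None, APP_SECRET))
    print("tampered body accepted:", verify_webhook(RAW_BODY + b" ", good, APP_SECRET))
    # Same JSON meaning, different bytes: the signature no longer matches.
    print("re-serialized accepted:", verify_webhook(reserialized(RAW_BODY), good, APP_SECRET))
```

The last case is why the signature has to be checked against the exact bytes received: a body that was parsed and re-encoded before verification fails even though its content is unchanged.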

Strict tenant isolation

Every business's data is tagged with a tenant ID that is attached automatically and enforced at four layers — the data model, the indexes, the query layer, and the verified session. A query simply cannot return another business's conversations, leads, or settings. There is no code path that lets one customer see another's data.

Authenticated access only

The dashboard sits behind authenticated sessions (Clerk). Your tenant identity is resolved from a verified session on the server on every request — it can't be spoofed by editing a cookie or a request parameter.

Encrypted in transit

All traffic — between your browser, our servers, Meta's WhatsApp API, and our database — travels over TLS. Data is never sent in the clear over the network.

Deletion that actually deletes

Records are soft-deleted by default so accidental removals can be recovered, and we support permanent erasure on request for compliance (e.g. GDPR right-to-be-forgotten). When you leave, your data leaves with you.

Third parties we rely on

We use a small set of trusted infrastructure providers to run the service. Each receives only the data needed for its function:

  • Meta (WhatsApp Cloud API) — message delivery, as the channel your customers message you on.
  • OpenAI — generates AI replies. Conversation content is sent per request to produce a reply and is not used to train shared models.
  • MongoDB Atlas — encrypted, managed database hosting.
  • Clerk — authentication and session management.
  • Razorpay — payment processing. Card and UPI details are handled by Razorpay; we never see or store your full payment credentials.

Your rights

You can access, correct, export, or delete your data at any time. To request permanent erasure or a data export, contact us and we'll action it. When you delete your account, your business's data is removed.

Contact

Questions about privacy or security? Contact us or email thewaflowapp@gmail.com. We'll keep this page updated as the product evolves.