1. Who We Are (Data Controller)
WA-Assistant ("we", "our", "us") is the data controller responsible for your personal data. If you have any questions about this policy or your data, contact us at [email protected].
2. What Data We Collect
Account Data
- Email address and username (used for authentication)
- Google account name and profile (if you sign in with Google)
- Encrypted password hash (never the plaintext password)
- Account creation date and email verification status
Google Contacts Data (via Google People API)
- Google Contacts names, phone numbers, and contact photos (only if you choose the "Full Sync" pathway and link your Google account)
- This data is stored locally in our database to resolve WhatsApp phone numbers to contact names in your dashboard.
- We do not share your Google Contacts data with any third-party services, AI models, or advertisers.
WhatsApp Message Data
- Text content of WhatsApp messages sent and received via your connected account
- Contact names, phone numbers (JIDs), and conversation metadata
- Media file paths (we store references, not copies of media, which expire after 30 days)
- Message timestamps and delivery status
AI Processing Data
- Message history processed by our AI service provider to generate reply suggestions
- Only the most recent 20 messages in a conversation are sent at a time
- Our AI provider operates under a Data Processing Agreement and does not use your data to train models
Billing Data
- Stripe customer ID and subscription status (payment details are never stored by us)
- All payment processing is handled directly by Stripe
Usage Data
- Daily AI suggestion usage counts (for plan limit enforcement)
- App settings (persona, preferences)
Analytics
- Google Analytics 4 (GA4) for aggregate website usage statistics — only with your consent
- Google Ads conversion tracking — only with your consent
- No data is shared with third-party advertisers
3. Legal Basis for Processing
| Processing Activity | Legal Basis (GDPR Art. 6) |
|---|---|
| Account management | Contract performance (Art. 6(1)(b)) |
| WhatsApp message processing | Contract performance (Art. 6(1)(b)) |
| AI suggestion generation | Contract performance + Consent |
| Billing & subscription | Contract performance (Art. 6(1)(b)) |
| Analytics & advertising | Consent (Art. 6(1)(a)) |
| Security & fraud prevention | Legitimate interests (Art. 6(1)(f)) |
4. How We Use Your Data
- Providing the WhatsApp AI assistant service (generating reply suggestions)
- Authentication and account security
- Enforcing usage limits based on your subscription plan
- Sending transactional emails (verification, billing receipts)
- Responding to support requests
- Improving service security and preventing abuse
5. Data Retention
- Account data: Retained until you delete your account
- Messages and conversations: Retained until you clear them or delete your account
- Media files: Automatically deleted after 30 days
- Usage statistics: Retained for 12 months then automatically purged
- Audit logs: Retained for 12 months for security purposes
- Billing records: Retained for 7 years per accounting requirements
6. Your Rights (GDPR Articles 15–22)
As a data subject under GDPR, you have the following rights:
- Access (Art. 15): Request a copy of all data we hold about you
- Portability (Art. 20): Export your data as a JSON file from your account settings
- Erasure (Art. 17): Delete your account and all associated data from account settings
- Rectification (Art. 16): Correct inaccurate data via account settings
- Restriction (Art. 18): Request restriction of processing by contacting us
- Objection (Art. 21): Object to processing based on legitimate interests
- Withdraw consent: Withdraw analytics consent at any time via the cookie banner
To exercise these rights, contact us at [email protected] or use the self-service tools in your account settings.
7. Third-Party Services
- AI Provider — AI reply generation (third-party processor under DPA). Contact us for details.
- Stripe — Payment processing. Privacy policy
- Resend — Transactional email delivery. Privacy policy
- Google Analytics 4 — Website analytics (consent required). Privacy policy
- Cloudflare — DNS, DDoS protection, and TLS. Privacy policy
8. Data Security
- All data transmitted over HTTPS/TLS (HSTS enforced)
- Passwords stored as bcrypt hashes (never plaintext)
- Database bound to internal network only (no public exposure)
- WhatsApp session keys stored in isolated per-user directories
- Admin actions are logged in a tamper-resistant audit trail
- Automated media file expiry to minimise data retention
9. Cookies
We use the following cookies:
- Session cookie (next-auth.session-token) — Essential. Required for authentication. HttpOnly, Secure, SameSite.
- Consent cookie (wa_cookie_consent) — Functional. Stores your analytics consent choice.
- Google Analytics cookies (_ga, _ga_*) — Analytics. Only set with your consent.
10. Changes to This Policy
We may update this policy periodically. Material changes will be communicated via email or an in-app notice. The "Last updated" date at the top of this page reflects the most recent revision.
11. Contact & Complaints
For privacy-related requests, contact us at [email protected].
If you believe we have not handled your data correctly, you have the right to lodge a complaint with your national data protection authority. In Portugal: CNPD (cnpd.pt).
12. Google API Disclosures & Limited Use Compliance
WA-Assistant's use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.
Your Google Contact data is exclusively used to populate contact names and avatars in your chat console. We do not sell, rent, or share this data with third parties, including AI models or advertisement networks.