Privacy Policy

1. Who we are

RED PRESS WIRE LTD — a company registered in England & Wales, company number 17054431. Registered office: Suite 10560, 5 Brayford Square, London, United Kingdom, E1 0SG. The data controller for Wappfly customer data is RED PRESS WIRE LTD; contact privacy@wappfly.com for privacy matters.

2. Information we collect

• Account data — email address, hashed password, account creation date.
• Billing data — name, billing address, VAT number where applicable, payment-method tokens. Card numbers themselves are stored by our payment processor (Stripe), never on our servers.
• WhatsApp session data — the cryptographic credentials your WhatsApp account issues when you scan the pairing QR. We store these encrypted at rest so we can keep the session connected.
• Message metadata + content — sender/recipient JIDs, timestamps, status (queued/sent/read), and the body of messages sent and received via your linked WhatsApp lines. We treat this as confidential customer data.
• Usage data — API request counts, error logs, and server-side access logs. Used for quota enforcement and security.
• Cookies — a single first-party session cookie (wapper_sess) to keep you logged in. No third-party analytics or advertising cookies.

3. Why we use it (legal basis)

• Contract: to provide the service you signed up for — pairing WhatsApp, routing messages, delivering webhooks.
• Legitimate interest: to keep the service secure, detect abuse, prevent fraud, and improve the product.
• Legal obligation: to comply with tax law, accounting, and lawful requests from authorities.
• Consent: for any optional marketing emails — you can opt out at any time.

4. Who we share it with

We use a small number of trusted sub-processors. We do not sell personal data.

• Stripe — payment processing. Stripe handles card data directly under its own privacy policy.
• Hosting provider — servers in the EU/UK that store the database, logs, and queued media.
• WhatsApp / Meta Platforms, Inc. — by using Wappfly you connect to WhatsApp Web; messages necessarily transit Meta's infrastructure as the WhatsApp protocol requires.
• Authorities — when legally required by valid court order or subpoena.

5. How long we keep it

• Account + billing data: while your account is active, plus 6 years after closure for accounting/tax compliance.
• Message content: kept while the connected WhatsApp session exists; deleted when you delete the session.
• Server logs: 30 days rolling.
• Webhook delivery logs: 14 days rolling.

6. Your rights

Under UK/EU GDPR you have the right to: access your data, correct it, delete it, restrict or object to processing, port it elsewhere, and lodge a complaint with the Information Commissioner's Office (ICO). Under the CCPA, California residents additionally have the right to know, delete, and opt out of any sale of personal data — we do not sell personal data.

To exercise any of these, email privacy@wappfly.com from your account email. We aim to respond within 30 days.

7. International transfers

Our servers are located in the EU/UK. Where data is transferred to a third country (e.g. Stripe in the United States) we rely on Standard Contractual Clauses or the UK Addendum to ensure equivalent protection.

8. Security

Passwords are hashed with bcrypt; WhatsApp session credentials are stored encrypted; the dashboard is HTTPS-only and uses HttpOnly+Secure session cookies. We will notify affected users without undue delay in the unlikely event of a personal data breach, as required by GDPR.

9. Children

Wappfly is not intended for, and we do not knowingly collect data from, anyone under 16.

10. Changes to this policy

If we change this policy materially, we'll email registered users and update the "Last updated" date above. The change takes effect 14 days after notice.

Contact

RED PRESS WIRE LTD
Suite 10560, 5 Brayford Square
London, United Kingdom, E1 0SG
Company No. 17054431
privacy@wappfly.com