Privacy Policy

1. Who We Are

esek.io ("we", "our", "us") operates a business messaging platform that connects service providers ("Business Customers") with their customers ("End Users") via the WhatsApp Business Platform. We act as a Technology Provider under the Meta Business Platform and process data on behalf of our Business Customers in accordance with Meta's Platform Terms and Business Messaging guidelines. This policy explains how we collect, use, and protect personal data.

2. Data We Collect

We collect data from two audiences: Business Customers who register to use our platform, and End Users who communicate with those businesses via WhatsApp.

From Business Customers

• Account data: name, email address, and password hash of registered agents.
• Onboarding data: when a business connects via Meta Embedded Signup, we receive the WhatsApp Business Account ID, phone number ID, business verification status, and a scoped access token. We store only what is necessary to operate the integration.
• Usage data: log entries and error traces generated during normal operation.

From End Users (via WhatsApp conversations)

• Conversation data: WhatsApp phone number, display name, and messages exchanged through the platform.
• Media files: images, videos, documents, and audio messages sent or received via WhatsApp.

Optional device permissions

• Microphone (mobile apps): our iOS and Android apps may request microphone access only when you choose to record a voice message in chat; audio is sent like other messages and is not recorded in the background.

3. Legal Basis for Processing

• Contractual necessity: processing Business Customer data is required to provide the platform service under our terms.
• Legitimate interest: processing End User conversation data is necessary for Business Customers to communicate with their customers and for us to maintain platform reliability.
• Consent: where required by applicable law (e.g. optional microphone access), we rely on your explicit consent, which you may withdraw at any time.

4. How We Use Data

• To provide the messaging and booking service to connected businesses.
• To generate AI-assisted replies, signals, suggestions, images, and booking confirmations on behalf of the Business Customer. This includes the customer-facing AI surfaces — the Chat Agent (which drafts or sends replies to End Users on the business's behalf) and the silent Signal Capture pass that extracts quotes, commitments, and handoff brief fields from human-replied chats for the merchant's later review — and the merchant-facing surfaces: Copilot (in-app assistant, including real-time voice when enabled), Ads suggestions (campaign name and creative copy), and image generation for business assets (logo, catalog photos, ad creative).
• To send transactional email notifications (e.g. new conversation alerts).
• To improve platform reliability and diagnose technical issues.

We use WhatsApp Business Platform data strictly for the purposes described above. We do not use End User data for advertising, profiling, or any purpose unrelated to providing the messaging service.

5. Data Sharing

We do not sell personal data. Data may be shared with the following third-party processors:

• Meta (WhatsApp): messages are transmitted via the WhatsApp Business API.
• Third-party AI providers: we use third-party AI APIs to power the customer-facing Chat Agent, the silent Signal Capture pass on human-replied chats, the merchant-facing Copilot (including its voice mode), Ads suggestions (campaign name and creative copy), and image generation. The current provider is OpenAI; we may add or substitute additional providers (e.g. Anthropic) in the future. If we change the set of providers we use, we will update this policy and re-prompt for consent in-app before routing data to the new provider.
  
  The following categories of data are transmitted to the AI provider strictly to generate the requested response:
  • The text of messages being processed (End User WhatsApp messages, or the Business Customer's prompt to Copilot, or a text prompt for image generation).
  • Relevant conversation history needed for the model to produce a coherent reply.
  • Business context the assistant needs to answer (e.g. the Business Customer's catalog, hours, pricing, the customer thread the merchant is viewing, lead status, and the merchant-authored notes document used to tune the Chat Agent — most of which is information already publicly available about the business).
  • When voice mode is enabled in the merchant-facing Copilot, the microphone audio captured during an active voice session is streamed to the provider's realtime API for transcription and reply generation. Audio is not captured outside of an active voice session.
  End User phone numbers, display names, and other contact identifiers are not transmitted to the AI provider, except where they appear inside message text being processed (e.g. a customer typing their own number into a chat). Before any data is sent to the AI provider, the Business Customer is shown an in-app consent dialog that names the current provider, lists what is sent, and must be explicitly accepted. Consent can be withdrawn by reinstalling the app or by contacting us.
  
  The AI provider processes this data as our sub-processor under their API Data Processing Addendum. Per the providers' API terms in effect as of the "Last updated" date above, data submitted via the API is not used to train the providers' models and is retained only for the period needed to provide the service and for limited abuse-monitoring purposes. We have confirmed that each AI provider we use provides protection for this data substantially equivalent to that described in this policy.
• Infrastructure providers: Google Cloud Platform (US/EU regions) hosts our servers and databases.

6. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States, where our sub-processors (our AI provider and Google Cloud) operate. We rely on appropriate safeguards such as Standard Contractual Clauses and processor data protection agreements to protect data in transit.

7. Data Retention

• Conversation messages and media: retained for up to 12 months from the date of the last message in the conversation, or until the Business Customer deletes the conversation, whichever is sooner.
• Business Customer account data: retained for as long as the account is active.
• Upon account deletion: all associated data (account, conversations, media, onboarding tokens) is permanently removed within 30 days.

8. Your Rights

Depending on your jurisdiction, you may have the right to access, correct, delete, or port your personal data, or to object to or restrict certain processing. To exercise any of these rights, contact us or see our Data Deletion page for the deletion request process. We will respond within 30 days.

9. Children's Data

Our service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will delete it promptly.

10. Cookies

The web application uses only essential session cookies for authentication. No tracking or advertising cookies are used.

11. Security

All data is transmitted over TLS. Passwords are hashed with bcrypt. Database access is restricted to authenticated services inside our private network. Access tokens received during Embedded Signup are stored encrypted and scoped to the minimum required permissions.

12. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email to registered Business Customers. Continued use of the platform after changes constitutes acceptance of the updated policy.

13. Contact

Questions about this policy? Contact us at privacy@esek.io.