Privacy Policy

1. Who We Are

esek.io ("we", "our", "us") operates a business messaging platform that connects service providers ("Business Customers") with their customers ("End Users") via the WhatsApp Business Platform. We act as a Technology Provider under the Meta Business Platform and process data on behalf of our Business Customers in accordance with Meta's Platform Terms and Business Messaging guidelines. This policy explains how we collect, use, and protect personal data.

2. Data We Collect

We collect data from two audiences: Business Customers who register to use our platform, and End Users who communicate with those businesses via WhatsApp.

From Business Customers

• Account data: name, email address, and password hash of registered agents.
• Onboarding data: when a business connects via Meta Embedded Signup, we receive the WhatsApp Business Account ID, phone number ID, business verification status, and a scoped access token. We store only what is necessary to operate the integration.
• Usage data: log entries and error traces generated during normal operation.

From End Users (via WhatsApp conversations)

• Conversation data: WhatsApp phone number, display name, and messages exchanged through the platform.
• Media files: images, videos, documents, and audio messages sent or received via WhatsApp.

Optional device permissions

• Microphone (mobile apps): our iOS and Android apps may request microphone access only when you choose to record a voice message in chat; audio is sent like other messages and is not recorded in the background.

3. Legal Basis for Processing

• Contractual necessity: processing Business Customer data is required to provide the platform service under our terms.
• Legitimate interest: processing End User conversation data is necessary for Business Customers to communicate with their customers and for us to maintain platform reliability.
• Consent: where required by applicable law (e.g. optional microphone access), we rely on your explicit consent, which you may withdraw at any time.

4. How We Use Data

• To provide the messaging and booking service to connected businesses.
• To enable AI-assisted replies and booking confirmations.
• To send transactional email notifications (e.g. new conversation alerts).
• To improve platform reliability and diagnose technical issues.

We use WhatsApp Business Platform data strictly for the purposes described above. We do not use End User data for advertising, profiling, or any purpose unrelated to providing the messaging service.

5. Data Sharing

We do not sell personal data. Data may be shared with the following third-party processors:

• Meta (WhatsApp): messages are transmitted via the WhatsApp Business API.
• OpenAI: conversation context is sent to OpenAI's API solely for generating automated replies. No End User phone numbers are included in AI requests unless required by the conversation context.
• Infrastructure providers: Google Cloud Platform (US/EU regions) hosts our servers and databases.

6. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States, where our sub-processors (OpenAI, Google Cloud) operate. We rely on appropriate safeguards such as Standard Contractual Clauses and processor data protection agreements to protect data in transit.

7. Data Retention

• Conversation messages and media: retained for up to 12 months from the date of the last message in the conversation, or until the Business Customer deletes the conversation, whichever is sooner.
• Business Customer account data: retained for as long as the account is active.
• Upon account deletion: all associated data (account, conversations, media, onboarding tokens) is permanently removed within 30 days.

8. Your Rights

Depending on your jurisdiction, you may have the right to access, correct, delete, or port your personal data, or to object to or restrict certain processing. To exercise any of these rights, contact us or see our Data Deletion page for the deletion request process. We will respond within 30 days.

9. Children's Data

Our service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will delete it promptly.

10. Cookies

The web application uses only essential session cookies for authentication. No tracking or advertising cookies are used.

11. Security

All data is transmitted over TLS. Passwords are hashed with bcrypt. Database access is restricted to authenticated services inside our private network. Access tokens received during Embedded Signup are stored encrypted and scoped to the minimum required permissions.

12. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email to registered Business Customers. Continued use of the platform after changes constitutes acceptance of the updated policy.

13. Contact

Questions about this policy? Contact us at privacy@esek.io.