Legal

Privacy Policy

Last updated: 6 July 2026

1. Who we are

WACRS ("we", "us") provides a customer-relationship and messaging platform built on the official WhatsApp Business (Cloud) API, available at wacrs.com. For account data, WACRS is the data controller. For the contacts and conversations our customers manage inside their workspaces, the customer is the controller and WACRS acts as a processor on their instructions.

2. Data we collect

From account holders

  • Account details: name, email address, password (hashed), workspace name.
  • Billing details processed by our payment provider (we never store card numbers).
  • WhatsApp Business API credentials you connect (access tokens and app secrets are stored encrypted with AES-256-GCM and used only server-side).
  • Usage and diagnostic logs needed to operate and secure the service.

Processed on behalf of account holders

  • Contacts (names, phone numbers, emails, tags, custom fields) uploaded or captured via inbound messages.
  • Message content and delivery metadata exchanged through the connected WhatsApp number, including media.
  • Campaign, automation and satisfaction-survey activity relating to those contacts.

3. How we use data

  • To provide the service: routing messages, storing conversations, running campaigns and automations you configure.
  • To secure the service: authentication, webhook signature verification, rate limiting, audit logging of administrative actions.
  • To communicate with you: transactional email such as welcome messages and team invitations.
  • To improve the service using aggregated, non-identifying usage statistics.

We do not sell personal data. We do not use your customers' message content for advertising or to train AI models.

4. Sub-processors

We rely on a small set of infrastructure providers to run WACRS:

  • Supabase — database, authentication and file storage.
  • Meta Platforms (WhatsApp Business API) — message transmission. Message content necessarily passes through WhatsApp.
  • Razorpay — subscription payments.
  • Resend — transactional email.
  • Anthropic — optional AI features (template drafting); only the prompts you submit to the AI tools are sent, never your inbox.
  • Hosting providers for our application servers.

5. Opt-outs and end-customer rights

Recipients can reply STOP to any number managed through WACRS; the platform records the opt-out and automatically excludes them from campaigns and sequences until they reply START. End customers may also exercise privacy rights (access, correction, deletion) with the business messaging them; we support our customers in fulfilling such requests.

6. Retention and deletion

Workspace data is retained while the account is active. When an account is deleted, its contacts, conversations, campaigns and settings are deleted from the production database; residual copies in encrypted backups expire on the backup rotation schedule. You may request deletion at any time via the contact below.

7. Security

  • Encryption in transit (TLS) everywhere; sensitive credentials encrypted at rest (AES-256-GCM).
  • Row-level tenant isolation — each workspace's data is inaccessible to any other workspace.
  • Webhook payloads verified with HMAC signatures; administrative actions recorded in an audit log.
  • Role-based access (owner / admin / agent / viewer) inside each workspace.

8. Cookies & analytics

The app uses strictly necessary cookies for authentication sessions. The marketing site may load analytics (e.g. Google Analytics, Meta Pixel) configured by the platform operator; these can be identified in your browser's developer tools and controlled via standard cookie/browser settings.

9. Children

WACRS is a business tool and not directed at children under 18. We do not knowingly collect children's data.

10. Changes & contact

We'll post updates to this policy on this page with a new "last updated" date. Questions or requests: [email protected].