Privacy Policy

Introduction

This Privacy Policy describes how CipherHQ LLC, doing business as Waaiio (“Waaiio,” “we,” “us,” or “our”), collects, uses, discloses, and protects personal information when you use our website at waaiio.com, our WhatsApp automation platform, dashboard, APIs, and related services (collectively, the “Services”).

Waaiio operates in the United States, Canada, Nigeria, Ghana, and the United Kingdom. This policy is designed to comply with the California Consumer Privacy Act (CCPA/CPRA), the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), the Nigeria Data Protection Regulation (NDPR), and the Ghana Data Protection Act, 2012 (Act 843).

By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Services.

1. Information We Collect

1.1 Business Owners (Data Controllers)

When you register for a Waaiio account, we collect:

• Full name and email address
• Phone number
• Business name, category, address, and operating country
• Payment credentials (processed by third-party payment gateways; we do not store card numbers)
• Business logo and branding assets you upload
• Subscription plan and billing history

1.2 End Customers

When customers interact with a business through Waaiio’s WhatsApp automation, we process:

• Name and phone number (provided via WhatsApp)
• Email address (when optionally provided)
• Booking, reservation, and appointment details
• Order history and preferences
• Payment transaction amounts and gateway references (no card numbers)
• WhatsApp conversation messages, timestamps, and media (images, audio) exchanged with the business
• E-signature records for contracts
• Event ticket purchase history

1.3 Website Visitors

When you visit our website, we may collect:

• IP address and approximate location (country/region)
• Browser type, operating system, and device information
• Pages visited, referral source, and session duration
• Cookie and localStorage identifiers (see our Cookie Policy)

1.4 Information Collected Automatically

• Analytics data: We use PostHog to collect anonymized usage events, page views, and feature interactions.
• Error monitoring: Sentry captures error logs, stack traces, and performance metrics. These may include request metadata but not message content.
• AI processing logs: When our AI features (powered by Anthropic Claude) process messages for intent detection or language translation, we log usage metrics (token counts, costs) but do not store the raw message content in AI provider systems beyond the processing window.

2. How We Use Your Information

We use personal information for the following purposes:

• Service delivery: Processing bookings, orders, payments, tickets, and reservations on behalf of businesses.
• WhatsApp messaging: Delivering automated and manual messages between businesses and their customers via the WhatsApp Business API.
• AI-powered features: Natural language understanding for intent detection, language translation, and smart booking (via Anthropic Claude).
• Payment processing: Facilitating transactions through Stripe, Paystack, Flutterwave, Square, and PayPal.
• Account management: Authentication, authorization, and account security.
• Communications: Sending transactional emails (booking confirmations, payment receipts, password resets) via Resend.
• Analytics and improvement: Understanding usage patterns to improve our Services (via PostHog).
• Error monitoring and debugging: Identifying and resolving technical issues (via Sentry).
• Legal compliance: Meeting our obligations under applicable laws and regulations.
• Fraud prevention: Detecting and preventing fraudulent activity, abuse, and security incidents.

3. Legal Basis for Processing (GDPR / UK GDPR / NDPR)

Where GDPR, UK GDPR, or NDPR applies, we process personal data on the following legal bases:

• Performance of a contract: Processing necessary to deliver our Services to business owners who have subscribed to a plan.
• Legitimate interests: Analytics, fraud prevention, platform security, and product improvement, where these interests are not overridden by data subject rights.
• Consent: Non-essential cookies, marketing communications, and optional data collection where we request and obtain explicit consent.
• Legal obligation: Processing required to comply with applicable laws, such as tax reporting, anti-money laundering, and responding to lawful requests from authorities.

For end customers whose data is processed through our platform, the business owner is the data controller and determines the legal basis for processing. Waaiio acts as a data processor on their behalf (see our Data Processing Agreement).

4. Who We Share Data With

We do not sell your personal information. We share data only with the following categories of service providers, each bound by data processing agreements:

We may also disclose information when required by law, to protect our rights, or in connection with a merger, acquisition, or sale of assets (with prior notice where legally required).

5. Data Retention

We retain personal data as follows:

• Account data: Retained for the duration of your account plus 30 days after deletion.
• Booking and order data: Retained for 3 years after the last transaction for business reporting and dispute resolution.
• Payment records: Retained for 7 years to comply with tax and financial reporting obligations.
• WhatsApp conversation logs: Retained for 2 years from the date of the last message, then automatically purged.
• Analytics data: Aggregated and anonymized; retained indefinitely in aggregate form.
• Error logs: Retained for 90 days.

Business owners may request earlier deletion of their data and their customers’ data by contacting us (see Section 10 below).

6. Your Rights Under the California Consumer Privacy Act (CCPA/CPRA)

If you are a California resident, you have the following rights:

• Right to know: You may request the categories and specific pieces of personal information we have collected about you, the sources of that information, the purposes for collection, and the third parties with whom we share it.
• Right to delete: You may request that we delete your personal information, subject to certain legal exceptions.
• Right to correct: You may request that we correct inaccurate personal information.
• Right to opt-out of sale or sharing: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is necessary.
• Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights.
• Right to limit use of sensitive personal information: We do not use sensitive personal information for purposes beyond what is necessary to provide our Services.

To exercise your CCPA rights, email privacy@waaiio.com or use the account deletion feature in your dashboard settings. We will verify your identity and respond within 45 days.

Right to appeal: If we deny your CCPA request in whole or in part, you have the right to appeal the decision. To submit an appeal, email privacy@waaiio.com with the subject line “CCPA Appeal” within 30 days of receiving our denial. We will review your appeal and respond within 60 days. If you are not satisfied with the outcome of the appeal, you may contact the California Attorney General’s office to file a complaint.

7. Your Rights Under GDPR, UK GDPR, and NDPR

If you are located in the European Economic Area, the United Kingdom, or Nigeria, you have the following rights:

• Right of access: Obtain a copy of your personal data and information about how it is processed.
• Right to rectification: Request correction of inaccurate or incomplete personal data.
• Right to erasure: Request deletion of your personal data (“right to be forgotten”), subject to legal retention requirements.
• Right to data portability: Receive your personal data in a structured, commonly used, machine-readable format.
• Right to object: Object to processing based on legitimate interests, including profiling.
• Right to restrict processing: Request limitation of processing in certain circumstances.
• Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
• Right to lodge a complaint: You may file a complaint with your local supervisory authority (e.g., the ICO in the UK, the NITDA in Nigeria, or the Data Protection Commission in Ghana).

To exercise these rights, contact privacy@waaiio.com. We will respond within 30 days (or as required by applicable law).

8. Ghana Data Protection Act (Act 843)

If you are located in Ghana, the Data Protection Act, 2012 (Act 843) provides you with rights similar to those described in Section 7, including the right to access, correct, and delete your personal data. Waaiio is committed to processing data in accordance with Act 843 and the regulations issued by the Data Protection Commission of Ghana.

8A. Personal Information Protection and Electronic Documents Act (PIPEDA) — Canada

If you are located in Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation provide you with the following rights:

• Right of access: You may request access to your personal information held by Waaiio, including information about how it has been used and to whom it has been disclosed.
• Right to correction: You may request correction of any inaccurate or incomplete personal information.
• Right to withdraw consent: You may withdraw your consent for the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions and reasonable notice.
• Right to challenge compliance: You may challenge our compliance with PIPEDA by contacting our Privacy Officer (see Section 16 below) or by filing a complaint with the Office of the Privacy Commissioner of Canada.

Waaiio collects, uses, and discloses personal information only for purposes that a reasonable person would consider appropriate in the circumstances, and only with meaningful consent. We limit collection to what is necessary for the identified purposes and retain personal information only as long as necessary to fulfill those purposes.

To exercise your rights under PIPEDA, contact privacy@waaiio.com. We will respond within 30 days.

9. International Data Transfers

Our primary infrastructure is hosted in the United States. Personal data collected from users in the EEA, UK, Nigeria, Ghana, and Canada may be transferred to and processed in the United States and other jurisdictions where our service providers operate. We protect these transfers using:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• UK International Data Transfer Agreement (IDTA) for UK-originating transfers
• EU-US Data Privacy Framework certification (where applicable)
• Contractual protections with all sub-processors requiring equivalent safeguards

10. How to Exercise Your Rights

You can exercise your privacy rights through the following methods:

• Self-service: Use the account deletion feature in your dashboard under Settings > Account to delete your account and all associated data.
• Email: Send a request to privacy@waaiio.com with your name, email address, and the specific right you wish to exercise.
• Authorized agent: You may designate an authorized agent to submit a request on your behalf. We may require verification of the agent’s authority.

We will verify your identity before processing any request and respond within the timeframes required by applicable law (typically 30 to 45 days).

11. Children’s Privacy

Our Services are not directed to individuals under the age of 13 (or 16 in the EEA/UK). We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child without appropriate parental consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact privacy@waaiio.com.

12. Data Security

We implement industry-standard technical and organizational measures to protect personal data, including:

• Encryption in transit (TLS 1.2+) and at rest (AES-256)
• Row-level security (RLS) policies enforcing strict data isolation between businesses
• Bcrypt password hashing via Supabase Auth
• HMAC signature verification on all payment gateway webhooks
• Rate limiting on API endpoints
• CSRF protection via origin header validation
• Regular access reviews and least-privilege access controls
• Automated vulnerability scanning and dependency updates

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

13. Cookies and Tracking Technologies

We use cookies and similar technologies as described in our Cookie Policy. Non-essential cookies are only set after you provide explicit consent via our cookie banner. You can manage your preferences at any time through the “Your Privacy Choices” link in our footer.

14. Do Not Track Signals

Our Services do not currently respond to “Do Not Track” (DNT) browser signals, as there is no industry-standard protocol for DNT. However, we honor cookie consent preferences as described in our Cookie Policy and support the Global Privacy Control (GPC) signal where technically feasible.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by updating the “Last updated” date at the top of this page and, where appropriate, by email or in-app notification. Your continued use of our Services after the effective date of any changes constitutes your acceptance of the updated policy.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• Privacy inquiries: privacy@waaiio.com
• Data Protection Officer: dpo@waaiio.com
• Legal inquiries: legal@waaiio.com
• Company: CipherHQ LLC (d/b/a Waaiio)
• Mailing address: CipherHQ LLC, 2986 Brubeck Ter, Ijamsville, MD 21754, United States