1. Introduction
WaQtor ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our SaaS platform at https://waqtor.app and https://app.waqtor.app ("Service").
WaQtor is a product owned and operated by DXBMark Ltd, a company registered in London, United Kingdom.
This Policy applies to: visitors to our marketing website, registered users and team members of the WaQtor application, and contacts whose data is managed by our customers (see Section 9).
By accessing our Service or creating an account, you accept the practices described in this Policy.
2. Data Controller
For personal data you provide directly to us (registration, billing, account settings), WaQtor acts as the Data Controller under GDPR Article 4(7).
For personal data about WhatsApp contacts that our customers upload through the platform, WaQtor acts as a Data Processor on behalf of the customer. See Section 9.
3. Data We Collect
3.1 Account Registration Data
First name, last name, email address, company name, country and phone number, password (stored as one-way bcrypt hash — never in plain text), account creation timestamp and IP address.
3.2 Profile Data
Profile avatar image (up to 2 MB), display name and role within your workspace.
3.3 Billing and Payment Data
Subscription plan, billing cycle, invoice history; payment method type (brand, last 4 digits) — stored by Stripe, not WaQtor; billing address and tax information.
3.4 Usage and Activity Data
Actions performed within the platform (audit log); login times, IP addresses, and browser/device information; feature usage patterns (for product improvement); API request logs (retained for 90 days).
3.5 Customer Data (tenant-managed)
Contact lists (names, phone numbers, custom attributes); outbound campaign messages and Messages History (see note below); media files (images, PDFs) attached to messages and campaigns; campaign and automation flow configurations; WhatsApp instance connection data.
Note: 'Messages History' refers exclusively to marketing and campaign messages sent by you to your contacts, stored solely to allow you to review your sent communications and verify message delivery receipts. WaQtor does not access, read, or analyse the content of your messages. Incoming messages from contacts' WhatsApp accounts are processed in real-time for delivery routing and are not retained. WaQtor does not inspect or store data from connected WhatsApp Instances beyond what is strictly required to maintain the API connection, which is encrypted per tenant.
3.6 Technical Data (automatically collected)
IP address and approximate location (country/city level); browser type, version, and operating system; referring URL and pages visited on our marketing site; cookies and similar tracking technologies (see our Cookie Policy).
3.7 Cookie Consent Records
Whether analytics and marketing cookies were accepted or declined; timestamp of consent decision; policy version in effect at time of consent; IP address and user agent (authenticated users only).
4. How We Use Your Data
We process your personal data for the following purposes and on the following legal bases:
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Providing and operating the Service | Contract (6(1)(b)) |
| Account creation and authentication | Contract (6(1)(b)) |
| Billing and subscription management | Contract (6(1)(b)) |
| Transactional emails | Contract (6(1)(b)) |
| Security monitoring and fraud prevention | Legitimate interest (6(1)(f)) |
| Maintaining audit logs | Legal obligation / LI (6(1)(c/f)) |
| Product analytics and improvement | Legitimate interest (6(1)(f)) |
| Marketing emails and product updates | Consent (6(1)(a)) — opt-out any time |
| Complying with legal obligations | Legal obligation (6(1)(c)) |
5. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 30 days after deletion |
| Message history | Trial: 30d / Starter: 90d / Pro: 180d / Enterprise: 365d |
| Media assets | Trial: 7d / Starter: 30d / Pro: 90d / Enterprise: 180d |
| Audit logs | 365 days (platform-configurable, min 90 days) |
| Billing records | 7 years (tax/legal compliance) |
| Cookie consent records | 3 years from consent date |
| Server access logs | 90 days |
| Terminated accounts | Customer Data deleted within 30 days of termination |
6. Data Sharing and Disclosure
We do not sell, rent, or monetize personal data in any form.
6.1 Subprocessors
| Subprocessor | Purpose | Data shared |
|---|---|---|
| Stripe | Payment processing | Name, email, billing address |
| Cloudflare | CDN, DDoS protection | IP addresses, request headers |
| Evolution API / WhatsApp | Message delivery | Phone numbers, message content |
| OpenRouter | AI processing (message generation) | Text inputs provided by users (message content) |
| Configured SMTP Providers | Transactional email delivery | Email address, delivery metadata, and message template payload |
- 6.2 Legal Requirements: We may disclose your data if required by law, court order, or governmental authority.
- 6.3 Business Transfers: In the event of a merger or acquisition, you will be notified at least 30 days before any transfer with the option to delete your account.
- 6.4 Aggregate Data: We may share aggregated, anonymized data that does not identify individuals.
- 6.5 Subprocessor Locations: Subprocessors may process data in multiple jurisdictions depending on their infrastructure.
- 6.6 AI Provider Scope: AI providers (such as OpenRouter) are used only when AI features are actively used by the customer. Such processing is limited to user-provided inputs and is not used for model training.
- 6.7 Configured SMTP Providers: Configured email delivery providers (SMTP-based) used for transactional emails such as account notifications, billing communications, and security alerts. These providers are configured and controlled by WaQtor and process only the minimum data required to deliver such communications.
- 6.8 Evolution API Integration: WaQtor integrates with the Evolution API, a multi-provider WhatsApp integration layer that supports both WhatsApp Web-based connectivity and official WhatsApp Business API integrations. Depending on configuration, message delivery may involve interaction with third-party platforms such as Meta (WhatsApp). Such platforms may process message data in accordance with their own policies.
7. Data Security
- Data Encryption: Data is protected using strong encryption mechanisms, including encryption in transit and encryption of sensitive credentials and secrets. Additional access controls and tenant isolation mechanisms are applied at the application and database level.
- Encryption in transit: TLS 1.2+
- Encryption at rest: AES-256 — database and backup storage
- Row-Level Security: Database isolation between tenants at PostgreSQL level
- Role-Based Access Control (RBAC): With JWT authentication
- Audit logging: All sensitive operations logged with user, IP, and timestamp
- Password hashing: bcrypt (exceeds OWASP recommendations)
- WhatsApp Instance data: Connection credentials for WhatsApp Instances are encrypted and stored in isolated per-tenant storage. WaQtor staff cannot access these credentials under normal operational circumstances.
8. Your Rights (GDPR)
| Right | How to exercise |
|---|---|
| Access — obtain a copy of your personal data | Email info@waqtor.app |
| Rectification — correct inaccurate data | Account Settings or email us |
| Erasure ("right to be forgotten") | info@waqtor.app or delete account |
| Restriction — restrict processing | Email info@waqtor.app |
| Portability — machine-readable data export | Email info@waqtor.app |
| Objection — object to legitimate interest | Email info@waqtor.app |
| Withdraw consent (consent-based only) | Unsubscribe link or email us |
| Complaint — lodge with supervisory authority | Contact your national DPA |
9. Data Controller / Processor Distinction
Tenant Responsibilities
Tenants are responsible for: obtaining lawful consent from contacts before adding them to WaQtor; complying with WhatsApp opt-in requirements and anti-spam laws; providing their contacts with a valid Privacy Notice. A Data Processing Agreement (DPA) is available at https://waqtor.app/en/legal/dpa and forms part of the agreement between WaQtor and the customer.
When tenants use WaQtor to manage contacts and send messages:
- Tenant (Customer) = Data Controller: determines purposes and means of processing.
- WaQtor = Data Processor: processes data only as instructed to provide the Service.
- Legal basis (processor side): As a data processor, WaQtor processes Customer Data only on documented instructions from the customer.
10. International Data Transfers
WaQtor operates within private cloud infrastructure. Where personal data is transferred outside the EEA, we implement Standard Contractual Clauses (SCCs) and additional technical safeguards such as encryption and access controls.
11. Children's Privacy
The Service is not directed at individuals under 18. If you believe a child has provided personal data, contact info@waqtor.app and we will promptly delete it.
12. Third-Party Links
Our Platform may contain links to third-party websites. This Privacy Policy does not apply to those external sites.
13. Cookies
We use cookies as described in our Cookie Policy. You can manage preferences using the cookie consent banner or your browser settings.
| Category | Purpose | Can be declined? |
|---|---|---|
| Necessary | Authentication, security, session management | No |
| Analytics | Usage patterns (data may be anonymized or pseudonymized where possible) | Yes |
| Marketing | Personalised content and retargeting (if applicable to your account) | Yes |
14. Consent Management
14.1 Cookie Consent
A banner is presented on your first visit. Your preferences are stored in your browser and, for registered users, on our server for GDPR audit proof.
14.2 Implied Consent at Account Creation
By creating a WaQtor account, you confirm you have read and accepted these Terms and this Privacy Policy.
14.3 Marketing Consent
You may withdraw marketing consent at any time using the unsubscribe link in any email or by emailing info@waqtor.app.
15. Automated Decision-Making
WaQtor does not make automated decisions that produce legal or similarly significant effects on individuals. AI features require human review before sending.
WaQtor's AI-assisted composition features operate only on content you actively provide in the message editor. The AI does NOT read, scan, or process your Messages History, incoming messages from contacts, or any WhatsApp Instance data. AI suggestions are generated based solely on your real-time input and require your explicit approval before any message is sent.
WaQtor does not use customer data, message content, or any user-generated information to train or improve artificial intelligence models. AI-powered features operate through third-party providers under strict data protection controls. Inputs are processed solely for real-time functionality and are not stored or reused beyond the scope of the requested operation.
16. GDPR & Legal Basis for Retention
WaQtor is committed to compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable data protection laws.
Purpose limitation (Article 5(1)(e)): Each data category is retained only for the period necessary for its stated purpose:
- Audit logs → security monitoring and annual billing dispute resolution (max 365 days)
- Message content → service delivery and user access (max 30–365 days by plan)
- Billing records → legal financial obligation (7 years)
Minimum 90-day audit floor: A 90-day minimum retention for security logs is maintained to preserve evidence for ongoing legal proceedings or active disputes, consistent with Article 17(3)(e) GDPR.
Your rights: You may request access, rectification, or erasure of your personal data at any time by contacting info@waqtor.app. Erasure requests are fulfilled within 30 days, subject to legal retention obligations.
Data transfers: Data is processed and stored within infrastructure subject to standard contractual clauses where applicable.
17. Changes to This Policy
We will notify you of material changes by email (at least 30 days before they take effect) and via an in-app notice.
18. Contact Us
| Inquiry type | Contact |
|---|---|
| General inquiries / Privacy / GDPR rights | info@waqtor.app |
| Billing & Subscriptions | billing@waqtor.app |
| Technical Support & Complaints | support@waqtor.app |
| Enterprise & Sales | sales@waqtor.app |
| Website | https://waqtor.app |