Privacy Policy
Last updated: 13 June 2026
This Privacy Policy describes how the operator of this deployment (“we”, “us”) collects, uses, stores, and protects information when you interact with our WhatsApp Business number that is operated using this self-hosted WhatsApp ⇄ Google Drive bridge application (the “Service”).
1. Who we are
The Service is a self-hosted application that connects a WhatsApp Business Platform (Cloud API) number with a Google Drive account that belongs to the operator of this deployment. We are the data controller for any personal information you share with us through this WhatsApp number. You can contact us at casumitahuja15@gmail.com.
2. Information we collect
When you message our WhatsApp Business number, we may receive and store:
- Your WhatsApp phone number and WhatsApp profile name (as provided by Meta's webhook).
- The name you tell the bot when prompted during intake.
- The text of messages you send to the number, and our automated replies.
- Documents and media (PDFs, images, audio, video) you choose to send to the number for storage.
- Conversation state (which step of the menu you are in) so the bot can continue the conversation correctly.
- Technical metadata such as message timestamps and message IDs supplied by Meta.
We do not ask for, and do not knowingly collect, government IDs, financial account numbers, or other special-category data unless you voluntarily send them as part of a document.
3. How we use your information
- To respond to your inquiry and route your conversation through our menu.
- To file the documents you send into a Google Drive folder owned by the operator of this deployment, under a sub-folder named after you, so we can serve you.
- To let our staff reply to you manually when you ask to speak to a person.
- To maintain the security and integrity of the Service (e.g. rate-limiting, logs).
We do not use your information for advertising, do not sell it, and do not share it with third parties for their own marketing.
4. Where your data is stored
- Messages, names, phone numbers, conversation state are stored in a private Supabase (PostgreSQL) database that we control. Row-level security is enabled and only our server-side service role can read the data.
- Documents and media you send are uploaded to a Google Drive folder owned by the operator of this deployment. They are not stored on any third-party server other than Google's.
- API tokens and credentials needed to operate the Service (WhatsApp access token, Google refresh token) are stored encrypted-at-rest in the same Supabase database.
5. Third parties involved
Operating a WhatsApp-based service necessarily involves the following processors. Each has their own privacy policy:
- Meta Platforms, Inc. — delivers WhatsApp messages and provides the Cloud API webhook. WhatsApp Privacy Policy.
- Google LLC — stores the documents you send, in Google Drive. Google Privacy Policy.
- Supabase, Inc. — hosts the database that stores conversation data. Supabase Privacy Policy.
- Vercel, Inc. — hosts the application server that receives webhooks. Vercel Privacy Policy.
6. Use of Google user data
Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Drive access is used solely to upload and organise documents received over WhatsApp into the connected Drive account; we do not transfer Google user data to others, do not use it for advertising, and do not allow humans to read it except where necessary for security or with the user's explicit consent.
7. Retention
We keep conversation records and uploaded documents for as long as the underlying client relationship is active and as long as is necessary to comply with our professional and legal obligations. You can ask us to delete your data at any time (see Section 9).
8. Security
We use industry-standard practices to protect your data: encrypted connections (HTTPS) for all transport, encryption at rest in Supabase and Google Drive, admin access gated behind a registered email plus PIN with brute-force lock-out, and role-based access keys that are never exposed to the browser.
9. Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you.
- Ask us to correct or delete it.
- Withdraw consent and stop interacting with the bot at any time.
- Lodge a complaint with your local data-protection authority.
To exercise any of these rights, email casumitahuja15@gmail.com from the phone number or email you used with us. We will respond within 30 days.
10. Children
The Service is intended for users aged 18 and over. We do not knowingly collect personal information from children. If you believe a child has sent us data, please email us and we will delete it.
11. International transfers
Because we use Google, Meta, Supabase, and Vercel, your data may be processed on servers located outside your country, including in the United States and the European Union. These providers maintain industry-standard safeguards such as Standard Contractual Clauses.
12. Changes to this policy
We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects when it was last revised. Material changes will be highlighted on this page.
13. Contact
For any privacy question or request, contact the operator of this deployment at casumitahuja15@gmail.com.