Everything you need to master the application service and improve our customer support, ranked number 1 in the industry.
Effective date: September 29, 2025
Applies to: The Facebook/Meta "WhatsApp Embedded Signup" flow used to connect a WhatsApp Business account (WABA) to our self‑hosted Chatwoot instance, and to any related websites, webhooks, APIs, and admin portals we provide (collectively, the Service).
If you are a business connecting your WhatsApp number to our Chatwoot helpdesk using WhatsApp Embedded Signup, this policy explains what data we access, how we use it, and your choices. Capitalized terms have the meanings given below.
Company: Karmel Plus Digital LTD
Registered address: Shufat, Jerusalem
Contact email: support@karmelplus.com
Contact phone: +972 58-630-0009
We build and operate tools that help businesses receive and reply to WhatsApp messages inside Chatwoot. We self‑host Chatwoot on our own infrastructure or on a cloud provider we control.
• Business Users (You): When you connect your WhatsApp Business Account and use our Service to communicate with your end customers, you act as the data controller for end‑customer personal data (e.g., chat content, phone numbers). We act as your data processor for that data.
• Our Website/App Visitors: For account signup, billing, support logs, telemetry, and security monitoring about you (our Business User), we act as the data controller.
• Meta / WhatsApp: Meta Platforms, Inc. (and its affiliates) provide the WhatsApp Business Platform and act as independent controllers for data they process under their own terms and policies.
• WhatsApp Business Account (WABA) IDs and metadata
• Linked phone numbers and capabilities (e.g., messaging, cloud calling if enabled by Meta)
• Message template metadata and quality status
• Business verification status and basic business profile fields
• Access tokens / system user tokens / app scopes granted during onboarding
• Conversation data: inbound/outbound messages, attachments/media, timestamps
• End‑customer identifiers: phone numbers, display names, profile photos (if provided by WhatsApp)
• Agent/teammate data: names, emails, roles, activity logs inside the helpdesk
• Operational logs: webhook deliveries, message delivery receipts, errors, and integration events
Admin account details, billing/contact details, plan usage, support interactions, audit events, and security/abuse prevention signals (e.g., IP, user‑agent, failed logins).
Sensitive data: We do not intentionally collect special categories of data. Do not use the Service to store payment card data, government ID numbers, or protected health information unless you have signed a written addendum with us permitting such use.
• To provide the Service: provision the WABA connection, sync templates, route messages into Chatwoot, send agent replies via WhatsApp APIs, and show delivery/read states.
• Security & abuse prevention: validate webhooks, detect misuse/spam, rate‑limit, and investigate incidents.
• Support & troubleshooting: review logs you share, reproduce errors, and improve reliability.
• Compliance: meet legal obligations (e.g., record‑keeping, responding to lawful requests).
• Communications: send onboarding tips, service announcements, or billing notices.
• We do not sell personal information. We do not use your end‑customer message content for advertising.
Where GDPR/UK GDPR applies, we rely on: Contract (to provide the Service to Business Users), Legitimate Interests (e.g., security, fraud prevention, improving reliability), and Consent where required (e.g., certain cookies/analytics, optional marketing).
Access tokens & onboarding artifacts: stored encrypted at rest and rotated/expired according to Meta policies and your configuration.
Conversation data: retained as long as your workspace/account is active or per your retention settings. You can request deletion earlier (see Section 11). Backups may persist for up to 30–90 days before automatic purge.
Operational logs: typically 90–365 days for security and diagnostics unless law requires longer.
We may share data with:
• Meta / WhatsApp Business Platform: to send/receive messages, sync templates and phone numbers, and process delivery events.
• Hosting/Sub‑processors: data centers and service providers we use for compute, storage, monitoring, email delivery, and error tracking. We maintain contracts and security reviews with such vendors.
• Legal & compliance: where required by law, to protect rights, safety, and prevent fraud or abuse.
• We do not allow third parties to use end‑customer message content for their own advertising or profiling.
We may process data in countries other than where you reside. Where applicable, we use legal transfer mechanisms (e.g., EU Standard Contractual Clauses) and implement technical and organizational measures to protect data during transfer and at rest.
We implement safeguards including encryption in transit (TLS) and encryption at rest for tokens and message content, access controls, network isolation for our self‑hosted Chatwoot, audit logging, and least‑privilege principles. No method of transmission or storage is 100% secure; you are responsible for securing your admin accounts, API keys, and agent access.
Depending on your location, you may have rights to access, correct, delete, restrict, or port certain personal data. Business Users are responsible for handling their end‑customers' requests; we assist as your processor. To exercise your rights for data we control (your admin/business data), contact us at support@karmelplus.com.
If you connected your WhatsApp Business account and want us to delete related data:
• Send an email to support@karmelplus.com with subject "Delete My Data – WhatsApp/Chatwoot" from your admin email.
• Include your workspace ID, WABA ID, and phone numbers to remove.
• We will confirm and delete the data associated with your account (including tokens and conversation data in our control) within 30 days, except where retention is required by law or you instruct otherwise.
For end‑customers: please contact the Business directly; we process their data on the Business's behalf.
Our Service is intended for business use and not for children. We do not knowingly collect personal information from children.
Our websites/apps may use strictly‑necessary cookies and optional analytics. Where required, we will present a consent banner. You can manage choices in your browser or device settings.
Our admin portals and documentation may contain links to third‑party sites (e.g., Meta Business settings). We are not responsible for their privacy practices.
We may update this policy from time to time. If changes are material, we will notify Business Users via email or in‑app notice. Continued use of the Service after the effective date means you accept the revised policy.
Questions or requests about this policy?
Email: support@karmelplus.com
Postal mail: Shufat, Jerusalem
• During Embedded Signup, we may request scopes required to:
  • Manage WhatsApp Business Accounts and phone numbers you select
  • Read/sync message templates
  • Send and receive messages on your behalf
  • Receive webhooks for delivery/read events and status updates
• You can review and revoke granted permissions in your Meta Business settings at any time.
We collect WABA metadata, phone numbers, templates, tokens, and message data necessary to provide WhatsApp messaging inside Chatwoot. We use it only to operate the Service, do not sell it, secure it with encryption and access controls, and honor deletion requests. See the full policy above for details.
Last updated: September 29, 2025