Privacy Policy

1. Corporate Identity

Chatofy is an advanced WhatsApp automation platform designed to empower businesses to streamline customer communications, build interactive workflows, and tightly integrate with Google Sheets. We process all personal information in rigorous compliance with prominent data protection regulations (including GDPR, CCPA, and DPDPA), prioritizing user control, platform transparency, and strict data security.

2. Terminology

• Platform: Encompasses all Chatofy-owned properties, including our website, application dashboard, APIs, and functional integrations.
• WhatsApp Data: User contacts, message histories, and interaction metrics processed specifically through the WhatsApp Business API.
• Google User Data: Any information retrieved via Google OAuth permissions that you explicitly authorize.
• Personal Data: Any identifiable information that can be linked directly or indirectly back to you.
• Third-Party Services: External infrastructure providers and software ecosystems we connect to (e.g., Meta/WhatsApp, Google).

3. Information We Collect

3.1 Account Credentials

• Full name and primary email address
• Contact phone number (utilized primarily for account verification)
• Corporate identity and business profile metrics (optional)
• Authentication credentials (securely hashed and encrypted)
• Custom dashboard configurations and user preferences

3.2 Financial and Billing Records

• Designated billing contact name and email
• Physical billing address and operational country
• Active subscription tier and pricing details
• Historical transaction logs and generated invoices

3.3 Platform Usage Metrics

• Connecting IP addresses and localized device profiles
• Browser classifications and underlying operating systems
• Navigational tracking (pages visited and tools leveraged)
• Session durations and access timestamps
• API call volumes and automation execution metrics

3.4 Technical Diagnostic Data

• System log files and crash diagnostic reports
• Server performance and latency metrics
• Tracking identifiers stored in temporary cookies
• Macro-level analytics (always aggregated and stripped of personal identifiers)

4. WhatsApp Business Data Processing

4.1 Connection Data

Upon linking your official WhatsApp Business profile, our system logs:

• The unique WhatsApp Business Account ID (WABA)
• The dedicated Phone Number ID
• Public Business Profile metadata (display name, physical address, business description)
• Secure access tokens required to operate the API

4.2 Communications and Contacts

Operating the API requires us to transiently process:

• Contact Profiles: Phone numbers, display names, and profile avatars.
• Payload Content: The raw text, incoming media files, and timing of individual messages.
• Conversation States: Delivery receipts, read statuses, active thread tracking, and applied custom tags.
• Custom Variables: Any user-defined database fields you attach to contact profiles.

4.3 Utilization of WhatsApp Data

We process the aforementioned data strictly to:

• Render live conversations accurately within the Chatofy dashboard.
• Trigger and execute your customized logic flows and automation sequences.
• Push or pull data from your connected Google Sheets.
• Generate accurate delivery, open, and response-rate analytics.
• Maintain a searchable archive of your business interactions.
• Feed context to AI models (if you have explicitly activated chatbot features).

4.4 Data We Cannot and Do Not Access

• End-to-end encrypted consumer messages outside the scope of the sanctioned Business API.
• Personal, non-business WhatsApp application accounts.
• Your device's underlying contact book (unless explicitly uploaded).
• Native WhatsApp payment gateway or transaction data.

4.5 Data Lifecycle for WhatsApp

• Active Accounts: Conversation histories are preserved as long as the account remains in good standing.
• Terminated Accounts: Data is completely eradicated from primary servers within 30 days of closure.
• Cold Storage: Encrypted system backups may harbor residual data for an additional 30-day cycle before being permanently overwritten.

5. Google User Data & OAuth Integrity

5.1 Approved OAuth Scopes

To facilitate our Google Sheets integration, we request specific API scopes during authorization:

• https://www.googleapis.com/auth/spreadsheets – Enables read/write access to sheet contents.
• https://www.googleapis.com/auth/drive.file – Grants access exclusively to files instantiated or opened via our application.
• https://www.googleapis.com/auth/userinfo.email – Verifies your identity.
• openid – Standardizes the authentication protocol.

5.2 Permitted Google Data Access

• The primary email address bound to the account.
• The specific names and unique IDs of your spreadsheets.
• Structural metadata (tab labels, header columns).
• The literal cell data residing within mapped rows and columns.

5.3 Operational Use of Google Data

• Securely verifying your identity during the login phase.
• Generating an interface menu of available spreadsheets for linking.
• Scanning sheets to locate targeted rows for automated updates.
• Writing incoming WhatsApp messages or extracted variables back into your sheets.
• Ensuring consistent bidirectional synchronization.

5.4 Restricted Google Data

We are technologically and policy-bound from accessing:

• Your Gmail inbox, drafts, or sent correspondence.
• Unrelated Google Drive media (PDFs, images, independent docs).
• Google Calendar appointments, raw Contacts lists, or Google Photos.
• Any spreadsheet you haven't explicitly linked to a Chatofy automation.

5.5 Token Handling

• Live access tokens expire quickly (typically 1 hour) and are seamlessly refreshed.
• Long-lived refresh tokens are heavily encrypted at rest.
• Token transit is strictly bound to HTTPS/TLS tunnels.
• All tokens are cryptographically shredded within 24 hours if you sever the integration.

5.6 Revoking Access

You wield ultimate control over this connection. You may sever our access instantly via:

• The Chatofy Dashboard: Navigate to Settings → Integrations → Disconnect Google.
• Google's Native Security Hub: Navigate to your Google Account's Third-Party Permissions panel.

6. Core Purposes of Data Processing

6.1 Primary Utility

• Service Delivery: Empowering WhatsApp message routing and Google Sheets synchronization.
• Account Maintenance: Validating logins, processing subscription renewals, and dispatching critical system alerts.
• Support Operations: Diagnosing user errors, answering technical queries, and delivering customer service.
• Platform Evolution: Auditing aggregate behavior to patch software bugs and engineer superior features.
• Security Assurance: Quarantining abusive actors, mitigating fraudulent signups, and repelling cyber threats.
• Regulatory Fulfillment: Adhering to regional tax codes, honoring legal subpoenas, and enforcing our terms of service.

6.2 Optional Marketing

Subject to your explicit consent, we may occasionally dispatch:

• Major feature announcements and platform updates.
• Best-practice guides and automation tutorials.
• Targeted promotional discounts (which feature an immediate, one-click unsubscribe mechanism).

6.3 Absolute Data Restrictions

Under no circumstances will we:

• Auction, lease, or broker your personal information to external data markets.
• Repurpose your private WhatsApp dialogues for ad-targeting algorithms.
• Expose your Google Sheets data to marketing networks.
• Scrape your private chat logs to train foundational AI models (unless you purposefully engage a specific AI-agent feature).
• Snoop into your data for reasons disconnected from core platform functionality.

7. Information Sharing Framework

7.1 Essential Sub-Processors

To keep the platform operational, we share necessary data fragments with vetted infrastructure partners, including:

• Enterprise cloud hosting environments (e.g., AWS, GCP).
• Transactional email delivery gateways.
• Aggregated, cookie-less analytics trackers.
• Ticketing systems for customer support.

All utilized sub-processors operate under rigid Data Processing Agreements (DPAs) that legally forbid them from exploiting your data.

7.2 External Service APIs

• Meta Platforms: Phone numbers and message payloads must physically traverse Meta's servers to reach end-users.
• Google Infrastructure: Authentication tokens and cell data must communicate with Google's servers to modify your spreadsheets.
• LLM Providers: If utilizing our AI auto-responder features, specific chat prompts may be processed by entities like OpenAI.

7.3 Mandatory Legal Disclosures

We will unseal and surrender data if legally compelled to:

• Obey binding court orders, warrants, or subpoenas.
• Defend our intellectual property or physical infrastructure.
• Aid in the investigation of profound fraud or cyber-terrorism.
• Protect the physical safety of any individual.

7.4 Corporate Reorganization

In the event Chatofy is acquired, merges with another entity, or declares bankruptcy, your data databases will likely transfer to the new controlling entity. Users will be formally alerted via email prior to any such structural handover.

8. Data Security Blueprint

8.1 Our Protective Protocols

• Cryptography: TLS 1.3 for data actively moving across the internet; AES-256 for data anchored in our databases.
• Access Hierarchy: Strict role-based permissioning—our engineers cannot access your data without documented clearance and a valid support reason.
• Network Fortification: Enterprise firewalls, proactive DDoS mitigation, and continuous vulnerability patching.
• Surveillance: 24/7 anomaly detection, massive audit logging, and automated breach alerts.
• Structural Isolation: Multi-tenant database design ensuring one client's data never leaks into another's interface.

8.2 User-Side Security

Platform security is a shared responsibility. You are obligated to:

• Utilize complex, unpredictable passwords.
• Activate Two-Factor Authentication (2FA) if available.
• Never broadcast or share your login credentials with unverified staff.
• Ensure you properly terminate sessions on shared computers.
• Immediately alert us if you suspect your account has been compromised.

8.3 Absolute Disclaimer of Invulnerability

Despite our aggressive security posture, the internet is fundamentally imperfect. We cannot philosophically or legally guarantee that determined state-level actors or novel zero-day exploits will never breach our defenses. Using cloud-based software means accepting these inherent, baseline risks.

9. Data Lifecycle and Retention

Note: Upon the expiration of these timelines, data is either securely fragmented into oblivion or irreversibly anonymized for macro-analytics.

10. Global Privacy Rights

10.1 Statutory Entitlements

Depending on your geographic jurisdiction (such as regions governed by GDPR or CCPA), you are likely entitled to the following liberties:

• The Right to Access: You may demand a complete dossier of the personal data we hold concerning you.
• The Right to Rectification: You may demand we fix glaring errors in your profile.
• The Right to Erasure: You may invoke the "Right to be Forgotten" to have your non-essential data wiped.
• The Right to Portability: You may request your core data be exported into a universally readable format (like CSV or JSON).
• The Right to Restriction: You may pause our ability to process your data while a dispute is ongoing.
• The Right to Withdraw Consent: You may retract permission for optional data usage (like marketing) instantly.

10.2 Exercising These Rights

To invoke any of these legal mechanisms, you can:

• Utilize the self-service deletion and export tools housed inside the Chatofy Dashboard.
• Email our compliance officer directly at contact@chatofy.com.

We are legally obligated to process valid requests within a 30-day window. If identity verification proves complex, we may extend this window slightly, but you will be notified.

11. Cross-Border Data Traversals

Operating a global SaaS platform requires data to occasionally cross international borders. Our primary routing hubs include:

• The United States (Core cloud processing and WhatsApp API nodes).
• The European Union (Specific Google Cloud data centers).
• Singapore (Failover and Asian routing infrastructure).

When data is exported internationally, we enforce legal frameworks such as Standard Contractual Clauses (SCCs) and rely on adequacy decisions drafted by major data protection authorities to ensure your privacy travels safely with your data.

12. Protections for Minors

Chatofy is engineered exclusively for B2B commercial environments. We deliberately do not target or market to anyone under the age of 18. We do not intentionally harvest data from minors. If you discover a minor has bypassed our age filters, please alert us immediately so we can execute a complete data purge.

13. The Zero-Sale Guarantee

14. Policy Modifications

As our feature set expands, this document will inevitably evolve. If we execute substantial changes to our data handling practices, we will:

• Revise the "Last Updated" timestamp at the top of this document.
• Broadcast an email blast summarizing the changes to all active administrators.
• Pin a temporary notification banner to the top of your dashboard.

15. Contact Directory

If you need to escalate a privacy concern or formally request a data export, reach out to our dedicated teams:

• Privacy Office: contact@chatofy.com
• Primary Domain: www.chatofy.com

To expedite your request, please email us from the address registered to your Chatofy account and specify your exact requirements.