WhatACRM ("we", "our", or "us") operates the whatacrm.cloud platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.
Summary: We collect only what's necessary to provide our CRM service. We never sell your data, we encrypt it in transit and at rest, and you can delete your account and data at any time.
1. Information We Collect
1.1 Account Information
When you sign up for WhatACRM, we collect:
- Name and email address — for account identification and communication
- Password — stored as a one-way cryptographic hash (bcrypt); we never store your plaintext password
- Organization name — to set up your team workspace
- WhatsApp phone number — to establish and manage your WhatsApp Web session
1.2 Usage Data
We automatically collect:
- IP address and approximate geolocation (country level, for regional pricing and analytics)
- Browser type, device information, and operating system
- Pages visited, features used, and session duration
- Error logs and performance metrics
1.3 WhatsApp & Messaging Data
When you connect your WhatsApp account through our platform:
- Messages — sent and received messages are stored in your account to provide CRM functionality (conversation history, search, and contact management)
- Contacts — phone numbers and contact names from your WhatsApp interactions
- Media files — images, documents, and other media exchanged through messages
- Group information — group names, membership, and associated messages
1.4 Payment Information
Payment processing is handled entirely by Stripe. We do not store credit card numbers, CVVs, or full payment card details on our servers. We only retain:
- Stripe customer ID and subscription ID
- Billing email and country
- Last 4 digits of your card (for display purposes)
- Transaction history and invoice records
2. How We Use Your Information
We use the information we collect to:
- Provide the Service — manage your WhatsApp CRM, deliver messages, organize contacts, run campaigns, and provide automation features
- Manage your account — authentication, authorization, team management, and subscription billing
- Improve the Service — analyze usage patterns, fix bugs, and develop new features
- Communicate with you — send service notifications, billing alerts, security warnings, and product updates
- Ensure security — detect fraud, prevent abuse, enforce rate limits, and protect against unauthorized access
- Comply with law — respond to legal processes and enforce our Terms of Service
3. WhatsApp Data & Messaging
Important: WhatACRM is an independent CRM tool. We are not affiliated with, endorsed by, or partnered with WhatsApp or Meta Platforms, Inc. We use the WhatsApp Web interface to facilitate your messaging.
3.1 How WhatsApp Data Is Processed
Your WhatsApp session runs through our servers to enable multi-device CRM access. This means:
- Messages pass through our server infrastructure to provide features like scheduling, auto-reply, campaigns, and logging
- We store message content in your account database to enable search, conversation history, and CRM contact management
- Media files (images, documents) are stored on our servers for the duration of your subscription
3.2 What We Do NOT Do
- We do not read, analyze, or use your message content for advertising purposes
- We do not share your WhatsApp messages with third parties
- We do not use your contact lists for marketing to those contacts
- We do not train AI models on your private messages
3.3 AI Features
If you use our AI tools (AI-powered replies, chatbot, translation), your message content is sent to third-party AI providers (e.g., OpenAI) to process the request. These AI providers have their own privacy policies and do not retain your data for model training when accessed via API.
4. Data Storage & Security
We take the security of your data seriously and implement the following measures:
- Encryption in transit — all data transmitted between your browser and our servers is encrypted using TLS 1.2+
- Password security — user passwords are hashed using bcrypt with salt
- Session security — sessions are secured with HTTP-only cookies, CSRF tokens, and automatic timeouts
- Access control — role-based access control (admin/agent) limits who can access organization settings and user management
- Infrastructure — our servers are hosted in data centers with physical security, firewalls, and regular security updates
- Database — access to the database is restricted to application servers only, with no public internet exposure
5. Data Sharing & Third Parties
We do not sell your personal information. We share data only with the following categories of third parties, and only as necessary to provide the Service:
5.1 Service Providers
- Stripe — payment processing (Stripe Privacy Policy)
- OpenAI — AI-powered features, only when you use them (OpenAI Privacy Policy)
- SMTP/Email providers — for sending system emails (account verification, password resets)
5.2 Legal Requirements
We may disclose your information if required by law, court order, or government regulation, or if we believe disclosure is necessary to protect the rights, property, or safety of WhatACRM, our users, or the public.
5.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, user data may be transferred as part of that transaction. You will be notified via email and/or a prominent notice on our website of any such change.
6. Cookies & Tracking
We use cookies and similar technologies. For full details, please see our Cookie Policy.
In brief:
- Essential cookies — session management, authentication, CSRF protection (required)
- Functional cookies — user preferences, language/timezone settings
- Analytics — aggregated usage statistics to improve the Service
We do not use advertising cookies or third-party ad trackers.
7. Data Retention
- Active accounts — data is retained for the duration of your subscription
- Cancelled accounts — your data is retained for 30 days after cancellation to allow for reactivation, then permanently deleted
- Message history — stored as long as your account is active; deleted when you delete your account
- Server logs — retained for up to 90 days for security and debugging purposes
- Billing records — retained for up to 7 years as required by tax and financial regulations
You may request early deletion of your data at any time by contacting us.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you
- Correction — request correction of inaccurate or incomplete data
- Deletion — request deletion of your personal data ("right to be forgotten")
- Portability — request your data in a structured, machine-readable format
- Restriction — request that we limit processing of your data
- Objection — object to processing of your data for certain purposes
- Withdraw consent — where processing is based on consent, you may withdraw it at any time
To exercise these rights, contact us at highpasstech@gmail.com. We will respond within 30 days.
9. International Data Transfers
Your data may be processed on servers located outside your country of residence. We apply appropriate safeguards to ensure your data is protected in accordance with this Privacy Policy, regardless of where it is processed.
10. Children's Privacy
Our Service is not intended for individuals under the age of 16. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 16, we will take steps to delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Effective Date" at the top of this page and, for material changes, notify you via email or a prominent notice on our website.
Your continued use of the Service after changes constitutes acceptance of the updated policy.
If you have questions about this Privacy Policy or our data practices, please contact us: