Privacy Policy

1. Overview

We collect and process WhatsApp messages and message attachments (media) that you send to our connected WhatsApp Business account in order to provide the service: storing, indexing, search, and user access. This policy explains what data we collect, why we collect it, how we use it, with whom we share it, how long we retain it, and how you can request deletion or changes. See “Your Rights” below for request instructions.

2. Data we collect

a. Data we receive from WhatsApp webhooks (pushed by Meta)

• Message contents: text you send to the business.
• Media metadata: media ID, mime-type, filename, size. (Webhooks provide media IDs, not direct download URLs.)
• Sender: phone number and WhatsApp profile name (if provided by WhatsApp).
• Timestamps & delivery/read info: message IDs, timestamps, delivery/read receipts where available.

b. Data we obtain via Graph API calls

When processing media we call the WhatsApp Graph API to obtain a temporary download URL and then fetch the file from that URL (lookaside.whatsapp.net). The Graph API call (for example GET /{MEDIA_ID}) is recorded as an API call and logged for operational reasons. Note: actually downloading the lookaside URL via HTTPS is not itself a Graph API call.

c. Data you provide directly to our app

• Account registration information (if you choose to create an account).
• Support requests, deletion or correction requests, and other communications you send to us.

3. Legal basis & purpose of processing

We process your WhatsApp messages and attachments to:

• Provide the core service: store, index, and make messages accessible to authorized users.
• Respond to support requests and enforce our Terms of Service.
• Comply with legal obligations (e.g., lawful requests, ensuring platform safety).

For users in the EU, our lawful basis may include performance of contract and legitimate interests (providing the service and maintaining safety/quality).

4. Retention

We retain message text and media for as long as necessary to provide the service or until you request deletion. If you request deletion, we will normally complete deletion within 30 days and will confirm completion to the requester. If we are required to retain certain data for legal reasons, we will explain that in our response.

5. How we store and secure data

• Storage: Stored on Google Cloud Storage (or other cloud storage partners as appropriate).
• Encryption: We use encryption in transit (HTTPS/TLS) and at rest (provider-managed encryption).
• Access control & logging: We follow industry best practices for access control and operational logging.
• Secrets management: Permanent tokens used to communicate with Meta/Graph API are stored in a secure secrets manager; access to these secrets is limited to authorized systems and personnel only.

6. Sharing & third parties

We may share data with:

• Meta / WhatsApp: as required for API and platform operations.
• Cloud storage providers: (e.g., Firebase, Google Cloud Platform, AWS) for storing files.
• Subprocessors: analytics, logging, support vendors, and other service providers who process data on our behalf and are contractually obligated to protect it.

We do not sell personal data.

7. Data deletion & your rights

You have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion (right to erasure) of your data.

How to request deletion

Send an email to privacy@justmotes.com. We will authenticate requests and ordinarily complete deletion within 30 business days. If deletion cannot be completed due to a legal hold or other requirement, we will explain the reason and scope.

8. Cookies & tracking

If our web UI uses cookies or analytics (for example session cookies or Google Analytics), we will list them here and explain their purposes and opt-out instructions. Typical examples:

• Session cookies: used to keep you logged in during a browser session.
• Persistent cookies: optionally used to remember preferences.
• Analytics: Google Analytics or equivalent may be used to measure usage; opt-out instructions are provided by the analytics provider and can typically be applied via browser-level settings or provider opt-out tools.

(If you would like a detailed cookie table inserted here listing cookie names, purpose, and expiry, we can add that.)

9. Children

We do not knowingly collect Personal Data from children under 16 (or the applicable local age threshold). If we learn we have collected personal data from a child under the applicable age, we will promptly delete it.

10. Contact & changes

For privacy questions or deletion requests contact: privacy@justmotes.com.

We may update this policy. When we do, we will post the updated policy with a version date. The "Last updated" date at the top indicates when this version was published.