Privacy Policy

This policy explains what data WhatsApp Portal collects, why we collect it, how long we keep it, and the choices you have over it.

Last updated: July 10, 2026

1. Who we are

WhatsApp Portal ("we", "us") operates a WhatsApp bulk messaging platform. For the account data you register with, we act as a data controller. For the contact lists and message content you upload and send, we act as a data processor on your behalf — you remain the controller of that data and are responsible for having a lawful basis to process it.

2. Data we collect

Account data. Your name, email address, and a securely hashed password. We never store your password in plain text.

Contact data. The phone numbers, names, and any custom fields you import or create through the dashboard or API.

Message and campaign data. The content of messages you send, their recipients, delivery and read receipts, timestamps, and campaign-level aggregates.

Connection credentials. If you use QR Code Session mode, we store a WhatsApp session file that keeps your number linked. If you use Meta Cloud API mode, we store the Phone Number ID, WhatsApp Business Account ID, access token, and webhook verify token that you provide.

API keys. We store only a SHA-256 hash of each key. The plaintext key is displayed once at creation and is not recoverable by us.

Billing data. Package purchases, transaction records, and credit balances. Card details are handled by our payment provider and never reach our servers.

Technical data. IP address, browser and device information, and server logs, used for security, rate limiting, and debugging.

3. How we use your data

  • To operate the service: authenticate you, deliver your messages, and report delivery status.
  • To enforce quotas, rate limits, and prevent abuse of the platform.
  • To process payments and maintain a record of your purchases and credit balance.
  • To provide support and respond to complaints you raise.
  • To send essential service notifications about your account, security, or billing.
  • To improve reliability and performance through aggregated, non-identifying analytics.

We do not sell your personal data, and we do not use the contents of your messages or contact lists for advertising or model training.

4. Who we share data with

We share data only with the processors required to run the service, and only to the extent necessary:

  • Meta Platforms — when you send messages, whether via a WhatsApp session or the Meta Cloud API. Meta’s handling of that data is governed by Meta’s own privacy policy.
  • Our payment provider — to process package purchases and maintain transaction records.
  • Our hosting and infrastructure providers — to store the database, queues, and session files that run the platform.
  • Analytics providers — where enabled, to measure aggregate usage of our public website.

We may also disclose data where required by law, court order, or to protect our rights, property, or the safety of our users.

5. Cookies and local storage

We use a secure, HTTP-only cookie to hold your refresh token so that your session survives a page reload. Your short-lived access token is kept in browser session storage and is cleared when you close the tab. These are strictly necessary for the service to function.

Where enabled, our public website may set analytics cookies to measure aggregate traffic and page performance. These are not used to identify you individually.

6. How we protect your data

  • Passwords are hashed with bcrypt; API keys are stored only as SHA-256 hashes.
  • Authentication uses short-lived JWT access tokens with rotating refresh tokens.
  • All traffic to the platform is served over HTTPS.
  • Access to production data is limited to personnel who need it to operate the service.
  • Rate limiting and audit logging are applied across authenticated and public API routes.

No system is perfectly secure. If we become aware of a breach affecting your personal data, we will notify you and the relevant authority as required by applicable law.

7. Data retention

We retain account, contact, and message data for as long as your account is active. When you delete your Meta configuration or disconnect a WhatsApp session, the corresponding credentials and session files are removed. When you close your account, we delete or anonymise your personal data within a reasonable period, except where we are required to retain billing records for tax or legal compliance.

8. Your rights

Depending on where you live, you may have the right to access, correct, export, or delete your personal data, to object to or restrict its processing, and to withdraw consent. You can update your profile and delete your contacts and credentials directly in the dashboard, or contact us to exercise any of these rights.

Because we act as a processor for the contact data you upload, requests from your own message recipients should be directed to you as the controller; we will assist you in responding to them.

9. International transfers

Our infrastructure and processors may be located in countries other than your own. Where personal data is transferred internationally, we rely on appropriate safeguards, such as standard contractual clauses, to protect it.

10. Children

The service is not directed at children under 16, and we do not knowingly collect personal data from them. If you believe a child has provided us with personal data, contact us and we will delete it.

11. Changes to this policy

We may update this policy as the service evolves. Material changes will be reflected in the "Last updated" date above and, where appropriate, communicated to you directly.

12. Contact us

For privacy questions or to exercise your rights, email support@yourportal.com. Your use of the service is also governed by our Terms & Conditions.