Privacy Policy

AITEX Agency (“Company,” “we,” “us”) operates a WhatsApp Business automation platform and is applying for Tech Provider status through Meta’s App Review process. This Privacy Policy describes how we collect, use, disclose, and safeguard personal data processed through our WhatsApp automation platform, including our WhatsApp Business portals, order confirmation messaging templates, and AI-powered sales agent services (collectively, the “Services”). This policy has been prepared in accordance with Meta’s WhatsApp Business Policy, the WhatsApp Business API Terms of Service, the Meta Platform Terms, the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and applicable local data protection laws.

1. Scope and Application

This Privacy Policy applies to:

• Businesses and merchants (Clients) who subscribe to our WhatsApp automation platform and messaging services.
• End users (Users) who interact with our Clients via WhatsApp-powered portals, chatbots, and automated notifications.
• Visitors to our website and anyone who communicates with us directly.

This policy does NOT apply to Meta’s own data processing practices. For information on how WhatsApp handles data, please refer to WhatsApp’s Privacy Policy.

2. Data Controller and Processor Roles

We act as a Data Processor on behalf of our Clients (who are the Data Controllers) when processing end-user messages transmitted via the WhatsApp Business API, in accordance with the WhatsApp Business Data Processing Terms. We act as a Data Controller in our own right for data we collect from Clients and website visitors for account management and service delivery purposes.

Upon approval as a Tech Provider under the Meta Platform Terms, we will process Platform Data solely on behalf of and at the direction of our Clients for their approved purposes, and not for our own independent purposes or for another Client’s benefit.

For GDPR inquiries, our Data Protection Officer (DPO) can be reached at: privacy@aitex.agency

3. Information We Collect

3.1 Information Collected from Clients (Businesses)

• Business name, registration details, and WhatsApp Business Account (WABA) information.
• Contact information: name, email address, phone number, and billing address.
• Payment and billing data (processed securely via PCI-DSS compliant payment processors).
• API credentials and configuration settings for WhatsApp Business API integration.
• Usage logs, analytics, and message volume data associated with your account.

3.2 Information Collected from End Users (via Client Deployments)

• WhatsApp phone number (mandatory for WhatsApp communication).
• WhatsApp display name (as shared by the user’s WhatsApp profile).
• Message content submitted by the user within the conversation flow.
• Order details, transaction references, and confirmation data (for order confirmation templates).
• Responses to AI sales agent prompts and conversation history within a session.
• Device metadata as transmitted through the WhatsApp Business API (e.g., message timestamps, delivery status).

3.3 Information We Do Not Collect

We do not collect, access, or store:

• WhatsApp message encryption keys or decrypted message content outside of the service delivery context.
• Sensitive personal data (health, biometric, financial account numbers) unless explicitly required by a Client’s approved use case.
• Data from personal WhatsApp accounts not connected to a business WABA.

3.4 Prohibited Data Practices

In compliance with Meta’s WhatsApp Business Messaging Policy and the Meta Platform Terms, we and our Clients must adhere to the following restrictions:

• No sharing of sensitive identifiers: We do not share or request full-length individual payment card numbers, financial account numbers, personal ID card numbers, or other sensitive identifiers via WhatsApp messages.
• No cross-customer data sharing: Information from one customer’s chat may not be forwarded or otherwise shared with any other customer.
• No health-related messaging: We do not use WhatsApp for telemedicine or to send or request health-related information where applicable regulations prohibit distribution to systems without heightened data handling requirements.
• No data selling or licensing: We do not sell, license, or purchase Platform Data obtained through the WhatsApp Business API.
• No discriminatory processing: We do not process data to discriminate or encourage discrimination against people based on personal attributes including race, ethnicity, religion, age, sex, sexual orientation, gender identity, disability, or any other protected characteristic.
• No re-identification: We do not attempt to decode, circumvent, re-identify, de-anonymize, or reverse-engineer any anonymized or aggregated Platform Data.

4. How We Use Information

4.1 Lawful Bases (GDPR)

We rely on the following legal bases for processing personal data:

• Contract Performance: To deliver the Services agreed upon with our Clients.
• Legitimate Interests: To improve service quality, detect abuse, and ensure platform security.
• Consent: Where end users have opted in to receive WhatsApp communications from our Clients.
• Legal Obligation: To comply with applicable laws, regulations, and Meta’s platform policies.

4.2 Limitation on Data Use

In accordance with Section 3 of the WhatsApp Business Messaging Policy, we do not use any data obtained about a person messaged within WhatsApp, other than the content of message threads, for any purpose other than as reasonably necessary to support messaging with that person on behalf of the applicable Client.

4.3 Specific Uses

• To provision, operate, and maintain WhatsApp Business portals and API integrations.
• To send and deliver transactional messages, including order confirmations, shipping updates, and appointment reminders via pre-approved WhatsApp Message Templates.
• To power AI-driven sales agent conversations on behalf of Clients, within the scope of the Client’s approved WhatsApp Business use case.
• To provide analytics and reporting dashboards to Clients on messaging performance.
• To authenticate users, manage accounts, and process Client billing.
• To detect, investigate, and prevent fraudulent, harmful, or unauthorized use of the platform.
• To comply with Meta’s WhatsApp Business Policy and applicable legal requirements.

5. WhatsApp Messaging Compliance

5.1 User Opt-In Requirements

We require all Clients to obtain opt-in consent from end users before initiating any WhatsApp Business conversations. As per the WhatsApp Business Messaging Policy, Clients may only contact people on WhatsApp if: (a) they have provided their mobile phone number, and (b) the Client has received opt-in permission confirming the person wishes to receive subsequent messages or calls. Opt-in must:

• Clearly state that the person is opting in to receive communication from the business.
• Clearly identify the business’s name that the person is opting in to receive messages from.
• State the types or categories of messages the user will receive (e.g., order updates, offers, product recommendations).
• Be recorded and auditable by the Client.
• Comply with all applicable laws and regulations governing the Client’s communications.
• Comply with WhatsApp’s Opt-In Requirements as specified in the WhatsApp Business Policy.

Clients must provide clear instructions for how people can opt out of receiving specific categories of messages, and must honour all requests (on or off WhatsApp) to block, discontinue, or otherwise opt out of communications, including removing that person from their contact list.

5.2 Message Template Compliance

All message templates, including order confirmation templates, are submitted to and approved by Meta through the official WhatsApp Business API template review process before deployment. Templates must:

• Not contain promotional content in transactional templates without appropriate categorization.
• Not use deceptive language, impersonation, or misleading calls-to-action.
• Comply with WhatsApp’s Business Messaging Policy and local consumer protection laws.

5.3 AI Sales Agent Standards

Our AI-powered sales agent operates within the following guidelines:

• The AI agent identifies itself as an automated assistant when directly asked by a user.
• AI conversations are conducted solely within permitted WhatsApp use cases as approved by Meta.
• No profiling, automated decision-making with legal effects, or sensitive data processing is performed without explicit Client authorization and appropriate data processing agreements.

5.4 Escalation Paths

As required by Section 2 of the WhatsApp Business Messaging Policy, we ensure that prompt, clear, and direct escalation paths are available when automation is used. These escalation paths include:

• In-chat human agent transfer upon user request or when the AI cannot resolve a query.
• Phone number for direct support.
• Email support.
• Web support via the Client’s business website.
• Support form for submitting inquiries.

6. Data Sharing and Disclosure

We do not sell, rent, or trade personal data. We share data only in the following circumstances:

6.1 Meta Platforms, Inc.

Message data is transmitted via Meta’s WhatsApp Business API infrastructure. Meta’s data processing is governed by Meta’s own privacy policy and terms of service. We will maintain a Data Processing Agreement with Meta as required by applicable law.

6.2 Our Clients

End-user data collected within a Client’s WhatsApp deployment is accessible by that Client as the Data Controller. Clients are contractually bound by our Data Processing Agreement and WhatsApp’s Business Policy. We contractually prohibit Clients from processing Platform Data in a way that would violate Meta’s Platform Terms or any other applicable Meta policy.

6.3 Client Data Segregation

As required by the Meta Platform Terms (Section 5.b), Platform Data maintained on behalf of one Client is maintained separately from that of other Clients. We do not commingle, cross-reference, or use one Client’s data for the benefit of another Client or for our own independent purposes.

6.4 Notification of Data Subject Requests from Meta

In accordance with the Meta Platform Terms, we will promptly notify a Client of any communication sent to us by Meta concerning a user’s request regarding the processing of their Platform Data, including requests to exercise their data subject rights.

6.5 Service Providers and Sub-Processors

We engage trusted third-party service providers to operate our platform, including cloud hosting providers, payment processors, analytics providers, and customer support tools. All sub-processors are bound by data processing agreements that meet GDPR standards and are listed in our Sub-Processor Register available upon request.

6.6 Legal Requirements

We may disclose personal data when required by law, court order, or governmental authority, or to protect the rights, property, or safety of our Company, Clients, or end users.

7. Data Retention

• Message content and conversation logs are retained for a maximum of 90 days from the date of transmission, unless a Client’s operational requirements and applicable law mandate a different retention period.
• Client account data is retained for the duration of the active subscription and for 2 years thereafter for legal and audit purposes.
• Data subject to a legal hold or regulatory investigation will be retained until the matter is resolved.
• Upon account termination, Client data is securely deleted or anonymized within 30 days of a written request. In accordance with Meta’s WhatsApp Business Terms (Section 12), data associated with your WhatsApp Business Account may be retained by WhatsApp for up to 90 days following termination, with limited copies retained in backup storage for disaster recovery purposes.
• Platform Data will be promptly deleted when retaining it is no longer necessary for a legitimate business purpose, when we stop operating the relevant service, when Meta requests deletion for user protection, or when required by applicable law, in accordance with Meta Platform Terms (Section 3.d).

8. Data Security

We implement industry-standard technical and organizational security measures, including:

• End-to-end encryption of data in transit using TLS 1.2 or higher.
• AES-256 encryption of data at rest.
• Role-based access controls (RBAC) and least-privilege access principles.
• Regular vulnerability assessments and penetration testing.
• Incident response procedures with breach notification protocols aligned with GDPR Article 33 (72-hour notification to supervisory authority) and WhatsApp’s incident reporting requirements.
• ISO 27001-aligned information security management practices.
• An easily accessible channel for reporting security vulnerabilities in our platform, available at security@aitex.agency. Identified deficiencies are promptly addressed.

8.1 Meta Incident Reporting

In the event of any unauthorized processing, access, destruction, loss, alteration, disclosure, or compromise of Platform Data, or any incident reasonably likely to compromise the security, confidentiality, or integrity of our IT systems, we will:

• Report the incident to Meta as soon as practicable using Meta’s incident reporting form, and no later than required under applicable laws and regulations.
• Immediately begin remediation and reasonably cooperate with Meta, including providing details of the impact on Platform Data and corrective actions taken.
• Notify the relevant supervisory authority within 72 hours as required by GDPR Article 33.
• Notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

9. Data Subject Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Right to Access: Request a copy of personal data we hold about you.
• Right to Rectification: Request correction of inaccurate or incomplete data.
• Right to Erasure (‘Right to be Forgotten’): Request deletion of personal data, subject to legal retention obligations.
• Right to Restriction: Request that we limit processing of your data in certain circumstances.
• Right to Data Portability: Receive your data in a structured, machine-readable format.
• Right to Object: Object to processing based on legitimate interests or for direct marketing purposes.
• Right to Opt-Out of Sale (CCPA): We do not sell personal data; however, California residents may submit requests as applicable.

To exercise any of these rights, please contact us at privacy@aitex.agency. We will respond to verified requests.

End users wishing to stop receiving WhatsApp messages from a Client should contact that Client directly or reply STOP to any message.

10. International Data Transfers

Your data may be processed in countries outside your jurisdiction, including the United States and other countries globally where we, Meta, or our service providers have facilities. You acknowledge that the laws, regulations, and standards of the country in which your data is stored or processed may differ from those of your own country. Where we transfer personal data outside the European Economic Area (EEA), we rely on:

• Standard Contractual Clauses (SCCs) as approved by the European Commission, including Module One (controller to controller) transfers as specified in the Meta Platform Terms.
• Adequacy decisions where applicable.
• The WhatsApp Business Data Transfer Addendum for EEA transfers, the WhatsApp Business UK Data Transfer Addendum for UK transfers, and the WhatsApp Business Global Data Transfer Addendum for transfers subject to other applicable data protection laws.
• Binding corporate rules or other lawful transfer mechanisms as required.
• Implementation and maintenance of Meta’s Technical and Organisational Measures as required for international data transfers.

11. Children’s Privacy

Our Services are intended for use by businesses and individuals aged 18 or older. We do not knowingly collect personal data from children under 13 (or the applicable minimum age in your jurisdiction). If you believe a child has submitted personal data through our platform, please contact us immediately at privacy@aitex.agency.

12. Cookies and Tracking Technologies

Our website at www.aitex.agency uses cookies and similar technologies for authentication, analytics, and performance monitoring. You may manage cookie preferences through your browser settings or our Cookie Consent Manager. Our full Cookie Policy is available on our website.

13. WhatsApp Business and Meta Platform Compliance

As part of our application for Tech Provider status through Meta’s App Review process, we commit to full compliance with the following policies and terms:

• WhatsApp Business Messaging Policy
• WhatsApp Business Terms of Service
• WhatsApp Messaging Guidelines
• WhatsApp Business Data Processing Terms
• WhatsApp Business Data Security Terms
• WhatsApp Commerce Policy (where applicable)
• Meta Platform Terms
• Meta Developer Policies

We conduct regular compliance audits and cooperate fully with Meta in any investigation related to policy violations, including providing information, certifications, and attestations regarding our use of Platform and processing of Platform Data as required by Meta. Clients using our platform agree to abide by all applicable WhatsApp and Meta policies as a condition of service. We will promptly terminate a Client’s access to our Services if Meta requests it due to policy violations or negative impact on the platform or its users.

14. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or Meta’s platform policies. We will notify Clients of material changes via email and in-platform notification at least 30 days prior to the effective date of the change. Continued use of our Services following notice of changes constitutes acceptance of the revised policy.

15. Contact Information

For privacy-related questions, requests, complaints, or to reach our Data Protection Officer:

If you are located in the European Union and believe we have not adequately addressed your privacy concern, you have the right to lodge a complaint with your local supervisory authority.