Privacy Policy

Last updated: June 22, 2026

This Privacy Policy describes how AiServe Shared WhatsApp Inbox ("we", "us") collects, uses, and shares personal data when you and your team use the Service. It is designed to comply with the principles of the Malaysian Personal Data Protection Act 2010 (PDPA) and similar data-protection frameworks worldwide.

1. Who is the data controller

For data about your customers (the people sending you WhatsApp messages), you (the Workspace) are the data controller. We act as a data processor on your behalf.

For data about your team members (the users you invite to the portal) and Workspace administrators, we are the data controller.

2. What we collect

• Account & Workspace data: company name, workspace slug, billing details, your name, email, hashed password, role, and timestamps.
• Conversation content: incoming and outgoing WhatsApp messages, message metadata (timestamps, delivery status, sender), attached media files, internal notes, and tags.
• Contact records: customer WhatsApp ID, phone number, profile name as supplied by WhatsApp, and any contact-level metadata your team adds.
• Activity logs: logins, assignments, message sends, template uses, AI-suggestion requests, and other actions taken in the portal.
• Webhook events: the raw payloads delivered by your configured messaging provider, retained for diagnostics.
• Knowledge-base uploads: documents, PDFs, or text you upload for AI grounding, plus the extracted plain text.
• Technical data: IP address, browser user agent, and session cookies necessary to keep you logged in.

3. How we use it

We process the data above only to:

• provide and maintain the Service;
• route inbound WhatsApp messages to the right Workspace and agent;
• generate AI reply drafts, when AI is enabled by the Workspace admin;
• produce activity logs and reports requested by Workspace admins;
• diagnose problems (the webhook log page exposes recent payloads to Workspace admins);
• comply with legal obligations and enforce our Terms.

4. Third-party processors

Depending on the providers and AI features your Workspace enables, we may share data with the following processors. Their own privacy notices apply to data they receive:

• Meta Platforms, Inc. — when you use the WhatsApp Business Cloud API to send/receive messages. Messages traverse Meta's servers.
• Your Evolution API host or partner gateway — when you use those providers, messages pass through their infrastructure on the way to and from WhatsApp.
• Anthropic, PBC — when AI reply suggestions are enabled, the last 20 messages of context, your system prompt, and any active knowledge-base articles are sent to Anthropic's Messages API for processing. Anthropic does not train models on API traffic by default (see Anthropic's commercial-terms statements). Data is processed in the United States.
• Hostinger (or your own VPS provider) — hosts the portal application and database.

5. Where data is stored

Workspace data is stored on the server you (or your operator) deployed the portal on. If you use third-party processors above, copies of relevant data may also be transmitted to and stored in their jurisdictions, which may include the United States and European Union.

6. Retention

We retain conversation content, contacts, and activity logs for as long as your Workspace remains active, unless you delete them sooner via the admin interface. Webhook diagnostic logs are retained at the discretion of the Workspace admin. When a Workspace is closed, related data is deleted within 90 days unless retention is required by law.

7. Your rights

Subject to applicable law, you have the right to:

• access the personal data we hold about you;
• correct inaccurate data via your profile or by contacting the Workspace admin;
• delete your account and associated data;
• export Workspace data (contacts, conversations) on request;
• object to or restrict certain processing;
• withdraw consent for optional features such as AI suggestions at any time.

Requests should be directed to your Workspace administrator. If you are a customer messaging a business that uses the Service, please contact that business directly — they are the controller of the conversation.

8. Security

We protect data with industry-standard measures: HTTPS for all browser traffic, hashed passwords (bcrypt), per-session CSRF tokens, role-based access control, audit logging, and HMAC-signed media URLs for outbound attachments. No system is 100% secure; please report suspected vulnerabilities to the Workspace administrator.

9. Cookies & sessions

We set a single first-party session cookie (HttpOnly, SameSite=Lax, Secure over HTTPS) to keep you logged in. We do not use third-party analytics or advertising cookies.

10. Children's privacy

The Service is not intended for use by individuals under 18. We do not knowingly collect personal data from children.

11. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified by email to Workspace administrators or by an in-app notice. The "Last updated" date at the top of this page reflects the most recent revision.

12. Contact

Questions about this Policy or to exercise your rights, contact your Workspace administrator. For Workspace-administrator-level inquiries, use the support address listed in your Workspace settings.