Privacy Policy

Effective Date: June 11, 2026  ·  Version 2.0

Your privacy matters. This policy explains what data we collect, why we collect it, how we use it, and what rights you have. We have written it to be clear and honest — not to hide anything.
Encrypted Storage
Tokens & sensitive data encrypted at rest
No Selling Data
We never sell your or your customers' data
WhatsApp Data
Messages processed only to operate your bot
Right to Delete
Request deletion of your data anytime

1. Who We Are

AppointFlow ("we", "us", "our") operates an online appointment scheduling and WhatsApp automation platform. For the purposes of data protection law, AppointFlow is the data controller of personal data we collect directly (e.g., Business User account data).

For personal data that Business Users collect from their End Customers (appointment records, WhatsApp conversations), the Business User is the data controller and AppointFlow acts as a data processor, processing that data only on the Business User's instructions as set out in this Privacy Policy and our Terms and Conditions.

2. Data We Collect

2.1 Business Users (Merchants)

When you register and use the Service, we collect:

Category | Data collected | Purpose
Account Information | Name, email address, password (hashed), profile photo | Account creation & login
Company Information | Business name, type, country, city, email, logo | Service operation & display
Staff Profiles | Names, email addresses, phone numbers, role, avatar | Scheduling & communication features
Subscription & Billing | Plan type, payment status, subscription dates | Billing management
WhatsApp Credentials | WABA ID, Phone Number ID, access token (AES-256 encrypted) | WhatsApp bot operation
Usage Data | Appointment records, service definitions, schedule rules | Core Service functionality
Technical Logs | IP addresses, browser type, pages visited, timestamps | Security, debugging, analytics

2.2 End Customers (via Business Users)

When a customer interacts with a Merchant's WhatsApp bot, we collect on behalf of the Merchant:

Category | Data collected | Purpose
Phone Number | WhatsApp phone number (E.164 format) | Identify and respond to customer
Display Name | WhatsApp contact name (if provided by Meta) | Customer record creation
Conversation History | Inbound and outbound WhatsApp messages | Bot state management & audit trail
Appointment Data | Selected services, staff, date, time, status | Booking fulfilment

Note for End Customers: If you have interacted with a business via their WhatsApp bot and wish to access or delete your data, please contact that business directly. You may also contact us and we will facilitate the request.

2.3 Data We Do NOT Collect

  • We do not collect payment card numbers (payments are handled directly between you and us; no card processing is done through this platform at this time).
  • We do not read, store, or analyse WhatsApp message content beyond what is required to operate the bot and maintain audit logs.
  • We do not use End Customer data for advertising or profiling.

3. Legal Basis for Processing

We process personal data on the following legal bases:

Contract Performance
Processing necessary to provide the Service you have signed up for (account management, appointment booking, WhatsApp bot operation).
Legitimate Interests
Security monitoring, fraud prevention, improving our Service, maintaining service integrity.
Legal Obligation
Complying with applicable laws, responding to lawful government requests.
Consent
Where we send marketing communications, you may withdraw consent at any time by unsubscribing.

4. How We Use Your Data

We use the data we collect to:

  • Operate the Service: Create and manage accounts, process appointments, run the WhatsApp bot, manage staff schedules.
  • Authenticate users: Verify identity and manage secure access to accounts.
  • Subscription management: Process plan changes, track usage against limits, manage billing status.
  • Send service communications: Appointment confirmations, system alerts, policy updates, security notifications. These are non-marketing and cannot be opted out of while you use the Service.
  • Security and fraud prevention: Rate limiting (5 messages/minute per customer), duplicate message detection, suspicious activity monitoring.
  • Improve the Service: Aggregate, anonymised usage analytics to understand how the Service is used and prioritise improvements.
  • Legal compliance: Comply with applicable laws and respond to lawful requests from government authorities.

We do not use your data for targeted advertising, profiling for third parties, or any purpose not described in this policy.

5. WhatsApp & End Customer Data

5.1 How WhatsApp Data Flows

When an End Customer sends a message to a Merchant's WhatsApp number:

  1. Meta delivers the message to our webhook endpoint (/api/webhooks/whatsapp) with a cryptographic signature we verify before processing.
  2. The message content is processed in memory to determine the bot's next action.
  3. The inbound message and outbound reply are stored in our database (Supabase) associated with the Merchant's company ID.
  4. Session state (conversation progress) is stored and cleared when the conversation ends or the customer resets.

5.2 Message Content

We store the text content of WhatsApp messages for:

  • Operating the conversational bot (state machine requires knowing previous inputs).
  • Audit trail — Merchants can review conversations in their Inbox.
  • Rate limit enforcement (counting inbound messages per customer).

Message content is not used for training AI models, advertising, or shared with any third party other than the Merchant whose bot received the message.

5.3 Business User Responsibility

Business Users are data controllers for their End Customer data and are responsible for:

  • Obtaining valid consent from End Customers before they interact with the bot.
  • Maintaining a privacy notice that informs End Customers how their data is used.
  • Honouring End Customer data rights requests (access, deletion, etc.).
  • Complying with applicable local privacy laws in their jurisdiction.

6. Data Sharing & Disclosure

We do not sell your personal data. We share data only as follows:

Recipient | Role | What is shared | Location
Supabase | Database & authentication infrastructure | Stores all user and appointment data | EU/US (contractual safeguards)
Meta / WhatsApp | Message delivery | Phone number + message content for sending WhatsApp messages | Meta's servers globally
Vercel | Hosting & serverless functions | Request data processed through hosting infrastructure | US (contractual safeguards)

We may also disclose data:

  • Legal compliance: When required by applicable law, court order, or government authority, we will disclose the minimum data necessary and, where permitted, notify you.
  • Business transfers: In the event of a merger, acquisition, or sale of all or substantially all of our assets, your data may be transferred to the successor entity. We will notify you before your data becomes subject to a different privacy policy.
  • With your consent: For any other purpose, only with your explicit consent.

7. Data Retention

Data Type | Retention Period
Business User account data | Duration of account + 30 days after deletion request
Staff profiles | Duration of account + 30 days after deletion request
WhatsApp credentials (encrypted) | Until disconnected + immediate secure deletion on disconnect
Appointment records | 3 years from date of appointment (business record-keeping)
WhatsApp messages | 12 months from creation, then automatically purged
Session data | Deleted when conversation ends or customer resets
Security logs / IP data | 90 days

When data is deleted, it is permanently removed from our active databases. Backups containing historical data may persist for up to 30 additional days before being overwritten, during which time the data is not accessible for normal operations.

8. Data Security

We implement industry-standard technical and organisational measures to protect your data:

  • Encryption in transit: All data transmitted to and from the Service uses TLS 1.2 or higher (HTTPS).
  • Encryption at rest: WhatsApp Business access tokens are encrypted using AES-256-CBC before storage.
  • Webhook signature verification: All inbound Meta webhooks are validated using HMAC-SHA256 signature verification to prevent spoofing.
  • Rate limiting: Inbound WhatsApp messages are rate-limited per customer (5/minute) to prevent abuse.
  • Access controls: Database access is restricted by role-based policies. Staff members cannot access data outside their company.
  • Authentication: User authentication is managed by Supabase with industry-standard password hashing.
  • Duplicate message protection: Each incoming WhatsApp message is checked against stored message IDs to prevent double-processing.

Despite these measures, no security system is impenetrable. If you become aware of any security vulnerability or breach, please notify us immediately at security@appointflow.app.

9. Cookies & Tracking

We use the following types of cookies and local storage:

Type | Category | Purpose | Duration
Session cookies | Essential | Maintain your logged-in session (Supabase auth token) | Session (deleted on browser close)
Preference storage | Functional | Remember UI preferences | Local storage, persisted

We do not use third-party advertising cookies, cross-site tracking pixels, or analytics services that share your data with advertisers. We do not currently use Google Analytics or similar third-party analytics platforms.

10. International Data Transfers

Our Service is hosted primarily in the United States (Vercel) and European Union (Supabase). By using the Service from any location, you acknowledge that your data may be transferred to and processed in these countries.

For Business Users and End Customers in the European Union or other regions with data transfer restrictions, we ensure appropriate safeguards are in place through:

  • Standard Contractual Clauses (SCCs) with our sub-processors (Supabase, Vercel).
  • Ensuring sub-processors maintain adequate data protection standards.

11. Your Rights

Depending on your location and applicable law, you may have the following rights regarding your personal data:

Access
Request a copy of the personal data we hold about you.
Rectification
Request correction of inaccurate or incomplete data.
Erasure
Request deletion of your data ('right to be forgotten'), subject to legal retention requirements.
Restriction
Request that we restrict processing of your data in certain circumstances.
Portability
Receive your data in a structured, machine-readable format.
Objection
Object to processing based on legitimate interests.
Withdraw Consent
Withdraw consent for marketing communications at any time without affecting prior lawful processing.
Complaint
Lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us at privacy@appointflow.app. We will respond within 30 days. We may need to verify your identity before fulfilling a request.

Note: End Customers seeking to exercise rights over data held by a Merchant should contact that Merchant directly. We will assist as a data processor where required.

12. Children's Privacy

The Service is intended for business operators and is not directed at children under the age of 16 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal data from children.

If you believe a child has provided us with personal data without parental consent, please contact us at privacy@appointflow.app and we will promptly delete such data.

13. Third-Party Links & Integrations

The Service integrates with and may link to third-party services including Meta (WhatsApp), Supabase, and Vercel. This Privacy Policy applies only to data processed by AppointFlow. We encourage you to review the privacy policies of any third-party services you use:

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:

  • Update the "Effective Date" at the top of this page.
  • Notify registered Business Users via email or in-app notification at least 14 days before the change takes effect.

We encourage you to review this policy periodically. Your continued use of the Service after changes become effective constitutes acceptance of the revised policy.

15. Contact & Data Protection

For any privacy-related questions, data subject rights requests, or to report a security concern:

AppointFlow — Privacy Team

Privacy enquiries: privacy@appointflow.app

Security reports: security@appointflow.app

General: legal@appointflow.app

Website: appointflow.app

Address:

526/c, Eriyawetiya
Kiribathgoda, Sri Lanka
011600

Phone: +94713466180

We aim to respond to all privacy requests within 30 days. For complex requests, we may extend this by an additional 60 days and will notify you of the extension.