Privacy Policy

joseaburto ("joseaburto", "we", "us", or "our") operates the joseaburto SaaS platform, which allows businesses to connect their WhatsApp Business accounts and automate customer conversations via the Meta WhatsApp Cloud API.

This Privacy Policy explains what personal data we collect, how we use it, with whom we share it, and what rights you have regarding your data. By using our service, you agree to the practices described in this policy.

Data Controller: joseaburto, privacy@joseaburto.com

We collect the following categories of personal data when you use joseaburto:

2.1 Account Data

• Name and email address (provided via Clerk / Facebook Login)
• Facebook User ID (used for authentication)
• Account creation timestamp

2.2 Business & WhatsApp Data

• WhatsApp Business Account ID (WABA ID)
• Phone Number ID and display phone number
• Meta access tokens (stored encrypted with AES-256-GCM)
• Business name

2.3 Message Data

• WhatsApp message content (text and metadata) sent to and from your connected number
• Sender and recipient phone numbers
• Message timestamps and delivery statuses

2.4 Technical & Usage Data

• IP address and browser / user-agent information
• Pages visited and features used on the platform
• Error logs and performance metrics (no message content in logs)

We process your personal data for the following purposes:

• Providing and operating the joseaburto service (legal basis: contract performance)
• Authenticating your identity and maintaining your session (legal basis: contract performance)
• Processing and routing WhatsApp messages on your behalf (legal basis: contract performance)
• Encrypting and storing your Meta access tokens securely (legal basis: contract performance)
• Proactively renewing Meta access tokens to prevent service interruption (legal basis: legitimate interest)
• Sending transactional emails such as account notifications (legal basis: contract performance)
• Improving and debugging the platform using anonymized usage data (legal basis: legitimate interest)
• Complying with legal obligations (legal basis: legal obligation)

We do not sell your personal data. We share data only with the following third parties where necessary to operate the service:

• Meta Platforms, Inc. — to deliver and receive WhatsApp messages via the WhatsApp Cloud API and to authenticate via Facebook Login. Meta's data use is governed by the Meta Platform Terms.
• Clerk, Inc. — to manage user authentication, sessions, and identity. Clerk processes your email and name to create and maintain your account.
• Cloud infrastructure providers — to host our database (PostgreSQL), message queue (Redis/BullMQ), and application servers. Providers are bound by data processing agreements.
• We may disclose data if required by law, court order, or to protect the rights, property, or safety of joseaburto, our users, or the public.

We retain your data for the following periods:

• Account data: for the duration of your account plus 90 days after deletion
• WhatsApp message records: 12 months from the date of the message
• Access tokens: encrypted in our database; deleted when you disconnect your WhatsApp account or delete your account
• Technical logs: 30 days

After the retention period, data is permanently deleted from our systems.

We implement the following technical and organizational measures to protect your data:

• AES-256-GCM encryption for all Meta access tokens stored in the database
• HMAC-SHA256 verification for all incoming webhooks
• HTTPS / TLS encryption for all data in transit
• Authentication via Clerk with verified JWTs on every API request
• Role-based access control — each tenant can only access their own data
• Regular automated backups with encryption at rest
• No sensitive data (tokens, message content, full phone numbers) in application logs

Depending on your location, you may have the following rights regarding your personal data:

• Right of access — request a copy of the personal data we hold about you
• Right to rectification — request correction of inaccurate data
• Right to erasure — request deletion of your data (see Section 8 and our Data Deletion page)
• Right to restriction of processing — request that we limit how we use your data
• Right to data portability — receive your data in a machine-readable format
• Right to object — object to processing based on legitimate interest
• Right to withdraw consent — where processing is based on consent, withdraw it at any time

To exercise any of these rights, contact us at privacy@joseaburto.com. We will respond within 30 days.

You can request deletion of all your personal data at any time. See our dedicated Data Deletion page for step-by-step instructions.

When your account is deleted, we remove: your user record, your tenant record, your WhatsApp account credentials (encrypted tokens), and your message history within 30 days, subject to any legal retention obligations.

We use cookies and similar tracking technologies. Please refer to our Cookie Policy for details.

Our infrastructure is hosted in the United States. If you are located in the European Economic Area (EEA), UK, or Switzerland, your data will be transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) or equivalent mechanisms approved by applicable data protection authorities.

joseaburto is not directed at children under the age of 13 (or 16 in certain jurisdictions). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will delete it promptly.

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by displaying a prominent notice in the platform. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of the service after changes constitutes acceptance of the updated policy.

For any questions, concerns, or requests related to this Privacy Policy, please contact:

• Email: privacy@joseaburto.com
• Subject line: Privacy Policy Inquiry
• We aim to respond to all inquiries within 5 business days.