Privacy Policy

Wabot's core design principle is "customer data stays local". Your customer chats, contact lists, and product catalogs remain on your own Windows device and are never uploaded to Wabot servers.

1. What We Collect

1.1 Information you actively provide

• Registration: Email, name, business name, country/city (for activation, renewal, ops communication)
• Payment info: Submitted via PayPal/Yappy — name, email, transaction ID. We do not handle card details (those are processed by PayPal/Yappy).
• Support tickets: Issues you send to [email protected]

1.2 Information automatically collected

• Device fingerprint (machine_id): Anonymous hash from hardware info, prevents shared activation codes
• IP address: Logged on heartbeat and login only, for anomaly detection
• Software version: For pushing upgrades
• Heartbeat: Every 60 minutes — timestamp + online status
• AI call metadata: Time, model name, input/output token counts, latency (not the prompt or response content)
• Install logs: Uploaded only on install failure for auto-diagnosis

1.3 What we explicitly do NOT collect

• ❌ WhatsApp chat content with your customers (stored locally + on WhatsApp's servers)
• ❌ Customer phone numbers, names, addresses (stored in your local profile)
• ❌ Your product catalog, menu, or business assets (stored in local JSON)
• ❌ The actual content of AI conversations (transmitted directly between client device and AI provider)
• ❌ Other files or browsing history on your Windows device

2. How We Use Your Data

• Account management: Send activation codes, renewal reminders, product updates
• Billing: Process payments, generate invoices, refunds
• Operations: Monitor service health, track AI usage, detect abuse
• Customer support: Respond to tickets, remote upgrades (only if you initiate from admin panel)
• Product improvement: Analyze anonymous usage patterns; no individual identification

3. Who We Share With

We do not sell or rent your personal data. Sharing only happens with:

• Resend (email): For sending activation codes, renewal reminders. Shares: your email + subject + body
• PayPal, Yappy (payments): Process payments. Shares: amount, order ID
• Cloudflare (CDN + DNS): Hosts docs.gowabot.com, api.gowabot.com. Shares: visitor IP + request path
• DeepSeek, OpenAI, Aliyun (AI): Process AI conversations. Shares: prompts from your client device (no license info attached)
• Google Workspace (mail backend): Forward domain emails to Licensor's personal mailbox for ticket response
• Legal obligation: Only upon valid legal subpoena or regulatory order

4. Data Retention

• Account and licenses: Long-term (kept 365 days post-termination for refund window and audit, then anonymized)
• Heartbeats: Archived to cold storage after 90 days, deleted after 2 years
• AI call metadata: Deleted after 12 months
• Install logs: Deleted after 30 days
• Email send logs: Deleted after 6 months
• DB backups: Last 30 backups (~30 days rolling)

5. Data Security

• All transit uses HTTPS / TLS 1.2+
• Third-party payment credentials AES-256-GCM encrypted in DB
• Activation codes RS256 digitally signed; tampering invalidates
• Daily encrypted DB backups to Cloudflare R2 (GPG AES-256)
• Server access protected by SSH key + admin token (2FA)
• Wabot is a small team (Licensor solo) — your data doesn't pass through many hands

6. Your Rights (GDPR / LGPD / Panama Law 49/2018 compatible)

• Access: Email [email protected] to request all data we hold about you (PDF export, replied within 30 days)
• Correction: Account info editable in admin panel; other data via support ticket
• Deletion: Uninstall locally and request server-side account deletion (payment audit retained 365 days for compliance)
• Object: Decline product analytics (contact us to opt out)
• Export: Account data exportable as JSON

7. Children's Privacy

The Software targets business users and is not sold or provided to minors under 18. If a minor's account is detected, we will delete it upon notification.

8. Cross-border Data Transfer

Licensor servers are hosted on Aliyun International (AS73). Some metadata may transit to the US (Cloudflare, PayPal, Resend), Mainland China (DeepSeek), etc. We only work with providers offering compliant equivalent protection. If you have specific data localization requirements (e.g. Russia, Iran), please email before subscribing.

9. Cookies and Tracking

The admin panel uses one token cookie for login persistence. We use no third-party analytics, advertising, or social-media tracking cookies. docs.gowabot.com is fully static and cookie-free.

10. Policy Updates

This policy may evolve with the product. Material changes will be announced via email 30 days in advance and reflected in the date above.

11. Contact

Privacy inquiries: [email protected] with subject prefix "[Privacy]". We commit to a reply within 7 business days.

Disclaimer: This document does not constitute formal legal advice. Data protection laws vary by jurisdiction; if your business is subject to GDPR, CCPA, LGPD, or similar specific regulations, consult a compliance advisor. The English version is authoritative over translations.