Privacy Policy

1.1 Information you provide directly

• Account registration data: name, email address, phone number, business name, business address, and tax identification numbers.
• Payment and financial information: bank account details, mobile money wallet identifiers, and billing addresses. Card numbers are tokenised by our payment processors and are never stored on our servers.
• Business content you upload: product catalogues, images, pricing, inventory data, and storefront configurations.
• Communications you send through the platform: customer support messages, in-app chat, and any files or media attached to those messages.
• WhatsApp Business onboarding data: when you connect your WhatsApp Business Account through Meta Embedded Signup, we receive your WhatsApp Business Account ID, phone number, display name, and business verification status from Meta.

1.2 Information collected automatically

• Device and browser information: IP address, device type, operating system, browser type and version, screen resolution, and language preferences.
• Usage data: pages visited, features used, click patterns, session duration, and referring URLs.
• Transaction metadata: order timestamps, amounts, currency, payment method used, and order status changes.
• Log data: server logs that record requests, errors, and system performance metrics.

1.3 Information from third parties

• Identity verification providers: to confirm business identity and comply with know-your-customer (KYC) obligations.
• Payment processors: transaction confirmation, chargeback, and settlement data.
• Meta / WhatsApp: message delivery status, read receipts, template approval status, and quality ratings for your WhatsApp Business Account.

We process your personal data only where we have a lawful basis to do so. The legal bases we rely on are: performance of a contract with you, your consent, our legitimate interests, and compliance with legal obligations.

Specifically, we use your information to:

• Provide, operate, and maintain the Services, including processing orders and payments.
• Route and deliver messages between you and your customers across supported channels (WhatsApp, Instagram, Telegram, email, SMS).
• Power AI-assisted customer support features, including suggested replies and automated responses, using the message context of your conversations.
• Calculate and collect the applicable transaction fee that funds the platform.
• Send transactional notifications: order confirmations, shipping updates, payment receipts, and account alerts.
• Detect, prevent, and investigate fraud, abuse, and security incidents.
• Conduct analytics and research to improve the Services, develop new features, and understand usage patterns in aggregate.
• Comply with applicable laws, regulations, and lawful government requests.

We do not sell your personal data to third parties. We do not use message content for advertising purposes.

Cimplify operates as a Business Solution Provider (BSP) for the WhatsApp Business Platform and also integrates with Instagram Messaging, Telegram Bot API, email (SMTP/IMAP), and SMS gateways. This section describes how messaging data is handled.

3.1 What messaging data we collect

• Sender and recipient phone numbers, email addresses, or platform identifiers.
• Message content: text, images, documents, voice notes, location data, and other media sent or received through the platform.
• Message metadata: timestamps, delivery status, read receipts, and channel of origin.
• Opt-in records: evidence that the end customer consented to receive messages from the business.

3.2 How messaging data flows

When a business uses Cimplify to communicate with customers via WhatsApp, messages are routed from the business through our servers to Meta's WhatsApp Business API, and vice versa. Cimplify acts as a data processor on behalf of the business (the data controller). Meta processes message data according to its own privacy policies once messages enter the WhatsApp network.

3.3 Opt-in and consent

Businesses using Cimplify are required to obtain valid opt-in consent from their customers before sending WhatsApp messages, as mandated by Meta's WhatsApp Business Policy. Cimplify provides tools to capture and record opt-in consent, but the business remains responsible for ensuring compliance. Opt-in records are stored alongside the customer profile and are available for audit.

3.4 Message content handling limitations

Cimplify does not use the content of private messages between businesses and their customers for advertising, marketing to unrelated third parties, or training machine-learning models. AI features that analyse message content (such as suggested replies) operate solely within the business's own conversation context at inference time and are not shared across businesses.

We may access message content when required by law, to enforce our Terms of Service, or to investigate reports of abuse or policy violations. Access is logged and restricted to authorised personnel.

We share personal data with the following categories of third-party service providers, each of which is contractually obligated to protect your data:

We may also disclose personal data when required by law, court order, or governmental authority, or when necessary to protect the rights, property, or safety of Cimplify, our users, or the public.

We retain personal data only for as long as necessary to fulfil the purposes described in this policy, unless a longer retention period is required or permitted by law.

• Account data: retained for the duration of your account and for 90 days after account deletion to allow recovery, after which it is permanently deleted or anonymised.
• Transaction records: retained for a minimum of 7 years to comply with tax, accounting, and anti-money-laundering regulations.
• Message content: retained for 12 months from the date of the message, unless the business configures a shorter retention period. After the retention period, message content is permanently deleted. Message metadata (timestamps, delivery status) may be retained in anonymised form for analytics.
• Opt-in consent records: retained for as long as the business-customer relationship is active, plus 3 years, to serve as evidence of consent.
• Server logs: retained for 90 days for security and debugging, then automatically purged.
• Cookies and analytics data: see Section 6 below for cookie-specific retention periods.

When data is no longer needed, it is either permanently deleted or irreversibly anonymised so that it can no longer be associated with you.

Our websites and applications use cookies, local storage, and similar technologies. Below is a summary of the cookies we use:

6.1 Strictly necessary cookies

These cookies are essential for the Services to function. They handle session management, authentication, and security. They cannot be disabled without breaking core functionality.

6.2 Analytics cookies

We use analytics tools to understand how visitors use our websites. These cookies collect information in aggregate form and help us improve the user experience. You may opt out via your browser settings or our cookie banner.

6.3 Meta / Facebook SDK cookies

Our website loads the Meta (Facebook) SDK to support the WhatsApp Embedded Signup flow and Facebook Login. The Meta SDK may set cookies on your device, including but not limited to:

• _fbp: used by Meta to deliver and measure advertising. Expires after 90 days.
• fr: used by Meta for advertising targeting and measurement. Expires after 90 days.
• sb, datr: browser identification cookies set by Meta. Expiry varies.

These cookies are governed by Meta's Privacy Policy. You can manage Meta cookies through your Facebook ad preferences or by using browser-level cookie controls.

6.4 How to manage cookies

Most browsers allow you to refuse or delete cookies. Note that disabling strictly necessary cookies may impair the functionality of the Services. For more information, visit your browser's help pages or allaboutcookies.org.

We implement technical and organisational measures designed to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256).
• Regular vulnerability assessments and penetration testing.
• Role-based access controls with the principle of least privilege.
• Audit logging of administrative and data-access actions.
• Incident response procedures with defined escalation paths.
• Employee access to personal data is limited to those who need it for their job function, and all staff with access are bound by confidentiality obligations.

No method of electronic transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. If you become aware of a security vulnerability, please contact us immediately at [email protected].

Depending on your location and applicable law (including the EU General Data Protection Regulation, the UK GDPR, Ghana's Data Protection Act 2012, Nigeria's NDPR, and South Africa's POPIA), you may have the following rights:

• Access: request a copy of the personal data we hold about you.
• Rectification: request correction of inaccurate or incomplete data.
• Erasure: request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
• Restriction of processing: request that we limit how we use your data in certain circumstances.
• Data portability: receive your data in a structured, commonly used, machine-readable format, or request transfer to another controller.
• Objection: object to processing based on our legitimate interests, including profiling.
• Withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
• Lodge a complaint: file a complaint with your local data protection authority.

To exercise any of these rights, contact our Data Protection Officer at [email protected]. We will respond to your request within 30 days (or sooner if required by applicable law). We may ask you to verify your identity before processing your request.

Cimplify operates globally and your data may be transferred to, and processed in, countries other than the country in which you reside. These countries may have data protection laws that differ from those in your jurisdiction.

When we transfer personal data outside the European Economic Area (EEA), United Kingdom, or other regions with data transfer restrictions, we rely on one or more of the following safeguards:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• Adequacy decisions by the European Commission or UK Secretary of State, where applicable.
• Your explicit consent, where no other mechanism is available.

Sub-processors such as Meta Platforms, Inc. are based in the United States and may process data subject to US law. Meta relies on its own data transfer mechanisms as described in its privacy policy.

The Services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us at [email protected] and we will take steps to delete that information promptly.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

• Post the updated policy on this page with a revised effective date.
• Notify you via email or an in-app notification at least 14 days before the changes take effect, where the changes materially affect your rights.

Your continued use of the Services after the effective date constitutes your acceptance of the updated policy.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Data Protection Officer:

If you are located in the European Union and are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority. If you are located in Ghana, you may contact the Data Protection Commission. If you are located in Nigeria, you may contact the Nigeria Data Protection Commission (NDPC).