Privacy Policy

Last updated: January 26, 2025

1. Data Controller

The data controller responsible for processing your personal data is:

Mazdek GmbH
Kirchbergstrasse 4C
8512 Thundorf
Canton TG, Switzerland

Phone: +41 77 415 81 06
Email: [email protected]
Website: https://mazdek.ch

WhatsOrder is a product of Mazdek GmbH.
Product Website: https://whatsorder.ch
Privacy Contact: [email protected]

2. Legal Framework

This Privacy Policy is based on the following legal frameworks:

  • Swiss Federal Act on Data Protection (FADP/DSG) - SR 235.1, effective September 1, 2023
  • Swiss Data Protection Ordinance (DPO/DSV) - SR 235.11
  • EU General Data Protection Regulation (GDPR) - Where applicable to EU/EEA residents
  • Swiss Unfair Competition Act (UCA/UWG) - SR 241

3. Data We Collect

We collect and process the following categories of personal data:

3.1 Account Data

  • Name, email address, profile picture (from Facebook OAuth)
  • OAuth authentication tokens and session data
  • Language preferences

3.2 Business Data

  • Business name, address, and registration details
  • Contact information (phone, email)
  • WhatsApp Business configuration
  • Product catalog and pricing information
  • Working hours and delivery settings

3.3 Customer Data (Your Customers)

  • Customer names and phone numbers
  • Delivery addresses
  • Order history and preferences
  • Communication history via WhatsApp

3.4 Technical Data

  • IP addresses and device information
  • Browser type and version
  • Operating system
  • Session and cookie data
  • Log files and error reports

3.5 Payment Data

  • Subscription and billing information
  • Payment transaction records (processed by Stripe)
  • Invoice history

4. Processing Purposes

We process your data for the following purposes:

4.1 Contract Performance

  • Providing WhatsApp order management services
  • Processing and managing customer orders
  • Synchronizing product catalogs with WhatsApp
  • Processing subscription payments

4.2 Legitimate Interests

  • Improving and developing our services
  • Analyzing usage patterns (anonymized)
  • Preventing fraud and ensuring security
  • Technical support and troubleshooting

4.3 Legal Obligations

  • Tax documentation and accounting (7-10 years)
  • Responding to legal requests from authorities
  • Compliance with Swiss commercial law

5. Data Recipients

We may share your data with the following categories of recipients:

5.1 Meta Platforms (WhatsApp)

WhatsApp Business API for messaging functionality. Meta is headquartered in the USA. Data transfers are covered by the EU-US Data Privacy Framework and Standard Contractual Clauses.

5.2 Stripe Inc.

Payment processing for subscriptions. Stripe is certified under PCI DSS Level 1. Privacy policy: stripe.com/privacy

5.3 Hetzner Online GmbH

Server hosting and infrastructure (Hetzner Online GmbH, Germany). All databases (PostgreSQL, Redis) and search services (Meilisearch) are hosted on Hetzner servers in German data centers. Privacy policy: hetzner.com/legal/privacy-policy

5.4 Functional Software Inc. (Sentry)

Error tracking and application monitoring (Functional Software Inc., USA). Sentry processes technical error data and log information. Privacy policy: sentry.io/privacy

5.5 Authorities

We may disclose data to Swiss authorities when required by law or court order.

6. International Data Transfers

Some of our service providers are located outside Switzerland and the European Economic Area. When transferring data internationally, we ensure adequate protection through:

  • EU Adequacy Decision: The EU has recognized Switzerland as providing adequate data protection
  • Standard Contractual Clauses (SCCs): EU-approved contractual safeguards
  • EU-US Data Privacy Framework: For US-based providers that are certified

7. Data Retention

We retain personal data only as long as necessary for the purposes described above, or as required by law:

Data Category            Retention Period                   Legal Basis
Account Data             Until account deletion + 30 days   Contract
Order/Transaction Data   10 years                           OR Art. 958f (Accounting)
Invoice/Payment Data     7 years                            Tax regulations
Chat Messages            Until account deletion             Contract
Log Files                90 days                            Security

8. Your Rights

Under the Swiss Federal Act on Data Protection (FADP) and GDPR (where applicable), you have the following rights:

8.1 Right of Access (FADP Art. 25)

You can request information about the personal data we hold about you.

8.2 Right to Rectification (FADP Art. 6)

You can request correction of inaccurate or incomplete data.

8.3 Right to Erasure (FADP Art. 17)

You can request deletion of your personal data, subject to legal retention requirements. See our Data Deletion page for details.

8.4 Right to Data Portability (FADP Art. 28)

You can request a copy of your data in a structured, commonly used format (JSON/CSV).

8.5 Right to Object (FADP Art. 30)

You can object to processing of your data based on legitimate interests.

8.6 Right to Withdraw Consent

Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

9. Automated Decision-Making

WhatsOrder does not use automated decision-making or profiling that produces legal effects or significantly affects you. Our AI-powered features (such as text improvement) are assistive tools that always allow human review and override.

10. Cookies and Tracking

We use essential cookies for authentication and session management. We do not use third-party advertising or tracking cookies. Analytics data is processed anonymously.

11. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption in transit (TLS 1.3) and at rest
  • Secure authentication via OAuth 2.0 (Facebook Login)
  • Role-based access controls and audit logging
  • Multi-tenant data isolation at database level
  • Data center security (Hetzner, ISO 27001 certified)

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the platform at least 30 days before they take effect.

13. Contact & Complaints

For any questions about this Privacy Policy or to exercise your rights, contact us at:

Email: [email protected]
Address: Mazdek GmbH, Kirchbergstrasse 4C, 8512 Thundorf, Switzerland

We aim to respond to all requests within 30 days as required by FADP.

If you are not satisfied with our response, you have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC):

Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB)
Feldeggweg 1
3003 Bern
Switzerland
www.edoeb.admin.ch

This Privacy Policy complies with the Swiss Federal Act on Data Protection (FADP/DSG), the Swiss Data Protection Ordinance (DPO/DSV), and where applicable, the EU General Data Protection Regulation (GDPR).

Jurisdiction: Thurgau, Switzerland
