GDPR Compliance

1. What is GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It applies to all organizations that process personal data of individuals in the European Union, regardless of where the organization is located. GDPR gives individuals more control over their personal data and imposes strict obligations on organizations that collect and process this data.

2. Our Role Under GDPR

As a Data Controller

When we collect your personal data for our own purposes (account registration, billing, marketing), we act as a data controller. We determine how and why your data is processed.

As a Data Processor

When processing your customers' data through our WhatsApp automation platform, we act as a data processor on your behalf. You remain the data controller for your customers' data.

3. Your GDPR Rights

Under GDPR, you have the following rights regarding your personal data:

4. Lawful Basis for Processing

We process personal data under the following lawful bases:

• Contract: Processing necessary to fulfill our service agreement with you
• Consent: Marketing communications and optional features (you can withdraw anytime)
• Legitimate Interest: Security monitoring, fraud prevention, service improvement
• Legal Obligation: Tax records, regulatory compliance, law enforcement requests

5. Data Processing Agreement

When you use WhatsBot AI to process your customers' data, we act as your data processor. Our Data Processing Agreement (DPA) covers:

• The subject matter and duration of processing
• Nature and purpose of data processing
• Categories of personal data processed
• Your rights and obligations as data controller
• Our obligations as data processor
• Sub-processor authorization and notification
• Data breach notification procedures
• Audit rights and compliance verification

6. International Data Transfers

When transferring personal data outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions for countries with equivalent data protection
• Binding Corporate Rules for intra-group transfers
• Your explicit consent for specific transfers (when applicable)

7. Data Retention

We retain personal data only for as long as necessary:

8. Security Measures

We implement appropriate technical and organizational measures to protect your data:

• End-to-end encryption for all data in transit (TLS 1.3)
• AES-256 encryption for data at rest
• Multi-factor authentication options
• Regular security audits and penetration testing
• Access controls and employee training
• Incident response and data breach procedures
• SOC 2 Type II certification
• Regular backup and disaster recovery testing

9. Data Breach Notification

In the event of a data breach that is likely to result in a risk to your rights and freedoms:

• We will notify you within 72 hours of becoming aware of the breach
• Our notification will describe the nature of the breach
• We will provide contact details for our Data Protection Officer
• We will describe likely consequences and measures taken
• We maintain detailed records of all security incidents

10. How to Exercise Your Rights

You can exercise your GDPR rights in several ways:

We will respond to all requests within 30 days. Complex requests may take up to 60 days, and we will inform you if an extension is needed.

12. Supervisory Authority

If you are not satisfied with our response to your request or believe we are processing your data unlawfully, you have the right to lodge a complaint with a supervisory authority in your country of residence. For users in Israel, this is the Privacy Protection Authority (PPA).