Weflux ("Weflux", "we", "us", or "our") is a customer engagement platform operated by Serves ("Serves") that helps businesses communicate with their customers through the WhatsApp Business Platform provided by Meta Platforms, Inc. This Privacy Policy explains how we collect, use, store, share, and protect personal information when you use our website (wachat.serves.in) and our application (wachats.serves.in) (collectively, the "Service").
By accessing or using the Service you agree to this Privacy Policy. If you do not agree, please do not use the Service.
1. Who this Policy Applies To
- Business Users — companies and their employees who sign up for and operate a Weflux workspace.
- End Users — your customers who message your business via WhatsApp and whose information flows through Weflux. We process End User data as a data processor on behalf of the Business User, who is the data controller.
- Website Visitors — anyone who browses our marketing website.
2. Information We Collect
2.1 Business User Information
- Account details: name, email address, password (stored as a bcrypt hash), organization name, workspace slug, role.
- Billing information (when applicable) such as company name, GST number, and payment details processed by our payment partners.
- Communication preferences and support correspondence.
2.2 WhatsApp Business Account Credentials
- WhatsApp Business Account ID (WABA ID), Phone Number ID, display name, phone number, and quality rating provided by Meta.
- Permanent System User access tokens, which are encrypted at rest using AES‑256 before being stored.
- Webhook verify tokens generated by Weflux and shared with you for Meta webhook configuration.
2.3 End User (Customer) Data
When an End User messages your business, WhatsApp forwards the message to Weflux via Meta webhooks. We process:
- WhatsApp phone number and profile display name.
- Message content (text, images, documents, audio, video, location, contacts) sent to or from your business.
- Delivery and read receipts.
- Custom contact attributes that you, as a Business User, choose to attach to a contact (e.g. lifecycle stage, tags, notes).
2.4 Usage Data
- Log data: IP address, browser type, device identifiers, pages visited, timestamps, and referrer URLs.
- Performance and crash data used to diagnose issues.
2.5 Cookies
See our Cookie Policy.
3. How We Use Information
- To deliver and operate the Service — including authenticating you, routing messages between WhatsApp and your dashboard, and storing conversation history.
- To send and receive WhatsApp messages on your behalf via Meta's Cloud API.
- To provide product support and respond to your queries.
- To bill you for paid plans and prevent fraud.
- To improve and secure the Service through aggregated, de‑identified analytics.
- To comply with legal obligations and enforce our Terms of Service.
4. Legal Bases for Processing (GDPR)
For users in the European Economic Area, the United Kingdom, or India (DPDP Act 2023), our legal bases are:
- Contract — to provide the Service you signed up for.
- Legitimate interest — to secure, debug, and improve the Service.
- Consent — for optional analytics cookies and marketing emails.
- Legal obligation — when we must respond to lawful requests.
5. How We Share Information
We do not sell personal data. We share information only as follows:
- Meta Platforms, Inc. — message content, recipient phone number, and template payloads are sent to Meta's WhatsApp Cloud API in order to deliver messages, as required by the platform.
- Infrastructure providers — Vercel (hosting), Supabase (PostgreSQL database, EU/US regions), and Upstash (Redis cache). These providers process data on our behalf under data processing agreements.
- Payment processors — for billing transactions; payment card data never touches our servers.
- Legal authorities — when required by court order, subpoena, or other legally binding process.
- Business transfers — in connection with a merger, acquisition, or sale, where the acquirer is bound by this Privacy Policy.
6. WhatsApp Business Platform Compliance
Because Weflux operates on the WhatsApp Business Platform, the following Meta policies also apply to data flowing through Weflux:
Business Users are responsible for obtaining valid opt‑in consent from End Users before initiating WhatsApp conversations, and for honouring opt‑out (STOP) requests promptly, as required by Meta's Business Messaging Policy.
7. Data Retention
- Account and workspace data — retained for as long as your account is active, plus 30 days after deletion.
- WhatsApp messages — retained for up to 24 months by default; Business Users can request shorter retention via privacy@serves.in.
- Access logs — retained for 90 days.
- Backups — retained for up to 35 days.
8. Data Security
- All data in transit is encrypted with TLS 1.2 or higher.
- Access tokens and other secrets are encrypted at rest using AES‑256.
- Passwords are hashed with bcrypt (cost factor 10+).
- Role‑based access control inside your workspace (Admin / Manager / Agent).
- Audit logs of administrative actions.
- Database backups are encrypted and geographically isolated.
For more detail see our Security page.
9. International Data Transfers
Your data may be processed in countries other than your own, including India, the European Union, and the United States, where our infrastructure providers operate. Where required, we rely on Standard Contractual Clauses or equivalent safeguards.
10. Your Rights
Depending on your jurisdiction, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data.
- Erase your data (see Data Deletion).
- Restrict or object to processing.
- Receive your data in a portable format.
- Withdraw consent at any time without affecting prior lawful processing.
- Lodge a complaint with your local data‑protection authority.
To exercise any right, email privacy@serves.in. We respond within 30 days.
11. Children's Privacy
The Service is not directed to children under 13 (or under 16 in the EEA). We do not knowingly collect personal data from children. If you believe a child has provided us with information, contact privacy@serves.in.
12. Changes to this Policy
We may update this Privacy Policy from time to time. We will give notice of material changes through the Service or by email at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the latest revision.
13. Contact Us
Data Controller: Serves
Address: India
Email (privacy): privacy@serves.in
Email (support): support@serves.in