Privacy policy
Last updated: 2026-06-01
WhatPro ("WhatPro", "we", "us") is a Shopify application that helps merchants ("you", "the merchant") send WhatsApp messages to their customers via the Meta WhatsApp Business Cloud API. This Privacy Policy explains what data we collect, why we collect it, who we share it with, and the rights you and your customers have.
1. Who is the data controller?
For data about merchants (you, the Shopify store owner): WhatPro is the data controller. For data about your customers (people who buy from your Shopify store): you are the data controller; WhatPro is your data processor and acts only on your documented instructions.
2. What data we collect
From merchants
Shopify shop domain, store name, country, currency, and email (provided by Shopify on install).
WhatsApp Business Account ID, phone number ID, and an OAuth access token granted by you via Meta's Embedded Signup. Tokens are encrypted at rest using AES-256-GCM.
App configuration you create — flow templates, popup copy, discount codes, schedules.
Billing information (handled entirely by Shopify Billing API — WhatPro never sees card numbers).
From your customers (on your behalf)
Phone number (E.164 format) and country code, used to send WhatsApp messages.
Order data you choose to surface in messages: order number, total, customer first name, shipping carrier, tracking number.
Newsletter subscription opt-in, IP address, and user agent, captured at the moment of subscription to prove consent under GDPR.
Message delivery metadata returned by Meta: sent / delivered / read / clicked timestamps and any error codes.
What we do NOT collect
The content of customer replies on WhatsApp (Meta retains those, not us).
Customer credit-card data (Shopify and the customer's payment provider handle that).
Browsing behaviour outside the explicit storefront popup interactions.
3. How we use the data
To send the WhatsApp messages you configured (order confirmations, abandoned-cart reminders, newsletter messages, cross-sell follow-ups).
To enforce your settings — country gating, business-hours scheduling, blocked-phone lists, cooldowns.
To compute analytics for your dashboard (messages sent, delivered, conversion rate, revenue attributed).
To bill you for usage of paid plans via Shopify.
To investigate abuse of the WhatsApp Business Policy (spam, prohibited content) — required by Meta.
We never sell, rent, or share your data with advertisers. We do not use your data to train AI models.
4. Who we share data with
Meta Platforms, Inc. — every WhatsApp message is delivered through the Meta WhatsApp Business Cloud API. Customers' phone numbers and message content are processed by Meta under Meta's Business Messaging Policy and Privacy Policy.
Shopify Inc. — we read order, customer and product data through the Shopify Admin API, scoped to the permissions you grant on install. Shopify Privacy Policy applies.
Google Cloud Platform — our application servers and databases are hosted on Google Cloud in the European Union (europe-west1 region). Google Cloud is a SOC 2 / ISO 27001 compliant infrastructure provider.
Sentry — we use Sentry for error monitoring. Error reports are scrubbed of personal data before transmission.
Law enforcement — only when compelled by valid legal process, and only the minimum necessary data.
5. Data retention
Active merchant data — kept for the lifetime of the install.
After uninstall — kept for 60 days (so you can reinstall without losing settings), then permanently deleted.
Message logs — kept for 12 months for analytics, then aggregated and the row-level records deleted.
Newsletter subscribers who unsubscribe — flag set to UNSUBSCRIBED but the record stays for 24 months as proof of opt-in / opt-out (regulatory requirement).
Customer support tickets — 24 months.
6. Your customers' rights (GDPR / CCPA / PDPL)
Customers of merchants using WhatPro have the right to:
Access the personal data we hold about them.
Correct inaccurate data.
Delete their data.
Withdraw consent at any time by replying STOP to any WhatsApp message we send, or by using the unsubscribe link in the newsletter popup.
Object to processing or request data portability.
To exercise any of these rights, write to info@whatpro.app. We respond within 30 days.
7. Data security
All data in transit is encrypted with TLS 1.2+.
Meta access tokens are encrypted at rest using AES-256-GCM with a key stored separately from the database.
Our database runs in a private network on Google Cloud and is not exposed to the public internet.
Production access is restricted to the founding team via SSO + 2FA.
We log every administrative action for audit purposes.
8. International transfers
WhatPro processes data on Google Cloud infrastructure located in the European Union. For any transfer of personal data outside the EEA, we rely on Standard Contractual Clauses (SCCs). Meta's WhatsApp infrastructure may process messages in additional regions per Meta's policies.
9. Children
WhatPro is not directed at children under 13 (or under 16 in the EEA). We don't knowingly collect data from children. If you believe a child has provided personal data, contact us and we will delete it.
10. Cookies
This site uses one essential cookie to remember the merchant's chosen language. The Shopify embedded admin sets a session cookie required for authentication. We do not use third-party advertising cookies.
11. Changes to this policy
We may update this Privacy Policy. Material changes will be communicated via the email on file with Shopify at least 30 days before they take effect. The "Last updated" date at the top reflects the most recent change.
12. Contact
info@whatpro.app
To request deletion of your data, see our Data Deletion Instructions: https://whatpro.app/pages/data-deletion