WaAutoflow's commitment to the General Data Protection Regulation (EU) 2016/679 and UK GDPR.
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and European Economic Area (EEA). The UK GDPR applies similar requirements in Great Britain following Brexit.
WaAutoflow is committed to full compliance with GDPR and UK GDPR in all aspects of our operations. This page explains how GDPR applies to WaAutoflow, the roles we play in data processing, and how you can exercise your rights.
Data Minimisation
We only collect data strictly necessary for app functionality
Lawful Basis
Every processing activity has a documented legal basis under GDPR
Rights Response
All data subject requests acknowledged within 30 days
You (the Merchant) are the Data Controller for your customers' personal data. You determine the purposes and means of processing customer data through WaAutoflow.
As Controller, you are responsible for ensuring you have a lawful basis for processing, obtaining necessary consents, and providing customers with privacy information.
WaAutoflow acts as a Data Processor when processing your customers' data on your behalf to deliver the automation services.
As Processor, WaAutoflow processes data only on your documented instructions, maintains appropriate security measures, and assists you in fulfilling data subject rights.
Data Processing Agreement (DPA): GDPR Article 28 requires a written contract between controllers and processors. By using WaAutoflow, you enter into a Data Processing Agreement with us. The full DPA terms are incorporated into our Terms of Service. If you require a standalone signed DPA document, contact us at hello.waflows@gmail.com.
Under GDPR Article 6, every processing activity must have a lawful basis. WaAutoflow relies on the following legal bases:
The following categories of personal data are processed by WaAutoflow:
| Category | Examples | Purpose | Retention |
|---|---|---|---|
| Merchant Account Data | Store name, URL, owner name, email address, phone number, app configuration settings | Account management, service provision, support | Duration of app installation + 30 days post-uninstall |
| Customer Order Data | Customer name, phone number, order ID, order items, amounts, shipping address, order status | Sending WhatsApp automation messages configured by the merchant | Up to 12 months for operational records |
| WhatsApp Session Data | Linked-device session tokens, connection status | Maintaining WhatsApp connection for automation | Revoked immediately on disconnection or uninstall |
| Technical & Log Data | IP address, browser type, error logs, API call logs, performance metrics | Security, fraud prevention, service stability | Up to 90 days |
| Usage Analytics | Feature usage frequency, automation trigger counts (anonymised) | Product improvement, aggregated reporting | Indefinitely in anonymised/aggregated form |
| Support Communications | Emails, chat messages exchanged during customer support | Resolving support requests, training, quality assurance | Up to 2 years |
WaAutoflow does not process special categories of personal data (sensitive data) as defined under GDPR Article 9.
Data subjects (individuals whose data is processed) have the following rights under GDPR. Merchants can also exercise these rights in relation to their own data as a merchant/account holder.
You have the right to obtain confirmation of whether we process your personal data, and to receive a copy of that data along with information about how it is used.
Submit a Subject Access Request (SAR) to hello.waflows@gmail.com with subject: 'GDPR - Access Request'. We will respond within 30 days.
You have the right to request correction of inaccurate personal data we hold about you, and to have incomplete data completed.
Contact us at hello.waflows@gmail.com with subject: 'GDPR - Rectification Request', specifying what data needs correction.
You have the right to request deletion of your personal data where there is no compelling reason for its continued processing.
Submit a deletion request to hello.waflows@gmail.com with subject: 'GDPR - Erasure Request'. We will process and confirm within 30 days.
You have the right to request that we restrict processing of your personal data in certain circumstances - for example, while accuracy is contested or while an objection is being considered.
Contact us at hello.waflows@gmail.com with subject: 'GDPR - Restriction Request'.
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
Submit a portability request to hello.waflows@gmail.com with subject: 'GDPR - Portability Request'. Data will be provided in JSON or CSV format.
You have the right to object to processing of your personal data where processing is based on legitimate interests or for direct marketing purposes.
Contact us at hello.waflows@gmail.com with subject: 'GDPR - Objection'. Processing will cease unless we demonstrate compelling legitimate grounds.
Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of prior processing.
Withdrawal requests can be sent to hello.waflows@gmail.com with subject: 'GDPR - Withdraw Consent'.
You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
WaAutoflow does not engage in automated decision-making that produces legal effects on individuals.
Acknowledgement: Within 72 hours
Full Response: Within 30 days
Extension (complex): Up to 90 days (with notice)
WaAutoflow is operated from India. When we process data of EEA/UK individuals, we ensure appropriate safeguards are in place per GDPR Chapter V:
Standard Contractual Clauses (SCCs)
Where applicable, we use EU Commission-approved SCCs to ensure adequate protection for data transferred to non-EEA countries.
Adequacy Decisions
Transfers to countries with an EU adequacy decision are made without additional safeguards.
Processor Agreements
All sub-processors are contractually bound to process data only as instructed and to maintain appropriate security measures.
India is currently working towards an EU adequacy decision. In the meantime, we rely on Standard Contractual Clauses for transfers from the EEA to India. For details of the SCCs in use, contact hello.waflows@gmail.com.
Per GDPR Article 32, WaAutoflow implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk:
Encryption in Transit
All data transmitted between users, Shopify, and our servers uses TLS 1.2+ encryption
Encryption at Rest
Sensitive stored data is encrypted using industry-standard encryption algorithms
Access Controls
Role-based access controls ensure staff access only the minimum data necessary
Authentication
Multi-factor authentication required for all internal system access
Security Monitoring
Continuous monitoring for suspicious activity, intrusion attempts, and anomalies
Vulnerability Management
Regular security assessments, penetration testing, and prompt patching of vulnerabilities
Sub-processor Controls
All sub-processors are vetted and bound by Data Processing Agreements
Staff Training
Regular GDPR and security awareness training for all staff with data access
Incident Response
Documented incident response procedures for rapid containment and notification
Data Minimisation
Systems designed to collect and retain only the minimum data necessary for service delivery
In compliance with GDPR Articles 33 and 34, WaAutoflow has documented procedures for detecting, reporting, and investigating data breaches:
Security team identifies and contains the breach. Initial assessment of scope, type, and risk to individuals.
Full investigation of cause, data affected, number of individuals impacted, and potential consequences.
Where required, notify the competent Lead Supervisory Authority (per GDPR Article 33). Notification includes nature of breach, categories of data, approximate numbers affected, and measures taken.
Notify affected merchants where the breach is likely to result in a risk to their customers' rights and freedoms, including sufficient detail to allow them to meet their own notification obligations.
Where the breach is likely to result in a high risk to individuals' rights and freedoms, those individuals are notified directly with clear information about what happened and recommended protective steps.
Per GDPR Article 28(3)(d), we disclose all sub-processors used in delivering the Service. All sub-processors are bound by GDPR-compliant Data Processing Agreements:
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Shopify Inc. | App distribution, billing, store API | Canada (Adequate) | EU Adequacy Decision |
| Cloud Hosting Provider | Server infrastructure, data storage | India / Global | Standard Contractual Clauses |
| Meta / WhatsApp | WhatsApp message delivery | USA | SCCs + Meta DPA |
| Error Monitoring Service | Bug tracking, error logging | USA / EU | SCCs or EU hosting |
We will notify merchants of any intended changes to sub-processors (additions or replacements) with sufficient advance notice.
Data Protection Contact
For all GDPR-related enquiries and data subject requests
Subject Lines
GDPR - Access Request
GDPR - Erasure Request
GDPR - DPA Request
GDPR - Complaint
Address
18 Kadamb Bungalow, Ahmedabad, GJ 380015, India
Supervisory Authority
You have the right to lodge a complaint with a supervisory authority
EEA - Lead Supervisory Authority
Contact your local EU data protection authority. Find yours at: edpb.europa.eu
UK - Information Commissioner's Office (ICO)
ico.org.uk · 0303 123 1113
India - Data Protection Board
Under the Digital Personal Data Protection Act, 2023
Requesting a Data Processing Agreement (DPA)
If your organisation requires a standalone signed Data Processing Agreement (for example, for your own GDPR compliance documentation), please email hello.waflows@gmail.com with subject “GDPR - DPA Request”. We will provide a signed DPA document within 10 business days.
© 2026 WaAutoflow · Developed by NCS Global · Ahmedabad, India
Last updated January 2026