Privacy Policy

1. Our Role

Creatyvot provides software that helps businesses connect approved WhatsApp Business assets, Meta app permissions, customer conversations, team inboxes, broadcasts, automations, templates, and CRM records. We do not replace Meta, WhatsApp, your CRM, or your business account. We provide the technology layer that allows your authorized systems to communicate with each other in a controlled and auditable way.

Depending on how you use the platform, we may act as a data processor, service provider, or technology vendor on behalf of your business. Your business remains responsible for deciding what customer data is collected, why it is collected, how messages are sent, whether contacts have consented, and whether your campaigns comply with applicable law and Meta's policies.

Where applicable, your business is the controller or business owner of customer data, and Creatyvot acts as a processor, service provider, or subprocessor for the limited purpose of providing the platform. If a separate data processing agreement is required by law or by your organization, it must be agreed in writing before it applies.

2. Information We Collect

We may collect and process the following categories of information when you use Creatyvot:

• Account information: name, email address, phone number, company name, billing details, role, login activity, and support requests.
• Business and CRM information: contacts, leads, tags, notes, assignments, pipelines, customer status, preferences, conversation ownership, and related business records you add or sync.
• WhatsApp and Meta information: WhatsApp Business Account IDs, phone number IDs, display names, templates, webhook events, message statuses, app permission status, business verification state, and Meta approval details.
• Conversation data: customer phone numbers, message content, attachments, timestamps, delivery status, opt-in or opt-out status, and agent replies required to operate inbox, automation, and CRM features.
• Technical information: IP address, browser, device type, logs, API request metadata, error reports, security events, and performance data.
• Payment and subscription information: plan details, invoices, payment status, billing address, and transaction references processed through our payment providers.

Cookies, Analytics, and Similar Technologies

We may use cookies, local storage, session storage, pixels, analytics tools, and similar technologies to keep you signed in, remember preferences, protect sessions, measure usage, troubleshoot errors, improve performance, prevent abuse, and understand how visitors use our website and product pages. You can control certain cookies through your browser settings, but disabling essential cookies may affect login, security, and platform functionality.

3. How We Use Data

We use data only for legitimate business and platform purposes, including to:

• connect your approved Meta and WhatsApp Business assets with Creatyvot and your CRM;
• send, receive, route, store, and display WhatsApp conversations for authorized users;
• manage templates, campaigns, automations, broadcasts, contact records, and team inbox workflows;
• sync data between Creatyvot and third-party systems that you authorize;
• provide support, troubleshoot errors, detect misuse, and protect platform security;
• maintain audit records, delivery logs, and service reliability;
• send billing, account, operational, and policy-related communications;
• meet legal, tax, security, regulatory, and compliance obligations.

We do not sell customer conversation data. We do not use your customers' WhatsApp messages to build unrelated advertising profiles. We access message and CRM data only as needed to provide the service, support your authorized use, maintain security, comply with law, or investigate abuse.

We may monitor account activity, usage patterns, message volume, API usage, login activity, campaign behavior, and integration events to detect spam, abuse, malware, security threats, unauthorized access, policy violations, service misuse, or platform stability risks.

4. Data Privacy and Encryption

We use reasonable technical and organizational safeguards designed to protect business and customer data from unauthorized access, loss, misuse, alteration, or disclosure. These safeguards may include encrypted transport, encrypted storage where appropriate, access controls, authentication, least-privilege access, logging, secure credential handling, infrastructure monitoring, and operational review.

WhatsApp messages are protected by Meta's infrastructure while they are handled inside the WhatsApp ecosystem. When data is delivered to Creatyvot through approved APIs and webhooks, we protect it within our application and infrastructure using commercially reasonable security practices. No internet-based service can guarantee absolute security, but we work to reduce risk and respond promptly to security concerns.

We may use MongoDB Atlas as part of our database infrastructure to store application, CRM, conversation, audit, and operational data. MongoDB Atlas may provide managed database hosting, replication, monitoring, security controls, and continuous or scheduled backup capabilities to help protect data availability and recovery.

We may use Cloudflare services for security, traffic protection, performance, DNS, firewall, DDoS mitigation, bot protection, caching, routing, monitoring, and backup or recovery-related services where configured. Cloudflare may process technical information such as IP addresses, request metadata, security events, device/browser details, and traffic logs as needed to protect and operate the platform.

Creatyvot is provided as a multi-tenant SaaS platform. Each business workspace is logically isolated from other workspaces through account boundaries, authorization checks, role-based permissions, tenant-aware data access controls, and operational safeguards. Your users should only see and manage data belonging to the workspace, WhatsApp assets, CRM connections, and integrations they are authorized to access.

We design the platform to prevent one customer from accessing another customer's data. If we discover or suspect unauthorized cross-workspace access, we will investigate, restrict access where appropriate, and take reasonable steps to protect affected data. Customers are responsible for managing their own internal users, roles, shared devices, exported files, API keys, webhooks, and connected third-party systems.

You are responsible for securely storing and protecting your own passwords, Meta credentials, CRM credentials, API keys, webhook secrets, third-party app tokens, recovery codes, devices, and administrator accounts. We provide platform controls and security safeguards, but you must keep your credentials confidential, rotate them when needed, remove access for former users, and avoid sharing sensitive access details through insecure channels.

If we become aware of a security incident that affects personal data or customer data, we will investigate and take reasonable steps to contain and remediate it. We will notify affected customers when required by applicable law or when we believe notice is reasonably appropriate based on the nature of the incident.

5. Meta, WhatsApp, and App Approval

Creatyvot relies on Meta's WhatsApp Business Platform, approved Meta apps, business permissions, phone number verification, template approvals, webhooks, and related Meta systems. Some features require Meta review, Meta app approval, business verification, payment method configuration, message template approval, or additional permissions before they can be used in production.

Meta may approve, reject, limit, pause, suspend, or revoke access to an app, phone number, template, WhatsApp Business Account, business portfolio, or API permission. These decisions are controlled by Meta. Creatyvot can help you connect and manage the approved assets, but we cannot guarantee Meta approval or override Meta's enforcement decisions.

Meta business verification is handled by Meta directly with your business or the customer-side Meta Business account. Meta may take several days, longer periods, or an unknown amount of time to review, request documents, approve, reject, pause, or move a business verification into additional review. Creatyvot does not control Meta's verification timeline and is not responsible for delays, rejection, under-review status, or approval outcomes.

Where practical, Creatyvot may provide support, troubleshooting, documentation, configuration guidance, issue review, and assistance with contacting or following up with Meta support about app, business, template, phone number, webhook, or account issues. Any information shared with Meta support may be processed by Meta under Meta's own terms and privacy practices. Meta remains responsible for its support process, response time, investigation, and final decision.

6. Responsibility for Meta Policy Compliance

Your business is responsible for following all applicable Meta, WhatsApp, messaging, privacy, marketing, telecom, consumer protection, and data protection rules. This includes obtaining valid opt-ins, honoring opt-outs, using approved templates correctly, avoiding spam, avoiding prohibited content, and making sure messages are expected, lawful, accurate, and relevant.

If your business, team, customer list, template, automation, integration, or campaign violates Meta's policies or applicable law, Creatyvot is not responsible for Meta enforcement actions, rejected templates, quality rating reductions, messaging limits, phone number restrictions, account suspension, business verification issues, loss of access, penalties, customer complaints, or other consequences caused by that violation. Those matters are handled by Meta and the relevant platform or authority.

7. Coexistence and Regular WhatsApp API Usage

Some businesses use WhatsApp Business App coexistence, while others use the regular WhatsApp Business Platform API model. Coexistence may allow certain app and API experiences to operate together, subject to Meta availability, region, account status, device status, and feature limitations. Regular API usage generally depends on approved phone numbers, templates, webhooks, and API-based messaging workflows.

The exact behavior of coexistence, app access, message visibility, history availability, phone number migration, billing, limitations, and feature support is controlled by Meta. We may display, sync, or act on the data that Meta makes available through authorized APIs, but we do not control Meta's product behavior or guarantee that every WhatsApp app feature will be available inside Creatyvot.

8. Sharing and Subprocessors

We may share data only when needed to operate the service or comply with obligations, including with:

• Meta, WhatsApp, and related platform services for message delivery, template review, account connection, and webhook processing;
• cloud hosting, storage, database, backup, monitoring, security, analytics, payment, email, and support providers, including services such as MongoDB Atlas and Cloudflare where used;
• authentication providers, including Google, when you choose one-click login or signup;
• CRM, automation, webhook, or integration providers that you choose to connect;
• professional advisers, auditors, regulators, law enforcement, or courts where legally required;
• successor entities in connection with a merger, acquisition, financing, restructuring, or sale of business assets.

We require service providers to process data only for authorized purposes and to protect it using appropriate safeguards. Third-party services that you connect may have their own privacy practices, and your use of those services is governed by their terms and policies.

Meta may collect or process payment information for WhatsApp Business Platform messaging charges, conversation fees, template message fees, taxes, or related Meta services. Creatyvot does not manage, store, or control the card details or payment methods you provide directly to Meta for WhatsApp message payments. Those payment details are handled by Meta under Meta's own payment terms and privacy practices.

If you use Google one-click login or signup, Google may share authentication information with Creatyvot, such as your name, email address, profile image, account identifier, and login status, depending on the permissions shown during authentication. We use this information to create your account, sign you in, reduce login friction, protect account access, and maintain authentication records.

9. User-Connected Third-Party Apps and APIs

Creatyvot may allow you to connect user-provided third-party applications, APIs, webhooks, automation tools, and business systems. Examples include external CRMs, ecommerce platforms, order management tools, payment systems, helpdesks, analytics tools, n8n workflows, Zapier-style automations, custom backend APIs, lead forms, and other services selected by your business.

When you connect these services, Creatyvot may send, receive, sync, transform, or trigger data between Creatyvot and the connected system based on your configuration. This may include contacts, leads, WhatsApp messages, customer identifiers, order information, tags, notes, assignment data, conversation status, template events, webhook payloads, chatbot outputs, and other CRM or business workflow data.

We apply safety measures designed to support secure integrations, such as authorization checks, workspace-level access boundaries, encrypted transport where supported, credential handling safeguards, logging, permission controls, and limiting integrations to the data required for the configured workflow. However, once data is sent to a third-party app, API, webhook endpoint, n8n flow, ecommerce platform, or external CRM that you authorize, that service's own security, privacy, retention, and deletion practices may apply.

You are responsible for choosing trustworthy third-party services, confirming you have authority to connect them, keeping API keys and webhook URLs secure, reviewing permissions, testing flows before production, preventing accidental data exposure, and ensuring integrations comply with customer consent, privacy law, Meta policies, and your own business obligations.

10. AI Chatbot Conversation Data Sharing

If you enable an AI chatbot, AI assistant, automated reply feature, or connect a third-party AI provider through Creatyvot, conversation data may be shared with that AI system so it can understand the customer's message, generate a response, summarize a conversation, classify intent, update CRM fields, route a chat, or perform another automation that you configure.

You may be able to select the AI provider used for chatbot conversations, such as ChatGPT/OpenAI, Gemini/Google, or another supported AI provider. The provider you select determines where the relevant chatbot data is sent for processing, subject to your configuration and the provider's own terms, privacy policy, security controls, retention settings, and model training options.

The data shared with an AI chatbot may include customer messages, business replies, phone numbers, names, CRM notes, tags, order or lead details, conversation history, attachments, metadata, and instructions or knowledge base content supplied by your business. We only send the data needed for the enabled chatbot feature or integration, but the exact data processed depends on your configuration, prompts, connected tools, and selected AI provider.

You are responsible for informing your customers where required that AI or automated systems may assist with conversations, and for obtaining any consent, agreement, disclosure, or lawful basis required by privacy, consumer protection, telecom, employment, industry, or AI-specific laws. You are also responsible for reviewing chatbot responses, configuring guardrails, preventing sensitive data misuse, and ensuring automated replies do not make unlawful, misleading, discriminatory, medical, financial, legal, or binding commitments without proper human review.

Third-party AI providers may process conversation data under their own terms, privacy policies, security practices, retention rules, and model training settings. You are responsible for choosing an AI provider appropriate for your business, region, customers, and compliance requirements. Creatyvot is not responsible for how a third-party AI provider processes data after you authorize the connection, except where required by law or a written agreement with us.

11. Data Retention and 60-Day Deletion Policy

We retain account, CRM, WhatsApp, message, audit, billing, and technical data only for as long as needed to provide the service, support your account, meet legal obligations, resolve disputes, prevent abuse, maintain security, and preserve legitimate business records.

After you connect WhatsApp to Creatyvot, our infrastructure may continuously receive, process, store, index, secure, and back up incoming message events, delivery statuses, conversation updates, webhook events, CRM changes, and related operational records, even during periods when your team is not actively using the dashboard. This ongoing processing helps preserve inbox continuity, message history, audit trails, recovery capability, and service reliability.

When you request deletion of your workspace, customer data, or connected WhatsApp/CRM data, we will delete or anonymize eligible production data within 60 days, unless a longer retention period is required by law, security needs, fraud prevention, tax records, dispute resolution, backups, or legitimate business obligations. Backup copies may persist for a limited period until they are overwritten or securely removed through our normal backup lifecycle.

We may retain audit logs, access logs, API logs, webhook logs, billing records, message delivery records, abuse investigation records, and security events for longer periods where needed for legal compliance, fraud prevention, security, dispute resolution, platform reliability, or legitimate business purposes.

12. Your Controls and Customer Rights

You can access, update, export, correct, or delete certain account and CRM information through the platform or by contacting us. You are responsible for honoring your customers' rights requests when you are the business controller of that data, including requests to access, correct, delete, restrict, or opt out of communications.

You should export any business records, CRM data, message history, reports, or files you need before cancelling, deleting, or closing a workspace. After deletion, suspension, expiration, or the end of an applicable retention period, some data may no longer be available for export or recovery.

If a customer contacts us directly about data controlled by your business, we may direct that customer to your business unless we are legally required to respond directly. We may assist you with reasonable data requests where technically possible and where the request is consistent with applicable law and platform limitations.

13. International Transfers

Creatyvot, Meta, cloud providers, and connected services may process data in countries other than the country where you or your customers are located. Where required, we use appropriate safeguards for international transfers and expect customers to use the platform in compliance with their regional privacy and data transfer obligations.

14. Children's Data and Sensitive Data

Creatyvot is designed for business use and is not intended for children. You must not knowingly upload, message, or process children's data unless you have a lawful basis and all required consents. You should not use Creatyvot to collect or send highly sensitive data unless it is legally permitted, necessary for your business purpose, and protected by appropriate safeguards.

15. Changes to This Policy

We may update this Privacy Policy as our service, legal obligations, security practices, or Meta platform requirements change. If changes are material, we will take reasonable steps to notify you through the platform, email, or another appropriate channel. Continued use of Creatyvot after an update means the updated policy applies from its effective date.

16. Contact Us

If you have questions about this Privacy Policy, data privacy, deletion requests, security, or how Creatyvot handles WhatsApp and CRM data, please contact us at [email protected]. For account support, billing, abuse, or security issues, you may also contact [email protected].