Privacy Policy
This Privacy Policy describes how [COMPANY_NAME] ("we", "us") collects, uses, and protects information when you use the WhatsApp Dashboard service (the "Service").
1. What we collect
Account information
- Email address (for authentication)
- Workspace name and the names of teammates you invite
- Hashed password (managed by our auth provider, Supabase)
WhatsApp content
- Phone numbers and WhatsApp identifiers (JIDs) of numbers you link, and of the contacts they message
- Messages received and sent through linked numbers, including text and metadata (timestamps, group/individual flag, sender name)
- Internal notes you add to chats
- WhatsApp session credentials from the linking step, stored on a persistent volume on our infrastructure
Operational data
- Server logs (request IDs, timestamps, IP addresses, error stack traces)
- Error reports from Sentry, if enabled
2. How we use it
We use the information above to operate, secure, and improve the Service — specifically to authenticate you, route messages to the right workspace, deliver real-time updates over WebSocket, enforce per-workspace access controls, and diagnose problems.
We do not sell your data and we do not use your message content for advertising, model training, or any purpose other than running the Service.
3. Encryption
Sensitive chat fields — chat names, last-message previews, message bodies, sender names, and internal notes — are encrypted at rest with AES-256-GCM using a per-workspace Data Encryption Key (DEK). The DEK is itself encrypted by a master Key Encryption Key (KEK) that is held in our infrastructure, separate from the database. Phone numbers, JIDs, message IDs, and timestamps are stored in plaintext because the application needs to query on them.
Data in transit is protected with TLS (HTTPS / WSS). WhatsApp's own end-to-end encryption applies between linked devices and the WhatsApp servers; we receive messages already decrypted, in the same way the WhatsApp Web client does.
4. Sub-processors
Your data is hosted by the following sub-processors. See our Terms of Service for the current list. All sub-processors are contractually required to handle data only for the purposes of operating the Service.
5. Retention
- Account and workspace data: kept while your workspace is active. Deleted within 30 days of workspace deletion.
- Encrypted chat content and notes: same retention as the workspace.
- Server logs: 30 days, then automatically rotated.
- Sentry error reports (if enabled): 30 days.
6. Your rights
Depending on where you live, you may have the right to access, correct, export, or delete the personal data we hold about you, and to object to or restrict certain processing. To exercise these rights, email privacy@superhyre.com. We will respond within 30 days.
Note that messages we hold on your behalf are also personal data of the people you have spoken to. If they contact us directly, we will route their request through you as the workspace administrator.
7. Security
We rely on a small set of well-known providers (Supabase, Railway, Vercel) to keep the underlying infrastructure secure. Application-level controls include:
- JWT-based authentication with a short token lifetime
- Per-workspace access control on every API call
- Rate limits on login, mutation, and bulk-send endpoints
- Strict CORS and Content Security Policy
- AES-256-GCM envelope encryption of chat content (see §3)
No system is perfectly secure. If we discover a breach affecting your data, we will notify you within 72 hours of confirmation.
8. Children
The Service is not intended for users under 18. We do not knowingly collect data from children.
9. Changes
We may update this policy from time to time. Material changes will be announced in-app or by email at least 14 days before they take effect.
10. Contact
Privacy questions: privacy@superhyre.com. General support: support@superhyre.com.