This Privacy Policy describes how WhatsApp Gateway ("we", "us") collects, uses and shares personal data when you use the Service at wapi.aramin.co. It is written to comply with the GDPR (European Economic Area & United Kingdom), the CCPA/CPRA (California) and similar laws.
1. Data we collect
We collect only the data we need to run the Service.
1.1 Account data
- Your name and email address.
- A securely hashed password (bcrypt) — or, if you sign in with Google, your Google profile id, name and avatar URL.
- Account role (user / admin), creation timestamp and login timestamps.
1.2 WhatsApp session & messages
- The session-credentials file generated by the WhatsApp Web pairing flow, stored encrypted on disk and used only to keep your session alive across restarts.
- Metadata about chats (chat id, type, name, last-message-at).
- The text body and basic metadata of messages routed through your linked numbers (so the dashboard, history and webhooks work).
We do not read, mine or share the content of your messages for advertising or marketing. Messages are stored to provide the Service to you and may be exported or deleted by you at any time.
1.3 AI usage
- Prompts and generated replies (for audit and debugging in the AI logs).
- Token counts and the cost, in cents, charged to your wallet.
When AI auto-reply is enabled, the relevant message and chat history are sent to the configured AI provider (e.g. OpenAI, OpenRouter, or a custom OpenAI-compatible endpoint). Their privacy policy applies to that data. We do not control whether they retain it for training; please check the chosen provider's policy.
1.4 Billing data
- Wallet balance, transaction history (top-ups, AI usage debits, refunds).
- Per-number subscription status, current period end date.
- Payment-processor customer ids (Lemon Squeezy and/or Paddle).
We never see your card details. Card processing is handled entirely by our merchants of record:
- Lemon Squeezy — merchant of record for some transactions.
- Paddle.com — merchant of record for some transactions.
1.5 Technical data
- IP address, user-agent string and request metadata (used for rate limiting and abuse prevention).
- Server logs of API requests, webhook deliveries and error stack traces (kept up to 30 days).
2. Why we use your data (lawful bases under GDPR)
| Purpose | Lawful basis |
|---|---|
| Provide the Service (authentication, sessions, message routing) | Contract |
| Bill subscriptions and wallet top-ups | Contract |
| Send transactional emails (receipts, password resets, abuse warnings) | Contract |
| Prevent fraud, abuse and spam (anti-spam shields, rate limits) | Legitimate interest |
| Meet legal obligations (tax invoices, lawful requests) | Legal obligation |
| Improve the Service via aggregated, non-identifying telemetry | Legitimate interest |
3. Who we share data with
We share data only with the processors needed to deliver the Service:
- Lemon Squeezy and Paddle — payment processing, invoicing, tax handling, merchant of record.
- Google — only if you choose to sign in with Google (we receive your profile id, name, email, avatar).
- The AI provider configured by the platform — only the prompt + chat-history slice required for each reply.
- Hosting and infrastructure providers used to run the servers (compute, storage, CDN).
- Authorities — when legally compelled by a valid court order or law-enforcement request.
We do not sell or rent personal data to anyone, ever.
4. International transfers
Some of our processors operate in the United States or other jurisdictions outside the EEA/UK. Where required, transfers rely on the EU Standard Contractual Clauses or equivalent safeguards.
5. How long we keep your data
- Account profile — kept while the account exists. Deleted within 30 days of account closure.
- WhatsApp session files — kept while the number is linked. Wiped on logout.
- Messages & chats — kept until you delete them or close the account. You can export or wipe them at any time from the dashboard.
- AI logs — kept for 90 days for billing-dispute support, then anonymised.
- Billing records — kept for the period required by tax law in the operator's jurisdiction (typically 7 years).
- Server logs — kept for up to 30 days.
6. Your rights
Depending on where you live, you may have the right to:
- Access a copy of the personal data we hold about you.
- Correct inaccurate data.
- Delete your data (subject to legal retention).
- Restrict or object to processing.
- Export your data in a portable format (chat and account exports are built in).
- Withdraw consent at any time (for any processing based on consent).
- Lodge a complaint with your local data-protection authority.
To exercise any of these rights, email privacy@aramin.co. We respond within 30 days.
7. Security
- All traffic is encrypted in transit using TLS 1.2+.
- Passwords are hashed with bcrypt.
- API keys and provider credentials are encrypted at rest using AES-256.
- Database access is restricted to the application services.
- Anti-spam controls run on the platform to limit abuse-driven data leakage.
8. Cookies
We use only first-party functional cookies / local-storage entries needed to keep you signed in. We do not use third-party advertising trackers.
9. Children
The Service is not intended for users under 18 years old. We do not knowingly collect data from minors. If you believe a minor has registered, please contact us and we will delete the account.
10. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by in-app banner or email at least 7 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.
11. Contact
Data-protection requests, questions or complaints: privacy@aramin.co. For other support: support@aramin.co.