Privacy Policy
Last updated: May 15, 2026
1. Introduction
[Sendr entity name] (“Sendr,” “we,” “us,” or “our”) operates the Sendr platform at sendr.app (the “Service”). Sendr lets businesses connect their WhatsApp Business Account through Meta's Cloud API, manage approved message templates, and send marketing campaigns to phone number lists using a prepaid wallet.
This Privacy Policy explains what personal data we collect, how we process it, the purposes for which it is used, and how you can exercise your rights. By creating an account or using the Service, you agree to the practices described here.
2. Data We Collect
2.1 Data You Provide Directly
- Account information: email address, password (hashed), display name, and Google profile data (email, name, profile picture URL) if you sign up with Google OAuth.
- Organization details: organization name and URL slug.
- WhatsApp Business Account (WABA) data: WABA ID, phone number ID, business account ID, and an access token which we encrypt at rest using AES-256-GCM.
- Contact lists: phone numbers, display names, and optional metadata (e.g., tags) of the people your business messages through Sendr.
- Campaign data: recipient phone number lists and template parameter values you provide when composing a campaign.
- Payment information: billing details processed by Stripe. We do not store your credit card number on our servers; Stripe handles card data under PCI DSS compliance.
2.2 Data Collected Automatically
- Message delivery data: for every message sent or received through the platform we record the recipient phone number, direction (inbound / outbound), delivery status, Meta message ID, message body (as JSON), and per-message cost.
- Template metadata: approved WhatsApp message templates synced from Meta, including template name, language, category, status, and component structure.
- Wallet transactions: top-up amounts, message costs, and balance changes.
- Product analytics (optional): when PostHog is configured, we collect anonymous page-view and interaction events. See Section 5 (Cookies & Tracking).
- Error monitoring (optional): when Sentry is configured, unhandled errors are reported with stack traces and request metadata. These may include your IP address and browser user-agent.
- Authentication cookies: Supabase sets session-management cookies required to keep you signed in.
3. How We Use Your Data
- Provide the Service: authenticate your account, connect your WABA, send and receive WhatsApp messages on your behalf via Meta's Cloud API, and process wallet top-ups through Stripe.
- Campaign orchestration: queue, send, and track delivery of your marketing campaigns using background job processing.
- Improve the product: analyze aggregated, de-identified usage patterns (when analytics are enabled) to identify bugs and improve features.
- Security & fraud prevention: detect unauthorized access and abuse of the platform.
- Legal obligations: comply with applicable laws, respond to lawful requests, and enforce our Terms of Service.
4. Third-Party Sharing & Subprocessors
We do not sell your personal data. We share data only with the following categories of service providers (subprocessors) that are necessary to operate Sendr:
| Provider | Purpose | Data shared |
|---|---|---|
| Supabase | Authentication & database hosting | All platform data stored in the database; auth tokens and session cookies |
| Meta / Facebook | WhatsApp Cloud API, webhooks, Embedded Signup | WABA credentials, message content, recipient phone numbers, template data |
| Stripe | Payment processing | Email, billing details, transaction amounts |
| Inngest | Background job orchestration | Campaign and message metadata required for job execution |
| PostHog (optional) | Product analytics | Anonymous page-view events, browser metadata |
| Sentry (optional) | Error monitoring | Error stack traces, IP address, user-agent |
6. Data Retention
We retain your data for as long as your account is active or as needed to provide the Service. Specifically:
- Account data: retained until you delete your account or request deletion.
- Messages & campaign data: retained for the lifetime of your account. Inbound WhatsApp message content stored in the database is subject to the same retention period.
- Payment records: retained as required by applicable tax and financial regulations (typically 7 years).
- Analytics data: governed by PostHog's and Sentry's respective retention policies.
7. Data Deletion
You have the right to request deletion of all personal data we hold about you. Here is how:
- Email request: send an email to [contact email] from the email address associated with your Sendr account with the subject line “Data Deletion Request.” Include your account email and organization name.
- Data deletion page: visit sendr.app/data-deletion for step-by-step instructions and to check the status of an existing deletion request.
- Facebook settings: if you connected your Facebook account to Sendr, you can request deletion directly through Facebook at Settings & Privacy → Settings → Apps and Websites. Select Sendr and click “Remove.” Meta will notify us via a callback, and we will process the deletion.
Upon receiving a valid deletion request, we will:
- Delete your account, organization, contacts, campaigns, messages, WABA connection, and wallet data from our primary database within 30 days.
- Request deletion of associated data from our subprocessors where technically feasible.
- Retain only the minimum data required by law (e.g., financial transaction records).
You will receive a confirmation code and a status URL to track your deletion request.
8. Data Security
We take the security of your data seriously and implement the following measures:
- All data in transit is encrypted using TLS 1.2+.
- WhatsApp Business access tokens are encrypted at rest using AES-256-GCM with key management separated from the database.
- Passwords are hashed using bcrypt via Supabase Auth; we never store plaintext passwords.
- Database access is restricted by Supabase Row Level Security (RLS) policies, ensuring users can only access their own organization's data.
- Meta webhook payloads are validated using HMAC-SHA256 signature verification before processing.
- Stripe webhook events are verified using Stripe's signature verification.
9. International Data Transfers
Our subprocessors (Supabase, Meta, Stripe, Inngest, PostHog, and Sentry) may process data in data centers located in the United States and other jurisdictions. When personal data is transferred outside the European Economic Area (EEA) or United Kingdom, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) and our subprocessors' certifications and compliance frameworks.
10. Your Rights Under GDPR
If you are located in the European Economic Area or United Kingdom, you have the following rights under the General Data Protection Regulation:
- Access: request a copy of the personal data we hold about you.
- Rectification: ask us to correct inaccurate data.
- Erasure: request deletion of your data (see Section 7).
- Restriction: request that we limit processing of your data.
- Portability: receive your data in a machine-readable format.
- Objection: object to processing based on legitimate interests.
- Withdraw consent: where processing is based on consent, withdraw at any time.
To exercise any of these rights, contact us at [contact email]. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
11. Your Rights Under CCPA
If you are a California resident, the California Consumer Privacy Act provides you with specific rights:
- Right to know: what personal information we collect, use, disclose, and sell.
- Right to delete: request deletion of your personal information (see Section 7).
- Right to opt-out of sale: we do not sell personal information.
- Non-discrimination: you will not receive discriminatory treatment for exercising your rights.
To exercise your rights, contact [contact email].
12. Children's Privacy
Sendr is a business-to-business platform and is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If we learn that we have collected data from a child, we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. Your continued use of the Service after changes are posted constitutes acceptance of the revised policy.
14. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
- Email: [contact email]
- Entity: [Sendr entity name]