1. Who We Are
WaPay is operated by Jenaige Design Ltd (CRO: 702966), registered in Ireland. WaPay provides invoicing, payment collection and accounts receivable services for small businesses, freelancers and sole traders via WhatsApp and a web dashboard.
For questions about this policy or your data, contact us at support@wapay.ai.
2. What Data We Collect
Data you provide directly
- Account information — name, business name, email address, password (stored as a bcrypt hash — we never see or store your actual password)
- WhatsApp number — captured automatically when you message us
- Customer information — names, email addresses and WhatsApp numbers of your customers, entered by you when creating invoices or payment requests
- Invoice and payment data — line items, amounts, VAT rates, payment status
- Messaging consent — how and when your customers consented to receive WhatsApp messages (consent source, timestamp)
Data collected automatically
- WhatsApp message metadata — sender number, message timestamps, message IDs (for idempotency and conversation state)
- Login activity — IP address and timestamps for security (rate limiting, failed login detection)
- Browser information — standard web server logs when you use the dashboard
Data from third parties
- Stripe — payment status, customer email (if provided during checkout), payment intent IDs. We never receive or store card numbers.
- WhatsApp / Meta — profile name and phone number from your WhatsApp account
3. How We Use Your Data
| Purpose | Data used | Legal basis (GDPR) |
|---|---|---|
| Provide the WaPay service | Account info, customer data, invoice data | Contract performance |
| Send WhatsApp messages on your behalf | Your and your customers' WhatsApp numbers | Contract performance |
| Process payments via Stripe | Invoice amounts, Stripe account IDs | Contract performance |
| Send payment reminders to your customers | Customer WhatsApp numbers, invoice data | Legitimate interest (with opt-out) |
| Record and verify messaging consent | Consent source, timestamps | Legal obligation (GDPR) |
| Prevent fraud and secure your account | IP addresses, login timestamps | Legitimate interest |
4. How We Share Your Data
We do not sell your data. We share data only with the following service providers who process it on our behalf:
- Stripe — payment processing. Stripe is PCI DSS Level 1 certified. We never handle card data. Stripe's Privacy Policy
- Meta / WhatsApp — message delivery. Messages are end-to-end encrypted by WhatsApp. WhatsApp Privacy Policy
- OpenAI — may be used for natural language processing features. No personal data is stored by OpenAI. OpenAI Privacy Policy
- Railway — cloud infrastructure hosting (EU region). Railway Privacy Policy
- Cloudflare — DNS, CDN and DDoS protection. Cloudflare Privacy Policy
5. Data Retention
| Data type | Retention period | Reason |
|---|---|---|
| Business account data | Until you delete your account | Service provision |
| Customer records | Until you or the customer requests deletion | Service provision |
| Invoices and payments | 7 years minimum | Tax and audit compliance (Irish Revenue) |
| WhatsApp conversation state | 1 hour | Conversation flow (Redis TTL) |
| Login attempt records | 1 hour | Rate limiting (Redis TTL) |
| Messaging consent records | Duration of customer relationship | GDPR compliance (proof of consent) |
| Audit logs | 90 days | Security monitoring |
6. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the right to:
- Access your data — view your account and all associated data via your dashboard at app.wapay.ai
- Rectify inaccurate data — update your profile, business name, email and other details from your dashboard
- Delete your data — delete your account and all associated data from your dashboard (Profile → Delete Account) or by contacting support@wapay.ai
- Port your data — request a copy of your data in a machine-readable format by contacting support@wapay.ai
- Object to processing — opt out of payment reminders by replying STOP in WhatsApp at any time
- Withdraw consent — where processing is based on consent, you can withdraw it at any time
To exercise any of these rights, email support@wapay.ai or use the self-service options in your dashboard. We will respond within 30 days.
7. Data Deletion
You can request deletion of your data at any time through:
- Dashboard — Profile → Delete Account (immediate, permanent)
- Email — send a request to support@wapay.ai
- WhatsApp — message us and request account deletion
When you delete your account, we permanently remove your business profile, customer records, and linked data. Invoice and payment records may be retained for up to 7 years as required by Irish tax law.
8. Cookies and Tracking
The WaPay dashboard uses no third-party tracking cookies. We use:
- localStorage — to store your authentication token (JWT) for dashboard access
- Essential cookies only — Cloudflare may set a security cookie for DDoS protection
We do not use analytics trackers, advertising pixels, or any third-party tracking scripts.
9. Security
We take the security of your data seriously:
- Passwords are hashed with bcrypt — we never store or see your password
- All connections are encrypted with TLS/HTTPS
- WhatsApp messages are end-to-end encrypted by Meta
- Payment processing is handled by Stripe (PCI DSS Level 1) — we never touch card data
- Login rate limiting with exponential backoff to prevent brute force attacks
- Webhook signature verification on all inbound messages
- Security headers (HSTS, X-Frame-Options, CSP) on all responses
For security concerns, contact security@wapay.ai.
10. Children's Privacy
WaPay is a business-to-business service and is not intended for use by individuals under 18 years of age. We do not knowingly collect data from children.
11. International Transfers
Your data is primarily processed within the EU (Railway EU region). Where data is transferred outside the EU (e.g., to Stripe, OpenAI or Meta's infrastructure), it is protected by Standard Contractual Clauses or equivalent safeguards as required by GDPR.
12. Changes to This Policy
We may update this privacy policy from time to time. Material changes will be communicated via WhatsApp or email. The "Last updated" date at the top reflects the most recent version.
13. Contact
If you have questions about this privacy policy or how we handle your data:
- Email: support@wapay.ai
- Security issues: security@wapay.ai
- Data protection officer: dpo@wapay.ai
- Postal address: Jenaige Design Ltd, Ireland
You also have the right to lodge a complaint with the Irish Data Protection Commission at dataprotection.ie.