Privacy Policy

This Privacy Policy explains how WAOS (“we”, “us”) collects, uses, and protects information when you use our Service. We collect only what is necessary to operate the WhatsApp-to-GoHighLevel bridge and to support your account.

Account information. When you sign in with GoHighLevel, we receive your email, name (if available), GoHighLevel company ID, and a list of locations you authorize.

OAuth tokens. We store encrypted access and refresh tokens that let us call the GoHighLevel API on your behalf. Tokens are encrypted at rest using envelope encryption (AES-256-GCM, per-record keys wrapped by a master key).

WhatsApp messages. Messages routed through WAOS — both inbound and outbound — are stored in our database with metadata (timestamps, sender JID, chat thread). For voice notes and images, the transcript or AI-generated caption is stored alongside the original media reference.

WhatsApp session data (WEB transport). When you connect a number via QR scan, we store the resulting Chromium profile (cookies, localStorage) encrypted at rest. Without this, you would have to re-scan QR every restart.

Usage data. Standard server logs (IP address, user agent, request paths, timestamps) retained for up to 30 days for security and debugging.

Cookies. One session cookie (HttpOnly, Secure) used to keep you signed in. We do not use third-party tracking cookies.

• To provide the Service: routing messages, generating AI replies, calling GoHighLevel and Meta APIs on your behalf
• To authenticate you and authorize requests
• To detect abuse, troubleshoot issues, and improve reliability
• To communicate with you about service changes and support
• To comply with legal obligations

We do not sell your data. We do not use your WhatsApp message content for advertising or to train machine-learning models.

WAOS relies on the following third-party service providers:

• Supabase — Postgres database hosting
• Upstash — Redis cache and job queue
• Cloudflare — DNS, TLS, and tunnel to our backend
• Vercel — Web frontend hosting
• Hostinger — Backend server hosting (VPS)
• Anthropic — Claude API for AI replies (only when you enable AI; only the conversation context is sent)
• OpenAI / Groq / Deepgram — Speech-to-text (only audio messages, only if you enable transcription)
• Meta — WhatsApp Cloud API (only if you choose Cloud API transport)
• HighLevel, Inc. — GoHighLevel API (necessary for all users)
• Cloudflare R2 / AWS S3 — Encrypted blob storage for WhatsApp session profiles (optional)

These subprocessors are bound by their own privacy commitments. We pass only the minimum data necessary for each provider to function.

Depending on your jurisdiction, you may have the right to:

• Access the data we hold about you
• Correct inaccurate data
• Request deletion of your account and data
• Export your data in a portable format
• Object to certain processing

To exercise any of these rights, email support@centralops.ai from your account email. We respond within 30 days.

We use industry-standard practices to protect your data: TLS for all transport, envelope encryption for sensitive data at rest, short-lived session tokens, principle-of-least-privilege for internal access. No system is perfectly secure; we work hard to make breaches unlikely and to disclose responsibly if they happen.

WAOS is not intended for users under 18. We do not knowingly collect data from minors.

Our infrastructure operates across multiple regions (United States, Europe, Asia). By using the Service you consent to your data being transferred and processed in those regions.

We will notify you of material changes via email or in-app notice at least 14 days before they take effect.

Questions about privacy? Email support@centralops.ai with subject line “Privacy”.