1. Who We Are

BulkWhatsApp is a self-hosted WhatsApp broadcast platform operated for business customers. The platform enables businesses to send bulk WhatsApp messages using the WhatsApp Business API (via providers such as Gupshup and Meta) or WhatsApp Web.

For the purposes of this Privacy Policy, "we", "us", or "our" refers to the BulkWhatsApp operator. "You" refers to any individual or business entity that accesses or uses our platform.

2. Data We Collect

2.1 Account Data

When you register or are onboarded as a user, we collect:

• Username and password (hashed with bcrypt — never stored in plain text)
• Your assigned subscription plan and expiry date
• WhatsApp Business API credentials you provide (API keys, App Names, access tokens) — stored on your server
• Two-factor authentication settings (TOTP secret — stored encrypted on server)

2.2 Contact Data You Upload

The platform stores contact lists, phone numbers, names, and groups that you import or enter. This data is stored entirely on your own hosting server. We (as the platform developer) do not have access to this data unless you grant us direct server access for support purposes.

2.3 Broadcast & Message Data

Records of messages sent, delivery status (sent / delivered / read), failure reasons, and broadcast history are stored on your server for analytics and retry purposes. Message content is not stored independently — only template names, parameters, and delivery outcomes are recorded.

2.4 Technical Data

Standard server logs may record IP addresses, request timestamps, HTTP methods, and response codes for security and debugging. These logs are retained for up to 30 days by default.

2.5 Data We Do NOT Collect

• We do not collect payment card or banking details through this platform
• We do not collect the content of WhatsApp messages sent by end-users to your contacts
• We do not collect data from your recipients — that is your responsibility as the sender

3. How We Use Your Data

We use the data collected to:

• Authenticate and authorise users on the platform
• Operate and maintain the broadcast service
• Process and queue messages through your configured WhatsApp provider
• Track delivery receipts (DLR) via webhooks and update broadcast analytics
• Manage subscription plans and enforce usage limits
• Monitor for security threats, abuse, or unauthorised access
• Send critical service notifications (e.g., subscription expiry)

We do not use your data for advertising, profiling, or sale to third parties.

4. Third-Party Services

The platform integrates with the following third-party services to deliver functionality. Each has its own privacy policy:

• Gupshup — WhatsApp Business API provider. Messages are transmitted through Gupshup's infrastructure. Gupshup may log message metadata per their terms. See Gupshup Privacy Policy.
• Meta (Facebook) — WhatsApp Business API is ultimately operated by Meta. Meta processes message delivery data under their WhatsApp Business Data Processing Terms.
• WhatsApp Web (whatsapp-web.js) — Personal number sessions connect directly to WhatsApp's servers. No intermediary service is used; data flows between your server and WhatsApp directly.

We are not responsible for the privacy practices of these third-party providers. You are advised to review their policies before use.

5. Data Storage & Security

Since BulkWhatsApp is self-hosted, all data (contacts, broadcasts, users, credentials) is stored on the server you or your organisation controls. Physical and logical security of that server is your responsibility.

Security measures built into the platform include:

• Passwords stored using bcrypt hashing (cost factor 10) — never stored in plain text; irreversible even with direct server access
• JWT tokens signed with a secret key, expiring every 8 hours
• Revocable token blocklist for immediate logout on all devices
• Optional two-factor authentication (TOTP / authenticator app) for all accounts
• Rate limiting on all sensitive endpoints (login, password change, 2FA) to prevent brute-force
• Atomic file writes to prevent data corruption on concurrent requests
• HMAC-SHA256 signature verification on all incoming webhooks
• Per-user data isolation — each user's contacts, broadcasts, and history are stored in a separate folder; no user (including admin) can access another user's message data through the platform
• Admin password reset — admins can set a new password for any user but cannot view the old one
• Input sanitisation on all API parameters; XSS protection throughout the UI

5.1 What Admin Can and Cannot See

The platform administrator has elevated privileges limited to:

• Can do: Create, edit, and delete user accounts; set subscription plans and daily limits; reset any user's password (but cannot read the old password)
• Cannot do: View another user's broadcast history, message content, contacts, templates, or WhatsApp credentials through the platform interface

Physical server access is separate from platform-level access. If you or your hosting provider have direct file system access to the server, the JSON data files are readable by anyone with that access. This is a hosting-level security concern, not a platform vulnerability.

5.2 Password Security

Passwords are hashed using bcrypt with a cost factor of 10 before being stored. This means:

• Passwords are never stored, logged, or transmitted in plain text
• Even the administrator cannot recover a forgotten password — only reset it
• If a user forgets their password, the admin can set a new temporary password via the Users panel
• Users are encouraged to enable Two-Factor Authentication (TOTP) for additional account security

6. Your Rights

As a user of the platform, you have the following rights regarding your personal data:

• Access: Request a copy of data held about your account
• Correction: Update your username, password, or account settings via the Settings panel
• Deletion: Request deletion of your account and associated data
• Portability: Export your contacts and broadcast history in JSON format
• Objection: Object to processing of your data for specific purposes

To exercise any of these rights, contact us via WhatsApp or email (details in Section 11). We will respond within 30 days.

7. Cookies

The BulkWhatsApp application does not use cookies for authentication or tracking. Authentication is handled via a JWT token stored in localStorage, which is scoped to your browser and not transmitted to any third-party analytics service.

The landing page (this website) does not use tracking cookies or third-party analytics. No consent banner is required for this site.

8. Children's Privacy

BulkWhatsApp is a business-to-business platform intended solely for adults and businesses. We do not knowingly collect data from individuals under the age of 18. If you believe a minor has created an account, please contact us immediately.

9. Jurisdiction-Specific Rights

India — IT Act 2000 & DPDP Act 2023

Under the Information Technology Act 2000 and the Digital Personal Data Protection (DPDP) Act 2023:

• You have the right to know what personal data is processed and for what purpose
• You have the right to correction and erasure of inaccurate or unnecessary data
• You have the right to grievance redressal — contact our Grievance Officer at the address in Section 11
• Sensitive personal data (passwords, financial data) is protected under IT (Reasonable Security Practices) Rules 2011

Our Grievance Officer can be reached via WhatsApp at +91 63851 27887. We will acknowledge grievances within 24 hours and resolve them within 30 days.

European Union — GDPR

If you are located in the EU or EEA, you have rights under the General Data Protection Regulation (GDPR), including:

• Right to Access (Art. 15): Obtain a copy of your personal data
• Right to Rectification (Art. 16): Correct inaccurate data
• Right to Erasure (Art. 17): Request deletion ("right to be forgotten")
• Right to Restriction (Art. 18): Limit how we process your data
• Right to Data Portability (Art. 20): Receive data in a machine-readable format
• Right to Object (Art. 21): Object to processing based on legitimate interests

Our lawful basis for processing is contract performance (Art. 6(1)(b)) — processing is necessary to provide the service you have requested. You may lodge a complaint with your national Data Protection Authority.

United States — CCPA (California)

California residents have rights under the California Consumer Privacy Act (CCPA) and CPRA, including the right to know, delete, and opt out of sale of personal information. We do not sell personal information to third parties.

United Kingdom

UK users have equivalent rights under the UK GDPR and Data Protection Act 2018.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. Material changes will be communicated to active users via the platform's notification system or via WhatsApp.

Continued use of the service after changes constitutes acceptance of the updated policy.

11. Contact Us