Privacy Policy
Last updated: February 11, 2026
1. Data Controller
The data controller for your account and platform data is:
WaiFlow
Email: [email protected]
When you use MoltFlow to process your contacts' messages, you are the Data Controller for your contacts' personal data, and MoltFlow acts as your Data Processor. See Section 10 for details.
2. Categories of Personal Data We Collect
We collect and process the following categories of personal data:
| Category | Data | Source |
|---|---|---|
| Account Data | Email address, hashed password, tenant ID | You provide at registration |
| Message Previews | First 500 characters of each WhatsApp message, sender name, sender phone number | Your WhatsApp session via WAHA |
| Message Metadata | Timestamps, delivery status, read receipts, message direction | Your WhatsApp session via WAHA |
| AI Analysis Results | Lead scores, sentiment labels, auto-generated labels | Generated by our AI processing |
| Style Profiles | Statistical writing patterns (word frequency, formality score, emoji usage) | Derived from your outbound messages |
| Knowledge Base | Uploaded documents, text chunks, vector embeddings | You upload directly |
| Billing Data | Subscription plan, payment history (processed by Stripe; we do not store card details) | Stripe |
| Usage Data | Messages sent/received counts, API call counts, feature usage metrics | Automatically collected |
| Collected Reviews | Review text (up to 2000 characters), sender phone, sender name | Your contacts via review collectors |
3. Purposes and Legal Basis for Processing
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Providing the Service (message delivery, session management) | Performance of contract (Art. 6(1)(b)) |
| AI-powered features (auto-responses, lead detection, sentiment analysis) | Legitimate interest (Art. 6(1)(f)) — providing the contracted service features |
| Style training (Learn Mode) | Consent (Art. 6(1)(a)) — you opt into Learn Mode |
| Billing and payment processing | Performance of contract (Art. 6(1)(b)) |
| Security, abuse prevention, rate limiting | Legitimate interest (Art. 6(1)(f)) — protecting the Service and users |
| Analytics and service improvement | Legitimate interest (Art. 6(1)(f)) — improving service quality |
| Review collection | Legitimate interest (Art. 6(1)(f)) — facilitating business feedback |
4. Data Retention
We retain personal data only as long as necessary for the purposes described:
| Data Type | Retention Period |
|---|---|
| Message previews (content, sender info) | 90 days, then automatically deleted |
| Message metadata (timestamps, delivery status) | Up to 1 year |
| Collected reviews | 90 days, then automatically deleted |
| AI audit logs | 90 days |
| Account and billing data | Duration of account + 1 year after deletion |
| Knowledge base documents | Until you delete them or account termination |
| Style profiles | Until you delete them or account termination |
| Consent records | 7 years (legal requirement) |
| Database backups | 30 days after source data deletion |
5. Sub-Processors & Third-Party Sharing
We do not sell your personal data. We share data with the following sub-processors to provide the Service:
| Sub-Processor | Location | Purpose | Transfer Mechanism |
|---|---|---|---|
| OpenAI, LLC | USA | AI text generation, voice transcription, message analysis | Standard Contractual Clauses (SCCs) |
| Stripe, Inc. | USA | Payment processing | Standard Contractual Clauses (SCCs) |
| Hetzner Online GmbH | Germany | Infrastructure hosting | EU-based (no transfer required) |
| Twilio SendGrid | USA | Transactional email delivery | Standard Contractual Clauses (SCCs) |
We will notify you at least 30 days before adding or changing sub-processors. You may object by contacting [email protected].
6. International Data Transfers
Your data may be transferred to and processed in the United States when using AI-powered features (via OpenAI) and payment processing (via Stripe). These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission.
Our primary infrastructure is hosted in the European Union (Germany) by Hetzner Online GmbH.
7. Your Data Subject Rights
Under the GDPR and other applicable data protection laws, you have the following rights:
- Right of Access (Art. 15): Request a copy of the personal data we hold about you.
- Right to Rectification (Art. 16): Request correction of inaccurate personal data.
- Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
- Right to Restriction (Art. 18): Request that we limit how we use your data.
- Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to Object (Art. 21): Object to processing based on legitimate interests, including automated profiling.
- Right to Withdraw Consent: Where processing is based on consent (e.g., Learn Mode), you may withdraw consent at any time through your dashboard settings without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
8. Rights of Your Contacts (Third Parties)
If you are a contact of a MoltFlow user and your messages have been processed through our Service, you have the right to:
- Request information about what data we hold about you
- Request erasure of your message data from our systems
- Object to automated processing of your messages
To exercise these rights, contact us at [email protected] with your phone number for identification. We will process your request and notify the relevant MoltFlow user.
9. Automated Decision-Making & Profiling
MoltFlow uses automated processing for the following purposes:
- Lead Scoring: Automatically identifies potential leads based on message content and patterns.
- Sentiment Analysis: Classifies message tone to help prioritize responses.
- Auto-Labeling: Automatically assigns labels to conversations based on content.
- Anti-Spam Detection: Monitors for policy violations and suspicious messaging patterns.
These automated decisions help organize and prioritize conversations but do not produce legal effects or similarly significant effects on individuals. MoltFlow users can review and override any automated decision through the dashboard.
10. Data Processing Agreement
When you use MoltFlow to process messages from your WhatsApp contacts:
- You are the Data Controller for your contacts' personal data.
- MoltFlow acts as your Data Processor, processing data on your behalf and according to your instructions.
By using the Service, you agree to the terms of our Data Processing Agreement (DPA), which includes Standard Contractual Clauses for international transfers.
11. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption in transit: All data is transmitted over TLS/HTTPS.
- Encryption at rest: Sensitive fields including message content and personal identifiers are encrypted at the application layer.
- Access controls: Multi-tenant isolation ensures your data is only accessible to your account.
- API key security: API keys are hashed using SHA-256 before storage.
- Audit logging: Security-relevant actions are logged for monitoring and compliance.
- Automatic data deletion: Message data is automatically purged after the retention period.
12. Cookies
We use the following cookies:
- Session cookies (essential): Required to maintain your login session and preferences. Cannot be disabled.
- Authentication tokens (essential): JWT tokens stored in httpOnly cookies for secure authentication.
- Analytics cookies (optional): Google Analytics 4 cookies are only loaded after you explicitly accept them via our cookie consent banner. If you reject analytics cookies, no GA4 scripts or cookies are set.
We do not use advertising or tracking cookies. For full details on our cookie usage, see our Cookie Policy.
13. Children's Data
MoltFlow is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us at [email protected] and we will promptly delete it.
14. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and notify affected users without undue delay, as required by GDPR Articles 33 and 34.
15. Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority in your country of residence if you believe our processing of your personal data violates applicable data protection laws.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last updated" date. For significant changes, we will also notify you by email.
17. Contact
For privacy-related inquiries or data subject requests, contact us at [email protected]. Our Data Processing Agreement is also available online.
By using MoltFlow, you acknowledge that you have read and understood this Privacy Policy. This policy should be read in conjunction with our Terms of Service and Data Processing Agreement.