WhatsDesk ("the App") is a Shopify application developed and operated by idnovate.com, innovación y desarrollo, scp ("we", "us"). It connects your store to the WhatsApp Business Cloud API to send order notifications, automatic messages and to chat with your customers. This policy explains what data the App processes, why, and the rights you and your customers have. We act as a data processor on behalf of the merchant (the Shopify store owner), who is the data controller for their store's data.
The App requests the minimum Shopify permissions it needs to function: read_customers, read_orders, read_fulfillments, read_locales, read_products. With these it processes store & installation data (your store's domain, name, locale, currency and the access token issued at install), the WhatsApp Business account credentials you connect (phone number ID, access token and app secret, stored encrypted), customer personal data (name, email, phone number and the country/region of the address), order data (order number, totals, line items, fulfillment and tracking details) used to trigger and compose messages, and the content of the WhatsApp conversations (inbound and outbound messages, and any media) exchanged through the App.
Unlike many apps, WhatsDesk processes protected customer data because messaging requires it: the phone number is the destination of the WhatsApp message; the name personalizes the message; email and order data identify the customer and compose the notification; the country/region derived from the address powers optional automation filters. We process only the customers of stores that have installed the App, and only for the messaging purposes described here. We do not build advertising profiles or use tracking cookies.
Data is used solely to provide the App's features: sending automatic event notifications (order placed, paid, fulfilled, tracking updates and similar), two-way live chat with customers, direct and template messages, and aggregate analytics on message delivery and cost. We do not sell your or your customers' data, and we do not use it for advertising.
To deliver messages, the recipient's phone number and the message content are transmitted to Meta Platforms Ireland Ltd. (WhatsApp Business Cloud API), which delivers them over WhatsApp under Meta's own terms and privacy policy. Beyond Meta and the hosting infrastructure strictly necessary to run the App, we do not share data with third parties, and never for marketing. If you enable the optional AI customer agent (off by default), the content of the relevant WhatsApp messages is also sent to Anthropic, PBC (the Claude API) using your own API key, which is stored encrypted, solely to generate the suggested or automatic reply; this is under your control and Anthropic's terms apply.
Messages and their media are retained according to the merchant's configurable auto-delete setting (messages older than the chosen number of days are permanently removed), and store data is deleted when the App is uninstalled. We honour Shopify's mandatory GDPR webhooks: customers/data_request, customers/redact, shop/redact. On a customer redaction request we delete that customer's conversations, messages, media and consent records.
Sensitive data — WhatsApp credentials, customer identifiers and the content of messages — is encrypted at rest (AES), and stored media files are encrypted on disk. All data is transmitted over HTTPS. Data is stored on access-controlled servers and staff access is limited to what is required to operate and support the App.
Proactive (merchant-initiated) WhatsApp messages are sent subject to customer opt-in. The App captures and respects customers' opt-in and opt-out decisions, and merchants can require explicit opt-in before any proactive message is sent.
If you are in the EU/EEA you have the right to access, rectify, erase, restrict or port your personal data, and to object to its processing. Merchants can exercise these rights, and request or erase data on behalf of their customers, by contacting us or via Shopify's data-request tooling.
We may update this policy from time to time; material changes are reflected by the "Last updated" date above. For privacy questions or data requests, contact idnovate.com, innovación y desarrollo, scp at privacy@idnovate.com.